Congressional Research Service
Informing the legislative debate since 1914


Cybersecurity Issues and Challenges

January 21, 2015


Overview

Information and communications technology (ICT) is
ubiquitous and increasingly integral to almost every facet of
modern society. ICT devices and components are generally
interdependent, and disruption of one may affect many
others. Over the past several years, experts and
policymakers have expressed increasing concerns about
protecting ICT systems from cyberattacks.

The risks associated with any attack depend on three
factors: threats (who is attacking), vulnerabilities (how they
are attacking), and impacts (what the attack does).

What are the threats? People who perform cyberattacks
generally fall into one or more of five categories: criminals
intent on monetary gain from crimes such as theft or
extortion; spies intent on stealing classified or proprietary
information used by government or private entities; nation-
state warriors who develop capabilities and undertake
cyberattacks in support of a country's strategic objectives;
hacktivists who perform cyberattacks for nonmonetary
reasons; and terrorists who engage in cyberattacks as a
form of non-state or state-sponsored warfare.

What are the vulnerabilities? Cybersecurity is in many
ways an arms race between attackers and defenders. ICT
systems are very complex, and attackers are constantly
probing for weaknesses, which can occur at many points.
Defenders can often protect against weaknesses, but three
are particularly challenging: inadvertent or intentional acts
by insiders with access to a system; supply chain
vulnerabilities, which can permit the insertion of malicious
software or hardware during the acquisition process; and
previously unknown, or zero-day, vulnerabilities with no
established fix.

What are the impacts? A successful attack can
compromise the confidentiality, integrity, and availability
of an ICT system and the information it handles. Cybertheft
or cyberespionage can result in exfiltration of financial,
proprietary, or personal information from which the
attacker can benefit, often without the knowledge of the
victim. Denial-of-service attacks can slow or prevent
legitimate users from accessing a system. Botnet malware
can give an attacker command of a system for use in
cyberattacks on other systems. Attacks on industrial control
systems can result in the destruction of the equipment they
control, such as generators, pumps, and centrifuges.

Most cyberattacks have limited impacts, but a successful
attack on some components of critical infrastructure (CI),
most of which is held by the private sector, could have
significant effects on national security, the economy, and
the livelihood and safety of individual citizens. Thus, a rare
successful attack with high impact can pose a larger risk
than a common successful attack with low impact.

Reducing the risks from cyberattacks usually involves (1)
removing the threat source, e.g., by closing down botnets or
reducing incentives for cybercriminals; (2) addressing
vulnerabilities by hardening ICT assets, e.g., by patching
software and training employees; and (3) lessening impacts
by mitigating damage and restoring functions, e.g., by
having back-up resources available for continuity of
operations in response to an attack.

Federal Role

The federal role in cybersecurity involves both securing
federal systems and assisting in protecting nonfederal
systems. Under current law, all federal agencies have
cybersecurity responsibilities relating to their own systems,
and many have sector-specific responsibilities for CI. More
than 50 statutes address various aspects of cybersecurity,
and new legislation has been debated since at least the 111th
Congress. However, until the end of the 113th Congress, no
bills on cybersecurity had been enacted since the Federal
Information Security Management Act (FISMA) in 2002.

Figure 1. Federal Agency Roles in Cybersecurity

[Figure: diagram of federal agency roles in cybersecurity; image not reproduced in this text.]

Source: CRS.
Notes: DHS: Department of Homeland Security; DOD: Department
of Defense; DOJ: Department of Justice; IC: Intelligence Community;
NIST: National Institute of Standards and Technology; NSA: National
Security Agency; NSS: National Security Systems; OMB: Office of
Management and Budget; R&D: Research and development.


www.crs.gov | 7-5700