The following is the Dec. 8, 2022 Congressional Research Service In Focus report, Cybersecurity: A Primer.
The information technology that Americans use to chat with loved ones and make purchases are the same that can be turned against them to deny access to services, steal their information, or compromise the digital systems they trust. These tools exist in cyberspace, and the security of that environment is a large endeavor involving government, the private sector, international partners, and others. This In Focus provides an overview of cybersecurity for policymaking purposes, describes issues that cybersecurity affects, and discusses potential actions Congress could take.
The term “cyber” is frequently attached to a variety of security issues, underscoring that issues surrounding the management of cyberspace and its security are vast and complicated.
To highlight how complicated it is, consider that the federal government does not have a single definition of cyberspace or cybersecurity. The Cyberspace Solarium Commission—defined “cyber” as relating to, involving, or characteristic of computers, computer networks, information and communications technology (ICT), virtual systems, or computer-enabled control of physical components.
While this definition may be suitable for a broad discussion about information technology, it does not account for relevant policymaking considerations concerning cybersecurity. Essentially, cybersecurity is the security of cyberspace.
As an example, consider a single smartphone. An American company may have designed the device, but the device may be built by a different company abroad using material from yet another country. The phone runs on software built by one company but modern operating systems borrow code from other companies and developers. Once a user has the device it will likely be connected to a variety of networks such as a home wireless network, a corporate network, and a cellular network. Each of these networks has its own infrastructure, but also share common internet infrastructure. The user will also install applications that contain code and use infrastructure by yet other myriad companies. Imagining users at the center, one can see large and intricate systems on one side and the other to create these devices and ensure their operation. The entire infrastructure and all those services that are part of cyberspace exist to deliver an experience to a user, a human.
Thus, from a policymaking standpoint cybersecurity can be considered the security of cyberspace—which includes the devices, infrastructure, data, and users that make it up. To support cybersecurity policymaking, adjacent fields also need consideration. Education, workforce management, investment, entrepreneurship, and research and development are necessary to get a product to market. Developers, law enforcement, intelligence, incident response, and national defense are necessary to respond when something goes awry in cyberspace.
The nation faces many threats (manmade and not) with an array of capabilities to carry out attacks. Threat actors may directly target the elements of cyberspace (e.g., networks, data, services, and users). However, they may also use these elements to attack industry through cyberspace.
For instance, a hacker operating independently or under a nation-state’s instruction may target a hospital system. The hacker may send ransomware to a hospital to extort payment before the hospital can regain access to its files and devices. However, during that attack the hacker may also install a tool on the hospital’s network, providing persistent access they will use to steal data, including patient information or hospital operations material. The hacker can then use that information to identify additional targets. In this scenario the hacker has attacked the hospital network, networked medical devices, and patient data.
The Director of National Intelligence (DNI) delivers the Intelligence Community’s Worldwide Threat Assessment to Congress. In 2022, the DNI highlighted China, Russia, Iran, North Korea, and Transnational Organized Crime as threat actors of concern in cyberspace. These actors have demonstrated a growing capability and capacity for attacks against U.S. interests.
China is the most active actor conducting espionage campaigns but with a capability to disrupt infrastructure. Russia seeks to use disruptions in cyberspace to bolster its military and foreign policy goals. Iran aggressiveness in using cyber capabilities threatens networks and data. North Korea uses cyberspace to spy, steal, and disrupt.
Transnational criminal organizations will continue to conduct phishing, fraud, and ransomware attacks for their own economic gain and under the direction of a nation-state. The more these adversaries engage in cyberattacks, the more their expertise and willingness to use their capabilities grow.
In addition to threat actors, users face threats from inherent vulnerabilities in software. The Log4j vulnerability is one such example of widely used code that put many internet servers at risk of exposing user data.
Given that cybersecurity is a large and complex issue area, paring it down to sub-issue areas can help in both understanding problems and crafting solutions. Four areas to consider are information and system security, device security, governance, and international relations.
Computer scientists characterize security through three attributes:
Related to integrity is the concept of authentication or that users can verify data is from a trusted source. The internet was built using technologies that assume the trust of its users, but as the internet has grown into a global network, anonymity and data manipulation have proliferated, complicating the options a user has when determining the validity of online information.
Inaccurate identifiers also frustrate companies seeking to verify their users—leading many to adopt zero-trust architectures where users are continuously authenticated.
Similar to information security, the security of the system (e.g., the application, servers, routers, appliances, devices) can also be understood through the lenses of confidentiality, integrity, and availability. For an internet-connected device which monitors a building’s energy use, the utility and customer will want to ensure data on the device is only accessible to them (confidentiality), the device accurately states how much energy is used (integrity), and the device is always monitoring usage (availability).
Many different entities are involved in cybersecurity. Government entities with regulatory authority may choose to exercise that authority by scrutinizing an industry’s cybersecurity activities. Manufacturers may choose to adopt standards and best practices. Users may be savvy or oblivious to their cybersecurity risk. Network access and services providers may provide products which mitigate cybersecurity risk or transfer that risk to another party, such as to an insurer or to a security company. The interaction between all these parties through agreements, contracts, treaties, or other pacts creates a complex layer of responsibility and accountability for cyberspace. In addition to formal agreements, there are tacit understandings and expectations of each of these parties which continue to evolve as government and industry negotiate their shared responsibility for national cybersecurity.
The internet is a global network, where a packet of data originating from one country can move to another at the speed of light. The devices that make up the infrastructure of the internet have a global supply chain. The software those devices require to operate are often created by an international workforce. Policies that one country establishes may have market effects in another. The Internet-of-Things (IOT) highlights the international nature of cybersecurity. Devices may be built in one country to the standards of another where they will be sold. But, since they connect to the internet, they may become infected with malware from a third country, and be used against users in a fourth—all with little to no user action.
In crafting policy to address cybersecurity issues Congress has many options. Below is a list of possible actions Congress may take to strengthen cybersecurity (in alphabetical order).
Republished in the State of California as a work of the United States government.
Chris Jaikaran is a specialist in cybersecurity policy at the U.S. Congressional Research Service
More than 86 million Americans use the social media app TikTok to create, share, and view short videos, featuring everything from cute animals and influencer advice to comedy and dance performances.
Concerned experts point out that TikTok’s parent company, the Beijing-based ByteDance, has been accused of working with the Chinese government to censor content and could also collect sensitive data on users.
The recent leak of Pentagon documents included the suggestion that China is developing sophisticated cyber attacks for the purpose of disrupting military communication satellites. While this is unconfirmed, it is certainly possible, as many sovereign nations and private companies have considered how to protect from signal interference.
The Wisconsin shipyard that builds the U.S. Navy’s Freedom-class Littoral Combat Ship and the Constellation-class guided-missile frigate suffered a ransomware attack last week that delayed production across the shipyard, USNI News has learned.
Fincantieri Marinette Marine experienced the attack in the early morning hours of April 12, when large chunks of data on the shipyard’s network servers were rendered unusable by an unknown professional group, two sources familiar with a Navy summary of the attack told USNI News on Thursday.