focused attacks, making coordinated attacks by hundreds of thousands of co-opted cooperating agents practical for the first time in history.
The potential consequences of a lack of security in cyberspace fall into three broad categories. First is the threat of catastrophe—a cyberattack, especially in conjunction with a physical attack, could result in thousands of deaths and many billions of dollars of damage in a very short time. Second is frictional drag on important economic and security-related processes. Today, insecurities in cyberspace systems and networks allow adversaries (in particular, criminals) to extract billions of dollars in fraud and extortion—and force businesses to expend additional resources to defend themselves against these threats. If cyberspace does not become more secure, the citizens, businesses, and governments of tomorrow will continue to face similar pressures, and most likely on a greater scale. Third, concerns about insecurity may inhibit the use of IT in the future and thus lead to a self-denial of the benefits that IT brings, benefits that will be needed for the national competitiveness of the United States as well as for national and homeland security.
A very broad spectrum of actors, ranging from lone hackers to major nation-states, poses security risks to the nation’s IT infrastructure. Organized crime (e.g., drug cartels) and transnational terrorists (and terrorist organizations, perhaps state-sponsored) occupy a region in between these two extremes, but they are more similar to the nation-state than to the lone hacker.
High-end attackers are qualitatively different from others by virtue of their greater resources—money, talent, time, organizational support and commitment, and goals. These adversaries can thus target vulnerabilities at any point in the IT supply chain from hardware fabrication to end uses. Furthermore, they are usually highly capable of exploiting human or organizational weaknesses over extended periods of time. The bottom line is that the threat is growing in sophistication as well as in magnitude, and against the high-end attacker, many current best practices and security technologies amount to little more than speed bumps—thus requiring additional fundamental research and new approaches, such as a greater emphasis on mitigation and recovery.
The committee believes that individual users, organizations, and society at large are entitled to use and rely on information technologies whose