and development—that is, computer systems are increasingly needed for organizations to be able to operate at all. Critical national infrastructures—such as those associated with energy, banking and finance, defense, law enforcement, transportation, water systems, and government and private emergency services—also depend on information systems and networks. The telecommunications system itself and the Internet running on top of it are critical infrastructure for the nation. Information systems play a critical role in many governmental functions, including national security and homeland and border security.
The conventional definition of computer security relates to the following attributes of a computer system: confidentiality (the system prevents unauthorized access to information), integrity (information in the system cannot be altered without authorization), and availability (the system is available for authorized use). Authentication—the verification of identity using some combination of something that one knows (such as a password), something that one has (such as a hardware token), and something that one is (such as a fingerprint)—is often thought of as an additional essential security capability. Reliability is a closely related concept—a reliable system performs and maintains its functions even in hostile circumstances, including but not limited to threats from adversaries.
Nearly all indicators of the severity of the security threat to computer systems, whether associated with losses or damage, type of attack, or presence of vulnerability, point to a continuously worsening problem.2 The potential consequences fall into three broad categories:
Economic drag—To counter security problems, organizations are forced to spend in order to defend and strengthen insecure IT systems.
Avoidance—Because of the perceived security risks of computing, individuals or organizations avoid using IT systems, thereby missing the potential benefit of their use.
Catastrophe—Failure of an IT system causes major economic loss and perhaps even loss of life. A catastrophe could be the result of a cyberattack, a serious software design or implementation flaw, or system misuse.
Despite advances that have been made in both practice and technology, cybersecurity will be a concern into the foreseeable future. More and more sensitive information will be stored in systems whose security does not necessarily increase in proportion to the value of the assets they contain. The threats will continue to evolve both on their own and as defenses against them are discovered and implemented. New vulnerabilities will emerge as previously unknown weaknesses are uncovered and as innova-