National Academies Press: OpenBook
Suggested Citation:"Front Matter." National Research Council. 2014. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. Washington, DC: The National Academies Press. doi: 10.17226/18749.

AT THE NEXUS OF CYBERSECURITY
AND PUBLIC POLICY


Some Basic Concepts and Issues


David Clark, Thomas Berson, and Herbert S. Lin, Editors

Committee on Developing a Cybersecurity Primer:
Leveraging Two Decades of National Academies Work

Computer Science and Telecommunications Board

NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS

Washington, D.C.

www.nap.edu

THE NATIONAL ACADEMIES PRESS     500 Fifth Street, NW     Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

Support for this project was provided by the National Science Foundation under Award Number CNS-0940372. Additional support was provided by Microsoft Corporation, Google, Inc., and the President’s Committee of the National Academies.

Any opinions, findings, or conclusions expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project.

International Standard Book Number 13: 978-0-309-30318-7
International Standard Book Number 10: 0-309-30318-4
Library of Congress Control Number: 2014940211

This report is available from

Computer Science and Telecommunications Board
National Research Council
500 Fifth Street, NW
Washington, DC 20001

Additional copies of this report are available from the National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242 or (202) 334-3313; http://www.nap.edu.

Copyright 2014 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

THE NATIONAL ACADEMIES

Advisers to the Nation on Science, Engineering, and Medicine

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. C. D. Mote, Jr., is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. C. D. Mote, Jr., are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org

COMMITTEE ON DEVELOPING A CYBERSECURITY PRIMER:
LEVERAGING TWO DECADES OF
NATIONAL ACADEMIES WORK

DAVID CLARK, Massachusetts Institute of Technology, Chair

THOMAS BERSON, Anagram Laboratories

MARJORY BLUMENTHAL,1 Georgetown University

Staff

HERBERT S. LIN, Study Director and Chief Scientist, Computer Science and Telecommunications Board

ERIC WHITAKER, Senior Program Assistant, Computer Science and Telecommunications Board

_________________

1 Ms. Blumenthal resigned from the committee on May 1, 2013, and accepted a position as executive director for the President’s Council of Advisors on Science and Technology.

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

ROBERT F. SPROULL, University of Massachusetts, Amherst, Chair

LUIZ ANDRÉ BARROSO, Google, Inc.

STEVEN M. BELLOVIN, Columbia University

ROBERT F. BRAMMER, Brammer Technology, LLC

EDWARD FRANK, Apple, Inc.

SEYMOUR E. GOODMAN, Georgia Institute of Technology

LAURA M. HAAS, IBM Almaden Research Laboratory

MARK A. HOROWITZ, Stanford University

MICHAEL KEARNS, University of Pennsylvania

ROBERT KRAUT, Carnegie Mellon University

SUSAN LANDAU, Google, Inc.

PETER LEE, Microsoft Corporation

DAVID E. LIDDLE, US Venture Partners

BARBARA LISKOV, Massachusetts Institute of Technology

JOHN STANKOVIC, University of Virginia

JOHN A. SWAINSON, Dell, Inc.

PETER SZOLOVITS, Massachusetts Institute of Technology

ERNEST J. WILSON, University of Southern California

KATHERINE YELICK, Lawrence Berkeley National Laboratory

JON EISENBERG, Director

LYNETTE I. MILLETT, Associate Director and Senior Program Officer

VIRGINIA BACON TALATI, Program Officer

SHENAE BRADLEY, Senior Program Assistant

RENEE HAWKINS, Financial and Administrative Manager

HERBERT S. LIN, Chief Scientist

ERIC WHITAKER, Senior Program Assistant

For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, NW, Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.

Preface

Today, cybersecurity is widely viewed as a matter of pressing national importance. Many elements of cyberspace are notoriously vulnerable to an expanding range of attacks by a spectrum of hackers, criminals, terrorists, and state actors. For example, government agencies and private-sector companies both large and small suffer from cyber thefts of sensitive information, cyber vandalism (e.g., defacing of Web sites), and denial-of-service attacks. The nation’s critical infrastructure, including the electric power grid, air traffic control system, financial systems, and communication networks, depends extensively on information technology for its operation.

Concerns about the vulnerability of the information technology on which the nation relies have deepened in the security-conscious environment after the September 11, 2001, attacks and in light of increased cyber espionage directed at private companies and government agencies in the United States. National policy makers have become increasingly concerned that adversaries backed by considerable resources will attempt to exploit the cyber vulnerabilities in the critical infrastructure, thereby inflicting substantial harm on the nation. Numerous policy proposals have been advanced, and a number of bills have been introduced in Congress to tackle parts of the cybersecurity challenge.

Although the larger public discourse sometimes treats the topic of cybersecurity as a new one, the Computer Science and Telecommunications Board (CSTB) of the National Research Council has long recognized cybersecurity as a major challenge for public policy.1 CSTB work in cybersecurity over more than two decades (Box P.1) offers a wealth of information on practical measures, technical and nontechnical challenges, and potential policy responses. Produced by the Committee on Developing a Cybersecurity Primer: Leveraging Two Decades of National Academies Work (see Appendix A), the present report draws on past insights developed in this body of work to provide a concise primer on the fundamentals of cybersecurity and the nexus between cybersecurity and public policy (see Box P.2 for the project’s statement of task).

This report is based primarily on earlier CSTB work (see Appendix B), and for readability, direct extracts from that work are not set in quotation marks, nor are paraphrases from that work identified as such. However, the report also addresses issues not covered in earlier CSTB work, and the committee acknowledges with gratitude input from William Press (University of Texas at Austin), Tim Gibson (Draper Laboratories), Stefan Savage (University of California, San Diego), and William Sanders (University of Illinois at Urbana-Champaign) on a variety of cybersecurity-related topics in the course of its work.

As a primer, this report presents fundamental concepts and principles that serve as points of departure for understanding specific cybersecurity incidents or proposals to improve security. The specifics of cybersecurity change rapidly, but the fundamental concepts and principles endure, or at least they change much more slowly. These concepts and principles are approximately independent of particular cybersecurity technologies or incidents, although they manifest themselves in a wide variety of different technologies and incidents.

The report’s emphasis on fundamental concepts and principles also means that in the interest of brevity, coverage in this primer cannot be comprehensive. For readers who wish to explore particular topics more deeply, the detailed CSTB reports listed in Appendix B provide a substantial resource.

________________

1 The Web page at http://sites.nationalacademies.org/CSTB/CSTB_059144 lists all CSTB reports related to cybersecurity.

BOX P.1 Selected Computer Science and Telecommunications Board Work on Cybersecurity—A Brief Summary of Highlights

The 1991 CSTB report Computers at Risk warned that “as computer systems become more prevalent, sophisticated, embedded in physical processes, and interconnected, society becomes more vulnerable to poor system design … and attacks on computer systems” and that “the nature and magnitude of computer system problems are changing dramatically” (p. 1). It also lamented that “known techniques are not being used” to increase security.

In 1999, CSTB released Trust in Cyberspace, which proposed a research agenda to increase the trustworthiness of information technology (IT), with a special focus on networked information systems. This report went beyond security matters alone, addressing as well other dimensions of trustworthiness such as correctness, reliability, safety, and survivability. Importantly, it also noted that “economic and political context is critical to the successful development and deployment of new technologies” (p. viii).

In 2002, CSTB issued Cybersecurity Today and Tomorrow: Pay Now or Pay Later, which reprised recommendations from a decade of CSTB cybersecurity studies. Its preface noted that “it is a sad commentary on the state of the world that what CSTB wrote more than 10 years ago is still timely and relevant. For those who work in computer security, there is a deep frustration that research and recommendations do not seem to translate easily into deployment and utilization” (p. v).

CSTB’s 2007 report Toward a Safer and More Secure Cyberspace observed that “there is an inadequate understanding of what makes IT systems vulnerable to attack, how best to reduce these vulnerabilities, and how to transfer cybersecurity knowledge to actual practice” (p. vii). It set forth an updated research agenda, sought to inspire the nation to strive for a safer and more secure cyberspace, and focused “substantial attention on the very real challenges of incentives, usability, and embedding advances in cybersecurity into real-world products, practices, and services” (p. xii).

In 2009, CSTB turned its attention to the technical and policy dimensions of cyberattack—the offensive side of cybersecurity. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities concluded that although cyberattack capabilities are an important asset for the United States, the current policy and legal framework for their use is ill-formed, undeveloped, and highly uncertain and that U.S. policy should be informed by an open and public national debate on technological, policy, legal, and ethical issues posed by cyberattack capabilities.

In 2010, the CSTB report Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop identified research opportunities and ways to embed usability considerations in design and development related to security and privacy. In that year, CSTB also produced a second workshop report, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options, a collection of papers that examined governmental, economic, technical, legal, and psychological challenges involved in deterring cyberattacks.

_________________

NOTE: All of these reports were published by the National Academies Press, Washington, D.C.

BOX P.2 The Project Statement of Task

A primer on the technical and policy issues of cybersecurity, building on more than two decades of prior Academies work, will be developed under the auspices of a small study committee. The report will examine what is known about effective technical and nontechnical approaches, the state of the art and open challenges, why relatively little progress has been made in cybersecurity despite the recommendations of many reports from the Academies and elsewhere, and potential policy responses. Much of the material will be drawn directly from previous reports. The committee will also review emerging issues and new technical and nontechnical approaches that may not have been covered in previous National Research Council reports.

Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:

Steven Bellovin, Columbia University,

RuthAnne Bevier, California Institute of Technology,

Jack Goldsmith, Harvard Law School,

Raymond Jeanloz, University of California, Berkeley,

Anita Jones, University of Virginia,

Butler Lampson, Microsoft Corporation, and

Steven Wallach, Convey Computer Corporation.

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions, nor did they see the final draft of the report before its release. The review of this report was overseen by Sam Fuller (Analog Devices). Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.


We depend on information and information technology (IT) to make many of our day-to-day tasks easier and more convenient. Computers play key roles in transportation, health care, banking, and energy. Businesses use IT for payroll and accounting, inventory and sales, and research and development. Modern military forces use weapons that are increasingly coordinated through computer-based networks. Cybersecurity is vital to protecting all of these functions. Cyberspace is vulnerable to a broad spectrum of hackers, criminals, terrorists, and state actors. Working in cyberspace, these malevolent actors can steal money, intellectual property, or classified information; impersonate law-abiding parties for their own purposes; damage important data; or deny the availability of normally accessible services. Cybersecurity issues arise because of three factors taken together: the presence of malevolent actors in cyberspace, societal reliance on IT for many important functions, and the presence of vulnerabilities in IT systems. What steps can policy makers take to protect our government, businesses, and the public from those who would take advantage of system vulnerabilities?

At the Nexus of Cybersecurity and Public Policy offers a wealth of information on practical measures, technical and nontechnical challenges, and potential policy responses. According to this report, cybersecurity is a never-ending battle; threats will evolve as adversaries adopt new tools and techniques to compromise security. Cybersecurity is therefore an ongoing process that needs to evolve as new threats are identified. At the Nexus of Cybersecurity and Public Policy is a call for action to make cybersecurity a public safety priority. For a number of years, the cybersecurity issue has received increasing public attention; however, most policy focus has been on the short-term costs of improving systems. In its explanation of the fundamentals of cybersecurity and the discussion of potential policy responses, this book will be a resource for policy makers, cybersecurity and IT professionals, and anyone who wants to understand threats to cyberspace.
