1

Why Care About Cybersecurity?

1.1 ON THE MEANING AND IMPORTANCE OF
CYBERSPACE AND CYBERSECURITY

Most people in modern society encounter computing and communications technologies all day, every day. Offices and stores and factories and street vendors and taxis are filled with computers, even if the computers are not openly visible. People type at the keyboard of computers or tablets and use their smart phones daily. People’s personal lives involve computing through social networking, home management, communication with family and friends, and management of personal affairs. The operation of medical devices implanted in human bodies is controlled by embedded (built-in) microprocessors.

A much larger collection of information technology (IT) is instrumental in the day-to-day operations of companies, organizations, and government. Companies large and small rely on computers for diverse business processes ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development (R&D). The distribution of food and energy from producer to retail consumer depends on computers and networks at every stage. Nearly everyone (in everyday society, business, government, and the military services) relies on wireless and wired digital communications systems. IT is used to execute the principal business processes in government and in many of the largest sectors of the economy, including financial services, health care, utilities, transportation, and retail and management services. Indeed, the architecture of today’s enterprise IT systems is the very embodiment



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 7
1 Why Care About Cybersecurity? 1.1  ON THE MEANING AND IMPORTANCE OF CYBERSPACE AND CYBERSECURITY Most people in modern society encounter computing and communi- cations technologies all day, every day. Offices and stores and factories and street vendors and taxis are filled with computers, even if the com- puters are not openly visible. People type at the keyboard of computers or tablets and use their smart phones daily. People’s personal lives involve computing through social networking, home management, communica- tion with family and friends, and management of personal affairs. The operation of medical devices implanted in human bodies is controlled by embedded (built-in) microprocessors. A much larger collection of information technology (IT) is instru- mental in the day-to-day operations of companies, organizations, and government. Companies large and small rely on computers for diverse business processes ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development (R&D). The distribution of food and energy from producer to retail consumer depends on computers and networks at every stage. Nearly everyone (in everyday society, business, government, and the military services) relies on wireless and wired digital communications systems. IT is used to execute the principal business processes in government and in many of the largest sectors of the economy, including financial services, health care, utilities, transportation, and retail and management services. Indeed, the architecture of today’s enterprise IT systems is the very embodiment 7

OCR for page 7
8 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY of the critical business logic in complex enterprises. Today, it is impos- sible to imagine the Walmarts, the FedExes, the Amazons, and even the “traditional” industries such as manufacturing without IT. Today and increasingly in the future, computing and communications technologies (collectively, information technologies) are found and will be more likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification cards, telephones, and medical devices (includ- ing some embedded in human beings). These devices will be connected— the so-called Internet of Things. Computing will be embedded in myriad places and objects; even today, computing devices are easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and actuators. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically. In this emerging era of truly pervasive computing, the ubiquitous integration of computing and communications technologies into com- mon everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appli- ances will make appropriate information available on demand, enabling users to be more productive in both their personal and their professional lives. And, as has been true with previous generations of IT, interconnec- tions among all of these now-smart objects and appliances will multiply their usefulness many times over. It is in the context of this technology-rich environment that the term “cyberspace” often arises. Although “cyberspace” does not have a single agreed-upon definition,1 some things can be said about how the term is used in this report. First, cyberspace is not a physical place, although many elements of cyberspace are indeed physical, do have volume and mass, and are located at points in physical space that can be specified in three spatial dimensions. Second, cyberspace includes but is not limited to the Internet—cyberspace also includes computers (some of which are attached to the Internet and some not) and networks (some of which may be part of the Internet and some not). Third, cyberspace includes many intangibles, such as information and software and how different elements of cyberspace are connected to each other. So a rough definition might be that cyberspace consists of artifacts For example, a Cisco blog post sought to compare 11 different definitions of cyberspace. 1 See Damir Rajnovic, “Cyberspace—What Is It?,” Cisco Blogs, July 26, 2012, available at https://blogs.cisco.com/security/cyberspace-what-is-it/.

OCR for page 7
WHY CARE ABOUT CYBERSECURITY? 9 based on or dependent on computing and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements. But the reader should keep in mind that this is a rough and approximate definition and not a precise one. Given our dependence on cyberspace, we want and need our infor- mation technologies to do what they are supposed to do and only when they are supposed to do it. We also want these technologies to not do things they are not supposed to do. And we want these things to be true in the face of deliberately hostile or antisocial actions. Cybersecurity issues arise because of three factors taken together. First, we live in a world in which there are parties that will act in deliber- ately hostile or antisocial ways—parties that would do us harm or sepa- rate us from our money or violate our privacy or steal our ideas. Second, we rely on IT for a large and growing number of societal functions. Third, IT systems, no matter how well constructed (and many are not as well constructed as the state of the art would allow), inevitably have vulner- abilities that the bad guys can take advantage of. Thus, a loosely stated definition of cybersecurity is the following: Security in cyberspace (i.e., cybersecurity) is about technologies, processes, and policies that help to prevent and/or reduce the negative impact of events in cyberspace that can happen as the result of deliberate actions against information technology by a hostile or malevolent actor. To go beyond this loosely stated definition of cybersecurity, it is nec- essary to elaborate on the meaning of “impact,” on what makes impact “negative,” and on what makes an actor “hostile” or “malevolent.” By definition, an action that changes the functionality of a given information artifact (software or hardware) has impact—Chapter 3 dis- cusses different kinds of impact that are related to cybersecurity. But any given impact can be positive or negative and any actor can be virtuous or malevolent, depending on the perspective of the parties involved—that is, who is a perpetrator and who is a target. In many cases with which readers of this report are likely to be concerned, the meanings of these terms are both reasonably clear and shared. For example, with respect to the information technology on which law-abiding U.S. citizens and organizational entities rely, what makes an impact negative is that their information technology no longer works as these parties expect it to work. By contrast, if criminals and terrorists are relying on such technologies and it is the U.S. government that takes actions to render their technologies inoperative, the impact would usually be seen as positive. Similarly, many repressive regimes put into place various mecha- nisms in cyberspace to monitor communications of dissidents. These

OCR for page 7
10 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY regimes may regard as “malevolent actors” those who help dissidents breach the security of these mechanisms and circumvent government monitoring, but others may well regard such parties as virtuous rather than malevolent actors. Compromising the cybersecurity of an Internet- based mechanism for conducting surveillance against such parties has a negative impact from the standpoint of these regimes, but a positive impact for those seeking to open up these regimes. There are also cases of concern to readers of this report in which the meanings of “negative” and “malevolent” may not be shared. Consider the debate over Internet surveillance by the National Security Agency (NSA) sparked by the revelations of Edward Snowden starting in June 2013. According to news stories on these documents in the Washington Post and the Guardian, the NSA has engaged in a broad program of elec- tronic surveillance for counterterrorism purposes.2 Some of the reactions to these revelations have characterized the NSA’s actions as having a significant negative impact on the security of the Internet. Others have defended the actions of the NSA as a vital element in U.S. counterterror- ism efforts. Last, the above definition does not limit cybersecurity to technology. Indeed, one of the most important lessons to emerge from cybersecurity experience accumulated over several decades is that nontechnological factors can have an impact on cybersecurity that is at least as great as technology’s impact. A full consideration of cybersecurity necessarily entails significant attention to process (how users of information technol- ogy actually use it) and policy (how the organizations of which users are a part ask, incentivize, or require their users to behave). 1.2  CYBERSECURITY AND PUBLIC POLICY CONCERNS Cybersecurity has been an issue of public policy significance for a number of decades. For example, in 1991 the National Research Council wrote in Computers at Risk: We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable— to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can 2 A summary of these major revelations can be found in Dustin Volz, “Everything We Learned from Edward Snowden in 2013,” National Journal, December 31, 2013, available at http://www.nationaljournal.com/defense/everything-we-learned-from-edward-snowden- in-2013-20131231.

OCR for page 7
WHY CARE ABOUT CYBERSECURITY? 11 steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb. (p. 7) What is worrisome from a public policy perspective is that the words above, with only a few modifications, could just as easily have been writ- ten today. Today, cybersecurity is still a major issue—indeed, its signifi- cance has grown as our reliance on IT has increased. Table 1.1 illustrates some of the security consequences of the changes in the information technology environment in the past 20 years. The IT on which we rely is for the most part created, owned, and operated by the private sector, which means that improving the cyberse- curity posture of the nation will require action by relevant elements of the private sector. Nonetheless, many parties believe that the government has an important role in helping to address cybersecurity problems, in much the same way that the government has many responsibilities for national security, law enforcement, and other problems of societal scale. TABLE 1.1  Potential Security Consequences of More Than Two Decades’ Worth of Change in Information Technology (IT) Potential Security Consequence Change Since 1990 (illustrative, not comprehensive) Microprocessors, storage devices, More integration of IT into the communications links, and so on—the raw functions of daily life means more hardware underlying IT—demonstrate opportunities for malevolent actors to performance that is several orders of compromise those functions. magnitude more capable than their counterparts of 20 years ago. Devices for computing have shifted New security approaches are needed toward—or at least expanded to include— to secure battery-operated devices mobile computing: tablets, pads, smart with relatively little computational phones, smart watches, and so on. Desktop power. and laptop computers are still important to many end users, especially in business App stores can provide greater environments, but mobile devices are assurance about the security of ubiquitous today. Accompanying this installed software. change are new business models for providing software to end users—vendor- Enterprises cannot exercise total controlled or vendor-operated app control over computing resources stores are now common. Many corporate used on their behalf. employees use their personally owned computing devices for business purposes. continued

OCR for page 7
12 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY TABLE 1.1 Continued Potential Security Consequence Change Since 1990 (illustrative, not comprehensive) Cyberphysical systems are physical IT-based control of cyberphysical systems that are controlled at least in part systems means that cybersecurity by IT. Physical devices with embedded compromises can affect physical computing accept data from the physical systems and may cause death, world (through sensors such as cameras destruction, or physical damage. or thermometers) and/or cause changes in the physical world (through actuators such as a motor that causes something to move or a heater that heats a fluid). Such systems are everywhere—in manufacturing assembly lines, chemical production plants, power generation and transmission facilities, automobiles, airplanes, buildings, heating and cooling facilities, and so on— because IT helps to optimize the use and operation of these systems. Cloud computing has become increasingly Concentration of computing resourc- popular as a way for businesses (and es for many parties potentially offers individuals) to increase the efficiency a “big fat target” for malevolent ac- of their IT operations. By centralizing tors. Cloud computing infrastructure management and IT infrastructure, cloud may also provide malevolent actors a computing promises to reduce the cost of platform from which to launch their computing and increase its accessibility to attack. Greater centralization, how- a geographically dispersed user base. ever, enables providers of computing services to exercise tighter control over security by highly experienced and more expert security-knowledge- able administrators. The number of Internet users has grown Inexperienced users are more by at least two orders of magnitude in the untutored in the need for security past two decades, and hundreds of millions and are thus more vulnerable. of new users (perhaps as many as a billion) will begin to use the Internet as large parts A larger user base means a larger of Africa, South America, and Asia come number of potentially malevolent online in the next decade. Cyberphysical actors. devices will become increasingly connected to the Internet of Things, on the theory that network connections between these devices will enable them to operate more efficiently and effectively. The rise of social networking and Connectivity among friends and computing, as exemplified by applications contacts offers opportunities for such as Facebook and Twitter, is based on malevolent actors to improperly the ability of IT to bring large numbers of take advantage of trust people into contact with one another. relationships.

OCR for page 7
WHY CARE ABOUT CYBERSECURITY? 13 Public policy concerns about the effects of inadequate cybersecurity are often lumped into a number of categories: • Cybercrime. Cybercrime can be broadly characterized as the use of the Internet and IT to steal valuable assets (e.g., money) from their rightful owners or otherwise to take actions that would be regarded as criminal if these actions were taken in person, and a breach of security is usually an important element of the crime. Criminal activity using cyber means includes cyber fraud and theft of services (e.g., stealing credit card num- bers); cyber harassment and bullying (e.g., taking advantage of online anonymity to threaten a victim); cyber vandalism (e.g., defacing a Web site); penetration or circumvention of cybersecurity mechanisms intended to protect the privacy of communications or stored information (e.g., tapping a phone call without legal authorization); and impersonation or identity theft (e.g., stealing login names and passwords to forge e-mail or to improperly manipulate bank accounts). Loss of privacy and theft of intellectual property are also crimes (at least sometimes) but generally occupy their own categories of concern. Note also that in addition to the direct financial effects of cybercrime, measures taken to enhance cyberse- curity consume resources (e.g., money, talent) that could be better used to build improved products or services or to create new knowledge. And, in some cases, concerns about cybersecurity have been known to inhibit the use of IT for some particular application, thus leading to self-denial of the benefits such an application might bring. • Loss of privacy. Losses of privacy can result from the actions of oth- ers or of the individual concerned. Large-scale data breaches occur from time to time, for reasons including loss of laptops containing sensitive data and system penetrations by sophisticated intruders. Intruders have used the sound and video capabilities of home computers for blackmail and extortion. In other cases, individuals post information in their IT- based social networks without understanding the privacy implications of doing so, and are later surprised when such information is accessible to parties that they have not explicitly authorized for such access. Individu- als are concerned about the privacy of their data and communications, and a variety of U.S. laws guard against improper disclosure of such information. • Activism. Activism is often defined as nongovernmental efforts to promote, block, or protest social or political change. Compromises in cybersecurity have been used in some activist efforts in cyberspace, wherein activists may compromise the cybersecurity of an installation in an effort to make a political statement or to call attention to a cause, for example, by improperly obtaining classified documents for subsequent release or by defacing a public-facing Web site. Activism may also be an

OCR for page 7
14 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY expression of patriotism, e.g., defacement by citizens of Nation A of Web sites belonging to adversaries of Nation A. • Misappropriation of intellectual property such as proprietary software, R&D work, blueprints, trade secrets, and other product information. Con- cern over theft of intellectual property is especially pronounced when the targeted firms are part of the defense industrial base and supply key goods and services vital to national security. Although misappropriation of trade secrets is prohibited under international trade law, many coun- tries in the world conduct activities aimed at collecting information that might be economically useful to their domestic companies.3 Private com- panies also have incentives to undertake these latter activities, although in many cases some of such activity is forbidden by domestic laws. • Espionage. Espionage refers to one nation’s attempts to gather intel- ligence on other nations, where intelligence information includes informa- tion related to national security and foreign affairs. Cyber espionage refers to national-level entities conducting espionage activities using cyber means to obtain important intelligence information relevant to national security (such as classified documents). As a general rule, one nation’s col- lection of intelligence information about another nation is not prohibited under international law. • Denials (or disruption) of service. When services are not available when needed, the elements of society that rely on those services are inconvenienced and may be harmed. Denials of service per se do not necessarily entail actual damage to the facilities providing service. For example, an attacker might flood the telephone network with calls, mak- ing it impossible to place one, but as soon as the attacker stops, it again becomes possible to make a call. Denial of services is described further in Chapter 3. • Destruction of or damage to physical property. Such concerns fall into three general categories: — Individual cyberphysical systems, such as automobiles, airliners, and medical devices. Increasingly, computers control the opera- tion of such systems, and communications links, either wired or wireless, connect them to other computational devices. Thus, a malevolent actor might be able to improperly assume control of individual cyberphysical systems or to obtain information (e.g., medical information) that should be private. — Critical infrastructure, which includes multiple facilities for electric power generation and transmission, telecommunications, banking and finance, transportation, oil and gas production and storage, and water supply. Although failures in individual facilities 3 The U.S. government has an explicit policy against conducting such activities.

OCR for page 7
WHY CARE ABOUT CYBERSECURITY? 15 might be expected from time to time, near-simultaneous failure of multiple facilities might have catastrophic results, such as exten- sive loss of life, long-lasting disruption of the services that these facilities provide, or significant property damage and economic loss. Policy makers have become increasingly concerned about cyber threats to critical infrastructure emanating from both nations and terrorist groups. — Public confidence. Modern economies depend in large measure on public confidence in the institutions and services that support everyday activities. Under some circumstances, it is possible that even localized damage to some critical part of infrastructure (or even symbols of the nation, such as important monuments) could have a massive effect on public confidence, and thus certain types of attack that would not cause extensive actual damage must be considered to have some catastrophic potential as well. As far as is known publicly, actual destruction of or damage to physi- cal property to date has been a relatively rare occurrence, although there have been many incidents in the other categories outlined above. • Threats to national security and cyber war. U.S. armed forces depend heavily on IT for virtually every aspect of their capabilities—weapons sys- tems; systems for command, control, communications, and intelligence; systems for managing logistics; and systems for administration. Given that dependence, potential adversaries are developing ways to threaten the IT underlying U.S. military power.4 In addition, other nations are also using IT in the same ways that the United States is using it, for both military and civilian purposes, suggesting that the United States could itself seek opportunities to advance its national interests by going on the offensive in cyberspace. Concerns about the areas described above have made cybersecurity a hot topic that has garnered substantial public and government attention. In international circles too, such as the United Nations and NATO, as well as in bilateral relationships with parties such as China and the European Union, cybersecurity is moving higher on the agenda. But as important as cybersecurity is to the nation, progress in public policy to improve the nation’s cybersecurity posture has not been as rapid as might have been expected. One reason—perhaps the most important reason—is that cybersecurity is only one of a number of significant public policy issues—and measures taken to improve cybersecurity potentially 4 See, for example, U.S. Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011, available at www.defense.gov/news/d20110714cyber.pdf.

OCR for page 7
16 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY have negative effects in these other areas. Some of the most important conflicts arise with respect to: • Economics. The costs of action to improve cybersecurity beyond an individual organization’s immediate needs are high and not obviously necessary, and the costs of inaction are not borne by the relevant decision makers. Decision makers discount future possibilities so much that they do not see the need for present-day action. Also, cybersecurity is increas- ingly regarded as a part of risk management—an important part in many cases, but nonetheless only a part. And this reality is reflected in policy debates as well—with all of the competing demands for a share of govern- ment budgets and attention from senior policy makers, policy progress in cybersecurity has been slower than many have desired. • Innovation. The private sector is constantly trying to bring forward new applications and technologies that improve on old ways of perform- ing certain functions and offer useful new functions. But attention to security can slow bringing new products and services to market, with the result that new technologies and applications are often offered for general use without the benefit of a review for effective security. The public policy question is how to manage the tradeoff between the pace of innovation and a more robust security posture. • Civil liberties. Some measures proposed to improve cybersecurity for the nation potentially infringe on civil liberties, such as privacy, ano- nymity, due process, freedom of association, free speech, and due process. Advocates of such measures either argue that their favored measures do not infringe on civil liberties, or assert that the infringements are small and relatively insignificant. In some cases, potential infringements arise because changes in information technology have gone beyond the tech- nology base extant when important legal precedents were established. For example, a 1979 Supreme Court case (Smith vs. Maryland) held that metadata on phone calls (i.e., the phone numbers involved and the dura- tion and time of the call) was less worthy of privacy protection than was “content” information, that is, what the parties to a phone call actually say to each other. But the concept of metadata has come to mean “data asso- ciated with a communication that is not communications content,” and given the way modern electronic communications operate, the relevance of the 1979 precedent has been challenged as many analysts assert that metadata is more revealing than content information.5 5 See, for example, Susan Landau, “Highlights from Making Sense of Snowden, Part II: What’s Significant in the NSA Revelations,” IEEE Security and Privacy 12(1, January/ February):62-64, 2014, available at http://doi.ieeecomputersociety.org/10.1109/ MSP.2013.161. The sense in which metadata is or is not “more” revealing depends on context,

OCR for page 7
WHY CARE ABOUT CYBERSECURITY? 17 • International relations and national security. Because of the world- wide Internet and a global supply chain in which important elements of information technology are created, manufactured, and sold around the world, cyberspace does not have physical national borders. But the world is organized around nation-states and national governments, and every physical artifact of information technology is located somewhere. Conse- quently, one might expect cyberspace-related tensions to arise between nations exercising sovereignty over their national affairs and interacting with other nations—that is, in their international relations. 1.3  ORGANIZATION OF THIS REPORT Chapter 2 presents some fundamental concepts in information tech- nology that are necessary for understanding cybersecurity. Chapter 3 explores different kinds of cybersecurity threats and actors and explains what it means to compromise cybersecurity. Chapter 4 describes a variety of methods for strengthening and enhancing cybersecurity. Chapter 5 is devoted to a further discussion of key public policy issues relating to cybersecurity. Chapter 6 provides a number of takeaway findings. of course. Large-scale analysis of phone metadata reveals patterns of communication— the identities of communicating parties, and when and with what frequency such communications occur. For some people in some situations, a map of their communications patterns is more privacy-sensitive than what they are saying in their conversations or even in any one conversation; in other situations for other people, their patterns of communication are less sensitive.