Nations are increasingly dependent on information and information technology. Companies rely on computers for diverse business processes ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development. Distribution of food, water, and energy is dependent on computers and networks at every stage, as is delivery of transportation, health care, and financial services. Modern military forces use weapons that are computer controlled. Even more important, the movements and actions of military forces are increasingly coordinated through computer-based networks that allow information and common pictures of the battlefield to be shared. Logistics are entirely dependent on computer-based scheduling and optimization.
In light of this dependence on information technology, cybersecurity is increasingly important to the nation, and cyberspace is vulnerable to a broad spectrum of hackers, criminals, terrorists, and state actors. Working in cyberspace, these malevolent actors can steal money, intellectual property, or classified information; snoop on private conversations; impersonate law-abiding parties for their own purposes; harass or bully innocent people anonymously; damage important data; destroy or disrupt the operation of physical machinery controlled by computers; or deny the availability of normally accessible services.
A number of factors, such as the September 11, 2001, attacks and higher levels of cyber espionage directed at private companies and government agencies in the United States, have deepened concerns about the vulnerability of the information technology (IT) on which the nation
relies. For example, policy makers have become increasingly concerned that adversaries backed by considerable resources will attempt to exploit the cyber vulnerabilities in the critical infrastructure, thereby inflicting substantial harm on the nation. Numerous policy proposals have been advanced, and a number of bills have been introduced in Congress to tackle parts of the cybersecurity challenge.
It is to help decision makers and the interested public make informed choices that this report was assembled. The report is fundamentally a primer on issues at the nexus of public policy and cybersecurity that leverages insights developed in work by the National Research Council’s Computer Science and Telecommunications Board over more than two decades on practical measures for cybersecurity, technical and nontechnical challenges, and potential policy responses.
This report defines cyberspace broadly as the artifacts based on or dependent on computing and communications technology; the information that these artifacts use, store, handle, or process; and how these various elements are connected. Security in cyberspace (i.e., cybersecurity) is about technologies, processes, and policies that help to prevent and/or reduce the negative impact of events in cyberspace that can happen as the result of deliberate actions against information technology by a hostile or malevolent actor.
Cybersecurity issues arise because of three factors taken together—the presence of malevolent actors in cyberspace, societal reliance on IT for many important functions, and the inevitable presence of vulnerabilities in IT systems that malevolent actors can take advantage of. Despite these factors, however, we still expect information technologies to do what they are supposed to do and only when they are supposed to do it, and to never do things they are not supposed to do. Fulfilling this expectation is the purpose of cybersecurity.
Against this backdrop, it appears that cybersecurity is a never-ending battle, and a permanently decisive solution to the problem will not be found in the foreseeable future.1 Cybersecurity problems result from the complexity of modern IT systems and human fallibility in making judgments about what actions and information are safe or unsafe from a cybersecurity perspective. Furthermore, threats to cybersecurity evolve, and adversaries—especially at the high-end part of the threat spectrum—constantly adopt new tools and techniques to compromise security when defenses are erected to frustrate them. As information technology becomes more ubiquitously integrated into society, the incentives to compromise the security of deployed IT systems grow. Thus, enhancing the cybersecurity posture of a system—and by extension the organization
1 Text in boldface constitutes the report’s findings.
in which it is embedded—must be understood as an ongoing process rather than something that can be done once and then forgotten.
Ultimately, the relevant policy question is not how the cybersecurity problem can be solved, but rather how it can be made manageable. Societal problems related to the existence of war, terrorism, crime, hunger, drug abuse, and so on are rarely “solved” or taken off the policy agenda once and for all. The salience of such problems waxes and wanes, depending on circumstances, and no one expects such problems to be solved so decisively that they will never reappear—and the same is true for cybersecurity.
At the same time, improvements to the cybersecurity posture of individuals, firms, government agencies, and the nation have considerable value in reducing the loss and damage that may be associated with cybersecurity breaches. A well-defended target is less attractive to many malevolent actors than are poorly defended targets. In addition, defensive measures force a malevolent actor to expend time and resources to adapt, thus making intrusion attempts slower and more costly and possibly helping to deter future intrusions.
Improvements to cybersecurity call for two distinct kinds of activity: efforts to more effectively and more widely use what is known about improving cybersecurity, and efforts to develop new knowledge about cybersecurity. The gap in security between the U.S. national cybersecurity posture and the threat has two parts. The first part (Part 1) of the gap is the difference between what our cybersecurity posture is and what it could be if known best cybersecurity practices and technologies were widely deployed and used. The second part (Part 2) is the gap between the strongest posture possible with known practices and technologies and the threat as it exists (and will exist). The Part 1 gap is primarily nontechnical in nature (requiring, e.g., research relating to economic or psychological factors regarding the use of known practices and techniques, enhanced educational efforts to promote security-responsible user behavior, and incentives to build organizational cultures with higher degrees of security awareness). Closing the Part 1 gap does not require new technical knowledge of cybersecurity per se, but rather the application of existing technical knowledge. Research will be needed to understand how better to promote deployment and use of such knowledge. Closing the Part 2 gap is where new technologies and approaches are needed, and is the fundamental rationale for technical research in cybersecurity.
Publicly available information and policy actions to date have been insufficient to motivate an adequate sense of urgency and ownership of cybersecurity problems afflicting the United States as a nation. For a number of years, the cybersecurity issue has received increasing public attention, and a greater amount of authoritative information regarding
cybersecurity threats is available publicly. But all too many decision makers still focus on the short-term costs of improving their own organizational cybersecurity postures, and little has been done to harness market forces to address matters related to the cybersecurity posture of the nation as a whole. If the nation’s cybersecurity posture is to be improved to a level that is higher than the level to which today’s market will drive it, the market calculus that motivates organizations to pay attention to cybersecurity must be altered in some fashion.
Cybersecurity is important to the nation, but the United States has other interests as well, some of which conflict with the imperatives of cybersecurity. Tradeoffs are inevitable and will have to be accepted through the nation’s political and policy-making processes. Senior policy makers have many issues on their agenda, and they must set priorities for the issues that warrant their attention. In an environment of many competing priorities, reactive policy making is often the outcome. Support for efforts to prevent a disaster that has not yet occurred is typically less than support for efforts to respond to a disaster that has already occurred. In cybersecurity, this tendency is reflected in the notion that “no or few attempts have yet been made to compromise the cybersecurity of application X, and why would anyone want to do so anyway?,” thus justifying why immediate attention and action to improve the cybersecurity posture of application X can be deferred or studied further.
Progress in cybersecurity policy has also stalled at least in part because of conflicting equities. As a nation, we want better cybersecurity, yes, but we also want a private sector that innovates rapidly, and the convenience of not having to worry about cybersecurity, and the ability for applications to interoperate easily and quickly with one another, and the right to no diminution in our civil liberties, and so on. Although research and deeper thought may reveal that, in some cases, tradeoffs between security and these other equities are not as stark as they might appear at first glance, policy makers will have to confront rather than elide tensions when they are irreconcilable, and honest acknowledgment and discussion of the tradeoffs (e.g., a better cybersecurity posture may reduce the nation’s innovative capability, may increase the inconvenience of using information technology, may reduce the ability to collect intelligence) will go a long way toward building public support for a given policy position.
The use of offensive operations in cyberspace as an instrument to advance U.S. interests raises many important technical, legal, and policy questions that have yet to be aired publicly by the U.S. government. Some of these questions involve topics such as U.S. offensive capabilities in cyberspace, rules of engagement, doctrine for the use of offensive capabilities, organizational responsibilities within the Department of Defense and the intelligence community, and a host of other
topics related to offensive operations. It is likely that behind the veil of classification, these topics have been discussed at length. The resulting opacity has many undesirable consequences, but one of the most important consequences is that the role offensive capabilities could play in defending important information technology assets of the United States cannot be discussed fully.
What is sensitive about offensive U.S. capabilities in cyberspace is generally the fact of U.S. interest in a specific technology for cyberattack (rather than the nature of that technology itself); fragile and sensitive operational details that are not specific to the technologies themselves (e.g., the existence of a covert operative in a specific foreign country, a particular vulnerability, a particular operational program); or U.S. knowledge of the capabilities and intentions of specific adversaries. Such information is legitimately classified but is not particularly relevant for a discussion about what U.S. policy should be. That is, unclassified information provides a generally reasonable basis for understanding what can be done and for policy discussions that focus primarily on what should be done.
In summary, cybersecurity is a complex subject whose understanding requires knowledge and expertise from multiple disciplines, including but not limited to computer science and information technology, psychology, economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law. Although technical measures are an important element, cybersecurity is not primarily a technical matter, although it is easy for policy analysts and others to get lost in the technical details. Furthermore, what is known about cybersecurity is often compartmented along disciplinary lines, reducing the insights available from cross-fertilization.
This report emphasizes two central ideas. The cybersecurity problem will never be solved once and for all. Solutions to the problem, limited in scope and longevity though they may be, are at least as much nontechnical as technical in nature.