Most people in modern society encounter computing and communications technologies all day, every day. Offices and stores and factories and street vendors and taxis are filled with computers, even if the computers are not openly visible. People type at the keyboard of computers or tablets and use their smart phones daily. People’s personal lives involve computing through social networking, home management, communication with family and friends, and management of personal affairs. The operation of medical devices implanted in human bodies is controlled by embedded (built-in) microprocessors.
A much larger collection of information technology (IT) is instrumental in the day-to-day operations of companies, organizations, and government. Companies large and small rely on computers for diverse business processes ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development (R&D). The distribution of food and energy from producer to retail consumer depends on computers and networks at every stage. Nearly everyone (in everyday society, business, government, and the military services) relies on wireless and wired digital communications systems. IT is used to execute the principal business processes in government and in many of the largest sectors of the economy, including financial services, health care, utilities, transportation, and retail and management services. Indeed, the architecture of today’s enterprise IT systems is the very embodiment of the critical business logic in complex enterprises. Today, it is impossible to imagine the Walmarts, the FedExes, the Amazons, and even the “traditional” industries such as manufacturing without IT.
Today and increasingly in the future, computing and communications technologies (collectively, information technologies) are found and will be more likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification cards, telephones, and medical devices (including some embedded in human beings). These devices will be connected—the so-called Internet of Things. Computing will be embedded in myriad places and objects; even today, computing devices are easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and actuators. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically.
In this emerging era of truly pervasive computing, the ubiquitous integration of computing and communications technologies into common everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and their professional lives. And, as has been true with previous generations of IT, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.
It is in the context of this technology-rich environment that the term “cyberspace” often arises. Although “cyberspace” does not have a single agreed-upon definition,1 some things can be said about how the term is used in this report. First, cyberspace is not a physical place, although many elements of cyberspace are indeed physical, do have volume and mass, and are located at points in physical space that can be specified in three spatial dimensions. Second, cyberspace includes but is not limited to the Internet—cyberspace also includes computers (some of which are attached to the Internet and some not) and networks (some of which may be part of the Internet and some not). Third, cyberspace includes many intangibles, such as information and software and how different elements of cyberspace are connected to each other.
So a rough definition might be that cyberspace consists of artifacts based on or dependent on computing and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements. But the reader should keep in mind that this is a rough and approximate definition and not a precise one.
1 For example, a Cisco blog post sought to compare 11 different definitions of cyberspace. See Damir Rajnovic, “Cyberspace—What Is It?,” Cisco Blogs, July 26, 2012, available at https://blogs.cisco.com/security/cyberspace-what-is-it/.
Given our dependence on cyberspace, we want and need our information technologies to do what they are supposed to do and only when they are supposed to do it. We also want these technologies to not do things they are not supposed to do. And we want these things to be true in the face of deliberately hostile or antisocial actions.
Cybersecurity issues arise because of three factors taken together. First, we live in a world in which there are parties that will act in deliberately hostile or antisocial ways—parties that would do us harm or separate us from our money or violate our privacy or steal our ideas. Second, we rely on IT for a large and growing number of societal functions. Third, IT systems, no matter how well constructed (and many are not as well constructed as the state of the art would allow), inevitably have vulnerabilities that the bad guys can take advantage of.
Thus, a loosely stated definition of cybersecurity is the following: Security in cyberspace (i.e., cybersecurity) is about technologies, processes, and policies that help to prevent and/or reduce the negative impact of events in cyberspace that can happen as the result of deliberate actions against information technology by a hostile or malevolent actor.
To go beyond this loosely stated definition of cybersecurity, it is necessary to elaborate on the meaning of “impact,” on what makes impact “negative,” and on what makes an actor “hostile” or “malevolent.”
By definition, an action that changes the functionality of a given information artifact (software or hardware) has impact—Chapter 3 discusses different kinds of impact that are related to cybersecurity. But any given impact can be positive or negative and any actor can be virtuous or malevolent, depending on the perspective of the parties involved—that is, who is a perpetrator and who is a target.
In many cases with which readers of this report are likely to be concerned, the meanings of these terms are both reasonably clear and shared. For example, with respect to the information technology on which law-abiding U.S. citizens and organizational entities rely, what makes an impact negative is that their information technology no longer works as these parties expect it to work. By contrast, if criminals and terrorists are relying on such technologies and it is the U.S. government that takes actions to render their technologies inoperative, the impact would usually be seen as positive.
Similarly, many repressive regimes put into place various mechanisms in cyberspace to monitor communications of dissidents. These regimes may regard as “malevolent actors” those who help dissidents breach the security of these mechanisms and circumvent government monitoring, but others may well regard such parties as virtuous rather than malevolent actors. Compromising the cybersecurity of an Internet-based mechanism for conducting surveillance against such parties has a negative impact from the standpoint of these regimes, but a positive impact for those seeking to open up these regimes.
There are also cases of concern to readers of this report in which the meanings of “negative” and “malevolent” may not be shared. Consider the debate over Internet surveillance by the National Security Agency (NSA) sparked by the revelations of Edward Snowden starting in June 2013. According to news stories on these documents in the Washington Post and the Guardian, the NSA has engaged in a broad program of electronic surveillance for counterterrorism purposes.2 Some of the reactions to these revelations have characterized the NSA’s actions as having a significant negative impact on the security of the Internet. Others have defended the actions of the NSA as a vital element in U.S. counterterrorism efforts.
Last, the above definition does not limit cybersecurity to technology. Indeed, one of the most important lessons to emerge from cybersecurity experience accumulated over several decades is that nontechnological factors can have an impact on cybersecurity that is at least as great as technology’s impact. A full consideration of cybersecurity necessarily entails significant attention to process (how users of information technology actually use it) and policy (how the organizations of which users are a part ask, incentivize, or require their users to behave).
Cybersecurity has been an issue of public policy significance for a number of decades. For example, in 1991 the National Research Council wrote in Computers at Risk:
We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable—to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb. (p. 7)
2 A summary of these major revelations can be found in Dustin Volz, “Everything We Learned from Edward Snowden in 2013,” National Journal, December 31, 2013, available at http://www.nationaljournal.com/defense/everything-we-learned-from-edward-snowdenin-2013-20131231.
What is worrisome from a public policy perspective is that the words above, with only a few modifications, could just as easily have been written today. Today, cybersecurity is still a major issue—indeed, its significance has grown as our reliance on IT has increased. Table 1.1 illustrates some of the security consequences of the changes in the information technology environment in the past 20 years.
The IT on which we rely is for the most part created, owned, and operated by the private sector, which means that improving the cybersecurity posture of the nation will require action by relevant elements of the private sector. Nonetheless, many parties believe that the government has an important role in helping to address cybersecurity problems, in much the same way that the government has many responsibilities for national security, law enforcement, and other problems of societal scale.
TABLE 1.1 Potential Security Consequences of More Than Two Decades’ Worth of Change in Information Technology (IT)
|Change Since 1990||Potential Security Consequence (illustrative, not comprehensive)|
|Microprocessors, storage devices, communications links, and so on—the raw hardware underlying IT—demonstrate performance that is several orders of magnitude more capable than their counterparts of 20 years ago.||More integration of IT into the functions of daily life means more opportunities for malevolent actors to compromise those functions.|
|Devices for computing have shifted toward—or at least expanded to include—mobile computing: tablets, pads, smart phones, smart watches, and so on. Desktop and laptop computers are still important to many end users, especially in business environments, but mobile devices are ubiquitous today. Accompanying this change are new business models for providing software to end users—vendor-controlled or vendor-operated app stores are now common. Many corporate employees use their personally owned computing devices for business purposes.||New security approaches are needed to secure battery-operated devices with relatively little computational power. App stores can provide greater assurance about the security of installed software. Enterprises cannot exercise total control over computing resources used on their behalf.|
|Cyberphysical systems are physical systems that are controlled at least in part by IT. Physical devices with embedded computing accept data from the physical world (through sensors such as cameras or thermometers) and/or cause changes in the physical world (through actuators such as a motor that causes something to move or a heater that heats a fluid). Such systems are everywhere—in manufacturing assembly lines, chemical production plants, power generation and transmission facilities, automobiles, airplanes, buildings, heating and cooling facilities, and so on—because IT helps to optimize the use and operation of these systems.||IT-based control of cyberphysical systems means that cybersecurity compromises can affect physical systems and may cause death, destruction, or physical damage.|
|Cloud computing has become increasingly popular as a way for businesses (and individuals) to increase the efficiency of their IT operations. By centralizing management and IT infrastructure, cloud computing promises to reduce the cost of computing and increase its accessibility to a geographically dispersed user base.||Concentration of computing resources for many parties potentially offers a “big fat target” for malevolent actors. Cloud computing infrastructure may also provide malevolent actors a platform from which to launch their attack. Greater centralization, however, enables providers of computing services to exercise tighter control over security by highly experienced and more expert security-knowledgeable administrators.|
|The number of Internet users has grown by at least two orders of magnitude in the past two decades, and hundreds of millions of new users (perhaps as many as a billion) will begin to use the Internet as large parts of Africa, South America, and Asia come online in the next decade. Cyberphysical devices will become increasingly connected to the Internet of Things, on the theory that network connections between these devices will enable them to operate more efficiently and effectively.||Inexperienced users are more untutored in the need for security and are thus more vulnerable. A larger user base means a larger number of potentially malevolent actors.|
|The rise of social networking and computing, as exemplified by applications such as Facebook and Twitter, is based on the ability of IT to bring large numbers of people into contact with one another.||Connectivity among friends and contacts offers opportunities for malevolent actors to improperly take advantage of trust relationships.|
Public policy concerns about the effects of inadequate cybersecurity are often lumped into a number of categories:
• Cybercrime. Cybercrime can be broadly characterized as the use of the Internet and IT to steal valuable assets (e.g., money) from their rightful owners or otherwise to take actions that would be regarded as criminal if these actions were taken in person, and a breach of security is usually an important element of the crime. Criminal activity using cyber means includes cyber fraud and theft of services (e.g., stealing credit card numbers); cyber harassment and bullying (e.g., taking advantage of online anonymity to threaten a victim); cyber vandalism (e.g., defacing a Web site); penetration or circumvention of cybersecurity mechanisms intended to protect the privacy of communications or stored information (e.g., tapping a phone call without legal authorization); and impersonation or identity theft (e.g., stealing login names and passwords to forge e-mail or to improperly manipulate bank accounts). Loss of privacy and theft of intellectual property are also crimes (at least sometimes) but generally occupy their own categories of concern. Note also that in addition to the direct financial effects of cybercrime, measures taken to enhance cybersecurity consume resources (e.g., money, talent) that could be better used to build improved products or services or to create new knowledge. And, in some cases, concerns about cybersecurity have been known to inhibit the use of IT for some particular application, thus leading to self-denial of the benefits such an application might bring.
• Loss of privacy. Losses of privacy can result from the actions of others or of the individual concerned. Large-scale data breaches occur from time to time, for reasons including loss of laptops containing sensitive data and system penetrations by sophisticated intruders. Intruders have used the sound and video capabilities of home computers for blackmail and extortion. In other cases, individuals post information in their IT-based social networks without understanding the privacy implications of doing so, and are later surprised when such information is accessible to parties that they have not explicitly authorized for such access. Individuals are concerned about the privacy of their data and communications, and a variety of U.S. laws guard against improper disclosure of such information.
• Activism. Activism is often defined as nongovernmental efforts to promote, block, or protest social or political change. Compromises in cybersecurity have been used in some activist efforts in cyberspace, wherein activists may compromise the cybersecurity of an installation in an effort to make a political statement or to call attention to a cause, for example, by improperly obtaining classified documents for subsequent release or by defacing a public-facing Web site. Activism may also be an expression of patriotism, e.g., defacement by citizens of Nation A of Web sites belonging to adversaries of Nation A.
• Misappropriation of intellectual property such as proprietary software, R&D work, blueprints, trade secrets, and other product information. Concern over theft of intellectual property is especially pronounced when the targeted firms are part of the defense industrial base and supply key goods and services vital to national security. Although misappropriation of trade secrets is prohibited under international trade law, many countries in the world conduct activities aimed at collecting information that might be economically useful to their domestic companies.3 Private companies also have incentives to undertake these latter activities, although in many cases some of such activity is forbidden by domestic laws.
• Espionage. Espionage refers to one nation’s attempts to gather intelligence on other nations, where intelligence information includes information related to national security and foreign affairs. Cyber espionage refers to national-level entities conducting espionage activities using cyber means to obtain important intelligence information relevant to national security (such as classified documents). As a general rule, one nation’s collection of intelligence information about another nation is not prohibited under international law.
• Denials (or disruption) of service. When services are not available when needed, the elements of society that rely on those services are inconvenienced and may be harmed. Denials of service per se do not necessarily entail actual damage to the facilities providing service. For example, an attacker might flood the telephone network with calls, making it impossible to place one, but as soon as the attacker stops, it again becomes possible to make a call. Denial of services is described further in Chapter 3.
• Destruction of or damage to physical property. Such concerns fall into three general categories:
—Individual cyberphysical systems, such as automobiles, airliners, and medical devices. Increasingly, computers control the operation of such systems, and communications links, either wired or wireless, connect them to other computational devices. Thus, a malevolent actor might be able to improperly assume control of individual cyberphysical systems or to obtain information (e.g., medical information) that should be private.
—Critical infrastructure, which includes multiple facilities for electric power generation and transmission, telecommunications, banking and finance, transportation, oil and gas production and storage, and water supply. Although failures in individual facilities might be expected from time to time, near-simultaneous failure of multiple facilities might have catastrophic results, such as extensive loss of life, long-lasting disruption of the services that these facilities provide, or significant property damage and economic loss. Policy makers have become increasingly concerned about cyber threats to critical infrastructure emanating from both nations and terrorist groups.
3 The U.S. government has an explicit policy against conducting such activities.
—Public confidence. Modern economies depend in large measure on public confidence in the institutions and services that support everyday activities. Under some circumstances, it is possible that even localized damage to some critical part of infrastructure (or even symbols of the nation, such as important monuments) could have a massive effect on public confidence, and thus certain types of attack that would not cause extensive actual damage must be considered to have some catastrophic potential as well.
As far as is known publicly, actual destruction of or damage to physical property to date has been a relatively rare occurrence, although there have been many incidents in the other categories outlined above.
• Threats to national security and cyber war. U.S. armed forces depend heavily on IT for virtually every aspect of their capabilities—weapons systems; systems for command, control, communications, and intelligence; systems for managing logistics; and systems for administration. Given that dependence, potential adversaries are developing ways to threaten the IT underlying U.S. military power.4 In addition, other nations are also using IT in the same ways that the United States is using it, for both military and civilian purposes, suggesting that the United States could itself seek opportunities to advance its national interests by going on the offensive in cyberspace.
Concerns about the areas described above have made cybersecurity a hot topic that has garnered substantial public and government attention. In international circles too, such as the United Nations and NATO, as well as in bilateral relationships with parties such as China and the European Union, cybersecurity is moving higher on the agenda.
But as important as cybersecurity is to the nation, progress in public policy to improve the nation’s cybersecurity posture has not been as rapid as might have been expected. One reason—perhaps the most important reason—is that cybersecurity is only one of a number of significant public policy issues—and measures taken to improve cybersecurity potentially have negative effects in these other areas. Some of the most important conflicts arise with respect to:
• Economics. The costs of action to improve cybersecurity beyond an individual organization’s immediate needs are high and not obviously necessary, and the costs of inaction are not borne by the relevant decision makers. Decision makers discount future possibilities so much that they do not see the need for present-day action. Also, cybersecurity is increasingly regarded as a part of risk management—an important part in many cases, but nonetheless only a part. And this reality is reflected in policy debates as well—with all of the competing demands for a share of government budgets and attention from senior policy makers, policy progress in cybersecurity has been slower than many have desired.
• Innovation. The private sector is constantly trying to bring forward new applications and technologies that improve on old ways of performing certain functions and offer useful new functions. But attention to security can slow bringing new products and services to market, with the result that new technologies and applications are often offered for general use without the benefit of a review for effective security. The public policy question is how to manage the tradeoff between the pace of innovation and a more robust security posture.
• Civil liberties. Some measures proposed to improve cybersecurity for the nation potentially infringe on civil liberties, such as privacy, anonymity, due process, freedom of association, and free speech. Advocates of such measures either argue that their favored measures do not infringe on civil liberties, or assert that the infringements are small and relatively insignificant. In some cases, potential infringements arise because changes in information technology have gone beyond the technology base extant when important legal precedents were established. For example, a 1979 Supreme Court case (Smith vs. Maryland) held that metadata on phone calls (i.e., the phone numbers involved and the duration and time of the call) was less worthy of privacy protection than was “content” information, that is, what the parties to a phone call actually say to each other. But the concept of metadata has come to mean “data associated with a communication that is not communications content,” and given the way modern electronic communications operate, the relevance of the 1979 precedent has been challenged as many analysts assert that metadata is more revealing than content information.5
5 See, for example, Susan Landau, “Highlights from Making Sense of Snowden, Part II: What’s Significant in the NSA Revelations,” IEEE Security and Privacy 12(1, January/February):62-64, 2014, available at http://doi.ieeecomputersociety.org/10.1109/MSP.2013.161. The sense in which metadata is or is not “more” revealing depends on context, of course. Large-scale analysis of phone metadata reveals patterns of communication—the identities of communicating parties, and when and with what frequency such communications occur. For some people in some situations, a map of their communications patterns is more privacy-sensitive than what they are saying in their conversations or even in any one conversation; in other situations for other people, their patterns of communication are less sensitive.
• International relations and national security. Because of the worldwide Internet and a global supply chain in which important elements of information technology are created, manufactured, and sold around the world, cyberspace does not have physical national borders. But the world is organized around nation-states and national governments, and every physical artifact of information technology is located somewhere. Consequently, one might expect cyberspace-related tensions to arise between nations exercising sovereignty over their national affairs and interacting with other nations—that is, in their international relations.
Chapter 2 presents some fundamental concepts in information technology that are necessary for understanding cybersecurity. Chapter 3 explores different kinds of cybersecurity threats and actors and explains what it means to compromise cybersecurity. Chapter 4 describes a variety of methods for strengthening and enhancing cybersecurity. Chapter 5 is devoted to a further discussion of key public policy issues relating to cybersecurity. Chapter 6 provides a number of takeaway findings.