CyberSecurity
There is no doubt that as individuals, as businesses, and as a nation as a whole, we are increasingly at risk if we choose to do nothing in the face of our growing infrastructure vulnerabilities. These risks are real. We don't need to wait for a catastrophe to occur - indeed we must not allow a catastrophe to occur - in order to recognize that much work needs to be done. - Ronald L. Dick, Director US National Infrastructure Protection Center September 5, 2001
From its origins, security was not built into the network as a feature and responsibility of the network. Instead, security was left to the ends of the network to implement. See End-to-End; ARPANET Information Brochure, Defense Communications Agency p. 8 1978 ("The ARPANET itself (the communications subnet or "backbone") contains no security features for privacy or for the protection of classified defense information transiting the network. Therefore, it is the responsibility of those sponsors and users operating hosts in the network to take steps to protect information resident or accessible through their host computers from access by unauthorized users and to provide protection against unauthorized access to classified information which may reside or be accessible via their host computer link to the network.")
Derived From: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705 (June 2007)
What is cyberspace?
National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD23) defines cyberspace as the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people. [2009 Review]
"Cybercrime is a threat to U.S. national economic and security interests. Various studies and expert opinion estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey. The estimated losses associated with particular crimes include $49.3 billion in 2006 for identity theft and $1 billion annually due to phishing. These projected losses are based on direct and indirect costs that may include actual money stolen, estimated cost of intellectual property stolen, and recovery cost of repairing or replacing damaged networks and equipment. In addition, there is concern about threats that nation-states and terrorists pose to our national security through attacks on our computer-reliant critical infrastructures and theft of our sensitive information. For example, according to the U.S.-China Economic and Security Review Commission report, Chinese military strategists write openly about exploiting the vulnerabilities created by the U.S. military's reliance on advanced technologies and the extensive infrastructure used to conduct operations. Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities. Despite the reported loss of money and information and known threats from adversaries, there remains a lack of understanding about the precise magnitude of cybercrime and its impact because cybercrime is not always detected or reported (cybercrime reporting is discussed further in our challenges section).
"Numerous public and private entities (federal agencies, state and local law enforcement, industry, and academia) have individual and collaborative responsibilities to protect against, detect, investigate, and prosecute cybercrime. The Departments of Justice (DOJ), Homeland Security (DHS), and Defense (DOD), and the Federal Trade Commission (FTC) have prominent roles in addressing cybercrime within the federal government. DOJ's FBI and DHS's U.S. Secret Service (Secret Service) are key federal organizations with responsibility for investigating cybercrime. State and local law enforcement organizations also have key responsibilities in addressing cybercrime. Private entities-Internet service providers, security vendors, software developers, and computer forensics vendors-focus on developing and implementing technology systems to protect against computer intrusions, Internet fraud, and spam and, if a crime does occur, detecting it and gathering evidence for an investigation. In addition, numerous partnerships have been established between public sector entities, between public and private sector entities, and internationally to address various aspects of cybercrime. For example, the Cyber Initiative and Resource Fusion Unit is a partnership established among federal law enforcement, academia, and industry to analyze cybercrime and determine its origin and how to fight it.
"Federal and state governments and other nations have enacted laws that apply to cybercrime and the legal recourse or remedies available. In addition, there are international agreements to improve the laws across nations and international cooperation on addressing cybercrime. Some federal statutes address specific types of cybercrime, while other federal statutes address both traditional crime and cybercrime."
Derived From: CRS Report (Mar 2009)
"In January 2008, the Bush Administration initiated the Comprehensive National Cybersecurity Initiative (the CNCI) to make the United States more secure against cyber threats. The Homeland Security Presidential Directive 23 and National Security Presidential Directive 54 establishing the CNCI are classified. Some details of the Initiative have been made public in Departmental press releases, speeches by executive branch leaders, and analysis and insight offered by individuals that follow cyber security and terrorism related issues. The CNCI “establishes the policy, strategy, and guidelines to secure federal systems.” The CNCI also delineates “an approach that anticipates future cyber threats and technologies, and requires the federal government to integrate many of its technical and organizational capabilities to better address sophisticated threats and vulnerabilities.” Subsequent to the issuance of the classified directives, congressional committees have held hearings regarding the CNCI and heard testimony from a commission established to address necessary cybersecurity reforms.
"Few details have been publicly released regarding the implementation activities or status of CNCI efforts since the establishment of the initiative. According to one media account, Steven Chabinsky, Deputy Director of the Joint Interagency Cyber Task Force for the Office of the DNI, stated at an information technology security conference that there are 12 objectives supporting the Initiative’s goal of comprehensively addressing the nation’s cyber security concerns. They are:
1. Move towards managing a single federal enterprise network;
2. Deploy intrinsic detection systems;
3. Develop and deploy intrusion prevention tools;
4. Review and potentially redirect research and funding;
5. Connect current government cyber operations centers;
6. Develop a government-wide cyber intelligence plan;
7. Increase the security of classified networks;
8. Expand cyber education;
9. Define enduring leap-ahead technologies;
10. Define enduring deterrent technologies and programs;
11. Develop multi-pronged approaches to supply chain risk management; and
12. Define the role of cyber security in private sector domains.
Threats | Agency |
Threats Against the Network | |
White House DHS Lead Agency (Prevention, Alerts, Info Sharing, Recovery) DOJ (enforcement, investigation) DOD DOC NSA CIA NSF (funding for R&D) |
Cyberwar | DOS, Bureau of Diplomatic Security, Office of Computer Security, Cyber Threat Analysis Division |
Telecommunications | FCC White House |
Threats Over the Network | |
Spam | FTC (Prevention, Consumer Info, Info Gathering, Enforcement) FCC (SMS Spam - Prevention, Enforcement) White House |
Fraud | FTC (Prevention, Consumer Info, Info Gathering, Enforcement) DOJ (Enforcement) White House |
ID Theft | FTC (Prevention, Consumer Info, Info Gathering, Enforcement) DOJ (Enforcement) White House |
Offensive Content on the Internet | DOJ (Enforcement) DHS |
Gambling | DOJ (Enforcement) |
eMedicine, Drugs | DOJ (Enforcement) |
Alcohol Tobacco Sales | DOJ (Enforcement) - ATF |
Hacks to Personal Computers | DOJ (Enforcement) White House |
CyberStalking | DOJ (Enforcement) - FBI |
Financial, Investing | Securities and Exchange Commission |
Illegal Wiretaps | DOJ (Enforcement) - FBI - Computer Crimes and Intellectual Property Section |
Research | NITRD |
Table 1: Sources of Cyber Threats
Threat Source | Description |
Foreign nations | "Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. According to the Director of National Intelligence, a growing array of state and nonstate adversaries are increasingly targeting—for exploitation and potential disruption or destruction— information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." |
Criminal groups | "There is an increased use of cyber intrusions by criminal groups that attack systems for monetary gain." |
Hackers | "Hackers sometimes crack into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, attack tools have become more sophisticated and easier to use." |
Hacktivists | "Hacktivism refers to politically motivated attacks on publicly accessible Web pages or e-mail servers. These groups and individuals overload e-mail servers and hack into Web sites to send a political message." |
Disgruntled insiders | "The disgruntled insider, working from within an organization, is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes contractor personnel." |
Terrorists | "Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. However, traditional terrorist adversaries of the United States have been less developed in their computer network capabilities than other adversaries. The Central Intelligence Agency believes terrorists will stay focused on traditional attack methods, but it anticipates growing cyber threats as a more technically competent generation enters the ranks." |
Network Service Provider |
End users (customers, or people attempting to communicate with customers, or customers of other vendors) entrust their communications to the network service provider. The network service provider in possession of the communications has the ability to monitor, observe, engage in espionage, profile, collect data, degrade, spoof, block, or reroute the traffic. The network service provider can also access equipment of the customer. Service providers can also fail to maintain the security of their infrastructure, making customer communications vulnerable to third parties. The customer may have no knowledge of the actions of the network service provider. The incentives of the network service provider may be commercial (data gathering for advertising or for profiling which is sold to third parties), espionage (if for instance the network service provider is controlled by a third party), and criminal activity. A network service provider's actions may be authorized pursuant to the consent of the end user, in excess of authorization, or unauthorized. See Common Carrier Liability; ECPA ISP; ISP; Privacy; CPNI. A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers, FTC Staff Report, i (Oct. 21, 2021), (stating "As the direct gateways to this essential and ubiquitous tool, internet service providers (“ISPs”) can monitor and record their customers’ every online move, giving them the ability to surveil consumers and amass large amounts of information on them as they go about their daily lives."); Ohm, Paul, The Rise and Fall of Invasive ISP Surveillance, 2009 U. Ill. L. Rev. 1417 (August 30, 2008), ("An ISP’s opportunity to invade user privacy stems from network architecture. 
The ISP operates the network chokepoint—its computers stand between the user and the rest of the Internet—and from this privileged vantage point it has access to all of its users’ private communications"); Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 173 (2009) (discussing information possessed by ISPs that can be obtained by law enforcement); Coggs v. Bernard 2 Ld. Raym. 909, 918, 92 Eng. Rep. 107, 112 (1703) And this is the case of the common carrier, common hoymen, master of a ship, etc. . . . The law charges this person thus intrusted to carry goods, against all events but acts of god, and of the enemies of the King. For though the force be never so great as if an irresistible multitude of people should rob him, nevertheless he is chargeable. And this is a politick establishment, contrived by the policy of the law, for the safety of all persons, the necessity of whose affairs oblige them to trust these sorts of persons, that they may be safe in their ways of dealing; for else these carriers might have an opportunity of undoing all persons that had any dealings with them, by combining with thieves, etc. and yet doing it in such a clandestine manner, as would not be possible to be discovered. And this is the reason the law is founded upon in that point. The second sort are bailees, factors and such like. And though a bailee is to have a reward for his management, yet he is only to do the best he can. And if he be robb'd etc., It is a good account . . .; Promoting the Privacy of Customers of Broadband and Other Telecom Services, WC Docket 16-106, Report and Order, para 28 (Nov. 2, 2016), rescinded by Congress ("we reaffirm our earlier finding that a broadband provider “sits at a privileged place in the network, the bottleneck between the customer and the rest of the Internet” —a position that we have referred to as a gatekeeper. 
As such, BIAS providers can collect “an unprecedented breadth” of electronic personal information.") |
Commercial Interests | Commercial interests that gather data about individual communications, creating profiles and aggregating data for purposes of advertising or for providing data to third parties (for instance, an application that is able to track geolocation and provides a retail store with information about which customers visit that store, including the customers' demographic information). This information could also be used for political purposes. |
Benevolent but negligent actors | A service or application provider that intends to provide a service or application but negligently maintains its security or infrastructure, making customers - or people whose data it holds - vulnerable to third-party attack. |
Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats, GAO-10-230T, p. 4 (Nov. 17, 2009) (citing FBI