Cybersecurity:
Authoritative Reports and Resources
Rita Tehan
Information Research Specialist October 25, 2013
Congressional Research Service
7-5700
www.crs.gov
R42507
Report Documentation Page
Form Approved OMB No. 0704-0188Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.
1. REPORT DATE
25 OCT 2013
2. REPORT TYPE3. DATES COVERED
00-00-2013 to 00-00-2013
4. TITLE AND SUBTITLE
Cybersecurity: Authoritative Reports and Resources
5a. CONTRACT NUMBER 5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER 5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Congressional Research Service,The Library of Congress ,101 Independence Ave, SE,Washington,DC,20540
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT
Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES 14. ABSTRACT
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF
ABSTRACT
Same as Report (SAR)
18. NUMBER OF PAGES
107
19a. NAME OF RESPONSIBLE PERSON a. REPORT
unclassified
b. ABSTRACT
unclassified
c. THIS PAGE
unclassified
Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
Cybersecurity: Authoritative Reports and Resources
Congressional Research Service
Summary
Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide.
Attacks have been initiated by individuals, as well as countries. Targets have included
government networks, military defenses, companies, or political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial
espionage, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a response problematic.
Congress has been actively involved in cybersecurity issues, holding hearings every year since 2001. There is no shortage of data on this topic: government agencies, academic institutions, think tanks, security consultants, and trade associations have issued hundreds of reports, studies, analyses, and statistics.
This report provides links to selected authoritative resources related to cybersecurity issues. This report includes information on
• “Legislation”
• “Executive Orders and Presidential Directives”
• “Data and Statistics”
• “Cybersecurity Glossaries”
• “CRS Reports by Topic”
• Government Accountability Office (GAO) reports
• White House/Office of Management and Budget reports
• Military/DOD
• Cloud Computing
• Critical Infrastructure
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• Cybercrime/Cyberwar
• International
• Education/Training/Workforce
• Research and Development (R&D)
• “Related Resources: Other Websites”
The report will be updated as needed.
Cybersecurity: Authoritative Reports and Resources
Contents
Introduction ... 1
Legislation ... 1
CRS Reports and Other CRS Products: Legislation ... 1
Hearings in the 113
thCongress ... 4
Hearings in the 112
thCongress ... 10
Executive Orders and Presidential Directives ... 20
Data and Statistics ... 24
Cybersecurity Glossaries ... 31
CRS Reports by Topic ... 33
CRS Reports and Other CRS Products Overview: Cybersecurity Policy Framework ... 33
CRS Reports: Critical Infrastructure ... 63
CRS Reports and Other CRS Products: Cybercrime and National Security ... 72
Related Resources: Other Websites ... 97
Tables Table 1. Major Legislation: Senate (113
thCongress) ... 2
Table 2. Major Legislation: House (113
thCongress) ... 2
Table 3. Major Legislation: Senate (112
thCongress) ... 3
Table 4. Senate Floor Debate: S. 3414 (112
thCongress) ... 3
Table 5. Major Legislation: House (112
thCongress) ... 4
Table 6. House Hearings (113
thCongress), by Date ... 5
Table 7. House Hearings (113
thCongress), by Committee ... 6
Table 8. House Markup (113
thCongress), by Date ... 8
Table 9. Senate Hearings (113
thCongress), by Date ... 8
Table 10. Other Hearings (113
thCongress), by Date ... 9
Table 11. Senate Hearings (113
thCongress), by Committee ... 9
Table 12. Other Hearings (113
thCongress), by Committee ... 9
Table 13. House Hearings (112
thCongress), by Date ... 11
Table 14. House Hearings (112
thCongress), by Committee ... 13
Table 15. House Markups (112
thCongress), by Date ... 16
Table 16. Senate Hearings (112
thCongress), by Date ... 16
Table 17. Senate Hearings (112
thCongress), by Committee... 17
Table 18. Congressional Committee Investigative Reports ... 19
Table 19. Executive Orders and Presidential Directives ... 21
Table 20. Data and Statistics: Cyber Incidents, Data Breaches, Cybercrime ... 25
Table 21. Glossaries of Cybersecurity Terms ... 31
Table 22. Selected Reports: Cybersecurity Overview ... 34
Table 23. Selected Government Reports: Government Accountability Office (GAO) ... 38
Table 24. Selected Government Reports: White House/Office of Management and Budget ... 45
Cybersecurity: Authoritative Reports and Resources
Congressional Research Service
Table 25. Selected Government Reports: Department of Defense (DOD) ... 48
Table 26. Selected Government Reports: National Strategy for Trusted Identities in Cyberspace (NSTIC) ... 53
Table 27. Selected Government Reports: Other Federal Agencies ... 54
Table 28. Selected Reports: Cloud Computing ... 59
Table 29. Selected Reports: Critical Infrastructure ... 64
Table 30. Selected Reports: Cybercrime/Cyberwar ... 73
Table 31. Selected Reports: International Efforts ... 80
Table 32. Selected Reports: Education/Training/Workforce ... 89
Table 33. Selected Reports: Research & Development (R&D) ... 94
Table 34. Related Resources: Congressional/Government ... 97
Table 35. Related Resources: International Organizations ... 99
Table 36. Related Resources: News ... 100
Table 37. Related Resources: Other Associations and Institutions ... 101
Contacts Author Contact Information... 102
Key Policy Staff ... 102
Cybersecurity: Authoritative Reports and Resources
Introduction
Cybersecurity is a sprawling topic that includes national, international, government, and private industry dimensions. In the 113
thCongress, 5 bills have been introduced in the Senate and 7 in the House. More than 40 bills and resolutions with provisions related to cybersecurity were
introduced in the first session of the 112
thCongress, including several proposing revisions to current laws. In the 111
thCongress, the total was more than 60. Several of those bills received committee or floor action, but none became law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.
This report provides links to cybersecurity hearings and legislation under consideration in the 113
thCongress and those considered in the 112
thCongress, as well as executive orders and presidential directives, data and statistics, glossaries, and authoritative reports.
For CRS analysis, please see the collection of CRS reports found on the Issues in Focus:
Cybersecurity site.
Legislation
No major legislative provisions relating to cybersecurity have been enacted since 2002, despite many recommendations made over the past decade. The Obama Administration sent Congress a package of legislative proposals in May 2011
1to give the federal government new authority to ensure that corporations that own the assets most critical to the nation’s security and economic prosperity are adequately addressing the risks posed by cybersecurity threats.
Cybersecurity legislation advanced in both chambers in the 112
thCongress. The House passed a series of bills that address a variety of issues—from toughening law enforcement of cybercrimes to giving the Department of Homeland Security oversight of federal information technology and critical infrastructure security to lessening liability for private companies that adopt cybersecurity best practices. The Senate pursued a comprehensive cybersecurity bill with several committees working to create a single vehicle for passage, backed by the White House—to no avail. The Senate bill also got mired in a procedural dispute over amendments.
Table 1 and Table 2 provide lists of Senate and House legislation under consideration in the 113
thCongress, in order by date introduced. When viewed in HTML, the bill numbers are active links to the Bill Summary and Status page in the Legislative Information Service (LIS).
CRS Reports and Other CRS Products: Legislation
• CRS Legal Sidebar, House Intelligence Committee Marks Up Cybersecurity Bill CISPA, Richard M. Thompson II
• CRS Legal Sidebar, Privacy and Civil Liberties Issues Raised by CISPA, Andrew Nolan
• CRS Legal Sidebar, CISPA, Private Actors, and the Fourth Amendment, Richard M. Thompson
1