Cyber Crime & National Security

"DOD has committed billions of dollars to developing, maintaining, and employing warfighting capabilities that rely on access to the electromagnetic spectrum. According to DOD, electronic warfare capabilities play a critical and potentially growing role in ensuring the U.S. military's access to and use of the electromagnetic spectrum. GAO [Government Accountability Office] was asked to assess the extent to which DOD (1) developed a strategy to manage electronic warfare and (2) planned, organized, and implemented an effective governance structure to oversee its electronic warfare policy and programs and their relationship to cyberspace operations. GAO analyzed policies, plans, and studies related to electronic warfare and cyberspace operations and interviewed cognizant DOD officials. [...] GAO recommends that DOD should (1) include in its future electronic warfare strategy reports to Congress certain key characteristics, including performance measures, key investments and resources, and organizational roles and responsibilities; (2) define objectives and issue an implementation plan for the Joint Electromagnetic Spectrum Control Center; and (3) update key departmental guidance to clearly define oversight roles, responsibilities, and coordination for electronic warfare management, and the relationship between electronic warfare and cyberspace operations. DOD generally concurred with these recommendations, except that the strategy should include performance measures. GAO continues to believe this recommendation has merit."

"Since 1997, GAO [Government Accountability Office] has designated federal information security as a government-wide high risk area, and in 2003 expanded this area to include computerized systems supporting the nation's critical infrastructure. In February 2015, in its high risk update, GAO further expanded this area to include protecting the privacy of personal information that is collected, maintained, and shared by both federal and nonfederal entities. FISMA [Federal Information Security Management Act] required federal agencies to develop, document, and implement an agency-wide information security program. The act also assigned OMB [Office of Management and Budget] with overseeing agencies' implementation of security requirements. FISMA also included a provision for GAO to periodically report to Congress on (1) the adequacy and effectiveness of agencies' information security policies and practices and (2) agencies' implementation of FISMA requirements. GAO analyzed information security-related reports and data from 24 federal agencies, their inspectors general, and OMB; reviewed prior GAO work; examined documents from OMB and DHS; and spoke to agency officials. GAO is recommending that OMB, in consultation with DHS and others, enhance security program reporting guidance to inspectors general so that the ratings of agency security performance will be consistent and comparable. OMB generally concurred with our recommendation."

The number of cyber incidents reported by federal agencies increased in fiscal year 2013 significantly over the prior 3 years (see figure). An effective response to a cyber incident is essential to minimize any damage that might be caused. DHS [Department of Homeland Security] and US-CERT [the United States Computer Emergency Readiness Team] have a role in helping agencies detect, report, and respond to cyber incidents. GAO [Government Accountability Office] was asked to review federal agencies' ability to respond to cyber incidents. To do this, GAO reviewed the extent to which (1) federal agencies are effectively responding to cyber incidents and (2) DHS is providing cybersecurity incident assistance to agencies. To do this, GAO used a statistical sample of cyber incidents reported in fiscal year 2012 to project whether 24 major federal agencies demonstrated effective response activities. In addition, GAO evaluated incident response policies, plans, and procedures at 6 randomly-selected federal agencies to determine adherence to federal guidance. GAO also examined DHS and US-CERT policies, procedures, and practices, and surveyed officials from the 24 federal agencies on their experience receiving incident assistance from DHS.

"This report provides references to analytical reports on cybersecurity from CRS, other government agencies, trade associations, and interest groups. The reports and related websites are grouped under the following cybersecurity topics: [1] Policy overview [2] National Strategy for Trusted Identities in Cyberspace (NSTIC) [3] Cloud computing and the Federal Risk and Authorization Management Program (FedRAMP) [4] Critical infrastructure [5] Cybercrime, data breaches, and data security [6] National security, cyber espionage, and cyberwar (including Stuxnet) [7] International efforts [8] Education/training/workforce [9] Research and development (R&D). In addition, the report lists selected cybersecurity-related websites for congressional and government agencies; news; international organizations; and other organizations, associations, and institutions."

"Presidential Decision Directive 63, or PDD-63, identified activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; electric power, oil and gas production; and storage. In addition, the PDD identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense. In February 2013, the Obama Administration issued PPD-21, Critical Infrastructure Security and Resilience, which superseded HSPD-7 issued during the George W. Bush Administration. PPD-21 made no major changes in policy, roles and responsibilities, or programs, but did order an evaluation of the existing public-private partnership model, the identification of baseline data and system requirements for efficient information exchange, and the development of a situational awareness capability. PPD-21 also called for an update of the National Infrastructure Protection Plan, and a new Research and Development Plan for Critical Infrastructure, to be updated every four years.This report serves as a starting point for congressional staff assigned to cover cybersecurity issues as they relate to critical infrastructure. Much is written about protecting U.S. critical infrastructure, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues."

"As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea. Much is written on this topic, and this CRS [Congressional Research Service] report directs the reader to authoritative sources that address many of the most prominent issues."

"This report provides links to cybersecurity legislation in the 112th, 113th, 114th, and 115th Congresses. Congress has held cybersecurity hearings every year since 2001. This report also provides links to cybersecurity-related committee hearings in the 113th, 114th, and 115th Congresses."

"Along with the rest of the U.S. government, the Department of Defense (DoD) depends on cyberspace to function. It is difficult to overstate this reliance; DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe. DoD uses cyberspace to enable its military, intelligence, and business operations, including the movement of personnel and material and the command and control of the full spectrum of military operations. The Department and the nation have vulnerabilities in cyberspace. Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity -- the security of the technologies that we use each day. Moreover, the continuing growth of networked systems, devices, and platforms means that cyberspace is embedded into an increasing number of capabilities upon which DoD relies to complete its mission. Today, many foreign nations are working to exploit DoD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DoD's information infrastructure. Moreover, non-state actors increasingly threaten to penetrate and disrupt DoD networks and systems. We recognize that there may be malicious activities on DoD networks and systems that we have not yet detected. DoD, working with its interagency and international partners, seeks to mitigate the risks posed to U.S. and allied cyberspace capabilities, while protecting and respecting the principles of privacy and civil liberties, free expression, and innovation that have made cyberspace an integral part of U.S. prosperity and security. How the Department leverages the opportunities of cyberspace, while managing inherent uncertainties and reducing vulnerabilities, will significantly impact U.S. defensive readiness and national security for years to come."

"The United States is committed to an open, secure, interoperable, and reliable Internet that enables prosperity, public safety, and the free flow of commerce and ideas. These qualities of the Internet reflect core American values -- of freedom of expression and privacy, creativity, opportunity, and innovation. And these qualities have allowed the Internet to provide social and economic value to billions of people. Within the U.S. economy alone, anywhere from three to 13 percent of business sector value-added is derived from Internet-related businesses. Over the last ten years Internet access increased by over two billion people across the globe.. Yet these same qualities of openness and dynamism that led to the Internet's rapid expansion now provide dangerous state and non-state actors with a means to undermine U.S. interests. […] This strategy recognizes that effective cybersecurity will require close collaboration within DoD and across the federal government, with industry, with international allies and partners, and with state and local governments. The pursuit of security in cyberspace requires a whole-of-government and international approach due to the number and variety of stakeholders in the domain, the flow of information across international borders, and the distribution of responsibilities, authorities, and capabilities across governments and the private sector. For each of DoD's missions, DoD must continue to develop routine relationships and processes for coordinating its cyber operations."

From the Introduction: "Emerging trends indicate that the pace of economic espionage and trade secret theft against U.S. corporations is accelerating. There appears to be multiple vectors of attack for persons and governments seeking to steal trade secrets. Foreign competitors of U.S. corporations, some with ties to foreign governments, have increased their efforts to steal trade secret information through the recruitment of current or former employees. Additionally, there are indications that U.S. companies, law firms, academia, and financial institutions are experiencing cyber intrusion activity against electronic repositories containing trade secret information. Trade secret theft threatens American businesses, undermines national security, and places the security of the U.S. economy in jeopardy. These acts also diminish U.S. export prospects around the globe and put American jobs at risk. [...] Departments across the U.S. government have roles in protecting trade secrets and preserving our nation's economic and national security. This strategy recognizes the crucial role of trade secrets in the U.S. economy and sets out a means for improved coordination within the U.S. government to protect them."

"[I]n order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security, it is hereby ordered as follows: Section 1. Establishment. There is established within the Department of Commerce the Commission on Enhancing National Cybersecurity (Commission). Sec. 2. Membership. (a) The Commission shall be composed of not more than 12 members appointed by the President. The members of the Commission may include those with knowledge about or experience in cybersecurity, the digital economy, national security and law enforcement, corporate governance, risk management, information technology (IT), privacy, identity management, Internet governance and standards, government administration, digital and social media, communications, or any other area determined by the President to be of value to the Commission. […] Sec. 3. Mission and Work. The Commission will make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. The Commission's recommendations should address actions that can be taken over the next decade to accomplish these goals."

This testimony compilation is from the March 4, 2015 hearing, "Cyber Operations: Improving the Military Cyber Security Posture in an Uncertain Threat Environment," before the U.S. House Committee on Armed Services. From the statement of Michael Rogers: "USCYBERCOM [U.S. Cyber Command] is a subunified command of U.S. Strategic Command; we are based at Fort Meade, Maryland. Approximately 1,100 people (military, civilians, and contractors) serve at USCYBERCOM, with a Congressionally-appropriated budget for Fiscal Year 2015 of approximately $509 million for Operations and Maintenance (O&M), Research, Development, Test and Evaluation (RDT&E), and military construction (MILCON). USCYBERCOM also includes its key Service cyber components: Army Cyber Command/Second Army, Marine Forces Cyberspace Command, Fleet Cyber Command/Tenth Fleet, and Air Forces Cyber/24th Air Force. Our collective missions are to direct the operation and defense of the Department of Defense's information networks while denying adversaries (when authorized) the freedom to maneuver against the United States and its allies in and through cyberspace." Statements, letters and materials submitted for the record include those of the following: Michael Rogers, Edward Cardon, Jan Tighe, Daniel O'Donohue and Burke Wilson.

This testimony compilation made by the HSDL staff is from the March 1, 2017 hearing, "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," before the U.S. House of Representatives Committee on Armed Services. The purpose of this hearing was to discuss cyber-warfare in the 21st century, and the various threats, challenges, and opportunities afforded by ever increasing cyber capabilities of both allies and enemies. Statements, letters, and materials submitted for the record include those of the following: Jason Healey, Martin C. Libicki, and Peter Singer.

This is a testimony compilation of the July 13, 2016 hearing on "Digital Acts of War: Evolving the Cybersecurity Conversation" held before the Subcommittee on National Security, Subcommittee on Information Technology, House Committee on Oversight and Government Reform. From the statement of Aaron Hughes: "Recognizing that DoD relies heavily on cyberspace for virtually everything we do, the Department's Cyber Strategy guides our efforts in cyberspace. The Strategy directs the Department to focus its efforts on three primary missions in cyberspace: (1) defend DoD information networks to ensure DoD mission effectiveness, (2) defend the United States against cyberattacks of significant consequence, and (3) provide full-spectrum cyber options to support contingency plans and military operations." Statements, letters, and materials submitted for the record include those of the following: Aaron Hughes, Chris Painter, Keith Alexander, Sean Kanuck, and Peter Warren Singer.

This testimony is from the July 16, 2015 hearing on "Global Perspective on Cyber Threats," before the U.S. House of Representatives, Committee on Appropriations. From the opening statement of Frank J. Cilluffo: "The U.S. financial services sector in particular is in the crosshairs as a primary target. To give you a sense of the magnitude of the problem, consider the following figures which were provided to me recently by a major U.S. bank on a not-for-attribution basis: just last week, they faced 30,000 cyber- attacks. This amounts to an attack every 34 seconds, each and every day. And these are just the attacks that the bank actually knows about, by virtue of a known malicious signature or IP address. […] This pace is magnified by the speed at which technologies continue to evolve and by the fact that our adversaries continue to adapt their tactics, techniques and procedures in order to evade and defeat our prevention and response measures. Against this background, a strong detection and mitigation program is just as necessary as a strong defense. […] The financial services sector understands this well and should therefore serve as a model for other sectors which are simply not as far along on the learning curve. Indeed, up until recently, even the financial sector invested overwhelmingly (85%) in prevention ." Statements, letters, and materials submitted for the record include those of the following: Frank J. Cilluffo, Michael Madon, and Richard Bejtlich

This is the September 29, 2015 hearing held before the Senate Committee on Armed Services entitled "United States Cybersecurity Policy and Threats." From the opening statement of committee chairman John McCain: "We meet at a critical time for the defense of our nation from cyberattacks. In just the past year, the United States has been attacked in cyberspace by Iran, North Korea, China, and Russia. Indeed, since our last cyber hearing in March, these attacks have only increased, crippling or severely disrupting networks across the government and private sector and compromising sensitive national security information. Recent attacks against the Joint Chiefs of Staff, the Pentagon, and the Office of Personnel Management are just the latest examples of the growing boldness of our adversaries and their desire to push the limits of acceptable behavior in cyberspace. New intrusions, breaches, and hacks are occurring daily." Statements, letters, and materials submitted for the record include those of the following: "James Clapper, Robert Work, and Michael Rogers.

This is the June 28, 2012 hearing on "Economic Espionage: A Foreign Intelligence Threat to American Jobs and Homeland Security," held before the U.S. House Committee on Homeland Security, Subcommittee on Counterterrorism and Intelligence. From the opening statement of Billy Long: "The National unemployment rate currently stands at 8.2 percent, and our Nation faces economic headwinds. Over the last 2 years, we have examined many threats to the U.S. homeland. However, today's hearing provides an opportunity, a unique opportunity, for Members on the subcommittee to examine an issue that affects both National security and American competitiveness and job security. This is an issue that touches small and medium-sized businesses in Congressional districts all across America. Foreign economic and industrial espionage against the United States represents a significant and growing threat to the Nation's prosperity, American jobs, and National security. The primary strengths of the private sector in the United States are its tangible assets, including research and development, intellectual property, sophisticated business processes, and enforceable contracts." Statements, letters, and materials submitted for the record include those of the following: Billy Long, Brian Higgins, Stuart Graham, John P. Woods, C. Frank Figliuzzi, and Gregory C. Wilshusen.

This is the May 21, 2014 hearing titled "Assessing Persistent and Emerging Cyber Threats to the U.S. in the Homeland." It was presented as a Joint Hearing before the U.S. House of Representatives Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security. From the opening statement of the honorable Peter King: "The expanding number of cyber actors, ranging from nationstates to terrorists to criminals, as well as increasing attack capability and the increasing intensity of cyber attacks around the globe, have made cyber warfare and cyber crime one of the most significant threats facing the United States. […] Over the last decade the threats facing the United States have become more diverse, as have the tools for conducting attacks and waging war. While the United States has made great strides to secure the homeland since 9/11, our enemies have evolved, and we must now consider that a foreign adversary, terrorist network, or a criminal organization will use cyberspace to penetrate America's defenses. […] The subcommittees are meeting today to hear testimony examining persistent and emerging cyber threats to the United States." Statements, letters, and materials submitted for the record include those of the following: Glenn Lemons, Joseph Demarest, and Larry Zelvin.

"Threats to US national security will expand and diversify in the coming year, driven in part by China and Russia as they respectively compete more intensely with the United States and its traditional allies and partners. This competition cuts across all domains, involves a race for technological and military superiority, and is increasingly about values. Russia and China seek to shape the international system and regional security dynamics and exert influence over the politics and economies of states in all regions of the world and especially in their respective backyards. [...] The post-World War II international system is coming under increasing strain amid continuing cyber and WMD proliferation threats, competition in space, and regional conflicts. Among the disturbing trends are hostile states and actors' intensifying online efforts to influence and interfere with elections here and abroad and their use of chemical weapons. Terrorism too will continue to be a top threat to US and partner interests worldwide, particularly in Sub-Saharan Africa, the Middle East, South Asia, and Southeast Asia. The development and application of new technologies will introduce both risks and opportunities, and the US economy will be challenged by slower global economic growth and growing threats to US economic competitiveness."

"The Information in Warfare Group of the U.S. Army War College is proud to publish 'China's Cyber Power and America's National Security' by Colonel Jayson M. Spade. This effort represents the first research paper published outside the annual 'Information as Power' student anthology as a stand-alone monograph. There are several reasons for this distinction. Spade's work is exceptionally well-researched and written as evidenced by its receipt of the Armed Forces Communications and Electronics Association (AFCEA) writing award in 2011. Additionally, the topic of cyber power and national security remains a wicked U.S. national security problem that requires thoughtful and scholarly discourse toward a possible solution. To that end, Spade masterfully pushes the body of knowledge forward in this paper. Originally submitted as a Strategy Research Project, this monograph examines the growth of Chinese cyber power and their known and demonstrated capabilities for offensive, defensive and exploitive computer network operations. Comparing China's capacity and potential to the United States' current efforts for cyber security, Spade highlights the degree to which the People's Republic of China's cyber power poses a threat to United States' national security and offers proposals to improve future U.S. policy for cyber security and defense."

From the thesis abstract: "Self-attribution is a public declaration of responsibility for the conduct of an operation. It is distinguished from covert operations, where perpetrators provide no such acknowledgement and attempt to conceal their identities. Although self-attribution is always an option, this thesis examines legal and strategic reasons for a nation state to publically [sic] acknowledge its role in the conduct of a cyber-operation. The central result is that whereas neither international law nor national policy requires self-attribution, under certain strategic conditions it may be preferred."

From the thesis abstract: "The United States power grid is a logical target for a major cyber attack because it connects all of the nation's critical infrastructures with electricity. Attackers consistently exploit vulnerabilities of the bulk power system and are close to being able to disrupt electrical distribution. We live in a world that is interconnected, from personal online banking to government infrastructure; consequently, network security and defense are needed to safeguard the digital information and controls for these systems. The cyber attack topic has developed into a national interest because high-profile network breaches have introduced fear that computer network hacks and other security-related attacks have the potential to jeopardize the integrity of the nation's critical infrastructure. The national and economic security of the United States depends on a reliable, functioning critical infrastructure. A comprehensive understanding of the effects of a massive power failure may help promote changes in the way cyber security is run on our most important critical infrastructure: the national power grid. This study investigates the robustness of the power grid's network system, the collaboration between public and private sectors against cyber threats, and mitigation requirements in areas of weakened controls such as program planning and management, access controls, application software development, and system software and service continuity controls."

"The United States (U.S.) and its allies face an ever growing cyber threat. The emergence of the cyber domain has brought cyber threats and vulnerabilities to the forefront of U.S. national security. The ability to effectively operate defensively and offensively in cyberspace is crucial to U.S. military forces. Considering cyber is still relatively in its infancy, we can learn a lot from previous experiences in adopting a new domain for military operations. The rise of air power during the first half of the 20th century and the ascension of space power during the second half of the 20th century provides a backdrop for comparing against current cyber policies, strategies, and regulations."

"For more than fifty years, North American Aerospace Defense Command (NORAD) has been responsible for conducting aerospace warning and control missions for the defense of North America. In accomplishing those operations, Commander NORAD is responsible for making the official warning to both the president of the United States and the prime minister of Canada if North America is suddenly under aerospace attack. Now, with the dramatic increase in worldwide cyberspace events, NORAD has begun examining its own potential role within this new domain. Would involving NORAD in the military cyber attack warning process, leveraging its unique and proven binational structure, provide any advantages to both nations? To analyze this question, this essay traces NORAD's warning mission history, discusses the basic concepts involved with 'cyber attacks,' identifies key U.S. and Canadian military cyber organizations, and examines significant U.S. and Canadian cyberspace government policies. It then proposes three potential new courses of action for NORAD, identifying advantages, disadvantages, and proposed solutions to implementation. The essay ends by recommending that NORAD advocate for unrestricted cyberspace national event conference participation. This would be a realistic, achievable first step offering significant improvement in both NORAD's cyber attack situational awareness, as well as improving overall operational responsiveness."

"The Center for Internet Security (CIS) is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. The practical CIS Benchmarks support available high level standards that deal with the 'Why, Who, When, and Where' aspects of IT security by detailing 'How' to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology specific controls. CIS Scoring Tools analyze and report system compliance with the technical control settings in the Benchmarks. The CIS Benchmarks and Scoring Tools are available for download free of charge to the Internet community from this web site."

"The Office of Cybersecurity and Communications (CS&C), within the National Protection and Programs Directorate, is responsible for enhancing the security, resilience, and reliability of the Nation's cyber and communications infrastructure. CS&C works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services. CS&C leads efforts to protect the federal '.gov' domain of civilian government networks and to collaborate with the private sector--the '.com' domain--to increase the security of critical networks. In addition, the National Cybersecurity and Communications Integration Center (NCCIC) serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and communications incident integration. As the Sector-Specific Agency for the Communications and Information Technology (IT) sectors, CS&C coordinates national-level reporting that is consistent with the National Response Framework (NRF). Congress created the Office of the Assistant Secretary for Cybersecurity and Communications in 2006. CS&C carries out its mission through its five divisions: The Office of Emergency Communications (OEC); The National Cybersecurity and Communications Integration Center (NCCIC); Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR); Federal Network Resilience (FNR); and Network Security Deployment (NSD). In addition, CS&C operates the Enterprise Performance Management Office, which ensures that the Assistant Secretary's strategic goals and priorities are reflected across all CS&C programs; measures the effectiveness of initiatives, programs, and projects that support those goals and priorities; and facilitates cross-functional mission coordination and implementation between CS&C components, within DHS, and among the interagency."

This website contains top news stories, press releases, videos, photos, and relevant links related to the area of cybersecurity in the United States.