The IT Law Wiki
Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives.[1]
Security in cyberspace (i.e., cybersecurity) is about technologies, processes, and policies that help to prevent and/or reduce the negative impact of events in cyberspace that can happen as the result of deliberate actions against information technology by a hostile or malevolent actor.[2]
America's economic prosperity in the 21st century will depend on cybersecurity.[3]

Definitions

General

Cybersecurity (also called cyberspace security and cyber security) is

a discipline, or set of technologies, that seeks to enforce policies relating to several different aspects of computer use and electronic communication.[4]
[s]trategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.[5]
the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.[6]
the prevention of damage to, unauthorized use of, or exploitation of, and, if needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. Cybersecurity includes protection and restoration, when needed, of information networks and wireline, wireless, satellite, public safety answering points, and 911 communications systems and control systems. Cybersecurity is a major concern of both the government and the private sector.[7]
all the approaches taken to protect data, systems, and networks from deliberate attack as well as accidental compromise, ranging from preparedness to recovery.[8]
the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber-environment and organization, as well as user's, assets.[9]
analysis, warning, information sharing, vulnerability reduction, risk mitigation and recovery efforts for networked information systems.[10]
a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might best be described as measures intended to protect information systems — including technology (such as devices, networks, and software), information, and associated personnel from various forms of attack.[11]
the protection of investor and firm information from compromise through the use — in whole or in part — of electronic digital media, (e.g., computers, mobile devices or Internet protocol-based telephony systems).[12]

Cybersecurity is the security of cyberspace.[13]

ITU

Cybersecurity is

the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability; Integrity, which may include authenticity and non-repudiation; Confidentiality.[14]

Background

The nation's cybersecurity challenge stems from threats from a wide array of actors who seek to compromise the confidentiality, integrity, and availability of elements of cyberspace by exploiting flaws in the design, implementation, configuration, and operation of information technology systems. This cybersecurity threat faces individuals, organizations of all sizes, and government at all levels.[15]

"Cybersecurity issues arise because of three factors taken together — the presence of malevolent actors in cyberspace, societal reliance on IT for many important functions, and the inevitable presence of vulnerabilities in IT systems that malevolent actors can take advantage of."[16] "Cybersecurity problems result from the complexity of modern IT systems and human fallibility in making judgments about what actions and information are safe or unsafe from a cybersecurity perspective."[17]

"[C]ybersecurity is a complex subject whose understanding requires knowledge and expertise from multiple disciplines, including but not limited to computer science and information technology, psychology, economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law. Although technical measures are an important element, cybersecurity is not primarily a technical matter, although it is easy for policy analysts and others to get lost in the technical details. Furthermore, what is known about cybersecurity is often compartmented along disciplinary lines, reducing the insights available from cross-fertilization."[18] "Cyberspace is particularly difficult to secure due to a number of factors: the ability of malicious actors to operate from anywhere in the world, the linkages between cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences in complex cyber networks."[19]

Cybersecurity is intertwined with the physical security of assets — from computers, networks, and their infrastructure to the environment surrounding these systems. Cybersecurity is a major concern of both the federal government and the private sector.

Cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize a network in unpredictable ways.

Cybersecurity has been called "one of the most urgent national security problems facing the new administration."[20] In a speech during his first presidential campaign, President Obama promised to "make cyber security the top priority that it should be in the 21st century . . . and appoint a National Cyber Advisor who will report directly" to the President.[21]

Cybersecurity is a cross-cutting field that affects many government and non-governmental stakeholders. As such, one of the most basic concerns, but most difficult to address, is that the term itself can carry different connotations for the various entities. For example, the U.S. military views cyberspace as a warfighting domain as well as a force enabler, enhancing troops’ ability to operate in real-time and with improved situational awareness. For the Department of Defense, cybersecurity takes on an offensive or defensive national security role. For other government stakeholders, cybersecurity means information security, or securing the information that resides on cyber infrastructure such as telecommunications networks, or the processes these networks enable. And for some, cybersecurity means protecting the information infrastructure from a physical or electronic attack.

Another cybersecurity difficulty for the government is balancing the protection of civil liberties and individual privacy protections with the desire for comprehensive security of networks and information. It is difficult to secure information infrastructures and their content without tradeoffs between security and the freedoms associated with the Internet. Many concerned about civil liberties fear that the executive branch will use its national security powers and national defense mandate as justification for encroaching on privacy without adequate oversight. Others regard security measures, such as network traffic monitoring, as a violation of the Universal Declaration of Human Rights, which states that "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence."[22] Complicating the issue is a lack of consensus on the definition of "privacy" in the context of the Internet, and a lack of consensus on what sort of government resolution may be necessary as a network security measure.

Threats to cybersecurity

"[T]hreats to cybersecurity evolve, and adversaries — especially at the high-end part of the threat spectrum — constantly adopt new tools and techniques to compromise security when defenses are erected to frustrate them. As information technology becomes more ubiquitously integrated into society, the incentives to compromise the security of deployed IT systems grow. Thus, enhancing the cybersecurity posture of a system — and by extension the organization in which it is embedded — must be understood as an ongoing process rather than something that can be done once and then forgotten."[23]

"The interconnectedness and openness that the Internet, digital networks, and devices allow have also made securing our cyber landscape a task of unparalleled difficulty. As the world becomes more dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Beyond the resulting economic losses and national security threats, our privacy, civil liberties, and constitutional rights — even the voting system that underlies our democracy — all become vulnerable. For now, technological advancement continues to outpace security and will continue to do so unless shifts in our cybersecurity strategies — and how well we implement those strategies — are made."[24]

Federal role

The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure (CI). More than 50 statutes address various aspects of cybersecurity.

Figure 1 is a simplified schematic diagram of major agency responsibilities in cybersecurity. In general, the National Institute of Standards and Technology (NIST) develops standards that apply to federal civilian ICT under the Federal Information Security Management Act of 2002 (FISMA), and the Office of Management and Budget (OMB) is responsible for overseeing their implementation. The Department of Defense (DOD) is responsible for military ICT, defense of the nation in cyberspace, and, through the National Security Agency (NSA), security of national security systems (NSS), which handle classified information. NSA is also part of the Intelligence Community (IC). The Department of Homeland Security (DHS) has operational responsibility for protection of federal civilian systems and is the lead agency coordinating federal efforts assisting the private sector in protecting CI assets. It is also the main federal focus of information sharing for civilian systems through its National Cybersecurity and Communications Integration Center (NCCIC). The Department of Justice (DOJ) is the lead agency for enforcement of relevant laws.

[Figure 1: Major agency responsibilities in cybersecurity (image not reproduced)]

In February 2015, the Obama Administration also established, via presidential memorandum, the Cyber Threat Intelligence Integration Center (CTIIC) under the Director of National Intelligence (DNI). Its purposes are to provide integrated analysis on cybersecurity threats and incidents affecting national interests across the federal government and to support relevant government entities, including the NCCIC and others at DOD and DOJ.

International aspects

There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation.

A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings.

The global aspects of cyberspace present key challenges to U.S. policy (see table). Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace.

[Table: Key challenges to U.S. policy presented by the global aspects of cyberspace (not reproduced)]

Consumer acceptance

Cyber security has largely failed to gain wide adoption in many consumer products for a variety of reasons, including a lack of appreciation for consequences of insecurity, the difficulty of developing secure products, performance and cost penalties, user inconvenience, logistical problems for organizations in implementing and consistently maintaining security practices, and the difficulty of assessing the value of security improvements. But consumer and enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of "cyberterrorism," and the pervasiveness of IT uses.

Consequently, many in the computer industry have come to recognize that the industry’s continued ability to gain consumer confidence in new, more capable applications will depend on improved software development and systems engineering practices and the adoption of strengthened security models.

References

  1. International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World.
  2. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 9.
  3. President Barack Obama, "Remarks by the President on Securing Our Nation's Cyber Infrastructure" (May 29, 2009).
  4. Big Data and Privacy: A Technological Perspective, at 33.
  5. NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
  6. National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23).
  7. Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise, Glossary, D-2.
  8. Massachusetts Inst. of Tech., The Future of the Electric Grid 208 (2011) (full-text).
  9. Global Strategic Report, at 27.
  10. Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World-Principles and Guidelines, at 14.
  11. Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, at 1 n.1.
  12. Report on Cybersecurity Practices, at 3.
  13. Cybersecurity: Selected Issues for the 115th Congress, at 1.
  14. ITU, List of Security-Related Terms and Definitions (full-text).
  15. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making, at 1.
  16. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 2.
  17. Id.
  18. Id. at 5.
  19. Department of Homeland Security, The 2014 Quadrennial Homeland Security Review, at 39 (June 18, 2014) (full-text).
  20. Securing Cyberspace for the 44th Presidency.
  21. July 17, 2008 speech at Purdue University.
  22. Article 12 of the Universal Declaration of Human Rights (full-text).
  23. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 2-3.
  24. Report on Securing and Growing the Digital Economy, at 3.
