AAAS Policy Brief: Cybersecurity
President Barack Obama has identified attacks on cyber networks as one of the most serious threats that Americans face today; recent attacks, such as those by the “hacktivist” group Anonymous, and threats from terrorist organizations like Al Qaeda, or even other nations, put government agencies, private corporations, and individuals at risk. In the past few years, the Departments of Defense (DoD), Homeland Security (DHS), Commerce, and NASA have been targeted by cyber criminals. These agencies depend on their networks to communicate and conduct business on a daily basis. Local networks keep businesses, schools, hospitals, and homes running, and electrical grids provide power to the entire country; interruptions of service or destruction of these networks could prove catastrophic to public health and the national economy.
In a 2009 statement, the President said that protecting these digital infrastructures from intruders is vital to our national security and economic well-being. In order to prevent future attacks, we need new strategies that will help the government and private sector work together to keep our networks secure. On October 11, 2012, a few days after American infrastructure was targeted by cyber criminals, U.S. Defense Chief Leon Panetta implored private business owners to coordinate their efforts to protect their networks. He warned that we are in a “pre-9/11 moment,” and that there are criminals who are “seeking to create advanced tools to attack [our] systems and cause panic, destruction, and even loss of life” (Deasy, 2012). Then, in February 2013, President Obama signed an executive order that increases information sharing between the government and the private sector in order to enhance national security.
What Are the Threats?
Common cyber threats include spam, phishing, and spyware. Spam is unsolicited material that typically arrives through email or messenger accounts, and it is used to spread malicious software, or malware, that is meant to disrupt normal computer operations (such as Trojan horses or worms); phishing allows hackers to obtain confidential information such as personal passwords; and spyware is software that monitors computer activity without users’ knowledge (GAO, 2005). While these tools are used to commit cyber crimes around the globe, the United States hosts 20.3 percent of the world’s malware (second only to Russia, which hosts 23.2 percent) (Rapoza, 2012). According to a recent report, approximately 30 percent of U.S. computers are infected with malware (Panda Labs, 2012).
The Obama Administration has become increasingly concerned by recent acts of cyber-terrorism—attacks by terrorist organizations or governments on critical infrastructure systems, such as electrical and nuclear power plants, transportation systems, and water treatment facilities.
In 2011, the Pentagon announced that it had been the target of a cyber attack by a foreign government that stole massive amounts of sensitive data. In 2012, China successfully hacked the DoD’s Common Access Card system (Tilghman, 2012), and NASA alone reported over 5,000 cybersecurity incidents. While China and Russia appear to be the main culprits of cyber crime against American systems, Iran is also emerging as a new threat to the United States.
Federal Government Initiatives
In response to the Oklahoma City bombing in 1995, former President Bill Clinton issued Presidential Decision Directive 39, which authorized the Attorney General to oversee a Critical Infrastructure Working Group that was tasked with identifying vulnerabilities in American infrastructure. After receiving the working group’s report, President Clinton established the President’s Commission on Critical Infrastructure Protection, which produced a report containing recommendations for developing infrastructure security strategies. While Clinton’s efforts did not result in long-run solutions, he did establish cybersecurity as a national priority (Greenwald, 2010).
After the 9/11 terrorist attacks in 2001, Congress established the DHS, which took over most government cybersecurity initiatives. In 2008, President George W. Bush launched the Comprehensive National Cybersecurity Initiative (CNCI). The Presidential Directives establishing the initiative are still classified, but executive branch leaders have released some details. Goals of CNCI include investing in defensive technologies, educating federal agents about cyber threats, and developing a more expansive workforce to ensure an adequate supply of cybersecurity experts in the future (The White House, 2008). There are now 12 CNCI projects, led by DHS, DoD, the Office of the Director of National Intelligence, and the Office of Science and Technology Policy.
The Center for Strategic and International Studies (CSIS), a think tank, released a report in December 2008 saying that while the Administration’s commitment to cybersecurity was reassuring, CNCI was not extensive enough to address the nation’s cybersecurity issues. The report recommended that the President establish a new cyberspace office in the Executive Office of the President that would manage all government network security initiatives occurring in the executive, legislative, and judicial branches (CSIS, 2008). The Government Accountability Office (GAO) also assessed the program in 2010, and found that CNCI faced a number of challenges—the agency recommended that CNCI officials better define agency roles, establish metrics of success, and become a bit more transparent to the public. Specifically, the GAO noted that CNCI shared few details about their ongoing projects or the progress that they have made. Although some details must remain classified for security reasons, the GAO suggested that CNCI be open enough to maintain trust between the public and the federal government, and facilitate coordination with other agencies and programs to avoid duplication of efforts. More transparency would also ensure that CNCI is held accountable to other government agencies, Congress, and of course, the American people.
In 2009, President Obama launched a 60-day cyberspace policy review, which pulled together work from several different cybersecurity researchers organized by the National Science Foundation (NSF). This review assessed existing U.S. cybersecurity policies, including CNCI, and issued several action plans:
- Appoint an official to coordinate inter-agency cybersecurity policies;
- Update the national strategy to keep communications infrastructure secure;
- Conduct a legal analysis of cybersecurity policies;
- Improve public knowledge of cybersecurity issues;
- Prepare an emergency response plan in the event of a cyber-attack; and
- Determine cyber R&D priorities.
These are not unlike the recommendations that various committees and think tanks have been making since 1995, and the specifics were left largely to Cybersecurity Coordinator Howard Schmidt (appointed by Obama to serve within a new Cybersecurity Office housed in the National Security Agency (NSA)). During his tenure, Schmidt focused on improving coordination between the DHS and NSA, and creating the National Strategy for Trusted Identities in Cyberspace, which was established to help businesses ensure that online transactions are safe and secure.
In 1991, Congress passed the High Performance Computing Act of 1991 (P.L. 102-194), as amended by the Next Generation Internet Research Act of 1998 (P.L. 105-305), which among other things established the Networking and Information Technology Research and Development Program (NITRD). The NITRD is a group of Federal R&D agencies that “provide research and development foundations for assuring continued U.S. technological leadership…meeting needs of the Federal government for advanced networking, computing systems, software, and associated information technologies…[and] accelerating development and deployment of these technologies” (NITRD website). In 2012, the group released a strategic plan that lays out steps for expanding human-computer partnerships, improving security and reliability, and improving IT training and education programs. After that, there were few attempts to pass new cybersecurity legislation until 2011. The 112th Congress considered several bills and resolutions with provisions related to cybersecurity, but none passed:
Senate
- S. 413, Cybersecurity and Internet Freedom Act of 2011
- S. 1151, Personal Data Privacy and Security Act of 2011
- S. 1342, Grid Cyber Security Act
- S. 1535, Personal Data Protection and Breach Accountability Act of 2011
- S. 2102, Cybersecurity Information Sharing Act of 2012 (CISPA)
- S. 968, PROTECT IP Act of 2011 (PIPA)
- S. 2105, Cybersecurity Act of 2012 (CSA) (failed in Senate)
House of Representatives
- H.R. 76, Cybersecurity Education Enhancement Act of 2011
- H.R. 174, Homeland Security Cyber and Physical Infrastructure Protection Act of 2011
- H.R. 2096, Cybersecurity Enhancement Act of 2011*
- H.R. 3523, Cyber Intelligence Sharing and Protection Act*
- H.R. 3674, PRECISE Act of 2011
- H.R. 4263, SECURE IT Act of 2012
- H.R. 3834, Advancing America’s Networking and Information Technology Research and Development Act of 2012*
- H.R. 4257, Federal Information Security Amendments Act of 2012*
- H.R. 3261, Stop Online Piracy Act (SOPA)
*These bills passed the House
Most notable were SOPA, PIPA, CISPA, and CSA. SOPA was introduced in the House by Representative Lamar Smith (R-TX), then-chairman of the House Judiciary Committee. PIPA was introduced by Senator Patrick Leahy (D-VT), Senate Judiciary Committee chairman, but it was withdrawn in January 2012. Both bills sought to prevent the theft of intellectual property and trafficking of counterfeit goods by authorizing the Attorney General to take legal action against an owner or operator of a site that facilitates online piracy. While SOPA applied to any site that was “committing or facilitating” infringement, PIPA applied only to sites that had no other major purpose.
CISPA would have facilitated the sharing of information between the U.S. government and private corporations by waiving various privacy laws and policies that apply to wiretaps, gun laws, education record laws, census data, medical records, and other information in the interest of national security. In other words, private web companies, social networks, and Internet service providers would be allowed (although not required) to share citizens’ personal information with the federal government. However, civil rights groups such as the American Civil Liberties Union (ACLU) were concerned that CISPA would authorize government officials to spy on individual citizens without their knowledge or consent. On February 13, 2013, Representative Mike Rogers (R-MI) re-introduced CISPA; it is currently being considered by the House Permanent Select Intelligence Committee.
The CSA, perhaps the most controversial of the cyber bills, failed in the Senate despite bipartisan support. The CSA, unlike the other proposed bills, focused on protecting America’s infrastructure in order to guard power plants, water systems, transportation networks, and online resources from cyber-terrorist attacks by directing the DHS Secretary to identify “critical” infrastructure, and establish cybersecurity requirements and response/restoration plans for those systems. The Act was filibustered and failed primarily due to pressure from private sector business advocates, who argued that the cost of complying with the standards established by the CSA would place an impossible financial burden on the for-profit sector. Republicans withdrew their support when Senate Majority Leader Harry Reid chose not to allow for an open amendment process on all bills during the final weeks of the 112th session.
While no legislation passed in the 112th Congress, members of the 113th Congress are eager to try again. On January 3, 2013, Representative Sheila Jackson Lee (D-TX) introduced the Cybersecurity Education Enhancement Act (H.R. 86), which directs the DHS Secretary to establish a grant program for institutions of higher education that invest in cybersecurity professional development or associate degree programs. Senator Jay Rockefeller (D-WV) introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 (S. 21); with this new legislation, Rockefeller hopes “to secure the United States against cyber-attack, to improve communication and collaboration between the private sector and Federal Government, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses.” The bill also includes language that promotes R&D investments to expand the IT workforce and improve the U.S. economy.
Technical and Policy Challenges
Improving cybersecurity will be a difficult task for Congress and the White House; both will have to overcome several challenges—some of which could take many years to address.
First, the GAO (2010) recommended better defined roles for various agencies and individuals. This may help alleviate some of the tension between leaders in the field, and reduce duplication of efforts. There is also no single agency or center that is in charge of overseeing cybersecurity issues, which means that a coordinated multi-agency response may be difficult to manage in the event of a cyber attack.
More specifically, a 2009 report from the Congressional Research Service (CRS) stressed the importance of establishing one official definition of “cybersecurity” across agencies and sectors. Right now, there are no universally recognized terms or definitions, which may make it difficult to communicate and collaborate.
Congress and the federal government hope to collaborate more closely with the private sector—for-profit corporations will be responsible (perhaps voluntarily) for adhering to government security standards, and they may also be able to monitor, detect, and respond to potential threats. Sponsors of cybersecurity bills may also depend on advice and support from the private sector during the legislative process. In January 2013, Senator Jay Rockefeller (D-WV) received a memorandum from the Majority Staff of the Senate Committee on Commerce, Science, and Transportation that summarized feedback from about 300 Fortune 500 companies pertaining to the cybersecurity bill he introduced in 2012. While most of those companies supported increased information sharing and collaboration between the private and public sectors, they did express concerns about mandatory requirements that could reduce the flexibility with which they are able to deal with their own cyber issues or duplicate work that they are already doing. They also want to ensure that the information they share with the government will be confidential, so that they do not put their or their stockholders’ financial well-being at risk.
Any cybersecurity legislation that the Congress hopes to pass will have to, at least in some ways, cater to the needs of businesses that will inevitably seek the most cost-effective solutions. Support from civil liberties groups, who want cybersecurity legislation that will keep Americans safe without compromising their privacy, would also enhance the viability of the bill.
Finally, the government is looking for ways to improve its cyber-intelligence workforce. According to a 2009 study from the Georgetown University Center on Education and the Workforce, only 5.1 percent of all graduates obtain computer science or mathematics degrees, and only two percent (36,500) of those students study cybersecurity specifically (Carnevale et al., 2011). Tom Kellermann, a former member of President Obama’s Cybersecurity Commission, says that the government will need to hire at least 10,000 cybersecurity experts in the next couple of years, and the private sector will need to hire another 40,000 (Fitzpatrick, 2012). For now, experts argue that it is difficult to recruit new experts, because careers in software development and computer engineering are more lucrative. In 2009, the median salary for a graduate earning a degree in security was $55,000, compared with $75,000 for computer engineering.
“We’re not preparing enough people to work in information technology, period,” said Janice Cuny, program director for computing education at the NSF. “We’re producing about two-thirds of the IT people that we need nationwide, and we’re way behind in cybersecurity…we do a horrible job teaching computer science in high school…most high schools don’t teach computer science at all.” The NSF plans to fund 10,000 computer science classes in public high schools by 2016. Currently, it is funding two pilot courses, “Exploring Computer Science” and “Computer Science Principles” (Fitzpatrick, 2012).
The Pentagon also announced its own plan to improve the cybersecurity workforce; the DoD’s Cyber Command will expand from 900 employees to 4,900 employees. The decision comes in light of growing cyber threats to Federal infrastructure. Three new forces will be created: National Mission Forces will protect electrical grids and power plants, Combat Mission Forces will help carry out offensive attacks, and Cyber Protection Forces will improve DoD’s networks (Nakashima, 2013).
References
- Carnevale, Anthony P.; Strohl, Jeff; Melton, Michelle. “What’s It Worth? The Economic Value of College Majors.” Georgetown University Center on Education and the Workforce. Washington, DC. 24 May 2011.
- Congressional Research Service (CRS). “Cybersecurity: authoritative reports and resources.” Washington, DC. 26 April 2012.
- CRS. “Cybersecurity: current legislation, executive branch initiatives, and options for Congress.” Washington, DC. 12 January 2009.
- CSIS Commission on Cybersecurity for the 44th Presidency. “Securing Cyberspace for the 44th Presidency.” Washington, DC. December 2008.
- Deasy, Kristin. “Panetta: US cyber security threat a ‘pre-9/11 moment.’” Global Post. 12 October 2012.
- Fitzpatrick, Alexander. “Cybersecurity experts need to meet growing demand.” The Washington Post and Mashable. Washington, DC. 29 May 2012.
- Government Accountability Office (GAO). “Emerging Cybersecurity Issues Threaten Federal Information Systems.” Washington, DC. 2005.
- GAO. “Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative.” Washington, DC. March 2010.
- Greenwald, Eric A. “History Repeats Itself: The 60-Day Policy Review in Context.” Journal of National Security Law & Policy. Vol. 4:41. 2010.
- Nakashima, Ellen. “Pentagon to boost cybersecurity force.” Washington Post. 27 January 2013.
- Panda Labs. Panda Labs Quarterly Report. Bilbao, Spain. April–June 2012.
- Rapoza, Kenneth. “For Internet Safety, Russia Most Dangerous In World.” Forbes. 11 November 2012.
- The White House. “The Comprehensive National Cybersecurity Initiative.” Washington, DC.
- Tilghman, Andrew. “Chinese Virus Targets DoD Common Access Card.” Defense News. 18 June 2012.