Cybersecurity

"Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives."

"America's economic prosperity in the 21st century will depend on cybersecurity."

Definitions
Cybersecurity (also called cyberspace security and cyber security) is:

"[s]trategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure."

"the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries."

"the prevention of damage to, unauthorized use of, or exploitation of, and, if needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. Cybersecurity includes protection and restoration, when needed, of information networks and wireline, wireless, satellite, public safety answering points, and 911 communications systems and control systems. Cybersecurity is a major concern of both the government and the private sector."

"all the approaches taken to protect data, systems, and networks from deliberate attack as well as accidental compromise, ranging from preparedness to recovery."

"the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber-environment and organization, as well as user's, assets."

"analysis, warning, information sharing, vulnerability reduction, risk mitigation and recovery efforts for networked information systems."

"a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might best be described as measures intended to protect information systems — including technology (such as devices, networks, and software), information, and associated personnel from various forms of attack."

Background
"The nation's cybersecurity challenge stems from threats from a wide array of actors who seek to compromise the confidentiality, integrity, and availability of elements of cyberspace by exploiting flaws in the design, implementation, configuration, and operation of information technology systems. This cybersecurity threat faces individuals, organizations of all sizes, and government at all levels."

Cybersecurity is intertwined with the physical security of assets — from computers, networks, and their infrastructure to the environment surrounding these systems. Cybersecurity is a major concern of both the federal government and the private sector.

Cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize a network in unpredictable ways.

Cybersecurity has been called “one of the most urgent national security problems facing the new administration.” In a speech during his presidential campaign, President Obama promised to “make cyber security the top priority that it should be in the 21st century . . . and appoint a National Cyber Advisor who will report directly” to the President.

Cybersecurity is a cross-cutting field that affects many government and non-governmental stakeholders. As such, one of the most basic concerns, but most difficult to address, is that the term itself can carry different connotations for the various entities. For example, the U.S. military views cyberspace as a warfighting domain as well as a force enabler, enhancing troops’ ability to operate in real-time and with improved situational awareness. For the Department of Defense, cybersecurity takes on an offensive or defensive national security role. For other government stakeholders, cybersecurity means information security, or securing the information that resides on cyber infrastructure such as telecommunications networks, or the processes these networks enable. And for some, cybersecurity means protecting the information infrastructure from a physical or electronic attack.

Another cybersecurity difficulty for the government is balancing the protection of civil liberties and individual privacy protections with the desire for comprehensive security of networks and information. It is difficult to secure information infrastructures and their content without tradeoffs between security and the freedoms associated with the Internet. Many concerned about civil liberties fear that the executive branch will use its national security powers and national defense mandate as justification for encroaching on privacy without adequate oversight. Others regard security measures, such as network traffic monitoring, as a violation of the Universal Declaration of Human Rights, which states that "no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence." Complicating the issue is a lack of consensus on the definition of "privacy" in the context of the Internet, and a lack of consensus on what sort of government resolution may be necessary as a network security measure.

International aspects
There are a number of key entities and efforts with significant influence on international cyberspace security and governance. The organizations range from information-sharing forums that are nondecision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. Their efforts include those to address topics such as incident response, technical standards, and law enforcement cooperation.

A number of U.S. federal entities have responsibilities for, and are involved in, international cyberspace governance and security efforts. Specifically, the Departments of Commerce, Defense, Homeland Security, Justice, and State, among others, are involved in efforts to develop international standards, formulate cyber-defense policy, facilitate overseas investigations and law enforcement, and represent U.S. interests in international forums. Federal entities have varying roles among organizations and efforts with international influence over cyberspace security and governance, including engaging in bilateral and multilateral relationships with foreign countries, providing personnel to foreign agencies, leading or being a member of a U.S. delegation, coordinating U.S. policy with other U.S. entities through the interagency process, or attending meetings.

The global aspects of cyberspace present key challenges to U.S. policy (see table). Until these challenges are addressed, the United States will be at a disadvantage in promoting its national interests in the realm of cyberspace.



Consumer acceptance
Cyber security has largely failed to gain wide adoption in many consumer products for a variety of reasons, including a lack of appreciation for consequences of insecurity, the difficulty of developing secure products, performance and cost penalties, user inconvenience, logistical problems for organizations in implementing and consistently maintaining security practices, and the difficulty of assessing the value of security improvements. But consumer and enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of "cyberterrorism," and the pervasiveness of IT uses.

Consequently, many in the computer industry have come to recognize that the industry’s continued ability to gain consumer confidence in new, more capable applications will depend on improved software development and systems engineering practices and the adoption of strengthened security models.

External resource

 * Center for Strategic and International Studies, Cybersecurity.