Bjerke 2

Introduction
As one of, if not the singular, most tempting targets for cyberattacks in the world, the
United States government is rushing to meet the challenge of a threat unlike any other in history.
Cyberattacks can come from anywhere, be perpetrated by anyone, and require no organization to
pose a severe threat to the functioning, secrecy, and availability of governmental and private
networks that underpin the daily activities of the world's most powerful country. While much
money, many man-hours, and many federal initiatives have been allocated to boost the nation's
cybersecurity workforce, cyberattacks continue to menace public and private computer networks
on a daily basis.
This research paper is designed to examine the makeup and status of the United States
cyber infrastructure, investigate the nature of threats now emerging from the cybersphere,
determine ways in which the country is working to expand and improve cybersecurity, list some
of the challenges facing the nation, and recommend ways to move forward. Ultimately, even as
critical cyber infrastructure quickly improves thanks to increased budgets, technological
improvements, and the recruitment of field experts, the cyber threat is so dispersed, diverse, and
continuous that the country remains at high risk of malicious infiltration of its most sensitive
information networks.
What the Cyber Infrastructure Looks Like
Just like everywhere else in the world, the digital infrastructure of the United States is
based on the Internet, a notoriously insecure and inflexible construct, making it vulnerable to
countless intrusions. The Secret Internet Protocol Router Network (SIPRNet) and Non-classified
Internet Protocol Router Network (NIPRNet) are the classified and unclassified networks used
by the U.S. Department of Defense (DoD) and U.S. Department of State. SIPRNet (pronounced
"sipper net") is more or less a classified version of the public Internet. As such, it provides
information-sharing capabilities, email, and website access within a secured environment.
NIPRNet (pronounced "nipper net") is the network used for exchanging unclassified, yet still
sensitive, information between users. The quickly expanding network has already been quietly
infiltrated by an untold number of unauthorized users, leading to regular requests from DoD for
budget increases to address this concern.1
Additionally, the government maintains a number of civilian cyber networks, and the broader
cyber ecosystem includes millions of networks, both public and private, that oversee the
conduct of every industry in the country, including finance, healthcare, and education, to name a
few. Other aspects of the nation's critical infrastructure, such as chemical plants, water, and
electricity, are also monitored and controlled by computer networks. Lastly comes the vast web
of individual users connected to the Internet via private Internet Service Providers (ISPs) who
regularly access local networks for work, news, communications, shopping, and other vital
economic and personal activities.
1 William Matthews, "Mapping the Pentagon's Networks: DoD Uses IPSonar to
Improve Defense," Defense News, last modified January 10, 2010,
http://www.defensenews.com/article/20100118/DEFFEAT01/1180306/MappingPentagon-s-Networks.

What are Cyber Threats?
According to the U.S. Department of Homeland Security (DHS), a cyber threat is a
person or persons who gain unauthorized access to a network through a data communications
pathway.2 DHS further categorizes the sources of deliberate cyber threats to include national
governments, terrorists, industrial spies and organized crime groups, hacktivists, hackers, and
members of the General Accountability Office's (GAO's) threat table. The following are
paraphrased definitions of these cyber threats as defined by DHS:

The cyber warfare programs of national governments are designed to harm U.S.
interests and can range from propaganda web pages to espionage and
infrastructure disruption. These programs are the only cyber threats viewed as the
causes of future widespread, long-duration damage to U.S. critical
infrastructures.

Currently, traditionally-defined terrorists are the least likely to demonstrate the
skillsets required to pursue an aggressive cyber warfare campaign and are
considered a limited threat. However, the landscape may change in the future as
more network-savvy individuals join the ranks of terror organizations.

Industrial spies and organized crime groups are considered a medium-level
cybersecurity threat largely due to industrial espionage and financial thefts.

So-called hacktivists are groups of foreign, politically active hackers that hold
anti-U.S. views and threaten to cause isolated, yet damaging, attacks. Their
primary focus is on spreading propaganda in support of a political agenda rather
than causing harm to critical infrastructures.

Hackers are members of a very large community that, despite its size, poses a
relatively small long-term threat to U.S. critical infrastructure. However, hackers
do pose a high risk of isolated and/or brief disruptions to U.S. networks with
effects potentially extending to property damage. Hackers are further sub-divided
into groups including sub-communities, unskilled script kiddies, worm and
virus writers, profit-seeking white-hat hackers who actually work to improve
security, and professional black-hat hackers who are paid to penetrate networks.

The GAO threat table includes threats such as bot-network hackers who seek to
coordinate attacks with various network-based schemes, criminal groups, foreign
intelligence services, spammers, terrorists, phishers, malicious insiders, and
spyware/malware authors.3

2 "Cyber Threat Source Descriptions," U.S. Department of Homeland Security,
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), access
date February 27, 2014, http://ics-cert.us-cert.gov/content/cyber-threat-sourcedescriptions.

The targets of cyber threats range from the military and critical infrastructures to financial
institutions and other businesses. The primary goals of cybercrime, cyber warfare, and cyber
terrorism are typically financial theft, disruption of services, or theft of confidential/classified
information. The economic impact of such attacks can range from negligible into the billions of
dollars, per incident.
Vulnerability and Costs
DHS runs a national clearinghouse of information related to cyber threats called the U.S.
Computer Emergency Readiness Team (US-CERT) that has a variety of tasks including the
tracking of nationwide cyberincidents. DHS defines a cyberincident as the violation of an
explicit or implied security policy.4 Such cyberincidents could include unauthorized access to a
network, distributed denial of service (DDoS) attacks, and other malicious activities. According
to a GAO analysis of US-CERT data for fiscal years 2006 to 2012, the number of cyberincidents
reported to US-CERT rose steadily from 5,503 in 2006 to 48,562 in 2012.5 Over 40 percent of all
cyberincidents reported by federal agencies involved attempts to access U.S. networks or
introduce malicious code into those computer systems.6

3 Ibid.
4 "Report Cyber Incidents," U.S. Department of Homeland Security, access date
February 27, 2014, http://www.dhs.gov/how-do-i/report-cyber-incidents.
In addition to attacks on federal systems, incidents affecting state and private networks and
individual citizens run into the tens of millions per day. The recent attacks on the CIA's website
in June 2011 and February 2012, which brought the site down with DDoS attacks, are just a
couple of (relatively minor) indications that the U.S. cyber infrastructure has a problem. Even
more troubling is data from the National Preparedness Report (NPR), released by DHS in 2013.
In it, states and territories reported extremely low capabilities for dealing with cybersecurity
threats, with just 17 percent of responses to the NPR indicating high anti-cybercrime
capabilities.7 And what about the financial costs of recovering from cyberattacks?
An independent study conducted by the Ponemon Institute in 2013 found that not only
has the sophistication of cyberattacks increased exponentially over the past several years, but
that the costs of handling the aftereffects of cybercrime have skyrocketed as well. Key findings
from the study include:

The average annualized cost of cybercrime incurred per organization was $11.56 million,
with a range of $1.3 million to $58 million.

Organizations experienced an average of 122 successful attacks per week.

The average time to resolve a cyberattack was 32 days, with an average cost incurred
during this period of $1,035,769, or $32,469 per day.8

As with government networks, the most costly cybercrimes to private organizations are caused
by DDoS and web-based attacks, with information theft and business disruption representing the
highest external costs.9

5 U.S. General Accountability Office, CYBERSECURITY: A Better Defined and
Implemented National Strategy Is Needed to Address Persistent Challenges
(Washington, D.C.: GAO, 2013), 6.
6 Ibid., 7.
7 U.S. Department of Homeland Security, National Preparedness Report
(Washington, D.C.: DHS, 2013), 8.
Development, Expansion and Improvement of Cybersecurity Infrastructures
As an overall, top-level response to mounting cyber threats, the Cyberspace Policy Review
released by the White House outlines several broad actions the nation should take in order to
achieve the goals of cybersecurity. These actions include:

Promote cybersecurity risk awareness for all citizens.

Build an education system that will enhance understanding of cybersecurity and allow the
United States to retain and expand upon its scientific, engineering, and market leadership
in information technology.

Expand and train the workforce to protect the Nation's competitive advantage.

Help organizations and individuals make smart choices as they manage risk.10
Increasing public awareness includes development of a communications strategy that
partners the federal government with educators and industry. The partnership would wage a
large-scale campaign to raise awareness of cybersecurity issues and involve public education
regarding digital safety, ethics, and security.11 Building a system to promote cybersecurity
education involves the federal government, and all of its departments and agencies, expanding
support for education programs and R&D, such as federal grants and research centers, to keep the
U.S. competitive.12 The federal government may consider ways to attract and retain experts in the
field of cybersecurity while promoting the development of current federal employees through
training and cross-agency assignments to build professional cybersecurity networks.13 Finally, in
order to support organizations and individuals in managing cybersecurity risks, the federal
government should continue the facilitation of information sharing on threats, vulnerabilities,
and best practices.14

8 Ponemon Institute, LLC, 2013 Cost of Cyber Crime Study: United States (Traverse
City, MI: Ponemon Institute, 2013), 1-2.
9 Ibid., 23-24.
10 U.S. Department of State, Cyberspace Policy Review (Washington, D.C.: DoS,
2013), 13.
Taking a leading role in the evolution of U.S. cybersecurity, DHS has begun initiatives
that bring together public and private partners, improved collaboration with financial and critical
infrastructure sectors, and added special cybercrime divisions within organizations such as the
U.S. Secret Service and U.S. Immigration and Customs Enforcement (ICE). Specifically, the
Electronic Crimes Task Forces (ECTFs) within the Secret Service focus on locating
international cyber criminals while the Cyber Intelligence Section contributes to their arrest.15
The Cyber Crimes Center (C3), a division of ICE, works in the prevention and solving of cyber
incidents such as identity theft, identifying sources of fraud for immigration documents, and the
investigation of large-scale producers of child pornography.16

11 Ibid., 13-14.
12 Ibid., 14.
13 Ibid., 15.
14 Ibid.
15 Department of Homeland Security, "Combat Cyber Crime," accessed on March 3,
2014, http://www.dhs.gov/combat-cyber-crime.
DHS also works to secure websites in the .gov domain while providing expertise to the
private sector. The agency monitors .gov network traffic to track malicious activity as well as
develop strategies for uncovering and addressing cyber vulnerabilities.17 The National
Cybersecurity and Communications Integration Center (NCCIC), operating out of DHS,
responds to cyberincidents with technical assistance and develops a common operating picture
for all government and private sector entities.18 As of February 2014, DHS spearheaded the
Critical Infrastructure Cyber Community (C3) Voluntary Program. The initial focus of the
program is the engagement of sector-specific agencies (such as those for the communications,
energy, and financial services sectors) and other organizations to develop ways to implement the
concurrently released Framework for Improving Critical Infrastructure Cybersecurity (the
Framework), produced by the National Institute of Standards and Technology.19
The C3 Voluntary Program will eventually reach all critical infrastructure and businesses
choosing to implement the Framework and will assist them in understanding how to use it and
other cyber-risk management efforts.20 The Program will also serve as a point of contact for
assisting with the use of the Framework and for directing organizations to resources to support its
use.21 The Program is designed to encourage improved cyber resiliency, expand use of the
Framework, and promote cybersecurity management as an integral component of all-hazards risk
management.

16 Ibid.
17 Department of Homeland Security, "Secure Cyber Networks," accessed on March
3, 2014, http://www.dhs.gov/secure-cyber-networks.
18 Ibid.
19 Department of Homeland Security, "About the Critical Infrastructure Cyber
Community C3 Voluntary Program," accessed on March 5, 2014,
http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program.
The Framework itself is the result of a collaborative effort between government and the
private sector to create a common-language document for guiding cost-effective cybersecurity
risk management practices without the need for additional regulations. The Framework is
sensitive to individual privacy and civil liberties as it assists organizations in developing custom
cybersecurity programs.22 And while not designed to suit every need for every business at all
times, the Framework can reduce cybersecurity risks if implemented by organizations that adapt
the management aspects of the document to their unique set of risks and priorities.23
According to the document, the Framework's core consists of five functions: Identify,
Protect, Detect, Respond, and Recover. These functions organize
cybersecurity risk management in order to facilitate decision-making, address threats, and allow
for learning from previous activities.24 In order to ensure that current organizational processes are
adaptive to dynamic threats and risk aware, the Framework implements Tiers to describe
current practices. These Tiers include: Partial, Risk Informed, Repeatable, and Adaptive.25 Each
Tier describes an organization's current risk management situation, ranging from Partial (no
formalized cybersecurity risk management practices, ad hoc risk management) to Adaptive
(the organization adapts practices based on lessons learned and sufficiently adapts to evolving
cybersecurity threats).26

20 Ibid.
21 Ibid.
22 National Institute of Standards and Technology, Framework for Improving Critical
Infrastructure Cybersecurity (Washington, D.C.: NIST, 2014), 1.
23 Ibid., 2.
24 Ibid., 7.
A few additional expansions to the nation's cybersecurity infrastructure include the
Cybersecurity Information Sharing and Collaboration Program (CISCP), the National Cyber
Investigative Joint Task Force (NCIJTF), and the Multi-State Information Sharing and Analysis
Center (MS-ISAC). The CISCP is a DHS-established program that is responsible for information
sharing between the owners and operators of critical infrastructure.27 The NCIJTF is an FBI
initiative that facilitates interagency collaboration and serves as a central point for coordinating
and sharing information related to the investigation of cyber threats.28 The MS-ISAC, a division of
the Center for Internet Security, provides real-time monitoring of networks, releases early
warnings and advisories of cyber threats, identifies and attempts to mitigate network
vulnerabilities, and provides incident response.29

25 Ibid., 9-11.
26 Ibid.
27 U.S. Department of Homeland Security, "CIKR Cyber Information Sharing and
Collaboration Program (CISCP)," accessed on March 6, 2014,
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/201306/ispab_june2013_menna_ciscp_one_pager.pdf.
28 U.S. Federal Bureau of Investigation, "National Cyber Investigative Joint Task
Force," accessed on March 6, 2014,
http://www.fbi.gov/news/podcasts/thisweek/national-cyber-investigative-joint-task-force-i.mp3/view.

Challenges to Implementing Cybersecurity Initiatives
The GAO's statement on cybersecurity lays out an insightful overview of the challenges
facing the federal government in implementing cybersecurity measures to protect the United
States' critical infrastructure. The GAO lists five control categories in which it rated federal
agencies on information security weaknesses: security management, access controls,
configuration management, segregation of duties, and contingency planning.30 Inspectors general
at 22 of 24 agencies reported information security as a major challenge.31 The GAO reports that
most of these weaknesses are attributable to an incomplete implementation of information
security programs.32
Many of the challenges underlying this lack of implementation, as stated in the
Cybersecurity report, lie with incomplete cybersecurity guidance and insufficient compliance
regulations. And while agencies such as DHS have worked to coordinate the federal response for
cyber incidents, information sharing among federal agencies and private-sector organizations is
far from optimal. Cyber and predictive analyses have also yet to be established, but testing had
begun during fiscal year 2013.33

29 "Multi-State Information Sharing and Analysis Center," Center for Internet Security,
accessed on March 6, 2014, http://msisac.cisecurity.org/about/.
30 U.S. General Accountability Office, CYBERSECURITY: A Better Defined and
Implemented National Strategy Is Needed to Address Persistent Challenges
(Washington, D.C.: GAO, 2013), 12.
31 Ibid.
32 Ibid.
33 Ibid.

A tracking mechanism, which is deemed important for information sharing about
ongoing, federally-funded research and development projects, has yet to be fully developed;
therefore, results from cyber research and development are largely isolated within agencies.34
Security related to emerging technologies such as cloud computing, social media, and mobile
devices has not been sufficiently addressed. For instance, the GAO found that federal agencies
have inadequate policies for protecting and managing information disseminated via social media
networks.35 Risks inherent in relying on global supply chains for information technology
projects, such as the vulnerability of information systems to tampering by manufacturers, have
also been largely neglected.36
While these critiques were directed at federal government networks, they can be easily
transferred to private-sector networks and function as guidelines for developing strong
cybersecurity measures within private firms. Most private firms have internal investigation teams
that analyze and recommend based on their unique organizational structures and policies, so it is
difficult to rate the readiness of private-sector cybersecurity infrastructure. However, the
challenges listed by the GAO for federal networks are relevant to sensitive networks everywhere,
regardless of scale.

34 Ibid., 16.
35 Ibid., 17.
36 Ibid.

Recommendations
A Technical Security Alert released by the United States Computer Emergency Readiness Team
(US-CERT) attempts to provide guidance when it comes to securing government and
private-sector computer networks. All recommendations are intended to enhance existing
security programs and fall into both the technical and non-technical categories. Several of the
less-technical recommendations include:

Deploy a Host Intrusion Detection System (HIDS) to identify and block attacks.

Use an application proxy for web servers in order to filter out malicious requests.

Disable active scripting in email attachments.

Add several measures to protect passwords and accounts, such as using multiple
authentication methods, requiring password lengths to be at least 15 characters, and using
alphanumeric passwords with symbols.

Adhere to network security best practices.

Ensure systems have up-to-date patches.37
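The password-composition items in the list above can be turned into an automated policy gate. The following Python is an added illustration, not code from this paper or from the US-CERT alert it summarizes: the 15-character floor and the letters-digits-symbols requirement come from the recommendations, while the function names, the failure-message format, the Unicode normalization step, and the sample passwords are assumptions made here.

```python
"""Password-policy check for the account-protection recommendations listed above.

Added illustration, not code from the paper or from the US-CERT alert. The
15-character minimum and the "alphanumeric with symbols" requirement are the ones
quoted above; function names, messages and sample passwords are assumptions.
"""

import unicodedata
from typing import List

MIN_LENGTH = 15  # the 15-character minimum quoted in the recommendations


def _is_symbol(c: str) -> bool:
    # A symbol here is any printable character that is neither a letter/digit
    # nor whitespace, so "&", "-", "#" and non-ASCII punctuation all count.
    return c.isprintable() and not c.isalnum() and not c.isspace()


def password_policy_failures(password: str) -> List[str]:
    """Return the requirements the password fails, in a fixed order.

    An empty list means the password satisfies all of them:
      - at least MIN_LENGTH characters,
      - at least one letter and at least one digit ("alphanumeric"),
      - at least one symbol.
    """
    # Normalise so composed and decomposed Unicode forms are measured the same
    # way; NFKC is an assumption made here, not part of the recommendation.
    password = unicodedata.normalize("NFKC", password)

    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if not any(_is_symbol(c) for c in password):
        failures.append("no symbols")
    return failures


def meets_policy(password: str) -> bool:
    """True when password_policy_failures() reports nothing."""
    return not password_policy_failures(password)


if __name__ == "__main__":
    # Constructed sample passwords, used only to exercise the checks.
    samples = [
        "correcthorsebatterystaple",   # long enough, but letters only
        "Tr0ub4dor&3",                 # mixed classes, but too short
        "123456789012345",             # exactly 15, digits only
        "Tr0ub4dor&3-staple-2014",     # satisfies every requirement
    ]
    for pw in samples:
        verdict = "ok" if meets_policy(pw) else ", ".join(password_policy_failures(pw))
        print(f"{pw!r:30} -> {verdict}")
```

Returning the list of failed requirements rather than a bare boolean lets an account-provisioning script tell the user exactly which rule was missed. The check is a composition gate, not a strength estimate: a 15-character string with all three classes can still be a predictable phrase, which is why the recommendation pairs it with multiple authentication methods rather than relying on password rules alone.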
For its own part, the GAO recommends the development and adoption of a
comprehensive strategic approach to mitigating the risks of successful cybersecurity attacks.38
This strategy would not only adhere to characteristics that align with larger national security
goals, but also hold agencies accountable for their own cybersecurity improvements. The GAO
also recommends that Congress create legislation to more clearly define the roles and
responsibilities for the implementation and oversight of information security programs and
protection of the nation's critical cyber assets.39
37 "Security Recommendations to Prevent Cyber Intrusions," US-CERT, accessed on
March 9, 2014, http://www.us-cert.gov/ncas/alerts/TA11-200A.
38 U.S. General Accountability Office, CYBERSECURITY: A Better Defined and
Implemented National Strategy Is Needed to Address Persistent Challenges
(Washington, D.C.: GAO, 2013), 23.
39 Ibid., 24.

Conclusion
The hyper-connected networks of the U.S. government, critical infrastructure, and private sector
make the country enormously vulnerable to cyberattacks that could devastate the economy,
compromise national security, and reduce the quality of life of citizens. The number and diversity
of cyber threats continue to expand, and the costs of detecting, mitigating, and recovering from
malicious cyber intrusions are dramatically increasing. Unfortunately, such a large government
overseeing an immense economy is slow to adapt to uber-dynamic cybersecurity conditions and
is largely unable to keep ahead of the evolving cyber-threat landscape.
While there are numerous recommendations for improving the U.S.'s cyber
infrastructure, and the government and private sector have been quick to adopt these
recommendations as policy, implementation of these policies has been sluggish. The high cost
of implementing such logistically complex strategies is a major obstacle to ensuring vulnerable
networks are better guarded against intrusion. And even as federal agencies work to improve
inter-agency collaboration, private networks seek to harden their sensitive networks, and
initiatives are created to ensure the nation retains an expert cybersecurity workforce, the fruits of
these endeavors have not yet generated an adequate response to cyber threats. The country's
cyber infrastructures remain at high risk, with dangerous implications for national security,
critical infrastructure, and the lives of U.S. citizens.

Bibliography
Matthews, William. "Mapping the Pentagon's Networks: DoD Uses IPSonar to Improve
Defense." Defense News, last modified January 10, 2010.
http://www.defensenews.com/article/20100118/DEFFEAT01/1180306/MappingPentagon-s-Networks.

Multi-State Information Sharing and Analysis Center. Center for Internet Security. Accessed
March 6, 2014. http://msisac.cisecurity.org/about/.

National Institute of Standards and Technology. Framework for Improving Critical
Infrastructure Cybersecurity. Washington, D.C.: NIST, 2014.

Ponemon Institute, LLC. 2013 Cost of Cyber Crime Study: United States. Traverse City, MI:
Ponemon Institute, 2013.

US-CERT. "Security Recommendations to Prevent Cyber Intrusions." Accessed March 9, 2014.
http://www.us-cert.gov/ncas/alerts/TA11-200A.

U.S. Department of Homeland Security. "About the Critical Infrastructure Cyber Community C3
Voluntary Program." Accessed March 5, 2014.
http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program.

U.S. Department of Homeland Security. "CIKR Cyber Information Sharing and Collaboration
Program (CISCP)." Accessed March 6, 2014.
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/201306/ispab_june2013_menna_ciscp_one_pager.pdf.

U.S. Department of Homeland Security. "Combat Cyber Crime." Accessed March 3, 2014.
http://www.dhs.gov/combat-cyber-crime.

U.S. Department of Homeland Security, Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT). "Cyber Threat Source Descriptions." Washington, D.C.: DHS, 2014.
Accessed February 27, 2014. http://ics-cert.us-cert.gov/content/cyber-threat-sourcedescriptions.

U.S. Department of Homeland Security. National Preparedness Report. Washington, D.C.: DHS,
2013.

U.S. Department of Homeland Security. "Report Cyber Incidents." Accessed February 27, 2014.
http://www.dhs.gov/how-do-i/report-cyber-incidents.

U.S. Department of Homeland Security. "Secure Cyber Networks." Accessed March 3, 2014.
http://www.dhs.gov/secure-cyber-networks.

U.S. Department of State. Cyberspace Policy Review. Washington, D.C.: DoS, 2013.

U.S. Federal Bureau of Investigation. "National Cyber Investigative Joint Task Force." Accessed
March 6, 2014.
http://www.fbi.gov/news/podcasts/thisweek/national-cyber-investigative-joint-task-force-i.mp3/view.

U.S. General Accountability Office. CYBERSECURITY: A Better Defined and Implemented
National Strategy Is Needed to Address Persistent Challenges. Washington, D.C.: GAO,
2013.
