Introduction
As one of, if not the singular, most tempting targets for cyberattacks in the world, the
United States government is rushing to meet the challenge of a threat unlike any other in history.
Cyberattacks can come from anywhere, be perpetrated by anyone, and require no organization to
pose a severe threat to the functioning, secrecy, and availability of governmental and private
networks that underpin the daily activities of the world's most powerful country. While much
money, many man-hours, and federal initiatives have been allocated to boost the nation's
cybersecurity workforce, cyberattacks continue to menace public and private computer networks
on a daily basis.
This research paper is designed to examine the makeup and status of the United States
cyber infrastructure, investigate the nature of threats now emerging from the cybersphere,
determine ways in which the country is working to expand and improve cybersecurity, list some
of the challenges facing the nation, and recommend ways to move forward. Ultimately, even as
critical cyber infrastructure quickly improves thanks to increased budgets, technological
improvements, and the recruitment of field experts, the cyber threat is so dispersed, diverse, and
continuous that the country remains at high risk of malicious infiltration of its most sensitive
information networks.
What the Cyber Infrastructure Looks Like
Just like everywhere else in the world, the digital infrastructure of the United States is
based on the Internet, a notoriously insecure and inflexible construct, making it vulnerable to
countless intrusions. The Secret Internet Protocol Router Network (SIPRNet) and Non-classified
Internet Protocol Router Network (NIPRNet) are the classified and unclassified networks used
Bjerke 3
by the U.S. Department of Defense (DoD) and U.S. Department of State. SIPRNet (pronounced
"sipper net") is more or less a classified version of the public Internet. As such, it provides
information-sharing capabilities, email, and website access within a secured environment.
NIPRNet (pronounced "nipper net") is the network used for exchanging unclassified, yet still
sensitive, information between users. The quickly expanding network has already been quietly
infiltrated by an untold number of unauthorized users, leading to regular requests from DoD for
budget increases to address this concern.1
Additionally, the government maintains a number of civilian cyber networks, and the broader
cyber ecosystem includes millions of networks, both public and private, that oversee the
conduct of every industry in the country including finance, healthcare, and education, to name a
few. Other aspects of the nation's critical infrastructure, such as chemical plants, water, and
electricity are also monitored and controlled by computer networks. Lastly comes the vast web
of individual users connected to the Internet via private Internet Service Providers (ISPs) who
regularly access local networks for work, news, communications, shopping, and other vital
economic and personal activities.
What are Cyber Threats?
According to the U.S. Department of Homeland Security (DHS), a cyber threat is a
person or persons who gain unauthorized access to a network through a data communications
pathway.2 DHS further categorizes the sources of deliberate cyber threats to include national
governments, terrorists, industrial spies and organized crime groups, hacktivists, hackers, and
1 William Matthews, "Mapping the Pentagon's Networks: DoD Uses IPSonar to
Improve Defense," Defense News, last modified January 10, 2010,
http://www.defensenews.com/article/20100118/DEFFEAT01/1180306/MappingPentagon-s-Networks.
members of the General Accountability Office's (GAO's) threat table. The following are
paraphrased definitions of these cyber threats as defined by DHS:
The cyber warfare programs of national governments are designed to harm U.S.
interests and can range from propaganda web pages to espionage and
infrastructure disruption. These programs are the only cyber threats viewed as the
causes of future widespread, long-duration damage to U.S. critical
infrastructures.
Currently, traditionally-defined terrorists are the least likely to demonstrate the
skillsets required to pursue an aggressive cyber warfare campaign and are
considered a limited threat. However, the landscape may change in the future as
security, and professional black-hat hackers who are paid to penetrate networks.
The GAO threat table includes threats such as bot-network hackers who seek to
coordinate attacks with various network-based schemes, criminal groups, foreign
intelligence services, spammers, terrorists, phishers, malicious insiders, and
spyware/malware authors.3
The targets of cyber threats range from the military and critical infrastructures to financial
institutions and other businesses. The primary goals of cybercrime, cyber warfare, and cyber
terrorism are typically financial theft, disruption of services, or theft of confidential/classified
information. The economic impact of such attacks can range from negligible into the billions of
dollars, per incident.
Vulnerability and Costs
DHS runs a national clearinghouse of information related to cyber threats called the U.S.
Computer Emergency Readiness Team (US-CERT) that has a variety of tasks including the
tracking of nationwide cyberincidents. DHS defines a cyberincident as the violation of an
explicit or implied security policy.4 Such cyberincidents could include unauthorized access to a
network, distributed denial of service (DDoS) attacks, and other malicious activities. According
to a GAO analysis of US-CERT data for fiscal years 2006 to 2012, the number of cyberincidents
reported to US-CERT rose steadily from 5,503 in 2006 to 48,562 in 2012.5 Over 40 percent of all
3 Ibid.
4 Report Cyber Incidents, U.S. Department of Homeland Security, access date
February 27, 2014, http://www.dhs.gov/how-do-i/report-cyber-incidents.
The average annualized cost of cybercrime incurred per organization was $11.56 million,
with a range of $1.3 million to $58 million.
The average time to resolve a cyberattack was 32 days, with an average cost incurred
during this period of $1,035,769, or $32,469 per day.8
As with government networks, the most costly cybercrimes to private organizations are caused
by DDoS and web-based attacks, with information theft and business disruption representing the
highest external costs.9
Development, Expansion and Improvement of Cybersecurity Infrastructures
As an overall, top-level response to mounting cyber threats, the Cyberspace Policy Review
released by the White House outlines several broad actions the nation should take in order to
achieve the goals of cybersecurity. These actions include:
in information technology.
Expand and train the workforce to protect the Nation's competitive advantage.
Help organizations and individuals make smart choices as they manage risk.10
Increasing public awareness includes development of a communications strategy that
partners the federal government with educators and industry. The partnership would wage a
8 Ponemon Institute, LLC, 2013 Cost of Cyber Crime Study: United States (Traverse
City, MI: Ponemon Institute, 2013), 1-2.
9 Ibid., 23-24.
10 U.S. Department of State, Cyberspace Policy Review, (Washington, D.C.: DoS,
2013), 13.
large-scale campaign to raise awareness of cybersecurity issues and involve public education
regarding digital safety, ethics, and security.11 Building a system to promote cybersecurity
education involves the federal government, and all of its departments and agencies, expanding
support for education programs and R&D, such as federal grants research centers to keep the
U.S. competitive.12 The federal government may consider ways to attract and retain experts in the
field of cybersecurity while promoting the development of current federal employees through
training and cross-agency assignments to build professional cybersecurity networks.13 Finally, in
order to support organizations and individuals in managing cybersecurity risks, the federal
government should continue the facilitation of information sharing on threats, vulnerabilities,
and best practices.14
Taking a leading role in the evolution of U.S. cybersecurity, DHS has begun initiatives
that bring together public and private partners, improved collaboration with financial and critical
infrastructure sectors, and added special cybercrime divisions within organizations such as the
U.S. Secret Service and U.S. Immigration and Customs Enforcement (ICE). Specifically, the
Electronic Crimes Task Forces (ECTFs) within the Secret Service focus on locating
international cyber criminals while the Cyber Intelligence Section contributes to their arrest.15
The Cyber Crimes Center (C3), a division of ICE, works in the prevention and solving of cyber
11 Ibid., 13-14.
12 Ibid., 14.
13 Ibid., 15.
14 Ibid.
15 Department of Homeland Security, Combat Cyber Crime, accessed on March 3,
2014, http://www.dhs.gov/combat-cyber-crime.
incidents such as identity theft, identifying sources of fraud for immigration documents, and the
investigation of large-scale producers of child pornography.16
DHS also works to secure websites with the .gov domain while providing expertise to the
private sector. The agency monitors .gov network traffic to track malicious activity as well as
develop strategies for uncovering and addressing cyber vulnerabilities.17 The National
Cybersecurity and Communications Integration Center (NCCIC), operating out of DHS,
responds to cyberincidents with technical assistance and develops a common operating picture
for all government and private sector entities.18 As of February 2014, DHS spearheaded the
Critical Infrastructure Cyber Community (C3) Voluntary Program. The initial focus of the
program is the engagement of sector-specific agencies (such as communications, energy, and
financial services sectors) and other organizations to develop ways to implement the
concurrently released Framework for Improving Critical Infrastructure Cybersecurity (the
Framework), produced by the National Institute of Standards and Technology.19
The C3 Voluntary Program will eventually reach all critical infrastructure and businesses
choosing to implement the Framework and will assist them in understanding how to use it and
16 Ibid.
17 Department of Homeland Security, Secure Cyber Networks, accessed on March
3, 2014, http://www.dhs.gov/secure-cyber-networks.
18 Ibid.
19 Department of Homeland Security, About the Critical Infrastructure Cyber
Community C3 Voluntary Program, accessed on March 5, 2014,
http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3voluntary-program.
other cyber-risk management efforts.20 The Program will also serve as a point of contact for
assisting with the use of the Framework and for directing organizations to resources to support its
use.21 The Program is designed to encourage improved cyber resiliency, expand use of the
Framework, and promote cybersecurity management as an integral component of all-hazards risk
management.
The Framework itself is the result of a collaborative effort between government and the
private sector to create a common-language document for guiding cost-effective, cybersecurity
risk management practices without the need for additional regulations. The Framework is
sensitive to individual privacy and civil liberties as it assists organizations in developing custom
cybersecurity programs.22 And while not designed to suit every need for every business at all
times, the Framework can reduce cybersecurity risks if implemented by organizations that adapt
the management aspects of the document to their unique set of risks and priorities.23
According to the document, the core Framework consists of five functions:
identify, protect, detect, respond, and recover from an incident. These functions organize
cybersecurity risk management in order to facilitate decision-making, address threats, and allow
for learning from previous activities.24 In order to ensure that current organization processes are
adaptive to dynamic threats and risk aware, the Framework implements Tiers to describe
20 Ibid.
21 Ibid.
22 National Institute of Standards and Technology, Framework for Improving Critical
Infrastructure Cybersecurity, (Washington, D.C.: NIST, 2014), 1.
23 Ibid., 2.
24 Ibid., 7.
current practices. These Tiers include: Partial, Risk Informed, Repeatable, and Adaptive.25 Each
Tier describes an organization's current risk management situation ranging from Partial (no
formalized cybersecurity risk management practices, ad hoc risk management) to Adaptive
(organization adapts practices on lessons learned and sufficiently adapts to evolving
cybersecurity threats).26
A few additional expansions to the nation's cybersecurity infrastructure include the
Cybersecurity Information Sharing and Collaboration Program (CISCP), the National Cyber
Investigative Joint Task Force (NCIJTF), and Multi-State Information Sharing and Analysis
Center (MS-ISAC). The CISCP is a DHS-established program that is responsible for information
sharing between the owners and operators of critical infrastructure.27 The NCIJTF is an FBI
initiative that facilitates interagency collaboration and serves as a central point for coordinating
and sharing information related to the investigation of cyber threats.28 The MS-ISAC, a division of
the Center for Internet Security, provides real-time monitoring of networks, releases early
warnings and advisories of cyber threats, identifies and attempts to mitigate network
vulnerabilities, and provides incident response.29
25 Ibid., 9-11.
26 Ibid.
27 U.S. Department of Homeland Security, CIKR Cyber Information Sharing and
Collaboration Program (CISCP), accessed on March 6, 2014,
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/201306/ispab_june2013_menna_ciscp_one_pager.pdf.
28 U.S. Federal Bureau of Investigation, National Cyber Investigative Joint Task
Force, accessed on March 6, 2014,
http://www.fbi.gov/news/podcasts/thisweek/national-cyber-investigative-joint-taskforce-i.mp3/view.
29 Multi-State Information Sharing and Analysis Center, Center for Internet Security,
accessed on March 6, 2014, http://msisac.cisecurity.org/about/.
30 U.S. General Accountability Office, CYBERSECURITY: A Better Defined and
Implemented National Strategy Is Needed to Address Persistent Challenges,
(Washington, D.C.: GAO, 2013), 12.
31 Ibid.
32 Ibid.
33 Ibid.
sector computer networks. All recommendations are intended to enhance existing security
programs and fall into both the technical and non-technical categories. Several of the less-technical recommendations include:
Deploy a Host Intrusion Detection System (HIDS) to identify and block attacks.
Use an application proxy for web servers in order to filter out malicious requests.
Disable active scripting in email attachments.
Add several measures to protect passwords and accounts such as using multiple
authentication methods, requiring password lengths to be at least 15 characters, and use
The hyper-connected networks of the U.S. government, critical infrastructure, and private sector
make the country enormously vulnerable to cyberattacks that could devastate the economy,
compromise national security, and reduce the quality of life of citizens. The number and diversity
of cyber threats continue to expand and the costs of detecting, mitigating, and recovering from
malicious cyber intrusions are dramatically increasing. Unfortunately, such a large government
overseeing an immense economy is slow to adapt to uber-dynamic cybersecurity conditions and
is largely unable to keep ahead of the evolving cyber-threat landscape.
While there are numerous recommendations for improving the U.S.'s cyber
infrastructure, and the government and private sector have been quick to adopt these
recommendations as policy, implementation of these policies has been sluggish. The high cost
of implementing such logistically-complex strategies is a major obstacle in ensuring vulnerable
networks are better guarded against intrusion. And even as federal agencies work to improve
inter-agency collaboration, private networks seek to harden their sensitive networks, and
initiatives are created to ensure the nation retains an expert cybersecurity workforce, the fruits of
these endeavors have not yet generated an adequate response to cyber threats. The country's
cyber infrastructures remain at high risk with dangerous implications for national security,
critical infrastructure, and the lives of U.S. citizens.
Bibliography
Matthews, William. "Mapping the Pentagon's Networks: DoD Uses IPSonar to Improve
Defense," Defense News, last modified January 10, 2010,
http://www.defensenews.com/article/20100118/DEFFEAT01/1180306/MappingPentagon-s-Networks.
Multi-State Information Sharing and Analysis Center, Center for Internet Security, accessed on
March 6, 2014, http://msisac.cisecurity.org/about/.
Ponemon Institute, LLC, 2013 Cost of Cyber Crime Study: United States (Traverse City, MI:
Ponemon Institute, 2013), 1-2.
U.S. Department of Homeland Security, Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT), Cyber Threat Source Descriptions (Washington, D.C.: DHS, 2014),
accessed on February 27, http://ics-cert.us-cert.gov/content/cyber-threat-sourcedescriptions.
U.S. Department of Homeland Security, Report Cyber Incidents, accessed on February 27,
2014, http://www.dhs.gov/how-do-i/report-cyber-incidents.
U.S. Department of State, Cyberspace Policy Review, (Washington, D.C.: DoS, 2013), 13.
U.S. Department of Homeland Security, Combat Cyber Crime, accessed on March 3, 2014,
http://www.dhs.gov/combat-cyber-crime.
U.S. Department of Homeland Security, Secure Cyber Networks, accessed on March 3, 2014,
http://www.dhs.gov/secure-cyber-networks.
U.S. Department of Homeland Security, About the Critical Infrastructure Cyber Community C3
Voluntary Program, accessed on March 5, 2014, http://www.dhs.gov/about-criticalinfrastructure-cyber-community-c%C2%B3-voluntary-program.
U.S. Department of Homeland Security, CIKR Cyber Information Sharing and Collaboration
Program (CISCP), accessed on March 6, 2014,
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/201306/ispab_june2013_menna_ciscp_one_pager.pdf.
U.S. Federal Bureau of Investigation, National Cyber Investigative Joint Task Force, accessed
on March 6, 2014, http://www.fbi.gov/news/podcasts/thisweek/national-cyberinvestigative-joint-task-force-i.mp3/view.