Showing posts with label cybersecurity. Show all posts

Saturday, March 4, 2023

National Cybersecurity Strategy

"Digital technologies today touch nearly every aspect of American life. The openness and connection enabled by access to the internet are game-changers for communities everywhere, as we have all experienced throughout the COVID-19 pandemic. That's why, thanks to the Bipartisan Infrastructure Law, my administration is investing $65 billion to make sure every American has access to reliable, high-speed Internet. And when we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to do business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable, and secure. This National Cybersecurity Strategy details the comprehensive approach my Administration is taking to better secure cyberspace and ensure the United States is in the strongest possible position to realize all the benefits and potential of our digital future..."
cybersecurity 

Thursday, August 5, 2021

Federal Cybersecurity: America's Data Still at Risk

"In June 2019, the Permanent Subcommittee on Investigations (Subcommittee) issued a bipartisan report titled: Federal Cybersecurity: America’s Data at Risk (the 2019 Report). That report highlighted systemic failures of eight key Federal agencies to comply with Federal cybersecurity standards identified by agencies’ inspectors general. The 2019 Report documented how none of these eight agencies met basic cybersecurity standards and protocols, including properly protecting Americans’ personally identifiable information (PII); maintaining a list of the equipment and programs on agency networks; and promptly installing security patches to remediate vulnerabilities that hackers could exploit. The 2019 Report also highlighted that all eight agencies were operating legacy computer systems, which are costly to maintain and difficult to secure. Based on those findings, the Subcommittee determined that these eight Federal agencies were failing to protect the sensitive data they stored and maintained.

 
This report revisits those same eight agencies two years later. What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.
* * * * * * * * * * *
The current state of cyber espionage. In the past two years, state-sponsored hackers have perpetrated some of the largest and most damaging cyber-attacks in our history. In December 2020, we learned that the Russian Foreign Intelligence Service used a sophisticated supply chain vulnerability to corrupt a security patch for SolarWinds network management software. This allowed hackers to infiltrate nine Federal agencies, including DHS, State, Energy, and Treasury. Russia’s cyber-spies remained undetected in those Federal agencies’ systems for at least nine months. The Federal Government only became aware of the attack after it was discovered by a private cybersecurity firm, FireEye, which was also breached. The Federal Government is still working to understand exactly what information and data Russia accessed during those nine months..."
Federal Cybersecurity 

Thursday, July 29, 2021

National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems

"Protection of our Nation’s critical infrastructure is a responsibility of the government at the Federal, State, local, Tribal, and territorial levels and of the owners and operators of that infrastructure.  The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation.  The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.

Section 1.  Policy.  It is the policy of my Administration to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions, defined as the functions of Government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on national security, economic security, public health or safety, or any combination thereof. 

Sec. 2.  Industrial Control Systems Cybersecurity Initiative.  Accordingly, I have established an Industrial Control Systems Cybersecurity Initiative (Initiative), a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.  The primary objective of this Initiative is to defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.  The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure..."
Cybersecurity and infrastructure 

Friday, May 14, 2021

Executive Order on Improving the Nation’s Cybersecurity

"By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1.  Policy.  The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.  The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.  The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned.  But cybersecurity requires more than government action.  Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector.  The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.  In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.

Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.  The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.  The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)). 

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order..."
Nation's Cybersecurity 

Friday, December 18, 2020

SolarWinds Attack—No Easy Fix

"On December 13, 2020, the cybersecurity firm FireEye published research that a malicious actor was exploiting a supply chain vulnerability in SolarWinds products to hack into government and private sector information technology (IT) networks. SolarWinds confirmed the security incident. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to remove certain SolarWinds products from agency networks.
 

Media initially reported that the U.S. Treasury and Commerce departments were susceptible to this attack; subsequent reports added additional agencies. The list of compromised agencies and companies is expected to expand.

As private sector and government researchers continue investigating this incident, the cybersecurity community expects to learn more about the attack, the adversary, their targets, compromised data and systems, and ways to recover from the incident. This Insight provides an overview of the incident, federal response, and policy considerations.
 
The Attack

SolarWinds (Austin, TX) makes IT management products for business customers. These products allow chief information officers (CIOs) to automate certain activities such as managing internet protocol (IP) addresses, monitoring devices, and deploying updates.

A critical element to any software application or platform is the mechanism by which the vendor pushes updates and patches to users. SolarWinds built functions into their products which push update files to users (as is common practice).

A malicious actor discovered a way to compromise SolarWinds’ software update service for the Orion IT management platform (a SolarWinds suite of products). The actor was able to compromise the update channel used by Orion to distribute malware. When run, the code executed the Sunburst malware in the SolarWinds IT management platform. Once executed, Sunburst would go dormant for a period of time (to avoid detection) before fetching additional instructions from its command-and-control (C2) server. The additional instructions allowed the actors to exfiltrate files, execute new commands, profile the system, and manipulate the machine. The actors sought to hide their presence by manipulating files and disguising their activity as normal network traffic. SolarWinds stated that of their 300,000-plus customers, roughly 18,000 are susceptible to this attack. Known vulnerable versions of the platform were released in spring 2020 and were still vulnerable through mid-December 2020..."
Solar Winds Attack

Wednesday, October 30, 2019

Social Media Cybersecurity

"Now more than ever, consumers spend increasing amounts of time on the Internet. With every social media account you sign up for, every picture you post, and status you update, you are sharing information about yourself with the world. How can you be proactive to stay safe online and, “Own IT. Secure IT. Protect IT.”? #BeCyberSmart and take these simple steps to connect with confidence and safely navigate the social media world.
DID YOU KNOW?
  • 3.48 billion people worldwide now use social media worldwide. That’s an increase of 9% from 2018. Put another way: 45% of the total world population are using social networks.1
  • Digital consumers spend nearly 2.5 hours on social networks and social messaging every day.2
  • 69% of U.S. adults use at least one social media site3 and the average American has 7.1 social media accounts.4
SIMPLE TIPS TO OWN IT.
Remember, there is no ‘Delete’ button on the Internet. Share with care, because even if you delete a post or picture from your profile seconds after posting it, chances are someone still saw it.
Update your privacy settings. Set the privacy and security settings to your comfort level for information sharing. Disable geotagging, which allows anyone to see where you are—and where you aren’t—at any given time.
Connect only with people you trust. While some social networks might seem safer for connecting because of the limited personal information shared through them, keep your connections to people you know and trust.
Never click and tell. Limit what information you post on social media—from personal addresses to where you like to grab a coffee. What many people don’t realize is that these seemingly random details are all that criminals need to know to target you, your loved ones, and your physical belongings—online and in the real world. Keep Social Security numbers, account numbers, and passwords private, as well as specific information about yourself, such as your full name, address, birthday, and even vacation plans. Disable location services that allow anyone to see where you are—and where you aren’t—at any given time. Read the Social Media Cybersecurity Tip Sheet for more information..."
Social media cybersecurity

Friday, October 11, 2019

Cybersecurity While Traveling

"In a world where we are constantly connected, cybersecurity cannot be limited to the home or office. When you’re traveling — whether domestic or international—it is always important to practice safe online behavior and take proactive steps to secure Internet-enabled devices. The more we travel, the more we are at risk for cyberattacks. #BeCyberSmart and use these tips to connect with confidence while on the go.
SIMPLE TIPS TO OWN IT.
Before You Go
  • If you connect, you must protect. Whether it’s your computer, smartphone, game device, or other network devices, the best defense against viruses and malware is to update to the latest security software, web browser, and operating systems. Sign up for automatic updates, if you can, and protect your devices with anti-virus software.
  • Back up your information. Back up your contacts, financial data, photos, videos, and other mobile device data to another device or cloud service in case your device is compromised and you have to reset it to factory settings.
  • Be up to date. Keep your software updated to the latest version available. Maintain your security settings to keep your information safe by turning on automatic updates so you don’t have to think about it, and set your security software to run regular scans.
  • Keep it locked. Lock your device when you are not using it. Even if you only step away for a few minutes, that is enough time for someone to steal or misuse your information. Set your devices to lock after a short time and use strong PINs and passwords.
  • Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring..."
Cybersecurity

Tuesday, July 24, 2018

Cybersecurity: Data, Statistics, and Glossaries

"This report describes data and statistics from government, industry, and information technology (IT) security firms regarding the current state of cybersecurity threats in the United States and internationally. These include incident estimates, costs, and annual reports on data security breaches, identity thefts, cybercrimes, malware, and network securities.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the last several years. Included are resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources..."

Cybersecurity

Saturday, November 25, 2017

Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources

"As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources:

Table 1—cybercrime, data breaches and security, including hacking, real-time attack maps, and statistics (such as economic estimates)
Table 2—national security, cyber espionage, and cyberwar, including Stuxnet,
Table 3—cloud computing, the Internet of Things (IoT), and FedRAMP..."
Cybercrime and national security

Thursday, September 14, 2017

Justice Department’s Role in Cyber Incident Response


"Criminals and other malicious actors increasingly rely on the Internet and rapidly evolving technology to further their operations. In cyberspace, criminals can compromise financial assets, hacktivists can flood websites with traffic—effectively shutting them down, and spies can steal intellectual property and government secrets. When such cyber incidents occur, a number of questions arise, including how the federal government will react and which agencies will respond.

The Obama Administration, through Presidential Policy Directive/PPD-41, outlined how the government responds to significant cyber incidents. Responding to cyber incidents involves (1) threat response, (2) asset response, and (3) intelligence support. The Department of Justice (DOJ), through the Federal Bureau of Investigation (FBI, or the bureau) and National Cyber Investigative Joint Task Force (NCIJTF), is the designated lead on threat response, which involves investigating and attributing specific cyber activities to particular individuals or entities as well as facilitating intelligence and information sharing..." 
Justice Dept. and cybersecurity

Thursday, May 18, 2017

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

"Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated against individuals, corporations, and countries. Targets have included government networks, companies, and political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, engaging in cybercrime, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which may make responding problematic.

Despite many recommendations made over the past decade, most major legislative provisions relating to cybersecurity had been enacted prior to 2002. However, on December 18, 2014, five cybersecurity bills were signed by the President. These bills change federal cybersecurity programs in a number of ways:
  • codifying the role of the National Institute of Standards and Technology (NIST) in developing a “voluntary, industry-led set of standards” to reduce cyber risk;
  • codifying the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center as a hub for interactions with the private sector;
  • updating the Federal Information Security Management Act (FISMA) by requiring the Office of Management and Budget (OMB) to “eliminate ... inefficient and wasteful reports”; and
  • requiring DHS to develop a “comprehensive workforce strategy” within a year and giving DHS new authorities for cybersecurity hiring..."
Cybersecurity

Thursday, April 27, 2017

Cybersecurity: Critical Infrastructure Authoritative Reports and Resources

"Critical infrastructure is defined in the USA PATRIOT Act (P.L. 107-56, §1016(e)) as “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”

Presidential Decision Directive 63, or PDD-63, identified activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; electric power, oil and gas production; and storage. In addition, the PDD identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense..."
Cybersecurity

Thursday, October 27, 2016

Protecting Personal Information: A Guide for Business

"Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data. If this information falls into the wrong hands, it can lead to fraud or identity theft. The principles in this brochure can help a business keep data secure..."
Data breach

Thursday, October 6, 2016

Encryption: Frequently Asked Questions

"Encryption is a process to secure information from unwanted access or use. Encryption uses the art of cryptography to change information which can be read (plaintext) and make it so that it cannot be read (ciphertext). Decryption uses the same art of cryptography to change that ciphertext back to plaintext. Encryption takes five elements to work: plaintexts, keys, encryption methods, decryption methods, and ciphertexts. Data that are in a state of being stored or in a state of being sent are eligible for encryption. However, data that are in a state of being processed— that is being generated, altered, or otherwise used—are unable to be encrypted and remain in plaintext and vulnerable to unauthorized access..."
Encryption

Friday, April 8, 2016

Cybersecurity: Legislation, Hearings, and Executive Branch Documents

"Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated against individuals, corporations, and countries. Targets have included government networks, companies, and political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, engaging in cybercrime, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which may make responding problematic.

Despite many recommendations made over the past decade, most major legislative provisions relating to cybersecurity had been enacted prior to 2002. However, on December 18, 2014, in the last days of the 113th Congress, five cybersecurity bills were signed by the President. These bills change federal cybersecurity programs in a number of ways:

  • codifying the role of the National Institute of Standards and Technology (NIST) in developing a “voluntary, industry-led set of standards” to reduce cyber risk;
  • codifying the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center as a hub for interactions with the private sector;
  • updating the Federal Information Security Management Act (FISMA) by requiring the Office of Management and Budget (OMB) to “eliminate ... inefficient and wasteful reports”; and
  • requiring DHS to develop a “comprehensive workforce strategy” within a year and giving DHS new authorities for cybersecurity hiring..."
Cybersecurity

Thursday, March 24, 2016

Iranians Charged with Hacking U.S. Financial Sector

"Seven Iranians working on behalf of the Iranian government have been indicted for a series of cyber crimes that cost U.S. financial institutions tens of millions of dollars and compromised critical controls of a New York dam.
Using botnets and other malicious computer code, the individuals—employed by two Iran-based computer companies sponsored and directed by the Iranian government—engaged in a systematic campaign of distributed denial of service (DDoS) attacks against nearly 50 institutions in the U.S. financial sector between late 2011 and mid-2013. The repeated, coordinated attacks disabled bank websites and prevented customers from accessing their online accounts...."
Iranian Hacking

Friday, March 11, 2016

Cybersecurity: Critical Infrastructure Authoritative Reports and Resources

"Critical infrastructure is defined in the USA PATRIOT Act (P.L. 107-56, Sec. 1016(e)) as “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”

Presidential Decision Directive 63, or PDD-63, identified activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; electric power, oil and gas production; and storage. In addition, the PDD identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense..."
Cybersecurity

Thursday, March 10, 2016

FDIC Highlights New Resources for Bank Customers on Precautions When Using Computers and the Internet
Cybersecurity publications announced as part of National Consumer Protection Week

"The Federal Deposit Insurance Corporation (FDIC) announced new resources today to educate bank customers about appropriate steps they can take to help avoid fraud and other cyber threats when banking online or on their mobile devices. The information is being issued in advance of National Consumer Protection Week, March 6-12.
As part of an ongoing effort to highlight safe online banking strategies, the FDIC released two new cybersecurity brochures today aimed at consumers and business customers of financial institutions. The brochures include tips to help users protect and maintain their computer systems and data. In addition to expanded cybersecurity information available online, the FDIC also released a special edition of the quarterly newsletter FDIC Consumer News featuring precautions consumers can take at home and when banking remotely using laptops, desktops, smartphones, and other mobile devices.
While federally insured financial institutions are required to have vigorous information security programs to safeguard financial data, financial institution customers and businesses also need to know how to steer clear of potential fraudulent situations. The FDIC is using National Consumer Protection Week as an opportunity to remind bank customers about taking appropriate cybersecurity precautions..."
Cybersecurity

Wednesday, February 10, 2016

Commission on Enhancing National Cybersecurity

"By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security, it is hereby ordered as follows:
Section 1. Establishment. There is established within the Department of Commerce the Commission on Enhancing National Cybersecurity (Commission)..."
Cybersecurity

Tuesday, February 9, 2016

Strengthening Our Nation's Cybersecurity

"Today, President Obama is releasing his final budget proposal of his Administration. It's a strong reflection of what investments he believes will move our country forward and keep our country and the American people safe.
A key part of that involves the strength of our nation's cybersecurity. From buying products, to running businesses, to chatting with the people we love, our online world has fundamentally reshaped the way we live our lives. But living in a digital age also makes us more vulnerable to malicious cyber activity.
We have to adapt to this national threat. That's why President Obama has worked for more than seven years to aggressively and comprehensively confront this challenge. So today, he is directing the Administration to implement a Cybersecurity National Action Plan (CNAP) -- the capstone of our national cybersecurity efforts..."
Cybersecurity