As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, while nation-state hackers compromise companies, government agencies, and other organizations to build espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea.

Much is written on this topic, and this report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources.


Title Source Date Notes
The Cyberfeed Anubis Networks Continuously Updated This site provides real-time threat intelligence data worldwide.
Digital Attack Map Arbor Networks Continuously Updated The map is powered by data fed from 270+ ISP customers worldwide who have agreed to share network traffic and attack statistics. The map displays global activity levels in observed attack traffic, collected anonymously, and does not include any identifying information about the attackers or victims involved in any particular attack.
Cyber Incident Timeline Center for Strategic & International Studies (CSIS) Continuously Updated The CSIS Strategic Technologies program’s interactive “Cyber Incident Timeline” details successful attacks on government agencies, defense and high-tech companies, and international economic crimes with losses of more than $1 million, since 2006. It includes news reports and videos on most incidents.
Summary of U.S. State Data Breach Notification Statutes Davis Wright Tremaine LLP Continuously Updated Click on any of the states to see a full summary of their data breach notification statute.
Dissent (pseudonym) Continuously Updated This site is a combination of news aggregation, investigative reporting, and commentary on data breaches and data breach laws. Users can browse data breaches by sector.
ThreatExchange Facebook Continuously Updated ThreatExchange is a set of application programming interfaces, or APIs, that let disparate companies trade information about the latest online attacks. Built atop the Facebook Platform—a repository of a standard set of tools for coding applications within the worldwide social network—ThreatExchange is used by Facebook and a handful of other companies, including Tumblr, Pinterest, Twitter, and Yahoo. Access to the service is strictly controlled, but [Facebook] hopes to include more companies as time goes on.
Federal Trade Commission List of Settled Data Security Cases Federal Trade Commission (FTC) Continuously Updated The FTC’s Legal Resources website offers a compilation of laws, cases, reports, and more. The user can filter the FTC’s legal documents by type (case) and topic (data security), resulting in a list of 55 data security cases from 2000 to 2015, in reverse chronological order. Clicking the case name provides more details, such as the case citation, timeline, press releases, and pertinent legal documents.
Threat Intelligence Database Fidelis Barncat Continuously Updated The database includes more than 100,000 records with configuration settings extracted from malware samples gathered during Fidelis’ incident response investigations and other intelligence gathering operations over the past decade. The typical malware sample includes a large number of configuration elements, including those controlling the behavior of the malware on the host and others related to command-and-control traffic. Barncat is updated with hundreds of new configuration records each day. Barncat is available for use by CERTs, research organizations, government entities, ISPs and other large commercial enterprises. Access is free, but users must request access and meet specific criteria.
FTC Continuously Updated The one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. The upgraded site, which is mobile and tablet accessible, offers an array of easy-to-use tools that enable identity theft victims to create the documents they need to alert police, the main credit bureaus, and the Internal Revenue Service (IRS), among others.
HHS Breach Portal: Breaches Affecting 500 or More Individuals Health and Human Services (HHS) Continuously Updated As required by Section 13402(e)(4) of the HITECH Act, P.L. 111-5, HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted in a more accessible format that allows users to search and sort the posted breaches. Additionally, the format includes brief summaries of the breach cases that the Office for Civil Rights (OCR) has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information.
Combatting Cyber Crime Homeland Security Continuously Updated DHS works with other federal agencies to conduct high-impact criminal investigations to disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts, develop standardized methods, and broadly share cyber response best practices and tools. Criminal investigators and network security experts with deep understanding of the technologies malicious actors are using and the specific vulnerabilities they are targeting work to effectively respond to and investigate cyber incidents.
HoneyMap Honeynet Project Continuously Updated The HoneyMap displays malicious attacks as they happen. Each red dot represents an attack on a computer. Yellow dots represent “honeypots” or systems set up to record incoming attacks. The black box on the bottom gives the location of each attack. The Honeynet Project is an international 501(c)(3) nonprofit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.
Data Breaches Identity Theft Resource Center Continuously Updated The report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories: business, banking/credit/financial, educational, government/military, and medical/healthcare.
Regional Threat Assessment: Infection Rates and Threat Trends by Location Microsoft Security Intelligence Report (SIR) Continuously Updated The report provides data on infection rates, malicious websites, and threat trends by regional location, worldwide. (Note: Select “All Regions” or a specific country or region to view threat assessment reports.)
No More Ransom National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Center, Kaspersky Lab and Intel Security Continuously Updated The online portal offers a one-stop shop for battling ransomware infections.
ThreatWatch NextGov Continuously Updated ThreatWatch is a snapshot of the data breaches hitting organizations and individuals, globally, on a daily basis. It is not an authoritative list because many compromises are never reported or even discovered. The information is based on accounts published by outside news organizations and researchers.
Information about OPM Cybersecurity Incidents Office of Personnel Management (OPM) Continuously Updated In April 2015, OPM discovered that the personnel data of 4.2 million current and former federal government employees had been stolen. Information such as full name, birth date, home address, and Social Security numbers was affected. While investigating this incident, in early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective federal employees and contractors.
Chronology of Data Breaches, Security Breaches 2005 to the Present Privacy Rights Clearinghouse (PRC) Continuously Updated The listed (U.S.-only) data breaches have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver’s license numbers. This list is not a comprehensive compilation of all breach data. Most of the information is obtained from verifiable media stories, government websites (e.g., state Attorneys General, such as the California AG’s breach website), or blog posts with information pertinent to the breach in question.
Criminal Underground Economy Series Trend Micro Continuously Updated A review of various cybercrime markets around the world.
Global Botnet Map Trend Micro Continuously Updated Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers and help increase protection against botnet attacks. The real-time map indicates the locations of C&C servers and victimized computers they control that have been discovered in the previous six hours.
The Equifax Data Breach: What to Do FTC September 8, 2017 FTC information on what to do after the Equifax data breach, including information on how to set up a credit freeze and/or fraud alert.
Data Integrity: Recovering from Ransomware and Other Destructive Events (DRAFT) NIST September 6, 2017 Data integrity incidents, such as ransomware, destructive malware, malicious insider activity, and even honest mistakes, can compromise enterprise information, including emails, employee records, financial records, and customer data. (456 pages)
The FDIC’s Processes for Responding to Breaches of Personally Identifiable Information FDIC Inspector General September 2017 An FDIC audit found that protocols for responding to a data breach aren’t being followed, even as the agency has faced dozens of security incidents in the past two years. The audit stemmed from a series of data breaches at the FDIC over nearly two years, from January 2015 to December 2016. Overall the agency has confirmed or suspects that it was compromised 54 times within that time period. The Office of Inspector General selected 18 of those breaches to evaluate for the audit. (51 pages)
The CERT Guide to Coordinated Vulnerability Disclosure Carnegie Mellon August 2017 This document is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability. In it, the reader will find an overview of key principles underlying the CVD process, a survey of CVD stakeholders and their roles, and a description of CVD process phases, as well as advice concerning operational considerations and problems that may arise in the provision of CVD and related services. (121 pages)
Social Security Numbers: OMB Actions Needed to Strengthen Federal Efforts to Limit Identity Theft Risks by Reducing Collection, Use, and Display GAO July 27, 2017 GAO was asked to review federal government efforts to reduce the collection and use of SSNs. This report examines (1) what governmentwide initiatives have been undertaken to assist agencies in eliminating their unnecessary use of SSNs and (2) the extent to which agencies have developed and executed plans to eliminate the unnecessary use and display of SSNs and have identified challenges associated with those efforts.
Highlights of a Forum: Combating Synthetic Identity Fraud GAO July 26, 2017 According to experts, synthetic identity fraud (SIF) has grown significantly in the last five years and has resulted in losses exceeding hundreds of millions of dollars to the financial industry in 2016. A key component of synthetic identities is SSNs—the principal identifier in the credit reporting system. GAO convened and moderated a diverse panel of 14 experts on February 15, 2017, to discuss: how criminals create synthetic identities; the magnitude of the fraud; and issues related to preventing and detecting SIF and prosecuting criminals. (33 pages)
Counting the Cost: Cyber Exposure Decoded Lloyd’s of London July 10, 2017 Lloyd’s Class of Business team estimates that the global cyber market is worth between $3 billion and $3.5 billion. Despite this growth, insurers’ understanding of cyber liability and risk aggregation is an evolving process as experience and knowledge of cyber-attacks grows. (56 pages)
2017 Cost of Data Breach Study: Global Overview Ponemon and IBM June 28, 2017 According to the report, the average total cost of a data breach for the 419 companies participating in the research study decreased from $4.00 million to $3.62 million. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased, from $158 in 2016 to $141 in this year’s study. However, despite the decline in the overall cost, companies in this year’s study are having larger breaches. (35 pages)
2016 Internet Crime Report Internet Crime Complaint Center (IC3) June 21, 2017 IC3 is a joint project of the National White Collar Crime Center and the FBI. In 2016, IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion. This past year, the top three crime types reported by victims were non-payment and non-delivery, personal data breach, and payment scams. (28 pages)
Stateless Attribution: Toward International Accountability in Cyberspace RAND June 2017 This report reviews the state of cyber attribution and examines alternative options for producing standardized and transparent attribution that may overcome concerns about credibility. In particular, this exploratory work considers the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber attacks. (64 pages)
Worldwide DDoS Attacks & Cyber Insights Research Report Neustar May 2, 2017 Public and private organizations globally are getting slower at detecting and responding to distributed denial of service (DDoS) attacks as they become larger and more complex, new research shows. More than half of organizations surveyed in a global study reported taking three hours or more to detect a DDoS attack on their websites in the past year. Forty-eight percent said that they take at least three hours to respond to such an attack. (52 pages)
Data Breach Digest: Perspective is Reality Verizon April 26, 2017 In the Data Breach Digest, we share some of our most interesting cases—anonymized of course—so you can learn from the lessons of others. Our 16 cybercrime case studies cover the most lethal and prevalent threats you face—from partner misuse to sophisticated malware. We set out the measures you can take to better defend your organization and respond quickly if you are a victim of an attack. (100 pages)
Data Breach Investigations Report (registration required) Verizon April 27, 2017 The latest report examined 42,068 incidents and 1,935 breaches from 84 countries, drawing from the collective data of 65 organizations. Cyber espionage accounts for 21% of breaches, still far behind the 73% that are financially motivated. Breaches are heavily concentrated in three sectors: financial, health care, and public sector. (76 pages)
2017 Internet Security Threat Report(registration required) Symantec April 26, 2017 Cyberattackers are seeking bigger financial hauls, targeting massive dollar amounts, and more than tripling their asking price via ransomware from 2015 to 2016. In 2015, ransomware demands averaged $294, but that jumped to $1,077 in 2016. The probable cause is that victims are paying up: globally, 34% paid the ransom, and in the United States, 64% did. (77 pages)
The Cyber-Value Connection: Revealing the link between cyber vulnerability CGI/Oxford Economics April 2017 The report looks at the reduction in company value that arises from a cyber breach, vividly demonstrating how a severe incident leads to a decline in share price. To ensure rigor and independence, CGI commissioned Oxford Economics to develop a robust econometric model using a “difference in differences” technique to isolate the damage caused to company value by a cyber breach from other movements in the market.(28 pages)
Identity Theft Services: Services Offer Some Benefits but Are Limited in Preventing Fraud GAO March 30, 2017 GAO was asked to examine issues related to identity theft services and their usefulness. The report examines, among other objectives, (1) the potential benefits and limitations of identity theft services and (2) factors that affect government and private-sector decisionmaking about them. GAO reviewed products, studies, laws, regulations, and federal guidance and contracts, and interviewed federal agencies, consumer groups, industry stakeholders, and eight providers selected because they were large market participants. (70 pages)
Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits RAND March 13, 2017 This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. (133 pages)
IBM X-Force Threat Intelligence Index 2017: The Year of the Mega-Breach IBM March 2017 In 2016, more than 4 billion records were leaked worldwide, exceeding the combined total from the two previous years, according to a report from IBM Security. The leaked documents comprised the usual credit cards, passwords, and personal health information, but the report also notes a shift in cybercriminal strategies, finding a number of significant breaches were related to unstructured data such as email archives, business documents, intellectual property, and source code. (30 pages)
The Web of Vulnerabilities: Hunters, Hackers, Spies, and Criminals Christian Science Monitor’s Passcode team and Northwestern University’s Medill School of Journalism February 10, 2017 In a joint multimedia project between The Christian Science Monitor’s Passcode team and Northwestern University’s Medill School of Journalism, they explore the growing arms race to discover software vulnerabilities and what it means for national security and everyone’s digital privacy and safety.
2017 Identity Fraud: Securing the Connected Life (press release) Javelin Strategy & Research February 2017 The study revealed that the number of identity fraud victims increased by 16% (rising to 15.4 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found that despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly $1 billion to $16 billion. (6 pages)
In 2017, The Insider Threat Epidemic Begins Institute for Critical Infrastructure Technology February 2017 The report offers a comprehensive analysis of the Insider Threat Epidemic, including research on (1) Characterizing Insider Threats (the insider threat cyber “kill chain,” non-malicious insider threats, malicious insider threats) (2) The Insider Threat Debate (3) Policies, Procedures, and Guidelines to Combat Insider Threats (4) Non-Technical Controls (5) Technical Controls. (52 pages)
Risk and Anxiety: A Theory of Data Breach Harms Texas Law Review December 14, 2016 The essay examines why courts have struggled when dealing with harms caused by data breaches. The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse. The report explores how existing legal foundations support the recognition of such harm. It demonstrates how courts can assess risk and anxiety in a concrete and coherent way.
Verisign Distributed Denial of Service Trends Report Verisign December 2016 Provides a view into attack statistics and behavioral trends during the third quarter of 2016: 81% of attacks peaked over 1 Gbps; 82% increase in attack size year over year; 59% of attacks used multiple attack types. (12 pages)
Department Releases Intake and Charging Policy for Computer Crime Matters Department of Justice October 25, 2016 In the course of litigation, DOJ released the policy under which it chooses whether to bring charges under the Computer Fraud and Abuse Act. As set forth in the memorandum, prosecutors must consider a number of factors to ensure that charges are brought only in cases that serve a substantial federal interest.
Data Breach Response: A Guide for Businesses Federal Trade Commission (FTC) October 25, 2016 The guidance document provides a basic checklist to help identify the general legal coverage for various types of data and point businesses to the relevant legal standards. It also includes a model notice letter for individuals whose Social Security numbers may have been breached. (16 pages)
IoT Devices as Proxies for Cybercrime Krebs on Security October 13, 2016 The post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity—from frequenting underground forums to credit card and tax refund fraud.
Examining the Costs and Causes of Cyber Incidents RAND October 10, 2016 Researchers found that the typical cost of a breach was about $200,000 and that most cyber events cost companies less than 0.4% of their annual revenues. The $200,000 cost was roughly equivalent to a typical company’s annual information security budget. (15 pages)
From the Trenches: Current Status of Security and Risk in the Financial Sector SANS Institute October 6, 2016 According to a recent SANS survey, some 55% of financial services firms report ransomware as the top attack threat, followed by phishing (50%), which previously held the top spot. More than 32% of financial firms say they’ve lost anywhere from $100,000 to $500,000 due to ransomware attacks.
2016 Internet Organised Crime Threat Assessment (IOCTA) Europol September 28, 2016 The IOCTA reports a continuing and increasing acceleration of the security trends observed in previous assessments. The additional increase in volume, scope, and financial damage combined with the asymmetric risk that characterizes cybercrime has reached such a level that in some EU countries cybercrime may have surpassed traditional crime in terms of reporting. (72 pages)
The Rising Face of Cyber Crime: Ransomware BitSight September 21, 2016 Ransomware attacks on government agencies around the world have tripled in the past year. Government entities are second most likely to be targeted by ransomware attacks, following only the education sector. About 4% of government agencies had been exposed to Nymaim, and 3% to Locky, both ransomware strains. Of all industries, government had the second lowest security rating and the highest ransomware attack rate. (11 pages)
Ransomware Victims Urged to Report Infections to Federal Law Enforcement FBI September 15, 2016 The FBI is requesting that victims reach out to their local FBI office or file a complaint with the Internet Crime Complaint Center, providing ransomware infection details (as detailed on the website).
Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions National Academies Press September 2016 In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions. Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better protecting and helping consumers in the wake of a breach. Speakers were asked to focus on data breach aftermath and recovery and to discuss ways to remediate harms from breaches. The publication summarizes the presentations and discussions from the workshop. (67 pages)
Examining the Costs and Causes of Cyber Incidents Journal of Cybersecurity August 25, 2016 Researchers examined a sample of more than 12,000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared with the relatively modest financial impact to firms that suffer these events. Specifically, they found that the cost of a typical cyber incident is less than $200,000 (about the same as the firm’s annual IT security budget), which represents only 0.4% of a firm’s estimated annual revenues. (15 pages)
Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications New America July 28, 2016 The report offers five initial policy recommendations to ensure that more vulnerabilities are discovered and patched sooner: (1) The U.S. government should minimize its participation in the vulnerability market, because it is the largest buyer in a market that discourages researchers from disclosing vulnerabilities to be patched; (2) The U.S. government should establish strong, clear procedures for government disclosure of the vulnerabilities it buys or discovers, with a heavy presumption toward disclosure; (3) Congress should establish clear rules of the road for government hacking to better protect cybersecurity and civil liberties; (4) Government and industry should support bug bounty programs as an alternative to the vulnerabilities market and investigate other innovative ways to foster the disclosure and prompt patching of vulnerabilities; and (5) Congress should reform computer crime and copyright laws, and agencies should modify their application of such laws to reduce the legal chill on legitimate security research. (40 pages)
Second Interim Status Report on the U.S. Office of Personnel Management’s (OPM) Infrastructure Improvement Project – Major IT Business Case OPM May 18, 2016 The report finds that funding for the troubled IT security upgrades project remains an issue in part because of the agency’s poor planning. The inspector general finds the agency still lacks a “realistic budget” for the massive upgrade. (12 pages)
Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information RAND Corp. April 20, 2016 Key findings include (1) 26% of respondents, or an estimated 64 million U.S. adults, recalled a breach notification in the past 12 months; (2) 44% of those notified were already aware of the breach; (3) 62% of respondents accepted offers of free credit monitoring; (4) only 11% of respondents stopped dealing with the affected company following a breach; (5) 32% of respondents reported no costs of the breach and any inconvenience it garnered, while, among those reporting some cost, the median cost was $500; and (6) 77% of respondents were highly satisfied with the company’s post-breach response.
2016 Internet Security Threat Report | Government Symantec April 13, 2016 Public-sector data breaches exposed some 28 million identities in 2015, but hackers were responsible for only one-third of those compromises, according to new research. Negligence was behind nearly two-thirds of the exposed identities through government agencies. In total, the report suggests 21 million identities were compromised accidentally, compared with 6 million by hackers.
Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security The Institute for Critical Infrastructure Technology April 2016 The report introduces the ins and outs of the more prevalent ransomware variants as well as other endpoints vulnerable to ransomware attacks, such as SCADA/ICS, IoT, cars, cloud, servers, specialized hardware, personal computers, and the most easily exploitable vulnerability, the human. (27 pages)
2016 Data Breach Investigations Report Verizon April 2016 Provides analysis and statistics on worldwide data breaches. “In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred—and it was typically customers or law enforcement that sounded the alarm, not their own security measures.” (85 pages)
A Look Inside Cybercriminal Call Centers Krebs on Security January 11, 2016 Crooks who make a living via identity theft schemes, dating scams, and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they do not speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multilingual men and women who can be hired to close the deal.
Target Settlement Memorandum U.S. District Court, District of Minnesota December 2, 2015 Target Corporation has agreed to pay financial institutions almost $40 million to settle a class-action suit related to its massive 2013 data breach. The proposed settlement of up to $39,357,938.38 will apply to all U.S. financial institutions that issued payment cards put at risk as a result of the data breach. (20 pages)
The Cyberwar is On (Special Issue) The Agenda (Politico) December 2015 The cyber issue of The Agenda magazine includes “Why Politicians Can’t Handle Cyber,” “Inside the NSA’s Hunt for Hackers,” “America’s Secret Arsenal,” “The Biggest Hacks (We Know About),” “Survey: What Keeps America’s Computer Experts Up at Night?,” “The ‘Electronic Pearl Harbor’,” “Our Best Frenemy,” “Time for a Ralph Nader Moment,” “The Crypto Warrior,” and “America’s CIO.”
Fiscal Year 2015 Top Management Challenges Office of Personnel Management (OPM), Office of Inspector General (OIG) October 30, 2015 See Internal Challenges section (pp. 15-22) for a discussion of challenges related to information technology, improper payments, the retirement claims process, and the procurement process. Officials in OPM’s Office of Procurement Operations violated the Federal Acquisition Regulation and the agency’s own policies in awarding a $20.7 million contract to provide credit monitoring and ID theft services. Investigators turned up “significant deficiencies” in the process of awarding the contract to Winvale Group and its subcontractor CSID. (22 pages)
With Stolen Cards, Fraudsters Shop to Drop Krebs on Security September 28, 2015 Fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators to essentially split the profits from merchandise ordered with stolen credit and debit cards.
Drops for Stuff: An Analysis of Reshipping Mule Scams Federal Bureau of Investigation (FBI), University of CA Santa Barbara, Stony Brook University, Krebs on Security, University College London September 23, 2015 In reshipping scams, cybercriminals purchase high-value or high-demand products from online merchants using stolen payment instruments, and then ship the items to a credulous citizen. This person, who has been recruited by the scammer under the guise of “work-from-home” opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are then resold on the black market for an illicit profit. (12 pages)
Follow the Data: Dissecting Data Breaches and Debunking Myths Trend Micro September 22, 2015 Trend Micro’s Forward-Looking Threat Research (FTR) Team has taken 10 years (2005-2015) of information on data breaches in the United States from the Privacy Rights Clearinghouse (PRC) and subjected it to detailed analysis to better understand the real story behind data breaches and their trends. (51 pages)
Timeline: Government Data Breaches Government Executive July 6, 2015 The timelines are based mainly on testimony from OPM Director Catherine Archuleta and Andy Ozment, assistant secretary for Cybersecurity and Communications at DHS, supplemented by information from news reports.
2015 Cost of Data Breach Study: Global Analysis Ponemon Institute and IBM May 27, 2015 The average cost of a breach was up worldwide in 2014, with U.S. firms paying almost $1.5 million more than the global average. In the United States, a data breach costs organizations on average $5.85 million (the highest of the 10 nations analyzed), up from $5.4 million in 2013. Globally, the cost of a breach is up 15% this year to $3.5 million. The United States likewise had the highest cost per record stolen, at $201, up from $188 last year. The country also led in terms of size of breaches recorded: U.S. companies averaged 29,087 records compromised in 2014. (Free registration required to download.) (31 pages)
Meet ‘Tox’: Ransomware for the Rest of Us McAfee Labs May 23, 2015 The packaging of malware and malware-construction kits for cybercrime “consumers” has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are virtually anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits. However, Tox is now available free.
2014 Internet Crime Report Internet Crime Complaint Center (IC3) May 19, 2015 IC3, a joint project of the National White Collar Crime Center and the FBI, received 269,422 complaints last year consisting of a wide array of scams affecting victims across all demographic groups. In 2014, victims of Internet crimes in the United States lost more than $800 million. On average, approximately 22,000 complaints were received each month. (48 pages)
Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data Ponemon Institute May 2015 A rise in cyberattacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records. Criminal attacks are up 125% compared with five years ago, when lost laptops were the leading threat. The study also found most organizations are unprepared to address new threats and lack adequate resources to protect patient data. (7 pages)
Best Practices for Victim Response and Reporting of Cyber Incidents Department of Justice April 29, 2015 DOJ issued new guidance for businesses on best practices for handling cyber incidents. The guidance is broken down into what companies should do—and should not do—before, during, and after an incident. The recommendations include developing an incident response plan, testing it, identifying highly sensitive data and risk management priorities, and connecting with law enforcement and response firms in advance. (15 pages)
2014 Global Threat Intel Report CrowdStrike February 6, 2015 The report summarizes CrowdStrike’s year-long daily scrutiny of more than 50 groups of cyber threat actors, including 29 different state-sponsored and nationalist adversaries. Key findings explain how financial malware changed the threat landscape and how point-of-sale malware became increasingly prevalent. The report also profiles a number of new and sophisticated adversaries from China and Russia. (Free registration required.)
Unique in the Shopping Mall: on the Reidentifiability of Credit Card Metadata Science Magazine January 30, 2015 Massachusetts Institute of Technology (MIT) scientists showed they can identify an individual with more than 90% accuracy by looking at just four purchases; three if the price is included—and this is after companies “anonymized” the transaction records, saying they wiped away names and other personal details. (5 pages)
Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat FBI January 20, 2015 Ransomware scams involve a type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom—anywhere from hundreds to thousands of dollars—is paid. The site offers information on the FBI’s and federal, international, and private-sector partners’ proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets.
Exploit This: Evaluating the Exploit Skills of Malware Groups Sophos Labs Hungary January 2015 Researchers evaluated the malware and advanced persistent threat (APT) campaigns of several groups that all leveraged a particular exploit—a sophisticated attack against a specific version of Microsoft Office. The report found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack. Despite the aura of skill and complexity that seems to surround APTs, they are much less sophisticated than they are given credit for. (26 pages)
The Cost of Malware Containment Ponemon Institute January 2015 A survey of more than 600 U.S. IT security practitioners found that in a typical week, organizations receive an average of nearly 17,000 malware alerts; only 19% are deemed reliable or worthy of action. Compounding the problem, respondents believe their prevention tools miss 40% of malware infections in a typical week. (Free registration required.)
Addressing the Cybersecurity Malicious Insider Threat Schluderberg, Larry (Utica College Master’s Thesis) January 2015 “The purpose of this research was to investigate who constitutes Malicious Insider (MI) threats, why and how they initiate attacks, the extent to which MI activity can be modeled or predicted, and to suggest risk mitigation strategies. The results reveal that addressing the Malicious Insider threat is much more than just a technical issue. Dealing effectively with the threat involves managing the dynamic interaction between employees, their work environment and work associates, the systems with which they interact, and organizational policies and procedures.” (80 pages)
The Underground Hacker Markets are Booming with Counterfeit Documents, Premiere Credit Cards, Hacker Tutorials, and 1000% Satisfaction Guarantees Dell Secure Works December 2014 Researchers examined dozens of underground hacker markets and found that business is booming. Prices have gone down for many items and the offerings have expanded. According to the report, “Underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud.” (16 pages)
What Happens When You Swipe Your Card? 60 Minutes November 30, 2014 From the script for the segment “Swiping Your Card”: “Sophisticated cyberthieves steal your credit card information. Common criminals buy it and go on shopping sprees—racking up billions of dollars in fraudulent purchases. The cost of the fraud is calculated into the price of every item you buy. When computer crooks swipe your card number, we all end up paying the price. 2014 is becoming known as the ‘year of the data breach.'”
Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation Heritage Foundation October 27, 2014 A list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. The list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.
2014 Cost of Cybercrime Global Report Hewlett-Packard Enterprise Security and the Ponemon Institute October 8, 2014 This 2014 global study of U.S.-based companies, which spanned seven nations, found that over the course of a year, the average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from $11.6 million in the 2013 study. The average time to resolve a cyberattack is also rising, climbing to 45 days from 32 days in 2013. (30 pages) (Email registration required.)
The Deep Web (Special Issue) The Kernel September 28, 2014 A special issue devoted to the Deep Web, Tor, Silk Road, black markets, etc.
How Consumers Foot the Bill for Data Breaches (infographic) August 7, 2014 More than 600 data breaches occurred in 2013 alone, with an average organizational cost of more than $5 million. But in the end, it is the customers who are often picking up the tab, from higher retail costs to credit card reissue fees.
Is Ransomware Poised for Growth? Symantec July 14, 2014 Ransomware usually masquerades as a virtual “wheel clamp” for the victim’s computer. For example, pretending to be from local law enforcement, it might suggest the victim had been using the computer for illicit purposes and claim that to unlock his or her computer the victim would have to pay a fine—often between $100 and $500. The use of ransomware escalated in 2013, with a 500% (sixfold) increase in attacks between the start and end of the year.
iDATA: Improving Defences Against Targeted Attack Centre for the Protection of National Infrastructure (UK) July 2014 The iDATA program consists of a number of projects aimed at addressing threats posed by nation-states and state-sponsored actors. iDATA has resulted in several outputs for the cybersecurity community. The document provides a description of the iDATA program and a summary of the reports. (8 pages)
Cyber Risks: The Growing Threat Insurance Information Institute June 27, 2014 Although cyber risks and cybersecurity are widely acknowledged to be serious threats, many companies today still do not purchase cyber risk insurance. Insurers have developed specialist cyber insurance policies to help businesses and individuals protect themselves from the cyber threat. Market intelligence suggests that the types of specialized cyber coverage being offered by insurers are expanding in response to this fast-growing market need. (27 pages)
Hackers Wanted: An Examination of the Cybersecurity Labor Market RAND Corporation June 24, 2014 RAND examined the current status of the labor market for cybersecurity professionals—with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of cybersecurity professionals to unearth skills differentiation as relevant to this study. (110 pages)
Big Data and Innovation, Setting The Record Straight: De-identification Does Work Information Technology and Innovation Foundation and the Information and Privacy Commissioner, Ontario, Canada June 16, 2014 The paper examines a select group of articles that are often referenced in support of the myth that de-identified data sets are at risk of re-identifying individuals through linkages with other available data. It examines the ways in which the academic research referenced has been misconstrued and finds that the primary reason for the popularity of these misconceptions is not factual inaccuracies or errors within the literature but rather a tendency on the part of commentators to overstate or exaggerate the risk of re-identification. (13 pages)
Net Losses: Estimating the Global Cost of Cybercrime Center for Strategic and International Studies and McAfee June 2014 The report explores the economic impact of cybercrime, including estimation, regional variances, IP theft, opportunity and recovery costs, and the future of cybercrime. (24 pages)
2014 U.S. State of Cybercrime Survey Pricewaterhouse Coopers, CSO Magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service May 29, 2014 The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. This year, three out of four (77%) respondents to the survey had detected a security event in the past 12 months, and more than one-third (34%) said the number of security incidents detected had increased over the previous year. (21 pages)
Privileged User Abuse and The Insider Threat Ponemon Institute and Raytheon May 21, 2014 The report looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One problematic area is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they do not have enough contextual information from security tools to make this assessment, and 56% say security tools yield too many false positives. (32 pages) (Requires free registration to access.)
Online Advertising and Hidden Hazards to Consumer Security and Data Privacy Senate Permanent Subcommittee on Investigations May 15, 2014 The report found consumers could expose themselves to malware just by visiting a popular website. It noted that the complexity of the industry made it possible for both advertisers and host websites to defer responsibility and that consumer safeguards failed to protect against online abuses. The report also warned that current practices do not create enough incentives for “online advertising participants” to take preventive measures. (47 pages)
Sharing Cyberthreat Information Under 18 USC §2702(a)(3) Department of Justice (DOJ) May 9, 2014 DOJ issued guidance for Internet service providers to assuage legal concerns about information sharing. The white paper interprets the Stored Communications Act, (18 U.S.C. §2701 et seq.) which prohibits providers from voluntarily disclosing customer information to governmental entities. The white paper says the law does not prohibit companies from divulging data in the aggregate, without any specific details about identifiable customers. (7 pages)
The Target Breach, by the Numbers Krebs on Security May 6, 2014 A synthesis of numbers associated with the Target data breach of December 19, 2013 (e.g., number of records stolen, estimated dollar cost to credit unions and community banks, and the amount of money Target estimates it will spend upgrading payment terminals to support Chip-and-PIN enabled cards).
The Rising Strategic Risks of Cyberattacks McKinsey and Company May 2014 The authors suggest that companies are struggling with their capabilities in cyber risk management. As highly visible breaches occur with increasing regularity, most technology executives believe they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient.
Big Data: Seizing Opportunities, Preserving Values White House May 2014 Findings include a set of consumer protection recommendations, such as national data-breach legislation, and a fresh call for baseline consumer-privacy legislation first recommended in 2012. (85 pages)
Russian Underground Revisited Trend Micro April 28, 2014 The price of malicious software—designed to enable online bank fraud, identity theft, and other cybercrimes—is falling dramatically in some of the Russian-language criminal markets in which it is sold. Falling prices are a result not of declining demand but rather of an increasingly sophisticated marketplace. The report outlines the products and services being sold and their prices. (25 pages)
Federal Agencies Need to Enhance Responses to Data Breaches Government Accountability Office (GAO) April 2, 2014 Major federal agencies continue to face challenges in fully implementing all components of agency-wide information security programs, which are essential for securing agency systems and the information they contain—including personally identifiable information (PII). (19 pages)
A “Kill Chain” Analysis of the 2013 Target Data Breach Senate Commerce Committee March 26, 2014 The report analyzes what has been reported to date about the Target data breach, using the intrusion kill chain framework, an analytical tool introduced by Lockheed Martin security researchers in 2011 and widely used today by information security professionals in both the public and private sectors. The analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach. (18 pages)
Markets for Cybercrime Tools and Stolen Data RAND Corporation National Security Research Division and Juniper Networks March 25, 2014 The report, part of a multiphase study on the future security environment, describes the fundamental characteristics of the criminal activities in cyberspace markets and how they have grown into their current state to explain how their existence can harm the information security environment. (83 pages)
Merchant and Financial Trade Associations Announce Cybersecurity Partnership Retail Industry Leaders Association February 13, 2014 Trade associations representing the merchant and financial services industries announced a new cybersecurity partnership. The partnership will focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable.
FTC Statement Marking the FTC’s 50th Data Security Settlement Federal Trade Commission (FTC) January 31, 2014 The FTC announced its 50th data security settlement. What started in 2002 with a single case applying established FTC Act precedent to the area of data security has grown into an enforcement program that has helped to increase consumer protections and encouraged companies to make safeguarding consumer data a priority. (2 pages)
Worst Practices Guide to Insider Threats: Lessons from Past Mistakes American Academy of Arts and Sciences January 2014 The report presents a worst practices guide of serious past mistakes regarding insider threats. Although each situation is unique, and serious insider problems are relatively rare, the incidents reflect issues that exist in many contexts and that every security manager should consider. Common organizational practices—such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats—can be seen in many past failures to protect against insider threats. (32 pages)
ENISA Threat Landscape 2013—Overview of Current and Emerging Cyber-Threats European Union Agency for Network and Information Security (ENISA) December 11, 2013 The report is a comprehensive compilation of the top 15 cyber threats assessed in the 2013-reporting period. ENISA has collected more than 250 reports regarding cyber threats, risks, and threat agents. (70 pages)
Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent GAO December 9, 2013 GAO recommends that “to improve the consistency and effectiveness of government wide data breach response programs, the Director of OMB should update its guidance on federal agencies’ responses to a PII-related data breach to include (1) guidance on notifying affected individuals based on a determination of the level of risk; (2) criteria for determining whether to offer assistance, such as credit monitoring to affected individuals; and (3) revised reporting requirements for PII-related breaches to US-CERT [Computer Emergency Response Team], including time frames that better reflect the needs of individual agencies and the government as a whole and consolidated reporting of incidents that pose limited risk.” (67 pages)
Cyber-enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences Brookings Institution December 2013 Economic espionage has existed at least since the industrial revolution, but the scope of modern cyber-enabled competitive data theft may be unprecedented. The authors present what they believe is the first economic framework and model to understand the long-run impact of competitive data theft on an economy by taking into account the actual mechanisms and pathways by which theft harms the victims. (18 pages)
Illicit Cyber Activity Involving Fraud Carnegie Mellon University Software Engineering Institute August 8, 2013 Technical and behavioral patterns were extracted from 80 fraud cases—67 insider and 13 external—that occurred between 2005 and the present. These cases were used to develop insights and risk indicators to help private industry, government, and law enforcement more effectively prevent, deter, detect, investigate, and manage malicious insider activity within the banking and finance sectors. (28 pages)
The Economic Impact of Cybercrime and Cyber Espionage Center for Strategic and International Studies (CSIS) July 22, 2013 According to CSIS, losses to the United States (the country in which data is most accessible) may reach $100 billion annually. The cost of cybercrime and cyber espionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars. (20 pages)
Cyber-Crime, Securities Markets, and Systemic Risk World Federation of Exchanges and the International Organization of Securities Commissions July 16, 2013 The report explores the nature and extent of cybercrime in securities markets and the potential systemic risk aspects of this threat. It presents the results of a survey to the world’s exchanges on their experiences with cybercrime, cybersecurity practices, and perceptions of the risk. (59 pages)
Remaking American Security: Supply Chain Vulnerabilities and National Security Risks Across the U.S. Defense Industrial Base Alliance for American Manufacturing May 2013 Reportedly because the supply chain is global, it makes sense for U.S. officials to cooperate with other nations to ward off cyberattacks. Increased international cooperation to secure the integrity of the global IT system is a valuable long-term objective. (355 pages)
Comprehensive Study on Cybercrime United Nations Office on Drugs and Crime February 2013 The study examined the problem of cybercrime from the perspective of governments, the private sector, academia, and international organizations. It presents its results in eight chapters, covering (1) Internet connectivity and cybercrime; (2) the global cybercrime picture; (3) cybercrime legislation and frameworks; (4) criminalization of cybercrime; (5) law enforcement and cybercrime investigations; (6) electronic evidence and criminal justice; (7) international cooperation in criminal matters involving cybercrime; and (8) cybercrime prevention. (320 pages)
Does Cybercrime Really Cost $1 Trillion? ProPublica August 1, 2012 In a news release to announce its 2009 report, Unsecured Economies: Protecting Vital Information, computer security firm McAfee estimated a $1 trillion global cost for cybercrime. The number does not appear in the report itself. This estimate is questioned even by the three independent researchers from Purdue University whom McAfee credits with analyzing the raw data from which the estimate was derived. An examination by ProPublica has found new grounds to question the data and methods used to generate these numbers, which McAfee and Symantec say they stand behind.
Proactive Policy Measures by Internet Service Providers against Botnets Organization for Economic Co-operation and Development (OECD) May 7, 2012 The report analyzes initiatives in a number of countries through which end-users are notified by Internet service providers (ISPs) when their computers are identified as being compromised by malicious software and encouraged to take action to mitigate the problem. (25 pages)
Developing State Solutions to Business Identity Theft: Assistance, Prevention and Detection Efforts by Secretary of State Offices National Association of Secretaries of State (NASS) January 2012 The white paper is the result of efforts by the 19-member NASS Business Identity Theft Task Force to develop policy guidelines and recommendations for state leaders dealing with identity fraud cases involving public business records. (23 pages)
Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines SANS Institute October 3, 2011 The 20 security measures are intended to focus agencies’ limited resources on plugging the most common attack vectors. (77 pages)
Revealed: Operation Shady RAT: An Investigation of Targeted Intrusions into 70+ Global Companies, Governments, and Non-Profit Organizations During the Last 5 Years McAfee August 2, 2011 A cyber-espionage operation lasting many years penetrated 72 government and other organizations, most of them in the United States, and has copied everything from military secrets to industrial designs, according to technology security company McAfee. (See page 4 for the types of compromised parties, page 5 for the geographic distribution of victims’ countries of origin, pages 7-9 for the types of victims, and pages 10-13 for the number of intrusions for 2007-2010.) (14 pages)
The Role of Internet Service Providers in Botnet Mitigation: an Empirical Analysis Based on Spam Data Organisation for Economic Co-operation and Development (OECD) November 12, 2010 The working paper considers whether ISPs can be critical control points for botnet mitigation, how the number of infected machines varies across ISPs, and why. (31 pages)
Untangling Attribution: Moving to Accountability in Cyberspace (Testimony) Council on Foreign Relations July 15, 2010 Robert K. Knake’s testimony before the House Committee on Science and Technology on the role of attack attribution in preventing cyberattacks and how attribution technologies can affect the anonymity and privacy of Internet users. (14 pages)
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities National Research Council 2009 The report explores important characteristics of cyberattacks. It describes the current international and domestic legal structure as it might apply to cyberattacks and considers analogies to other domains of conflict to develop relevant insights. (368 pages)


Table 2. National Security, Cyber Espionage, and Cyberwar

(includes Stuxnet, Dark Web/Darknet)

Title Source Date Notes
Cybersecurity Legislation International Telecommunications Union Continuously Updated An integral and challenging component of any national cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislation against the misuse of information and communication technologies (ICTs) for criminal or other purposes.
Cyberthreat: Real-Time Map Kaspersky Labs Continuously Updated Kaspersky Labs has launched an interactive cyber threat map that lets viewers see cybersecurity incidents as they occur around the world in real time. The interactive map includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection subsystems.
Cyberwarfare RAND Continuously Updated Explore RAND reports on cyberwarfare by product type (research, blog, multimedia, event, etc.) or author. Featured reports are at the top of the page.
Too Connected To Fail: How Attackers Can Disrupt the Global Internet, Why It Matters, And What We Can Do About It Belfer Center for Science and International Affairs (Harvard) May 2017 This paper examines attacks on core internet infrastructure through a lens of national security and nation state conflict. Most analyses have focused on the ability of non-state actors to use these tools to exact ransom or commit mischief. While these are real concerns, an examination of these attacks’ applicability in nation state conflict has been missing. (54 pages)
Cyber Compellence: Applying Coercion in the Information Age Marine Corps University and Northeastern University, presented at the Annual International Studies Association Meeting, Baltimore, Maryland April 25, 2017 The paper reviews how state actors applied cyber instruments to coerce adversaries between 2000 and 2014, differentiating between cyber disruption, espionage, and degradation. Cyber disruption and espionage methods seem to achieve their goals of gathering intelligence and signaling through harassment, but do not result in an observable behavioral change in the target in the near term. Only on limited occasions, usually associated with U.S. activity in cyberspace, does cyber coercion, often in the form of degradation, result in concessions. The idea of quick victory in the cyber domain remains elusive. (27 pages)
Bad Bots: The Weaponization of Social Media College of William and Mary; Project on International Peace and Security April 2017 In the next several years, hostile states or non-state actors will accelerate their use of social media bots to undermine democracy, recruit terrorists, disrupt markets, and stymie open-source intelligence collection. This report conducts an alternative futures analysis in order to help policymakers identify options to mitigate the threats of social media bots. In the worst-case and most-likely scenario, a technological stalemate between bots and bot-detection leads to a false sense of confidence in social media information, which allows for breakthroughs in bot technology to create disruptions until bot-detection technology advances. (23 pages)
Strategic Aspects of Cyberattack, Attribution, and Blame Proceedings of the National Academy of Sciences March 14, 2017 Attribution of cyberattacks has strategic and technical components. A formal model incorporates both elements and shows the conditions under which it is rational to tolerate an attack and when it is better to assign blame publicly. The model applies to a wide range of conflicts and provides guidance to policymakers about which parameters must be estimated to make a sound decision about attribution and blame. It also draws some surprising conclusions about the risks of asymmetric technical attribution capabilities. (12 pages)
Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits RAND March 13, 2017 The report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. (133 pages)
Snapshot: Turning Back DDoS Attacks DHS Science and Technology, Homeland Security Advanced Research Projects Agency’s Cyber Security Division (CSD) February 16, 2017 CSD’s Distributed Denial of Service Defense (DDoSD) project is spearheading a three-pronged approach to shift the advantage to network infrastructure defenders. The project’s two primary focuses are on increasing deployment of best practices to slow the growth of attack scale and on defending networks against 1 Tbps attacks through development of collaboration tools that can be used by medium-size organizations. A third part of the project addresses other types of denial of service attacks, such as those against 911 and Next Generation 911 emergency management systems.
Task Force on Cyber Deterrence Defense Science Board February 2017 The U.S. military lacks the cyber capabilities to defend against potential attacks against financial systems, telecommunications systems, and other elements of critical infrastructure launched by Russia or China. Furthermore, the U.S. military’s dependence on IT makes it vulnerable to attacks that could diminish its capabilities to respond to such attacks. The task force recommends that the Pentagon develop a second-strike capability that is cyber-resilient. (44 pages)
The Enemy Has a Voice: Understanding Threats to Inform Smart Investment in Cyber Defense New America February 2017 The report discusses the general concept of cyber threat intelligence (CTI) and how this powerful concept can reduce the “offensive dominant” nature of cybersecurity, and it describes various types of such information. The report outlines challenges with cyber threat intelligence going forward and proposes policy ideas that can help lead to improved access to such information across a variety of organizations. (16 pages)
Cyber Prep 2.0: Motivating Organizational Cyber Strategies in Terms of Threat Preparedness MITRE Corp. February 2017 Cyber Prep 2.0 focuses on advanced threats and corresponding elements of organizational strategy and includes material related to conventional cyber threats. Cyber Prep 2.0 can be used in standalone fashion, or it can be used to complement and extend the use of other, more detailed frameworks (e.g., the NIST [National Institute of Standards and Technology] Cybersecurity Framework) and threat models.
The U.S. Government and Zero-Day Vulnerabilities: from Pre-Heartbleed to Shadow Brokers Columbia Univ. Journal of International Affairs November 2016 Government agencies currently submit zero days they discover to an interagency Vulnerability Equities Process headed by the National Security Council. The review examines questions such as how likely criminals and foreign adversaries are to discover the vulnerability and how much damage they could do if they did discover it, balancing that with what value the vulnerability might provide to U.S. intelligence agencies. (22 pages)
Department Releases Intake and Charging Policy for Computer Crime Matters Department of Justice October 25, 2016 “In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act. As set forth in the memorandum, prosecutors must consider a number of factors in order to ensure that charges are brought only in cases that serve a substantial federal interest.”
Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats (Project Report) GWU Center for Cyber & Homeland Security October 2016 The report places the current cyber threat in its larger strategic context and then assesses the role of private-sector active defense in addressing such threats. With this in mind, the report proposes a framework that defines the most prevalent active defense measures and places them along a spectrum of relative risk and impact, indicating where close coordination with the government becomes necessary for responsible private action. (86 pages)
Brief History of Law Enforcement Hacking in the United States New America Foundation September 2016 Understanding the history of government hacking is important in order to engage more people in the ongoing policy discussion. The paper focuses on a selection of illustrative historical cases, with the understanding that due to the secret nature of government investigations, only a fraction of the hacking that has taken place is known. This overview highlights major trends in investigative hacking and will hopefully foster more inquiries into these practices by policymakers and the public. (20 pages)
Predicting Cyber Attacks: A Study of the Successes and Failures of the Intelligence Community Small Wars Journal July 7, 2016 The article focuses on identifying the major successes and failures of analysis from the Intelligence Community (IC) to predict cyberattacks against the United States. The research goal is to break down the components of a good cyber defensive force into variables to clearly identify those failures and successes and their effects on the operational ability of the IC in cyberspace. (11 pages)
Tech for Jihad: Dissecting Jihadist’s Digital Toolbox Flashpoint July 2016 The report attempts to catalog the 36 most noteworthy digital tools in common use by jihadists, and when they started using them. (13 pages)
Cyber Conflict: Prevention, Stability and Control Carnegie Cyber Policy Initiative July 2016 Only a few years ago, there were almost no norms globally accepted by governments on cybersecurity or cyber conflict. Even the United States, which had long pushed such norms, had publicly announced very few. The United States and a few other allies confirmed that laws of armed conflict (otherwise known as International Humanitarian Law or the “Geneva Convention”) applied to cyberspace. Recently, this has changed with tremendous progress, so much so that 2015 was called the Year of Global Cyber Norms. (10 pages)
Combatting the Ransomware Blitzkrieg: The Only Defense is a Layered Defense, Layer One: Endpoint Security The Institute for Critical Infrastructure Technology April 2016 The brief contains an analysis of the need for endpoint security; vulnerable endpoints (users, personal computers, servers, mobile devices, specialized hardware, and cloud services); potentially vulnerable endpoints (SCADA/ICS, IoT devices, cars); endpoint security; and selecting an endpoint security strategy. (27 pages)
Know Your Enemies 2.0: The Encyclopedia of the Most Prominent Hacktivists, Nation State, and Mercenary Hackers Information for Critical Infrastructure Technologies (ICIT) February 2016 The report covers threat groups not by use of a particular ranking system, but by the dominant players categorized by geography. Zero days, malware, tool kits, exploit techniques, digital footprints, and targets are covered in this encyclopedia. (81 pages)
Operationalizing Cybersecurity Due Diligence: A Transatlantic Comparative Case Study South Carolina Law Review January 12, 2016 “Although much work has been done on applying the law of warfare to cyberattacks, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations’ due diligence obligations are to one another and to the private sector, as well as how these obligations should be translated into policy. In this article, we analyze how both the United States and the European Union are operationalizing the concept of cybersecurity due diligence, and then move on to investigate a menu of options presented to the European Parliament in November 2015 by the authors to further refine and apply this concept.” (28 pages)
ISIS’s OPSEC Manual Reveals How It Handles Cybersecurity Wired November 19, 2015 From the article, “So what exactly are ISIS attackers doing for OPSEC? It turns out ISIS has a 34-page guide to operational security, which offers some clues. [R]esearchers with the Combating Terrorism Center at West Point’s military academy uncovered the manual and other related documents from ISIS forums and chat rooms.”
2015 Annual Report to Congress U.S.-China Economic Commission November 17, 2015 Reportedly China causes increasing harm to the U.S. economy and security through two deliberate policies targeting the United States: (1) coordinated, government-backed theft of information from a wide variety of U.S.-based commercial enterprises and (2) widespread restrictions on content, standards, and commercial opportunities for U.S. businesses. Hackers working for the Chinese government—or with the government’s support and encouragement—have infiltrated the computer networks of U.S. government agencies, contractors, and private companies, and stolen personal information and trade secrets. (See Chapter 1, Section 4: Commercial Cyber Espionage and Barriers to Digital Trade in China.) (631 pages)
Cyber Defense: An International View U.S. Army War College Strategic Studies Institute September 2015 The paper provides an overview of four different national approaches to cyber defense: those of Norway, Estonia, Germany, and Sweden. It also provides a guide for engaging with the relevant governmental and other organizations in each of these countries and compares and contrasts the advantages and drawbacks of each national approach. (65 pages)
Deep Web and the Darknet: A Look Inside the Internet’s Massive Black Box Woodrow Wilson International Center for Scholars August 1, 2015 “This policy brief outlines what the Deep Web and Darknet are, how they are accessed, and why we should care about them. For policymakers, the continuing growth of the Deep Web in general and the accelerated expansion of the Darknet in particular pose new policy challenges. The response to these challenges may have profound implications for civil liberties, national security, and the global economy.” (20 pages)
Cyber-Enabled Economic Warfare: An Evolving Challenge Hudson Institute August 2015 This monograph is divided into six chapters: one dissecting the U.S.’s use of cyber-enabled economic warfare; two providing analyses of cyber-enabled economic warfare threats posed to the United States by state and non-state actors; two offering case studies of emerging cyber-enabled economic warfare in two key sectors, financial services and critical infrastructure; and a concluding chapter that reviews key takeaways and next steps. (174 pages)
Russian Underground 2.0 Trend Micro (Forward Looking Threat Team) July 28, 2015 The Russian underground is a mature ecosystem that covers all aspects of cybercriminal business activities and offers an increasingly professional underground infrastructure for the sale of malicious goods and services. The increasing professionalization of the crime business allows cheaper prices to dominate sales and thereby makes it easy and very affordable for anyone without significant skill to buy whatever is needed to conduct criminal dealings. (41 pages)
Below the Surface: Exploring the Deep Web Trend Micro June 22, 2015 The research paper offers a look into the duality of the Deep Web—how its ability to protect anonymity can be used to communicate freely, away from censorship and law enforcement, or be used to expedite dubious or criminal pursuits. It also briefly touches on the Deep Web’s impact, and offers a forecast on how it could evolve over the next few years. (48 pages)
Cybersecurity: Jihadism and the Internet European Parliament Think Tank May 18, 2015 “Since the beginning of the conflict in Syria in March 2011, the numbers of European citizens supporting or joining the ranks of ISIL/Da’esh have been growing steadily, and may now be as high as 4,000 individuals. At the same time, the possible avenues for radicalisation are multiplying and the risks of domestic terrorism increasing. The proliferation of global jihadi messaging online and their reliance on social networks suggest that the Internet is increasingly a tool for promoting jihadist ideology, collecting funds, and mobilizing their ranks.” (2 pages)
APT30 and the Mechanics of a Long-Running Cyber-Espionage Operation: How a Cyber Threat Group Exploited Governments and Commercial Entities Across Southeast Asia and India for Over a Decade FireEye April 2015 Reportedly a Chinese government hacking team has used the same basic set of tools to spy on Southeast Asian and Indian dignitaries for a decade, demonstrating the low level of cyber defenses protecting government information across broad swaths of the world. According to FireEye, the fact that this group, APT30, has been able to use the same basic set of malware tools against government networks since at least 2005 suggests its targets remained unaware for more than a decade that they were being spied on or were incapable of countering the threat. (70 pages)
Worldwide Threat Assessment of the U.S. Intelligence Community Director of National Intelligence February 26, 2015 Cybersecurity is the first threat listed in this annual review of worldwide threats to the United States. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. Moreover, the risk calculus employed by some private-sector entities reportedly does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors. (29 pages)
The Impact of the Dark Web on Internet Governance and Cyber Security Global Commission on Internet Governance February 2015 The Dark Web is a part of the Deep Web that has been intentionally hidden and is inaccessible through standard web browsers. The Deep Web has the potential to host an increasingly high number of malicious services and activities. To formulate comprehensive strategies and policies for governing the Internet, it is important to consider insights on its farthest reaches—the Deep Web and, more importantly, the Dark Web. The paper attempts to provide a broader understanding of the Dark Web and its impact on people’s lives. (18 pages)
Attributing Cyber Attacks Thomas Rid and Ben Buchanan, Journal of Strategic Studies December 23, 2014 The authors introduce the Q Model, designed to explain, guide, and improve the making of attribution. Matching an offender to an offence is an exercise in minimizing uncertainty on three levels: (1) tactically, attribution is an art as well as a science; (2) operationally, attribution is a nuanced process, not a black-and-white problem; and (3) strategically, attribution is a function of what is at stake politically. Successful attribution requires a range of skills on all levels, careful management, time, leadership, stress-testing, prudent communication, and recognizing limitations and challenges. (36 pages)
Operation Cleaver Cylance December 2, 2014 A sophisticated hacking group with ties to Iran has probed and infiltrated targets across the United States and 15 other nations during the past two years in a series of cyberattacks dubbed “Operation Cleaver.” The Cleaver group has evolved faster than any previous Iranian campaign, according to the report, which calls Iran “the new China” and expresses concern that the group’s surveillance operations could evolve into sophisticated, destructive attacks. (86 pages)
Legal Issues Related to Cyber NATO Legal Gazette December 2014 The NATO Legal Gazette contains thematically organized articles usually written by military or civilian legal personnel working at NATO or in the governments of NATO and partner nations. Its purpose is to share articles of significance for the large NATO legal community and connect legal professionals of the Alliance. It is not a formal NATO document. (74 pages)
The National Intelligence Strategy of the United States of America 2014 Office of the Director of National Intelligence September 18, 2014 Cyber intelligence is one of four “primary topical missions” the intelligence community must accomplish. Both state and non-state actors use digital technologies to achieve goals, such as fomenting instability or achieving economic and military advantages. They do so “often faster than our ability to understand the security implications and mitigate potential risks.” To become more effective in the cyber arena, the intelligence community reportedly must improve its ability to correctly attribute attacks. (24 pages)
Today’s Rising Terrorist Threat and the Danger to the United States: Reflections on the Tenth Anniversary of the 9/11 Commission Report The Annenberg Public Policy Center and the Bipartisan Policy Center July 22, 2014 Members of the panel that studied the 2001 attacks urge Congress to enact cybersecurity legislation, the White House to communicate the consequences of potential cyberattacks to Americans, and leaders to work with allies to define what constitutes an online attack on another country. (48 pages)
Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies Center for a New American Security July 2014 The report examines existing information on technology security weaknesses and provides nine specific recommendations for the U.S. government and others to cope with these insecurities. (64 pages)
M Trends: Beyond the Breach: 2014 Threat Report Mandiant April 2014 Cyber-threat actors are expanding the uses of computer network exploitation to fulfill an array of objectives, from the economic to the political. Threat actors are not only interested in seizing the corporate “crown jewels” but are also looking for ways to publicize their views, cause physical destruction, and influence global decisionmakers. Private organizations have increasingly become collateral damage in political conflicts. Reportedly with no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important. (28 pages)
Emerging Cyber Threats Report 2014 Georgia Institute of Technology January 2014 Brief compilation of academic research on losing control of cloud data, insecure but connected devices, attackers adapting to mobile ecosystems, the high costs of defending against cyberattacks, and advances in information manipulation. (16 pages)
Cybersecurity and Cyberwar: What Everyone Needs to Know Brookings Institution January 2014 Authors Peter W. Singer and Allan Friedman look at cybersecurity issues faced by the military, government, businesses, and individuals and examine what happens when these entities try to balance security with freedom of speech and the ideals of an open Internet. (306 pages)
W32.Duqu: The Precursor to the Next Stuxnet Symantec November 14, 2013 On October 14, 2011, a research lab with strong international connections alerted Symantec to a sample that appeared to be very similar to Stuxnet, the malware that wreaked havoc in Iran’s nuclear centrifuge farms. The lab named the threat Duqu because it creates files with the file name prefix DQ. The research lab provided Symantec with samples recovered from computer systems located in Europe as well as a detailed report with initial findings, including analysis comparing the threat to Stuxnet.
To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve The Langner Group November 2013 The report summarizes the most comprehensive research on the Stuxnet malware so far. It combines results from reverse engineering the attack code with intelligence on the design of the attacked plant and background information on the attacked uranium enrichment process. It looks at the attack vectors of the two different payloads contained in the malware and provides an analysis of the bigger and much more complex payload that was designed to damage centrifuge rotors by overpressure. (36 pages)
Strategies for Resolving the Cyber Attribution Challenge Air University, Maxwell Air Force Base May 2013 Private-sector reports have proven that it is possible to determine the geographic reference of threat actors to varying degrees. Based on these assumptions, nation-states, rather than individuals, should be held culpable for the malicious actions and other cyber threats that originate in or transit information systems within their borders or that are owned by their registered corporate entities. The work builds on other appealing arguments for state responsibility in cyberspace. (109 pages)
Role of Counterterrorism Law in Shaping ‘ad Bellum’ Norms for Cyber Warfare International Law Studies (U.S. Naval War College) April 1, 2013 “To date there has been little attention given to the possibility that international law generally and counterterrorism law in particular could and should develop a subset of cyber-counterterrorism law to respond to the inevitability of cyberattacks by terrorists and the use of cyber weapons by governments against terrorists, and to supplement existing international law governing cyber war where the intrusions do not meet the traditional kinetic thresholds.” (42 pages)
The Tallinn Manual on the International Law Applicable to Cyber Warfare Cambridge University Press/NATO Cooperative Cyber Defence Center of Excellence March 5, 2013 The Tallinn Manual identifies the international law applicable to cyber warfare and sets out 95 “black-letter rules” governing such conflicts. An extensive commentary accompanies each rule, which sets forth the rule’s basis in treaty and customary law, explains how the group of experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to the rule’s application. (Note: The manual is not an official NATO publication but rather an expression of opinions of a group of independent experts acting solely in their personal capacities.) (302 pages)
Cyberterrorism: A Survey of Researchers Swansea University March 2013 The report provides an overview of findings from a project designed to capture current understandings of cyberterrorism within the research community. The project ran between June 2012 and November 2012, and it employed a questionnaire that was distributed to more than 600 researchers, authors, and other experts. A total of 118 responses were received from individuals working in 24 countries across six continents. (21 pages)
National Level Exercise 2012: Quick Look Report Federal Emergency Management Agency (FEMA) March 2013 National Level Exercise (NLE) 2012 was a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. The NLE 2012 series focused on examining four major themes: planning and implementation of the draft National Cyber Incident Response Plan (NCIRP), coordination among governmental entities, information sharing, and decision making. (22 pages)
Responding to Cyber Attacks and the Applicability of Existing International Law Army War College January 2013 The paper identifies how the United States should respond to the threat of cyber operations against essential government and private networks. First, it examines the applicability of established international law to cyber operations. Next, it proposes a method for categorizing cyber operations across a spectrum synchronized with established international law. Then, it discusses actions already taken by the United States to protect critical government and private networks and concludes with additional steps the United States should take to respond to the threat of cyber operations. (34 pages)
Crisis and Escalation in Cyberspace RAND Corporation December 2012 The report considers how the Air Force should integrate kinetic and nonkinetic operations. Central to this process was careful consideration of how escalation options and risks should be treated, which, in turn, demanded a broader consideration across the entire crisis-management spectrum. Such crises can be managed by taking steps to reduce the incentives for other states to step into crisis, controlling the narrative, understanding the stability parameters of the crises, and trying to manage escalation if conflicts arise from crises. (200 pages)
Cyberattacks Among Rivals: 2001-2011 (from the article “The Fog of Cyberwar” by Brandon Valeriano and Ryan Maness) Foreign Affairs November 21, 2012 A chart showing cyberattacks by initiator and victim, 2001-2011. (Subscription required.)
Proactive Defense for Evolving Cyber Threats Sandia National Labs November 2012 The project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem—attack strategies of the adversaries and vulnerabilities of the defenders’ systems—and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems. (98 pages)
Safeguarding Cyber-Security, Fighting in Cyberspace International Relations and Security Network (ISN) October 22, 2012 Looks at the militarization of cybersecurity as a source of global tension and makes the case that cyber warfare is already an essential feature of many leading states’ strategic calculations, followed by its opposite (i.e., the case that the threat posed by cyber warfare capabilities is woefully overstated).
Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World Symantec Research Labs October 16, 2012 The paper describes a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. (12 pages)
Federal Support for and Involvement in State and Local Fusion Centers Senate Permanent Subcommittee on Investigations October 3, 2012 A two-year bipartisan investigation found that U.S. Department of Homeland Security efforts to engage state and local intelligence “fusion centers” have not yielded significant useful information to support federal counterterrorism intelligence efforts. In Section VI, “Fusion Centers Have Been Unable to Meaningfully Contribute to Federal Counterterrorism Efforts,” Part G, “Fusion Centers May Have Hindered, Not Aided, Federal Counterterrorism Efforts,” the report discusses the November 10, 2011 Russian “cyberattack” in Illinois. (141 pages)
Putting the “war” in cyberwar: Metaphor, analogy, and cybersecurity discourse in the United States First Monday July 2, 2012 The essay argues that current contradictory tendencies within U.S. cyber war discourse are unproductive and even potentially dangerous. It argues that the war metaphor and nuclear deterrence analogy are neither natural nor inevitable and that abandoning them would open up new possibilities for thinking more productively about the full spectrum of cybersecurity challenges, including the as-yet unrealized possibility of cyberwar.
Nodes and Codes: The Reality of Cyber Warfare U.S. Army School of Advanced Military Studies, Command and General Staff May 17, 2012 Explores the reality of cyber warfare through the story of Stuxnet. Three case studies evaluate cyber policy, discourse, and procurement in the United States, Russia, and China before and after Stuxnet to illustrate their similar, yet unique, realities of cyber warfare. (62 pages)
United States Counter Terrorism Cyber Law and Policy, Enabling or Disabling? Triangle Institute for Security Studies March 2012 The incongruence between national counterterrorism (CT) cyber policy, law, and strategy degrades the abilities of federal CT professionals to interdict transnational terrorists from within cyberspace. To optimize national CT assets and to stymie the growing threat posed by terrorists’ ever-expanding use of cyberspace, national decision-makers should modify current policies to efficiently execute national CT strategies, albeit within the framework of existing CT cyber-related statutes. (34 pages)
A Cyberworm that Knows No Boundaries RAND Corporation December 21, 2011 Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. Defending against such attacks is an increasingly complex prospect. (55 pages)
Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934 DOD November “When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means – diplomatic, informational, military, and economic – to defend our nation, our allies, our partners and our interests.” (14 pages)
Cyber War Will Not Take Place Journal of Strategic Studies October 5, 2011 The paper argues that cyber warfare has never taken place, is not currently taking place, and is unlikely to take place in the future. (29 pages)
Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 Office of the National Counterintelligence Executive October 2011 Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment. (31 pages)
A Four-Day Dive Into Stuxnet’s Heart Threat Level Blog (Wired) December 27, 2010 “It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft’s Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of.”
Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? A Preliminary Assessment Institute for Science and International Security December 22, 2010 The report indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart. (10 pages)
Stuxnet Analysis European Network and Information Security Agency October 7, 2010 A European Union cybersecurity agency warns that the Stuxnet malware is a game changer for critical information infrastructure protection. Computer systems that monitor supervisory control and data acquisition (SCADA) systems infected with the worm might be programmed to establish destructive over- or under-pressure conditions by running industrial pumps at different frequencies.
Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy National Research Council October 5, 2010 Per request of the Office of the Director of National Intelligence, the National Research Council undertook a two-phase project aimed to foster a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and of the possible utility of these strategies for the U.S. government. (400 pages)
Cyber Warfare: Armageddon in a Teacup? Army Command and General Staff, Fort Leavenworth December 11, 2009 This study examines cyber warfare conducted against Estonia in 2007, Georgia in 2008, and Israel in 2008. According to the report, “In all three cases cyber warfare did not achieve strategic political objectives on its own. Cyber warfare employed in the three cases consisted mainly of Denial of Service attacks and website defacement. These attacks were a significant inconvenience to the affected nations, but the attacks were not of sufficient scope, sophistication, or duration to force a concession from the targeted nation. Cyber warfare offensive capability does not outmatch defensive capability to the extent that would allow the achievement of a strategic political objective through cyber warfare alone. The possibility of strategic-level cyber warfare remains great, but the capability has not been demonstrated at this time.” (106 pages)

Table 3. Cloud Computing, “The Internet of Things,” Smart Cities, and FedRAMP

Title Source Date Notes
About FedRAMP Continuously Updated The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Internet of Things Consortium Internet of Things Consortium Continuously Updated IoTC is comprised of hardware, software and analytics companies, in areas including home automation, wearables, connected cars, smart cities, 3D printing, and virtual/augmented reality. On behalf of its members, the IoTC is dedicated to the growth of the internet of things marketplace and the development of sustainable business models. The IoTC educates technology firms, retailers, insurance companies, marketers, media companies and the wider business community about the value of IoT.
Cyber-Physical Systems National Science Foundation (NSF) Continuously Updated Cyber-physical systems (CPS) integrate sensing, computation, control, and networking into physical objects and infrastructure, connecting them to the Internet and to each other.
Cyber-Physical Systems Office of Science and Technology Policy (OSTP), Networking and Information Technology Research and Development (NITRD) Program Continuously Updated The CPS Senior Steering Group (SSG) coordinates programs, budgets, and policy recommendations for CPS research and development (R&D), which includes identifying and integrating requirements, conducting joint program planning, and developing joint strategies.
Cyber-Physical Systems University of California, Berkeley Continuously Updated “CPS are integrations of computation, networking, and physical processes. Embedded computers and networks monitor and control the physical processes, with feedback loops where physical processes affect computations and vice versa.”
Newly Launched ‘Trusted IoT Alliance’ Unites the Industry to Further a Blockchain-based Internet of Things Medium September 19, 2017 The mission of the Trusted IoT Alliance is to bring companies together to develop and set the standard for an open source blockchain protocol to support IoT technology in major industries worldwide. The Alliance plans to fund small grants to support open source development and is reviewing proposals from IoT and blockchain technologists.
Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD GAO July 27, 2017 Congress included provisions in reports associated with two separate statutes for GAO to assess the IoT-associated security challenges faced by DOD. This report (1) addresses the extent to which DOD has identified and assessed security risks related to IoT devices, (2) assesses the extent to which DOD has developed policies and guidance related to IoT devices, and (3) describes other actions DOD has taken to address security risks related to IoT devices. (46 pages)
Internet of Things: Communities Deploy Projects by Combining Federal Support with Other Funds and Expertise GAO July 26, 2017 All four of the communities that GAO reviewed are using federal funds in combination with other resources, both financial and non-financial, to plan and deploy IoT projects. For example, one community used the $40 million DOT award to leverage, from community partners, more than $100 million in additional direct and in-kind contributions, such as research or equipment contributions. Communities discussed four main challenges to deploying IoT, including community sectors (e.g., transportation, energy, and public safety) that are siloed and proprietary systems that are not interoperable with one another. (45 pages)
The Internet of Things Connectivity Binge: What Are the Implications? Pew Research Center June 6, 2017 As automobiles, medical devices, smart TVs, manufacturing equipment and other tools and infrastructure are networked, is it likely that attacks, hacks or ransomware concerns in the next decade will cause significant numbers of people to decide to disconnect, or will the trend toward greater connectivity of objects and people continue unabated? Some 1,201 responded to this nonscientific canvassing: 15% of these particular respondents said significant numbers would disconnect and 85% chose the option that most people will move more deeply into connected life. (94 pages)
Technology Assessment: Internet of Things: Status and implications of an increasingly connected world GAO May 15, 2017 GAO reviewed key reports and scientific literature; convened two expert meetings with the assistance of the National Academies; and interviewed officials from two agencies to obtain their views on specific implications of the IoT. (78 pages)
IoT, Automation, Autonomy, and Megacities in 2025 Center for Strategic & International Studies April 26, 2017 Engineers designing and implementing internet-connected IoT devices face daunting challenges that are creating discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible (likely?) future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. This paper attempts to reveal what is possible when these technologies are applied to critical infrastructure applications en masse, without adequate security, in densely populated cities of the near future that are less resilient than other environments. (16 pages)
The Cyber Shield Act: Is the Legislative Community Finally Listening to Cybersecurity Experts? Institute for Critical Infrastructure Technology April 2017 There are three main criteria to ensure a Cyber Shield program works. First, officials must ensure industry leaders are involved in developing the ratings but not leading the team. Second, the program should include a substantial public education component aimed at making consumers care enough about cybersecurity that the rankings actually change their buying decisions. Finally, the rankings themselves should go beyond a mere one-star to five-star ranking to incorporate more dynamic data. (8 pages)
A 21st Century Cyber-Physical Systems Education National Academy of Sciences Computer Science and Telecommunications Board February 2017 The report describes the knowledge and skills required to engineer increasingly capable, adaptable, and trustworthy systems that integrate the cyber and physical worlds and recommends paths for creating the courses and programs needed to educate the engineering workforce that builds them. (107 pages)
A Data Privacy Playbook Berkman Klein Center (Harvard) February 2017 Opening data has many important benefits, but sharing data comes with inherent risks to individual privacy: released data can reveal information about individuals that would otherwise not be public knowledge. The document takes a first step toward codifying responsible privacy-protective approaches and processes that could be adopted by cities and other groups that are publicly releasing data. (111 pages)
Cross-Device Tracking: An FTC Staff Report FTC January 23, 2017 The report describes the technology used to track consumers across multiple Internet-connected devices, the benefits and challenges associated with it, and industry efforts to address those challenges. The report concludes by making recommendations to industry about how to apply traditional principles like transparency, choice, and security to this relatively new practice. (23 pages)
Rise of the Machines: the Dyn Attack Was Just a Practice Run Institute for Critical Infrastructure Technology December 2016 The Mirai IoT botnet has inspired a renaissance in adversarial interest in DDoS botnet innovation based on the lack of fundamental security-by-design in the Internet and in IoT devices… The report provides a comprehensive and detailed analysis of this threat which has forced stakeholders to recognize the lack of security by design and the prevalence of vulnerabilities inherent in the foundational design of IoT devices. (62 pages)
Internet of Things will demand a step-change in search solutions IEEE Intelligent Systems November 23, 2016 With more and more IoT devices being connected to the Internet, and smart city data projects starting to be implemented, there is an urgent need to develop new search solutions that will allow information from IoT sources to be found and extracted. Although existing search engines have ever more sophisticated and effective ways of crawling through web pages and searching for textual data, the article argues that they will not be effective in accessing the type of numerical and sensory data that IoT devices will need to gather. (5 pages)
Internet of Things (IoT) Security and Privacy Recommendations Broadband Internet Technical Advisory Group (BITAG) November 22, 2016 BITAG believes the recommendations outlined in this report may help to dramatically improve the security and privacy of IoT devices and minimize the costs associated with collateral damage. In addition, unless the IoT device sector—the sector of the industry that manufactures and distributes these devices—improves device security and privacy, consumer backlash may impede the growth of the IoT marketplace and ultimately limit the promise that IoT holds. (43 pages)
Strategic Principles for Securing the Internet of Things DHS November 15, 2016 The document explains IoT risks and provides a set of nonbinding principles and suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate. (17 pages)
Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems NIST November 2016 NIST formally unveiled its guidelines for increasing the security of Internet-connected devices. The guide provides security guidelines for 30 different processes involved with managing Internet-connected devices, from the supply phase to testing. (257 pages)
Building Smart Communities for the Future: Proceedings of a Workshop National Academies Press October 2016 Summary of presentations at June 21-22, 2016, Government-University-Industry Research Roundtable (GUIRR) meeting to explore the role of connectedness and sustainability in developing smart communities; the challenges and opportunities associated with the roll-out of intelligent systems; and the partnerships among governments, universities, and industry that are integral to these advances. (8 pages)
Announcing Over $80 million in New Federal Investment and a Doubling of Participating Communities in the White House Smart Cities Initiative White House September 26, 2016 In September 2015, the White House launched the Smart Cities Initiative to make it easier for cities, federal agencies, universities, and the private sector to work together to research, develop, deploy, and testbed new technologies that can help make our cities more inhabitable, cleaner, and more equitable. This year, to kick off Smart Cities Week, the Administration is expanding this initiative, with over $80 million in new federal investments and a doubling of the number of participating cities and communities, exceeding 70 in total.
Demystifying the Internet of Things (Information Technology Laboratory) ITL Bulletin September 2016 NIST SP 800-183 offers an underlying and foundational science for IoT-based technologies, based on the realization that IoT involves sensing, computing, communication, and actuation. It presents a common vocabulary to foster a better understanding of IoT and better communication between those parties discussing IoT. (4 pages)
Increasing the Potential of IoT through Security and Transparency NTIA August 2, 2016 NTIA is planning to launch a new multistakeholder process to support better consumer understanding of IoT products that support security upgrades. They have used this approach to help make progress on issues such as cybersecurity vulnerability disclosure and to provide more transparency about data collected by mobile apps. Given the burgeoning consumer adoption of IoT, the time seems ripe to bring stakeholders together to help drive some guidelines to encourage the growth of IoT.
Network of ‘Things’ NIST July 28, 2016 The publication provides a basic model aimed at helping researchers better understand IoT and its security challenges. (30 pages)
How Is the Federal Government Using the Internet of Things? Center for Data Innovation July 25, 2016 The federal government faces a number of challenges that have slowed the adoption of IoT in the public sector. First, there is a lack of strategic leadership at the federal level about how to make use of IoT. Second, federal agencies do not always have workers with the necessary technical skills to effectively use data generated by IoT. Third, federal agencies do not have sufficient funding to modernize their IT infrastructure and begin implementing IoT pilot projects. Fourth, even when funding exists, federal procurement policies often make it difficult for agencies to quickly and easily adopt the technology. Finally, risks and uncertainty—about privacy, security, interoperability, and return on investment—delay federal adoption as potential federal users wait for the technology to mature and others to adopt first. (30 pages)
The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things FTC Bureau of Consumer Protection and Office of Policy Planning June 2, 2016 FTC staff comment on NTIA’s Request for Comment on the Internet of Things. The comment highlights lessons learned from the FTC’s law enforcement, consumer and business education, and policy activities relating to these issues. It then addresses the benefits and risks of IoT, highlights some best practice recommendations for industry, discusses the role of government in fostering innovation in IoT products and services, and sets forth some considerations for NTIA in setting standards and promoting interoperability. (17 pages)
Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance GAO April 7, 2016 GAO was asked to examine federal agencies’ use of Service Level Agreements (SLAs). GAO’s objectives were to (1) identify key practices in cloud computing SLAs and (2) determine the extent to which federal agencies have incorporated such practices into their SLAs. GAO analyzed research, studies, and guidance developed by federal and private entities to establish a list of key practices to be included in SLAs. GAO validated its list with the entities, including OMB, and analyzed 21 cloud service contracts and related documents of five agencies (with the largest fiscal year 2015 IT budgets) against the key practices to identify any variances, their causes, and impacts. (46 pages)
The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things National Telecommunications and Information Administration (NTIA) April 6, 2016 NTIA is initiating an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape. Through this notice, NTIA seeks broad input from all interested stakeholders—including the private industry, researchers, academia, and civil society—on the potential benefits and challenges of these technologies and what role, if any, the U.S. government should play in this area. After analyzing the comments, the department intends to issue a “green paper” that identifies key issues impacting deployment of these technologies, highlights potential benefits and challenges, and identifies possible roles for the federal government in fostering the advancement of IoT technologies in partnership with the private sector. (5 pages)
Product Testing and Validation Underwriters Laboratories April 4, 2016 The UL Cybersecurity Assurance Program (CAP) certification verifies that a product offers a reasonable level of protection against threats that may result in unintended or unauthorized access, change or disruption…. The [UL 2900] Standard contains requirements for the vendor to design the security controls in such a way that they demonstrably satisfy the security needs of the product. The Standard also describes testing and verification requirements aimed at collecting evidence that the designed security controls are implemented.
Alternative perspectives on the Internet of Things Brookings Institution March 25, 2016 Brookings scholars contribute their individual perspectives on the policy challenges and opportunities associated with IoT.
Emerging Cyber Threats Report 2016 Georgia Institute of Technology Cybersecurity Summit 2015 November 2015 “The intersection of the physical and digital world continued to deepen in 2015. The adoption of network-connected devices and sensors—the Internet of Things—accelerated and was expected to reach nearly 5 billion devices by the end of the year.” (20 pages)
Interim Report on 21st Century Cyber-Physical Systems Education NSF July 2015 “CPS [also known as The Internet of Things] are increasingly relied on to provide the functionality and value to products, systems, and infrastructure in sectors including transportation, health care, manufacturing, and electrical power generation and distribution. CPS are smart, networked systems with embedded sensors, computer processors, and actuators that sense and interact with the physical world; support real-time, guaranteed performance; and are often found in critical applications.” (48 pages)
Internet of Things: Mapping the Value Beyond the Hype McKinsey Global Institute June 2015 The paper is based upon a study of more than 100 use cases of the Internet of Things’ (IoT’s) potential economic impact within next 10 years. It outlines who will benefit and by how much. It also covers the factors—both enablers and barriers—that organizations face as they develop their IoT solutions. (144 pages)
Cloud Computing: Should Companies Do Most of Their Computing in the Cloud? The Economist May 26, 2015 Big companies have embraced the cloud more slowly than expected. Some are holding back because of costs and others are wary of entrusting sensitive data to another firm’s servers. Should companies be doing most of their computing in the cloud? Representing the “Yes” viewpoint is Simon Crosby, co-founder and chief technology officer (CTO) of Bromium Inc. Representing the “No” viewpoint is Bruce Schneier, CTO at Resilient Systems.
Formation of the Office of Technology Research and Investigation (OTRI) Federal Trade Commission (FTC) March 23, 2015 The OTRI will provide expert research, investigative techniques, and further insights to the agency on technology issues involving all facets of the FTC’s consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and IoT. Like the former Mobile Technology Unit (MTU), the new office will be housed in the Bureau of Consumer Protection and is the agency’s latest effort to ensure that its core consumer protection mission keeps pace with the rapidly evolving digital economy. Kristin Cohen, the current chief of the MTU, will lead the work of the OTRI.
Insecurity in the Internet of Things (IoT) Symantec March 12, 2015 Symantec analyzed 50 smart home devices available today and found that none of them enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Of the mobile apps used to control the tested IoT devices, almost two out of 10 did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities. (20 pages)
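Two of the three account-protection controls the Symantec report found missing (enforced strong passwords and brute-force protection) are small enough to show in code. The following is an added example, not code from the Symantec report or from any tested device: an in-memory login service that rejects weak passwords at registration, stores only a salted PBKDF2 hash, compares in constant time, and locks an account with exponential backoff after repeated failures. Mutual (TLS client-certificate) authentication, the third missing control, is a transport-layer setting and is not shown. The device name, password policy thresholds and the injectable clock are assumptions chosen for illustration.

```python
"""Added example (not from the Symantec report): a minimal IoT account
login policy with a password-strength check and a brute-force lockout.
Everything is in memory and constructed for illustration."""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Tuple

MIN_PASSWORD_LENGTH = 12     # assumed policy thresholds, not from the report
MAX_FAILURES = 5             # failed attempts before the account locks
BASE_LOCKOUT_SECONDS = 30    # lockout doubles with each further failure
PBKDF2_ROUNDS = 100_000

# Constructed list of well-known weak passwords; a real deployment would
# check against a much larger breached-password set.
COMMON_PASSWORDS = {"password", "123456", "admin", "12345678", "qwerty"}


def password_is_strong(pw: str) -> bool:
    """Reject short, well-known, or single-character-class passwords."""
    if len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def hash_password(pw: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted, iterated hash so offline guessing of a leaked store is slow."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so lockouts can be tested offline
        self.accounts = {}          # user -> Account

    def register(self, user: str, pw: str) -> None:
        if not password_is_strong(pw):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(pw)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, pw: str) -> str:
        """Return 'ok', 'denied', or 'locked'."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None:
            # Do the expensive hash anyway so unknown users take as long as
            # known ones and cannot be enumerated by timing.
            hash_password(pw)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        _, digest = hash_password(pw, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            # Exponential backoff: 30 s, 60 s, 120 s, ... per further failure.
            acct.locked_until = now + BASE_LOCKOUT_SECONDS * 2 ** (acct.failures - MAX_FAILURES)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("thermostat-01", "Correct-Horse-7")   # hypothetical device account
    print(auth.login("thermostat-01", "Correct-Horse-7"))
```

The lockout is keyed on the account rather than on the client address, because an attacker with a botnet of the kind described in the Mirai entry above can spread guesses across many addresses; the trade-off is that an attacker can deliberately lock a victim out, which is why the backoff is bounded by a short base interval rather than a permanent lock.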
FedRAMP High Baseline General Services Administration (GSA) February 3, 2015 GSA released a draft of security-control requirements for cloud computing systems purchased by federal agencies for “high-impact” uses. High-impact data will likely consist of health and law-enforcement data, but not classified information. Currently, cloud computing vendors seeking to sell to federal agencies must obtain security accreditation through FedRAMP. To date, FedRAMP has offered accreditations up to the moderate-impact level. About 80% of federal IT systems are low- or moderate-impact.
What is The Internet of Things? O’Reilly Media January 2015 Ubiquitous connectivity is meeting the era of data. Since working with large quantities of data became dramatically cheaper and easier a few years ago, everything that touches software has become instrumented and optimized. Finance, advertising, retail, logistics, academia, and practically every other discipline has sought to measure, model, and tweak its way to efficiency. Software can ingest data from many inputs, interpret it, and then issue commands in real time. (Free registration required.) (32 pages)
FedRAMP Forward: 2 Year Priorities General Services Administration (GSA) December 17, 2014 The report addresses how the program will develop over the next two years. GSA is focusing on three goals for FedRAMP:

  • increased compliance and agency participation,
  • improved efficiencies, and
  • continued adaptation. (14 pages)
The Internet of Things: 2014 OECD Tech Insight Forum Organisation for Economic Co-operation and Development (OECD) December 11, 2014 The IoT extends Internet connectivity beyond traditional machines such as computers, smartphones, and tablets to a diverse range of every-day devices that use embedded technology to interact with the environment, all via the Internet. How can this collected data be used? What new opportunities will this create for employment and economic growth? How can societies benefit from technical developments to health, transport, safety and security, business, and public services? The OECD Technology Foresight Forum facilitated discussion on what policies and practices will enable or inhibit the ability of economies to seize the benefits of IoT.
DOD Cloud Computing Strategy Needs Implementation Plan and Detailed Waiver Process Department of Defense (DOD) Inspector General December 4, 2014 Report states that the DOD chief information officer “did not develop an implementation plan that assigned roles and responsibilities as well as associated tasks, resources and milestones,” despite promises that an implementation plan would directly follow the cloud strategy’s release. (40 pages)
NSTAC Report to the President on the Internet of Things President’s National Security Telecommunications Advisory Committee November 18, 2014 The NSTAC unanimously approved a recommendation that governmental Internet traffic could get priority transmission during emergencies. The government already gets emergency priority in more traditional communications networks like the phone system through programs such as the Government Emergency Telecommunications Service (GETS). NSTAC now is proposing a GETS for the Internet. (56 pages)
The Department of Energy’s Management of Cloud Computing Activities: Audit Report Department of Energy (DOE) Inspector General September 1, 2014 According to the inspector general, DOE should do a better job buying, implementing, and managing its cloud computing services. Programs and sites department-wide have independently spent more than $30 million on cloud services, but the chief information officer’s office could not accurately account for the money. (20 pages)
Cloud Computing: The Concept, Impacts, and the Role of Government Policy Organization for Economic Co-operation and Development (OECD) August 19, 2014 The report gives an overview of cloud computing. It

  • presents the concept, the services it provides, and deployment models;
  • discusses how cloud computing changes the way computing is carried out;
  • evaluates the impacts of cloud computing (including its benefits and challenges as well as its economic and environmental impacts); and
  • discusses the policy issues raised by cloud computing and the roles of governments and other stakeholders in addressing these issues. (240 pages)
Internet of Things: the Influence of M2M Data on the Energy Industry GigaOm Research March 4, 2014 The report examines the drivers of machine-to-machine (M2M) data exploitation in the smart-grid sector and the oil and gas sector, as well as the risks and opportunities for buyers and suppliers of the related core technologies and services. (21 pages)
Software Defined Perimeter Cloud Security Alliance December 1, 2013 Cloud Security Alliance’s software defined perimeter (SDP) initiative aims to make “invisible networks” accessible to a wider range of government agencies and corporations. The initiative will foster the development of architecture for securing the IoT using the cloud to create highly secure end-to-end networks between IP-addressable entities. (13 pages)
Delivering on the Promise of Big Data and the Cloud Booz Allen Hamilton January 9, 2013 Reference architecture does away with conventional data and analytics silos, consolidating all information into a single medium designed to foster connections called a ‘data lake,’ which reduces complexity and creates efficiencies that improve data visualization to allow for easier insights by analysts. (7 pages)
Cloud Computing: An Overview of the Technology and the Issues Facing American Innovators House Judiciary Committee, Subcommittee on Intellectual Property, Competition, and the Internet July 25, 2012 Overview and discussion of cloud computing issues. (156 pages)
Information Technology Reform: Progress Made but Future Cloud Computing Efforts Should be Better Planned Government Accountability Office (GAO) July 11, 2012 GAO recommends that the Secretaries of Agriculture, Health and Human Services, Homeland Security, State, and the Treasury, and the Administrators of the General Services Administration, and Small Business Administration should direct their respective chief information officers to establish estimated costs, performance goals, and plans to retire associated legacy systems for each cloud-based service, as applicable. (43 pages)
Cloud Computing Strategy DOD Chief Information Officer July 2012 The DOD Cloud Computing Strategy introduces an approach to move the department from the current state of a duplicative, cumbersome, and costly set of application silos to an end state that is agile, secure, and cost-effective and to a service environment that can rapidly respond to changing mission needs. (44 pages)
A Global Reality: Governmental Access to Data in the Cloud—A Comparative Analysis of Ten International Jurisdictions Hogan Lovells May 23, 2012 The white paper compares the nature and extent of governmental access to data in the cloud in many jurisdictions around the world. (13 pages)
Policy Challenges of Cross-Border Cloud Computing U.S. International Trade Commission May 2012 The report examines the main policy challenges associated with cross-border cloud computing—data privacy, security, and ensuring the free flow of information—and the ways countries are addressing them through domestic policymaking, international agreements, and other cooperative arrangements. (38 pages)
Cloud Computing Synopsis and Recommendations (SP 800-146) National Institute of Standards and Technology (NIST) May 2012 NIST’s guide explains cloud technologies in plain terms to federal agencies and provides recommendations for IT decisionmakers. (81 pages)
Global Cloud Computing Scorecard a Blueprint for Economic Opportunity Business Software Alliance February 2, 2012 The report notes that although many developed countries have adjusted their laws and regulations to address cloud computing, the wide differences in those rules make it difficult for companies to invest in the technology. (24 pages)
Concept of Operations: FedRAMP General Services Administration (GSA) February 7, 2012 FedRAMP is implemented in phases. The document describes all the services that were available at the 2012 initial operating capability. The concept of operations is updated as the program evolves toward sustained operations. (47 pages)
Federal Risk and Authorization Management Program (FedRAMP) Federal Chief Information Officers Council January 4, 2012 FedRAMP provides a standard approach to assessing and authorizing (A&A) cloud computing services and products.
Security Authorization of Information Systems in Cloud Computing Environments (FedRAMP) White House/Office of Management and Budget (OMB) December 8, 2011 FedRAMP is now required for all agencies purchasing storage, applications, and other remote services from vendors. The Administration promotes cloud computing as a means to save money and accelerate the government’s adoption of new technologies. (7 pages)
U.S. Government Cloud Computing Technology Roadmap, Volume I, Release 1.0 (Draft). High-Priority Requirements to Further USG Agency Cloud Computing Adoption (SP 500-293) National Institute of Standards and Technology (NIST) December 1, 2011 Volume I is aimed at interested parties that wish to gain a general understanding and overview of the background, purpose, context, work, results, and next steps of the U.S. Government Cloud Computing Technology Roadmap initiative. (32 pages)
U.S. Government Cloud Computing Technology Roadmap, Volume II, Release 1.0 (Draft), Useful Information for Cloud Adopters (SP 500-293) National Institute of Standards and Technology (NIST) December 1, 2011 Volume II is designed as a technical reference for those actively working on strategic and tactical cloud computing initiatives including, but not limited to, U.S. government cloud adopters. This volume integrates and summarizes the work completed as of 2011 and explains how these findings support the roadmap introduced in Volume I. (85 pages)
Information Security: Additional Guidance Needed to Address Cloud Computing Concerns GAO October 6, 2011 Twenty-two of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. GAO recommended that the NIST issue guidance specific to cloud computing security. (17 pages)
Cloud Computing Reference Architecture (SP 500-292) NIST September 1, 2011 The special publication, which is not an official U.S. government standard, is designed to provide guidance to specific communities of practitioners and researchers. (35 pages)
Federal Cloud Computing Strategy White House February 8, 2011 The strategy outlines how the federal government can accelerate the safe, secure adoption of cloud computing, and provides agencies with a framework for migrating to the cloud. It also examines how agencies can address challenges related to the adoption of cloud computing, such as privacy, procurement, standards, and governance. (43 pages)
25-Point Implementation Plan to Reform Federal Information Technology Management White House December 9, 2010 The plan’s goals are to reduce the number of federally run data centers from 2,100 to approximately 1,300, rectify or cancel one-third of troubled IT projects, and require federal agencies to adopt a “cloud first” strategy in which they will move at least one system to a hosted environment within a year. (40 pages)
Federal Guidance Needed to Address Control Issues With Implementing Cloud Computing GAO July 1, 2010 The report suggests that the OMB director should establish milestones for completing a strategy for implementing the federal cloud computing initiative to assist federal agencies in identifying uses for and information security measures to use in implementing cloud computing. (53 pages)



1. “A breach constitutes a ‘major incident’ when it involves [personally identifiable information] that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the [OMB] memo states. “An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals’ PII constitutes a ‘major incident.’” Source: Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016.
2. Cloud computing delivers computing services (storage, applications, processing) over the Internet from a provider’s servers rather than from the user’s own computer. For example, Gmail and Yahoo Mail are cloud-based email services that allow users to access and store emails that are saved on each respective service’s computers, rather than on the individual’s computer.
3. The “Internet of Things” (IoT) refers to networks of objects that communicate with other objects and with computers through the Internet. “Things” may include virtually any object for which remote communication, data collection, or control might be useful, such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment, or building systems.
4. The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 to provide a government-wide standard, centralized approach to assessing and authorizing cloud computing services and products. It reached initial operational capabilities in June 2012 and became fully operational during FY2014.