INSIGHTi Cybersecurity Homeland Security Issues for the 116th Congress March 29 2019 Introduction For policymaking purposes cybersecurity can be considered the security of cyberspace Taking this broad view allows policymakers to examine discrete elements of cybersecurity and determine which parts to address through the legislative process Cyberspace itself includes the infrastructure necessary for the internet to work e g wires modems and servers the services used via the Internet e g web applications and websites the devices on the network e g computers and Internet-of-Things devices and the users of those devices Cybersecurity involves many interrelated issues such as education workforce management research and development intelligence law enforcement and defense Recent congressional activity and Member statements suggest that five specific cybersecurity topics with an intersection to homeland security may arise during the 116th Congress This Insight first discusses the importance of risk management for cybersecurity then introduces each of those topics Information Sharing Critical Infrastructure Protection and Cybersecurity Cyber Supply Chain Risk Management Federal Agency Oversight and Data Protection and Privacy Risk Management When computer scientists refer to cybersecurity they are generally not talking about security as an absolute and achievable state of safety Rather they refer to cybersecurity as a process of risk management Risk can be managed in four ways it can be avoided transferred controlled and accepted To know the appropriate course of action an organization must first understand which risks they face Risks can be understood as the threats an organization faces the vulnerabilities they have to their Congressional Research Service https crsreports congress gov IN11088 CRS INSIGHT Prepared for Members and Committees of Congress Congressional Research Service 2 systems and the consequences or impacts of a successful attack against them Risks can be managed against systems networks and data In managing those risks managers employ an information security model to understand risk areas and tools to address risks Policymakers could choose to examine these risk management factors holistically or to consider specific elements and ways to address specific risk factors Policy Areas Information Sharing Policymakers could choose to examine information sharing as a tool that may strengthen an organization’s cybersecurity The need to maintain current awareness of the relationships between technologies and attacks is a reason that information sharing is frequently included in the cybersecurity discussion Through information sharing one party seeks to bolster the knowledge of its partners Information may provide opportunities for organizations to learn from one another reduce their vulnerability to hacking and quickly adapt to changing conditions Successful information sharing occurs when an organization receives information has the capability to process it knows how to use it and makes a change to its practices to better secure itself However the advantage to sharing information is only realized when the result is a valuable change in behavior because of the information shared Some organizations may miss critical information lack the expertise to understand it lack the resources to take action or otherwise not change their behavior Critical Infrastructure Protection and Cybersecurity The National Infrastructure Protection Plan directs the owners and operators of facilities under the nation’s 16 critical infrastructure sectors and the sector-governing bodies to consider cybersecurity risks to their sectors However their ability to understand risk and to provide resources to manage risk for their sectors varies In an effort to bolster cybersecurity risk management policymakers could choose to direct federal agencies to provide assistance to a sector or sectors to engage in rulemaking or to otherwise incentivize cybersecurity activities e g expediting security clearances or prioritizing federal contracting opportunities To assist a sector some agencies have specific programs designed to provide information technical assistance or capabilities for critical infrastructure DHS can provide assistance to all sectors The National Institute of Standards and Technology NIST has published a cybersecurity framework to assist those responsible for critical infrastructure Cyber Supply Chain Risk Management Recent news articles and government reports have focused attention on cyber supply chain issues Managing risks associated with a global and complex product supply chain for information technology IT is known as cyber supply chain risk management C-SCRM C-SCRM refers to addressing both the risks that foreign adversaries may introduce to products and unintentional risks such as poor quality control and vendor management Policymakers could choose to pursue legislative options to clarify agency responsibilities relative to C-SCRM such as increasing awareness providing oversight prohibiting certain companies from supplying components or services or requiring an entity to evaluate products for cyber supply chain risks Congressional Research Service 3 Federal Agency Oversight Federal agencies collect process store and transmit sensitive information such as personally identifiable information and national security information Agencies rely on IT to use this information and requested over $17 billion in cybersecurity funding for FY2020 Yet the Government Accountability Office GAO bi-annually highlights that agencies face various challenges in IT management This is despite existing statutes guidance and resources agencies have to assist in managing their IT Congress could choose to pursue investigations hearings or legislation to improve oversight of the government’s overall IT program s or could focus on an individual agency’s cybersecurity efforts In pursuing this oversight Congress may review agency spending on IT and cybersecurity and follow up on GAO and Inspector General IG recommendations related to improving agency IT management Data Security and Privacy The Equifax breach and multiple Facebook incidents have highlighted data security and privacy issues While these concepts may be interrelated and certain technologies like encryption can help achieve both for policymaking and operational purposes they are distinct Data security refers to strategies to keep out unauthorized users while privacy refers to using data regardless of where it is stored or who accessed it In keeping with the concept of risk management it is important to consider “from what” one is seeking to secure their data or seek to keep it private when designing policies or strategies for security and privacy Policymakers could choose to pursue comprehensive such as the General Data Protection Regulation or sectoral such as the Health Insurance Portability and Accountability Act HIPAA standards approaches to data security and privacy In the past the federal government has addressed these issues sectorally But recent state and federal discussions have focused on more comprehensive approaches Author Information Chris Jaikaran Analyst in Cybersecurity Policy Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material IN11088 · VERSION 2 · NEW Congressional Research Service 4 IN11088 · VERSION 2 · NEW