Cybersecurity Issues and Challenges: In Brief (CRS Report for Congress)
Release Date: Revised Aug. 12, 2016
Report Number: R43831
Report Type: Report
Authors: Eric A. Fischer, Senior Specialist in Science and Technology
Source Agency: Congressional Research Service
Older Revisions:
- Revised April 29, 2015 (13 pages)
- Dec. 16, 2014 (10 pages)
Summary:
The information and communications technology (ICT) industry has evolved greatly over the last half century. The technology is ubiquitous and increasingly integral to almost every facet of modern society. ICT devices and components are generally interdependent, and disruption of one may affect many others. Over the past several years, experts and policymakers have expressed increasing concerns about protecting ICT systems from cyberattacks, which many experts expect to increase in frequency and severity over the next several years.
The act of protecting ICT systems and their contents has come to be known as cybersecurity. A broad and arguably somewhat fuzzy concept, cybersecurity can be a useful term but tends to defy precise definition. It is also sometimes inappropriately conflated with other concepts such as privacy, information sharing, intelligence gathering, and surveillance. However, cybersecurity can be an important tool in protecting privacy and preventing unauthorized surveillance, and information sharing and intelligence gathering can be useful tools for effecting cybersecurity.
The management of risk to information systems is considered fundamental to effective cybersecurity. The risks associated with any attack depend on three factors: threats (who is attacking), vulnerabilities (how they are attacking), and impacts (what the attack does). Most cyberattacks have limited impacts, but a successful attack on some components of critical infrastructure (CI), most of which is held by the private sector, could have significant effects on national security, the economy, and the livelihood and safety of individual citizens. Reducing such risks usually involves removing threat sources, addressing vulnerabilities, and lessening impacts.
The federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for CI. On average, federal agencies spend more than 10% of their annual ICT budgets on cybersecurity.
More than 50 statutes address various aspects of cybersecurity, and new legislation has been debated since at least the 111th Congress. Executive Order 13636 and Presidential Policy Directive 21, released in February 2013, address the cybersecurity of CI through voluntary public/private sector collaboration and use of existing regulatory authorities. Five bills enacted in December 2014 address the security of federal ICT, the cybersecurity workforce at the Department of Homeland Security (DHS), cybersecurity research and development, and DHS information-sharing activities. Other bills would have addressed information sharing more broadly, protection of CI, notification of victims of data breaches, and cybercrime laws, among other issues. At the beginning of the 114th Congress, the Obama Administration took actions including proposed legislation on information sharing, data-breach notification, and cybercrime laws. Bills addressing those and other issues have been introduced in the House and the Senate. Several have seen committee or floor action, with two bills on information sharing, H.R. 1560 and H.R. 1731, passing the House in April 2015.
The executive-branch actions and proposed legislation are largely designed to address several well-established near-term needs in cybersecurity. However, those needs exist in the context of more difficult long-term challenges relating to design, incentives, consensus, and environment. Legislation and executive actions in the 114th Congress could have significant impacts on those challenges. For access to additional CRS reports and other resources, see the Cybersecurity Issue Page at http://www.crs.gov.