Cybertelecom Federal Internet Law & Policy An Educational Project

CyberSecurity

There is no doubt that as individuals, as businesses, and as a nation as a whole, we are increasingly at risk if we choose to do nothing in the face of our growing infrastructure vulnerabilities. These risks are real.  We don't need to wait for a catastrophe to occur - indeed we must not allow a catastrophe to occur - in order to recognize that much work needs to be done. - Ronald L. Dick, Director US National Infrastructure Protection Center  September 5, 2001

Derived From: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705 (June 2007)

"Numerous public and private entities (federal agencies, state and local law enforcement, industry, and academia) have individual and collaborative responsibilititelephonetelephonees to protect against, detect, investigate, and prosecute cybercrime. The Departments of Justice (DOJ), Homeland Security (DHS), and Defense (DOD), and the Federal Trade Commission (FTC) have prominent roles in addressing cybercrime within the federal government. DOJ's FBI and DHS's U.S. Secret Service (Secret Service) are key federal organizations with responsibility for investigating cybercrime. State and local law enforcement organizations also have key responsibilities in addressing cybercrime. Private entities-Internet service providers, security vendors, software developers, and computer forensics vendors-focus on developing and implementing technology systems to protect against computer intrusions, Internet fraud, and spam and, if a crime does occur, detecting it and gathering evidence for an investigation. In addition, numerous partnerships have been established between public sector entities, between public and private sector entities, and internationally to address various aspects of cybercrime. For example, the Cyber Initiative and Resource Fusion Unit is a partnership established among federal law enforcement, academia, and industry to analyze cybercrime and determine its origin and how to fight it.

"Federal and state governments and other nations have enacted laws that apply to cybercrime and the legal recourse or remedies available. In addition, there are international agreements to improve the laws across nations and international cooperation on addressing cybercrime. Some federal statutes address specific types of cybercrime, while other federal statutes address both traditional crime and cybercrime."

Derived From: CRS Report (Mar 2009) "In January 2008, the Bush Administration initiated the Comprehensive National Cybersecurity Initiative (the CNCI) to make the United States more secure against cyber threats. The Homeland Security Presidential Directive 23 and National Security Presidential Directive 54 establishing the CNCI are classified. Some details of the Initiative have been made public in Departmental press releases, speeches by executive branch leaders, and analysis and insight offered by individuals that follow cyber security and terrorism related issues. The CNCI “establishes the policy, strategy, and guidelines to secure federal systems.”2 The CNCI also delineates “an approach that anticipates future cyber threats and technologies, and requires the federal government to integrate many of its technical and organizational capabilities to better address sophisticated threats and vulnerabilities.”3 Subsequent to the issuance of the classified directives, congressional committees have held hearings regarding the CNCI and heard testimony from a commission established to address necessary cybersecurity reforms.

"Few details have been publicly released regarding the implementation activities or status of CNCI efforts since the establishment of the initiative. According to one media account, Steven Chabinsky, Deputy Director of the Joint Interagency Cyber Task Force for the Office of the DNI, stated at an information technology security conference that there are 12 objectives supporting the Initiative’s goal of comprehensively addressing the nation’s cyber security concerns. They are:

1. Move towards managing a single federal enterprise network;
2. Deploy intrinsic detection systems;
3. Develop and deploy intrusion prevention tools;
4. Review and potentially redirect research and funding;
5. Connect current government cyber operations centers;
6. Develop a government-wide cyber intelligence plan;
7. Increase the security of classified networks;
8. Expand cyber education;
9. Define enduring leap-ahead technologies;
10. Define enduring deterrent technologies and programs;
11. Develop multi-pronged approaches to supply chain risk management; and
12. Define the role of cyber security in private sector domains.

Hearings & Reports

• White House
  • Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, White House (NSPD-54/HSPD23) (May 2009) [2009 Review]
    • May 28, 2009 House Science and Technology Committee Press release Gordon Joins Members for Release of Cyber Security Report
  • The White House, Office of the press Secretary, President Obama Directs the National Security and Homeland Security Advisors to Conduct Immediate Cyber Security Review (Feb. 9, 2009),
  • 2007, the Comprehensive National Cybersecurity Initiative (CNCI)
  • Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection (December 17, 2003).
  • Presidential Decision Directive 63, Critical Infrastructure Protection, May 22, 1998, at section II.
• Hearings
  • Senate Subcommittee on Terrorism and Homeland Security, "Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace" Nov 17, 2009
    • Witness List:
    • PANEL I
    • James Baker Associate Deputy Attorney General, Office of the Deputy Attorney General U.S. Department of Justice Washington, DC
    • Philip Reitinger Deputy Under Secretary, National Protection and Programs Directorate Director, National Cyber Security Center U.S. Department of Homeland Security Washington, DC
    • Richard Schaeffer Director, Information Assurance Directorate National Security Agency U.S. Department of Defense Fort Meade, Maryland
    • Steven R. Chabinsky Deputy Assistant Director, Cyber Division Federal Bureau of Investigation U.S. Department of Justice Washington, DC
    • PANEL II
    • Gregory T. Nojeim Senior Counsel and Director, Project on Freedom, Security & Technology Center for Democracy and Technology Washington, DC
    • Larry Clinton President, Internet Security Alliance Arlington, VA
    • Larry M. Wortzel, Ph.D. Vice Chairman, U.S.-China Economic and Security Review Commission Washington, DC
  • Senate Committee on H. Security & Governmental Affairs, Hearing Cyber Attacks: Protecting Industry Against Growing ThreatsMonday, September 14, 2009 10:00 AM Dirksen Senate Office Building, room 342 Witnesses
    • Panel 1 . Robert O. Carr [view testimony] Chairman and Chief Executive Officer Heartland Payment Systems, Inc.
    • William B. Nelson [view testimony] President and Chief Executive Officer Financial Services Information Sharing and Analysis Center
    • Michael P. Merritt [view testimony] Assistant Director, Office of Investigations, U.S. Secret Service U.S. Department of Homeland Security
    • Philip R. Reitinger [view testimony] Deputy Under Secretary, National Protection and Programs Directorate U.S. Department of Homeland Security
  • Jun 25, 2009 Hearing Assessing Cybersecurity Activities at NIST and DHS House Science & Technology Committee
    • Jun 25, 2009 Press release Subcommittee Examines DHS's and NIST's Cybersecurity Efforts
  • Jun 16, 2009 Hearing Agency Response to Cyberspace Policy Review House Science and Technology Committee
    • Jun 16, 2009 Press release Witnesses, Members Discuss How to Secure Cyberspace
    • Statement for the Record Dr. Peter Fonash Acting Director, National Cybersecurity Division Chief Technology Officer, Office of Cybersecurity and Communications National Protection and Programs Directorate U.S. Department of Homeland Security
  • Jun 10, 2009 Hearing Cyber Security R&D House Science & Technology Committee
    • Jun 10, 2009 Press release Subcommittee Examines Federal Cyber Security Measures, Looking for Ways to Improve R&D
  • House Committee on H. Security, "Reviewing the Federal Cybersecurity Mission" Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Tuesday, March 10, 2009 2:00 p.m. in 311 Cannon House Office Building Subcommittee on Emerging Threats, Cybersecurity, Science and Technology Hearing "Reviewing the Federal Cybersecurity Mission"
    • "Testimony of Amit Yoran, Netwitness Corporation, 'Reviewing the Federal Cybersecurity Mission,'"
    • "Statement of Chairman Bennie G. Thompson, 'Reviewing the Federal Cybersecurity Mission,'"
    • "Statement of Chairwoman Yvette D. Clarke,"
    • "Statement of David Powner, Director, Information Technology Management Issues, United States Government Accountability Office, 'National Cybersecurity Strategy: Key Improvements are Needed to Strengthen the Nation's Posture,'"
    • "Statement of James A. Lewis, Center for Strategic and International Studies, 'Reviewing the Federal Cybersecurity Mission,'"
    • "Testimony of Mary Ann Davidson, Chief Security Officer, Oracle Corporation,"
    • "Written Testimony of Scott Charney, Corporate Vice President, Microsoft Corporation's Trustworthy Computing, 'Securing America's Cyber Future: Simplify, Organize and Act,'"
  • United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, "Statement for the Record of Seán P. McGurk, Director, Control Systems Security Program, National Cyber Security Division, National Protection and Programs Directorate, Department of Homeland Security," March 24, 2009
  • United States House of Representatives, hearing before the Committee on Science and Technology, "Statement of Dr. Christopher L. Greer, Director, National Coordination Office for Networking and Information Technology Research and Development," April 1, 2009
  • United States House of Representatives, hearing before the Committee on Transportation and Infrastructure, Subcommittee on Aviation, "Statement of James C. May, President and CEO, Air Transport Association of America, Inc., 'Air Traffic Control Modernization and NextGen: Near-Term Achievable Goals,'" March 18, 2009
  • United States House of Representatives, hearing before the Committee on Transportation and Infrastructure, Subcommittee on Aviation, "Statement of The Honorable Calvin L. Scovel III, Inspector General, U.S. Department of Transportation, 'Federal Aviation Administration: Actions Needed to Achieve Mid-term NextGen Goals,'" March 18, 2009
  • United States House of Representatives, hearing before the Permanent Select Committee on Intelligence, "Annual Threat Assessment" by Dennis C. Blair, Director of National Intelligence, February 25, 2009
  • House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation’s Cyber Security Risks, 110th Cong. (Sept. 18, 2008);
  • House Homeland Security Committee, Cybersecurity Recommendations for the Next Administration: Hearing Before the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, 110th Cong. (Sept. 16, 2008).
  • CyberSecurity: Protecting America's Critical Infrastructure, Economy, and Consumers, Subcommittee on Telecom and the Internet, Sept 13, 2006
  • “Cybersecurity—Getting It Right: The Importance of Research in Cybersecurity and What More Our Country Needs to Do,” on July 22, 2003. Subcommittee on Cybersecurity, Science, and Research Development of the US House of Representatives Select Committee on Homeland Security
  • "Overview of the Cyber Problem: A Nation Dependent and Dealing with Risk,” June 2003 Subcommittee on Cybersecurity, Science, and Research Development of the US House of Representatives Select Committee on Homeland Security
• Reports
  • CRS Report RL33123, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, by John Rollins and Clay Wilson
  • CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation, by John D. Moteff
  • Congressional Research Service, report by John Rollins and Anna C. Henning entitled "Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations," March 10, 2009
  • Department of the Treasury, FSSCC/FBIIC Cyber Security Intelligence and Information Sharing Work Groups, "Roadmap for Improved Information Sharing: Situational Analysis and Recommendations for Action" (undated)
  • Information Technology Information Sharing and Analysis Center, letter from Brian Willis, February 27, 2009
  • National Security Telecommunications Advisory Committee, "NSTAC Response to the Sixty-Day Cyber Study Group," March 12, 2009
  • United States House of Representatives, Permanent Select Committee on Intelligence, "HPSCI White Paper on Cyber security," December 10, 2008
  • Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency (2008).
  • Jul 01, 2008 Requested Report [GAO] CYBER ANALYSIS AND WARNINGHouse Science & Technology Committee
  • Library of Congress.  Congressional Research Service.  Information Operations, Electronic Warfare, and Cyberwar:  Capabilities and Related Policy Issues , by Clay Wilson.  Washington, CRS, March 20, 2007.  18 p.
  • Information Security, Emerging Cybersecurity Issues Threaten Federal Informational Systems, GAO Report to Congressional Requesters, (2005) [GAO 05]
  • “The Economic Impact of Cyber Attacks.” CRS 2004
  • GAO, Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements, GAO-04-483T (Washington, D.C.: Mar. 16, 2004).
  • Critical Infrastructure Protection: Who's in Charge, GSA before Committee on Governmental Affairs (Oct 2001)
  • Threat Assessment of Malicious Code and Human Threats, Lawrence E. Bassham &W. Timothy Polk, National Institute of Standards and Technology Computer Security Division, Thu Mar 10 15:32:55 EST 1994

Laws

• Child Protection Laws
• Computer Fraud and Abuse Act 18 USC 2030
• Federal Information Security Management Act of 2002 (FISMA)
  • "FISMA establishes clear criteria to improve federal agencies' cybersecurity programs. Enacted into law on December 17, 2002, as title III of the EGovernment Act of 2002, FISMA requires federal agencies to protect and maintain the confidentiality, integrity, and availability of their information and information systems.5 It also assigns specific information security responsibilities to the Office of Management and Budget (OMB), the Department of Commerce's National Institute of Standards and Technology (NIST), agency heads, chief information officers (CIO), and inspectors general (IG). For OMB, these responsibilities include developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, as well as reviewing, at least annually, and approving or disapproving, agency information security programs. FISMA required each agency including agencies with national security systems, to develop, document, and implement agencywide information security programs to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Specifically, this program is to include
    • "periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems;
    • "risk-based policies and procedures that cost-effectively reduce information security risks to an acceptable level and ensure that information security is addressed throughout the life cycle of each information system;
    • subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems;
    • security awareness training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency;
    • periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, performed with frequency depending on risk, but no less than annually, and that includes testing of management, operational, and technical controls for every system identified in the agency's required inventory of major information systems;
    • a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
    • procedures for detecting, reporting, and responding to security incidents; and
    • plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
  • "FISMA requires each agency to report annually to OMB, selected congressional committees, and the Comptroller General on the adequacy of information security policies, procedures, and practices, and on compliance with FISMA's requirements.
  • "FISMA also charges the Director of OMB with ensuring the operation of a central federal information security incident center with responsibility for issuing guidance to agencies on detecting and responding to incidents. Other responsibilities include compiling and analyzing information about incidents and informing agencies about current and potential information security threats. Prior to FISMA, the CIO Council (then chaired by OMB's Deputy Director for Management) issued a memorandum to all agency CIOs instructing agencies to follow specific practices for appropriate coordination and interaction with the Federal Computer Incident Response Capability (FedCIRC).6 OMB's statutory requirement supported FedCIRC, and OMB received quarterly reports from FedCIRC on the federal government's status on information technology security incidents.
  • "Following the establishment of DHS and in an effort to implement action items described in the National Strategy to Secure Cyberspace, FedCIRC was dissolved as a separate entity and its functions absorbed into the United States Computer Emergency Readiness Team (US-CERT), which was created in September 2003. US-CERT was established to aggregate and disseminate cybersecurity information to improve warning about and response to incidents, increase coordination of response information, reduce vulnerabilities, and enhance prevention and protection. US-CERT analyzes incidents reported by federal civilian agencies and coordinates with national security incident response centers in responding to incidents on both classified and unclassified systems. US-CERT also provides a service through its National Cyber Alert System to identify, analyze, prioritize, and disseminate information on emerging vulnerabilities and threats."
  • "FISMA also requires NIST to establish standards, guidelines, and requirements to help agencies improve the posture of their information security programs.9 NIST has issued several publications relevant to assisting agencies in protecting their systems against emerging cybersecurity threats. For instance, Special Publication 800-61, Computer Security Incident Handling Guide, advises agencies to establish an incident-response capability that includes establishing guidelines for communicating with outside parties regarding incidents, including law enforcement agencies, and also discusses handling specific types of incidents, including malicious code and unauthorized access. Additionally, NIST Special Publication 800-68 (Draft), Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, describes configuration recommendations that focus on deterring malware, countermeasures against security threats with malicious payload, and specific recommendations for addressing spyware." [GAO 2005 p 9, 14]
• Fraud in Connection with Access Devices 18 USC 1029
• ID Documents Fraud 18 USC 1028
  • Aggregated Identity Theft 18 USC 1028A
• Wire Fraud 18 USC 1343
• Federal Trade Commission Act 15 USC 45
• Can Spam Act 15 U.S.C. § 7701, 18 U.S.C. § 1037
• USA Patriot Act

White House

"The Administration already has established an Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC), chaired by the National Security Council (NSC) and Homeland Security Council (HSC),19 as the primary policy coordination body for issues related to achieving an assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities." [2009 Review 7]

White House has proposed the position of a Cybersecurity Czar / Coordinator

"The President should consider appointing a cybersecurity policy official at the White House, reporting to the NSC and dual-hatted with the NEC, to coordinate the Nation's cybersecurity-related policies and activities. This individual would chair the ICI-IPC and lead a strong process in consultation with other elements of the EOP to resolve competing priorities and coordinate interagency development of policies and strategies for cybersecurity.20 The cybersecurity policy official should participate in all appropriate economic, counterterrorism, and science and technology policy discussions to inform them of cybersecurity perspectives.

"To be successful, the President's cybersecurity policy official must have clear presidential support, authority, and sufficient resources to operate effectively in policy formulation and the coordination of interagency cybersecurity-related activities. The cybersecurity policy official should be supported by at least two Senior Directors and appropriate staff from the NSC and at least one Senior Director and appropriate staff from the NEC. These directorates would report through the cybersecurity policy official and work together in pursuit of the goals set forth in this paper and established as national policy. In addition, to achieve additional scale and integration across the NSC, each NSC regional and functional directorate should designate an individual to be responsible for following cybersecurity-related issues in the directorate's portfolio and coordinating with the directorate for cybersecurity.

"The cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally. Using interagency coordination processes, the cybersecurity policy official should harmonize cybersecurity-related policy and technology efforts across the Federal government, ensure that the President's budget reflects federal priorities for cybersecurity, and develop a legislative agenda, all in consultation with the Federal government's Chief Technology Officer and Chief Information Officer-along with the appropriate entities within the Office of Management and Budget (OMB), the Office of Science and Technology Policy (OSTP), and the NEC.

"This appointment also would make crisis management more effective by establishing the cybersecurity policy official as the White House action officer for cyber incident response (a similar role to the action officers who help the White House monitor terrorist attacks or natural disasters); departments and agencies would continue to perform their operational roles.

"To facilitate coordination, all federal departments and agencies should establish a point-of-contact in their respective executive suites authorized to interface with the White House on cybersecurityrelated issues.

"The cybersecurity policy official-through the interagency policy development process-should prepare for the President's consideration an updated national strategy to secure the information and communications infrastructure. The strategy should include continued evaluation of CNCI activities and build, where appropriate, on its successes.24 The national strategy should focus senior leadership attention and time toward resolving issues that hamper U.S. efforts to achieve an assured, reliable, secure, and resilient global information and communications infrastructure and related capabilities.25 The strategy would assist government efforts to raise public awareness, renew and build international alliances and public-private partnerships, establish a more comprehensive national cyber response and recovery plan, and promote an aggressive research and development agenda that has the potential to result in new technologies that will enhance cybersecurity.

"The Federal government should continue the principle of "mission bridging" started under the CNCI. Departments and agencies should expand the sharing of expertise, knowledge, and perspectives about threats, tradecraft, technology, and vulnerabilities between network defenders and the intelligence, military, and law enforcement organizations that develop U.S. operational capabilities in cyberspace. In addition, the cybersecurity policy official should help coordinate intelligence and military policies and strategies for cyberspace-including for countering terrorist use of the Internet-to ensure integration of all mission equities.The cybersecurity policy official should engage external advisory bodies. Many advisory bodies touch on cybersecurity-related issues, including the National Security and Telecommunications Advisory Committee (NSTAC), the National Infrastructure Advisory Council (NIAC), the Critical Infrastructure Partnership Advisory Council (CIPAC), and the Information Security and Privacy Advisory Board (ISPAB). The cybersecurity policy official should review the responsibilities of these bodies and propose changes as necessary to optimize advice and eliminate unnecessary duplication.

"Other structures will be needed to help ensure that civil liberties and privacy rights are protected. Such structures would signal transparency and build trust between the civil liberties and privacy community, the public, and the program for cybersecurity, especially if implemented from the outset.26 It is important to reconstitute the Privacy and Civil Liberties Oversight Board (PCLOB), accelerate the selection process for its board members, and consider whether to seek legislative amendments to broaden its scope to include cybersecurity-related issues.27 Other options include: facilitating regular engagement of government civil liberties and privacy advisors on policy matters for cybersecurity or designating a dedicated privacy and civil liberties officer within the NSC (or, more broadly, the EOP) to engage with the private-sector civil liberties and privacy community, an oversight board, and government civil liberties and privacy officers.28, 29

"Equally important to developing cybersecurity policy, is assuring the effective execution and implementation of that policy to meet the goals of the larger strategy. Accordingly, the cybersecurity policy official, in consultation with OMB and other EOP entities, will need to ensure effective implementation of cybersecurity-related policy and activities. During the course of the 60-day review, stakeholders suggested a variety of options to coordinate and oversee cybersecurity activities. Several commentators identified strong executive leadership as well as focused, multi-year attention across the participating departments and agencies as critical elements to ensure that the U.S. Government has the mechanisms needed for an effective cybersecurity program. Currently, some of these oversight functions for existing cybersecurity efforts are being performed outside of the EOP. For example, the Joint Interagency Cyber Task Force (JIACTF), under the Director of National Intelligence, currently is responsible for coordinating and monitoring the implementation of the CNCI. The cybersecurity policy official, in consultation with OMB and other EOP entities, should develop structural options to perform appropriate oversight, implementation, and other functions. These could include among others, developing a JIACTF-like function30 in OMB or elsewhere in the EOP, creating an entity similar to President Eisenhower's Operations Coordinating Board,31 or establishing some other entity that, among other things, assists in assessing department and agency performance and oversees federal compliance with cybersecurity standards. Unless and until such an office is established, the work of the JIACTF should continue.32" [2009 Review 7]

Other Govt Activity

• House Committee on Science and Technology Sep 23, 2009 Press release Subcommittee Approves Legislation to Strengthen the Federal Cybersecurity R&D Portfolio

Cybersecurity Research

NITRD Sept 22, 2009 (In response to the President's call to secure our nation's cyber infrastructure, the White House Office of Science and Technology Policy (OSTP) and the Federal Networking and Information Technology Research and Development (NITRD) Program developed the Leap-Ahead Initiative with the goal of developing the national cyber security leap-ahead research and development agenda. Between August 17th and 19th of this year, the NITRD Program, with guidance from OSTP and the Office of the Assistant Secretary for Defense Networks and Information Integration, held a National Cyber Leap Year Summit in Arlington, Virginia.)

• National Cyber Leap Year Summit 2009 Co-Chairs Report: download
• National Cyber Leap Year Summit 2009 Participants' Ideas Report: download

Links

• Economics of Information Security (ECONSEC)
• Economics and Security Resource Page Ross Anderson
• CMU Usable Privacy and Security Laboratory
• IT-ISAC

Papers

• An Economic Map of Cybercrime - Alvaro Cardenas, University of California-Berkeley, John Chuang, University of California-Berkeley, Jens Grossklags, University of California-Berkeley, Svetlana Radosavac, DOCOMO Communications Labratories USA, Inc., Chris Hoofnagle,University of California-Berkeley TPRC 2009
• Bauer, Johannes M. and Van Eeten, Michel (2009) "Cybersecurity: stakeholder incentives, externalities, and policy options", Telecommunications Policy, 33(10-11)
• Van Eeten, Michel J. G. and Bauer, Johannes M. (2009) "Megacrises and the internet: risks, incentives and externalities", Journal of Contingencies and Crisis Management, forthcoming.
• Melissa Hathaway, Cyber Security – An Economic and National Security Crisis, Intelligencer: Journal of U.S. Intelligence Studies, Fall 2008 at 31-6.

News & Blogs

• Details on presidential motorcades, safe house for First Family, leak via P2P, CW 7/30/2009
• McAfee Warns Spam, Trojans and Botnets Skyrocketing, Wired 7/30/2009
• Twitter: A Growing Security Minefield, CW 7/27/2009
• U.S. seeks 'top guns' for cybersecurity, CW 7/27/2009
• U.S. Official: Cybersecurity Plans Not Just Talk, Internet News 7/2/2009
• Why don't I feel all warm and fuzzy about this?, ISEN 5/13/2009
• New Bill Would Give Feds Sweeping Cybersecurity Enforcement Powers, Ecommerce Times 4/2/2009
• Bill Would Federalize Cybersecurity- Senate Proposal Would Affect Even Some Private Networks, Senate Commerce 4/2/2009
• Chairman Rockefeller and Senator Snowe Introduce Comprehensive Cybersecurity Legislation, Senate Commerce 4/2/2009
• White House cyber adviser--more questions than answers, CNET 3/27/2009
• Creation of White House cybersecurity office remains uncertain, CW 3/27/2009
• FTC questions cloud-computing security, CNET 3/18/2009
• Hearing Announcement: Cybersecurity - Assessing Our Vulnerabilities and Developing An Effective Defense, Senate Commerce 3/10/2009
• Top US Federal Cybersecurity Official Resigns, Criticizes NSA Takeover, CircleID 3/10/2009
• Obama Proposes Millions for Cybersecurity, Internet News 3/3/2009
• A New Internet Attack: Parking Tickets, CW 2/5/2009
• Feds urged to provide cybersecurity incentives, CW 11/20/2008
• Obama administration to inherit tough cybersecurity challenges, CW 11/20/2008
• Will Twitter and terrorism meet?, BBC 10/28/2008
• FTC's Cyber Security Site Gets an Upgrade, FTC 10/2/2008
• Ready to blow the whistle on a cybercrime? Who ya gonna call?, CW 9/12/2007
• ESTABLISHMENT OF THE PUBLIC SAFETY AND HOMELAND SECURITY BUREAU AND OTHER ORGANIZATIONAL CHANGES., FCC 9/26/2006
• FCC Establishes Public Safety and Homeland Security Bureau, Converged Network 9/26/2006
• Fiddling while Rome burned, CNET 9/2/2006
• Federal agencies get a D+ on cybersecurity, CW 2/18/2005
• Clarke: Who leads cybersecurity?, FCW 2/18/2005
• Reports: FBI Shutters Public E-Mail System, eweek 2/8/2005
• Bush backs boost for cybersecurity, FCW 2/8/2005
• Bush's Cyber Security Force Loses Another One, InternetNews 1/14/2005
• F.B.I. May Scrap Vital Overhaul of Its Outdated Computer System, NYT 1/14/2005
• Calling for security leadership, FCW 12/10/2004
• Committee calls for cybersecurity post, FCW 12/10/2004
• Ridge leaves mixed legacy, CNET 12/3/2004
• Former cybersecurity czar: Code-checking tools needed, Infoworld 12/3/2004
• US gets new cyber security chief, BBC 10/8/2004
• Access to Tom Ridge or bust, CNET 10/8/2004
• Howard Schmidt to lead U.S. CERT, CW 10/8/2004
• US cyber security chief resigns, BBC 10/5/2004
• Steps for Creating National CSIRTs, CERT 10/5/2004
• U.S. cybersecurity chief resigns, CNET 10/5/2004
• FTC Continues Education, Enforcement Efforts to Promote Information Security, FTC 9/24/2004
• Cybersecurity czar may get a promotion, CNET 9/21/2004
• Collins praises, Lieberman blasts homeland security orders, FCW 12/19/2003
• Organizational Models for Computer Security Incident Response Teams, CERT 2/10/2004
• U.S. creates cyberalert system, CNET 2/2/2004
• Gov't Rolls Out Cyber Alert System, Internet News 2/2/2004
• Fed cybersecurity chiefs get a council, FCW 12/5/2003
• Feds simulate terrorist cyberattack, CNN 12/2/2003
• DHS Cuts Tech Funding By 30%, Internet News 11/14/2003
• EU hi-tech crime agency created, BBC 11/21/2003
• Homeland security goes online, BBC 6/9/03
• Government forms cybersecurity unit, CNET 6/9/03
• Homeland Security to tap director, CNET 6/6/03
• Broadband Users Lack Basic Security, Internet News 6/6/03
• When to make the cybersecurity call, FCW 4/4/03
• Creation of cybersecurity post in administration appears imminent, GovExec 4/1/03
• U.S. Government To Get Cybersecurity Chief, Salon 5/28/03
• Blogs play a role in homeland security, CW 5/12/03
• Homeland chief urges firms to bolster cybersecurity, GovExec 5/2/03
• Ridge Asks For Tech Help, Info World 4/30/03
• ITAA Calls For Cybersecurity Czar, Internet News 4/23/03
• Howard Schmidt is leaving the White House, GCN 4/21/03
• Howard Schmidt leaving government cybersecurity job, CW 4/21/03
• White House May Lose Top Cybersecurity Advisor, Internet News 4/21/03
• U.S. Cyber Security Plan A Mosaic, Internet News 4/17/03
• Cybe rsecurity in Europe and EU-Russia Co-operation, RAPID 4/11/03
• Clarke: No One's Minding the Cyber Store, eweek 4/9/03
• NIPC Leadership Questioned, Info World 2/28/03
• Anti-terror Network 'in Disarray', BBC 2/21/03
• Cybersecurity Chief To Quit, Internet News 1/29/03
• U.S. Cybersecurity Czar to Resign, Wired 1/29/03
• Cooper named Homeland Dept. CIO, FCW 1/10/03
• White House trims cybersecurity plan, MSNBC 1/7/03
• Feds Building Internet Monitoring Center, Wash Post 2/10/03
• Homeland Office Is Told to Answer Queries on Its Role, Wash Post 1/3/03
• Feds Delay Launch of Cyber-Security Plan, VOA 12/20/02
• The Year In Security, TechTV 1/2/03
• Sentries on the Net, CNET 1/2/03
• Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, CERT 12/4/02
• Homeland Security Is Watching You, Newsfactor 11/25/02
• NIPC Seeks Cyberalert Support, FCW 8/16/02
• NIPC CyberNotes Issue #2002-16, 08/12/2002, NIPC 8/16/02
• OECD Publishes Cyber-Security Guidelines, IDG 8/9/02
• OECD Governments Launch Drive to Improve Security of Online Networks, OECD 8/9/02
• Creating a Computer Security Incident Response Team: A Process for Getting Started, CERT 8/7/02
• Bush Adviser Encourages Hacking, Wash Post 8/2/02
• Cybersecurity Info Sharing Plan Blasted, Wash Post 7/29/02
• Report: Cyber Security Efforts Disorganized, USAToday 7/24/02
• National Strategy Executive Summary, WhiteHouse 7/17/02
• NIPC Reaches Out To Private IT Sector, Internet News 6/26/02
• Government Not Ready For Cyberattacks, Internet News 6/26/02
• White House Stressing IT Security, Wash Post 6/10/02
• Bush Plan Backs IT Infrastructure, FCW 6/5/02
• Homeland security network proposed, USA Today 6/5/02
• InfoSec: GartnerG2 Says Not Enough Being Done to Prepare for Cyberattacks, ITAA 5/22/02 
• Ridge wants tech firms to enlist in terrorism fight, USA Today 4/24/02
• Government cyber security chief warns of threats to infrastructure , Nando 2/20/02
• High-Tech Security Czar Warns Against Cyber Complacency , Wash Tech 2/20/02
• White House To Form Cybersecurity Center, FCW 2/15/02
• Cybercrime reporting procedure draws fire , CW 2/20/02
• U.S. Backing for Guidelines on Fighting CyberCrime, NYT 2/13/02
• NIPC Head: Communication Key, Must Do More, IDG 2/4/02
• NIST Prepping Security Guides, Fcw 1/28/02
• White House Cybersecurity 'Strategy' Due In June, Wash Tech 1/28/02
• U.S. Cyber Chief to Map Infrastructure for Security, Reuters 12/6/01
• Feds To Draw 'Map' Of Internet (by the National Infrastructure Simulation and Analysis Center which is a part of the Defense Threat Reduction Agency - NISAC is a partnership between DTRA and Los Alamos), Newsfactor 12/7/01
• Cyber-security czar snubs ID plan, MSNBC 11/9/01
• New Powers In Cybersecurity, Reuters 11/9/01
• Cybersecurity chief warns of Net threat, USAToday 11/9/01
• Security woes dog federal agencies, CNET 11/9/01
• ITAA Calls for Immediate New Federal IT Security Funding, Inews 11/9/01
• President Forms Cyberterrorism Panel, AP 10/17/01
• New Unit Targets Internet Crimes, LAT 7/13/01
• Top DOJ Official Outlines Priority List to Combat Cybercrime, Standard 6/15/01
• Internet warning system under siege (CERT), CNET 5/23/01
• NIPC Gets "F" In Hack Attack Warnings, InternetNews 5/23/01
• Bush considers cybersecurity coordination board, USAToday 5/16/01
• Bush Mulls cybersecurity, USAToday 5/11/01
• White House Site Attack Clues Sought, CW 5/8/01
• Senator: Aid Cyber Security By Secrecy, Reuters 5/8/01
• FBI Names New Chief For Computer Security, Infoworld 3/21/01
• U.S. Cyber-Chief Warns of Weaknesses, Newsfactor 3/21/01
• National Security Adviser sees cyberterrorist threat, USAToday 3/23/01