Cybersecurity Library

The Cybersecurity Library is an ongoing effort to collect and organize documents and other resources that facilitate the exploration of interdisciplinary topics related to the challenge of cybersecurity. 

If you have comments or suggestions regarding the content of this page, please contact cybersecurity@stanford.edu

Cybersecurity Library Index:

Key Cybersecurity Overview Texts

General Cybersecurity Resources

Assessing Cyber Insecurity

Cybersecurity Law & Enforcement

US Government Cybersecurity Efforts

Economics & Market Forces in Cybersecurity

Information Security Metrics

Liability & Cyberinsurance

Industrial & Operational Perspectives on Cybersecurity

Information Warfare

Technical Topics

Miscellaneous Readings


Key Cybersecurity Overview Texts

Cybersecurity: Pay Now or Pay Later : A short text from the Computer Science and Telecommunications Board (CSTB) outlining the problem of cybersecurity.  A good introduction to and outline of the topic.

Critical Information Infrastructure Protection and the Law : A substantial text from the CSTB giving an overview of the major facets of government action to protect information infrastructure.  Includes great depth on the topics of information sharing for key industries and the potential role of liability in future protection policies.

Critical Infrastructures You Can Trust: Where Telecommunications Fits : An overview of actual and potential vulnerabilities within our current information infrastructure.

Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems : The Government Accounting Office (GAO) outlines the risks and challenges involved with securing America’s critical infrastructure control systems. 

General Cybersecurity Resources

Security In the News : A daily news report focusing largely on cybersecurity from the Institute for Security Technology Studies at Dartmouth College.

Assessing Cyber Insecurity

Computer-Related Risks and the National Infrastructure : Peter Neumann outlines national vulnerability to cyberthreats in this 1997 House of Representatives testimony. 

How Real is the Cybersecurity Threat? : Video of a 2002 panel including members from the Office of Cyberspace Security, Microsoft, backbone provider Genuity, Verisign, and a financial services company.  Based on their personal background and experience, each offers a different perspective of the current threat and who is responsible for improving the security of the Internet. 

Cyber Insecurity: The Cost of Monopoly :  An interesting and oft-quoted paper describing the risks of software monoculture for Internet security. 

Is Cyber Terror Next? : Security expert Dorothy Denning considers the likelihood of terrorists exploiting vulnerabilities exposed on the Internet.

Is There a Cybersecurity Threat to National Security? :  A consideration of arguments for and against the existence of a serious threat to US national security.  Includes many useful references to other work assessing the cyberthreat environment.  

Critical Infrastructure Protection:  Significant Challenges Need to Be Addressed : Report by the Government Accounting Office (GAO) describing the key problems to be addressed by US policy focusing on critical infrastructure protection. 

Cybersecurity Law & Enforcement

States and Internet Enforcement :  Comprehensive document exploring the issue of how nations can enforce laws online both now and in the future. 

18 U.S.C. 1030 - The Computer Fraud and Abuse Act : US federal law outlining illegal behavior on computer systems, serving as an introduction to the concept of unauthorized access, which is central to defining what is illegal behavior online.

Council of Europe (COE) Convention on Cybercrime : The text of the COE's Convention on Cybercrime, which defines the cybercrime laws that signatory governments must pass and requires abiding nations to assist other nations in the investigation of the international cybercrimes outlined in the text.  The COE's Convention on Cybercrime is a guiding document not only in Europe, but also in the United States and other high-tech nations.

Cybercrime : The Council of Europe Convention :  A shorter summary article on the United States perspective of the cybercrime convention. 

United Nations Ponders Net’s Future : Short news article describing UN interest in governing the Internet.

Internet Service Providers and Law Enforcement and National Security : Documents describing the duties of Australian Internet service providers to assist the government on issues related to national security.

US Government Cybersecurity Efforts

General Texts:

Critical Foundations: Protecting America’s Infrastructure : Seminal report from the 1997 President’s Commission on Critical Infrastructure Protection (PCCIP). 

The National Strategy to Secure Cyberspace : The guiding document for the US government’s cybersecurity efforts.  Outlines the threat and the government’s initiatives focusing on a public private partnership and information sharing.

Summary of Computer Security Laws, Executive Orders and Directives : A strong overview of the major cybersecurity players and initiatives within the federal government.

Efforts within the Department of Homeland Security :

US-CERT : The US Computer Emergency Response Team serves as the public face of the government’s cybersecurity efforts, based within the Dept. of Homeland Security (DHS).

National Cyber Security Division Announcement : The press release describing the creation of the National Cyber Security Division (NCSD) within DHS to combat cyber-threats.

Lieberman Criticizes DHS Cybersecurity Efforts :  An open letter from Senator Joseph Lieberman to DHS head Tom Ridge expressing concerns over the preparedness of US cybersecurity defenses.  This detailed document outlines both the argument for immediate action on the cybersecurity front and areas identified as needing improvement.

US Cybersecurity Chief Resigns : Article covering the resignation of Amit Yoran as the head of DHS cybersecurity efforts, citing frustrations concerning the importance of cybersecurity within DHS. 

Progress and Challenges in Securing the Nation’s Cyberspace : A July 2004 report by the Office of the Inspector General analyzing the progress DHS has made toward improving national cybersecurity.

Overview of DHS Cybersecurity R&D Activities : Presentation by Dr. Simon Szykman describing what research topics the DHS considers vital to mitigating cybersecurity threats.

DHS moves ahead with cybersecurity R&D efforts : Article outlining major DHS R&D initiatives within cybersecurity. 

Legislation & Other Congressional Action :

Important Computer Security Legislation : A concise list of legislation impacting the world of cybersecurity.

Cybersecurity Research & Development Act : A 2001 congressional bill providing funding for research and education in the area of cybersecurity. 

Health Insurance Portability and Accountability Act (HIPAA): Security Standards for Medical Data : Description of the significant cybersecurity requirements that HIPAA legislation places on hospitals, HMOs and others with access to private medical data.

Federal Information Security Management Act (FISMA) :  Text of the bill that outlines annual cybersecurity reporting requirements for federal agencies.

NIST: FISMA Recommended Security Controls :  Specific suggested implementation requirements for federal agencies in order to ensure FISMA compliance.

Draft of Corporate Information Security Accountability Act : Draft legislation from congressional cybersecurity advocate Rep. Adam Putnam (R-FL).  The bill never reached a vote.

Recommendations from the Corporate Information Security Working Group (CISWG) : Legislative recommendations from the CISWG, a diverse industry and government body created by Putnam.

Economics & Market Forces in Cybersecurity

Market Forces and Government Action in Security Cyberspace : Report from a conference at the Center for Strategic and International Studies analyzing whether market forces alone will provide for a secure Internet infrastructure or if government intervention is necessary.

Why Information Security is Hard – an Economic Perspective :  Ross Anderson’s well-known paper with a strong argument for the importance of considering economic incentives in addition to technical factors when analyzing Internet security. 

Can Market Forces Secure the Internet? : News article reporting the debate between former cybersecurity czar Richard Clarke and industry representatives as to the necessity of government intervention on cybersecurity.

Information Security Metrics

A Guide to Security Metrics :  Provides a good introduction by looking at the What, Why and How of security metrics.

NIST: Security Metrics Guide for Information Technology Systems : The government’s agency for technology standards provides a detailed document covering the major topics relating to Internet security metrics. 

Federal Information Technology Security Assessment Framework (FITSAF) : A report prepared by NIST for the “CIO Council” provides a framework for enterprises looking to implement security metrics.

Experience with FITSAF at the Internal Revenue Service : The experience of the IRS in using the FITSAF framework to improve its cybersecurity decision-making.

Liability & Cyberinsurance

Stepping on the Digital Scale: Duty and Liability for Negligent Internet Security : Security and legal expert Erin Kenneally provides a strong background in liability law and then analyzes how major cybersecurity stakeholders may be impacted by liability in the future. 

Liability Changes Everything : An Op-Ed by Bruce Schneier discussing the potential of liability as a mechanism to promote Internet security. 

Liability for Computer Glitches and Online Security Lapses : Detailed document providing in-depth examples of legal precedent regarding liability and how it applies to online security issues. 

Industrial & Operational Perspectives on Cybersecurity

Cybersecurity Strategy for the Federal Aviation Administration : A video of a talk given by FAA Deputy CIO Arthur Pyster describing the critical infrastructure used in FAA operations and the challenges they face in securing it.

Cyber Security Industry Alliance (CSIA) Testimony : Congressional testimony by the major lobbying group representing industry.  The transcript stresses the need for a private sector approach to improving cybersecurity without major government intervention. 

How to Spend a Dollar on Security :  A brief article proposing how a business should divide its cybersecurity budget among a variety of possible actions, ranging from awareness training, to risk management, to technological solutions. 

Companies Adapt to a Zero-day World : Discusses the implications of a “zero-day” exploit (one for which no patch is available) for businesses protecting online assets.

Information Warfare

CIA Warns of Chinese Plans for Cyber-Attacks on U.S. :  Article focusing on the potential for China to launch an Internet attack on the U.S. or its allies.

Bush Orders Guidelines for Cyber-Warfare : 2003 Washington Post article telling of a government directive to explore rules of engagement for a U.S. cyberattack.

Protecting Our Homeland : A report from the Defense Science Board Task Force on Defensive Information Operations.

Information Operations: The Hard Reality of Soft Power : This text is a handbook used to teach Information Operations. The entire text is a good reference, with Chapter 1 serving as a solid introduction to the topic.

North Korea has 600 Computer Hackers, South Korea Says : An AP article discussing claims concerning North Korea's efforts to build an arsenal for cyber-attacks. 

Technical Topics

Introductory

How Internet Infrastructure Works :  A description from “How Stuff Works” providing a high-level overview of the Internet architecture. 

How Does the Internet Work? :  An introductory yet in-depth description of how major components of the Internet infrastructure operate. 

Intermediate

Security in Cyberspace: Combating Distributed Denial of Service Attacks :  An in-depth analysis of the problem of distributed denial of service attacks taking into account not only technological but also legal, economic and social factors. 

A Network Based Simulation Approach to Cybersecurity Policy : Combined technical and economic analysis of cybersecurity mitigation strategies. 

Robustness and the Internet: Design and Evolution : Paper describing the creation and growth of the system now known as the Internet, with a focus on the relation between complexity and robustness.

Advanced

Internet Intrusions:  Global Characteristics and Prevalence :  Paper from the WAIL lab at Univ. of Wisconsin describing the nature of common attacks on the Internet today. 

CAIDA Security Attack Analysis :  A collection of detailed technical reports on various worms including Code Red, Slammer, and Witty.  Also includes a technical report on the denial of service attack on SCO. 

Miscellaneous Readings

These texts may be used for fostering discussion about cybersecurity.  Most are short and take an introductory look at cybersecurity problems.

Washington Post Timeline of Internet Attacks : Shows the evolution of computing and its relation to security issues, particularly focusing on viruses and worms. 

Independent Review of Carnivore System :  A technical look at the FBI’s Carnivore Internet surveillance system, now renamed to DCS1000.

How To Hack A Bank : An older article describing vulnerabilities and losses within the banking industry due to Internet attacks. Only the first 14 numbered sections are required reading.

What You Need to Know About Phishing : An overview of the phishing problem from Microsoft. Take note of how the article outlines the many different actors that come into play when attempting to fix this vulnerability.

Gambling Sites, This is a Holdup : Describes the current threat posed to online businesses by Denial-of-Service extortion threats.

License PC Users? It's a Thought : Article discussing the oft-mentioned proposal to require a license to use the Internet, in hopes of curbing security issues caused by unknowledgeable users.

New Hope for a Gov't Security Lock-down :  Takes a look at the role government can play in defining security standards and using its significant buying power to influence the security of commercial products.

contact: cybersecurity@stanford.edu