pdfRead the Publication (PDF)

As the energy sector has become more globalized and increasingly complex in its reliance on software components, the supply-chain risk has evolved and expanded. One such risk that stands out is unintended taint, namely flaws in software components unintentionally built into products in design or implementation. Unintended taint may lead to unintended supply-chain subversion, and represents a significant and credible threat to the uninterrupted functionality of critical infrastructure within the energy sector. In this issue brief, we outline a taxonomy for understanding certain energy sector risks and provide concrete recommendations for policy makers and the private sector.
pdfRead the Publication (PDF)

In cybersecurity, it is time to go beyond sharing and ad hoc cooperation, to collaboration at scale across borders, stakeholders, and sectors. This effort should begin with a determined study of the responses to past incidents and how to improve them, then proceed to new, action-oriented Cyber Incident Collaboration Organizations (CICO) to streamline response. The goal of a CICO must be to streamline the current response process for an incident type, to provide an umbrella to make such work easier or to upscale it. In this issue brief, Jason Healey presents the next generation of innovations that will simplify agile, scalable response to incidents—across borders, stakeholders, and sectors.
pdfRead the Publication (PDF)

The aviation industry is faced with a complex and critical challenge to carefully balance costs with evolving business imperatives, customer demands, and safety standards. The increasing use of new technologies in the movement towards automation has yielded efficiencies and enhanced the customer experience. Yet, it has also inadvertently created vulnerabilities for exploitation. As a central component of commerce, trade, and transportation infrastructure, the aviation industry is indispensable to the global economy. The consequences of failure would carry direct public safety and national security implications.

pdfRead the Publication
In 2016, a series of highly impactful and publicized disruptions provided a wake-up call to societies on both sides of the Atlantic making obvious their dependence on inherently unpredictable technology. Just before the year began, a targeted attack disrupted the Ukrainian energy grid, forcing its operators to fall back on decades-old manual processes, and a similar attack followed late in the year. The Hollywood Presbyterian Hospital in Los Angeles was forced to shut down for weeks as a critical patient-care system was unintentionally disrupted by ransomware—a common plague that impacted many other parts of societal infrastructure through the year, including San Francisco’s Bay Area Rapid Transit (BART), US electricity providers, and hospitals in the United States and across Europe. At the same time, a botnet of poorly secured devices disrupted large portions of the US Internet and knocked more than one million German households offline. And while the Russian breach of the Democratic National Committee (DNC) and the associated influence campaign continue to shock many in the United States and beyond, the specter of hackable voting computers also cast doubt on the US electoral system in the lead-up to and aftermath of the presidential election.

pdfRead the Publication (PDF)
Last year, the Barack Obama administration issued PPD-41, “Cyber Incident Protection,” setting forth cyber security incident roles and missions for federal agencies but with no explicit reference to the Department of Defense (DoD). By contrast, the DoD Cyber Strategy provides that DoD will be prepared to “defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.” Certainly, in a conflict where an adversary will utilize cyber as part of an overall military attack, the DoD will necessarily play a major operational role. This paper discusses what that role should entail.

pdfRead the Publication (PDF)

The Internet of Things (IoT) is the next step in the evolution of wireless networks. Analysts predict the IoT will double in size to nearly 50 billion devices by 2020, comprising a $1.7 trillion market. One of the greatest opportunities still lies ahead in the form of the “smart home.”


Read the Report Online

pdfRead the Report (PDF)
pdfRead the FAQ's (PDF)

In 2030, will the Internet and related information and communications technologies (ICTs) continue to drive global innovation and prosperity? Or will that bright promise be swamped by an unstable and insecure Internet, so overwhelmed by non-stop attacks that it has become an increasing drag on economic growth? The answers, as far as we can predict, are not promising and mean the difference in tens of trillions of dollars in global economic growth over the next fifteen years.
The Internet of Things of digital, networked technology is quickly moving to the forefront of society, the global economy, and the human experience.

Individuals wear networked devices to learn more about themselves, their diet, their exercise regimen, and their vital signs. Doctors can adjust and optimize implanted medical devices, such as pacemakers, quickly and accurately—and often with no need for intrusive medical procedures. The rewards of networked healthcare come with overlapping areas of concern that have to address to fully unlock the potential of these technologies.
The Internet makes everyone neighbors in cyberspace, connected by a digital infrastructure that serves as the bedrock of their communities. But despite pockets of excellence, the neighborhood-watch system is broken. Not all kinds of sharing are equal, as many organizations involved in cyber defense are net consumers—not suppliers—of shareable cybersecurity information.
pdfRead the Report (PDF)
Confidence-building measures (CBMs) are an instrument of interstate relations aimed to strengthen international peace and security by reducing and eliminating the causes of mistrust, fear, misunderstanding, and miscalculations that states have about the military activities of other states.

The anonymous and complex nature of the Internet and the potency, low cost, and deniability of cyber operations make them potentially counterproductive to building trust. CBMs, as confidence and trust-building concepts, are particularly suitable for cyberspace. However, the application of these measures have yet to be extensively applied in cyberspace. Because cyberspace is predominantly dominated not by the actions of states but nonstate actors, CBMs for cyberspace must thus be inclusive of all stakeholders active in cyberspace. They must reduce risk and support trust by either building on preexisting concepts and mechanisms from other domains of international relations or by creating unique bottom-up approaches.

Confidence-Building Measures in Cyberspace: A Multistakeholder Approach for Stability and Security, a new Cyber Statecraft Initiative report from the Atlantic Council's Brent Scowcroft Center on International Security, analyzes different ways to involve private-sector actors and build confidence without extensive legal or political action by states. Authors Jason Healey, John C. Mallery, Klara Tothova Jordan, and Nathaniel V. Youd recommend four types of CBMs--collaboration, crisis management, restraint, and engagement measures--which can be established to mitigate potentially escalatory effects of activities in cyberspace. The measures proposed in this report suggest a multistakeholder-centric approach to leverage all possible stakeholders to improve overall Internet resilience and decrease the chances of miscalculation, mistrust, and misunderstanding.