A tweet can reveal your location, an Apple Watch monitors your health, a grocery chain loyalty card allows the supermarket to track your purchases. All of this constitutes what Michael Chertoff describes as “digital exhaust”—data that we constantly and unconsciously emit. The challenge this poses is how to protect that data in an increasingly interconnected world.

Even as governments grapple with this challenge, “we also should consider the next generation of technology that is going to support the Internet—and that is 5G,” said Chertoff, who served as secretary of the US Department of Homeland Security from 2005 to 2009.

In the year since the US Cyber Command was elevated to a unified combatant command there has been an “increase in clarity” on the US cyber strategy, specifically on the Department of Defense’s role, and an “alignment in the law,” US Air Force Brig. Gen. Timothy D. Haugh, commander, Cyber National Mission Force at US Cyber Command, said in Washington on April 23.

“What we are focused on in terms of military activities in cyberspace is…not about what the Department of Defense’s role is, it’s how can we enable our international partners, our domestic partners, and industry to be able to defend those things that are critical to our nation’s success,” said Haugh.

One of the United States’ top cybersecurity officials noted the progress the US government has made in engaging potential domestic and international targets of cyberattacks, but argued that “information sharing is the minimum bar” the federal government should clear. According to Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, “we have to get beyond information sharing… to operationalizing information security.”

Krebs, who spoke at the eighth annual International Conference on Cyber Engagement (ICCE) in Washington, DC, on April 23, argued that more action is needed to defend US businesses and critical infrastructures as hostile nation states are ramping up their attacks on US entities.

US and international cybersecurity officials called for greater international cooperation to combat Internet crime and malign cyber activity during the 8th annual International Conference on Cyber Engagement (ICCE) in Washington, DC, on April 23.

David Koh, who serves as commissioner of cybersecurity, chief executive of the Cyber Security Agency, and defense cyber chief in Singapore’s Ministry of Defense, called for likeminded nations to establish “a rules-based cyberspace based on applicable international law and the adoption of voluntary operational norms.” Koh argued that other global common spaces, such as maritime and aviation, are governed by complex international rule systems, and “cyberspace should not be any different from the physical domains.”

We have put almost everything out there in cyberspace—personal data, intellectual property, even access to the controls of critical infrastructure. And we have been woefully deficient in defending it. With each passing day, our nation faces an onslaught of cyber threats from various adversaries, including nation states.

The good news is that the White House and the Department of Defense (DoD) both have released closely aligned cyber strategies that stress the importance of tackling these threats head-on through partnerships with our allies, the private sector, and between agencies, to “defend forward, shape the day-to-day competition, and prepare for war.”

The Cyber 9/12 Strategy Challenge—the brainchild of the Atlantic Council’s Cyber Statecraft Initiative—got underway in London on February 11. The two-day event is a unique and innovative cyber crisis and policy response simulation. The UK edition is part of a wider Atlantic Council effort to foster the next generation of multidisciplinary cyber professionals.

“The UK government’s National Cyber Security Strategy is clear that more must be done for the UK to meet the future national demand. Much like the NCSC’s CyberFirst courses, Cyber 9/12 is an effective way to nurture the next generation of cyber security experts,” said Paul Chichester, director for operations at the National Cyber Security Centre in London.

Polish Prime Minister Mateusz Morawiecki on January 16 called for a collective Western response to cyber threats while urging allies to increase spending on cybersecurity.

“I call on you today and encourage your leaders and governments to spend more money on cyber warfare, as we do, on cyber soldiers to protect our Internet frontier,” Morawiecki said on the opening day of a two-day conference jointly hosted by PKO Bank Polski and the Atlantic Council in Warsaw, Poland.

“Our enemies will not wait,” Morawiecki said, adding, “They are arming up as we speak. Only a collective response will keep he threat at bay, and only a decisive one.”

The conference, “A New Initiative for Poland: A Future Global Leader in Securing the 4th Industrial Revolution,” seeks to deepen US-Polish ties by developing cybersecurity as a key pillar in the relationship.

British ‘Code of Practice for Consumer IoT Security’ draws on Atlantic Council report

Consumer Internet of Things (IoT) products are notoriously insecure. In October 2016, the Mirai botnet amassed a massive botnet army of IoT-connected devices, eventually used in a distributed denial of service (DDoS) attack that overwhelmed the capabilities of some of the largest Internet providers in the world and took down the Internet across the US East Coast. Mirai’s authors began building their tool as teenagers, amassing an IoT zombie horde using techniques known (and easily preventable) for decades. Unfortunately, the norm for IoT devices is lax security—simple, hardcoded (unchangeable) passwords, and operating systems that can’t be patched or updated with security protection.
French President Emmanuel Macron on November 12 launched the “Paris Call for Trust and Security in Cyberspace”—the first state-supported initiative that brings together a set of principles that both the public and the non-governmental sector can implement and endorse to increase trust and stability in cyberspace.

Macron introduced the Paris Call at the Internet Governance Forum in Paris. The event was part of Paris Digital Week, which has brought together thinkers, innovators, decision-makers and investors for a discussion on current and future digital issues from November 11 to November 14.

In his speech, Macron called on all actors to work together toward building trust and security in cyberspace. Many states, as well as private companies and civil society organizations, have already thrown their support behind the declaration on developing common principles for securing cyberspace. The Atlantic Council’s Cyber Statecraft Initiative is proud to be one of the early supporters of the Call.
Critical infrastructure—from the electric grid to public transportation—is under assault as cyber attackers gain a foothold in the United States.

When the US Department of Homeland Security (DHS) released its cybersecurity strategy in May, it laid out seven goals to help the government better defend the United States and its infrastructure against the constant onslaught of sophisticated cyber threats.