pdfRead the Publication (PDF)

With our modern-day reliance on digital technology, software and system vulnerabilities have become increasingly hard to avoid. Thoroughly eliminating all these vulnerabilities can be a challenge, but through a coordinated vulnerability disclosure (CVD) program, governments and private companies can mitigate them with the help of independent security researchers. When instituted and followed, a CVD program allows companies to manage the process of disclosure and handling of vulnerabilities in a controlled fashion by working with security researchers to coordinate a set of common terms and a timeline.
pdfRead the Publication (PDF)

Of all the political ideas to defend themselves before the court of human history, few have proven as potent and as compelling as that of electoral democracy. Yet in recent years, electoral democracy has once more come under challenge, facing off against popular discontent, revisionist governments, and—most significantly—the rise of new media and digital technologies. These technologies have at times demonstrated exhilarating promise, but they have also created new vulnerabilities that malicious actors have proven able and willing to exploit. This Issue Brief aims to provide a taxonomy of different forms and levels of state involvement in election interference, giving states a common lexicon to respond to cyber threats. It is not enough to simply speak of “hacking the vote”—and hopefully, by providing these initial terms, this report will spur a wider discussion on defining actions and sponsorship in this domain.
pdfRead the Publication (PDF)

As the energy sector has become more globalized and increasingly complex in its reliance on software components, the supply-chain risk has evolved and expanded. One such risk that stands out is unintended taint, namely flaws in software components unintentionally built into products in design or implementation. Unintended taint may lead to unintended supply-chain subversion, and represents a significant and credible threat to the uninterrupted functionality of critical infrastructure within the energy sector. In this issue brief, we outline a taxonomy for understanding certain energy sector risks and provide concrete recommendations for policy makers and the private sector.
pdfRead the Publication (PDF)

In cybersecurity, it is time to go beyond sharing and ad hoc cooperation, to collaboration at scale across borders, stakeholders, and sectors. This effort should begin with a determined study of the responses to past incidents and how to improve them, then proceed to new, action-oriented Cyber Incident Collaboration Organizations (CICO) to streamline response. The goal of a CICO must be to streamline the current response process for an incident type, to provide an umbrella to make such work easier or to upscale it. In this issue brief, Jason Healey presents the next generation of innovations that will simplify agile, scalable response to incidents—across borders, stakeholders, and sectors.
pdfRead the Publication (PDF)

The aviation industry is faced with a complex and critical challenge to carefully balance costs with evolving business imperatives, customer demands, and safety standards. The increasing use of new technologies in the movement towards automation has yielded efficiencies and enhanced the customer experience. Yet, it has also inadvertently created vulnerabilities for exploitation. As a central component of commerce, trade, and transportation infrastructure, the aviation industry is indispensable to the global economy. The consequences of failure would carry direct public safety and national security implications.

pdfRead the Publication
In 2016, a series of highly impactful and publicized disruptions provided a wake-up call to societies on both sides of the Atlantic making obvious their dependence on inherently unpredictable technology. Just before the year began, a targeted attack disrupted the Ukrainian energy grid, forcing its operators to fall back on decades-old manual processes, and a similar attack followed late in the year. The Hollywood Presbyterian Hospital in Los Angeles was forced to shut down for weeks as a critical patient-care system was unintentionally disrupted by ransomware—a common plague that impacted many other parts of societal infrastructure through the year, including San Francisco’s Bay Area Rapid Transit (BART), US electricity providers, and hospitals in the United States and across Europe. At the same time, a botnet of poorly secured devices disrupted large portions of the US Internet and knocked more than one million German households offline. And while the Russian breach of the Democratic National Committee (DNC) and the associated influence campaign continue to shock many in the United States and beyond, the specter of hackable voting computers also cast doubt on the US electoral system in the lead-up to and aftermath of the presidential election.

pdfRead the Publication (PDF)
Last year, the Barack Obama administration issued PPD-41, “Cyber Incident Protection,” setting forth cyber security incident roles and missions for federal agencies but with no explicit reference to the Department of Defense (DoD). By contrast, the DoD Cyber Strategy provides that DoD will be prepared to “defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.” Certainly, in a conflict where an adversary will utilize cyber as part of an overall military attack, the DoD will necessarily play a major operational role. This paper discusses what that role should entail.

pdfRead the Publication (PDF)

The Internet of Things (IoT) is the next step in the evolution of wireless networks. Analysts predict the IoT will double in size to nearly 50 billion devices by 2020, comprising a $1.7 trillion market. One of the greatest opportunities still lies ahead in the form of the “smart home.”


Read the Report Online

pdfRead the Report (PDF)
pdfRead the FAQ's (PDF)

In 2030, will the Internet and related information and communications technologies (ICTs) continue to drive global innovation and prosperity? Or will that bright promise be swamped by an unstable and insecure Internet, so overwhelmed by non-stop attacks that it has become an increasing drag on economic growth? The answers, as far as we can predict, are not promising and mean the difference in tens of trillions of dollars in global economic growth over the next fifteen years.
The Internet of Things of digital, networked technology is quickly moving to the forefront of society, the global economy, and the human experience.

Individuals wear networked devices to learn more about themselves, their diet, their exercise regimen, and their vital signs. Doctors can adjust and optimize implanted medical devices, such as pacemakers, quickly and accurately—and often with no need for intrusive medical procedures. The rewards of networked healthcare come with overlapping areas of concern that have to address to fully unlock the potential of these technologies.