Cybersecurity requires technically literate analysis of policymaking, its impact, and alternative approaches. The Cybersecurity Policy and Strategy program works to inform policy that will improve the security of technology systems and their users, covering topics from improved cybersecurity measurement and policy design to building more defensible cloud computing services and crafting more resilient software supply chains.

Publications

Cybersecurity Policy and Strategy

Dec 19, 2024

The eight body problem: Exploring the implications of Salt Typhoon

By Cyber Statecraft Team

The Cyber Statecraft community and friends offer their thoughts on the implications of the Salt Typhoon campaign based on what is known to date, what the campaign says about the last four years of cybersecurity policy, and where policymakers should focus in the months ahead.

Cybersecurity Internet

Cybersecurity Policy and Strategy

Nov 13, 2024

The role of data in improving cyber insurance pricing

By Alphaeus Hanson

In order to improve cybersecurity through cyber insurance, the private sector should aggregate cyber incident data to inform risk models and, in turn, more accurately price cyber premiums.

Resilience

The 5×5

Oct 23, 2024

The 5×5—The evolving role of CISOs and senior cybersecurity executives

By Nitansha Bansal

For this Cybersecurity Awareness Month, senior cybersecurity executives share their insights into the evolution of their roles.

Cybersecurity

Issue Brief

Aug 19, 2024

AI in cyber and software security: What’s driving opportunities and risks?

By Maia Hamin, Jennifer Lin, Trey Herr

This issue brief discusses the drivers of evolving risks and opportunities presented by generative artificial intelligence (GAI), particularly in cybersecurity, while acknowledging the broader implications for policymakers and for national security.

Artificial Intelligence Cybersecurity

Issue Brief

Jul 24, 2024

OT cyber policy: The Titanic or the iceberg

By Danielle Jablanski

Current policy does not address the issue of cyber-physical security with a systemic approach, instead focusing with tunnel vision on specific events. This analysis uses the iceberg model for systems thinking to address policy gaps in the OT ecosystem, detailing recommendations for the Cybersecurity and Infrastructure Security Agency (CISA).

Cybersecurity

Report

Jun 12, 2024

“Reasonable” cybersecurity in forty-seven cases: The Federal Trade Commission’s enforcement actions against unfair and deceptive cyber practices

By Isabella Wright and Maia Hamin

The FTC has brought 47 cases against companies for unfair or deceptive cybersecurity practices. What can we learn from them?

Cybersecurity

The 5×5

May 1, 2024

The 5×5—The XZ backdoor: Trust and open source software

By Nitansha Bansal, Stewart Scott

Open source software security experts share their insights into the XZ backdoor, and what it means for open source software security.

Cybersecurity

Issue Brief

Apr 18, 2024

O$$ security: Does more money for open source software mean better security? A proof of concept

By Sara Ann Brackett, John Speed Meyers, Stewart Scott

A proof-of-concept study looking for correlation between open source software project funding and security practices at scale.

Cybersecurity

Cybersecurity Policy and Strategy

Feb 15, 2024

Hacking with AI

By Maia Hamin, Stewart Scott

Can generative AI help hackers? By deconstructing the question into attack phases and actor profiles, this report analyzes the risks, the realities, and their implications for policy.

Artificial Intelligence Cybersecurity

Cybersecurity Policy and Strategy

Feb 8, 2024

Future-proofing the Cyber Safety Review Board

By Maia Hamin, Trey Herr, Stewart Scott, Alphaeus Hanson

The Cyber Safety Review Board seeks to examine and learn from complex failures in cyberspace. As Congress considers how to design its next iteration, there are ways to make it more effective and adaptable for the increasing challenges to come.

Cybersecurity

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.