Cybersecurity requires technically literate analyses of policy, its impact, and alternative approaches. The Cybersecurity, Strategy, and Policy program works to inform policymaking that will improve the security of technology systems and their users, covering topics from improved cybersecurity metrics and policy design to building more defensible cloud computing services and software supply chains.

Publications

Report

Jul 10, 2023

Critical infrastructure and the cloud: Policy for emerging risk

By Tianjiu Zuo, Justin Sherman, Maia Hamin, and Stewart Scott

Critical infrastructure increasingly depends upon cloud computing. Policy must adapt its approach to risk management accordingly.

Cybersecurity Resilience

Issue Brief

Jun 14, 2023

Who’s afraid of the SEC

By Maia Hamin

The SEC wants to require fast, public disclosure of cybersecurity incidents. These rules could benefit investors—and the cyber ecosystem.

Cybersecurity Internet

Issue Brief

Apr 19, 2023

Critical infrastructure cybersecurity prioritization: A cross-sector methodology for ranking operational technology cyber scenarios and critical entities

By Danielle Jablanski

As critical infrastructure becomes increasingly targeted by malicious adversaries, how can we effectively prioritize criticality?

Cybersecurity

Article

Mar 22, 2023

Modernizing critical infrastructure protection policy: Seven perspectives on rewriting PPD21

By Will Loomis

In February of 2013, then-President Obama signed a landmark executive order – Presidential Policy Directive 21 (PPD 21) – that defined how US Departments and Agencies would provide a unity of government effort to strengthen and maintain US critical infrastructure. Almost a decade later, evolutions in both the threat landscape and the interagency community invite the US government to revise this critical policy.

Cybersecurity Infrastructure Protection

Feature

Mar 16, 2023

Building a shared lexicon for the National Cybersecurity Strategy

By the Cyber Statecraft Initiative

The 2023 National Cybersecurity Strategy, released on March 3, represents the ambitions of the Biden Administration to chart a course within and through the cyber domain, staking out a critical set of questions and themes. These ambitions are reflected within the strategy’s pillars and titled sections, but also key words and phrases scattered throughout the […]

Cybersecurity National Security

Tech at the Leading Edge

Mar 3, 2023

How will the US counter cyber threats? Our experts mark up the National Cybersecurity Strategy

By Maia Hamin, Trey Herr, Will Loomis, Emma Schroeder, and Stewart Scott

On March 2, the White House released the 2023 US National Cybersecurity Strategy. Read along with CSI staff, fellows, and experts for commentary on the document and its relationship with larger cybersecurity policy issues.

Cybersecurity Technology & Innovation

Report

Feb 8, 2023

Avoiding the success trap: Toward policy for open-source software as infrastructure

By Stewart Scott, Sara Ann Brackett, Trey Herr, Maia Hamin with the Open Source Policy Network

Open-source software (OSS) sits at the center of almost every digital technology moving the world since the early 1980s—laptops, cellphones, widespread internet connectivity, cloud computing, social media, automation, all the rainbow flavors of e-commerce, and even secure communications and anti-censorship tools.

Cybersecurity

Issue Brief

Dec 12, 2022

Wargaming to find a safe port in a cyber storm

By Daniel Grobarcik, William Loomis, Michael Poznansky, Frank Smith

With the Maritime Transportation System increasingly reliant on cyberspace, how can cybersecurity be improved within key nodes of this critical infrastructure, particularly cargo ports?

Cybersecurity Maritime Security

Issue Brief

Nov 22, 2022

The cases for using the SBOMs we build

By Amelie Koran, Wendy Nather, Stewart Scott, and Sara Ann Brackett

Software bills of materials (SBOMs) provide key data suited to many uses. Industry and government can continue to sharpen their demand signals, shape implementation, and continue driving development and adoption.

Cybersecurity Technology & Innovation

Report

Sep 26, 2022

Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem

By Patrick Mitchell, Liv Rowley, and Justin Sherman with Nima Agah, Gabrielle Young, and Tianjiu Zuo

The explosion of Internet of Things (IoT) devices and services worldwide has amplified a range of cybersecurity risks to individuals’ data, company networks, critical infrastructure, and the internet ecosystem writ large. In light of this systemic risk, this report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy.

Cybersecurity Internet of Things

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.