Cybersecurity requires technically literate analyses of policy, its impact, and alternative approaches. The Cybersecurity, Strategy, and Policy program works to inform policymaking that will improve the security of technology systems and their users, covering topics from improved cybersecurity metrics and policy design to building more defensible cloud computing services and software supply chains.

Publications

Feature

Jul 26, 2020

App stores in focus

By Trey Herr, June Lee, Will Loomis, and Stewart Scott

App stores and hubs are a popular target for software supply chain attacks on large numbers of users, exploiting trust in proprietary app ecosystems and the security of storefronts like Play Store and App Store.

Cybersecurity Technology & Innovation

Feature

Jul 26, 2020

Deep impact: States and software supply chain attacks

By Trey Herr, June Lee, Will Loomis, and Stewart Scott

States have used software supply chain attacks to great effect. Hijacked updates have routinely delivered the most crippling state-backed attacks, thanks in part to a continued failure to secure the code-signing process.

China Cybersecurity

Report

Jun 15, 2020

The reverse cascade: Enforcing security on the global IoT supply chain

By Nathaniel Kim, Trey Herr, and Bruce Schneier

The Internet of Things (IoT) refers to the increasing convergence of the physical and digital worlds and it affects us all. Hundreds of “things” are being connected to the Internet and each other, with more than fifty billion devices expected to be connected by 2030. Many IoT devices are manufactured abroad at low cost with little consideration for security. How can we secure these devices, especially those manufactured outside the United States?

Cybersecurity Internet of Things

New Atlanticist

May 19, 2020

Seven perspectives on securing the global IoT supply chain

By Trey Herr

Many IoT devices are manufactured abroad, and many of these are extremely low cost with little consideration made for security. There is nothing inherently untrustworthy or insecure about foreign manufacturing, and individual firms and product lines are much more fruitful levels of analysis for distinguishing good security practices from bad. Importantly, however, the United States has limited means to enforce its standards in foreign jurisdictions, like China, where the bulk of IoT products are manufactured.

Cybersecurity Internet

New Atlanticist

Jan 27, 2020

Warring for the soul of the internet: Ten years on

By Trey Herr, Justin Sherman

The new reality is one where democracies must play a more assertive role to protect an open, free, fair, and secure internet, utilizing a strategy that recognizes the changes the internet has undergone, the pernicious influence of authoritarian states, and the role companies have in both protecting and fragmenting it. The internet can’t be brought back in time but there is hope, perhaps, that its original core values can be preserved in a new form through determined effort by its users, some companies, and the democratic states where the open web was born.

Cybersecurity Internet

New Atlanticist

Nov 16, 2018

Securing the consumer internet of things

By Beau Woods and Jack Watson

Unfortunately, the norm for IoT devices is lax security: simple, hardcoded (unchangeable) passwords and operating systems that can’t be patched or updated with security protection. Thus, on October 14, 2018, the United Kingdom’s Department for Digital, Culture, Media, and Sport (DCMS) published its “Code of Practice for Consumer IoT Security.”

Cybersecurity Security & Defense

Issue Brief

Sep 11, 2018

Defining Russian election interference: An analysis of select 2014 to 2018 cyber enabled incidents

By Laura Galante & Shaun Ee

Of all the political ideas to defend themselves before the court of human history, few have proven as potent and as compelling as that of electoral democracy. Yet in recent years, electoral democracy has once more come under challenge, facing off against popular discontent, revisionist governments, and—most significantly—the rise of new media and digital technologies. […]

Cybersecurity Elections

Issue Brief

May 30, 2018

Supply chain in the software era

By Beau Woods and Andy Bochman

As the energy sector has become more globalized and increasingly complex in its reliance on software components, the supply-chain risk has evolved and expanded. One such risk that stands out is unintended taint, namely flaws in software components unintentionally built into products in design or implementation.

Cybersecurity English

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.