Cybersecurity requires technically literate analyses of policy, its impact, and alternative approaches. The Cybersecurity, Strategy, and Policy program works to inform policymaking that will improve the security of technology systems and their users, covering topics from improved cybersecurity metrics and policy design to building more defensible cloud computing services and software supply chains.

Featured Content

Cybersecurity, Strategy, and Policy

Article Dec 19, 2024

The eight body problem: Exploring the implications of Salt Typhoon

By Cyber Statecraft Team

The Cyber Statecraft community and friends offer their thoughts on the implications of the Salt Typhoon campaign based on what is known to date, what the campaign says about the last four years of cybersecurity policy, and where policymakers should focus in the months ahead.
Cybersecurity Internet
Cybersecurity, Strategy, and Policy

Report Jun 12, 2024

“Reasonable” cybersecurity in forty-seven cases: The Federal Trade Commission’s enforcement actions against unfair and deceptive cyber Practices

By Isabella Wright and Maia Hamin

The FTC has brought 47 cases against companies for unfair or deceptive cybersecurity practices. What can we learn from them?
Cybersecurity
Cybersecurity, Strategy, and Policy

Report Mar 29, 2021

Broken trust: Lessons from Sunburst

By Trey Herr, Will Loomis, Emma Schroeder, Stewart Scott, Simon Handler, and Tianjiu Zuo

The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace.
Cybersecurity Intelligence

Artificial Intelligence

Cybersecurity, Strategy, and Policy

Issue Brief Aug 19, 2024

AI in cyber and software security:  What’s driving opportunities and risks?

By Maia Hamin, Jennifer Lin, Trey Herr

This issue brief discusses the drivers of evolving risks and opportunities presented by generative artificial intelligence (GAI), particularly in cybersecurity, while acknowledging the broader implications for policymakers and for national security.
Artificial Intelligence Cybersecurity
Cybersecurity, Strategy, and Policy

Report Feb 15, 2024

Hacking with AI

By Maia Hamin, Stewart Scott

Can generative AI help hackers? By deconstructing the question into attack phases and actor profiles, this report analyzes the risks, the realities, and their implications for policy.
Artificial Intelligence Cybersecurity
Cybersecurity, Strategy, and Policy

The 5×5 Oct 27, 2023

The 5×5—The cybersecurity implications of artificial intelligence

By Maia Hamin, Simon Handler

A group of experts with diverse perspectives discusses the intersection of cybersecurity and artificial intelligence.
Artificial Intelligence Cybersecurity

Open Source Software

Cybersecurity, Strategy, and Policy

Issue Brief Apr 18, 2024

O$$ security: Does more money for open source software mean better security? A proof of concept

By Sara Ann Brackett, John Speed Meyers, Stewart Scott

A proof-of-concept study looking for correlation between open source software project funding and security practices at scale.
Cybersecurity
Cybersecurity, Strategy, and Policy

Report Feb 8, 2023

Avoiding the success trap: Toward policy for open-source software as infrastructure

By Stewart Scott, Sara Ann Brackett, Trey Herr, Maia Hamin with the Open Source Policy Network

Open-source software (OSS) sits at the center of almost every digital technology moving the world since the early 1980s—laptops, cellphones, widespread internet connectivity, cloud computing, social media, automation, all the rainbow flavors of e-commerce, and even secure communications and anti-censorship tools.
Cybersecurity
Cybersecurity, Strategy, and Policy

Issue Brief Oct 12, 2023

Driving software recalls: Manufacturing supply chain best practices for open source consumption

By Jeff Wayman, Brian Fox

Product recalls require practices that can help software vendors move toward better component selection and tracking and better relationships with customers, all while making software vendors responsible for OSS security instead of maintainers.
Cybersecurity

Publications

In-Depth Research & Reports

Mar 14, 2022

Targeting Ukraine through Washington: Russian election interference, Ukraine, and the 2024 US election 

By Gavin Wilde and Justin Sherman

US officials should recognize that Ukraine’s trajectory has always been a centerpiece of Russian interference in US elections. Doing so should guide US policymakers’ observations of what is happening now in Ukraine—and their preparations for what promises to be a climactic 2024 US election cycle.

Cybersecurity Disinformation

Issue Brief

Dec 6, 2021

Cybersecurity concerns for the energy sector in the maritime domain

By Andy Bochman, Ian Ralby

As a wide spectrum of energy companies continue to rely on the maritime domain or even increase that reliance, they must be mindful that traditional maritime threats—like piracy, theft, and weather events—are not the only threats they face today. Maritime cybersecurity concerns are among the most potentially disruptive to energy-sector interests, and yet are among the least understood and addressed.

Cybersecurity Energy Transitions

Article

Nov 30, 2021

Improving Cybersecurity Outcomes in the Telecommunications Sector

By Tasha Jhangiani and Frances Schroeder

From Internet service providers (ISPs) to cable companies, the telecommunications industry facilitates rapid and widespread communication across the globe. With recent increases in cyber attacks, telecommunications firms have been affected by cyber threats more than ever before. Due to the significant amount of private information that is shared and stored through the critical networks they […]

Cybersecurity Technology & Innovation

Article

Nov 19, 2021

A Lunar Guide to Ransomware: Choose-your-own-adventure

By Emma Schroeder, Logan Wolff, and the Cyber Statecraft Initiative

Check out the Cyber Statecraft Initiative’s ransomware choose-your-own-adventure story!

Feature

Nov 19, 2021

Software Supply Chains: Turns Out All You Need to Trust is Caffeine and Cats

By Emma Schroeder and the Cyber Statecraft Initiative

In the first episode of The Cyber Moonshot, we invite you to join us a few hundred years from now, in a quaint little food court on the surface of the moon. As we explore the lives and foibles of the lunar inhabitants, we will also explore the complexities and absurdities of cybersecurity. From software supply chains to smart homes to phishing, we will pull common cyber headaches and lessons away from the abstract or technical and firmly into a world where cats can sense trust and the cloud has a sentience of their own.

Report

Nov 15, 2021

Data rules for machine learning: How Europe can unlock the potential while mitigating the risks

By Blanka Soulava, Hamish Cameron and Victoria Ying

Artificial intelligence (AI) will increasingly shape societies and the global economy. Machine learning—which is responsible for the vast majority of AI advancements—is enhancing the way businesses and governments make decisions, develop products, and deliver services. How will the European Union unlock the potential of AI, while mitigating the risks?

Cybersecurity Digital Policy

In-Depth Research & Reports

Oct 4, 2021

Raising the colors: Signaling for cooperation on maritime cybersecurity

By William Loomis, Virpratap Vikram Singh, Dr. Gary C. Kessler, Dr. Xavier Bellekens

Few industries are as critical to the global economy as the maritime transportation system (MTS). However, the efficient operation of the MTS is at risk, as the industry is increasingly vulnerable to cyber threats. The MTS must work to raise its baseline for cybersecurity and better protect its actors from systemic cyber threats going forward.

Cybersecurity Maritime Security

Report

Jun 28, 2021

Collective cybersecurity for the Three Seas

By Safa Shahwan Edwards, Simon Handler, Trey Herr, Adam Marczyński, and Jakub Teska

In Central and Eastern Europe’s Three Seas region, twelve countries have joined together to invest in critical infrastructure projects and increase interconnectivity on energy, infrastructure, and digitization efforts along the way. To strengthen the resilience of these technical investments and better bind together the defensive cybersecurity operations of these societies, Three Seas member states should establish a regional hub for cybersecurity together with key private sector partners.

Central Europe Cybersecurity

New Atlanticist

May 11, 2021

How operational collaboration can improve US cyber capability and response

By Gregory Rattray

Dealing with cyber challenges to US national security will take operational collaboration that unites all levels of the government and the private sector. These efforts can maximize the strategic impact of public- and private-sector capabilities, speed up defenders’ response times, and provide organizations with advanced warning of potential attacks and complex threats to resilience.

Cybersecurity Technology & Innovation

Report

May 10, 2021

Mission resilience: Adapting defense aerospace to evolving cybersecurity challenges

By Simon Handler, Trey Herr, Steve Luczynski, and Reed Porada

While aerospace presents inherently distinct challenges from other spaces, defense organizations could look to the private sector and adapt commercial practices to implement the principles of resilience.

Cybersecurity Defense Industry
Load More

Events

Public Event Thu, April 6, 2023 • 10:15 am ET

Rebalancing responsibility: Implementing the National Cybersecurity Strategy
Cybersecurity National Security Technology & Innovation United States and Canada
Online Event Fri, April 1, 2022 • 10:30 am ET

Protecting the global marine transportation system against cyber threats

The global maritime transport system is the backbone of international trade and a pillar of US power projection. It is also increasingly under cyber attack, and securing the system will require significant policy and industry engagement.

Cybersecurity Maritime Security Trade and tariffs
Online Event Mon, August 2, 2021 • 2:30 pm ET

Building the picture bit-by-bit: Why the US needs a Bureau of Cyber Statistics
Cybersecurity

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more