Internet-borne disruptions in 2016 were a wakeup call to society’s dependence on undependable technology. For societal infrastructure, such as transportation, energy, healthcare, and the Internet of Things (IoT) the consequences of cybersecurity failure impact human life, public safety, national security, and economic prosperity. At the same time, capability to disrupt these technological dependencies is increasingly available to high-intent, low-capability adversaries who wish to do harm. In response, the Atlantic Council became a force to catalyze societal resilience through policies for more trustworthy technology dependencies.
In December 2015, a targeted attack disrupted the Ukrainian energy grid until they could fall back on decades-old manual processes. In January, 2016 Hollywood Presbyterian Hospital shut down for weeks as Ransomware (financially-motivated cybercriminal software) accidentally disrupted a critical patient care system. Since then, this common plague has impacted many other parts of societal infrastructure, including transportation (Bay Area Rapid Transit and German S-Bahn), energy (electric providers and oil & gas), and healthcare (most prominently, twenty per cent of the UK National Health Trusts)around the world. A pseudonymous individual commandeered poorly secured IoT devices to disrupt large portions of the US Internet, then published the tools online for anyone to use. The specter of hackable voting machines threw the U.S. electoral system into chaos, disrupting the normal course of the Presidential election. Meanwhile, political parties and figures were targeted by an information campaign after communications and documents were stolen through low-skill hacking techniques.
In the face of these societal disruptions, the Cyber Statecraft Initiative brought a new resources and focus. The Council invested in a new team, Director Joshua Corman and Deputy Director Beau Woods, who brought new connections and credibility from the grassroots initiative “I Am The Cavalry.” The focus on cybersecurity impacts on public safety, national security, and economic prosperity allowed bold, swift action on a topic where urgency is merited.
A “Cyber 9/11” or “Digital Pearl Harbor” are common phrases with little exploration of what they actually mean or what we might do afterwards. The Cyber 9/12 Project explores how we should respond the day after a major cyber calamity. The headline Cyber 9/12 Project, part conference and part exercise, is an innovative event which presses leaders in government and private industry to explore day-after responses to a major cyber attack. A parallel event, the Cyber 9/12 Student Challenge, is a student competition devoted to challenging students to create and present high-level policy recommendations for day-after responses to a major cyber attack to a panel of judges drawn from the upper echelons of the White House, Department of Defense, Department of State and leading cyber security firms.
Hacking Cyber Literacy: A Knowledge Project: The Cyber Statecraft Initiative will focus on bridging the divide between cybersecurity and policy, specifically between Washington, DC and Silicon Valley, through shared knowledge and the translation of core principles in the cybersecurity field, resulting in a common vocabulary and understanding of the most important cybersecurity and policy issues. To do this, the Cyber Statecraft Initiative will develop technically literate resources to inform policy decision-makers. We intend to generate educational products using illustrations, videos, polling, storytelling, metaphors, psychological marketing, and other techniques. As a result, our products will promote technically literate policy decisions. This process will generate content that can be used and reused in future work and that can catalyze new networks of trusted experts from a diversity of backgrounds and experience.
An economic analysis of cyber supply chain security. An important issue needing attention is understanding the difference between existing liability regimes for public safety and those for software—as it relates to the Internet of Things, they come into conflict. Where accountability for cybersecurity is undefined, manufacturers, business customers, and consumers are all taking on indeterminate risk. This situation is likely to change when a high-profile, high-consequence Internet of Things hack hits media headlines. An abrupt change is likely to be a jarring, disruptive event to markets, prosperity, and trust, unless a thoughtful analysis has been conducted that conveys the benefits of alternative courses of action across the ecosystem. No one has yet tackled the economic, legal, and market tradeoffs of different accountability roles, and how to optimize for that thoughtful transition, with representative experts from these diverse fields.
Entering 2014, and still relatively at the dawn of the Information Age, we face a dilemma with regards to cyberspace and the stakes could not be higher: ensuring the Internet and cyberspace remain at least as free, and as awesome, for future generations as they have been for ours. The Cyber Statecraft Initiative has accordingly made “Saving Cyberspace” the mission to guide its work with many novel concepts and projects to help bring this vision to a practical reality in Washington DC and other national capitals and technology centers.
The Atlantic Council, in partnership with Zurich Insurance, is managing a year-long effort to understand the global aggregation of cyber risks which could cause systemic shocks and ways, such as insurance and resilience, to mitigate them. Currently, cybersecurity professionals are looking at cyber vulnerabilities one organization or one nation at a time, without looking at the systemic risk to the overall system. This approach is similar to how the financial sector handled risks prior to the 2008 crisis. Prior to then, financial risks were assessed one organization at a time, not recognizing how a shock to one sector, US sub-prime mortgages, might cascade to take down everyone else. The flagship initiative of the project is the “Cyber Risk Wednesdays” event series which features discussions aimed at reaching a better understanding of the consequences from concentrated and cascading cyber risks and means of mitigating them. Cyber experts dive into topics such as traditional and emerging cyber threats; costs and benefits of using insurance to tackle cyber threats; cascading failures and systemic stability of critical infrastructure and sectors; and role of measurement and data in assessing cyber risks.
Militaries study past wars in the air, sea, and land to learn appropriate lessons. However, even though cyber conflicts have been with us for over two decades, this history is largely ignored, forcing us to re-learn old lessons and repeat mistakes. This project has resulted in the first-ever cyber conflict history book to capture the lasting policy lessons of conflict in this new domain. A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 explores the twenty-six-year history of cyber conflict and analyzes case studies of the most significant cyber incidents. It is the first book of its kind—a comprehensive, accessible history of cyber conflict. A Fierce Domain reaches back to look at the major “wake-up calls,” the major conflicts that have forced the realization that cyberspace is a harsh place where nations and others contest for superiority. The book identifies the key lessons for policymakers, and, most importantly, where these lessons greatly differ from popular myths common in military and political circles.
Strong cybersecurity, built on reliable and resilient networks, is critical to national and economic security. The path to comprehensive cybersecurity that maintains the Internet as an open, interoperable, secure, and reliable medium of exchange leads through responsible Internet governance. Too often, nations rush first to short-term security solutions, relegating to afterthought strategic decisions surrounding effective governance structures that serve the needs to all Internet users. The Cyber Statecraft Initiative’s project on internet governance seeks to broaden this critical conversation with international, public, and private stakeholders.