Cybersecurity - Atlantic Council

Deputy Director of Foresight, Scowcroft Strategy Initiative

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Today’s Ukraine is often described as a testing ground for new military technologies, but it is important to stress that Ukrainians are active participants in this process who are in many instances leading the way with new innovations ranging from combat drones to artillery apps. This ethos is exemplified by initiatives such as BRAVE1, which was launched by the Ukrainian authorities in 2023 as a hub for cooperation between state, military, and private sector developers to address defense issues and create cutting-edge military technologies. BRAVE1 has dramatically cut down the amount of time and paperwork required for private sector tech companies to begin working directly with the military; according to Ukraine’s defense minister, this waiting period has been reduced from two years to just one-and-a-half months.

One example of Ukrainian tech innovation for the military is the Geographic Information System for Artillery (GIS Arta) tool developed in Ukraine in the years prior to Russia’s 2022 full-scale invasion. This system, which some have dubbed the “Uber for artillery,” optimizes across variables like target type, position, and range to assign “fire missions” to available artillery units. Battlefield insights of this nature have helped Ukraine to compensate for its significant artillery hardware disadvantage. The effectiveness of tools like GIS Arta has caught the attention of Western military planners, with a senior Pentagon official saying Ukraine’s use of technology in the current war is a “wake-up call.”

Alongside intensifying cooperation with the state and the military, members of Ukraine’s tech sector are also taking a proactive approach on the digital front of the war with Russia. A decentralized IT army, consisting of over 250,000 IT volunteers at its peak, has been formed to counter Russian digital threats. Moreover, the country’s underground hacktivist groups have shown an impressive level of digital ingenuity. For example, Ukraine’s IT army claims to have targeted critical Russian infrastructure such as railways and the electricity grid.

Ukraine’s tech industry has been a major asset in the fightback against Russia’s invasion, providing a much-needed economic boost while strengthening the country’s cyber defenses and supplying the Ukrainian military with the innovative edge to counter Russia’s overwhelming advantages in manpower and military equipment.

This experience could also be critical to Ukraine’s coming postwar recovery. The Ukrainian tech industry looks set to emerge from the war stronger than ever with a significantly enhanced global reputation. Crucially, the unique experience gained by Ukrainian tech companies in the defense tech sector will likely position Ukraine as a potential industry leader, with countries around the world eager to learn from Ukrainian specialists and access Ukrainian military tech solutions. This could serve as a key driver of economic growth for many years to come, while also improving Ukrainian national security.

David Kirichenko is an editor at Euromaidan Press, an online English language media outlet in Ukraine. He tweets @DVKirichenko.

Frederick Kempe
Alexander V. Mirtchev

Editor-in-chief

Matthew Kroenig

Editorial board members

James L. Jones
Odeh Aburdene
Paula Dobriansky
Stephen J. Hadley
Jane Holl Lute
Ginny Mulberger
Stephanie Murphy
Dan Poneman
Arnold Punaro

Executive summary

The United States and the People’s Republic of China (PRC) are engaged in a strategic competition surrounding the development of key technologies. Both countries seek to out-compete the other to achieve first-mover advantage in breakthrough technologies, and to be the best country in terms of the commercial scaling of emerging and existing technologies.

Until recently, the United States was the undisputed leader in the development of breakthrough technologies, and in the innovation and commercial scaling of emerging and existing technologies, while China was a laggard in both categories. That script has changed dramatically. China is now the greatest single challenger to US preeminence in this space.

For the United States, three goals are paramount. The first is to preserve the US advantage in technological development and innovation relative to China. The second is to harmonize US strategy and policy with those of US allies and partners, while gaining favor with nonaligned states. The third is to retain international cooperation around trade in technology and in scientific research and exploration.

The strategy outlined in these pages has three major elements: the promotion of technologically based innovation; the protection of strategically valuable science and technology (S&T) knowhow, processes, machines, and technologies; and the coordination of policies with allies and partners. The shorthand for this triad is “promote, protect, and coordinate.”

On the promotion side, if the United States wishes to remain the leading power in scientific research and in translating that research into transformative technologies, then the US government—in partnership with state and local governments, the private sector, and academia—will need to reposition and recalibrate its policies and investments. On the protect side, a coherent strategy requires mechanisms to protect and defend a country’s S&T knowledge and capabilities from malign actors, including trade controls, sanctions, investment screening, and more. Smartly deploying these tools, however, is exceedingly difficult and requires the United States to hone its instruments in a way that yields only intended results. The coordination side focuses on “tech diplomacy,” given the need to ensure US strategy and policy positively influence as many allies, partners, and even nonaligned states as possible, while continuing to engage China on technology-related issues. The difficulty lies in squaring the interests and priorities of the United States with those of its allies and partners, as well as nonaligned states, and even China itself.

This strategy assumes that China will remain a significant competitor to the United States for years to come. It also assumes that relations between the United States and China will remain strained at best or, at worst, devolve into antagonism or outright hostility. Even if a thaw were to reset bilateral relations entirely, the US interest in maintaining its advantage in technological development would remain.

Any successful long-term strategy will require that the US government pursue policies that are internally well coordinated, are based on solid empirical evidence, and are flexible and nimble in the short run, while being attentive to longer-run trends and uncertainties.

There are two major sets of risks accompanying this strategy. Overreach is one because decoupling to preserve geopolitical advantages can be at odds with economic interests. A second involves harms to global governance including failure to continue cooperation surrounding norms and standards to guide S&T research, and failure to continue international science research cooperation focused on solving global-commons challenges such as pandemics and climate change.

The recommendations that follow from this analysis include the following, all directed at US policymakers.

Restore and sustain public research and development (R&D) funding for scientific and technological advancement.
Improve and sustain STEM (science, technology, engineering, and math) education and skills training across K–12, university, community college, and technical schools.
Craft a more diverse tech sector.
Attract and retain highly skilled talent from abroad.
Support whole-of-government strategy development.
Ensure private-sector firms remain at the cutting edge of global competitiveness.
Improve S&T intelligence and counterintelligence.
Ensure calibrated development and application of punitive measures.
Build out and sustain robust multilateral institutions.
Engage with China, as it cannot be avoided.

A 2033 What If…

Imagine that it is the year 2033. Imagine that China has made enormous strides forward in the technology arena at the expense of the United States and its allies and partners. Suppose that this outcome occurred because, between 2023 and 2033, China’s economy not only does not weaken substantially but instead goes from strength to strength, including (importantly) increasing its capabilities in technological development and innovation. Suppose, too, that the US government failed to craft and maintain the kinds of investments and policies that are needed to sustain and enhance its world-leading tech-creation machine—its “innovation ecosystem”—to stay ahead of China. Suppose that the US government also failed to properly calibrate the punitive measures designed to prevent China from acquiring best-in-class technologies from elsewhere in the world—where calibration means the fine-tuning of policies to achieve prescribed objectives without spillover consequence. Finally, suppose that the United States and its allies and partners around the world failed to align with one another in terms of strategies and policies regarding how to engage China and, just as critically, about alignment of their own ends. What might that world look like?

Looking at that world from the year 2033, a first observation is that US scientific and technological (S&T) advantage, a period that lasted from 1945 to the 2020s, has come to an end. In its place is a world where China’s government labs, universities, and firms are often the first to announce breakthrough scientific developments and the first to turn them into valuable technologies.

For the US government and for allies and partners in the Indo-Pacific region, the strategic consequences are severe, as China has not only closed much of the defense spending gap by 2033 but is able to employ weaponry as advanced, and in some cases more advanced, than those of the United States and its allies.¹ Military planners from Washington to New Delhi watch China’s rising capabilities with much anxiety, given the geostrategic leverage that such changes have given Beijing across the region.

Nor is this problem the only headache for the United States and its coalition of partners in 2033. For a variety of reasons, many of China’s tech firms are outcompeting those elsewhere in the world, including some of the United States’ biggest and most important firms. Increasingly, the world looks as much to Shenzhen as to Silicon Valley for the latest tech-infused products and services.

China’s long-standing ambition to give its tech firms an advantage has paid off. The Chinese state has successfully pursued its strategy of commercial engagement with other countries, one that has been well known for decades and is characterized by direct and indirect financial and technical aid for purchases of Chinese hardware and software. This approach, while imperfect, drove adoption of Chinese technology abroad, with much of that adoption happening in the Global South.² Across much of Africa, Latin America, South and Southeast Asia, and the Middle East, China has grown into the biggest player in the tech space, with its technologies appealing both to consumers and to many governments looking for financial assistance in upgrading their tech infrastructure. Moreover, China’s tech assistance has aided authoritarian governments seeking the means to control access to information, especially online, and the desire to surveil citizens and suppress dissent.³ China’s efforts have been a major reason why the internet has fractured in many countries around the world. The ideal of the internet as an open platform is largely gone, replaced by a system of filtered access to information—in many instances, access that is controlled by authoritarian and illiberal states.

In 2033, even the biggest US-based tech firms struggle to keep pace with Chinese firms, as do tech firms based in Europe, Asia, and elsewhere. Although still formidable, Western firms find themselves at a disadvantage in both domestic and foreign markets. China’s unfair trading practices have continued to give its firms an edge, even in markets in mature economies and wealthy countries. China has continued its many unfair trading practices, including massive direct and indirect state subsidies and regulatory support for its firms, suspect acquisition—often outright theft—of intellectual property (IP) from firms abroad, and requiring that foreign firms transfer technology to China in exchange for granting access to its enormous domestic consumer market, in 2033 the biggest in the world.⁴ When added to the real qualitative leaps that China has made in terms of the range and sophistication of its tech-based products and services, foreign firms are often on the back foot even at home. In sector after sector, China is capturing an increasingly large share of global wealth.

Nor is this all. China’s rising influence means that the democratic world has found it impossible to realize its preferences concerning the global governance of technology. This problem extends beyond China’s now significant influence on technical-standards development within the range of international organizations that are responsible for standards.⁵ The problem is much larger than even that. Since the early 2020s, because of decreasing interest in scientific cooperation, the United States, China, and Europe have been unable to agree on the basic norms and principles that should guide the riskiest forms of advanced tech development. As a result, big gaps have appeared in how the major players approach such development. This patchwork, incomplete governance architecture has meant that countries, firms, and even individual labs have forged ahead without common ethical-normative frameworks to guide research and development. In such fields as artificial intelligence (AI), China has increased its implementation of AI-based applications that have eroded individual rights and privacies—for example, AI-driven facial-recognition technologies used by the state to monitor individual activity—not only within China, but in parts of the world where its technologies have been adopted.⁶

Nor is even this long list all that is problematic in the year 2033. Scientific cooperation between the United States and China—and, by extension, China and many US allies and partners—has declined precipitously since 2023. Cross-national collaboration among the world’s scientists has always been a proud hallmark of global scientific research, delivering progress on issues ranging from cancer treatments to breakthrough energy research. Collaboration between China on the one hand, and Western states on the other, used to be a pillar of global science. Now, unfortunately, much of that collaboration has disappeared, given the rising suspicions and antagonism and the resulting policies that were implemented to limit and, in some cases, even block scientific exchange.⁷

From the perspective of developments that led to this point in the year 2033, the United States and its allies and partners failed to pursue a coherent, cooperative, and united strategy vis-à-vis strategic competition with China. Policymakers were unable to articulate, and then implement, policies that were consistent over time and across national context. Various international forums were created for engagement on strategy and policy questions, but they proved of low utility as policy harmonization bodies or tech trade-dispute mechanisms.

Opening session of US-China talks at the Captain Cook Hotel in Anchorage, Alaska, US March 18, 2021. REUTERS/Frederic J. Brown

Strategic context

The above scenario, which sketches a world in 2033 where China has gained the upper hand at the expense of the United States and its allies and partners, is not inevitable. As this strategy paper articulates, there is much that policymakers in the United States and elsewhere can do to ensure that more benign futures, from their perspectives, are possible. However, as this strategy paper also articulates, their success is far from a given.

The United States and the People’s Republic of China (PRC) are engaged in a strategic competition surrounding the development of key technologies, including advanced semiconductors (“chips”), AI, advanced computing (including quantum computing), a range of biotechnologies, and much more. Both countries seek to out-compete the other to achieve first-mover advantage in breakthrough technologies, and to be the best country at the commercial scaling of emerging and existing technologies.

These two capabilities—the first to develop breakthrough technologies and the best at tech-based innovation—overlap in important respects, but they are not identical and should not be regarded as the same thing. The first country to build a quantum computer for practical application (such as advanced decryption) is an example of the former capability; the country that is best at innovating on price, design, application, and functionality of electric vehicles (EVs) is an example of the latter capability. The former will give the inventing country a (temporary) strategic and military advantage; the latter will give the more innovative country a significant economic edge, indirectly contributing to strategic and military advantage. The outcome of this competition will go a long way toward determining which country—China or the United States—has the upper hand in the larger geostrategic competition between them in the coming few decades.

For China, the primary goal is to build an all-encompassing indigenous innovation ecosystem, particularly in sectors that Chinese leadership has deemed critical. Beijing views technology as the main arena of competition and rivalry with the United States, with many high-level policies and strategy documents released under Xi Jinping’s tenure emphasizing technology across all aspects of society. Under Xi’s direction, China has intensified its preexisting efforts to achieve self-sufficiency in key technology sectors, centering on indigenous innovation and leapfrogging the United States.

On the US side, the Joe Biden administration and Congress have emphasized the need to maintain leadership in innovation and preserve US technological supremacy. Although there are many similarities between the Donald Trump and Biden administrations’ approaches to competition with China, one of the primary differences has been the Biden administration’s focus on bringing allies and partners onboard and trying to make policies as coordinated and multilateral as possible. While a laudable goal, implementation of a seamless allies-and-partners coordination is proving difficult.

Until recently, the United States was the undisputed leader in the development of breakthrough technologies, and in the innovation and commercial scaling of emerging and existing technologies. Until recently, China was a laggard in both categories, falling well behind the United States and most, if not all, of the world’s advanced economies in both the pace of scientific and technological (S&T) development and the ability to innovate around technologically infused products and services.

That script has changed dramatically as a result of China’s rapid ascension up the S&T ladder, starting with Deng Xiaoping’s reforms in the 1970s and 1980s and continuing through Xi Jinping’s tenure.⁸

Although analysts disagree about how best to measure China’s current S&T capabilities and its progress in innovating around tech-based goods and services, there is no dispute that China is now the greatest single challenger to US preeminence in this space. In some respects, China may already have important advantages over the United States and all other countries—for example, in its ability to apply what has been labeled “process knowledge,” rooted in the country’s vast manufacturing base, to improve upon existing tech products and invent new ones.⁹

Chinese President Xi Jinping speaks at the military parade marking the 70th founding anniversary of People’s Republic of China, on its National Day in Beijing, China October 1, 2019. REUTERS/Jason Lee

This competition represents a new phase in the two countries’ histories. The fall of the Berlin Wall and the decade that followed saw US leadership seek to include China as a member of the rules-based international order. In a March 2000 speech, President Bill Clinton spoke in favor of China’s entry into the World Trade Organization (WTO), arguing that US support of China’s new permanent normal trade relations (PNTR) status was “clearly in our larger national interest” and would “advance the goal America has worked for in China for the past three decades.”¹⁰ China’s leadership returned the favor, with President Jiang Zemin later stating that China “would make good on [China’s] commitments…and further promote [China’s] all-directional openness to the outside world.”¹¹

Despite some US concerns, the period from 2001 through most of the Barack Obama administration saw Sino-American relations at their best.¹² The lure of the Chinese market was strong, with bilateral trade in goods exploding from less than $8 billion in 1986 to more than $578 billion in 2016.¹³ People-to-people exchanges increased dramatically as well, with tourism from China increasing from 270,000 in 2005 to 3.17 million in 2017, and the number of student F-visas granted to PRC students increasing tenfold, from approximately 26,000 in 2000 to nearly 250,000 in 2014.¹⁴ US direct investment in China also grew significantly after 2000, as US companies saw the vast potential of the Chinese market and workforce. Notably, overall US investment in China continued to grow even after the COVID-19 pandemic.¹⁵

So what changed? In a 2018 essay titled “The China Reckoning,” China scholars Ely Ratner and Kurt Campbell—now both members of the Biden administration—described how the US plan for China and its role in the international system had not gone as hoped.

Neither carrots nor sticks have swayed China as predicted. Diplomatic and commercial engagement have not brought political and economic openness. Neither US military power nor regional balancing has stopped Beijing from seeking to displace core components of the US-led system. And the liberal international order has failed to lure or bind China as powerfully as expected. China has instead pursued its own course, belying a range of American expectations in the process.
Campbell and Ratner, “The China Reckoning.”

These sentiments were shared by many others in Washington. Many felt like China was taking advantage of the United States as the Obama administration transitioned to its “pivot to Asia.” For example, in 2014 China sent an uninvited electronic-surveillance ship alongside four invited naval vessels to the US-organized Rim of the Pacific (RIMPAC) military exercises, damaging what had appeared to be improving military-to-military relations.¹⁶ On the economic side, despite the two sides signing an agreement in April 2015 not to engage in industrial cyber espionage, it soon became clear that China did not plan to uphold its side of the bargain. In 2017, the US Department of Justice indicted three Chinese nationals for cyber theft from US firms, including Moody’s Analytics, Siemens AG, and Trimble.¹⁷

Within China, political developments were also driving changes in the relationship. Xi Jinping assumed power in November 2012, and most expected him to continue on his predecessors’ trajectory. However, in 2015 a slew of Chinese policies caught the eye of outside observers, especially the “Made in China 2025” strategy that caused a massive uproar in Washington and other global capitals, given its explicit focus on indigenization of key sectors, including the tech sector.

On the US side, when President Trump was elected in 2017, the bilateral economic relationship came under further fire, sparked by growing concerns surrounding China’s unfair trade practices, IP theft, and the growing trade deficit between the two countries. First the first time, frustration over these issues brought about strong US policy responses, including tariffs on steel, aluminum, soybeans, and more, a Section 301 investigation of Chinese economic practices by the US trade representative, and unprecedented export controls on the Chinese firms Huawei and ZTE. On the Chinese side, a growing emphasis on self-reliance, in conjunction with narratives surrounding the decline of the West, has dominated the conversation at the highest levels of government. In many instances, some of these statements—like China’s relatively unachievable indigenization goals in the semiconductor supply chain—have pushed the US policy agenda closer toward one centering on zero-sum tech competition.

In 2023, the Biden administration continued some Trump-era policies toward China, often reaching for export controls as a means to prevent US-origin technology from making its way to China. The Biden administration is even considering restricting outbound investment into China, stemming from concerns around everything from pharmaceutical supply chains to military modernization. The bottom line is that US-China competition is intense, and is here to stay for the foreseeable future.

Goals

There are three underlying goals for policymakers in the United States to consider when developing a comprehensive strategy.

Preserve the US advantage in technological development and innovation relative to China. Although the United States has historically led the world in the development of cutting-edge technologies, technological expertise, skills, and capabilities have proliferated worldwide and eroded this advantage. Although the United States arguably maintains its first position, it can no longer claim to be the predominant global S&T power across the entire board. As a result, US leadership will have to approach this issue with a clear-eyed understanding of US capabilities and strengths, as well as weaknesses.

Further, it is impractical to believe that the United States alone can lead in all critical technology areas. US policymakers must determine (with the help of the broader scientific community) not only which technologies are critical to national security but also how these technologies are directly relevant in a national security context. This point suggests the need for aligning means with ends—what is the US objective in controlling or promoting a specific technology? Absent strong answers to this question, technology controls or promotion efforts will likely yield unintended results, both good and bad.

Further, it is impractical to believe that the United States alone can lead in all critical technology areas. US policymakers must determine (with the help of the broader scientific community) not only which technologies are critical to national security but also how these technologies are directly relevant in a national security context. This point suggests the need for aligning means with ends—what is the US objective in controlling or promoting a specific technology? Absent strong answers to this question, technology controls or promotion efforts will likely yield unintended results, both good and bad.

Further, the United States’ capacity to transform basic research into applications and commercial products is an invaluable asset that has propelled its innovation ecosystem for decades. In contrast, Chinese leadership is keenly aware of its deficiencies in this area.

First-mover advantage in laboratory scientific research is not the same thing as innovation excellence. A country needs both if it seeks predominance. A country can have outstanding scientific capabilities but poor innovation capacity (or vice versa). Claims that China is surpassing the United States and other advanced countries in critical technology areas are premature, and often fail to consider how metrics to assess innovative capacity interact with one another (highly cited publications, patents, investment trends, market shares, governance, etc.).¹⁸ Assessing a country’s ability to preserve or maintain its technological advantage requires a holistic approach that takes all of these factors into account.
Harmonize strategy and policy with allies and partners, while gaining favor with nonaligned states. With respect to strategic competition vis-a-vis China, the interests of the United States are not always identical to those of its allies and partners. Any strategy designed to compete in the tech space with China needs to align with the strategies and interests of US allies and partners. Simultaneously, US strategy should offer benefits to nonaligned states within the context of this strategic competition with China, so as to curry favor with them.

This goal is especially important, given that the United States relies on and benefits from a network of allies and partners, whereas China aspires to self-sufficiency in S&T development. To preserve the United States’ advantage, US leadership must first recognize that its network is one of the strongest weapons in the US arsenal.

US allies and partners, of which there are many, want to maintain and strengthen their close diplomatic, security, and economic ties to the United States. The problem is that most also have substantial, often critical, economic relationships with China. Hence, they are loath to jeopardize their relationships with either the United States or China.

This strategic dilemma has become a significant one for US allies in both the transpacific and transatlantic arenas. As examples, Japan and South Korea, the two most advanced technology-producing countries in East Asia, are on the front lines of this dilemma. Their challenging situation owes to their geographic proximity to China on the one hand—and, hence, proximity to China’s strategic ambitions in the East and South China Seas, as well as Taiwan—and to their close economic ties to both China and the United States on the other.¹⁹ Although both have been attempting an ever-finer balancing act between the United States and China for years, the challenge is becoming more difficult.²⁰ In January 2023, Japan reportedly joined the United States and the Netherlands to restrict sales of advanced chipmaking lithography machines to China, despite the policy being against its clear economic interests.²¹ In April and May 2023, even before China banned sales of chips from Micron Technology, a US firm, the US government was urging the South Korea government to ensure that Micron’s principal rivals, South Korea’s Samsung Electronics and SK Hynix, did not increase their sales in China.²²

For nonaligned states, many of which are in the Global South, their interests are manifold and not easily shoehorned into a US-versus-China bifurcation. Many states in this category have generalized concerns about a world that is dominated by either Washington or Beijing, and, as such, are even more interested in hedging than are the closest US allies and partners. Their governments and business communities seek trade, investment, and access to technologies that can assist with economic development, while their consumers seek affordable and capable tech. Although China has made enormous strides with respect to technological penetration of markets in the Global South, there also is much opportunity for the United States and its allies and partners, especially given widespread popular appetite for Western ideals, messaging, and consumer-facing technologies.²³
Retain cooperation around trade and scientific exploration. One of the risks that is inherent in a fraught Sino-American bilateral relationship is that global public-goods provision will be weakened. Within the context of rising tensions over technological development, there are two big concerns: first, that global trade in technologically based goods and services will be harmed, and second, that global scientific cooperation will shrink.

An open trading system has been an ideal of the rules-based international order since 1945, built on the premise that fair competition within established trading rules is best for global growth and exchange. The US-led reforms at the end of the World War II and early postwar period gave the world the Bretton Woods system, which established the International Monetary Fund (IMF), plus the Marshall Plan and the General Agreement on Tariffs and Trade (GATT). Together, these reforms enabled unprecedented multi-decade growth in global trade.²⁴ China’s accession to the WTO in 2001, which the US government supported, marked a high point as many read into China’s entry its endorsement of the global trade regime based on liberal principles. However, since then—and for reasons having much to do with disagreements over China’s adherence to WTO trading rules—this global regime has come under significant stress. In 2023, with few signs that the Sino-American trade relationship will improve, there is significant risk of damage to the global trading system writ large.²⁵

Any damage done to the global trading system also risks harm to trade between the two countries, which is significant given its ongoing scale (in 2022, bilateral trade in goods measured a record $691 billion).²⁶. Tech-based trade and investment remain significant for both countries, as illustrated by the February 2023 announcement of a $3.5-billion partnership between Ford Motor Company and Contemporary Amperex Technology Limited (CATL) to build an EV-battery plant in Michigan using CATL-licensed technology.²⁷ A priority for US policymakers should be to preserve trade competition in tech-infused goods and services, at least for those goods and services that are not subject to national security-based restrictions and where China’s trade practices do not result in unfair advantages for its firms.

Beyond trade, there are public-goods benefits resulting from bilateral cooperation in the S&T domain. These benefits extend to scientific research that can hasten solutions to global-commons challenges—for example, climate change. China and the United States are the two most active countries in global science, and are each other’s most important scientific-research partner.²⁸ Any harm done to their bilateral relationship in science is likely to decrease the quality of global scientific output. Further, the benefits from cooperation also extend to creation and enforcement of international norms and ethics surrounding tech development in, for example, AI and biotechnology.

A worker conducts quality-check of a solar module product at a factory of a monocrystalline silicon solar equipment manufacturer LONGi Green Technology Co, in Xian, Shaanxi province, China December 10, 2019. REUTERS/Muyu Xu

Major elements of the strategy

The strategy outlined in these pages has three major elements: the promotion of technologically based innovation, sometimes labeled “running faster”; the protection of strategically valuable S&T knowhow, processes, machines, and technologies; and the coordination of policies with allies and partners. This triad—promote, protect, and coordinate—is also shorthand for the most basic underlying challenge facing strategists in the US government and in the governments of US allies and partners. In the simplest terms, strategists should aim to satisfy the “right balance between openness and protection,” in the words of the National Academies of Sciences, Engineering, and Medicine.²⁹ This strategic logic holds for both the United States and its allies and partners.

Promote: The United States has been the global leader in science and tech-based innovation since 1945, if not earlier. However, that advantage has eroded, in some areas significantly, in particular since the end of the Cold War. If the United States wishes to remain the leading power in scientific research and in translating that research into transformative technologies (for military and civilian application), then the US government, in partnership with state and local governments, the private sector, and academia, will have to reposition and recalibrate its policies and investments.

The preeminence of America’s postwar innovation ecosystem resulted from several factors, including: prewar strengths across several major industries; massive wartime investments in science, industry, and manufacturing; and even larger investments made by the US government in the decades after the war to boost US scientific and technological capabilities. The 1940s through 1960s were especially important, owing to the whole-of-society effort behind prosecuting World War II and then the Cold War. The US government established many iconic S&T-focused institutions, including the National Science Foundation (NSF), Defense Advanced Research Projects Agency (DARPA), the National Aeronautics and Space Administration (NASA), most of the country’s national laboratories (e.g., Sandia National Laboratories and Lawrence Livermore National Laboratories), and dramatically boosted funding for science education, public-health research, and academic scientific research.³⁰

This system, and the enormous investments made by the US government to support it, spurred widespread and systematized cooperation among government, academic science, and the private sector. This cooperation led directly to a long list of breakthrough technologies for military and civilian purposes, and to formation of the United States’ world-leading tech hubs, Silicon Valley most prominent among them.³¹

The trouble is that after the Cold War ended, “policymakers [in the US government] no longer felt an urgency and presided over the gradual and inexorable shrinking of this once preeminent system,” in particular through allowing federal spending on research and development (R&D) and education to flatline or even atrophy.³² From a peak of around 2.2 percent of national gross domestic product (GDP) in the early 1960s, federal R&D spending has declined since, reaching a low of 0.66 percent in 2017 before rebounding slightly to 0.76 percent in 2023.³³

Today, US competitors, including China, have figured out the secrets to growing their own innovation ecosystems (including the cultural dimensions that historically have been key to separating the United States from its competition) and are investing the necessary funding to do so. For example, several countries, especially China, have outpaced the United States in R&D spending. Between 1995 and 2018, China’s R&D spending grew at an astonishing 15 percent per annum, about double that of the next-fastest country, South Korea, and about five times that of the United States. By 2018, China’s total R&D spending (from public and private sources) was in second place behind the United States and had surpassed the total for the entire European Union.³⁴ From the US perspective, other metrics are equally concerning. A 2021 study by Georgetown University’s Center for Security and Emerging Technology (CSET) projected that China will produce nearly twice as many STEM PhDs as the United States by 2025 (if counting only US citizens graduating with a PhD in STEM, that figure would be three times as much). This projection is based, in part, on China’s government doubling its investment in STEM higher education during the 2010s.³⁵

The United States retains numerous strengths, including the depth and breadth of its scientific establishment, number and sizes of its Big Tech firms, robust startup economy and venture capital to support it, numerous world-class educational institutions, dedication to protection of intellectual property, relatively open migration system for high-skilled workers, diverse and massive consumer base, and its still-significant R&D investments from public and private sources.³⁶

In addition, over the past few years there have been encouraging signs of a shift in thinking among policymakers, away from allowing the innovation model that won the Cold War to further erode and toward increased bipartisan recognition that the federal government has a critical role to play in updating that system. As was the case with the Soviet Union, this newfound interest in strengthening the US innovation ecosystem owes much to a recognition that China is a serious strategic competitor to the United States in the technology arena.³⁷ The Biden administration’s passage of several landmark pieces of legislation, including the CHIPS and Science Act, the Inflation Reduction Act (IRA), and the Infrastructure Investment and Jobs Act (IIJA), increased the amount of federal government spending on S&T, STEM education and skills training, and various forms of infrastructure (digital and physical), all of which are concrete evidence of the degree to which this administration and much of Congress recognize the stiff challenge from China.
Protect: A coherent strategy requires mechanisms to protect and defend a country’s S&T knowledge and capabilities from malign actors. Policy documents and statements from US officials over the past decade have called out the many ways in which the Chinese state orchestrates technology transfer through licit and illicit means, ranging from talent-recruitment programs and strategic mergers and acquisitions (M&A) to outright industrial espionage via cyber intrusion and other tactics.³⁸

On the protect side, tools include trade controls, sanctions, investment screening, and more. On the export-control side, both the Trump and Biden administrations have relied on dual-use export-control authorities to both restrict China’s access to priority technologies and prevent specific Chinese actors (those deemed problematic by the US government) from accessing US-origin technology and components.³⁹ Investment screening has also been a popular tool; in 2018, Congress passed the bipartisan Foreign Investment Risk Review Modernization Act (FIRRMA) that strengthened and modernized the Committee on Foreign Investment in the United States (CFIUS)—an interagency body led by the Treasury Department that reviews inbound foreign investment for national security risks.⁴⁰ Under the Biden administration, a new emphasis on the national security concerns associated with US outbound investment into China has arisen, with an executive order focused on screening outbound tech investments in the works for almost a year.⁴¹ On sanctions, although the United States has so far been wary of deploying them against China, the Biden administration has, in conjunction with thirty-eight other countries, imposed a harsh sanctions regime on Russia and Belarus following Russia’s unprovoked invasion of Ukraine.⁴²

Trade controls can be effective tools, but they need to be approached with a clear alignment between means and ends. For decades, an array of export controls and other regulations have worked to prevent rivals from accessing key technologies. However, historical experience (such as that of the US satellite industry) shows that, with a clear alignment between means and ends, trade controls can have massive implications for the competitiveness of US industries and, by extension, US national security.⁴³

Before deploying these tools, it is critical for policymakers to first identify what China is doing—both within and outside its borders—in its attempts to acquire foreign technology, an evaluation that should allow the United States to hone more targeted controls that can yield intended results. Trade controls that are too broad and ambiguous tend to backfire, as they create massive uncertainties that lead to overcompliance on the part of industry, in turn causing unintended downside consequences for economic competitiveness.

Understanding China’s strategy for purposes of creating effective trade controls is not as difficult as it once appeared. For instance, a 2022 report from CSET compiled and reviewed thirty-five articles on China’s technological import dependencies.⁴⁴ This series of open-source articles, published in Chinese in 2018, provides specific and concrete examples of Chinese S&T vulnerabilities that can be used by policymakers to assess where and how to apply trade controls. Other similar resources exist. Although the Chinese government appears to be systematically tracking and removing these as they receive attention, there are ways for US government analysts and scholars to continue making use of these materials that preserve the original sources.
Coordinate: The final strategy pillar is outward facing, focused on building and sustaining relationships with other countries in and around the tech strategy and policy space. This pillar might be labeled “tech diplomacy,” given the need to ensure US strategy and policy positively influences as many allies, partners, and even nonaligned states as possible, while continuing to engage China on technology-related issues. As with the other two pillars, this pillar is simple to state as a priority, but difficult to realize in practice.

In a May 2022 speech, US Secretary of State Antony Blinken said that the administration’s shorthand formula is to “invest, align, [and] compete” vis-a-vis China.⁴⁵ Here, he meant “invest” to refer to large public investments in US competitiveness, “align” to closer coordination with allies and partners on tech-related strategy and policy, and “compete” largely to geostrategic competition with China over Taiwan, the East and South China Seas, and other areas.

Blinken’s remarks underscore the Biden administration’s priority for allies and partners to view the United States as a trusted interlocutor. When it comes to technology policy on China, the trouble lies in the execution—in particular, overcoming the tensions inherent within the “invest, align, compete” formula. After Blinken’s speech, for example, the IRA became law, which triggered a firestorm of protest among the United States’ closest transpacific and transatlantic allies. Viewing the IRA’s ample support for domestic production and manufacturing of electric vehicles and renewable-energy technologies—designed to boost the US economy and tackle climate change while taking on China’s advantages in these areas—the protectionist European Union (EU) went so far as to formulate a Green Deal Industrial Plan, widely seen as an industrial policy response to the IRA.⁴⁶ Much of the row over the IRA resulted from the perception—real or not—that the United States had failed to properly consider allies’ and partners’ interests while formulating the legislation. In the words of one observer, “amid the difficult negotiations at home on the CHIPS Act and the IRA, allies and partners were not consulted, resulting in largely unintended negative consequences for these countries.”⁴⁷

Long-term investment by US policymakers in multilateral institutions focused on technology will be a critical aspect of any potential victory. The Biden administration is already making strides on this front through several multilateral arrangements, including the resurrection of the Quadrilateral Security Dialogue (the Quad) and the establishment of the US-EU Trade and Technology Council (TTC) and AUKUS trilateral pact. All three of these arrangements have dedicated time and resources to specific technological issues in both the military/geopolitical and economic spheres, and all three have the potential to be massively impactful in terms of technology competition.

However, history has shown that these types of arrangements are only effective as long as high-level political leadership remains involved and dedicated to the cause. Cabinet officials and other high-level leaders from all participating countries—especially the United States—will have to demonstrate continued interest in and commitment to these arrangements if they want them to produce more than a handful of documents with broad strategic visions.

Assumptions

The strategy outlined in these pages rests on two plausible assumptions. First, this strategy assumes that China will not follow the Soviet Union into decline, collapse, and disintegration anytime soon, which, in turn, means that China should remain a significant competitor to the United States for a long time to come.

China’s leadership has studied the collapse of the Soviet Union closely and learned from it, placing enormous weight on delivering economic performance through its brand of state capitalism while avoiding the kind of reforms that Mikhail Gorbachev instituted during the 1980s, which included freer information flows, freer political discourse, and ideological diversity within the party and state—all of which Chinese leadership believes to have been key to the Soviet Union’s undoing.⁴⁸ China also does not have analogous centrifugal forces that threaten an internal breakup along geographic lines as did the Soviet Union, which had been constructed from the outset as a federation of republics built upon the contours of the tsarist empire. (The Soviet Union, after all, was a union of Soviet Socialist republics scattered across much of Europe and Asia).⁴⁹

These factors weigh against an assessment that China will soon collapse. Nicholas Burns, the US ambassador to China, has said recently that China is “infinitely stronger” than the Soviet Union ever was, “based on the extraordinary strength of the Chinese economy” including “its science and technology research base [and] innovative capacity.” He concluded that the Chinese challenge to the United States and its allies and partners “is more complex and more deeply rooted [than was the Soviet Union] and a greater test for us going forward.”⁵⁰

A more realistic long-term scenario is one in which the United States and its allies and partners would need to manage a China that will either become stronger or plateau, rather than one that will experience a steep decline. Both variants of this scenario are worrisome, and both underscore the need to hew to the strategy outlined in this paper. A stronger China brings with it obvious challenges. A plateaued China is a more vexing case, owing to the very real possibility that Chinese leadership might conclude that, as economic stagnation portends a future decline and fall, the case for military action (e.g., against Taiwan) is more, rather than less, pressing. The strategist Hal Brands, for example, has suggested that a China that has plateaued will become more dangerous than it is now, requiring a strategy that is militarily firm, economically wise (including maintenance of the West’s advantages in the tech-innovation space), and diplomatically flexible.⁵¹

Second, the strategy outlined here assumes that relations between the United States and China will remain strained at best or, at worst, devolve into antagonism or outright hostility. In 2023, the assumption of ongoing strained relations appears wholly rational, based on a straightforward interpretation of all available diplomatic evidence.

How this strategy should shift if the United States and China were to have a rapprochement would depend greatly on the durability and contours of that shift. Even if a thaw were to reset bilateral relations to where they were at the beginning of the century (an unlikely prospect), the US interest in maintaining a first-mover advantage in technological development would remain. As reviewed in this paper, there was a long period during which the United States and China traded technologically based goods and services in a more open-ended trading regime than is currently the case. During that period, the United States operated on two presumptions: that China’s S&T capabilities were nowhere near as developed as its own, and that the US system could stay ahead owing to its many strengths compared with China’s.

The trouble with returning to this former state is that both presumptions no longer hold. China has become a near-peer competitor in science and technological development, and its innovative capabilities are considerable.

If China and the United States were to thaw their relationship, the policy question would concern the degree to which the United States would reduce its “protect” measures—the import and export restrictions, sanctions, and other policies designed to keep strategic technologies and knowhow from China, while protecting its own assets from espionage, sabotage, and other potential harms.

Guidelines for implementation

As emphasized throughout this paper, any successful long-term strategy will require that the US government pursue policies that are internally well coordinated, are based on solid empirical evidence, and are flexible and nimble in the short run, while being attentive to longer-run trends and uncertainties. The government will need to improve its capabilities in three areas.

Improved intelligence and counterintelligence: The US government will need to reassess, improve, and extend its intelligence and counterintelligence capabilities about tech development. The intelligence community will need to be able to conduct ongoing, comprehensive assessments of tech trends and uncertainties of relevance to the strategic competition with the United States. To properly gauge the full range of relevant and timely information about China’s tech capabilities, the Intelligence Community’s practice of relying on classified materials will need to be augmented by stressing unclassified open-source material. Classified sources, which the Intelligence Community always has prioritized, do not provide a full picture of what is happening in China. Patent filings, venture-capital investment levels and patterns, scientific and technical literature, and other open sources can be rich veins of material for analysts looking to assess where China is making progress, or seeking to make progress, in particular S&T areas. The US government’s prioritization of classified material contrasts with the Chinese government’s approach. For decades, China has employed “massive, multi-layered state support” for the “monitoring and [exploitation] of open-source foreign S&T.”⁵² There is recognition that the US government needs to upgrade its capabilities in this respect. In 2020, the House Permanent Select Committee on Intelligence observed that “open-source intelligence (OSINT) will become increasingly indispensable to the formulation of analytic products” about China.⁵³

An intelligence pillar will need a properly calibrated counterintelligence element to identify where China might be utilizing its means and assets—including legal, illegal, and extralegal ones—to obtain intellectual property in the United States and elsewhere (China has a history of utilizing multiple means, including espionage, to gain IP that is relevant to their S&T development).⁵⁴ Here, “properly calibrated” refers to how counterintelligence programs must ensure that innocent individuals, including Chinese nationals who are studying or researching in the United States, are not brought under undue or illegitimate scrutiny. At the same time, these programs must be able to identify, monitor, and then handle as appropriate those individuals who might be engaging in industrial espionage or other covert activities. The Trump administration’s China Initiative was criticized both for its name (it implied that Chinese nationals and anyone of East Asian descent were suspect) and the perception of too-zealous enforcement (the program resulted in several high-profile cases ending in dismissal or exoneration for the accused). In 2022, the Biden administration shuttered this initiative and replaced it with “a broader strategy aimed at countering espionage, cyberattacks and other threats posed by a range of countries.”⁵⁵
Improved foresight: Strategic-foresight capabilities assist governments in understanding and navigating complex and fast-moving external environments. Foresight offices in government and the private sector systematically examine long-term trends and uncertainties and assess how these will shape alternative futures. These processes often challenge deeply held assumptions about where the world is headed, and can reveal where existing strategies perform well or poorly.

This logic extends to the tech space, where the US government should develop a robust foresight apparatus to inform tech-focused strategies and policies at the highest levels. The purpose of this capability would be to enhance and deepen understanding of where technological development might take the United States and the world. Such a foresight capability within the US government would integrate tech-intelligence assessments, per above, into comprehensive foresight-based scenarios about how the world might unfold in the future. The US government has impressive foresight capabilities already, most famously those provided by the National Intelligence Council (NIC). However, for a variety of reasons, including distance from the center of executive power, neither the NIC nor other foresight offices within the US government currently perform a foresight function described here. The US government should institutionalize a foresight function within or closely adjacent to the White House—for example, within the National Security Council or as a presidentially appointed advisory board. Doing so would give foresight the credibility and mandate to engage the most critical stakeholders from across the entire government and from outside of it, a model followed by leading public foresight offices around the world.⁵⁶ This recommendation is consistent with numerous others put forward by experts over the past decade, which stress how the US government needs to give foresight more capabilities while bringing it closer to the office of the president.⁵⁷
Improved S&T strategy and policy coordination: One of the major challenges facing the US government concerns internal coordination around S&T strategy and policy. As technology is a broad and multidimensional category, the government’s activities are equally broad, covered by numerous statutes, executive orders, and administrative decisions. One of many results is a multiplicity of departments and agencies responsible for administering the many different pieces of the tech equation, from investment to development to monitoring, regulation, and enforcement. In just the area of critical technology oversight and control, for example, numerous departments including Commerce, State, Defense, Treasury, Homeland Security, and Justice, plus agencies from the Intelligence Community, all have responsibilities under various programs.⁵⁸

Moreover, the US government’s approach to tech oversight tends to focus narrowly on control of specific technologies, which leads to an underappreciation of the broader contexts in which technologies are used. A report issued in 2022 by the National Academies of Sciences, Engineering, and Medicine argued that the US government’s historic approach to tech-related risks is done through assessing individual critical technologies, defining the risks associated with each, and then attempting to restrict who can access each type of technology. Given that technologies now are “ubiquitous, shared, and multipurpose,” the National Academies asserted, a smarter approach would be to focus on the motives of bad-faith actors to use technologies and then define the accompanying risks.⁵⁹ This approach “requires expertise that goes beyond the nature of the technology to encompass the plans, actions, capabilities, and intentions of US adversaries and other bad actors, thus involving experts from the intelligence, law enforcement, and national defense communities in addition to agency experts in the technology.”⁶⁰

US Secretary of State Antony Blinken meets with Chinese President Xi Jinping in the Great Hall of the People in Beijing, China, June 19, 2023. REUTERS

Major risks

There are two major sets of risks accompanying this strategy, both of which involve the potential damage that might result from failure to keep the strategic competition within acceptable boundaries.

Decoupling run amok: Overreach is one of the biggest risks associated with this strategy. Geopolitical and economic goals contradict, and it can be difficult to determine where to draw the line. As such, reconciling this dilemma will be the hardest part of a coherent and effective competition strategy.

Technology decoupling to preserve geopolitical advantages can be at odds with economic interests, which the United States is currently experiencing in the context of semiconductors. The October 7, 2022, export controls were deemed necessary for geopolitical reasons, as the White House’s official rationale for the policy centered around the use of semiconductors for military modernization and violation of human rights. However, limiting the ability of US companies like Nvidia, Applied Materials, KLA, and Lam Research to export their products and services to China, in addition to applying complex compliance burdens on these firms, has the potential to affect these firms’ ability to compete in the global semiconductor industry.

In addition, the continued deployment of decoupling tactics like export controls can put allies and partners in a position where they feel forced to choose sides between the United States and China. On the October 7 export controls, it took months to convince the Netherlands and Japan—two critical producer nations in the semiconductor supply chain whose participation is critical to the success of these export controls—to get on board with US policy.⁶¹ Even now, although media reporting says an agreement has been reached, no details of the agreements have been made public, likely due to concerns surrounding Chinese retaliation.

These issues are not exclusive to trade controls or protect measures. On the promote side, the IRA has also put South Korea in a difficult position as it relates to EVs and related components. When first announced, many on the South Korean side argued that the EV provisions of the IRA violated trade rules. At one point in late 2022, the South Korean government considered filing a complaint with the WTO over the issue.⁶² Although things seem to have cooled between Washington and Seoul—and the Netherlands and Japan have officially, albeit privately, agreed to join the US on semiconductor controls—these two instances should be lessons for US policymakers in how to approach technology policies going forward. Policies that push allies and partners too hard to decouple from the Chinese market are likely to be met with resistance, as many (if not all) US allies have deeply woven ties with Chinese industry, and often do not have the same domestic capabilities or resources that the United States has that can insulate us from potential harm. China is acutely aware of this, and will likely continue to take advantage of this narrative to convince US allies to not join in US decoupling efforts. China has historically leveraged economic punishments against countries for a variety of reasons, so US policymakers should be sure to incorporate this reality into their policy planning to ensure that allies are not put in tough positions.

Recently, government officials within the Group of Seven (G7) have been using the term “de-risking ” instead of “decoupling.” The term was first used by a major public official during a speech by Ursula von der Leyen, president of the European Commission, in a March 2023 speech where she called for an “open and frank” discussion with China on contentious issues.⁶³ The term was used again in the G7 communique of May 2023: economic security should be “based on diversifying and deepening partnerships and de-risking, not de-coupling.”⁶⁴ This rhetorical shift represents a recognition that full economic decoupling from China is unwise, and perhaps impossible. Moreover, it also is a tacit admission that decoupling sends the wrong signals not only to China, but to the private sector in the West as well.

In the authors’ opinion, de-risking is superior to decoupling as a rhetorical device—but changes in phrasing do not solve the underlying problem for policymakers in the United States, Europe, East Asia, and beyond. That underlying problem is to define and then implement a coherent strategy, coordinated across national capitals, that manages to enable them to stay a step ahead of China in the development of cutting-edge technology while preventing an economically disastrous trade war with China.
Harm to global governance: Another major set of risks involves the harms to global governance should the strategic competition between the United States and China continue on its current trajectory. Although the strategy outlined in these pages emphasizes, under the coordination pillar, maintenance of global governance architecture—the norms, institutions, pathways, laws, good-faith behavior, and so on that guide technology development—there is no guarantee that China and the United States, along with other important state and nonstate actors, will be able to do so given conflicting pressures to reduce or eliminate cooperative behavior.

Tragic outcomes of this strategic competition, therefore, would be: failure to continue cooperation regarding development of norms and standards that should guide S&T research; and failure to continue S&T research cooperation focused on solving global-commons challenges such as pandemics and climate change.

Any reduction in cooperation among the United States, China, and other leading S&T-research countries will harm the ability to establish norms and standards surrounding tech development in sensitive areas—for instance, in AI or biotechnology. As recent global conversations about the risks associated with rapid AI development show, effective governance of these powerful emerging technologies is no idle issue.⁶⁵

Even under the best of circumstances, however, global governance of such technologies is exceedingly difficult. For example, Gigi Kwik Gronvall, an immunologist and professor at Johns Hopkins University, has written that biotechnology development is “inherently international and cannot be controlled by any international command and control system” and that, therefore, “building a web of governance, with multiple institutions and organizations shaping the rules of the road, is the only possibility for [effective] governance.”⁶⁶ By this, she meant that—although a single system of rules for governing the biotechnology development is impossible to create given the speed of biotech research and multiplicity of biotech research actors involved (private and public-sector labs, etc.) around the world—it is possible to support a “web of governance” institutions such as the WHO that set norms and rules. Although this system is imperfect, as she admits, it is much better than the alternative, which is to have no governance web at all. The risk of a weak or nonexistent web becomes much more real if the United States, China, and other S&T leaders fail to cooperate in strengthening it.

Conclusions and recommendations

The arguments advanced in this paper provide an overview of the range and diversity of policy questions that must be taken into consideration when formulating strategies to compete with China in science and technology. This final section offers a set of recommendations that follow from this analysis.

Restore and sustain public R&D funding for scientific and technological advancement. As noted in this paper, public investment in R&D—most critically, federal-government investment in R&D—has been allowed to atrophy since the end of the Cold War. Although private-sector investment was then, and is now, a critical component of the nation’s R&D spending, public funding is also imperative for pure scientific research (versus applied research) and for funneling R&D toward ends that are in the public interest (defense, public health, etc.). Although the CHIPS and Science Act and the IRA both pledge massive increases in the amount of federal R&D investment, there is no guarantee that increased funding will be sustained over time. Less than a year after the CHIPS Act was signed into law, funding levels proposed in Congress and by the White House have fallen well short of amounts specified in the act.⁶⁷
Improve and sustain STEM education and skills training across K–12, university, community college, technical schools. It is widely recognized that the United States has fallen behind peer nations in STEM education and training at all levels, from K–12 through graduate training.⁶⁸ Although the Biden administration’s signature pieces of legislation, including the CHIPS Act, address this problem through increased funding vehicles for STEM education and worker-training programs, the challenge for policymakers will be to sustain interest in, and levels of funding for, such programs well into the future, analogous to the federal R&D spending challenge. Other related problems include the high cost of higher education, driven in part by lower funding by US states, that drives students into long-term indebtedness, and the need to boost participation in (and reduce stigma around) STEM-related training at community colleges and technical schools.⁶⁹ Germany’s well-established, well-funded, and highly respected technical apprenticeship programs are models.⁷⁰
Craft a more diverse tech sector. A closely related challenge is to ensure that the tech sector in the United States reflects the country’s diversity, defined in terms of gender, ethnicity, class, and geography. This is a long-term challenge that has multiple roots and many different pathways to success, including public investment in education, training, and apprenticeship programs, among other things.⁷¹ Among the most challenging problems (with potentially the most beneficial solutions) are those rooted in economic geography—specifically regional imbalances in the knowledge economy, where places like Silicon Valley and Boston steam ahead and many other places fall behind. As in other areas, recent legislation including the IRA, CHIPS Act, and IIJA have called for billions in funding to spread the knowledge economy to a greater number of “tech hubs” around the country. As with other pieces of the investment equation, however, there is no guarantee that billions will be allocated under current legislation.⁷²
Attract and retain high-skilled talent from abroad. One of the United States’ enduring strengths is its ability to attract and retain the world’s best talent, which has been of enormous benefit to its tech sector. A December 2022 survey conducted by the National Bureau of Economic Research (NBER), for example, found that between 1990 and 2016, about 16 percent of all inventors in the United States were immigrants, who, in turn, were responsible for 23 percent of all patents filed during the same period.⁷³ Although the United States is still the top destination for high-skilled migrants, other countries have become more attractive in recent years, owing to foreign countries’ tech-savvy immigration policies and problems related to the US H-1B visa system.⁷⁴
Support whole-of-government strategy development. This paper stresses the need to improve strategic decision-making regarding technology through improving (or relocating) interagency processes and foresight and intelligence capabilities. One recommendation is to follow the suggestion by the National Academies of Sciences, Engineering, and Medicine, and bring a whole-of-government strategic perspective together under the guidance of the White House.⁷⁵ Such a capacity would bring under its purview and/or draw upon a tech-focused foresight capacity, as well as an improved tech-focused intelligence apparatus (see below). The CHIPS Act contains provisions that call for development of quadrennial S&T assessments followed by technology strategy formulation, both to be conducted by the White House’s Office of Science Technology and Policy (OSTP).⁷⁶ A bill that was introduced in June 2022 by Senators Michael Bennet, Ben Sasse, and Mark Warner (and reintroduced in June 2023) would, if passed, create an Office of Global Competition Analysis, the purpose of which would be to “fuse information across the federal government, including classified sources, to help us better understand U.S. competitiveness in technologies critical to our national security and economic prosperity and inform responses that will boost U.S. leadership.”⁷⁷
Ensure private sector firms remain at the cutting edge of global competitiveness. Policymakers will need to strengthen the enabling environment to allow US tech firms to meet and exceed business competition from around the world. Doing so will require constant monitoring of best-practice policy development elsewhere, based on the presumption that other countries are tweaking their own policies to outcompete the United States. Policymakers will need to properly recalibrate, as appropriate and informed by best practices, an array of policy instruments including labor market and immigration policies, types and level of infrastructural investments, competition policies, forms of direct and indirect support, and more. An Office of Global Competition Analysis, as referred to above, might be an appropriate mechanism to conduct the horizon scanning tasks necessary to support this recommendation.
Improve S&T intelligence and counterintelligence. Consistent with the observations about shortcomings in the US Intelligence Community regarding S&T collection, analysis, and dissemination, some analysts have floated creation of an S&T intelligence capability outside the Intelligence Community itself. This capability would be independent of other agencies and departments within the government and would focus on collection and analysis of S&T intelligence for stakeholders within and outside of the US government, as appropriate.⁷⁸
Ensure calibrated development and application of punitive measures. As this paper has stressed at multiple points, although the US government has powerful protect measures at its disposal, implementing those measures often comes with a price, including friction with allies and partners. The US government should create an office within the Bureau of Industry and Security (BIS) at the Commerce Department to monitor the economic impact (intended and unintended) of its export-control policies on global supply chains before they are implemented (including impacts on allied and partner economies).⁷⁹ This office would have a function that is similar in intent to the Sanctions Economic Analysis Unit, recently established at the US Treasury to “research the collateral damage of sanctions before they’re imposed, and after they’ve been put in place to see if they should be adjusted.”⁸⁰
Build out and sustain robust multilateral institutions. This paper has stressed that any effort by the United States to succeed in its tech-focused competition with China will require that it successfully engage allies and partners in multilateral settings such as the EU-TTC, Quad, and others. As with so many other recommendations on this list, success will be determined by the degree to which senior policymakers can stay focused over the long run (i.e., across administrations) on this priority and in these multilateral forums. In addition, US policymakers might consider updating multilateral forums based on new realities. For example, some analysts have called for the creation of a new multilateral export-control regime that would have the world’s “techno-democracies…identify together the commodities, software, technologies, end uses, and end users that warrant control to address shared national security, economic security, and human rights issues.”⁸¹
Engagement with China cannot be avoided. The downturn in bilateral relations between the United States and China should not obscure the need to continue engaging China on S&T as appropriate, and as opportunities arise. There are zero-sum tradeoffs involved in the strategic competition with China over technology. At the same time, there are also positive-sum elements within that competition that need to be preserved or even strengthened. As the Ford-CATL Michigan battery-plant example underscores, trade in nonstrategic technologies (EVs, batteries, etc.) benefits both countries, assuming trade occurs on a level playing field. The same is true of science cooperation, where the risk is of global scientific research on climate change and disease prevention shrinking if Sino-American scientific exchange falls dramatically. Policymakers in the United States will need to accept some amount of S&T collaboration risk with China. They will need to decide what is (and is not) of highest risk and communicate that effectively to US allies and partners around the world, the scientific community, and the general public.

The authors would like to thank Noah Stein for his research assistance with this report.

Report authors

Staff

Peter Engelke

Global Energy Center Scowcroft Center for Strategy and Security

Technology & Innovation Europe & Eurasia

Fellow

Emily Weinstein

Nonresident Fellow

Global China Hub

China Technology & Innovation

Explore the Strategy Paper Series

Atlantic Council Strategy Paper Series Dec 21, 2022

Global Foresight 2023

In this year’s Global Foresight edition, our experts identify the top risks and opportunities for 2023. Our foresight team spots “snow leopards” that could have major unexpected impacts in 2023 and beyond. And we share findings from our survey of global strategists and foresight practitioners on how human affairs could unfold over the next decade.

Atlantic Council Strategy Paper Series Nov 30, 2022

Preparing for victory: A long-haul strategy to help Ukraine win the war against Russia—and secure the peace

By Stephen J. Hadley, William Taylor, John E. Herbst, Matthew Kroenig, Melinda Haring, and Jeffrey Cimmino

Ukraine’s counteroffensives, backed by expanded and accelerated US and allied support, continue to push Russian forces out of Ukrainian territory, although at a reduced rate. These hard-won successes, however, bring with them possible challenges that also must be addressed.

Europe & Eurasia Politics & Diplomacy

Report Dec 22, 2021

Seizing the advantage: A vision for the next US national defense strategy

By Clementine G. Starling, Tyson Wetzel, Christian Trotti

In this latest installment of the Atlantic Council Strategy Papers series, Forward Defense’s Clementine Starling, Lt Col Tyson Wetzel, and Christian Trotti articulate their vision and recommendations for the next US National Defense Strategy, including clearer prioritization, investments and divestments, reposturing of US forces, a new warfighting concept, and a focus on transnational threats like hybrid warfare and climate change.

China Defense Industry

Strategic Insights Memo Apr 24, 2023

Assessing China’s approach to technological competition with the United States

By Peter Engelke, Emily Weinstein

This past winter, the Scowcroft Center for Strategy and Security and the Global China Hub convened experts and officials in a private workshop to discuss how China views technological competition with the United States.

China Politics & Diplomacy

Strategic Insights Memo Nov 15, 2022

Designing domestic and multilateral strategies for maintaining technological superiority

By Peter Engelke, Emily Weinstein

This fall, the Scowcroft Center for Strategy and Security and the Global China Hub convened experts and officials in a private workshop to discuss how the United States, in conjunction with allies and partners, might design strategies to maintain technological superiority over China. The workshop explored the necessary components of a competitive strategy via both “protect” and “run faster” policies. This memo draws from insights gathered during the workshop to give policy makers a better understanding of the potential tools in the strategic arsenal.

China Defense Technologies

Strategic Insights Memo Jul 19, 2022

Toward coherence in tech competition with China

By Peter Engelke, Emily Weinstein

This June, the Scowcroft Center for Strategy and Security and the Global China Hub convened experts and officials in a private workshop to discuss technological competition between the United States, its allies and partners, and their biggest global competitor, China. The workshop explored the stakes in this competition across economic, military, and other domains, as well as the challenges facing Washington and its allies and partners with respect to China’s rising technological capabilities. This memo draws from insights gleaned during the workshop to give policymakers a better understanding of this competition, it stakes, and the strategic choices facing the United States and its allies and partners.

China Defense Technologies

Explore the programs

The Scowcroft Center for Strategy and Security works to develop sustainable, nonpartisan strategies to address the most important security challenges facing the United States and the world.

Global China Hub

The Global China Hub researches and devises allied solutions to the global challenges posed by China’s rise, leveraging and amplifying the Atlantic Council’s work on China across its 15 other programs and centers.

Explore more

1 Although China likely will not close the spending gap with the United States by the mid-2030s, current spending trajectories strongly suggest that China will have narrowed the gap considerably. See the US-China bilateral comparison in: “Asia Power Index 2023,” Lowy Institute, last visited June 13, 2023, https://power.lowyinstitute.org; “China v America: How Xi Jinping Plans to Narrow the Military Gap,” Economist, May 8, 2023, https://www.economist.com/china/2023/05/08/china-v-america-how-xi-jinping-plans-to-narrow-the-military-gap.

2 See, e.g., the arguments presented by: Bryce Barros, Nathan Kohlenberg, and Etienne Soula, “China and the Digital Information Stack in the Global South,” German Marshall Fund, June 15, 2022, https://securingdemocracy.gmfus.org/china-digital-stack/.

3 For a brief overview of China’s efforts in this regard, see: Bulelani Jili, China’s Surveillance Ecosystem and the Global Spread of Its Tools, Atlantic Council, October 17, 2022, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/chinese-surveillance-ecosystem-and-the-global-spread-of-its-tools/.

4 For background to these practices, see: Karen M. Sutter, ““Made in China 2025’ Industrial Policies: Issues for Congress,” Congressional Research Service, March 10, 2023, https://sgp.fas.org/crs/row/IF10964.pdf; Gerard DiPippo, Ilaria Mazzocco, and Scott Kennedy, “Red Ink: Estimating Chinese Industrial Policy Spending in Comparative Perspective,” Center for Strategic and International Studies, May 23, 2022, https://www.csis.org/analysis/red-ink-estimating-chinese-industrial-policy-spending-comparative-perspective; “America Is Struggling to Counter China’s Intellectual Property Theft,” Financial Times, April 18, 2022, https://www.ft.com/content/1d13ab71-bffd-4d63-a0bf-9e9bdfc33c39; “USTR Releases Annual Report on China’s WTO Compliance,” Office of the United States Trade Representative, February 16, 2022, press release, 3, https://ustr.gov/about-us/policy-offices/press-office/press-releases/2022/february/ustr-releases-annual-report-chinas-wto-compliance.

5 On China and technical standards, see: Matt Sheehan, Marjory Blumenthal, and Michael R. Nelson, “Three Takeaways from China’s New Standards Strategy,” Carnegie Endowment for International Peace, October 28, 2021, https://carnegieendowment.org/2021/10/28/three-takeaways-from-china-s-new-standards-strategy-pub-85678.

6 China’s current (2023) AI regulations are generally seen as more developed than those in either Europe or the United States. However, analysts argue that the individual rights and corporate responsibilities to protect them, as outlined in China’s regulations, will be selectively enforced, if at all, by the state. See: Ryan Heath, “China Races Ahead of U.S. on AI Regulation,” Axios, May 8, 2023, https://www.axios.com/2023/05/08/china-ai-regulation-race.

7 The scientific community has warned that this scenario is a real risk, owing to heightened Sino-American tension. James Mitchell Crow, “US–China partnerships bring strength in numbers to big science projects,” Nature, March 9, 2022, https://www.nature.com/articles/d41586-022-00570-0.

8 Deng Xiaoping’s reforms included pursuit of “Four Modernizations” in agriculture, industry, science and technology, and national defense. In the S&T field, his reforms included massive educational and worker-upskilling programs, large investments in scientific research centers, comprehensive programs to send Chinese STEM (science, technology, engineering, and math) students abroad for advanced education and training, experimentation with foreign technologies in manufacturing and other production processes, and upgrading of China’s military to include a focus on development of dual-use technologies. Bernard Z. Keo, “Crossing the River by Feeling the Stones: Deng Xiaoping in the Making of Modern China,” Education About Asia 25, 2 (2020), 36, https://www.asianstudies.org/publications/eaa/archives/crossing-the-river-by-feeling-the-stones-deng-xiaoping-in-the-making-of-modern-china/.

9 Dan Wang, “China’s Hidden Tech Revolution: How Beijing Threatens U.S. Dominance,” Foreign Affairs, March/April 2023, https://www.foreignaffairs.com/china/chinas-hidden-tech-revolution-how-beijing-threatens-us-dominance-dan-wang.

10 “Full Text of Clinton’s Speech on China Trade Bill,” Federal News Service, March 9, 2000, https://www.iatp.org/sites/default/files/Full_Text_of_Clintons_Speech_on_China_Trade_Bi.htm.

11 “Speech by President Jiang Zemin at George Bush Presidential Library,” Ministry of Foreign Affairs of the PRC, October 24, 2002, https://perma.cc/7NYS-4REZ; G. John Ikenberrgy, “The Rise of China and the Future of the West: Can the Liberal System Survive?” Foreign Affairs 87, 1, (2008), https://www.jstor.org/stable/20020265.

12 Elizabeth Economy, “Changing Course on China,” Current History 102, 665, China and East Asia (2003), https://www.jstor.org/stable/45317282; Thomas W. Lippman, “Bush Makes Clinton’s China Policy an Issue,” Washington Post, August 20, 1999, https://www.washingtonpost.com/wp-srv/politics/campaigns/wh2000/stories/chiwan082099.htm.

13 Kurt M. Campbell and Ely Ratner, “The China Reckoning: How Beijing Defied American Expectations,” Foreign Affairs, February 18, 2018, https://www.foreignaffairs.com/articles/china/2018-02-13/china-reckoning.

14 “Number of Tourist Arrivals in the United States from China from 2005 to 2022 with Forecasts until 2025,” Statista, April 11, 2023, https://www.statista.com/statistics/214813/number-of-visitors-to-the-us-from-china/; and “Visa Statistics,” U.S. Department of State, https://travel.state.gov/content/travel/en/legal/visa-law0/visa-statistics.html.

15 “Direct Investment Position of the United States in China from 2000 to 2021,” Statista, January 26, 2023, https://www.statista.com/statistics/188629/united-states-direct-investments-in-china-since-2000/.

16 Robbie Gramer, “Washington’s China Hawks Take Flight,” Foreign Policy, February 15, 2023, https://foreignpolicy.com/2023/02/15/china-us-relations-hawks-engagement-cold-war-taiwan/; Sam LaGrone, “China Sends Uninvited Spy Ship to RIMPAC,” USNI News, July 18, 2014, https://news.usni.org/2014/07/18/china-sends-uninvited-spy-ship-rimpac.

17 “Findings of the Investigations into China’s Acts, Policies, and Practices Related to Technology Transfer, Intellectual Property, and Innovation Under Section 301 of the Trade Act of 1974,” Office of the United States Trade Representative, March 22, 2018, https://ustr.gov/sites/default/files/Section%20301%20FINAL.PDF. When asked in November 2018 if China was violating the 2015 cyber-espionage agreement, senior National Security Agency cybersecurity official Rob Joyce said, “it’s clear that they [China] are well beyond the bounds today of the agreement that was forced between our countries.” See: “U.S. Accuses China of Violating Bilateral Anti-Hacking Deal,” Reuters, November 8, 2018, https://www.reuters.com/article/us-usa-china-cyber/u-s-accuses-china-of-violating-bilateral-anti-hacking-deal-idUSKCN1NE02E.

18 Jacob Feldgoise, et. al, “Studying Tech Competition through Research Output: Some CSET Best Practices,” Center for Security and Emerging Technology, April 2023, https://cset.georgetown.edu/article/studying-tech-competition-through-research-output-some-cset-best-practices.

19 The World Intellectual Property Organization’s annual “Global Innovation Index,” considered the gold standard rankings assessment of the world’s tech-producing economies, ranks South Korea sixth and Japan thirteenth in the 2022 edition. “Global Innovation Index 2022. What Is the Future of Innovation-Driven Growth?” World Intellectual Property Organization, 2022, https://www.globalinnovationindex.org/analysis-indicator.

20 For a general review of the Japanese case, see: Mireya Solis, “Economic Security: Boon or Bane for the US-Japan Alliance?,” Sasakawa Peace Foundation USA, November 5–6, 2022, https://spfusa.org/publications/economic-security-boon-or-bane-for-the-us-japan-alliance/#_ftn19. For the South Korean case, see: Seong-Ho Sheen and Mireya Solis, “How South Korea Sees Technology Competition with China and Export Controls,” Brookings, May 17, 2023, https://www.brookings.edu/blog/order-from-chaos/2023/05/17/how-south-korea-sees-technology-competition-with-china-and-export-controls/.

21 Jeremy Mark and Dexter Tiff Roberts, United States–China Semiconductor Standoff: A Supply Chain under Stress, Atlantic Council, February 23, 2023, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/united-states-china-semiconductor-standoff-a-supply-chain-under-stress/.

22 Yang Jie and Megumi Fujikawa, “Tokyo Meeting Highlights Democracies’ Push to Secure Chip Supplies,” Wall Street Journal, May 18, 2023, https://www.wsj.com/articles/tokyo-meeting-highlights-democracies-push-to-secure-chip-supplies-54e1173d?mod=article_inline; “US Urges South Korea not to Fill Chip Shortfalls in China if Micron Banned, Financial Times Reports,” Reuters, April 23, 2023, https://www.reuters.com/technology/us-urges-south-korea-not-fill-china-shortfalls-if-beijing-bans-micron-chips-ft-2023-04-23/.

23 See, e.g., the arguments in: Matias Spektor, “In Defense of the Fence Sitters. What the West Gets Wrong about Hedging,” Foreign Affairs, May/June 2023, https://www.foreignaffairs.com/world/global-south-defense-fence-sitters.

24 On the expansion of trade under Bretton Woods during the first postwar decades, see: Tamim Bayoumi, “The Postwar Economic Achievement,” Finance & Development, June 1995, https://www.elibrary.imf.org/view/journals/022/0032/002/article-A013-en.xml.

25 For a review of the history of the bilateral trade relationship, see: Anshu Siripurapu and Noah Berman, “Backgrounder: The Contentious U.S.-China Trade Relationship,” Council on Foreign Relations, December 5, 2022, https://www.cfr.org/backgrounder/contentious-us-china-trade-relationship.

26 Eric Martin and Ana Monteiro, “US-China Goods Trade Hits Record Even as Political Split Widens,” Bloomberg, February 7, 2023, https://www.bloomberg.com/news/articles/2023-02-07/us-china-trade-climbs-to-record-in-2022-despite-efforts-to-split?sref=a9fBmPFG#xj4y7vzkg

27 Neal E. Boudette and Keith Bradsher, “Ford Will Build a U.S. Battery Factory with Technology from China,” New York Times, February 13, 2023, https://www.nytimes.com/2023/02/13/business/energy-environment/ford-catl-electric-vehicle-battery.html.

28 “Tracking the Collaborative Networks of Five Leading Science Nations,” Nature 603, S10–S11 (2022), https://www.nature.com/articles/d41586-022-00571-z.

29 “Protecting U.S. Technological Advantage,” National Academies of Sciences, Engineering, and Medicine, 2022, 12, https://doi.org/10.17226/26647.

30 Robert W. Seidel, “Science Policy and the Role of the National Laboratories,” Los Alamos Science 21 (1993), 218–226, https://sgp.fas.org/othergov/doe/lanl/pubs/00285712.pdf.

31 The federal government’s hand in creating Silicon Valley is well known. For a short summary, see: W. Patrick McCray, “Silicon Valley: A Region High on Historical Amnesia,” Los Angeles Review of Books, September 19, 2019, https://lareviewofbooks.org/article/silicon-valley-a-region-high-on-historical-amnesia/. A forceful defense of the federal government’s role in creating and sustaining Silicon Valley is: Jacob S. Hacker and Paul Pierson, “Why Technological Innovation Relies on Government Support,” Atlantic, March 28, 2016, https://www.theatlantic.com/politics/archive/2016/03/andy-grove-government-technology/475626/.

32 Robert D. Atkinson, “Understanding the U.S. National Innovation System, 2020,” International Technology & Innovation Foundation, November 2020, 1, https://www2.itif.org/2020-us-innovation-system.pdf.

33 “National Innovation Policies: What Countries Do Best and How They Can Improve,” International Technology & Innovation Foundation, June 13, 2019, 82, https://itif.org/publications/2019/06/13/national-innovation-policies-what-countries-do-best-and-how-they-can-improve/; “Historical Trends in Federal R&D, Federal R&D as a Percent of GDP, 1976-2023,” American Association for the Advancement of Science, last visited June 13, 2023, https://www.aaas.org/programs/r-d-budget-and-policy/historical-trends-federal-rd.

34 Matt Hourihan, “A Snapshot of U.S. R&D Competitiveness: 2020 Update,” American Association for the Advancement of Science, October 22, 2020, https://www.aaas.org/news/snapshot-us-rd-competitiveness-2020-update.

35 Remco Zwetsloot, et al., “China is Fast Outpacing U.S. STEM PhD Growth,” Center for Security and Emerging Technology, August 2021, 2–4, https://cset.georgetown.edu/publication/china-is-fast-outpacing-u-s-stem-phd-growth/.

36 As reviewed in: Robert D. Atkinson, “Understanding the U.S. National Innovation System, 2020,” International Technology & Innovation Foundation, November 2020, https://www2.itif.org/2020-us-innovation-system.pdf.

37 See, e.g., the arguments laid out by Frank Lucas, chairman of the House Science, Space, and Technology Committee, in: Frank Lucas, “A Next-Generation Strategy for American Science,” Issues in Science and Technology 39, 3, Spring 2023, https://issues.org/strategy-american-science-lucas/.

38 “Findings of the Investigations into China’s Acts, Policies, and Practices Related to Technology Transfer, Intellectual Property, and Innovation Under Section 301 of the Trade Act of 1974”; “Threats to the U.S. Research Enterprise: China’s Talent Recruitment Plans,” Permanent Subcommittee on Investigations, Committee on Homeland Security and Governmental Affairs, US Senate, November 2019, https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/2019-11-18%20PSI%20Staff%20Report%20-%20China’s%20Talent%20Recruitment%20Plans%20Updated2.pdf; Michael Brown and Pavneet Singh, “China’s Technology Transfer Strategy: How Chinese Investments in Emerging Technology Enable A Strategic Competitor to Access the Crown Jewels of U.S. Innovation,” Defense Innovation Unit Experimental (DIUx), January 2018, https://www.documentcloud.org/documents/4549143-DIUx-Study-on-China-s-Technology-Transfer.

39 Steven F. Hill, et. al, “Trump Administration Significantly Enhances Export Control Supply Chain Restrictions on Huawei,” K&L Gates, September 2020, https://www.klgates.com/Trump-Administration-Significantly-Enhances-Export-Control-Supply-Chain-Restrictions-on-Huawei-9-2-2020; and “Implementation of Additional Export Controls: Certain Advanced Computing and Semiconductor Manufacturing Items; Supercomputer and Semiconductor End Use; Entity List Modification,” Bureau of Industry and Security, US Department of Commerce, October 14, 2022, https://www.federalregister.gov/documents/2022/10/13/2022-21658/implementation-of-additional-export-controls-certain-advanced-computing-and-semiconductor.

40 “The Committee on Foreign Investment in the United States,” US Department of the Treasury, last visited June 13, 2023, https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius.

41 Hans Nichols and Dave Lawler, “Biden’s Next Move to Box China out on Sensitive Tech,” Axios, May 25, 2023, https://www.axios.com/2023/05/25/china-investments-ai-semiconductor-biden-order.

42 “With Over 300 Sanctions, U.S. Targets Russia’s Circumvention and Evasion, Military-Industrial Supply Chains, and Future Energy Revenues,” US Department of the Treasury, press release, May 19, 2023, https://home.treasury.gov/news/press-releases/jy1494.

43 Tim Hwang and Emily S. Weinstein, “Decoupling in Strategic Technologies: From Satellites to Artificial Intelligence,” Center for Security and Emerging Technology, July 2022, https://cset.georgetown.edu/publication/decoupling-in-strategic-technologies/.

44 The articles were published in China’s state-run newspaper, Science and Technology Daily. Ben Murphy, “Chokepoints: China’s Self-Identified Strategic Technology Import Dependencies,” Center for Security and Emerging Technology, May 2022, https://cset.georgetown.edu/publication/chokepoints/.

45 Antony J. Blinken, “The Administration’s Approach to the People’s Republic of China,” US Department of State, May 26, 2022, https://www.state.gov/the-administrations-approach-to-the-peoples-republic-of-china/.

46 “Media Reaction: US Inflation Reduction Act and the Global ‘Clean-Energy Arms Race,’” Carbon Brief, February 3, 2023, https://www.carbonbrief.org/media-reaction-us-inflation-reduction-act-and-the-global-clean-energy-arms-race/; Théophile Pouget-Abadie, Francis Shin, and Jonah Allen, Clean Industrial Policies: A Space for EU-US Collaboration, Atlantic Council, March 10, 2023, https://www.atlanticcouncil.org/blogs/energysource/clean-industrial-policies-a-space-for-eu-us-collaboration/.

47 Shannon Tiezzi, “Are US Allies Falling out of ‘Alignment’ on China?” Diplomat, December 19, 2022, https://thediplomat.com/2022/12/are-us-allies-falling-out-of-alignment-on-china/.

48 “The Fall of Empires Preys on Xi Jinping’s Mind,” Economist, May 11, 2023, https://www.economist.com/briefing/2023/05/11/the-fall-of-empires-preys-on-xi-jinpings-mind; Kunal Sharma, “What China Learned from the Collapse of the USSR,” Diplomat, December 6, 2021, https://thediplomat.com/2021/12/what-china-learned-from-the-collapse-of-the-ussr/; Simone McCarthy, “Why Gorbachev’s Legacy Haunts China’s Ruling Communist Party,” CNN, August 31, 2022, https://www.cnn.com/2022/08/31/china/china-reaction-mikhail-gorbachev-intl-hnk/index.html.

49 For a review of the complex history of the construction and deconstruction of the Soviet Union, see: Serhii Plokhy, “The Empire Returns: Russia, Ukraine and the Long Shadow of the Soviet Union,”Financial Times, January 28, 2022, https://www.ft.com/content/0cbbd590-8e48-4687-a302-e74b6f0c905d.

50 Phelim Kine, “China ‘Is Infinitely Stronger than the Soviet Union Ever Was,’” Politico, April 28, 2023, https://www.politico.com/newsletters/global-insider/2023/04/28/china-is-infinitely-stronger-than-the-soviet-union-ever-was-00094266.

51 Hal Brands, “The Dangers of China’s Decline,” Foreign Policy, April 14, 2022, https://foreignpolicy.com/2022/04/14/china-decline-dangers/.

52 Tarun Chhabra, et al., “Open-Source Intelligence for S&T Analysis,” Center for Security and Emerging Technology (CSET), Georgetown University Walsh School of Foreign Service, September 2020, https://cset.georgetown.edu/publication/open-source-intelligence-for-st-analysis/.

53 A summary of and link to the committee’s redacted report is in: Tia Sewell, “U.S. Intelligence Community Ill-Prepared to Respond to China, Bipartisan House Report Finds,” Lawfare, September 30, 2020, https://www.lawfareblog.com/us-intelligence-community-ill-prepared-respond-china-bipartisan-house-report-finds.

54 William Hannas and Huey-Meei Chang, “China’s Access to Foreign AI Technology,” Center for Security and Emerging Technology (CSET), Georgetown University Walsh School of Foreign Service, September 2019, https://cset.georgetown.edu/publication/chinas-access-to-foreign-ai-technology/.

55 Ellen Nakashima, “Justice Department Shutters China Initiative, Launches Broader Strategy to Counter Nation-State Threats,” Washington Post, February 23, 2022, https://www.washingtonpost.com/national-security/2022/02/23/china-initivative-redo/.

56 Tuomo Kuosa, “Strategic Foresight in Government: The Cases of Finland, Singapore, and the European Union,” S. Rajaratnam School of International Studies, Nanyang Technological University, 43, https://www.files.ethz.ch/isn/145831/Monograph19.pdf.

57 For a review, including a summary of such recommendations, see: J. Peter Scoblic, “Strategic Foresight in U.S. Agencies. An Analysis of Long-term Anticipatory Thinking in the Federal Government,” New America, December 15, 2021, https://www.newamerica.org/international-security/reports/strategic-foresight-in-us-agencies/.

58 See, for example: Marie A. Mak, “Critical Technologies: Agency Initiatives Address Some Weaknesses, but Additional Interagency Collaboration Is Needed,” General Accounting Office, February 2015, https://www.gao.gov/assets/gao-15-288.pdf.

59 “Protecting U.S. Technological Advantage,” 97.

60 Ibid.

61 Toby Sterling, Karen Freifeld, and Alexandra Alper, “Dutch to Restrict Semiconductor Tech Exports to China, Joining US Effort,”Reuters, March 8, 2023, https://www.reuters.com/technology/dutch-responds-us-china-policy-with-plan-curb-semiconductor-tech-exports-2023-03-08/.

62 Troy Stangarone, “Inflation Reduction Act Roils South Korea-US Relations,” Diplomat, September 20, 2022, https://thediplomat.com/2022/09/inflation-reduction-act-roils-south-korea-us-relations/; “S. Korea in Preparation for Legal Disputes with U.S. over IRA,” Yonhap News Agency, November 3, 2022, https://en.yna.co.kr/view/AEN20221103004500320.

63 “Speech by President von der Leyen on EU-China Relations to the Mercator Institute for China Studies and the European Policy Centre,” European Commission, March 30, 2023, https://ec.europa.eu/commission/presscorner/detail/en/speech_23_2063.

64 “G7 Hiroshima Leaders’ Communiqué,” White House, May 20, 2023, https://www.whitehouse.gov/briefing-room/statements-releases/2023/05/20/g7-hiroshima-leaders-communique/.

65 See, e.g.: Kevin Roose, “A.I. Poses ‘Risk of Extinction,’ Industry Leaders Warn,” New York Times, May 30, 2023, https://www.nytimes.com/2023/05/30/technology/ai-threat-warning.html.

66 Gigi Kwik Gronvall, “Managing the Risks of Biotechnology Innovation,” Council on Foreign Relations, January 30, 2023, 7, https://www.cfr.org/report/managing-risks-biotechnology-innovation.

67 Madeleine Ngo, “CHIPS Act Funding for Science and Research Falls Short,” New York Times, May 30, 2023, https://www.nytimes.com/2023/05/30/us/politics/chips-act-science-funding.html; Matt Hourihan, Mark Muro, and Melissa Roberts Chapman, “The Bold Vision of the CHIPS and Science Act Isn’t Getting the Funding It Needs,” Brookings, May 17, 2023, https://www.brookings.edu/blog/the-avenue/2023/05/17/the-bold-vision-of-the-chips-and-science-act-isnt-getting-the-funding-it-needs/.

68 See, e.g.: Gabrielle Athanasia and Jillian Cota, “The U.S. Should Strengthen STEM Education to Remain Globally Competitive,” Center for Strategic and International Studies, April 1, 2022, https://www.csis.org/blogs/perspectives-innovation/us-should-strengthen-stem-education-remain-globally-competitive.

69 On per-student university funding at state level, see: Mary Ellen Flannery, “State Funding for Higher Education Still Lagging,” NEA Today, October 25, 2022, https://www.nea.org/advocating-for-change/new-from-nea/state-funding-higher-education-still-lagging

70 Matt Fieldman, “5 Things We Learned in Germany,” NIST Manufacturing Innovation Blog, December 14, 2022, https://www.nist.gov/blogs/manufacturing-innovation-blog/5-things-we-learned-germany.

71 For a review, see: Peter Engelke and Robert A. Manning, Keeping America’s Innovative Edge, Atlantic Council, April 2017, https://www.atlanticcouncil.org/in-depth-research-reports/report/keeping-america-s-innovative-edge-2/.

72 To date, Congress has allocated only 5 percent of the funds called for in the piece of the CHIPS Act that funds the tech hubs. Madeleine Ngo, “CHIPS Act Funding for Science and Research Falls Short,” New York Times, May 30, 2023, https://www.nytimes.com/2023/05/30/us/politics/chips-act-science-funding.html; Mark Muro, et al., “Breaking Down an $80 Billion Surge in Place-Based Industrial Policy,” Brookings, December 15, 2022, https://www.brookings.edu/blog/the-avenue/2022/12/15/breaking-down-an-80-billion-surge-in-place-based-industrial-policy/.

73 Shai Bernstein, et al., “The Contribution of High-Skilled Immigrants to Innovation in the United States,” National Bureau of Economic Research, December 2022, 3, https://www.nber.org/papers/w30797.

74 Miranda Dixon-Luinenburg, “America Has an Innovation Problem. The H-1B Visa Backlog Is Making It Worse,” Vox, July 13, 2022, https://www.vox.com/future-perfect/23177446/immigrants-tech-companies-united-states-innovation-h1b-visas-immigration.

75 “Protecting U.S. Technological Advantage,” 98–99.

76 Matt Hourihan, “CHIPS And Science Highlights: National Strategy,” Federation of American Scientists, August 9, 2022, https://fas.org/publication/chips-national-strategy/.

77 “Press Release: Bennet, Sasse, Warner Unveil Legislation to Strengthen U.S. Technology Competitiveness,” Office of Michael Bennet, June 9, 2022, https://www.bennet.senate.gov/public/index.cfm/2022/6/bennet-sasse-warner-unveil-legislation-to-strengthen-u-s-technology-competitiveness.

78 Tarun Chhabra, et al., “Open-Source Intelligence for S&T Analysis,” Center for Security and Emerging Technology (CSET),Georgetown University Walsh School of Foreign Service, September 2020, https://cset.georgetown.edu/publication/open-source-intelligence-for-st-analysis/.

79 Emily Weinstein, “The Role of Taiwan in the U.S. Semiconductor Supply Chain Strategy,” National Bureau of Asian Research, January 21, 2023, https://www.nbr.org/publication/the-role-of-taiwan-in-the-u-s-semiconductor-supply-chain-strategy/.

80 Daniel Flatley, “US Treasury Hires Economists to Study Consequences of Sanctions,” Bloomberg, May 17, 2023, https://www.bloomberg.com/news/articles/2023-05-18/us-treasury-hires-economists-to-study-consequences-of-sanctions?sref=a9fBmPFG.

81 Kevin Wolf and Emily S. Weinstein, “COCOM’s daughter?” World ECR, May 13, 2022, 25, https://cset.georgetown.edu/wp-content/uploads/WorldECR-109-pp24-28-Article1-Wolf-Weinstein.pdf.

The post Global Strategy 2023: Winning the tech race with China appeared first on Atlantic Council.

The 5×5—Cyber conflict in international relations: A scholar’s perspective

Simon Handler — Tue, 20 Jun 2023 04:01:00 +0000

This article is part of The 5×5, a monthly series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the 5×5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at SHandler@atlanticcouncil.org.

Over the past decade, scholarly debate over the topic of cyber conflict’s place in international relations has evolved significantly. The idea that cyber tools would fundamentally change the nature of war and warfare has largely given way to the idea that cyber conflict is merely a different way of doing the same old things, and primarily suited for engaging in an intelligence contest. Other, less settled questions range from whether cyber operations are useful tools of signaling to if these operations lead to escalation. These unsettled questions remain active in scholarly literature and, critically, inform policymaking approaches.

We brought together a group of leading scholars to provide insights on cyber conflict’s role in international relations, how the topic can best be taught to students, and how scholars and policymakers can better incorporate each other’s perspectives.

 #1 What, in your opinion, is the biggest misconception about cyber conflict’s role in international relations theory?

Andrew Dwyer, lecturer in information security, Department of Information Security, Royal Holloway, University of London; steering committee lead, Offensive Cyber Working Group:

“[The biggest misconception is] that cyberspace is malleable and controllable. The environment is often presented tangentially and, when it is, it is often about how people use the terrains of computation. I think that a lack of attention on how the environment ‘shapes’ people is one of the greatest missing parts of international relations thought. Simply, the environment and terrain have much more impact than is typically accounted for.”

Melissa Griffith, lecturer in technology and national security, Johns Hopkins University School of Advanced International Studies (SAIS) and the Alperovitch Institute for Cybersecurity Studies; non-resident research fellow, University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC):

“Much of the scholarship focused on the intersection between cyber conflict and international relations theory has concentrated on capturing the nature of the evolving cyber threat. This has led, in turn, to ongoing and vibrant debates over whether (a) deterrence strategies are feasible or valuable, (b) cyberspace favors the offense or defense, (c) cyber operations are useful tools for coercion, (d) cyberspace is escalatory, or (e) strategic competition in cyberspace is best understood as an intelligence contest, for example. While these are important areas of focus, they have previously overshadowed other lines of inquiry. Such as, why we see variation in how states respond in practice, a line of inquiry that requires leveraging international relations theories beyond those focused on grappling with what best captures the dynamics of this new threat space as a whole.”

Richard Harknett, professor & director, School of Public and International Affairs (SPIA); chair, Center for Cyber Strategy and Policy (CCSP), University of Cincinnati:

“[The biggest misconception is] that the most salient impact of cyber operations should be in conflict; that is, the equivalent of armed attack and warfighting. Much of cybersecurity studies, itself, has focused on the construct of cyber war and thus international relations theory has primarily treated ‘cyber’ as another form of war, when the majority of state cyber activity is actually a strategic attempt to gain relative power via an alternative to war. I argue from a realist-structuralist perspective that the most fascinating theoretical question is the interplay between states struggle for autonomy and the organizing principle of interconnectedness that defines the cyber strategic environment.”

Jenny Jun, research fellow, CyberAI Project, Center for Security and Emerging Technology; nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; Ph.D. candidate, Department of Political Science, Columbia University:

“It is much more useful to think that conflict and competition have cyber dimensions to them, rather than to think that cyber conflict occurs in isolation.”

Jon Lindsay, associate professor, School of Cybersecurity and Privacy, Sam Nunn School of International Affairs, Georgia Institute of Technology:

“The biggest misconception remains that cyber operations are a revolution in military affairs akin to the invention of nuclear weapons. Cyber ‘conflict’ is better understood as the digital dimension of intelligence competition, between both state and nonstate competitors, which is an increasingly important and still understudied dimension of international relations.”

Michael Poznansky, associate professor, Strategic & Operational Research Department, US Naval War College; core faculty member, Cyber & Innovation Policy Institute:

Disclaimer: The opinions expressed below are the author’s alone and do not represent those of the U.S. Naval War College, the Department of Navy, the Department of Defense, or any government entity.

“One potential misconception is that we need entirely new theoretical frameworks to understand cyber conflict. Are there are distinctive attributes of cyberspace that should give us pause from unthinkingly applying existing international relations theories to it? You bet. But the real task—which many have been doing and are continuing to do—is to figure out where we can apply existing theories, perhaps with certain modifications, and where novel frameworks are genuinely needed.”

#2 What would you like to see change about how cyber conflict is widely taught?

Dwyer: “As much as there is frequent discussion about ‘interdisciplinarity’ in the study of cyber conflict, all too often we teach through and in silos. That is, we teach ‘from’ an angle, whether that be international relations, computer science, psychology, and so on. I think this does a disservice to the study of cyber conflict. I am not claiming for a wholly radical empiricism here, but about one that is less grounded in theory as a starting place for exploration.”

Griffith: “Notably, in this field, perhaps far more so than others, there is no uniform or widely pursued approach across classrooms, as pointed out by Herr, Laudrian, and Smeets in ‘Mapping the Known Unknowns of Cybersecurity Education‘. That said, students entering this field armed with social science and policy leaning coursework should be comfortable engaging with technical and private sector reporting alongside academic, government, and legal documents. At risk of straying beyond the focus of this topic (i.e., theory), I favor introducing students first to core technical foundations and operational realities—what is cyberspace and how has it evolved; how, when, and which groups hack; and how, where, and when does defense play out—before turning to policy, strategy, or theoretical debates. In my experience, this approach allows subsequent discussions of systemic, international, national, and subnational questions to be firmly grounded in the realities of the space.”

Harknett: “Cybersecurity is not a technical problem, but a political, economic, organizational, and behavioral challenge in a technically fluid environment. Thus, how cyber insecurity can be reduced and state competition in and through cyberspace can be stabilized should be taught from multiple perspectives across the computing and social sciences and humanities. Basically, a more multidisciplinary integrated, rather than segmented, approach to courses and curriculum.”

Jun: “There should be a greater effort to integrate literature on cyber conflict as part of bigger international relations themes such as coercion, signaling, trade, etc., and move away from viewing dynamics in cyberspace as monolithic. In many international relations syllabi, cyber conflict often appears at the very end (if at all) in about week thirteen as a standalone module. Often, the discussion question then becomes, “To what extent is cyber different from all of the traditional stuff we learned so far?” This not only leads to overgeneralizations about cyberspace and cyber conflict, but also nudges students into viewing cyber as something separate and distinct from other major themes and dynamics in international relations.”

Lindsay: “Two things that would improve cybersecurity education would be 1) to situate it in the history of intelligence and covert action, and 2) to give more attention to the political economy of cyberspace, which fundamentally shapes the dynamics of cyber conflict.”

Poznansky: “My hunch is that cyber conflict is often included in many international relations courses as part of a module on emerging technologies alongside space, autonomous systems, quantum, and so forth. Because cyberspace has relevance for almost all aspects of modern statecraft—warfighting, coercion, commerce, diplomacy—a better approach may be to consciously integrate it into modules on all these broader topics. Stand-alone courses also have high upside by allowing for a deep dive, but infusing cyber throughout discussions of major international relations concepts would offer a better foundation.”

#3 What is a piece of literature on cyber conflict theory that you recommend aspiring policymakers read closely and why?

Dwyer: “I think one of the best and underacknowledged written pieces is by JD Work, ‘Balancing on the Rail – considering responsibility and restraint in the July 2021 Iran Railways incident.’ In this piece, Work examines an incident on Iranian railways in July 2021. The explication of responsibility and restraint in offensive cyber operations is a must-read for anyone interested in the area.”

Griffith: “Whether or not readers agree with them, Michael Fisherkeller, Emily Goldman, and Richard Harknett’s Cyber Persistence Theory (2022) sets the stage for a productive and ongoing theoretical debate over the structural conditions animating cyberspace. Though an exercise in theory development rather than policy prescription, the book is not merely of interest to academics. Echoes of the underlying logic can be found animating US Cyber Command’s Persistent Engagement and the UK National Cyber Force’s recently released, ‘Responsible Cyber Power in Practice,’ for example.”

Harknett: “As Alexander George correctly wrote to bridge the gap between policy and theory, it is the theoretician that must cross-over the bridge to meet policymakers on their own turf. Two recent books that do a good job at this are Max Smeets’ No Short Cuts: Why States Struggle to Develop a Military Cyber-Force and a just released edited book from Smeets and Robert Chesney, Deter, Disrupt, or Deceive, which examines the debate between those who posit cyberspace as strategic competition and those who view it as an intelligence contest and thus apply research from intelligence studies. Misconceiving this fundamental categorization would have profound impact on policy development, and thus grappling with the difference between the two perspectives is important.”

Jun: “Aspiring policymakers should be familiar with the arguments made in Cyber Persistence Theory by Goldman, Fischerkeller, and Harknett, as well as the back-and-forth debate leading up to the publication of this book in various journals and opinion pieces. Ideas laid out in this book embody much of the thinking behind the 2018 US government pivot towards Persistent Engagement and Defend Forward away from a strategy based on deterrence by punishment. Reading the book as well as the debate around it will allow an aspiring policymaker to trace how certain characterizations of cyberspace and its functions will lead to corresponding theoretical predictions, and how such assessments are translated into strategy documents by various agencies.”

Lindsay: “I highly recommend the new volume by Robert Chesney and Max Smeets exploring the debate over cyber as an intelligence contest or something else. I also recommend that international relations scholars become more familiar with the Workshop on the Economics of Information Security community, which produces fascinating papers every year.”

Poznansky: “I am going to cheat and highlight two. First is an article by Jordan Branch looking at how the military’s use of familiar metaphors to understand and describe cyberspace affected investments and policy decisions. Branch shows that the comparisons we invoke to understand new phenomena have real-world impacts. Second is a new book by Erica Lonergan and Shawn Lonergan on the dynamics of escalation in cyberspace. It tackles one of the most pressing issues in cyber conflict in a way that appeals to scholars and practitioners alike.”

The 5×5—Conflict in Ukraine’s information environment

The cyber strategy and operations of Hamas: Green flags and green hats

The 5×5—Non-state armed groups in cyber conflict

#4 How has the theory of cyber conflict evolved in the last five years and where do you see the field evolving in the next five years?

Dwyer: “Undoubtedly, the greatest transformation has been the demise of ‘cyber war’ and ‘cyber weapons’ in both theory and practice. This has steadily been replaced (albeit over much more than the past five years) by cyber conflict as an ‘intelligence contest.’ In many ways, this is a welcome development. For the next five years, one might ask what then is distinct about cyber conflict; is it simply a transplant of conventional intelligence-related activity with new tools? I would wager not, and I hope that the cyber conflict studies community examines the role that technology plays that does not simply reduce computation to a tool with none of its own agency.”

Griffith: “Two significant shifts stand out. One of the biggest was the pivot away from the early focus on war toward a recognition of the diversity of activity that occurs in the absence of and below the threshold of war. In the process, the theories and disciplines cyber conflict scholars brought to bear expanded beyond security studies approaches, which had largely dominated the field, to increasingly include intelligence studies, history, economics, law, etc. In the next five years, I hope to see that aperture continue to widen as we continue to move beyond those early ‘cyber war’ framings to an array of questions stemming from a diversity of disciplines and examining a greater diversity of countries.”

Harknett: “Along with the work above, Ben Buchanan’s The Hacker and the State and Daniel Moore’s Offensive Cyber Operations have begun to examine the operational space as it is, rather than how people thought it would be. I think there is a significant pivot away from the cyber war construct occurring. Of course, my own bias is that Cyber Persistence Theory as presented by myself, Emily Goldman and Michael Fischerkeller offers a foundational piece of theory that explains a lot of the shifting in state strategy and behavior. I think the utility of the constructs of initiative persistence, campaigning, and strategic competition, will garner debate and may emerge or will be challenged as further research with this focus develops.”

Jun: “In the past five years, there has been a shift away from efforts to study cyber deterrence to focus on the dynamics of cyber incidents and/or campaigns below the threshold of armed conflict that occur on a regular basis. The field is also becoming more methodologically diverse. In the next five years, the field is likely to focus on getting at the nuances of cyber activity occurring below the threshold of armed conflict. The scholarly community may seek to answer questions such as: when a state takes certain offensive or defensive actions in cyberspace, what do these actions signal, and how are they interpreted on the receiving side? How do we measure or evaluate the effectiveness of cyber campaigns? As other states acquire cyber capabilities and respond to cyber threats, what accounts for how their cyber strategies evolve?”

Lindsay: “In the last five years, the field has taken a decidedly empirical turn. Cyber is no longer an emerging technology. It has emerged. We have decades of data to explore. This empirical turn complements the theoretical emphasis on intelligence that I mentioned above.”

Poznansky: “There has been an explosion of work over the last few years devoted to better understanding what exactly cyberspace represents. Is it yet another arena of warfare with some new bells and whistles or is it more akin to an intelligence contest? How we understand the nature of cyberspace has major implications for how we theorize cyber conflict and, equally important, what sorts of policy implications we arrive at. There is much more to be done here.”

#5 How can scholars and policymakers of cyber conflict better incorporate perspectives from each other’s work?

Dwyer: “This is by far the hardest question; however, it is about understanding the needs and goals of both academics and policymakers. This simply requires 1) a firm commitment and foundation from policymakers to fund critical social science and humanities work that can sustain positive engagement and trust building; 2) recognition and support for academics in the translation of their work and impact in ways that are visible to their institutions; and 3) for academics not enter a room with preconceived notions of the solutions to policymakers’ problems.”

Griffith: “There are a variety of models at our disposal, but one approach of note is on full display in Robert Chesney and Max Smeets’ recent edited volume, Deter, Disrupt, or Deceive, which explicitly puts authors who disagree—and who spearhead emerging schools of thought—in direct conversation with each other. This volume represents the culmination of roughly four years of formal and informal debate and has actively sought to continue the conversation through an ongoing, global series of workshops in the wake of its publication. Another model can be found in the field-building work of the Cyber Conflict Studies Association in United States and the European Cyber Conflict Research Initiative in Europe.”

Harknett: “Again, the bridge between policy and theory has never been easy to traverse, but one essential element is adopting an agreed upon lexicon. There is, currently, this interesting phenomena in which the UK’s National Cyber Mission Forces’ Responsible Cyber Power in Practice document and the US Defense Department’s approaches of cyber persistent engagement and defend forward, as well as the broader 2023 US National Cybersecurity Strategy, align with the logic of initiative persistence and the structural reasoning of cyber persistence theory, with growing focus on continuous campaigns and seizing the initiative, rather than legacy constructs such as deterrence threats. Although full lexicon consensus has yet to solidify, it will be interesting to observe whether it occurs overtime.”

Jun: “[Scholars and policymakers of cyber conflict can better incorporate perspectives from each other’s work with] more frequent conversations that raise good new policy-relevant research questions, efforts to ground theoretical and empirical research in what is actually going on, and efforts to turn conclusions from scholarly analysis into actionable policy agendas.”

Lindsay: “This question is tricky because there are several different groups on either side of the gap, and it is important for all of them to talk. On the policy side, there are government policymakers and intelligence professionals, but also the hugely important commercial sector. And on the academic side you have international relations scholars, computer scientists, and many other social scientists and engineers working in related areas. Cybersecurity is a pretty wicked interdisciplinary problem.”

Poznansky: “For scholars, being open to the possibility that many of the things we often bracket, in part because they can be hard to measure—bureaucratic politics, organizational culture, leadership, and so forth—is valuable. These factors probably explain more about cyber conflict than we care to admit. For practitioners, remaining open minded to debates that might sound purely academic in nature at first blush but in fact have immense practical relevance is also valuable. Whether cyberspace is mainly an arena for intelligence competition or warfighting—a debate, as mentioned, that is happening right now—matters for the prospect of developing norms, the utility of coercion, the dynamics of escalation, and more.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Human rights must be central in the African Union’s Digital Transformation Strategy

The post The 5×5—Cyber conflict in international relations: A scholar’s perspective appeared first on Atlantic Council.

Activists and experts assemble in Costa Rica to protect human rights in the digital age

Digital Forensic Research Lab — Wed, 07 Jun 2023 20:21:18 +0000

Will the world’s human-rights defenders be able to match the pace of quickly moving technological challenges arising from artificial intelligence, information wars, and more?

Rights activists, tech leaders, and other stakeholders are meeting at RightsCon Costa Rica on June 5-8 to collectively set an agenda for advancing human rights in this digital age.

Our experts at the Digital Forensic Research Lab are coordinating part of that effort, with a slate of RightsCon events as part of their 360/Open Summit: Around the World global programming. Below are highlights from the events at RightsCon, which cover digital frameworks in Africa, disinformation in Ukraine, online harassment of women globally, and more.

The latest from San José

Rethinking transparency reporting

Day two wraps with a warning about dangerous threats, from militant accelerationism to violence toward women

What’s behind today’s militant accelerationism?

The digital ecosystem’s impact on women’s political participation

Day one wraps with recommendations for Africa’s digital transformation, Venezuela’s digital connectivity, and an inclusionary web

What does a trustworthy web look like?

Mapping—and addressing—Venezuela’s information desert

Where open-source intelligence meets human-rights advocacy

Rethinking transparency reporting

On Day 3 of RightsCon Costa Rica, Rose Jackson, director of the DFRLab’s Democracy & Tech Initiative, joined panelists Frederike Kaltheuner, director for technology and human rights at Human Rights Watch, and David Green, civil liberties director at Electronic Frontier Foundation, for a panel on rethinking transparency reporting. The discussion was led and moderated by Gemma Shields, Online Safety Policy Lead at the United Kingdom’s Office of Communications (Ofcom).

Shields opened the session by describing the online safety bill currently making its way through the UK parliament and the role of Ofcom in its implementation. The bill will give new powers to Ofcom to test mandatory platform transparency reporting requirements. Through these efforts, Ofcom hopes that “good, effective meaningful transparency reporting might encourage proactive action from the platforms,” Shields explained.

During the discussion, the panelists discussed what will be central to implementation of the online safety bill, including what effective transparency reporting looks like. Kaltheuner emphasized the complexity of defining meaningful transparency when the use cases vary across end users, regulators, civil society, journalists, and academics. Green underscored the importance of centering user needs in the conversation and the need to tailor reporting mandates to specific platforms.

Jackson noted that it is a strategic imperative for the UK government to consult experts from the global majority and consider how regulations and norms could be potentially used for harm by non-democratic actors. As Jackson put it, “what happens in the most unprotected spaces is the beta test for what will show up in your backyard.” She also highlighted the importance of global civil society engaging with the UK Online Safety Bill and European transparency regulations, such as the Digital Services Act, because these policies are first movers in codifying more regulation, and future policies will refer back to these efforts.

Human rights must be central in the African Union’s Digital Transformation Strategy

The DFRLab gathered stakeholders from the policy-making, democracy, rights, and tech communities across the African continent to discuss the African Union’s Digital Transformation Strategy. Participants compared notes and identified opportunities for increasing the strategy’s human-rights focus as it approaches its mid-mandate review. Participants also agreed that trusted conveners, such as watchdog agencies within national governments, can play a critical facilitating role in ensuring effective communication between experts, users, and civil society on one hand and policymakers and elected officials on the other. Discussion of particular concerns with the Strategy or recommendations to increasingly center human rights in it will be continued in future gatherings.

Day two wraps with a warning about dangerous threats, from militant accelerationism to violence toward women

The DFRLab kicked off day two at RightsCon with a conversation on how Russian information operations, deployed ahead of the full-scale invasion of Ukraine, were used to build false justifications for the war, deny responsibility for the war of aggression, and mask Russia’s military build-up. The panel also highlighted two DFRLab reports, released in February 2023, that examine Russia’s justifications for the war and Russia’s attempts to undermine Ukraine’s resistance and support from the international community.

Transcript

Jun 8, 2023

Mapping the last decade of Russia’s disinformation and influence campaign in Ukraine

By Atlantic Council

Since its full-scale invasion of Ukraine, Russia has continued its information operations, targeting more than just Ukraine, say speakers at a RightsCon event hosted by the Digital Forensic Research Lab.

Disinformation Russia

While at RightsCon, the DFRLab participated in a discussion on militant accelerationism, its impact on minority communities, and how bad actors can be held accountable. The event, hosted by the United Kingdom’s Office of Communications and Slovakia’s Council of Media Services, featured panelists who discussed the ways in which policy can hold all voices, including those of the powerful, accountable. During the panel, DFRLab Research Fellow Meghan Conroy discussed how such violent narratives have become increasingly commonplace in some American ideologies and how extremist individuals and groups sympathetic to these narratives have been mobilized.

To close out the day, the DFRLab and the National Democratic Institute co-hosted a panel featuring global experts from civil society, government, and industry on how the threat of violence and harassment online has impacted the potential for women to participate in politics. As noted by the panelists, abuse suffered online is meant to strictly intimidate and silence those who want to get involved, and it is, therefore, all the more important that these very women, and those already established, stand up and speak out so as to serve as role models and protect diversity and equity in politics, tech, and beyond.

What’s behind today’s militant accelerationism?

By Meghan Conroy

While at RightsCon, I—a DFRLab research fellow and co-founder of the Accelerationism Research Consortium—joined an event hosted by the UK Office of Communications and Slovakia’s Council of Media Services on militant accelerationism.

My co-panelists and I provided an overview of militant accelerationism and an explanation of the marginalized groups that have been targets of militant accelerationist violence. I discussed accelerationist narratives that have not only permeated mainstream discourse but have also mobilized extremists to violence. Hannah Rose, research fellow and PhD candidate at King’s College London’s International Centre for the Study of Radicalization, zeroed in on the role of conspiracy theories in enabling the propagation of these extreme worldviews.

Stanislav Matějka, head of the Analytical Department at the Slovakian Council of Media Services, delved into the October 2022 attack in Bratislava. He flagged the role of larger, more mainstream platforms as well as filesharing services in enabling the spread of harmful content preceding the attack. Murtaza Shaikh, principal at the UK Office of Communications for illegal harms and hate and terrorism, highlighted the office’s work on the May 2022 attack in Buffalo, New York. He raised that these attacks result, in part, from majority populations framing themselves as under threat by minority populations, and then taking up arms against those minority populations.

Attendees then broke into groups to discuss regulatory solutions and highlight obstacles that may stand in the way of those solutions’ implementation or effectiveness. Key takeaways included the following:

Powerful voices need to be held to account. Politicians, influencers, and large platforms have played an outsized role in enabling the mainstreaming and broad reach of these worldviews.
Bad actors will accuse platforms and regulators of censorship, regardless of the extent to which content is moderated. As aforementioned, they’ll often position themselves as victims of oppression, and doing so in the context of content moderation policies is no different—even if the accusations are not rooted in reality.
Regulators must capitalize on existing expertise. Ahost of experts who monitor these actors, groups, and narratives across platforms, as well as their offline activities, can help regulators and platforms craft creative, adaptive, and effective policies to tackle the nebulous set of problems linked to militant accelerationism.

This conversation spurred some initial ideas that are geared toward generating more substantial discussion. Introducing those unfamiliar with understudied and misunderstood concepts, like militant accelerationism, is of the utmost importance to permit more effective combatting of online harms and their offline manifestations—especially those that have proven deadly.

Meghan Conroy is a US research fellow with the Atlantic Council’s Digital Forensic Research Lab.

The digital ecosystem’s impact on women’s political participation

By Abigail Wollam

The DFRLab and the National Democratic Institute (NDI) co-hosted a panel that brought together four global experts from civil society, government, and industry to discuss a shared and prevalent issue: The threat of digital violence and harassment that women face online, and the impact that it has on women’s participation in political life.

The panel was facilitated by Moira Whelan, director for democracy and technology at NDI; she opened the conversation by highlighting how critical these conversations are, outlining the threat to democracy posed by digital violence. She noted that as online harassment towards women becomes more prevalent, women are self-censoring and removing themselves from online spaces. “Targeted misogynistic abuse is designed to silence voices,” added panelist Julia Inman Grant, the eSafety commissioner of Australia.

Both Neema Lugangira (chairperson for the African Parliamentary Network on Internet Governance and member of parliament in Tanzania) and Tracy Chou (founder and chief executive officer of Block Party) spoke about their experiences with online harassment and how those experiences spurred their actions in the space. Lugangira found, through her experience as a female politician in Tanzania, that the more outspoken or visible a woman is, the more abuse she gets. She observed that women might be less inspired to participate in political life because they see the abuse other women face—and the lack of defense or support these women get from other people. “I decided that since we’re a group that nobody speaks for… I’m going to speak for women in politics,” said Lugangira.

Chou said that she faced online harassment when she became an activist for diversity, equity, and inclusion in the tech community. She wanted to address the problem that she was facing herself and founded Block Party, a company that builds tools to combat online harassment.

Despite these challenges, the panelists discussed potential solutions and ways forward. Australia is leading by example with its eSafety commissioner and Online Safety Act, which provide Australians with an avenue through which to report online abuses and receive assistance. Fernanda Martins, director of InternetLab, discussed the need to change how marginalized communities that face gendered abuse are seen and talked about; instead of talking about the community as a problem, it’s important to see them as part of the solution and bring them into the discussions.

Abigail Wollam is an assistant director at the Atlantic Council’s DFRLab

Transcript

Jun 8, 2023

The international community must protect women politicians from abuse online. Here’s how.

By Atlantic Council

At RightsCon, human-rights advocates and tech leaders who have faced harassment online detail their experiences—and ways the international community can support women moving forward.

Disinformation Resilience & Society

.@rightscon Day 2 in the books! Stay tuned, still more to come with @DFRLab #360OS. pic.twitter.com/V8KapT1PVb
— DFRLab (@DFRLab) June 7, 2023

Day one wraps with recommendations for Africa’s digital transformation, Venezuela’s digital connectivity, and an inclusionary web

This year at RightsCon Costa Rica, the DFRLab previewed its forthcoming Task Force for a Trustworthy Future Web report and gathered human-rights defenders and tech leaders to talk about digital frameworks in Africa, disinformation in Latin America and Ukraine, and the impact online harassment has on women in political life, and what’s to come with the European Union’s Digital Services Act.

Transcript

Jun 8, 2023

The European Commission’s Rita Wezenbeek on what comes next in implementing the Digital Services Act and Digital Markets Act

By Atlantic Council

At a DFRLab RightsCon event, Wezenbeek spoke about the need to get everyone involved in the implementation of the DSA and DMA.

Disinformation European Union

The programming kicked off on June 5 with the Digital Sherlocks training program in San José, which marked the first time the session was conducted in both English and Spanish. The workshop aimed to provide human-rights defenders with the tools and skills they need to build movements that are resilient to disinformation.

On June 6, the programming opened with a meeting on centering human rights in the African Union’s Digital Transformation Strategy. The DFRLab gathered stakeholders from democracy, rights, and tech communities across the African continent to discuss the African Union’s Digital Transformation Strategy. Participants compared notes and identified opportunities for impact as the strategy approaches its mid-mandate review.

Next, the DFRLab, Venezuela Inteligente, and Access Now hosted a session on strengthening Venezuela’s digital information ecosystem, a coalition-building meeting with twenty organizations. The discussion drew from a DFRLab analysis of Venezuela’s needs and capabilities related to the country’s media ecosystems and digital security, literacy, and connectivity. The speakers emphasized ways to serve vulnerable groups.

Following these discussions, the DFRLab participated a dialogue previewing findings from the Task Force for a Trustworthy Future Web. The DFRLab’s Task Force is convening a broad cross-section of industry, civil-society, and government leaders to set a clear and action-oriented agenda for future online ecosystems. As the Task Force wraps up its report, members discussed one of the group’s major findings: the importance of inclusionary design in product, policy, and regulatory development. To close out the first day of DFRLab programming at RightsCon Costa Rica, the task force notified the audience that it will be launching its report in the coming weeks.

What does a trustworthy web look like?

By Jacqueline Malaret and Abigail Wollam

The DFRLab’s Task Force for a Trustworthy Future Web is charting a clear and action-oriented roadmap for future online ecosystems to protect users’ rights, support innovation, and center trust and safety principles. As the Task Force is wrapping up its report, members joined Task Force Director Kat Duffy to discuss one of the Task Force’s major findings—the importance of inclusionary design in product, policy, and regulatory development—on the first day of RightsCon Costa Rica.

In just eight weeks, Elon Musk took over Twitter, the cryptocurrency market crashed, ChatGPT launched, and major steps have been made in the development of augmented reality and virtual reality, fundamentally shifting the landscape of how we engage with technology. Framing the panel, Duffy highlighted how not only has technology changed at a breakneck pace, but the development and professionalization of the trust and safety industry have unfolded rapidly in tandem, bringing risks, harms, and opportunities to make the digital world safer for all.

Task Force for a Trustworthy Future Web

The Task Force for a Trustworthy Future Web will chart a clear and action-oriented roadmap for future online ecosystems to protect users’ rights, support innovation, and center trust and safety principles.

The three panelists—Agustina del Campo, director of the Center for Studies on Freedom of Expression; Nighat Dad, executive director of the Digital Rights Foundation; and Victoire Rio, a digital-rights advocate—agreed that the biggest risk, which could yield the greatest harm, is shaping industry practices through a Western-centric lens, without allowing space for the global majority. Excluding populations from the conversation around tech only solidifies the mistakes of the past and risks creating a knowledge gap. Additionally, the conversation touched on the risk of losing sight of the role of government, entrenching self-regulation as an industry norm, and absolving both companies and the state for harms that can occur because of the adoption of these technologies.

Where there is risk, there is also an opportunity to build safer and rights-respecting technologies. Panelists said that they found promise in the professionalization and organization of industry, which can create a space for dialogue and for civil society to engage and innovate in the field. They are also encouraged that more and more industry engagements are taking place within the structures of international law and universal human rights. The speakers were encouraged by new opportunities to shape regulation in a way that coalesces action around systemic and forward-looking solutions.

But how can industry, philanthropy, and civil society maximize these opportunities? There is an inherent need to support civil society that is already deeply engaged in this work and to help develop this field, particularly in the global majority. There is also a need to pursue research that can shift the narrative to incentivize investment in trust and safety teams and articulate a clear case for the existence of this work.

Jacqueline Malaret is an assistant director at the Atlantic Council’s DFRLab

Abigail Wollam is an assistant director at the Atlantic Council’s DFRLab

Mapping—and addressing—Venezuela’s information desert

By Iria Puyosa and Daniel Suárez Pérez

On June 6, the DFRLab, Venezuela Inteligente, and Access Now (which runs RightsCon) hosted a coalition-building meeting with twenty organizations that are currently working on strengthening Venezuela’s digital information ecosystem. The discussion was built on an analysis, conducted by the DFRLab, of the country’s media ecosystems and digital security, literacy, and connectivity; the speakers focused on ways to serve vulnerable groups such as grassroots activists, human-rights defenders, border populations, and populations in regions afflicted by irregular armed groups.

The idea of developing a pilot project in an information desert combining four dimensions—connectivity, relevant information, security, and literacy—was discussed. Participants agreed that projects should combine technical solutions to increase access to connectivity and generate relevant information for communities, with a human-rights focus. In addition, projects should include a digital- and media-literacy component and continuous support for digital security.

Iria Puyosa is a senior research fellow at the Atlantic Council’s DFRLab

Daniel Suárez Pérez is a research associate for Latin America at the Atlantic Council’s DFRLab

What a great first day for @DFRLab’s #360OS at @rightscon Costa Rica! We’ll be in San José all week so stay tuned for more great content. pic.twitter.com/JGzIzp4sKD
— DFRLab (@DFRLab) June 5, 2023

Where open-source intelligence meets human-rights advocacy

By Ana Arriagada

On June 5, the DFRLab hosted a Digital Sherlocks workshop on strengthening human-rights advocacy through open-source intelligence (OSINT) and countering disinformation.

Learn more about the Digital Sherlocks program

The Digital Sherlocks program convenes a global community of researchers to build resilience against disinformation. Each semester, the program offers more than thirty free online trainings, ranging from basic to advanced levels, to cohorts drawn from universities, civil society, journalism, and academia. Through the Digital Sherlocks program, the DFRLab has trained at least 2,300 people in over 130 countries.

I co-led the workshop with DFRLab Associate Researchers Jean le Roux, Daniel Suárez Pérez, and Esteban Ponce de León.

In the session, attendees discussed the worrying rise of antidemocratic governments in Latin America—such as in Nicaragua and Guatemala—who are using open-source tools for digital surveillance and are criminalizing the work of journalists and human-rights defenders. When faced with these challenges, it becomes imperative for civil-society organizations to acquire and use investigative skills to produce well-documented reports and investigations.

During the workshop, DFRLab researchers shared their experiences investigating paid campaigns that spread disinformation or promote violence or online harassment. They recounted having used an array of tools to analyze the origin and behavior of these paid advertisements.

DFRLab researchers also discussed tools that helped them detect suspicious activity on platforms such as YouTube, where, for example, some gamer channels spread videos related to disinformation campaigns or political violence. The workshop attendees also discussed how policy changes at Twitter have made the platform increasingly challenging to investigate, but they added that open-source researchers are still investigating, thanks to the help of available tools and the researchers’ creative methodologies.

The workshop also showcased the DFRLab’s work with the Action Coalition on Meaningful Transparency (ACT). Attendees received a preview of ACT’s upcoming portal launch, for which the DFRLab has been offering guidance. The new resource will offer access to a repository of transparency reporting, policy documents, and analysis from companies, governments, and civil society. It will also include a registry of relevant actors and initiatives, and it will allow users to establish links between entries to see the connections between organizations, the initiatives they are involved in, and the reports they have published.

The workshop ended with the DFRLab explaining that social network analysis— the study of social relationships and structures using graph theory—is important because it allows for investigating suspicious activity or unnatural behavior exhibited by users on social media platforms.

Ana Arriagada is an assistant director for Latin America at the Atlantic Council’s DFRLab

The post Activists and experts assemble in Costa Rica to protect human rights in the digital age appeared first on Atlantic Council.

Will the debt ceiling deal mean less for homeland security?

Thomas S. Warrick — Wed, 31 May 2023 19:00:12 +0000

What the new budget deal to raise the federal debt ceiling means for homeland security is only slowly coming into focus. Very few of the initial statements out of the White House or House Republican leadership about the Fiscal Responsibility Act of 2023 mention what the new budget cap means for the Department of Homeland Security (DHS) or for homeland security more broadly. A close look, however, leaves reason for concern. DHS will be competing for fewer civilian budget dollars against the full range of the nation’s domestic needs and priorities. This puts the United States’ defenses at risk in areas where the threats are increasing, as in cybersecurity, border and immigration security, and domestic counterterrorism.

US President Joe Biden and House Speaker Kevin McCarthy deserve praise for avoiding a catastrophic default on the United States’ fiscal obligations that otherwise would have disrupted debt payments, Social Security payments to seniors, and the federal payroll that includes everyone who keeps the United States safe. Most commentators on the budget part of the deal have focused on the contrast between “defense spending,” where the agreement largely endorses the Biden administration’s requested increase for the Department of Defense, versus domestic programs, which are slated for a cut over the previous year’s levels. However, it is important to remember that DHS leads the defense of the United States against nonmilitary threats. DHS is responsible for border, aviation, and maritime security, as well as cybersecurity. It also helps protect critical infrastructure, oversees immigration, builds resilience, restores communities after disasters, and combats crimes of exploitation. As the third-largest cabinet department in the federal government, DHS’s budget is intrinsically linked to the security of the United States. However, DHS’s budget for fiscal year (FY) 2024 is not getting the same treatment as the budget for the Department of Defense (DOD).

When security is “nonsecurity”

The Fiscal Responsibility Act of 2023 classifies most of DHS’s budget as “nonsecurity.” This is paradoxical but true. Barring future changes to the deal, which are always possible, DHS will be in a zero-sum competition in the FY 2024 budget negotiations against other civilian programs such as nutrition programs for children, domestic law enforcement, housing programs, community grants programs, and national parks. Whereas the federal government should be spending more on cybersecurity, border and immigration security, and community programs to prevent violent extremism and domestic terrorism, the Fiscal Responsibility Act of 2023 will make this harder because the overall pot of money for nondefense programs for FY 2024 will be less than in FY 2023. This appears to be the case even though more spending on cybersecurity and border security has strong bipartisan support.

The Fiscal Responsibility Act of 2023 follows the legislative language of the Budget Control Act of 2011 (the first of several debt ceiling deals in the Obama administration), which divided so-called “discretionary” federal spending into two different two-way splits. First, there is the “security category” and the “nonsecurity category.” The security category includes most of the budgets of the departments of Defense, Homeland Security, and Veterans Affairs. It also includes the National Nuclear Security Administration, the intelligence community management account, and the so-called “150 account” for international programs such as military aid, development assistance, and overseas diplomatic operations. The nonsecurity category is essentially everything else, such as the departments of Justice, Health and Human Services, Commerce, Housing and Urban Development, and Interior.

Central to the 2011 budget deal was that it did not apply to nondiscretionary programs such as Social Security and fee-based programs such as citizenship and visa applications, which are not considered “discretionary” spending. Emergency spending, narrowly defined, was exempt from the budget caps, as was most of the war against al-Qaeda, which was categorized as “Overseas Contingency Operations” and exempt from the budget caps that began in 2011.

DHS will be competing for fewer civilian budget dollars against the full range of the nation’s domestic needs and priorities.

The second split in budget law, which originated in a budget deal in December 2013, is between the “revised security category” and the “revised nonsecurity category.” The revised security category includes only budget account 050, roughly 96 percent of which is the Department of Defense (budget code 051). About 3 percent is for nuclear programs run by the Department of Energy (code 053), and about 1 percent is for national defense-related programs at DHS, the Federal Bureau of Investigation (mainly counterintelligence programs), and parts of the Central Intelligence Agency.

The main DHS programs funded under this revised security category (budget code 054) are extremely limited: emergency management functions of the Federal Emergency Management Agency on things like emergency communications systems and alternate sites the federal government could use in case of emergency or an extreme event such as a nuclear attack, as well as some functions of the Cybersecurity and Infrastructure Security Agency.

Thus, since 2013, most of the budgets of DHS, the Department of Veterans Affairs, and foreign military assistance have been in the “security category” but have also paradoxically been in the “revised nonsecurity category.”

In the May 2023 budget deal, the $886.3 billion spending cap agreed to by the White House and the House Republican leadership for FY 2024 is only for the “revised security category.” Most of DHS, the Department of Veterans Affairs, and military assistance are lumped in with the $703.6 billion cap for “revised nonsecurity” civilian parts of the federal government. Of that, $703.6 billion, $121 billion is earmarked for veterans’ programs. After several other adjustments and offsets, as the White House calculates it, this leaves $637 billion for all other “revised nonsecurity” programs. This is a nominal cut of one billion dollars from what those departments got in the FY 2023 budget passed in December 2022. Because inflation in the past year was 4.9 percent, the effective budget cut to “revised nonsecurity programs” would be greater than one billion dollars. The House Republicans calculate an even greater cut, to $583 billion, by not including the adjustments and offsets.

Flash back to 2011 and forward to 2024

In 2011, the debate between the Obama administration and the Republicans in Congress could be simplified into the idea that Democrats wanted more spending on social programs in the “nonsecurity category,” while Republicans wanted more money spent on “security,” principally defense spending but also including homeland security.

The debate in 2023 does not break down so neatly. There is increasing, bipartisan agreement that the United States needs to be spending more on border and immigration security, and that waiting until the start of FY 2024 to address this shortfall is not going to enable the administration’s strategy to succeed. There is also bipartisan agreement that the federal government as a whole should spend more on cybersecurity. And as the Bipartisan Safer Communities Act showed, mental health and community grants to address the causes of school shootings have bipartisan support. There is also bipartisan support for military assistance to help Ukraine defend itself from Russian aggression and to help Taiwan build up its defenses to deter a possible Chinese invasion. These programs are all funded mostly or wholly from “revised nonsecurity” programs. It is not clear how these programs will fare in the budget environment created by the Fiscal Responsibility Act of 2023.

Commercial aviation and borders still need to be protected, even while cyber threats mount and increased quantities of fentanyl come through ports of entry.

Other departments and agencies can reallocate funds when priorities change, but not DHS. After DOD successfully led international efforts to take away the Islamic State of Iraq and al-Sham’s territory in Iraq and Syria, the military was able to pivot to Asia, redeploying drones and personnel out of the Middle East to defend the Indo-Pacific. However, for DHS, as the 2023 Quadrennial Homeland Security Review made clear, threats seldom go away, even when the homeland faces new threats. Commercial aviation and borders still need to be protected, even while cyber threats mount and increased quantities of fentanyl come through ports of entry.

As valid as these concerns are, they are no reason to torpedo the Fiscal Responsibility Act of 2023. To the contrary, failure to pass the bill would gravely jeopardize national and homeland security, not to mention the economic security of the United States.

Nor do these concerns mean that other departments and agencies do not have their own justifications for increased resources in FY 2024. But the Fiscal Responsibility Act of 2023 is not going to make it easier for homeland security. Congress needs to recognize this as it works toward the final budget for FY 2024, and, perhaps more urgently, when it considers whether to pass an emergency supplemental appropriations bill for border and immigration security. Congress needs to ensure, as it provided for military security in the “security category” of the Fiscal Responsibility Act, that DHS has the resources it needs to defend the nation against nonmilitary threats.

Thomas S. Warrick is the director of the Future of DHS project at the Scowcroft Center for Strategy and Security’s Forward Defense program and a nonresident senior fellow and the Scowcroft Middle East Security Initiative at the Atlantic Council. He is a former DHS deputy assistant secretary for counterterrorism policy.

The post Will the debt ceiling deal mean less for homeland security? appeared first on Atlantic Council.

Ukraine’s Diia platform sets the global gold standard for e-government

Anatoly Motkin — Wed, 31 May 2023 01:30:31 +0000

Several thousand people gathered at the Warner Theater in Washington DC on May 23 for a special event dedicated to Ukraine’s award-winning e-governance platform Diia. “Ukrainians are not only fighting. For four years behind the scenes, they have been creating the future of democracy,” USAID Administrator Samantha Power commented at the event.

According to Power, users of Diia can digitally access the kinds of state services that US citizens can only dream of, including crossing the border using a smartphone application as a legal ID, obtaining a building permit, and starting a new business. The platform also reduces the potential for corruption by removing redundant bureaucracy, and helps the Ukrainian government respond to crises such as the Covid pandemic and the Russian invasion.

Since February 2022, the Diia platform has played a particularly important part in Ukraine’s response to Russia’s full-scale invasion. According to Ukraine’s Minister of Digital Transformation Mykhailo Fedorov, in the first days of the invasion the platform made it possible to provide evacuation documents along with the ability to report property damage. Other features have since been added. The e-enemy function allows any resident of Ukraine to report the location and movement of Russian troops. Radio and TV functions help to inform people who find themselves cut off from traditional media in areas where broadcasting infrastructure has been damaged or destroyed.

Today, the Diia ecosystem offers the world’s first digital passport and access to 14 other digital documents along with 25 public services. It is used by more than half the Ukrainian adult population. In addition to consumer-oriented functions, the system collects information for the national statistical office and serves as a digital platform for officials. Diia is widely seen as the world’s first next-generation e-government platform, and is credited with implementing what many see as a more human-centric government service model.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

Name
First Last
Email*
Phone
This field is for validation purposes and should be left unchanged.

In today’s increasingly digital environment, governments may find that they have a lot of siloed systems in place, with each system based on its own separate data, infrastructure, and even principles. As a result, people typically suffer from additional bureaucracy and need to deal repeatedly with different official organizations. Most e-government initiatives are characterized by the same problems worldwide, such as technical disparity of state systems, inappropriate data security and data protection systems, absence of unified interoperability, and inefficient interaction between different elements. Ukraine is pioneering efforts to identify more human-centric solutions to these common problems.

One of the main challenges on the path to building sustainable e-government is to combine user friendliness with a high level of cyber security. If we look at the corresponding indices such as the Online Services Index and Baseline Cyber Security Index, we see that only a handful of European countries have so far managed to achieve the right balance: Estonia, Denmark, France, Spain, and Lithuania. Beyond Europe, only Singapore and Malaysia currently meet the necessary standards.

Ukraine has a strong record in terms of security. Since the onset of the Russian invasion, the Diia system has repeatedly been attacked by Russian cyber forces and has been able to successfully resist these attacks. This is an indication that the Ukrainian platform has the necessary reserve of cyber security along with a robust and secure digital public infrastructure.

Eurasia Center events

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

The success of the IT industry in Ukraine over the past decade has already changed international perceptions of the country. Instead of being primarily seen as an exporter of metals and agricultural products, Ukraine is now increasingly viewed as a trusted provider of tech solutions. The Ministry of Digital Transformation is now working to make Diia the global role model for human-centric GovTech. According to Samantha Power, the Ukrainian authorities are interested in sharing their experience with the international community so that others can build digital infrastructure for their citizens based on the same human-centric principles.

USAID has announced a special program to support countries that, inspired by Diia, will develop their own e-government systems on its basis. This initiative will be launched initially in Colombia, Kosovo, and Zambia. Ukraine’s Diia system could soon be serving as a model throughout the transitional world.

As they develop their own e-government systems based on Ukraine’s experience and innovations, participating governments should be able to significantly reduce corruption tied to bureaucratic obstacles. By deploying local versions of Diia, transitional countries will also develop a large number of their own high-level IT specialists with expertise in e-government. This is an important initiative that other global development agencies may also see value in supporting.

Anatoly Motkin is president of the StrategEast Center for a New Economy, a non-profit organization with offices in the United States, Ukraine, Georgia, Kazakhstan, and Kyrgyzstan.

Winnona DeSombre Bernsen, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“I have not heard bad pieces of advice specifically geared toward threat intelligence professionals, but I was told by someone once that if I wanted to break into policy, I could not focus on cyber. This is mostly untrue: the number of cyber policy jobs in both the public and the private sectors are growing rapidly, because so many policy problems touch cybersecurity. Defense acquisition? Water safety? Civil Rights? China policy? All of these issues (and many more!) touch upon cybersecurity in some way. However, cyber cannot be your only focus! As most threat intelligence professionals know, cybersecurity does not operate in a vacuum. A company’s security protocols are only as good as the least aware employee, and a nation-state’s targets in cyberspace usually are chosen to further geopolitical goals. Understanding the issues that are adjacent to cyber in a way that creates sound policy is important when making the transition.”

Sherry Huang, program fellow, Cyber Initiative and Special Projects, William and Flora Hewlett Foundation:

“I would not count this as advice, but the emphasis on getting cybersecurity certifications that is persistent in the cyber threat intelligence community is not directly helpful to working in the cyber policy space. Having technical knowledge and skills is always a plus, but in my view, having the ability to translate between policymakers and technical experts is even more valuable in the cyber policy space, and there is not a certification for that.”

Katie Nickels, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; director of intelligence, Red Canary:

“I think there is a misconception that to work in cyber policy, you need to have spent time on Capitol Hill or at a think tank. I have found that to be untrue, and I think that misconception might make cybersecurity practitioners hesitant to weigh in on policy matters. The way I think of it is that cyber policy is the convergence of two fields: cybersecurity and policymaking. Whichever field is your primary one, you will have to learn about the other. Practitioners can absolutely learn about policy.”

Christopher Porter, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“When intelligence professionals think about policy work, they often experience a feeling of personal control—‘now I get to make the decisions!’ So there is a temptation to start applying your own pet theories or desired policy outcomes and start working on persuasion. That is part of it, but in reality policymaking looks a lot like intelligence work in one key aspect—it is still a team sport. You have to have buy-in from a lot of stakeholders, many of whom will have different perspectives or intellectual approaches to the same problem. Even if you share the same goal, they may have very different tools. So just as intelligence is a team sport, policymaking is too. That is a reality that is not reflected in a lot of academic preparation, which emphasizes theoretical rather than practical policymaking.”

Robert Sheldon, director of public policy & strategy, Crowdstrike:

“I sometimes hear people treating technical career paths and policy career paths as binary–and I do not think that is the direction that we are headed as a community. People currently working in technical cybersecurity disciplines, including threat intelligence, should consider gaining exposure to policy work without fully transitioning and leaving their technical pursuits behind. This is a straightforward way to make ongoing, relevant contributions to a crowded cyber policy discourse.”

#2 What about working in threat intelligence best prepared you for a career in cyber policy, or vice versa?

Desombre Bernsen: “Threat intelligence gave me two key skills: the first is the ability to analyze a large-scale problem. Just like threat intelligence analysts, cyber policymakers must look through large systems to find chokepoints and potential vulnerabilities, while also making sure that the analytic judgments one makes about the system are sound. This skill enables one to craft recommendations that best fit the problem. The second skill is the ability to tailor briefings to different principal decisionmakers. Threat intelligence is consumed by network defenders and C-suite executives alike, so understanding at what level you are briefing is key. A chief information security officer does not care about implementing YARA rules, just like a network defender does not want their time wasted with a recommendation on altering their company-wide phishing policies. Being able to figure out what the principal cares about, and to tailor recommendations to the audience best able to action on them is applicable to the cyber policy field as well. When briefing a company or government agency, knowing their risk tolerance and organization mission, for example, helps tailor the briefing to help them understand what they can do about the problem.”

Huang: “Being a cyber threat intelligence analyst gave me exposure to a wide variety of issues that are top of mind for government and corporate clients. In a week, I could be writing about nation-state information operations, briefing clients on cybersecurity trends in a certain industry, and sorting through data dumps on dark web marketplaces. Knowing a bit about numerous cyber topics made it easier for me to identify interest areas that wanted to pursue in the cyber policy space and, more importantly, allows me to easily understand and interact with experts on different cyber policy issue areas, which is helpful in my current role.”

Nickels: “The ability to communicate complex information in an accessible way is a skill I learned from my threat intelligence career that has translated well to policy work. Threat intelligence is all about informing decisions, so there are many overlaps with writing to inform policy.”

Porter: “In Silicon Valley, it is typical to have a position like ‘chief solutions architect.’ I have spent most of my career in intelligence being the ‘chief problems architect.’ It is the nature of the job to look for threats, problems, and shortcomings. Policymakers have the inverse task—to imagine a better future and build it, even if that is not the path we are on currently. But still, I think policymakers need to keep in mind how their plans might fail or lead to unintended consequences. When it comes to cybersecurity, new policies almost never eliminate a threat, they only change its shape. Much like the end to Ghostbusters, you get to choose the kind of problem you are going to face, but not whether or not you face one. Anyone with a background in intelligence will be ready for that step, where you have to imagine second- and third-order implications beyond the first-order effect you are seeking to have.”

Sheldon: “Working as an analyst early in my career taught me a lot about analytical methods and rigor, evidence quality, and constructing arguments. Each of these competencies apply directly to policy work.”

#3 What realities of working in the threat intelligence world do you believe are overlooked by the cyber policy community?

Desombre Bernsen: “The cyber policy community has not yet realized that threat intelligence researchers and parts of the security community themselves—similarly to high level cyber policy decisionmakers—are targets of cyberespionage and digital transnational repression. North Korea, Russia, China, and Iran have all targeted researchers and members of civil society in cyberspace. Famously, North Korea would infect Western vulnerability researchers, likely to steal capabilities. In addition, threat intelligence researchers lack the government protections many policymakers have. Researchers that publicly lambast US adversaries can be targeted and threatened online by state-backed trolls. Protections for these individuals are few and far between—CISA just this year rolled out a program for protecting civil society members targeted by transnational repression, so I hope it gets expanded soon.”

Huang: “Most of the time, threat intelligence analysts (at least in the private sector) do not hear from clients after a report has gone out and do not have visibility into whether their analysis and recommendations are helpful or have real-world impact. Feedback, whether positive or constructive, can help analysts fine-tune their craft and improve future analysis.”

Nickels: “I think the cyber policy community largely considers threat intelligence to be information to be shared about breaches, often in the form of indicators like IP addresses. While that can be one aspect of it, they may not recognize that threat intelligence analysts consider much more than that. Broadly, threat intelligence is about using an understanding of how cyber threats work to make decisions. Under that broad definition, cyber policymakers have a significant need for threat intelligence—if policymakers do not know how the threats operate, they cannot determine how to create policies to help organizations better protect against them.”

Porter: “There are aspects of the work—such as attribution—that are more reliable and not as difficult as imagined. Conversely, there are critical functions, like putting together good trends data or linking together multiple different pieces of evidence, that can be very difficult and time-intensive but seem simple to those outside the profession. So there is always a little bit of education that needs to take place before getting into a substantive back-and-forth, where the cyber intelligence community needs to explain a little bit about how they are doing their work, and the strengths and limitations of that so that everyone has the same assumptions and understands one another’s perspective.”

Sheldon: “The policy community sometimes lacks understanding of the sources and methods that threat intelligence practitioners leverage in their analysis. This informs the overall quality of their work, the skill needed to produce it, timeliness, extensibility, the possibility for sharing, and so on. All of these are good reasons for the two communities to talk more about how they do their work.”

The 5×5—Minding the cyber talent gap

The 5×5—Strengthening the cyber workforce

Cyber 9/12 Strategy Challenge

#4 What is the biggest change in writing for a threat intelligence audience vs. policymakers?

Desombre Bernsen: “The scope is much broader. Threats to a corporate system are confined largely to the corporate system itself, but the world of geopolitics has far more players and many more first- and second-order effects of the policies you recommend.”

Huang: “Not having to be as diligent about confidence levels! Jokes aside, it is similar in that being precise in wording and being brief and to the point are appreciated by both audiences. However, I do find that a policy audience often cares more about the forward-looking aspect and the ‘so what?’”

Nickels: “The biggest difference is that when writing for policymakers, you are expected to express your opinion! As part of traditional intelligence doctrine, threat intelligence analysts avoid injecting personal opinions into their assessments and try to minimize the effects of their cognitive biases. Intelligence analysts might write about potential outcomes of a decision, but should not weigh in on which decision should be made. However, policymakers want to hear what you recommend. It can feel freeing to be able to share opinions, and it remains valuable to try to hedge against cognitive biases because it allows for sounder policy recommendations.”

Porter: “Threat intelligence professionals are going to be very interested in how the work gets done, as the culture—to some degree—borrows from academic work, in terms of rewarding reproducibility of results and sharing of information. But, strictly speaking, policymakers do not care about that. Their job is to link the findings in those reports to the broader strategic context. One really only need to show enough of how the intelligence work was done to give the policymaker confidence and help them use the intelligence appropriately without understating or overstating the case. The result is that for policy audiences you end up starting from the end of the story—instead of a blog post or white paper building up to a firm conclusion, you talk about the conclusion and, depending on the level of technical understanding and skepticism on the part of the policymaker, may or may not get into the story of how things were pieced together at all.”

Sheldon: “Good writing in both disciplines has much in common. Each should be concise, include assertions and evidence, provide context, and make unknowns clear. But there are perhaps fewer ‘product types’ relevant to core threat intelligence consumers and, in some settings, analysts can assume some fundamental knowledge base among their audience.”

#5 Where is one opportunity to work on policy while still in industry that most people miss?

Desombre Bernsen: “You absolutely can work on policy issues while working in threat intelligence! I cannot just choose one, but I highly recommend searching for non-resident fellowship programs in think tanks (ECCRI, Atlantic Council, etc.), speaking at conferences on threat trends and their policy implications, and doing more policy through corporate threat wargaming internally.”

Huang: “Volunteering at conferences that involve the cyber policy community, such as Policy@DEF CON and IGF-USA. These are great opportunities to support policy-focused discussions and to have deeper interactions with peers in the cyber policy space.”

Nickels: “In the United States, one commonly missed opportunity is to reach out to elected representatives with opinions on cybersecurity legislation. Cybersecurity practitioners can also be on the lookout for opportunities to provide comments that help shape proposed regulations affecting the industry. For example, the Commerce Department invited public comments to proposed changes to the Wassenaar Arrangement around export controls of security software, and cybersecurity practitioners weighed in on how they felt the changes would influence tool development.”

Porter: “That will vary greatly from company to company; almost universally though, you will have the opportunity to help your colleagues and future generations by providing mentorship and career development opportunities. Personnel is policy, so in addition to thinking about particular policies you might want to shape, think also about how you can shape the overall policymaking process by helping others make the most of their talents. It will take years, but, in the long run, those are the kinds of changes that are most lasting.”

Sheldon: “Regardless of your current role, you can read almost everything relevant to the policy discourse. National strategies, executive orders, bills, commission and think tank reports, and so on are all publicly available. Unfortunately, many in the policy community are only skimming, but reading these sources deeply and internalizing them is a great basis to distinguish yourself in a policy discussion. Also, there are more opportunities than ever to read and respond to Requests for Comment from the National Institute of Standards and Technology and other government agencies, and these frequently include very technical questions.”

The post The 5×5—Cross-community perspectives on cyber threat intelligence and policy appeared first on Atlantic Council.

Iran is using its cyber capabilities to kidnap its foes in the real world

Borzou Daragahi — Wed, 24 May 2023 16:28:19 +0000

In November 2020, as results for the closely watched and hotly contested United States presidential and congressional elections began to emerge, hackers gained access to at least one website announcing results. They were thwarted, but it took the resources of the US military and the Department of Homeland Security to block what could have turned into another attempt to spread doubts and confusion about a vote that would eventually threaten to undermine US democracy some weeks later.

The culprit in the attack, according to US officials and tech professionals cited by The Washington Post, was a hacking group operating out of or at the direction of Iran—an increasingly powerful state actor in the world of cyber warfare.

The Islamic Republic has been steadily improving and sharpening its cyber warfare, cyber espionage, and electronic sabotage abilities, staging complex operations that, while not always successful, show what experts in the field describe as devious inventiveness.

In addition to its nuclear ambitions, its refining of missile technologies, and cultivation of armed ideologically motivated proxy paramilitary groups, Iran’s electronic warfare and intelligence operations are emerging as yet another worry about the country’s international posture.

The cyber realm fits snugly into Iran’s security arsenal. It is characterized by the asymmetricity, clandestinity, and plausible deniability that complement the proxy and shadow operations that have long been Islamic Republic’s favored tools for decades.

Iran’s most aggressive cyber realm actions are also powered by a sense of righteous grievance and resentment, emotional and ideological motivations that have long energized the clerical establishment. After all, it was US and Israeli spy agencies that, according to many experts, launched the era of cyber warfare by deploying the Stuxnet virus against the country’s controversial nuclear program in 2010, damaging hundreds of its centrifuges. Tehran is proud that its growing army of techies is catching up and, in some ways, surpassing the West at its own games.

Iran’s cyber efforts have been steadily broadening. They range from attempting to hack into defense, civil society, and private systems abroad to harassment campaigns against opponents in the diaspora. Experts closely watching Iran’s Internet and electronic warfare activities have detected an escalation of its abilities and ambitions in recent months. In early May, Microsoft issued a warning about Iran’s increasingly aggressive and sophisticated tactics.

“Iranian cyber actors have been at the forefront of cyber-enabled influence operations, in which they combine offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives,” said the report by Microsoft’s Clint Watts, a former FBI cybersecurity expert.

In particular, Iran appears to be building complex tactics that merge cyber and real world operations to lure people into kidnappings. This new form of transnational repression has alarmed security professionals and governments worldwide.

“We’re seeing an evolution over time of this actor evolving and using their techniques in ever more complex ways,” Sherrod DeGrippo, a former head of threat research and detection at the cyber security firm Proofpoint told me in January. “Iran is seen in the big four of the main actors. It is really stepping onto the stage and evolving what it’s doing.”

One particularly nefarious tactic that they are using is creating fake personas in the form of researchers who approach targets and try to glean information or lure them out into the open for suspected kidnapping practices. Through my research in Turkey, we learned that it is quite possible Iranian intelligence operatives have infiltrated the Turkish mobile phone networks and are using the data to track dissidents in the country. In one instance, a vocal dissident journalist received a message identifying a cafe near her home that she walked past every day. She was so terrified that she refused to leave her home for months and wound up obtaining asylum in a Western country.

In another instance, a dissident living in Turkey received messages with photographs of recent tourist sites he had visited on a trip to Istanbul. The speculation is that Iran had managed to purchase or surreptitiously access tracking data for their phones and use it to intimidate them.

According to a December 2022 report by ProofPoint, Iran’s cyber activities have gone beyond anonymous hacks and phishing campaigns to include made-up personas meant to lure people out into the open and in at least one alleged attempt, a kidnapping attempt. Sometimes alleged Iranian operatives use US or Western phone numbers to register WhatsApp accounts which can obscure their identities.

Last year, Israel’s domestic security service Shin Bet uncovered an alleged plot to use false identities with robust and complex legends to lure businessmen and scholars abroad in what security officials suspect were Iranian kidnapping plots. In one case, an operative pretending to be a prominent Swiss political scientist invited Israelis to a conference abroad. A number of Israelis were on the verge of traveling before the plot was exposed.

Experts are also noticing that Iran is getting better and better at creating virtual honey traps. “They’re evolving their ability to create personas,” said DeGrippo, who has since moved to Microsoft. “They’ve used these personas that are mildly attractive. They like to use women’s names, as they have learned that they get a bit more interaction and success when they use female personas.”

The US and other Western countries are well aware of the threat posed by Iranian cyber operations and have taken steps to counter them. But Iran’s state-sponsored program continues to evolve. Tehran likely believes the cyber capabilities give it leverage to yield information without the messiness of a hostage crisis, the headlines of a boat seizure, the riskiness of a human intelligence operation, or the potential retribution of a missile strike.

In January, the London cyber security firm Secureworks published a report on the emergence of a new likely Iranian hacking collective called Abraham’s Ax, which aimed to use leaks and hacks to prevent the expansion of the Abraham Accords normalizing ties between Israel and some Arab states. The collective leaked allegedly stolen from the Saudi Ministry of the Interior and a recording said to be an intercepted phone conversation between Saudi ministers.

“There are clear political motivations behind this group with information operations designed to destabilize delicate Israeli-Saudi Arabian relations,” Rafe Pilling, a researcher at Secureworks, was quoted as saying.

Less than two months later, in March, Saudi Arabia signed a deal to resume ties with Iran rather than commence them with Israel, as many in Washington and Jerusalem were expecting.

While Prime Minister Benjamin Netanyahu’s hardline government and his rightwing policies likely played a major role in Saudi’s decision to hold off on joining the Abraham Accords, Riyadh’s hopes that it could rein Iran’s diverse array of threats—including its increasing cyber warfare capabilities—likely played a role in its decision to pen the China-brokered deal with Tehran.

Iran invests in its cyber warfare program because it works.

Borzou Daragahi is an international correspondent for The Independent. He has covered the Middle East and North Africa since 2002. He is also a nonresident fellow with the Atlantic Council’s Middle East Security Initiative. Follow him on Twitter: @borzou.

The post Iran is using its cyber capabilities to kidnap its foes in the real world appeared first on Atlantic Council.

Regional cyber powers are banking on a wired future. Expanding the Abraham Accords to cybersecurity will help.

Thomas S. Warrick — Fri, 19 May 2023 19:44:07 +0000

The Abraham Accords is one of the major diplomatic achievements of the last five years. This historic agreement normalized relations between Israel and the Arab countries of Bahrain, Morocco, Sudan, and the United Arab Emirates (UAE), in partnership with the United States. Following the initial burst of activity late in the Donald Trump administration, the accords’ first expansion under the Joe Biden administration was announced in Tel Aviv on January 31, when Bahrain, Israel, the UAE, and the United States said they would widen the scope of the accords to include cybersecurity.

The January announcement by US Department of Homeland Security Under Secretary for Strategy, Policy, and Plans Robert Silvers was, like the accords themselves, a surprise that seems perfectly logical in hindsight. Israel and the Arab countries who participated in the announcement are among the Middle East and North Africa (MENA) region’s most dynamic economies, with substantial public and private investments in high tech being an important factor in each country. These countries face threats from hostile actors, and defending their technology and their peoples is a challenge. A challenge shared can lead to a challenge overcome.

Cyberattacks from nation-states and cybercriminals affect everyone

Each of the countries involved, with the possible exception of Morocco, has recent historical reason to be concerned about protecting its people and its industrial base—cyber and non-cyber—against cyberattacks. The greatest threats come from the Islamic Republic of Iran and cybercriminals—and the two overlap like Venn diagram circles.

Iran uses a well-documented peculiar sense of symmetry in how it conducts cyberattacks. Iran has an especially aggressive cyber offensive state capability for a country its size. Most of Iran’s nearby peers in population (ex: Turkey, Congo, Thailand, and Tanzania) or GDP per capita (ex: Bosnia, Namibia, Paraguay, and Ecuador) do not mount offensive cyberattacks or information operations against other countries on the scale that Tehran does. Iran and Israel have been engaged in “gray zone” cyberattacks against each other for more than a decade, and Iran has carried out various kinds of cyber operations against Israel, Saudi Arabia, Bahrain, most of the Arab countries of the Gulf, and the United States.

Cybercrime is another threat that has increased in recent years. The United States has convened two international conferences on ransomware, with the most recent being held in October-November 2022. The UAE and Saudi Arabia were reportedly the main targets in the Gulf for ransomware attacks, according to media reports, but other Gulf Arab countries are also at risk.

Complicating the picture is the fact that Iran often uses private contractors to carry out cyber operations—sometimes those entities carry out cyberattacks for profit as well. This complicates attribution and gives Tehran a patina of plausible deniability.

These factors make deterring cyberattacks especially difficult in the Middle East. The United States has sometimes retaliated against Iranian cyberattacks by carrying out operations against the perpetrators. However, the logic of deterrence requires an ability to impose costs that surpass the adversary’s perceived gains from the conduct in question. Iran has shown limited susceptibility thus far to being deterred by the US or others’ cyber operations. This makes cyber defense even more important.

Setting aside old rivalries to work together on cybersecurity is now in everyone’s interest

Iranian cyber behavior, the rising threat of cybercrime, and the inability so far to deter these behaviors have made it imperative that Israel, the Gulf countries, and the United States work more closely on civilian cyber defense.

Network imperatives make it important that this collaboration be both at network speeds and peer-to-peer. Cybersecurity needs to move quickly to be effective at addressing threats, which means that governments facing common threats should work together. The architecture of pre-Internet times allowed for hub-and-spoke information sharing in a situation where several governments were regional rivals but all had a common ally they could trust (usually, an ally that was considerably far away).

As a result, the United States could simultaneously be an ally of Israel and most Arab countries in the Middle East, and each of the countries would be willing to share information with the United States, even if they wouldn’t do so with each other (France and the United Kingdom have played similar roles with different sets of countries). Each country could trust the United States to protect its sources and methods while working for the common good, which, in earlier days, was focused on keeping the Soviet Union at bay.

For a time, this approach worked in cybersecurity. But this is no longer the case. Al-Qaeda and the Islamic State of Iraq and al-Sham (ISIS) were social-media savvy but lacked the resources and deep bench of a nation-state, allowing the United States and MENA to limit terrorists’ efforts to raise funds and recruit new fighters.

Today, Iran, even under sanctions, has far more resources than al-Qaeda ever did to use cyber tools to target Israel and the Gulf Arab states. While there are signs that a lack of funds holds back some of Iran’s cyber operations, cyberattacks are still remarkably cost-effective. Cybercrime raises enough funds to enrich organized gangs to run their own 24/7 ransomware help desks. “Ransomware-as-a-service” is now an actual thing.

The countries in the MENA region still face a number of challenges in the cyber domain. The use of Chinese technology by some countries raises fears of possible network penetration. Each country needs to work out how privacy norms and expectations should govern electronic surveillance tools, because the abuse of those tools has become an international concern. US concerns over “spyware” has already led to an executive order against the use of commercial tools that pose a risk to national security or have been misused to enable human rights abuses around the world.

A number of countries in MENA—Israel, Bahrain, and the UAE included—are increasingly becoming regional cyber powers and are banking on a wired future. Many governments in the region are trying to stimulate local investment in the digital sector, and protecting small but growing companies from cyber threats is becoming a significant business, with market research experts estimating a doubling of dollar volume in five years. The UAE’s new National Security Strategy aims to train more than forty thousand cybersecurity professionals and encourages Emirati students to pursue a career in this field.

To the private sector, an agreement among Abraham Accords members is more than just a sign of possible government-to-government cooperation. The agreement gives a valuable green light for direct business-to-business exchanges that could benefit the economy of the region. It may also heighten the value of joining the accords for other nations facing cyber threats, such as Saudi Arabia.

Given the importance of a closer cybersecurity partnership among Israel, key Gulf Arab states, and the United States, broadening the Abraham Accords to include cybersecurity is an eminently sensible approach. Like other parts of the accords, expanding them to include cybersecurity will have a lasting impact if cooperation leads to real benefits in security and commerce, making the Middle East more secure and prosperous than ever before.

Thomas S. Warrick is the director of the Future of DHS project at the Scowcroft Center for Strategy and Security’s Forward Defense practice, and a senior fellow and the Scowcroft Middle East Security Initiative at the Atlantic Council.

The post Regional cyber powers are banking on a wired future. Expanding the Abraham Accords to cybersecurity will help. appeared first on Atlantic Council.

The 5×5—Cryptocurrency hacking’s geopolitical and cyber implications

Simon Handler — Wed, 03 May 2023 04:01:00 +0000

In January 2023, a South Korean intelligence service and a team of US private investigators conducted an operation to interdict $100 million worth of stolen cryptocurrency before its hackers could successfully convert the haul into fiat currency. The operation was the culmination of a roughly seven-month hunt to trace and retrieve the funds, stolen in June 2022 from a US-based cryptocurrency company, Harmony. The Federal Bureau of Investigation (FBI) attributed the theft to a team of North Korean state-linked hackers—one in a string of massive cryptocurrency hauls aimed at funding the hermit kingdom’s illicit nuclear and missile programs. According to blockchain analysis firm Chainalysis, North Korean hackers stole roughly $1.7 billion worth of cryptocurrency in 2022—a large percentage of the approximately $3.8 billion stolen globally last year.

North Korea’s operations have brought attention to the risks surrounding cryptocurrencies and how state and non-state groups can leverage hacking operations against cryptocurrency wallets and exchanges to further their geopolitical objectives. We brought together a group of experts to explore cybersecurity implications of cryptocurrencies, and how the United States and its allies should approach this challenge.

#1 What are the cybersecurity risks of decentralized finance (DeFi) and cryptocurrencies? What are the cybersecurity risks to cryptocurrencies?

Eitan Danon, senior cybercrimes investigator, Chainalysis:

Disclaimer: Any views and opinions expressed are the author’s alone and do not reflect the official position of Chainalysis.

“DeFi is one of the cryptocurrency ecosystem’s fastest-growing areas, and DeFi protocols accounted for 82.1 percent of all cryptocurrency stolen (totaling $3.1 billion) by hackers in 2022. One important way to mitigate against this trend is for protocols to undergo code audits for smart contracts. This would prevent hackers from exploiting vulnerabilities in protocols’ underlying code, especially for cross-chain bridges, a popular target for hackers that allows users to move funds across blockchains. As far as the risk to cryptocurrencies, the decentralized nature of cryptocurrencies increases their security by making it extraordinarily difficult for a hostile actor to take control of permissionless, public blockchains. Transactions associated with illicit activity continue to represent a minute portion (0.24 percent) of the total crypto[currency] market. On a fundamental level, cryptocurrency is a technology—like data encryption, generative artificial intelligence, and advanced biometrics—and thus a double-edged sword.”

Kimberly Donovan director, Economic Statecraft Initiative, and Ananya Kumar, associate director of digital currencies, GeoEconomics Center, Atlantic Council:

“We encourage policymakers to think about cybersecurity vulnerabilities of crypto-assets and services in two ways. The first factor is the threat of cyberattacks for issuers, exchanges, custodians, or wherever user assets are pooled and stored. Major cryptocurrency exchanges like Binance and FTX have had serious security breaches, which has led to millions of dollars being stolen. The second factor to consider is the use of crypto-assets and crypto-services in money-laundering. Often, attackers use cryptocurrencies to receive payments due to the ability to hide or obfuscate financial trails, often seen in the case of ransomware attacks. Certain kinds of crypto-services such as DeFi mixers and aggregators allow for a greater degree of anonymity to launder money for criminals, who are interested in hiding money and moving it quickly across borders.”

Giulia Fanti, assistant professor of electrical and computer engineering, Carnegie Mellon University:

“The primary cybersecurity risks (and benefits) posed by DeFi and cryptocurrencies are related to lack of centralized control, which is inherent to blockchain technology and the philosophy underlying it. Without centralized control, it is very difficult to control how these technologies are used, including for nefarious purposes. Ransomware, for example, enables the flow of money to cybercriminial organizations. The primary cybersecurity risks to cryptocurrencies on the other hand can occur at many levels. Cryptocurrencies are built on various layers of technology, ranging from an underlying peer-to-peer network to a distributed consensus mechanism to the applications that run atop the blockchain. Attacks on cryptocurrencies can happen at any of these layers. The most widely documented attacks—and those with the most significant financial repercussions—are happening at the application layer, usually exploiting vulnerabilities in smart contract code (or in some cases, private code supporting cryptocurrency wallets) to steal funds.”

Zara Perumal, chief technology officer, Overwatch Data:

“Decentralized means no one person or institution is in control. It also means that no one person can easily step in to enforce. In cases like Glupteba, fraudulent servers or data listed on a blockchain can be hard to take down in comparison to cloud hosted servers where companies can intervene. Cybersecurity risks to cryptocurrencies include endpoint risk, since there is not a centralized party to handle returning accounts as the standard ways of credential theft is a risk to cryptocurrency users. There is a bigger risk in cases like crypto[currency] lending, where one wallet or owner holds a lot of keys and is a large target. In 2022, there were numerous high-profile protocol attacks, including the Wormhole, Ronin, and BitMart attacks. These attacks highlight the risks associated with fundamental protocol vulnerabilities via blockchain, smart contracts or user interface.”

#2 What organizations are most active and capable of cryptocurrency hacking and what, if any, geopolitical impact does this enable for them?

Danon: “North Korea- and Russia-based actors remain on the forefront of crypto[currency] crime. North Korea-linked hackers, such as those in the Lazarus Group cybercrime syndicate, stole an estimated $1.7 billion in 2022 in crypto[currency] hacks that the United Nations and others have assessed the cash-strapped regime uses to fund its weapons of mass destruction and ballistic missiles programs. Press reporting about Federation Tower East—a skyscraper in Moscow’s financial district housing more than a dozen companies that convert crypto[currency] to cash—has highlighted links between some of these companies to money laundering associated with the ransomware industry. Last year’s designations of Russia-based cryptocurrency exchanges Bitzlato and Garantex for laundering hundreds of millions of dollars’ worth of crypto[currency] for Russia-based darknet markets and ransomware actors cast the magnitude of this problem into starker relief and shed light on a diverse constellation of cybercriminals. Although many pundits have correctly noted that Russia cannot ‘flip a switch’ and run its G20 economy on the blockchain, crypto[currency] can enable heavily sanctioned countries, such as Russia, North Korea, and others, to project power abroad while generating sorely needed revenue.”

Donovan and Kumar: “We see actors from North Korea, Iran, and Russia using both kinds of cybersecurity threats described above to gain access to money and move it around without compliance. Geopolitical implications include sanctioned state actors or state-sponsored actors using the technology to generate revenue and evade sanctions. Hacking and cyber vulnerabilities are not specific to the crypto-industry and exist across digital infrastructures, specifically payments architecture. These threats can lead to national security implications for the private and public entities accessing or relying on this architecture.”

Perumal: “Generally, there are state-sponsored hacking groups that are targeting cryptocurrencies for financial gain, but also those like the Lazarus Group that are disrupting the cryptocurrency industry. Next, criminal hacking groups may both use cryptocurrency to receive ransom payments or also attack on chain protocols. These groups may or may not be associated with a government or political agenda. Many actors are purely financially motivated, while other government actors may hack to attack adversaries without escalating to kinetic impact.”

#3 How are developments in technology shifting the cryptocurrency hacking landscape?

Danon: “The continued maturation of the blockchain analytics sector has made it harder for hackers and other illicit actors to move their ill-gotten funds undetected. The ability to visualize complex crypto[currency]-based money laundering networks, including across blockchains and smart contract transactions, has been invaluable in enabling financial institutions and crypto[currency] businesses to comply with anti-money laundering and know-your-customer requirements, and empowering governments to investigate suspicious activity. In some instances, hackers have chosen to let stolen funds lie dormant in personal wallets, as sleuths on crypto[currency] Twitter and in industry forums publicly track high-profile hacks and share addresses in real-time, complicating efforts to off-ramp stolen funds. In other instances, this has led some actors to question whether this transparency risks unnecessary scrutiny from authorities. For example, in late April, Hamas’s military wing, the Izz al-Din al-Qassam Brigades, publicly announced that it was ending its longstanding cryptocurrency donation program, citing successful government efforts to identify and prosecute donors.”

Donovan and Kumar: “Industry is responding and innovating in this space to develop technology to protect and/or trace cyber threats and cryptocurrency hacks. We are also seeing the law enforcement, regulatory, and other government communities develop the capability and expertise to investigate these types of cybercrimes. These communities are taking steps to make public the information gathered from their investigations, which further informs the private sector to safeguard against cyber operations as well as technology innovations to secure this space.”

Fanti: “They are not really. For the most part, hacks on cryptocurrencies are not increasing in frequency because of sophisticated new hacking techniques, but rather because of relatively mundane vulnerabilities in smart contracts. There has been some research on using cutting-edge tools such as deep reinforcement learning to try to gain funds from smart contracts and other users, particularly in the context of DeFi. However, it is unclear to what extent DeFi users are using such tools; on-chain records do not allow observers to definitively conclude whether such activity is happening.”

Perumal: “As the rate of ransomware attacks rises, cryptocurrency is more often used as a mechanism to pay ransoms. For both that and stolen cryptocurrency, defenders aim to track actors across the blockchain and threat actors increase their usage mixers and microtransactions to hide their tracks. A second trend is crypto-jacking and using cloud computing from small to large services to fund mining. The last development is not new. Sadly, phishing and social engineering for crypto[currency] logins is still a pervasive threat and there is no technical solution to easily address human error.”

Countering ransomware: Lessons from aircraft hijacking

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Loose cobras: DPRK regime succession and uncertain control over offensive cyber capabilities

#4 What has been the approach of the United States and allied governments toward securing this space? How should they be approaching it?

Danon: “The US approach toward securing the space has centered on law enforcement actions, including asset seizures and takedowns with partners of darknet markets, such as Hydra Market and Genesis Market. Sanctions in the crypto[currency] space, which have dramatically accelerated since Russia’s invasion of Ukraine last February, have generated awareness about crypto[currency] based money laundering. However, as is the case across a range of national security problems, the United States has at times over relied on sanctions, which are unlikely to change actors’ behavior in the absence of a comprehensive strategy. The United States and other governments committed to AML should continue to use available tools and data offered by companies like Chainalysis to disrupt and deter bad actors from abusing the international financial system through the blockchain. Given the blockchain’s borderless and unclassified nature, the United States should also pursue robust collaboration with other jurisdictions and in multilateral institutions.”

Donovan and Kumar: “The United States and its allies are actively involved in this space to prevent regulatory arbitrage and increase information sharing on cyber risks and threats. They have also increased communication with the public and private sectors to make them aware of cyber risks and threats, and are making information available to the public and industry to protect consumers against cybercrime. Government agencies and allies should continue to approach this issue by increasing public awareness of the threats and enabling industry innovation to protect against them.”

Fanti: “One area that I think needs more attention from a consumer protection standpoint is smart contract security. For example, there could be more baseline requirements and transparency in the smart contract ecosystem about the practices used to develop and audit smart contracts. Users currently have no standardized way to evaluate whether a smart contract was developed using secure software development practices or tested prior to deployment. Standards bodies could help set up baseline requirements, and marketplaces could be required to report such details. While such practices cannot guarantee that a smart contract is safe, they could help reduce the prevalence of some of the most common vulnerabilities.”

Perumal: “Two recent developments from the US government are the White House cybersecurity strategy and the Cybersecurity and Infrastructure Security Agency’s (CISA) move to ‘secure by default.’ They both emphasize cooperation with the private sector to move security of this ecosystem to cloud providers. While the system is inherently decentralized, if mining or credential theft is happening on major technology platforms, these platforms have an opportunity to mitigate risk. The White House emphasized better tracing of transactions to “trace and interdict ransomware payments,” and CISA emphasizes designing software and crypto[currency] systems to be secure by default so smaller actors and users bear less of the defensive burden. At a high level, I like that this strategy moves protections to large technology players that can defend against state actors. I also like the focus on flexible frameworks that prioritize economics (e.g., cyber liability) to set the goal, but letting the market be flexible on the solution—as opposed to a prescriptive regulatory approach that cannot adapt to new technologies. In some of these cases, I think cost reduction may be a better lever than liability, which promotes fear on a balance sheet, however, I think the push toward financially motivated goals and flexible solutions is the right direction.”

#5 Has the balance of the threats between non-state vs. state actors against cryptocurrencies changed in the last five years? Should we be worried about the same entities as in 2018?

Danon: “Conventional categories of crypto[currency]-related crime, such as fraud shops, darknet markets, and child abuse material, are on the decline. Similarly, the threat from non-state actors, such as terrorist groups, remains extremely low relative to nation states, with actors such as North Korea and Russia continuing to leverage their technical sophistication to acquire and move cryptocurrency. With great power competition now dominating the policy agenda across many capitals, analysts should not overlook other ways in which states are exercising economic statecraft in the digital realm. For example, despite its crypto[currency] ban, China’s promotion of its permissioned, private blockchain, the Blockchain-based Service Network, and its central bank digital currency, the ‘digital yuan,’ deserve sustained research and analysis. Against the backdrop of China’s rise and the fallout from the war on Ukraine, it will also be instructive to monitor the efforts of Iran, Russia, and others to support non-dollar-pegged stablecoins and other initiatives aimed at eroding the dollar’s role as the international reserve currency.”

Donovan and Kumar: “More is publicly known now on the range of actors in this space than ever. Agencies such as CISA, FBI, and the Departments of Justice and the Treasury and others have made information available and provided a wide array of resources for people to get help or learn—such as stopransomware.gov. Private blockchain analytics firms have also enabled tracing and forensics, which in partnership with enforcement can prevent and punish cybercrime in the crypto[currency] space. Both the knowledge about ransomware and awareness of ransomware attacks have increased since 2018. As the popularity of Ransomware as a Service rises, both state and non-state actors can cause destruction. We should continue to be worried about cybercrime in general and remain agnostic of the actors.”

Perumal: “State actors continue to get more involved in this space. As cryptocurrencies and some digital currencies based on the blockchain become more mainstream, attacking it allows a more targeted geopolitical impact. In addition to attacks by governments (like Lazarus Group), a big recent development was China’s ban on cryptocurrency, which moved mining power from China to other parts of the world, especially the United States and Russia. This changed attack patterns and targets. At a high level, we should be worried about both financially-motivated and government-backed groups, but as the crypto[currency] market grows so does the sophistication of attacks and attackers.”

The post The 5×5—Cryptocurrency hacking’s geopolitical and cyber implications appeared first on Atlantic Council.

Practice makes perfect: What China wants from its digital currency in 2023

Ananya Kumar — Mon, 24 Apr 2023 16:58:55 +0000

It’s been a year since the Beijing Olympics, where China’s central bank digital currency (CBDC), the e-CNY, debuted in front of an international audience. As the e-CNY network has expanded over the last 12 months, China’s goals have become clearer. Domestically, the People’s Bank of China (PBOC) is still in test-and-learn mode, prioritizing experimentation over adoption. Globally, China is less focused on internationalizing the RMB than it is on setting technical and regulatory standards that will define how other countries’ central bank digital currencies will work going forward.

Domestic ambitions

Even with its persistent low adoption rates, the e-CNY is by far the largest CBDC pilot in the world by both the amount of currency in circulation—13.61 billion RMB—and the number of users—260 million wallets. As the pilot regions have expanded to 25 cities, so have the real-world use-cases tested through the pilots. From the start, the PBOC’s objective within its borders has been to not just to compete in China’s domestic payments landscape, which is dominated by two “private” players—AliPay and TencentPay/WePay—but to expand the universe of economic activities that are included the state-enabled payments network. So far, common use-cases being tested include public transportation, public health checkpoints including COVID test centers, integrated identification cards to receive and pay utilities such as retirement benefits and school tuition payments, as well as tax payments and refunds. The pilots have also begun testing technical and programmability functions like smart contracts for B2B and B2C functions, e-commerce and credit provision. Some of these projects are described in the table below..

These domestic test cases are likely to expand this year and cover a broader range of activities and regions. Already, the PBOC is looking to reach the margins of society: e-CNY is being tested amongst elderly populations and in broader rural connectivity schemes initiated to improve digitization. It is also aiming to reach AliPay and TencentPay/WePay customers through integrating their wallet and e-commerce functions for e-CNY distribution. Over the last few years, the PBOC, like the broader Chinese state apparatus, has displayed a tendency toward centralizing regulatory authority when it comes to the two sectors at the intersection of CBDCs —finance and technology. The universe of expanded economic networks enabled by the e-CNY has rightly created concerns regarding the centralization of authority by the PBOC, and the resulting impacts on freedom of choice and from state surveillance for its users. The expanded network of use cases across applications that would collect data on personal identification, health information, and consumption habits and behavior should also raise concerns around the vulnerability of such data to cyber threats domestically and abroad.

Recent developments on regulation

Interestingly, on the regulatory side, at the National People’s Congress in early March, there were a few changes announced to China’s financial regulators. The PBOC has lost its authority over financial holding companies and financial consumer protection regulation to a new regulator, the State Administration of Financial Supervision, which will also oversee banking and insurance regulation. The PBOC is also opening up 31 new provincial-level branches signaling deeper coordination between the PBOC and provincial level authorities. This reshuffle in authority signals further centralization of power under the party apparatus. Unlike other central banks, the PBOC is not fully independent, and requires the State Council to sign off on decisions relating to money supply and interest rates, and the State Council has been tracking PBOC’s research into e-CNY since approving the initial plan in 2016.

From a monetary policy perspective, the e-CNY infrastructure could be a handy tool in the hands of the PBOC, with which it can increase or decrease money supply. As China devises a strategy to stimulate consumer spending this year, there is an opportunity to do so by using and expanding the e-CNY network. China has already increased bank’s short term liquidity by $118 billion and long term liquidity by $72 billion through reducing reserve ratio requirements this year.

PBOC’s ambition for an all-encompassing domestic network of e-CNY infrastructure raises questions about the state’s ability and reach in controlling citizens’ activities. The pilots test real-world scenarios for CBDC use cases, and while adoption has been low, the broad range of applications suggest that testing, not adoption, is the priority for now.

e-CNY around the world

Use of the word “e-CNY” commonly refers to this domestic, retail payments infrastructure. However, much of the discussion in Washington references the cross-border, wholesale capabilities that the PBOC has been testing publicly for a while now. The PBOC participates in a joint experiment with the Hong Kong Monetary Authority, the Bank of Thailand, the Central Bank of the UAE and the Bank for International Settlements named Project mBridge, the purpose of which is to create a common infrastructure across borders to facilitate real-time and cheap transaction settlement. Last October, the project successfully conducted 164 transactions in collaboration with 20 banks across the 4 countries, settling a total of $22 million. Instead of relying on correspondent banking networks, banks were able to link with their foreign counterparts directly to conduct payments, FX settlements, redemptions and issuance across e-HKD, e-AED, e-THB and e-CNY. Interestingly, almost half of all transactions were in e-CNY, which amounted to approximately $1,705,453 issued, $3,410,906 used in payments and FX settlements and $6,811,812 redeemed. Both issuance and redemption transactions were highest in e-CNY, and as stated by the BIS, it was likely because of the automatic integration of the retail e-CNY system and the higher share of RMB in regional trade settlements.

Analysts have characterized wholesale cross-border arrangements like the mBridge as an effort towards de-dollarization and internationalization of the RMB. The e-CNY, much like its physical counterpart, faces the same liquidity constraints due to capital controls on off-shore transactions and holdings. This was reflected in the mBridge experiment, as one of the main feedback from participants was the need for greater liquidity from FX market makers and other liquidity providers to improve the FX transaction capabilities of the platform. Additionally, even if e-CNY were to become freely traded in the future, it could lead to significant appreciation of RMB and balance of payments issues for the PBOC. This is likely not a desirable outcome for the PBOC, which is why currency arrangements like the mBridge can only have a limited impact on the role of the dollar.

If winning the currency competition is an unlikely short-term objective of the PBOC, what has raised national security concerns regarding the e-CNY? China has long used the rhetoric of international cooperation and “do no harm” principles in its cross-border CBDC engagements. However, these cross-border experiments require months of preparation and coordination between central and commercial banks to ensure that regulatory and jurisdictional requirements are aligned. They highlight the need for legal pathways and standards for data sharing, privacy, and risk frameworks between heretofore unsynchronized jurisdictions. Similarly, experiments rely on technological prototypes that interact with existing domestic e-CNY framework, creating de-facto technical standards for cross-border transactions which are likely to be replicated by other jurisdictions. What can potentially emerge is a set of technical and regulatory standards built in the image of the e-CNY, and with that comes the baggage of surveillance and unauthorized access by the Chinese state. MBridge’s platform, for instance, can be utilized for domestic CBDC infrastructure if required by any jurisdiction.

Already, Chinese company Red Date Technology—which, along with China Mobile, UnionPay, State Information Center and others—is behind the creation of Blockchain Service Network (BSN) (a blockchain infrastructure service that connects different payment networks) has launched a similar product under the name of Universal Digital Payments Network. At an event at the World Economic Forum in January 2023, it targeted emerging markets experimenting with CBDCs and stablecoins, since the project wants to build an interconnected global architecture in the vein of BSN’s ambitions.

Technological and regulatory replication by country blocs, enabled by Chinese state and private actors, could create a parallel system of financial networks outside of the dollar, especially where there is a high volume of transactions. The United States relies on the dollar’s dominance to establish global anti-money laundering standards and achieve effective and broad implementation of financial sanctions. The emergence of alternate currency-blocs—enabled by e-CNY-like technology—has the potential to chip away at the primacy of the dollar in global finance and trade, as the dollar will not be the only available option.

Therefore, even though it is unlikely that the development of e-CNY would lead to a broader share of the RMB as a payment or reserve currency, replication of the e-CNY’s technical and regulatory model could further payments infrastructure that is not only inherently unworkable with the dollar, but exacerbates the privacy and surveillance concerns of the retail e-CNY by exporting the problem to the world. China’s domestic motivations of greater control and surveillance, therefore, are intertwined with its global ambitions, and the consequences will be dire in the absence of a competing, privacy preserving, dollar-enabling, payments infrastructure.

Ananya Kumar is the associate director for digital currencies with the GeoEconomics Center.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Check out our CBDC Tracker

Central Bank Digital Currency Tracker

Our flagship Central Bank Digital Currency (CBDC) Tracker takes you inside the rapid evolution of money all over the world. The interactive database now features 130 countries— triple the number of countries we first identified as being active in CBDC development in 2020.

The post Practice makes perfect: What China wants from its digital currency in 2023 appeared first on Atlantic Council.

Russia’s invasion of Ukraine is also being fought in cyberspace

Vera Mironova — Thu, 20 Apr 2023 16:30:09 +0000

The Russian invasion of Ukraine is the first modern war to feature a major cyber warfare component. While the conventional fighting in Ukraine often resembles the trench warfare of the early twentieth century, the evolving battle for cyber dominance is highly innovative and offers important insights into the future of international aggression.

The priority for Ukraine’s cyber forces is defense. This is something they have long been training for and are excelling at. Indeed, Estonian PM Kaja Kallas recently published an article in The Economist claiming that Ukraine is “giving the free world a masterclass on cyber defense.”

When Russian aggression against Ukraine began in 2014 with the invasion of Crimea and eastern Ukraine’s Donbas region, Russia also began launching cyber attacks. One of the first attacks was an attempt to falsify the results of Ukraine’s spring 2014 presidential election. The following year, an attempt was made to hack into Ukraine’s electricity grid. In 2017, Russia launched a far larger malware attack against Ukraine known as NotPetya that Western governments rated as the most destructive cyber attack ever conducted.

In preparation for the full-scale invasion of 2022, Russia sought to access Ukraine’s government IT platforms. One of the goals was to obtain the personal information of Ukrainians, particularly those working in military and law enforcement. These efforts, which peaked in January 2022 in the weeks prior to the invasion, failed to seriously disrupt Ukraine’s state institutions but provided the country’s cyber security specialists with further important experience. “With their nonstop attacks, Russia has effectively been training us since 2014. So by February 2022, we were ready and knew everything about their capabilities,” commented one Ukrainian cyber security specialist involved in defending critical infrastructure who was speaking anonymously as they were not authorized to discuss details.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

Name
First Last
Email*
Email
This field is for validation purposes and should be left unchanged.

Ukrainian specialists say that while Russian hackers previously tried to disguise their origins, many now no longer even attempt to hide their IP addresses. Instead, attacks have become far larger in scale and more indiscriminate in nature, with the apparent goal of seeking to infiltrate as many systems as possible. However, the defenders of Ukraine’s cyberspace claim Russia’s reliance on the same malware and tactics makes it easier to detect them.

The growing importance of digital technologies within the Ukrainian military has presented Russia with a expanding range of high-value targets. However, efforts to access platforms like Ukraine’s Delta situational awareness system have so far proved unsuccessful. Speaking off the record, Ukrainian specialists charged with protecting Delta say Russian hackers have used a variety of different methods. “They tried phishing attacks, but this only resulted in our colleagues having to work two extra hours to block them. They have also created fake interfaces to gain passwords and login details.”

Ukrainian security measures that immediately detect and block unauthorized users requesting information have proved effective for the Delta system and similar platforms. Russian hackers have had more success targeting the messaging platforms and situation reports of various individual Ukrainian military units. However, due to the fast-changing nature of the situation along the front lines, this information tends to become outdated very quickly and therefore is not regarded as a major security threat.

Eurasia Center events

“Cyber policy today has created a world in which seemingly everything non-military can be held at risk—hospitals, trains, dams, energy, water—and nothing is off limits.”¹

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Ukraine’s cyber efforts are not exclusively focused on defending the country against Russian attack. Ukrainians have also been conducting counterattacks of their own against Russian targets. One of the challenges they have encountered is the comparatively low level of digitalization in modern Russian society compared to Ukraine. “We could hack into Russia’s railway IT systems, for example, but what information would this give us? We would be able to access train timetables and that’s all. Everything else is still done with paper and pens,” notes one Ukrainian hacker.

This has limited the scope of Ukrainian cyber attacks. Targets have included the financial data of Russian military personnel via Russian banks, while hackers have penetrated cartographic and geographic information systems that serve as important infrastructure elements of the Ukraine invasion. Ukrainian cyber attacks have also played a role in psychological warfare efforts, with Russian television and radio broadcasts hacked and replaced with content revealing suppressed details of the invasion including Russian military casualties and war crimes against Ukrainian civilians.

While Ukraine’s partners throughout the democratic world have provided the country with significant military aid, the international community has also played a role on the cyber front. Many individual foreign volunteers have joined the IT Army of Ukraine initiative, which counts more than 200,000 participants. Foreign hacker groups are credited with conducting a number of offensive operations against Russian targets. However, the large number of people involved also poses significant security challenges. Some critics argue that the practice of making Russian targets public globally provides advance warning and undermines the effectiveness of cyber attacks.

Russia has attempted to replicate Ukraine’s IT Army initiative with what they have called the Cyber Army of Russia, but this is believed to have attracted fewer international recruits. Nevertheless, Russia’s volunteer cyber force is thought to have been behind a number of attacks on diverse targets including Ukrainian government platforms and sites representing the country’s sexual minorities and cultural institutions.

The cyber front of the Russo-Ukrainian War is highly dynamic and continues to evolve. With a combination of state and non-state actors, it is a vast and complex battlefield full of gray zones and new frontiers. Both combatant countries have powerful domestic IT industries and strong reputations as hacker hubs, making the cyber front a particularly fascinating aspect of the wider war. The lessons learned are already informing our knowledge of cyber warfare and are likely to remain a key subject of study in the coming decades for anyone interested in cyber security.

Vera Mironova is an associate fellow at Harvard University’s Davis Center and author of Conflict Field Notes. You can follow her on Twitter at @vera_mironov.

Policy experts have long looked to other fields to gain a better understanding of cyber issues—natural disasters, terrorism, insurance and finance, and even nuclear weapons—due to the “always/never” rule. The always/never concept stipulates that weapons must always work correctly when they are supposed to and never be launched or detonated by accident or sabotage. The application of the always/never rule to process control systems across an increasingly digitized critical infrastructure landscape is incredibly difficult to master.

Threading the tapestry of risk across critical infrastructure requires a more granular and purposeful model than the current approach to classifying critical infrastructure can deliver. Failing to contextualize the broad problem set that is critical infrastructure cybersecurity jeopardies increasing the cost of compliance-based cybersecurity to the extent that small- and medium-sized businesses cannot afford the expense and/or expect the government to provide managed cybersecurity services for designated concentrations of risk across multiple sectors—an imprudent, expensive, and unsustainable outcome.

Informing decision-makers requires deeper analysis of critical infrastructure targets through available open-source intelligence, criticality and vulnerability data, the degradation of operations by cyber means, and mean time to recover from cyber impacts that does not exist at scale. This paper offers an initial step to focus on cyber-physical operations, discussing the limitations of current methods to prioritize across critical infrastructure cybersecurity and outlining a methodology for prioritizing scenarios and entities across sectors and local, state, and federal jurisdictions.

This methodology has two primary use cases:

It provides a way for asset owners to rank relevant cyber scenarios, enabling a single entity, organization, facility, or site in scope to prioritize a tabletop exercise scenario that maps cyber-physical impacts from control failures to localized cascading impacts.
It generates a standardized priority score, which can be used by government and industry stakeholders to compare entities, locations, facilities, or sites within any jurisdiction (by geography, sector, regulatory body, etc.)—e.g., to compare 1,000 entities in a single sector or to compare a prison to a water utility or a rail operator to a hospital.

Introduction

The Department of Homeland Security’s National Incident Management System includes five components: plan, organize and equip, train, exercise, and evaluate and improve.² Cybersecurity conversations are stuck in a limited cycle of buy a product, run a tabletop exercise, and check compliance boxes, often skipping key steps for organization, failing to exercise function-specific responsibilities, and almost never exercising to failure like a real emergency might require. Collectively, cyber-physical security requires new strategic and tactical thinking to better inform decision-makers in cyber policy, planning, and preparedness.

Critical infrastructure sectors and operations depend on equipment, communications, and business operations to supply goods, services, and resources to populations and interdependent commercial industries each day around the clock. Over the last decade, distributed operations, including manual and analog components that were originally not accessible via the internet, have increasingly become digitized and connected as networked technology connects systems to systems, sites to sites, and people to everything.

Owners and operators of critical infrastructure are responsible for securing their operations and processes from the inside out according to assorted regulatory and compliance requirements within and across each sector. The U.S. government is responsible for protecting citizens, national security, and the economy. Despite the tactical understanding of critical infrastructure equipment, communications, and business operations, critical infrastructure cybersecurity remains ambiguous. Several agencies across the U.S. government are working together to develop cybersecurity performance standards, baseline metrics, incident reporting mechanisms, information sharing tools, and liability protections.

Nevertheless, critical infrastructure cybersecurity presents a massive needle in a haystack problem. Where information technology (IT) sees many vulnerabilities, likely to be exploited in similar ways across mainstream and ubiquitous systems, operational technology (OT) security is often a proprietary ,case-by-case distinction. The oversimplification of their differences leads to a contextual gap when translating roles and responsibilities into tasks and capabilities for government and business continuity and disaster recovery for industry.

Essential critical infrastructure sectors

Source: cisa.gov

What is eating critical infrastructure is not a talent gap, the convergence of IT and OT, or even the lack of investment in cybersecurity products and solutions. It is the improbability of determining all possible outcomes from single points of dependence and the failure that exists between and beyond business continuity, physical equipment, and secure data and communications.

One consistently repeated recommendation from high-level decision-makers is that organizations, entities, and/or facilities carry out tabletop exercises and scenario planning to prepare for cyber situations that could have disruptive and devastating outcomes, especially those that threaten human life and national and economic security. However, there is no standardized way to develop or run these exercises or to decide which scenarios to simulate for teams based on size, location, scope, operational specifics, security maturity, and resource capacity.

All of it is critical, so what matters?

“Systems of economic exchange that promote patterns of civil society depend on the sustainable availability and equitable use of natural and social resources necessary for constructing a satisfying and ‘satisficing’ life by present and future generations.”³

Critical infrastructure is critical not only because the disruption, degradation, or destruction of entities/operations will impact life, the economy, or national security, but also because critical infrastructure sectors form the backbone of U.S. civil society. Some critical infrastructure sectors are also transactionally dependent on one another. The water sector depends heavily on operations and outputs from the energy, transportation, finance, and manufacturing sectors. Transportation depends on operations and outputs from the energy, finance, communications, and manufacturing sectors, and so on.⁴

There are indicators to suggest that government will likely continue tasking industry with cybersecurity requirements. Recent European Commission legislation sheds light on the due diligence of cybersecurity activities. The Network and Information Security 2 directive suggests that entities assess the proportionality of their risk management activities according to their individual degree of exposure to risks, size, likelihood and severity of incidents, and the societal and economic impacts of potential incidents.

According to retired National Cyber Director Chris Inglis, the Biden administration’s National Cybersecurity Strategy drills into “affirmative intentionality,” asking industry to raise the bar on cyber responsibility, liability, and resilience building. This comes at a time when best practices are numerous but implementation specifics are scarce. The strategy is positioned to expand mandated policies at sector risk management agencies and to double down on broader information sharing, combined with international law enforcement, to quell undeterred cyber criminals and threat-actor groups.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uses the National Critical Functions Framework to define and assess critical functions across sectors. Critical functions, including the fifty-five published by CISA, are defined as “vital to the security, economy, and public health and safety of the nation.”⁵ Critical assets are prioritized as those which “if destroyed or disrupted, would cause national or regional catastrophic effects.”⁶

According to a review by the U.S. Government Accountability Office, this approach has fallen short in three major ways: Stakeholders found it difficult to prioritize the framework given competing planning and operations considerations, struggled with implementing the goals and strategies, and required more tailored information to use the framework in a meaningful way. As a result, only fourteen states out of fifty-six have provided updates to the National Critical Infrastructure Prioritization Program since 2017.⁷

Entities determined to be the most essential of all critical infrastructure are categorized as Section 9 entities, defined as “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”⁸ A recommended definition of systemically important critical infrastructure (SICI) in proposed legislation suggests the secretary of the U.S. Department of Homeland Security could declare a facility, system, or asset as “systemically important critical infrastructure” if the compromise, damage, and/or destruction of that entity would result in the following:

The interruption of critical services, including the energy supply, water supply, electricity grid, and/or emergency services, that could cause mass casualties or lead to mass evacuations.
The perpetuation of catastrophic damage to the U.S. economy, including the disruption of the financial market, disruption of transportation systems, and the unavailability of critical technology services.
The degradation and/or disruption of defense, aerospace, military, intelligence, and national security capabilities.
The widespread compromise or malicious intrusion of technologies, devices, or services across the cyber ecosystem.⁹

Regardless of scoping for SICI, there is a lack of understanding about the inventory of industrial assets and technologies that are in use across critical sectors today and the configuration contingencies for risk management for that inventory. There is a similar absence of holistic awareness about the realistic, cascading impacts or the fallout analysis for entities with varying characteristics and demographics.

Operational technology

OT and industrial control system (ICS) technologies include a wide range of machines and equipment, such as pumps, compressors, valves, turbines and similar equipment, interface computers and workstations, programmable logic controllers, and many diagnostics, safety, and metering and monitoring systems that enable or report the status of variables, processes, and operations.

Supervisory control and data acquisition (SCADA) systems encompass operations management and supervisory control of local or physical OT controls and are programmed and monitored to direct one or more processes operating at scale—i.e., machines and devices command process controls that are involved in directing and manipulating physical sensors and actuators.

Sectors operating OT and ICS on a daily basis include oil and gas, power and utilities, water treatment and purification facilities, manufacturing, transportation, hospitals, and connected buildings. OT devices tend to be legacy devices with fifteen- to twenty-year lifecycles and beyond, operating 24-7 with rarely scheduled or available maintenance windows for software patches and updates. These devices often lack robust security controls by design and feature proprietary communication protocols and varying connectivity and networking requirements.

OT cybersecurity aims to prevent attacks that target process control equipment that reads data, executes logic, and sends outputs back to the machine or equipment. However, IT cybersecurity practices, analytics, forensics, and detection tools do not match the unique data and connectivity requirements and various configurations of OT environments.

A single operation or location might have more than a dozen different types of vendor technologies—SCADA, distributed control systems, programmable logic controllers, remote terminal units, human-machine interfaces, and safety instrumented systems—running with proprietary code and industry specific protocols. Prioritizing availability and data in motion, each asset and system will have unique parameters for identification and communication on a network, making it nearly impossible to manually log granular session- and packet-level details about each asset or system.

Attacks involving OT and ICS come predominately in two forms. Some are tailored specifically for a single target with the intent of establishing prolonged, undetected access to manipulate view and/or control scenarios that could result in physical disruption or destruction. Others involve “living off the land” techniques that target common denominators across organizations based on opportunistic activities, such as using established social engineering; tactics, techniques and procedures (TTPs); credential harvesting; and the purchase of intelligence and access from threat actors and groups conducting continuous reconnaissance and acting as initial access brokers.

Risks and vulnerabilities in operational technology and critical infrastructure

It is increasingly difficult to contextualize critical infrastructure both operationally—based on specific products, services, resources, processes, and technologies—and functionally—based on centralized versus distributed risks, dependencies, and interdependencies. Attempts to at contextualization have led to a debate between asset-specific (things, such as technologies, systems, and equipment) versus function-specific (actions, such as connecting, distributing, managing, and supplying) cybersecurity prioritization. This dichotomy is also characterized as “threats from” a threat actor and their capabilities to impact functions, instead of “threats to” specific assets as explained in product-specific vulnerability disclosures.¹⁰

Today there are thousands of known product vulnerabilities in OT and ICS systems from each vendor that produces machines and equipment in those categories. While each vulnerability is published with an associated common vulnerability score, it is impossible to immediately understand how severe that vulnerability will be in context for a single entity or organization’s risk profile based on the designated severity of the vulnerability. Vulnerabilities must be compared with operational status to understand their significance and to prioritize the actions and procedures that will reduce the severity of the vulnerability’s potential impacts.

Unfortunately, “threats from” actors cannot easily be mapped to the exploitation of threats to OT and ICS. The assets versus functions distinction that is commonplace in the current debate over critical infrastructure typically leads to a hyper focus on either systems impact analysis (asset-specific) or business continuity (function-specific) outcomes and limits holistic fallout analysis for four main reasons:

The plethora of existing product vulnerabilities in critical OT do not translate directly into manipulation of view or manipulation of control scenarios.
The severity scoring for vulnerabilities is too vague to determine cascading impacts or relevant fallout analysis for a specific facility or operation.
The loss of function outcomes and consequences are often not well scoped in terms of realistic cyber scenarios that would lead to and produce cascading impacts.
Cyber incidents that impact physical processes are less repeatable than IT attacks and accessible cyber threat intelligence for threat actors and TTPs that specifically target OT and ICS is less widely available, as there are fewer known and analyzed incidents.

Many OT and ICS systems have known vulnerabilities and unsophisticated, yet complex, designs; the security complexity is in the attack path or “kill chain,” targeting simplistic systems that can be configured in a myriad of ways. Critical infrastructure entities can be targeted by threat actors to exploit and extort their IT and OT or ICS systems, but OT and ICS systems—traditionally designed with mission state and continuity in mind—also risk having their native functionality targeted and hijacked in cyber scenarios.¹¹

Risks to cyber-physical systems include:

the use of legacy technologies with well-known vulnerabilities
the widespread availability of technical information about control systems
the connectivity of control systems to other networks
constraints on the use of existing security technologies and practices
insecure remote connections
a lack of visibility into network connectivity
complex and just-in-time supply chains
human error, neglect, and accidents.

If the core of cybersecurity is a calculation of threats, vulnerabilities, and likelihood, critical infrastructure sectors and technologies represent an exponential number of probabilistic outcomes for cyber scenarios with physical consequences. Despite increased awareness, pressure, and oversight from governments, boards, and insurance providers, the scale and complexity of the problem set quickly intensifies given the entanglement of

similar, but not identical, industries and technologies
inconsistent change management and documentation
reliance on third-party systems and components
external threat actors and TTPs
risk management and security best practices
compensating controls and security policy enforcement
compliance, standards, and regulations.

Table for potential escalation of consequences

This complexity results in four types of general OT and ICS cyber scenarios in critical infrastructure. The two most commonly discussed, but not necessarily the most commonly experienced, are if/when an adversary accesses an OT environment and intentionally causes effects within the scope of their objectives or causes unintended consequences beyond the scope of their objectives. These general scenarios can be further dissected and understood by referencing the specific attack paths and impacts outlined in the MITRE Corporation’s ATT&CK Matrix for ICS.¹²

A scoring methodology for cross-sector entity prioritization

Today, critical infrastructure cyber protection correlates sixteen different sectors, with no way to compare a standardized risk metric from a municipal water facility in Wyoming with a large commercial energy provider in Florida or a rural hospital in Texas with a train operator in New York. This section proposes a scoring methodology for cross-sector entity prioritization using qualitative scenario planning and quantitative indicators for severity scoring, assessing the potential for scenarios to cause public panic and to stress/overcome local, state, and federal response capacity.

Prioritizing critical infrastructure cybersecurity requires robust planning—comprehensive in scope, yet flexible enough to account for contingencies. Tasha Jhangiani and Graham Kennis note that “a risk-based approach to national security requires that the U.S. must prioritize its resources in areas where it can have the greatest impact to prevent the worst consequences.”¹³ Owners and operators of critical infrastructure have relayed to the U.S. government a need for more “regionally specific information” to address cyber threats. ¹⁴

A recent report on the ownership of various utilities in the United States found that “a better indicator of how to approach [cyber] regulations is to look at how many people a utility services,” a direct indicator for fallout analysis when OT systems are impacted.¹⁵ Where progress should start can be determined by expanding fallout analysis to identify the most at-risk environments across any given jurisdiction regardless of sector, location, ownership, or cybersecurity policy enforcement.

Scoring entities according to the prioritization methodology outlined below requires a well-executed thought exercise. The results are a way to determine the most consequential scenarios for facilities and operations, as well as the most at-risk facilities and operations within a given jurisdiction. The scoring can be performed at a local, state, or federal level. This type of prioritization offers an accessible way for entities to grapple with cybersecurity concerns in a local and regional context. The ranking also allows prioritization from an effects-based (impacts), rather than a means-based (capabilities), approach.

This methodology has two primary use cases:

The scoring matrix provides a way to rank and prioritize relevant cyber scenarios for a single entity, organization, facility, or site in scope.
a. The ranking, based on weighted scores, will allow any entity, organization, facility, or site to choose scenarios to exercise based on a choice of two real-world impacts (impact A, impact B) or to assess both impacts when choosing a tabletop scenario.
i. This ranking has the potential to prioritize scenarios that will cause public panic and/or overwhelm response resources over scenarios that simply have a higher cyber severity rating (see Table 1).
The standardized priority score provides an overall priority score for the entity, organization, facility, or site.
a. This score can be used to compare and rank different entities, locations, facilities, or sites within a given jurisdiction—city or local, state, federal, sector-specific, etc.

This methodology can be incorporated into assessments, training, and tabletop exercises in the planning phase of cyber risk mitigation and incident response. It can also be used by leaders to prioritize multiple critical infrastructure sectors or locations in their jurisdiction from a cybersecurity perspective.

How to use the methodology

Prioritizing cybersecurity efforts across critical infrastructure can borrow from the suggested fallout analysis applied to the public and local response capacity of a given target. When a weapon of mass destruction is used as an act of terror, according to the 2002 Federal Emergency Management Agency’s Interim Planning Guide for State and Local Governments, “Managing the Emergency Consequences of Terrorist Incidents,” there are two additional possible outcomes:¹⁶

Impact A—the creation of chaos, confusion, and public panic
Impact B—increased stress on local, state, and federal response resources.

Weighting cyber severity scores for scenarios based on impact A and impact B is essential, as each scenario will impact the level of public panic and available resources differently depending on the sector and that sector’s assets and functions, location, and region. For example, a hospital ransomware attack in an urban area may not cause widespread public panic, but it may have the ability to overwhelm response resources in rural areas. Conversely, an attack on the financial sector may result in public panic, but it may be less likely to overwhelm response resources.

An IT system interruption might cause business disruptions and downtime that results primarily in public panic, while manipulation of control at a water facility could have major impacts on both public panic and response resources. The 2021 Colonial Pipeline ransomware incident inadvertently shut down OT and ICS systems and led to unforeseen local and regional impacts. The scoring methodology used here works to manage uncertainty, identifying four essential components in consultation with informed cybersecurity experts, owners and operators, and local and regional stakeholders.

Scenario planning: Six scenarios will be outlined according to their potential to result in either manipulation of view (three scenarios) or manipulation of control (three scenarios) outcomes for OT. ¹⁷
Severity scoring: The scoring will be based on cybersecurity severity (see Tables 1 and 2).
Weighting and ranking scenarios: The scenarios will be weighted and ranked based on their potential to cause public panic and/or to stress or overwhelm response capacity.
Final scoring: The standardized priority score will be calculated for the entire entity/operation.

The methodology compliments the SICI definition of critical infrastructure outlined above and can also be used to enhance the following concerted CISA recommendations:¹⁸

develop primary, alternate, contingency, and emergency plans to mitigate the most severe effects of prolonged disruptions, including the ability to operate manually without the aid of control systems in the event of a compromise
ensure redundancies of critical components and data systems to prevent single points of failure that could produce catastrophic results
conduct exercises to provide personnel with effective and practical mechanisms to identify best practices, lessons learned, and areas for improvement in plans and procedures.

The resulting scenarios could further be compared using CISA’s National Cyber Incident Scoring System, designed to provide a repeatable and consistent mechanism for estimating the risk of an incident. In the future, this methodology can potentially be used together with a Diamond Model of Intrusion Analysis applied to cyber-physical incidents to better understand how adversaries demonstrate and use certain capabilities and techniques against critical infrastructure targets. This may allow for better nation-state level analysis and more robust information for decision-makers who struggle to understand the likelihood of attacks against specific operations or facilities today.

Analysis and calculations

Step 1: Scenario planning: Six scenarios will be outlined for their potential to result in either manipulation of view (three scenarios) or manipulation of control (three scenarios) outcomes for OT.¹⁹

Scenarios can include incidents in which the threat, vulnerability, or exploitation originate in the IT/corporate or enterprise side of operations. First, the top three most realistic manipulation of view scenarios for a target are identified based on impacts to OT, with severity indicators outlined in Table 1. Then, the top three most realistic manipulation of control scenarios for a target are identified based on impacts to OT, with indicators outlined in Table 1.

Table 1: Severity indicators

Qualitative assessment to determine severity score in Table 2

SOURCE: Adapted from the Center for Regional Disaster Resilience “Washington Cybersecurity Situational Awareness Concept of Operations (CONOPS)” guidance document²⁰

Step 2: Severity scoring: The scoring will be based on cybersecurity severity indicators (see Table 1). Each scenario is scored based on a severity rating in Table 2 (scores for each scenario range from 10 to 50).

Table 2: Severity rating

(does not have to equal 100)

SOURCE: Adapted from the Center for Regional Disaster Resilience “Washington Cybersecurity Situational Awareness Concept of Operations (CONOPS)” guidance document.²¹

Step 3: Weighting and ranking scenarios: The scenarios will be weighted and ranked based on their potential to cause public panic and/or to stress or overwhelm response capacity.

The scenarios will be ranked based on impact A and impact B. All six scenarios will be ranked separately by both likelihood of causing public panic and ability to overwhelm local response resources (see Table 3).

Table 3: Weighting likelihood to cause public panic and to overwhelm resources

(total weights must = 1)

Step 4: Final scoring: The standardized priority score will be calculated for the entire entity/operation. The weighted scores for both impact A and impact B are combined and the standardized priority score is calculated (see Figure 4).

Case study: Prison cybersecurity

In November 2022, the Atlantic Council’s Cyber Statecraft Initiative brought together cybersecurity experts to apply this scoring methodology to a mock tabletop exercise focused on a prison. A prison environment includes many functional OT and ICS systems and helps illustrate the utility of cybersecurity scenario planning beyond what is traditionally considered critical infrastructure. U.S. prisons also offer a real-world environment where experts who specialize in OT and ICS cybersecurity for any Section 9 entities or existing critical infrastructure sectors can address the problem set on equal footing, without speaking directly to any sector they serve or have worked in or with.

Prisons, often referred to as correctional facilities, operate across the United States. Twenty-six states and the Federal Bureau of Prisons rely heavily on private facilities to house incarcerated inmates.²²These facilities depend on a myriad of IT and OT systems for safe, healthy, and continuous 24-7 operations. Examples of IT systems in prisons include telephone and email, video, telemedicine, radios, and management platforms (i.e., access to computers or tablets for entertainment, education, job skills, and reentry planning). Examples of OT systems include security platforms, surveillance cameras, access control points, perimeter intrusion detection, cell doors, and health and safety platforms, such as fire alarms and heating, ventilation, and air conditioning (HVAC) systems.²³ These OT and ICS systems are exposed to the threats and vulnerabilities that were previously discussed.

Consider one potential OT scenario in which a threat actor gains access to the system that controls the cell doors, which are programmed not to open or close simultaneously. Access to the controllers that incrementally open and close the cell doors could be achieved and a threat actor could override the incremental interval, directing all doors to move at once, potentially surging the power and/or destroying electronics and components of the cyber-physical system. Researchers have discovered prison control rooms with internet access and commissaries connected to OT networks where programmable logic controllers are operating.²⁴ This scenario represents a potential manipulation of control that would likely produce some level of public panic, but may not necessarily overwhelm local response capabilities.

Tabletop participants conducted a 90-minute exercise to develop six potential scenarios—three specifying manipulation of view impacts to OT and three specifying manipulation of control impacts to OT. The guidelines specified that each scenario must be realistic, technically feasible, worst-case scenarios based on cyber-physical impacts. The scenarios could not be duplicative and must be considered irrespective of network segmentation and best practice compensating controls. Scenarios could have initial access vectors in traditional information technologies, directly or indirectly impacting OT.

The prison specifics indicated that the facility opened in 1993 as a supermax prison in upstate New York. The mock facility housed 300 male inmates and had about 500 employees. Visiting hours were reportedly weekends and holidays between 9:00am and 3:15pm. The facility was said to be located five miles outside of a city of 27,000 people. The immediate town had twenty-seven police officers and fourteen civilian support staff. The nearest hospital, with 125 beds, was five miles away and in similar proximity to two large elementary schools. The facility itself was described as a hub-and-spoke model for operations, with a central command center monitoring and operating the facility and control systems located on premise but removed from the command center.

Access vectors were potentially numerous, including technicians with equipment and inventory access, universal serial bus (USB) drive and other transient devices, internet-connected control systems and networks, software updates, remote access, and remote exploitation, leading to the example scenarios outlined below. The scenarios and scoring that follow are a snapshot of this mock exercise and the application of the methodology in this paper. The example demonstrates bounded knowledge of a simulated exercise and is meant to showcase how an organization or facility might use the methodology for an entity or operation. Participants were cybersecurity experts, however, the scenario planning and thought exercise is meant to include all relevant stakeholders.

Mock prison example scenarios: Manipulation of view and manipulation of control

MOV = manipulation of view, MOC = manipulation of control.

Figure 1. Priority based on severity rating alone (Table 1)

NOTE that based on cybersecurity severity alone, MOC 3 ranks highest as a cyber scenario worth preparing and executing a tabletop exercise for.

Figure 2. Weighted priority for impact A (panic)

FORMULA: Score = Severity * Panic
NOTE that based on the cybersecurity severity score and the ability to cause public panic, MOC 3 still ranks highest as a cyber scenario worth preparing and executing a tabletop exercise for.

Figure 3. Weighted priority for impact B (resources)

FORMULA: Score = Severity * Resources
NOTE that based on the cybersecurity severity score and the ability to overwhelm local response
capacity, MOC 2 now ranks highest as a cyber scenario worth preparing and executing a tabletop exercise for.

Figure 4. Weighted priority for impact A and B (both panic and resources)

FORMULA: Score = Severity * Panic * Resources

Manipulation of control scenario two—communications distributed denial-of-service, internally and externally, with capacity/threat to manipulate, modify, and disrupt process control systems—became potentially more impactful than manipulation of control scenario three—third-party access to takeover process control systems of cell block doors only—as a cyber scenario worth preparing for. Planning and training for a scenario that cuts off internal and external communications and includes uncertainty surrounding cyber-physical impacts is a more robust scenario than direct access to a limited OT/ICS asset or a potential ransomware situation that has limited cascading impacts.

The standardized priority score can be used to compare entities from various sectors based on likely real-world scenarios, expected severity, and impacted populations. Another entity with different severity and impact calculations may have a total score of 4.35, for example. It is scalable; a company can compare different facilities and a city or sector or agency can work to enhance protections for the top 10 percent of entities in their purview of responsibility or scope, creating a starting point for addressing the most critical of critical targets and building cross-sector resilience.

Conclusion

When considering whether assets or functions are more important, the answer is concretely somewhere in between—it always depends on the operation, product, or service. Evaluating entities and sectors against how well they implement cybersecurity requirements and best practices is abundant in complexity but limited in scope. Meanwhile, focusing on technology regulation leads to time-consuming and expensive audits and standardizing unrelated sectors yields vague guidance that becomes difficult to implement and enforce. Hypothetical cyber-physical scenarios quickly become convoluted with technical contingencies, competing priorities, overlapping authorities and analysis gaps.

Like the CARVER Target Analysis and Vulnerability Assessment tool, a similar way to standardize and prioritize what is most important from a cyber perspective is needed and must include impact analysis that goes beyond the cyber incident itself to consider scenarios that also impact public panic and the ability to overwhelm local response capabilities.²⁵ The methodology proposed in this paper is a simple scoring system that provides a repeatable mechanism that is suitable for prioritization based on real-world cyber scenarios, cyber-physical impacts, and fallout analysis.

Some sector-specific target and attack data exists, but there is still too much fear, uncertainty, and doubt driving tabletop exercises. Hopefully in the future, cyber policy and preparedness will have processes akin to the Homeland Security Exercise and Evaluation Program, with the key ingredient being a common approach.²⁶This methodology will not resolve all critical infrastructure cybersecurity and systemically critical infrastructure debates. It will take widespread adoption to be most useful, offering a strategic way to scope and prepare for effective tabletop exercises and to compare entities across various sectors and jurisdictions.

About the author

Danielle Jablanski is a nonresident fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and an OT cybersecurity strategist at Nozomi Networks, responsible for researching global cybersecurity topics and promoting operational technology (OT) and industrial control systems (ICS) cybersecurity awareness throughout the industry. Jablanski serves as a staff and advisory board member of the nonprofit organization Building Cyber Security, leading cyber-physical standards development, eduction, certifications, and labeling authority to advance physical security, safety, and privacy in public and private sectors. Since January 2022, Jablanski has also served as the president of the North Texas Section of the International Society of Automation, organizing monthly member meetings, training, and community engagements. She is also a member of the Cybersecurity Apprenticeship Advisory Taskforce with the Building Apprenticeship Systems in Cybersecurity Program sponsored by the US Department of Labor.

Russian army presses on in Bakhmut despite losses

1 Danielle Jablanski, “Why Cyber Holds the Entire World at Risk,” National Interest, April 5, 2022, https://nationalinterest.org/blog/techland-when-great-power-competition-meets-digital-world/why-cyber-holds-entire-world-risk.

2 “National Preparedness Cycle,” Homeland Security Emergency Management Center of Excellence, https://www.coehsem.com/emergency-management-cycle/.

3 Benjamin R., Barber, A Place for Us: How to Make Society Civil and Democracy Strong (New York: Hill and Wang, 1984).

4 Tyson Macaulay, Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies (Boca Raton: CRC Press, 2009).

5 “Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing,” U.S. Government Accountability Office, March 1, 2022, https://www.gao.gov/products/gao-22-104279.

6 “Critical Infrastructure Protection,” 2022.

7 “Critical Infrastructure Protection,” 2022.

8 Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 8, 2018.

9 Tasha Jhangiani and Graham Kennis, “Protecting the Critical of Critical: What Is Systemically Important Critical Infrastructure?” Lawfare, June 15, 2021, https://www.lawfareblog.com/protecting-critical-critical-what-systemically-important-critical-infrastructure.

10 Tyson Macaulay and Bryan Singer, Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS (Boca Raton: CRC Press, 2012), 57.

11 Michael J. Assante and Robert M. Lee, “The Industrial Control System Cyber Kill Chain,” SANS Institute, October 2015, https://na-production.s3.amazonaws.com/documents/industrial-control-system-cyber-kill-chain-36297.pdf.

12 “MITRE ATT&CK Matrix for ICS,” MITRE Corporation, last modified May 6, 2022,https://attack.mitre.org/matrices/ics/.

13 Jhangiani and Kennis, 2021.

14 “Critical Infrastructure Protection,” 2022.

15 Jacob Azrilyant, Melissa Sidun, and Mariami Dolashvili, “Fact and Fiction: Demystifying the Myth of the 85%,” capstone project, George Washington University, May 6, 2022, https://www.scribd.com/document/575971848/Fact-and-Fiction-85-and-Critical-Infrastructure.

16 “Managing the Emergency Consequences of Terrorist Incidents: Interim Planning Guide for State and Local Governments,” Federal Emergency Management Agency,July 2002, https://www.fema.gov/pdf/plan/managingemerconseq.pdf.

17 View and/or control cannot be recovered automatically or remotely from manipulation. The potential for sabotage can come through misinformation delivered to control room personnel or through malicious instructions sent to production infrastructure. Macaulay and Singer, 2012.

18 “Sector Spotlight: Cyber-Physical Security Considerations for the Electricity Sub-Sector,” Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/sites/default/files/publications/Sector%20Spotlight%20Cyber-Physical%20Security%20Considerations%20Electricity%20Sub-Sector%20508%20compliant.pdf.

19 View and/or control cannot be recovered automatically or remotely from manipulation. The potential for sabotage can come through misinformation delivered to control room personnel or through malicious instructions sent to production infrastructure. Macaulay and Singer, 2012.

20 Washington Cybersecurity Situational Awareness Concept of Operations (CONOPS),” Center for Regional Disaster Resilience, https://www.regionalresilience.org/uploads/2/3/2/9/23295822/washington_cybersecurity_situational_awareness_conops.pdf.

21 “Washington Cybersecurity Situational Awareness,” Center for Regional Disaster Resilience.

22 Mackenzie Buday and Ashley Nellis, “Private Prisons in the United Sates, The Sentencing Project,August 23, 2022, https://www.sentencingproject.org/reports/private-prisons-in-the-united-states/.

23 Teague Newman, Tiffany Rad, and John Strauchs, “SCADA & PLC Vulnerabilities in Correctional Facilities,” Wired, July 30, 2011, https://www.wired.com/images_blogs/threatlevel/2011/07/PLC-White-Paper_Newman_Rad_Strauchs_July22_2011.pdf.

24 Newman, Rad, and Strauchs, 2011.

25 “What is the CARVER Target Analysis and Vulnerability Assessment Methodology?” SMI Consultancy, https://www.smiconsultancy.com/what-is-carver.

26 “Homeland Security Exercise and Evaluation Program,” Federal Emergency Management Agency, https://training.fema.gov/programs/nsec/hseep/.

The post Critical infrastructure cybersecurity prioritization: A cross-sector methodology for ranking operational technology cyber scenarios and critical entities appeared first on Atlantic Council.

Russian War Report: Russian army presses on in Bakhmut despite losses

Digital Forensic Research Lab — Fri, 14 Apr 2023 17:34:44 +0000

As Russia continues its assault on Ukraine, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) is keeping a close eye on Russia’s movements across the military, cyber, and information domains. With more than seven years of experience monitoring the situation in Ukraine—as well as Russia’s use of propaganda and disinformation to undermine the United States, NATO, and the European Union—the DFRLab’s global team presents the latest installment of the Russian War Report.

Security

Russia enacts “e-drafting” law

Drone imagery locates new burial site east of Soledar

Russian hackers target NATO websites and email addresses

Russian army presses on in Bakhmut despite losses

The General Staff of the Ukrainian Armed Forces recorded fifty-eight attacks on Ukrainian troop positions on April 9 and 10. Of these attacks, more than thirty were in the direction of Bakhmut, and more than twenty were in the direction of Marinka and Avdiivka. Russian forces also attempted to advance toward Lyman, south of Dibrova.

Documented locations of fighting April 1-13, 2023; data gathered from open-source resources. (Source: Ukraine Control Map, with annotations by the DFRLab)

On April 10, Commander of the Eastern Group of Ukrainian Ground Forces Oleksandr Syrskyi said that Russian forces in Bakhmut increasingly rely on government special forces and paratroopers because Wagner units have suffered losses in the recent battles. Syrskyi visited Bakhmut on April 9 to inspect defense lines and troops deployed to the frontline. According to the United Kingdom’s April 10 military intelligence report, Russian troops are intensifying tank attacks on Marinka but are still struggling with minimal advances and heavy losses.

On April 13, Deputy Chief of the Main Operational Directorate of Ukrainian Forces Oleksiy Gromov said that Bakhmut remains the most challenging section on the frontline as Russian forces continue to storm the city center, trying to encircle it from the north and south through Ivanivske and Bohdanivka. According to Ukrainian estimates, during a two-week period, Russian army and Wagner Group losses in the battle for Bakhmut amounted to almost 4,500 people killed or wounded. To restore the offensive potential in Bakhmut, Russian units that were previously attacking in the direction of Avdiivka were transferred back to Bakhmut.

On April 8, Commander of the Ukrainian Air Forces Mykola Oleshchuk lobbied for Ukraine obtaining F-16 fighter jets. According to his statement, Ukrainian pilots are now “hostages of old technologies” that render all pilot missions “mortally dangerous.” Oleshchuk noted that American F-16 jets would help strengthen Ukraine’s air defense. Oleshchuk said that even with a proper number of aircraft and pilots, Ukrainian aviation, which is composed of Soviet aircraft and missiles, may be left without weapons at some point. He noted the F-16 has a huge arsenal of modern bombs and missiles. The commander also discussed the need for superiority in the air and control of the sea. Currently, Russian aviation is more technologically advanced and outnumbers Ukraine, meaning Ukraine cannot adequately protect its airspace. In order for the Ukrainian army to advance and re-capture territory occupied by Russia, it will require substantial deliveries of aviation and heavy equipment like tanks, howitzers, and shells.

April 10, Ukrainian forces reported they had spotted four Russian ships on combat duty in the Black Sea, including one armed with Kalibr missiles. Another Russian ship was spotted in the Sea of Azov, along with seven in the Mediterranean, including three Kalibr cruise missile carriers.

Meanwhile, according to Ukrainian military intelligence, Russia plans to produce Kh-50 cruise missiles in June. If confirmed, this could potentially lead to increased missile strikes against Ukraine in the fall. The Kh-50 missiles in the “715” configuration are intended to be universal, meaning they can be used by many Russian strategic bombers, including the Tu-22M3, Tu-95MS, and Tu-160.

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria

Russia enacts “e-drafting” law

On April 11, the Russian State Duma approved a bill reading allowing for the online drafting of Russian citizens using the national social service portal Gosuslugi. One day later, the Russian Federal Council adopted the law. The new law enables military commissariats, or voenkomat, to send mobilization notices to anyone registered in the Gosuslugi portal. Contrary to the traditional in-person delivery of paper notices, the digital mobilization order will be enforced immediately upon being sent out to the user; ordinarily, men drafted for mobilization could dispute the reception of the notice during the twenty-one-day period after the notice was sent. As of 2020, 78 million users were reportedly registered in the Gosuslugi portal, nearly two-thirds of the Russian population.

Alongside the adoption of the digital mobilization notices are newly adopted restrictions regarding unresponsive citizens. Those who fail to appear at their local military commissariat in the twenty-day period following notice will be barred from leaving the country and banned from receiving new credit or driving a car. Of the 164 senators who took part in the vote, only one voted against the bill; Ludmila Narusova argued that the law had been adopted exceptionally hastily and that the punishments against “deviants” who do not respond to the notice are “inadequate.”

As explained by Riga-based Russian news outlet Meduza, the law also states that reserves could be populated with those who legally abstained from military service until the age of twenty-seven, due to an amendment in the bill that allows for personal data to be shared with the Russian defense ministry in order to establish “reasonable grounds” for mobilization notices to be sent out. Several institutions across the country will be subject to the data exchange, including the interior ministry, the federal tax office, the pension and social fund, local and federal institutions, and schools and universities.

–Valentin Châtelet, Research Associate, Security, Brussels, Belgium

Drone imagery locates new burial site east of Soledar

Images released by Twitter user @externalPilot revealed a new burial site, located opposite a cemetery, in the village of Volodymyrivka, southeast of Soledar, Donetsk Oblast. The DFRLab collected aerial imagery and assessed that the burial site emerged during the last week of March and the first week of April. The city of Soledar has been under Russian control since mid-January. The burial site faces the Volodymyrivka town cemetery. Drone footage shows several tombs with no apparent orthodox crosses or ornaments. Analysis of the drone imagery indicates around seventy new graves have been dug on this site. A DFRLab assessment of satellite imagery estimates the surface area of the burial site amounts to around thirteen hectares.

Location of new burial site east of Soledar, Volodymyrivka, Donetsk Oblast. (Source: PlanetLab, with annotations by the DFRLab)

–Valentin Châtelet, Research Associate, Security, Brussels, Belgium

Russian hackers target NATO websites and email addresses

On April 8, the pro-war Russian hacktivist movement Killnet announced they would target NATO in a hacking operation. On April 10, they said they had carried out the attack. The hacktivists claimed that “40% of NATO’s electronic infrastructure has been paralyzed.” They also claimed to have gained access to the e-mails of NATO staff and announced they had used the e-mails to create user accounts on LBGTQ+ dating sites for 150 NATO employees.

The hacktivists forwarded a Telegram post from the KillMilk channel showing screenshots of one NATO employee’s e-mail being used to register an account on the website GayFriendly.dating. The DFRLab searched the site for an account affiliated with the email but none was found.

Killnet also published a list of e-mails it claims to have hacked. The DFRLab cross-checked the e-mails against publicly available databases of compromised e-mails, like Have I been Pwned, Avast, Namescan, F-secure, and others. As of April 13, none of the e-mails had been linked to the Killnet hack, though this may change as the services update their datasets.

In addition, the DFRLab checked the downtime of the NATO websites that Killnet claims to have targeted with distributed denial of service (DDoS) attacks. According to IsItDownRightNow, eleven of the forty-four NATO-related websites (25 percent) were down at some point on April 10.

—Nika Aleksejeva, Resident Fellow, Riga, Latvia

The post Russian War Report: Russian army presses on in Bakhmut despite losses appeared first on Atlantic Council.

Banning TikTok alone will not solve the problem of US data security

Jonathan Panikoff — Fri, 31 Mar 2023 16:24:22 +0000

Last week, the TikTok chief executive officer, Shou Zi Chew, appeared before the US House of Representatives Energy and Commerce Committee. The media and political perception within the Washington Beltway is that it did not go well, and it didn’t. Chew’s answers were unconvincing and at times disingenuous, including when he downplayed accusations that the company had spied on journalists critical of the company. On social media, including on TikTok, the perception of the hearing by users was equally decisive, but not in Congress’s favor.

There are 150 million US users of TikTok, and the contrast between the creative and often viral nature of clips produced on the platform—including those defending Chew—and the stodgy nature of C-SPAN’s fixed camera positions, pre-planned talking points, and members demanding “yes” or “no” answers to their questions, made for an unfavorable contrast for committee members. US policymakers considering a ban on TikTok need to think about the very serious ramifications to people and small businesses whose livelihoods do, at least in part, rely on the app. Those Americans who use the app for professional and business purposes should have their legitimate concerns addressed by policymakers in a meaningful manner alongside any sort of ban.

But TikTok users’ usage of the social media app, even if only to generate business, does not mitigate the potential threats to US national security associated with it. In December, Director of National Intelligence Avril Haines warned about the potential uses of TikTok by Beijing stemming from the data the app collects and the possibility of using it to influence public opinion. TikTok’s algorithm, for example—which experts view as more advanced than that of Facebook parent company Meta—could be used by China to create propaganda that seeks to influence or manipulate elections and the broader information environment.

TikTok’s connections to China’s government stem from it being a wholly owned subsidiary of the Beijing-based company ByteDance. Chew testified that “ByteDance is not owned or controlled by the Chinese government.” However, Article VII of China’s National Intelligence Law of 2017 makes clear the mandated responsibility for private sector companies (and any Chinese organization) to “support, assist, and cooperate” with China’s intelligence community. ByteDance, therefore, has an absolute obligation to turn over to China’s intelligence apparatus any data it requests.

There are significant reasons to be skeptical of Chew’s claims that “Project Texas”—TikTok’s effort to wall off US user data from Chinese authorities by solely storing it in the United States—will prevent China from having access to US user data in the future. Worse, even if one takes Chew at his word that “Project Texas” will accomplish this feat, it defies logic to believe that ByteDance would not—independently or compelled by China’s intelligence agencies—retain a copy of all 150 million current US users’ data.

At the same time, TikTok is just a symptom of a much bigger problem. The United States and its allies have a more fundamental issue when it comes to their citizens using China-based apps, programs, or any technology that collects their data. All China-based companies have the same obligations to provide data information to China’s intelligence services whenever requested.

What the US government can do

TikTok’s ban would mitigate the immediate threat posed by the ByteDance subsidiary, but there’s far more work that needs to be done. The Committee on Foreign Investment in the United States (CFIUS) has, up until now, been the most prominent tool used to prevent foreign governments, or individuals associated with them, from making investments in the United States that could be used to ultimately undermine US national security. CFIUS has a specific and meaningful role focused on investments, but nowadays it has too often become the default instrument for reconciling an increasingly broad swath of national security challenges. This is in part because it has a track record of success, but also because it’s one of the only meaningful tools available to policymakers. But it is not an ideal tool for every situation, something best demonstrated by CFIUS’s challenge in resolving TikTok’s ongoing review that has stretched on for more than two years now.

The bipartisan RESTRICT Act—which would give the Department of Commerce the right to review foreign technologies and ban them in the United States or force their sale—is a thoughtful place from which to begin discussions about additional ways to mitigate the US national security challenges related to information and communications platforms available for mass use. But that act alone would not solve the broader data challenges as they exist today.

The lack of federal regulation related to commercial data brokers, which today can and do legally collect and resell the data of millions of Americans, is a glaring gap that needs to be filled immediately. A ban on TikTok, for example, would do nothing to prevent data brokers from aggregating the same consumer data from other apps and re-selling it to commercial entities, including those in China.

The threat posed by China to US national security, and to Americans’ individual data, is acute. The good news is the United States can deal with these challenges, but it will take more than just banning TikTok.

Jonathan Panikoff is a senior fellow in the Atlantic Council’s GeoEconomics Center and the former director of the Investment Security Group, overseeing the intelligence community’s CFIUS efforts, at the Office of the Director of National Intelligence.

The views expressed in this publication are the author’s and do not imply endorsement by the Office of the Director of National Intelligence, the intelligence community, or any other US government agency.

The post Banning TikTok alone will not solve the problem of US data security appeared first on Atlantic Council.

What to expect from the world’s democratic tech alliance as the Summit for Democracy unfolds

Katherine Walla — Wed, 29 Mar 2023 17:37:06 +0000

Watch the full event

Online Event Mon, March 27, 2023 • 1:30 pm ET

Live from the Freedom Online Coalition: How the FOC works for people around the world

The DFRLab hosts the US Deputy Secretary of State Wendy Sherman along with civil society and industry experts for a discussion on the Freedom Online Coalition and how the world’s democratic tech alliance advances human rights online.

Africa East Asia Europe & Eurasia Indo-Pacific

Ahead of the Biden administration’s second Summit for Democracy, US Deputy Secretary of State Wendy Sherman gave a sneak peek at what to expect from the US government on its commitments to protecting online rights and freedoms.

The event, hosted by the Atlantic Council’s Digital Forensic Research Lab on Monday, came on the same day that US President Joe Biden signed an executive order restricting the US government’s use of commercial spyware that may be abused by foreign governments or enable human-rights abuses overseas.

But there’s more in store for this week, Sherman said, as the United States settles into its role as chair of the Freedom Online Coalition (FOC)—a democratic tech alliance of thirty-six countries working together to support human rights online. As chair, the United States needs “to reinforce rules of the road for cyberspace that mirror and match the ideals of the rules-based international order,” said Sherman. She broke that down into four top priorities for the FOC:

Protecting fundamental freedoms online, especially for often-targeted human-rights defenders
Building resilience against digital authoritarians who use technology to achieve their aims
Building a consensus on policies designed to limit abuses of emerging technologies such as artificial intelligence (AI)
Expanding digital inclusion

“The FOC’s absolutely vital work can feel like a continuous game of catch-up,” said Sherman. But, she added, “we have to set standards that meet this moment… we have to address what we see in front of us and equip ourselves with the building blocks to tackle what we cannot predict.”

Below are more highlights from the event, during which a panel of stakeholders also outlined the FOC’s role in ensuring that the internet and emerging technologies—including AI—adhere to democratic principles.

Deepening fundamental freedoms

Sherman explained that the FOC will aim to combat government-initiated internet shutdowns and ensure that people can “keep using technology to advance the reach of freedom.”
Boye Adegoke, senior manager of grants and program strategy at the Paradigm Initiative, recounted how technology was supposed to help improve transparency in Nigeria’s recent elections. But instead, the election results came in inconsistently and after long periods of time. Meanwhile, the government triggered internet shutdowns around the election period. “Bad actors… manipulate technology to make sure that the opinions and the wishes of the people do not matter at the end of the day,” he said.
“It’s very important to continue to communicate the work that the FOC is doing… so that more and more people become aware” of internet shutdowns and can therefore prepare for the lapses in internet service and in freely flowing, accurate information, Adegoke said.
On a practical level, once industry partners expose where disruptions are taking place, the FOC offers a mechanism by which democratic “governments can work together to sort of pressure other governments to say these [actions] aren’t acceptable,” Starzak argued.
The FOC also provides a place for dialogue on human rights in the online space, said Alissa Starzak, vice president and global head of public policy at Cloudfare. Adegoke, who also serves in the FOC advisory network, stressed that “human rights [are] rarely at the center of the issues,” so the FOC offers an opportunity to mainstream that conversation into policymakers’ discussions on technology.

Building resilience against digital authoritarianism

“Where all of [us FOC countries] may strive to ensure technology delivers for our citizens, autocratic regimes are finding another means of expression,” Sherman explained, adding that those autocratic regimes are using technologies to “divide and disenfranchise; to censor and suppress; to limit freedoms, foment fear, and violate human dignity.” New technologies are essentially “an avenue of control” for authoritarians, she explained.
At the FOC, “we will focus on building resilience against the rise of digital authoritarianism,” Sherman said, which has “disproportionate and chilling impacts on journalists, activists, women, and LGBTI+ individuals” who are often directly targeted for challenging the government or expressing themselves.
One of the practices digital authoritarians often abuse is surveillance. Sherman said that as part of the Summit for Democracy, the FOC and other partners will lay out guiding principles for the responsible use of surveillance tech.
Adegoke recounted how officials in Nigeria justified their use of surveillance tech by saying that the United States also used the technology. “It’s very important to have some sort of guiding principle” from the United States, he said.
After Biden signed the spyware executive order, Juan Carlos Lara, executive director at Derechos Digitales, said he expects other countries “to follow suit and hopefully to expand the idea of bans on spyware or bans on surveillance technology” that inherently pose risks to human rights.

Addressing artificial intelligence

“The advent of AI is arriving with a level of speed and sophistication we haven’t witnessed before,” warned Sherman. “Who creates it, who controls it, [and] who manipulates it will help define the next phase of the intersection between technology and democracy.”
Some governments, Sherman pointed out, have used AI to automate their censorship and suppression practices. “FOC members must build a consensus around policies to limit these abuses,” she argued.
Speaking from an industry perspective, Starzak acknowledged that sometimes private companies and governments “are in two different lanes” when it comes to figuring out how they should use AI. But setting norms for both good and bad AI use, she explained, could help get industry and the public sector in the same lane, moving toward a world in which AI is used in compliance with democratic principles.
Lara, who also serves in the FOC advisory network, explained that the FOC has a task force to specifically determine those norms on government use of AI and to identify the ways in which AI contributes to the promise—or peril—of technology in societies worldwide.

Improving digital inclusion

“The internet should be open and secure for everyone,” said Sherman. That includes “closing the gender gap online” by “expanding digital literacy” and “promoting access to safe online spaces” that make robust civic participation possible for all. Sherman noted that the FOC will specifically focus on digital inclusion for women and girls, LGBTI+ people, and people with disabilities.
Starzak added that in the global effort to cultivate an internet that “builds prosperity,” access to the free flow of information for all is “good for the economy and good for the people.” Attaining that version of the internet will require a “set of controls” to protect people and their freedoms online, she added.
Ultimately, there are major benefits to be had from expanded connectivity. According to Sherman, it “can drive economic growth, raise standards of living, create jobs, and fuel innovative solutions” for global challenges such as climate change, food insecurity, and good governance.

Katherine Walla is an associate director of editorial at the Atlantic Council.

Watch the full event

The post What to expect from the world’s democratic tech alliance as the Summit for Democracy unfolds appeared first on Atlantic Council.

Wendy Sherman on the United States’ priorities as it takes the helm of the Freedom Online Coalition

Atlantic Council — Tue, 28 Mar 2023 14:22:55 +0000

Watch the event

Online Event Mon, March 27, 2023 • 1:30 pm ET

Live from the Freedom Online Coalition: How the FOC works for people around the world

Africa East Asia Europe & Eurasia Indo-Pacific

Event transcript

Uncorrected transcript: Check against delivery

Introduction
Rose Jackson
Director, Democracy & Tech Initiative, Digital Forensic Research Lab

Opening Remarks
Wendy Sherman
Deputy Secretary of State, US Department of State

Panelists
Boye Adegoke
Senior Manager, Grants and Program Strategy, Paradigm Initiative

Juan Carlos Lara
Executive Director, Derechos Digitales

Alissa Starzak
Vice President, Global Head of Public Policy, Cloudflare

Moderator
Khushbu Shah
Nonresident Fellow, Digital Forensic Research Lab

ROSE JACKSON: Hello. My name is Rose Jackson, and I’m the director of the Democracy + Tech Initiative here at the Atlantic Council in Washington, DC.

I’m honored to welcome you here today for this special event, streaming to you in the middle of the Freedom Online Coalition, or the FOC’s first strategy and coordination meeting of the year.

For those of you watching at home or many screens elsewhere, I’m joined here in this room by representatives from thirty-one countries and civil-society and industry leaders who make up the FOC’s advisory network. They’ve just wrapped up the first half of their meeting and wanted to bring some of the conversation from behind closed doors to the community working everywhere to ensure the digital world is a rights-respecting one.

It’s a particularly important moment for us to be having this conversation. As we get ready for the second Summit for Democracy later this week, the world’s reliance and focus on the internet has grown, while agreement [on] how to further build and manage it frays.

I think at this point it’s a bit of a throwaway line that the digital tools mediate every aspect of our lives. But the fact that most of the world has no choice but to do business, engage with their governments, or stay connected with friends and family through the internet makes the rules and norms around how that internet functions a matter of great importance. And even more because the internet is systemic and interconnected, whether it is built and imbued with the universal human rights we expect offline will determine whether our societies can rely on those rights anywhere.

Antidemocratic laws have a tendency of getting copied. Troubling norms are established in silence. And a splintering of approach makes it easier for authoritarians to justify their sovereign policies used to shutter dissent, criminalize speech, and surveil everyone. These are the core democratic questions of our time, and ensuring that the digital ecosystem is a rights-respecting one requires democracies [to row] in the same direction in their foreign policy and domestic actions.

The now twelve-year-old FOC, as the world’s only democratic tech alliance, presents an important space for democratic governments to leverage their shared power to this end, in collaboration with civil society and industry around the world.

We were encouraged last year when Secretary of State Antony Blinken announced at our open summit conference in Brussels that the US would take over as chair of the FOC in 2023 as part of its commitment to reinvest in the coalition and its success. Just over an hour ago, the US announced a new executive order limiting its own use of commercial spyware on the basis of risks to US national security and threats to human rights everywhere really brings home the stakes and potential of this work.

So today we’re honored to have Deputy Secretary of State Wendy Sherman here to share more about the US government’s commitment to these issues and its plans for the coming year as chair.

We’ll then turn to a panel of civil-society and industry leaders from around the world to hear more about how they view the role and importance of the FOC in taking action on everything from internet shutdowns to surveillance tech and generative AI. That session will be led by our nonresident fellow and the former managing editor of Rest of World Khushbu Shah.

Now, before I turn to the deputy secretary, I want to thank the FOC support unit, the US State Department, and our Democracy and Tech team here for making this event possible. And I encourage you in Zoomland to comment on and engage liberally with the content of today’s event on your favorite social media platforms, following at @DFRLab, and using the hashtags #SummitforDemocracy, #S4D too, or #PartnersforDemocracy.

For those tuning in remotely in need of closed captioning, please view today’s program on our YouTube channel through the link provided in the chat.

It is now my distinct honor to pass the podium to Deputy Secretary of State Wendy Sherman, who needs no introduction as one of our nation’s most experienced and talented diplomats.

Deputy Secretary, thank you so much for joining us.

WENDY SHERMAN: Good afternoon. It’s terrific to be with you, and thank you, Rose, for your introduction and for all of the terrific work that the Freedom Online Coalition is doing.

It is fitting to be here at the Atlantic Council for this event because your mission sums up our purpose perfectly: shaping the global future together. That is our fundamental charge in the field of technology and democracy: how we use modern innovations to forge a better future.

That’s what the DFRLab strives to achieve, through your research and advocacy, and that’s what the Freedom Online Coalition, its members, observers, and advisory network seek to accomplish through our work. Thank you for your partnership.

More than five decades ago—seems like a long time ago, but really very short—the internet found its origins in the form of the first online message ever sent, all of two letters in length, delivered from a professor at UCLA to colleagues at Stanford. It was part of a project conceived in university labs and facilitated by government. It was an effort meant to test the outer limits of rapidly evolving technologies and tap into the transformative power of swiftly growing computer networks.

What these pioneers intended at the time was actually to devise a system that could allow people to communicate in the event of a nuclear attack or another catastrophic event. Yet what they created changed everything—how we live and work, how we participate in our economy and in our politics, how we organize movements, how we consume media, read books, order groceries, pay bills, run businesses, conduct research, learn, write, and do nearly everything we can think of.

Change didn’t happen overnight, of course, and that change came with both promise and peril. This was a remarkable feat of scientific discovery, and it upended life as we know it for better, and sometimes, worse.

Over the years, as we went from search engines to social media, we started to face complicated questions as leaders, as parents and grandparents, as members of the global community—questions about how the internet can best be used, how it should be governed, who might misuse it, how it impacts our children’s mental and emotional health, who could access it, and how we can ensure that access is equitable—benefitting people in big cities, rural areas, and everywhere in between. Big-picture questions arose about these tectonic shifts. What would they mean for our values and our systems of governance? Whether it’s the internet as we understand it today or artificial intelligence revolutionizing our world tomorrow, will digital tools create more democracy or less? Will they be deployed to maximize human rights or limit them? Will they be used to enlarge the circle of freedom or constraint and contract it?

For the United States, the Freedom Online Coalition, and like-minded partners, the answer should point in a clear direction. At a basic level, the internet should be open and secure for everyone. It should be a force for free enterprise and free expression. It should be a vast forum that increases connectivity, that expands people’s ability to exercise their rights, that facilitates unfettered access to knowledge and unprecedented opportunities for billions.

Meeting that standard, however, is not simple. Change that happens this fast in society and reaches this far into our lives rarely yields a straightforward response, especially when there are those who seek to manipulate technology for nefarious ends. The fact is where all of us may strive to ensure technology delivers for our citizens, autocratic regimes are finding another means of expression. Where democracies seek to tap into the power of the internet to lift individuals up to their highest potential, authoritarian governments seek to deploy these technologies to divide and disenfranchise, to censor and suppress, to limit freedoms, [to] foment fear and [to] violate human dignity. They view the internet not as a network of empowerment but as an avenue of control. From Cuba and Venezuela to Iran, Russia, the PRC, and beyond, they see new ways to crush dissent through internet shutdowns, virtual blackouts, restricted networks, blocked websites, and more.

Here in the United States, alongside many of you, we have acted to sustain connections to internet-based services and the free flow of information across the globe, so no one is cut off from each other, the outside world, or cut off from the truth. Yet even with these steps, none of us are perfect. Every day, almost everywhere we look, democracies grapple with how to harness data for positive ends, while preserving privacy; how to bring out the best in modern innovations without amplifying their worst possibilities; how to protect the most vulnerable online while defending the liberties we hold dear. It isn’t an easy task, and in many respects, as I’ve said, it’s only getting harder. The growth of surveillance capabilities is forcing us to constantly reevaluate how to strike the balance between using technologies for public safety and preserving personal liberties.

The advent of AI is arriving with a level of speed and sophistication we haven’t witnessed before. It will not be five decades before we know the impact of AI. That impact is happening now. Who creates it, who controls it, [and] who manipulates it will help define the next phase of the intersection between technology and democracy. By the time we realize AI’s massive reach and potential, the internet’s influence might really pale in comparison. The digital sphere is an evolving and is evolving at a pace we can’t fully fathom and in ways at least I can’t completely imagine. Frankly, we have to accept the fact that the FOC’s absolutely vital work can feel like a continuous game of catchup. We have to acknowledge that the guidelines we adopt today might seem outdated as soon as tomorrow.

Now let me be perfectly clear: I am not saying we should throw up our hands and give up. To the contrary, I’m suggesting that this is a massive challenge we have to confront and a generational change we have to embrace. We have to set standards that meet this moment and that lay the foundation for whatever comes next. We have to address what we see in front of us and equip ourselves with the building blocks to tackle what we cannot predict.

To put a spin on a famous phrase, with the great power of these digital tools comes great responsibility to use that power for good. That duty falls on all our shoulders and the stakes could not be higher for internet freedom, for our common prosperity, for global progress, because expanded connectivity, getting the two billion unconnected people online can drive economic growth, raise standards of living, create jobs, and fuel innovative solutions for everything from combating climate change to reducing food insecurity, to improving public health, to promoting good governance and sustainable development.

So we need to double down on what we stand for: an affirmative, cohesive, values-driven, rights-respecting vision for democracy in a digital era. We need to reinforce rules of the road for cyberspace that mirror and match the ideals of the rules-based international order. We need to be ready to adapt our legal and policy approaches for emerging technologies. We need the FOC—alongside partners in civil society, industry, and elsewhere—to remain an essential vehicle for keeping the digital sphere open, secure, interoperable, and reliable.

The United States believes in this cause as a central plank of our democracy and of our diplomacy. That’s why Secretary Blinken established our department’s Bureau of Cyberspace and Digital Policy, and made digital freedom one of its core priorities. That’s why the Biden-Harris administration spearheaded and signed into and onto the principles in the Declaration for the Future of the Internet alongside sixty-one countries ready to advance a positive vision for digital technologies. That’s why we released core principles for tech-platform accountability last fall and why the president called on Congress to take bipartisan action in January.

That’s why we are committed to using our turn as FOC chair as a platform to advance a series of key goals.

First, we will deepen efforts to protect fundamental freedoms, including human rights defenders online and offline, many of whom speak out at grave risk to their own lives and to their families’ safety. We will do so by countering disruptions to internet access, combating internet shutdowns, and ensuring everyone’s ability to keep using technology to advance the reach of freedom.

Second, we will focus on building resilience against the rise of digital authoritarianism, the proliferation of commercial spyware, and the misuse of technology, which we know has disproportionate and chilling impacts on journalists, activists, women, and LGBTQI+ individuals. To that end, just a few hours ago President Biden issued an executive order that for the first time will prohibit our government’s use of commercial spyware that poses a risk to our national security or that’s been misused by foreign actors to enable human rights abuses overseas.

On top of that step, as part of this week’s Summit for Democracy, the members of the FOC and other partners will lay out a set of guiding principles on government use of surveillance technologies. These principles describe responsible practices for the use of surveillance tech. They reflect democratic values and the rule of law, adherence to international obligations, strive to address the disparate effect on certain communities, and minimize the data collected.

Our third objective as FOC chair focuses on artificial intelligence and the way emerging technologies respect human rights. As some try to apply AI to help automate censorship of content and suppression of free expression, FOC members must build a consensus around policies to limit these abuses.

Finally, we will strengthen our efforts on digital inclusion—on closing the gender gap online; on expanding digital literacy and skill-building; on promoting access to safe online spaces and robust civic participation for all, particularly women and girls, LGBTQI+ persons, those with disabilities, and more.

Here’s the bottom line: The FOC’s work is essential and its impact will boil down to what we do as a coalition to advance a simple but powerful idea, preserving and promoting the value of openness. The internet, the Web, the online universe is at its best when it is open for creativity and collaboration, open for innovation and ideas, open for communication and community, debate, discourse, disagreement, and diplomacy.

The same is true for democracy—a system of governance, a social contract, and a societal structure is strongest when defined by open spaces to vote, deliberate, gather, demonstrate, organize, and advocate. This openness could not be more important, because when the digital world is transparent, when democracy is done right, that’s when everyone has a stake in our collective success. That’s what makes everyone strive for a society that is free and fair in our politics and in cyberspace. That’s what we will give—that’s what we’ll give everyone reason to keep tapping into the positive potential of technology to forge a future of endless possibility and boundless prosperity for all.

So good luck with all your remaining work; lots ahead. And thank you so much for everything that you all do. Thank you.

KHUSHBU SHAH: Hello, everybody. Thank you so much for joining us. I’m Khushbu Shah, a journalist and a nonresident fellow at the Atlantic Council’s DFRLab.

We’re grateful to have these three experts here with us today to discuss rights in the digital world and the Freedom Online Coalition’s role in those rights. I’ll introduce you to these three experts.

This is Adeboye Adegoke, who is the senior manager of grants and program strategy at Paradigm Initiative. We have Alissa Starzak, the vice president and global head of public policy at Cloudflare, and Juan Carlos, known as J.C., Lara, who’s the executive director of Derechos Digitales. And so I will mention that both J.C. and Adeboye are also on the FOC’s Advisory Network, which was created as a strong mechanism for ongoing multi-stakeholder engagement.

And so I’ll start with the thirty-thousand-foot view. So we’ve heard—we’ve just heard about the FOC and its continued mission with the United States at the helm as chair this year in an increasingly interconnected and online world. More than five billion people are online around the world. That’s the majority of people [on] this planet. We spend nearly half of our time that we’re awake online, around more than 40 percent.

We as a global group of internet users have evolved in our use of the internet, as you’ve heard, since the creation of the FOC in 2011.

So Adeboye, why do you think now suddenly so many people are suddenly focused on technology as a key democratic issue? And speaking, you know, from your own personal experience in Nigeria, should we be?

ADEBOYE ADEGOKE: Yeah. I mean, I think the reasons are very clear, not just [looking out] to any region of the world, but, you know, generally speaking, I mean, the Cambridge Analytica, you know, issue comes to mind.

But also just speaking, you know, very specifically to my experience, on my reality as a Nigerian and as an African, I mean, we just concluded our general elections, and technology was made to play a huge role in ensuring transparency, you know, the integrity of the elections, which unfortunately didn’t achieve that objective.

But besides that, there are also a lot of concerns around how technology could be manipulated or has been manipulated in order to literally alter potential outcomes of elections. We’re seeing issues of microtargeting; you know, misinformation campaigns around [the] election period to demarcate, you know, certain candidates.

But what’s even most concerning for me is how technology has been sometimes manipulated to totally alter the outcome of the election. And I’ll give you a very clear example in terms of the just-concluded general elections in Nigeria. So technology was supposed to play a big role. Results were supposed to be transmitted to a central server right from the point of voting. But unfortunately, those results were not transmitted.

In fact, as a matter of fact, three or four days after the election, 50 percent of the results were not uploaded. As of the time that the election results were announced, those results were—less than 50 percent of the results had been transmitted, which then begin to, you know, lead to questioning of the integrity of those outcomes. These are supposed to be—elections are supposed to be transmitted, like, on the spot. So, you know, it becomes concerning.

The electoral panel [gave] an excuse that there was a technical glitch around, you know, their server and all of that. But then the question is, was there actually a technical glitch, or was there a compromise or a manipulation by certain, you know, bad actors to be able to alter the outcome of the election? [This] used to be the order of the day in many supposedly, you know, democratic countries, especially from the part of the world that I come from, where people really doubt whether what they see as the outcomes of their election is the actual outcome or somebody just writing something that they want.

So technology has become a big issue in elections. On one side, technology has the potential to improve on [the] integrity of elections. But on the other side, bad actors also have the tendency to manipulate technology to make sure that the opinions or the wishes of the people do not matter at the end of the day. So that’s very important here.

KHUSHBU SHAH: And you just touched on my next question for Alissa and J.C. So, as you mentioned, digital authoritarians have used tech to abuse human rights, limit internet freedoms. We’re seeing this in Russia and Myanmar, Sudan, and Libya. Those are some examples. [The] deputy secretary mentioned a few others. For example, in early 2022, at the start of its invasion of Ukraine, Russia suppressed domestic dissent by closing or forcing into exile the handful of remaining independent media outlets. In at least fifty-three countries, users have faced legal repercussions for expressing themselves online, often leading to prison terms, according to a report from Freedom House. It’s a trend that leaves people on the frontlines defenseless, you know, of course, including journalists and activists alike.

And so, J.C., what have you seen globally? What are the key issues we must keep an eye on? And what—and what are some practical steps to mitigate some of these issues?

JUAN CARLOS LARA: Yeah. I think it’s difficult to think about the practical steps without first addressing what those issues are. And I think Boye was pointing out basically what has been a problem as perceived in many in the body politic, or many even activists throughout the world. But I think it’s important to also note that these broader issues about the threats to democracy, about the threats to human rights, [they] manifest sometimes differently. And that includes how they are seen in my region, in Latin America, where, for instance, the way in which you see censorship might differ from country to country.

While some have been able to pass laws, authoritarian laws that restrict speech and that restrict how expression is represented online and how it’s penalized, some other countries have resorted to the use of existing censorship tools. Like, for instance, some governments [are] using [Digital Millennium Copyright Act] notice and technical mechanisms to delete or to remove some content from the online sphere. So that also becomes a problematic issue.

So when we speak about, like, how do we go into, like, the practical ways to address this, we really need to identify… some low-level practices [that] connect with the higher-level standards that we aspire to for democracies; and how bigger commitments to the rule of law and to fair elections and to addressing and facing human rights threats goes to the lower level of what are actually doing in governments, what people are actually doing when they are presented with the possibility of exercising some power that can affect the human rights of the population in general. So to summarize a bit of that point, we still see a lot of censorship, surveillance, internet blockings, and also, increasingly, the use of emerging technologies as things that might be threatening to human rights.

And while some of those are not necessarily exclusive to the online sphere, they are certainly been evolving—they have been evolving [for] several years. So we really need to address how those are represented today.

KHUSHBU SHAH: Thank you. Alissa, as our industry expert I want to ask you the same question. And especially I want you to maybe touch upon what J.C. was saying about low-level practices that might be practical.

ALISSA STARZAK: You know, I think I actually want to step back and think about all of this, because I think—I think one of the challenges that we’ve seen, and we certainly heard this in Deputy Secretary Sherman’s remarks—is that technology brings opportunities and risks. And some of the challenges, I think, that we’ve touched on are part of the benefit that we saw initially. So the drawbacks that come from having broad access is that you can cut it off.

And I think that as we go forward, thinking about the Freedom Online Coalition and sort of how this all fits together, the idea is to have conversations about what it looks like long term, what are the drawbacks that come from those low-level areas, making sure that there is an opportunity for activists to bring up the things that are coming up, for industry, sort of folks in my world, to do the same. And making sure that there’s an opportunity for governments to hear it in something that actually looks collaborative.

And so I think that’s our big challenge. We have to find a way to make sure [that] those conversations are robust, that there is dialogue between all of us, and [that] we can both identify the risks that come from low-level practices like that and then also figure out how to mitigate them.

KHUSHBU SHAH: Thank you. And so, back to you—both of you. I’d like to hear from you both about, as part of civil society—we can start with you, Adegoke—what role as an organization, such as the Freedom Online Coalition, what kind of role can it play in all of these issues that we’re talking about as it expands and it grows in its own network?

ADEBOYE ADEGOKE: Yeah. So I think the work of the Freedom Online Coalition is very critical in such a time as this. So when you look at most international or global [platforms] where conversations around technology, its impact, are being discussed, human rights is rarely at the center of the issues. And I think that is where the advocacy comes in terms of highlighting and spotlighting, you know, the relevance of human rights of this issue. And as a matter of fact, not just relevance but the importance of human rights to this issue.

I think the work of the FOC is relevant even more to the Global South than probably it is to the Global North because in the Global South you—our engagement with technology, and I mean at the government level, is only from the—it’s likely from the perspective of… economics and… security. [Human rights] is, sadly, in an early part of the conversation. So, you know, with a platform like the FOC, it’s an opportunity to mainstream human rights into the technology, you know, conversation generally, and it’s a great thing that some of us from that part of the world are able to engage at this level and also bring those lessons back to our work, you know, domestically in terms of how we engage the policy process in our countries.

And that’s why it’s very important for the work of FOC to be expanded to—you know, to have real impact in terms of how it is deliberate—in terms of how it is—it is deliberate in influencing not just regional processes, but also national processes, because the end goal—and I think the beauty of all the beautiful work that is being done by the coalition—is to see how that reflects on what governments, in terms of how governments are engaging technology, in terms of how governments are consciously taking into cognizance the human rights implication of, you know, new emerging technologies and even existing technologies. So I think the FOC is very, very important stakeholder in technology conversation globally.

KHUSHBU SHAH: J.C., I want to ask you the same question, especially as Chile recently joined the FOC in recent years. And love to hear what you think.

JUAN CARLOS LARA: Yeah. I think it’s important to also note what Boye was saying in the larger context of when this has happened for the FOC. Since its creation, we have seen what has happened in terms of shutdowns, in terms of war, in terms of surveillance revelations. So it’s important to also connect what the likemindedness of certain governments and the high-level principles have to do with the practice of those same governments, as well as their policy positions both in foreign policy forums and internally, as the deputy secretary was mentioning.

I think it’s—that vital role that Boye was highlighting, it’s a key role but it’s a work in progress constantly. In which way? Throughout the process of the FOC meeting and producing documents and statements, that’s when the advisory network that Boye and myself are members of was created. Throughout that work, we’ve been able to see what happens inside the coalition and what—the discussions they’re having to some degree, because I understand that some of them might be behind closed doors, and what those—how the process of those statements comes to be.

So we have seen that very important role [in] how it’s produced and how it’s presented by the governments and their dignitaries. However, I still think that it’s a work in progress because we still need to be able to connect that with the practice of governments, including those that are members of the coalition, including my own government that recently joined, and how that is presented in internal policy. And at the same time, I think that key role still has a big room—a big role to play in terms of creating those principles; in terms of developing them into increasingly detailed points of action for the countries that are members of; but also then trying to influence other countries, those that are not members of the coalition, in order to create, like, better standards for human rights for all of internet users.

KHUSHBU SHAH: Any thoughts, Alissa?

ALISSA STARZAK: Yeah. You know, I think J.C. touched on something that is—that is probably relevant for everyone who’s ever worked in government which is the reality that governments are complicated and there isn’t one voice, often, and there frequently what you see is that the people who are focused on one issue may not have the same position as people who are working on it from a different angle. And I think the interesting thing for me about the FOC is not that you have to change that as a fundamental reality, but that it’s an opportunity for people to talk about a particular issue with a focus on human rights and take that position back. So everybody sitting in this room who has an understanding of what human rights online might look like, to be able to say, hey, this is relevant to my government in these ways if you’re a government actor, or for civil society to be able to present a position, that is really meaningful because it means that there’s a voice into each of your governments. It doesn’t mean that you’re going to come out with a definitive position that’s always going to work for everyone or that it’s going to solve all the problems, but it’s a forum. And it’s a forum that’s focused on human rights, and it’s focused on the intersection of those two, which really matters.

So, from an FOC perspective, I think it’s an opportunity. It’s not going to ever be the be all and end all. I think we all probably recognize that. But you need—I think we need a forum like this that really does focus on human rights.

KHUSHBU SHAH: An excellent point and brings me to my next question for you three. Let’s talk specifics, speaking of human rights: internet shutdowns. So we’ve mentioned Russia. Iran comes to mind as well during recent months, during protests, and recently, very recently, the Indian government cut tens of millions of people off in the state of Punjab as they search for a Sikh separatist.

So what else can this look like, J.C.? Those are some really sort of very basic, very obvious examples of internet shutdowns. And how can the FOC and its network of partners support keeping people online?

JUAN CARLOS LARA: Yes, thank you for that question because specifically for Latin America, the way in which shutdowns may present themselves is not necessarily a huge cutting off of the internet for many people. It sometimes presents in other ways, like, for instance, we have seen the case of one country in South America in which their telecommunication networks has been basically abandoned, and therefore, all of the possibilities of using the internet are lost not because the government has decided to cut the cable, but rather because it’s let it rot, or because it presents in the form of partially and locally focused cutting off services for certain platforms.

I think the idea of internet shutdowns has provided awareness about the problems that come with losing access to the internet, but that also can be taken by governments to be able to say they have not shut access to the internet; it’s just that there’s either too much demand in a certain area or that a certain service has failed to continue working, or that it’s simply failures by telecommunication companies, or that a certain platform has not complied with its legal or judicial obligations and therefore it needs to be taken off the internet. So it’s important that when we speak about shutdowns we consider the broader picture and not just the idea of cutting off all of the internet.

KHUSHBU SHAH: Adeboye, I’d like to hear what your thoughts are on this in the context of Nigeria.

ADEBOYE ADEGOKE: Yeah. It’s really very interesting. And to the point, you know, he was making about, you know, in terms of when we talk about shutdown, I think the work around [understanding shutdowns] has been great and it’s really helped the world to understand what is happening globally. But just as he said, I think there are also some other forms of exclusion that [happen] because of government actions and inactions that probably wouldn’t fall on that thematic topic of shutdown, but it, in a way, is some sort of exclusionary, you know, policy.

So an example is in some remote areas in Nigeria, for example, for most of the technology companies who are laying cables, providing internet services, it doesn’t make a lot of business sense for them to be, you know, present in those locations. And to make the matter worse for them, the authorities, the local governments, those are imposing huge taxes on those companies to be able to lay their fiber cables into those communities, which means that for the businesses, for the companies it doesn’t make any economic sense to invest in such locations. And so, by extension, those [kinds] of people are shut down from the internet; they are not able to assess communication network and all of that.

But I also think it’s very important to highlight the fact that—I mean, I come from the continent where internet is shut down for the silliest reason that you can imagine. I mean, there have been [shutdowns] because [the] government was trying to prevent students cheating in exams, you know? Shutdowns are common during elections, you know? [Shutdowns] happen because [the] government was trying to prevent gossip. So it’s the silliest of reasons why there have been internet [shutdowns] in the area, you know, in the part of the world that I am from.

But what I think—in the context of the work that the FOC does, I think something that comes to mind is how we are working to prevent future [shutdowns]. I spoke about the election that just ended in Nigeria. One of the things that we did was to, shortly before the election, organize, like, a stakeholder meeting of government representative, of fact checkers, of, you know, the platforms, the digital companies, civil society [organizations], and electoral [observers]… to say that, OK, election is—if you are from Africa, any time election is coming you are expecting a shutdown. So it’s to have a conversation and say: Election is coming. There is going to be a lot of misinformation. There’s going to be heightened risk online. But what do we need to do to ensure that we don’t have to shut down the internet?

So, for Nigeria, we were able to have that conversation a few weeks before the election, and luckily the [internet was] not shut down. So I mean, I would describe that as a win. But just to emphasize that it is helpful when you engage in a platform like the FOC to understand the dimensions that [shutdowns] take across the world. It kind of helps you to prepare for—especially if you were in the kind of tradition that we were to prepare for potential shutdown. And also I think it’s also good to spotlight the work that Access Now has done with respect to spotlighting the issue of shutdown because it helps to get their perspective.

So, for example, I’m from Nigeria. We have never really experienced widespread shutdown in Nigeria, but because we are seeing it happen in our sister—in our neighboring countries—we are kind of conscious of that and were able to engage ahead of elections to see, oh, during election in Uganda, [the] internet was shut down. In Ethiopia, [the] internet was shut down. So it’s likely [the] internet will be shut down in Nigeria. And then to say to the authority: No, you know what? We don’t have to shut down the internet. This is what we can do. This is the mechanism on [the] ground to identify risk online and address those risks. And also, holding technology platform accountable to make sure that they put mechanism in place, to make sure they communicate those mechanisms clearly during elections.

So it’s interesting how much work needs to go into that, but I think it’s… important work. And I think for the FOC, it’s also—it’s also very important to continue to communicate the work that the FOC is doing in that regard so that more and more people become aware of it, and sort of more people are prepared, you know, to mitigate it, especially where you feel is the highest risk of shutdown.

KHUSHBU SHAH: Thank you. I’m going to jump across to the other side of that spectrum, to surveillance tech, to the—to the almost literally—the opposite, and I wanted to start with the news that Deputy Secretary Sherman mentioned, with the news that the Biden administration announced just this afternoon, a new executive order that would broadly ban US federal agencies from using commercially developed spyware that poses threats to human rights and national security.

The deputy secretary also mentioned, Alissa, some guiding principles that they were going to announce later this week with the FOC. What are some—what are some things—what are some principles or what are some ambitions that you would hope to see later this week?

ALISSA STARZAK: So I think there’s a lot coming is my guess. Certainly the surveillance tech piece is an important component, but I think there are lots of broad guidelines.

I actually want to go back to shutdowns for a second, if you don’t mind…. Because I think it’s a really interesting example of how the FOC can work well together and how you take all of the different pieces—even at this table—of what—how you sort of help work on an internet problem or challenge, right? So you have a world where you have activists on the ground who see particular challenges who would then work with their local government. You have industry partners like Cloudflare who can actually show what’s happening. So are there—is there a shutdown? Is there a network disruption? So you can take the industry component of it, and that provides some information for governments, and then governments can work together to sort of pressure other governments to say these aren’t acceptable. These are—these norms—you can’t—no, you can’t shut down because you are worried about gossip, and cheating, and an exam, right? There’s a set of broad international norms that become relevant in that space, and I think you take that as your example. So you have the players—you have the government to government, you have the civil society to government, you have the industry which provides information to government and civil society. And those are the pieces that can get you to a slightly better place.

And so when I look at the norms coming out later this week, what I’m going to be looking for are that same kind of triangulation of using all of the players in the space to come to a better—to come to a better outcome. So whether that’s surveillance tech, sort of understanding from civil society how it has been used, how you can understand it from other tech companies, how you can sort of mitigate against those abuses, working with governments to sort of address their own use of it to make sure that that doesn’t become a forum—all of those pieces are what you want from that model. And I think—so that’s what I’m looking for in the principles that come out. If they have that triangulation, I’m going to be—I’m going to be very happy.

KHUSHBU SHAH: What would you both be looking for, as well? J.C., I’ll start with you.

JUAN CARLOS LARA: Yeah, as part of the [FOC advisory network], of course, there might be some idea of what’s coming in when we speak about principles for governments for the use of surveillance capabilities.

However, there are two things that I think are very important to consider for this type of issue: first of all is that which principles and which rules are adopted by the states. I mean, it’s a very good—it’s very good news that we have this executive order as a first step towards thinking how states refrain from using surveillance technology disproportionately or indiscriminately. That’s a good sign in general. That’s a very good first step. But secondly, within this same idea, we would expect other countries to follow suit and hopefully to expand the idea of bans on spyware or bans on surveillance technology that by itself may pose grave risks to human rights, and not just in the case of this, or that, or the fact that it’s commercial spyware, which is a very important threat including for countries in Latin America who are regular customers for certain spyware producers and vendors.

But separately from that, I think it’s very important to also understand how this ties into the purposes of the Freedom Online Coalition and its principles, and how to have further principles that hopefully pick up on the learnings that we have had for several years of discussion on the deployment of surveillance technologies, especially by academia and civil society. If those are picked up by the governments themselves as principle, we expect that to exist in practice.

One of the key parts of the discussion on commercial spyware is that I can easily think of a couple of Latin American countries that are regular customers. And one of them is an FOC member. That’s very problematic, when we speak about whether they are abiding by these principles and by human rights obligations or not, and therefore whether these principles will generate any kinds of restraint in the use and the procurement of such surveillance tools.

KHUSHBU SHAH: So I want to follow up on that. Do you think that there—what are the dangers and gaps of having this conversation without proposing privacy legislation? I want to ask both of our—

JUAN CARLOS LARA: Oh, very briefly. Of course, enforcement and the fact that rules may not have the institutional framework to operate I think is a key challenge. That is also tied to capacities, like having people with enough knowledge and have enough, of course, exchange of information between governments. And resources. I think it’s very important that governments are also able to enact the laws that they put in the books, that they are able to enforce them, but also to train every operator, every official that might be in contact with any of these issues. So that kind of principle may not just be adopted as a common practice, but also in the enforcement of the law, so get into the books. Among other things, I think capacities and resources are, like—and collaboration—are key for those things.

KHUSHBU SHAH: Alissa, as our industry expert, I’d like to ask you that same question.

ALISSA STARZAK: You know, I think one of the interesting things about the commercial spyware example is that there is a—there is a government aspect on sort of restricting other people from doing certain things, and then there is one that is a restriction on themselves. And so I think that’s what the executive order is trying to tackle. And I think that the restricting others piece, and sort of building agreement between governments that this is the appropriate thing to do, is—it’s clearly with the objective here, right?

So, no, it’s not that every government does this. I think that there’s a reality of surveillance foreign or domestic, depending on what it looks like. But thinking about building rulesets of when it’s not OK, because I think there is—there can be agreement if we work together on what that ruleset looks like. So we—again, this is the—we have to sort of strive for a better set of rules across the board on when we use certain technologies. And I think—clearly, I think what we’ve heard, the executive order, it’s the first step in that process. Let’s build something bigger than ourselves. Let’s build something that we can work across governments for. And I think that’s a really important first step.

ADEBOYE ADEGOKE: OK. Yeah, so—yeah, so, I think, yeah, the executive order, it’s a good thing. Because I was, you know, thinking to myself, you know, looking back to many years ago when in my—in our work when we started to engage our government regarding the issue of surveillance and, you know, human rights implications and all of that, I recall very vividly a minister at the time—a government minister at the time saying that even the US government is doing it. Why are you telling us not to do it? So I think it’s very important.

Leadership is very key. The founding members of the FOC, if you look FOC, the principles and all of that, those tests are beautiful. Those tests are great. But then there has to be a demonstration of—you know, of application of those tests even by the governments leading, you know, the FOC so that it makes the work of people like us easier, to say these are the best examples around and you don’t get the kind of feedback you get many years ago; like, oh, even the US government is doing it. So I think the executive order is a very good place to start from, to say, OK, so this is what the US government is doing right now and this is how it wants to define their engagement with spyware.

But, of course, like, you know, he said, it has to be, you know, expanded beyond just, you know, concerns around spyware. It has to be expanded to different ways in which advanced technology [is] applied in government. I come from a country that has had to deal with the issues of, you know, terrorism very significantly in the past ten years, thereabout, and so every justification you need for surveillance tech is just on the table. So whenever you want to have the human rights conversation, somebody’s telling you that, you want terrorists to kill all of us? You know? So it’s very important to have some sort of guiding principle.

Yeah, we understand [the] importance of surveillance to security challenges. We understand how it can be deployed for good uses. But we also understand that there are risks to human-rights defenders, to journalists, you know, to people who hold [governments] accountable. And those have to be factored into how these technologies are deployed.

And in terms of, you know, peculiar issues that we have to face, basically you are dealing with issues around oversight. You are dealing with issues around transparency. You are dealing with issues around [a] lack of privacy frameworks, et cetera. So you see African governments, you know, acquiring similar technologies, trying, you know, in the—I don’t want to say in the guise, because there are actually real problems where those technologies might be justified. But then, because of the lack of these principles, these issues around transparency, oversight, legal oversight, human-rights considerations, it then becomes problematic, because this too then become—it’s true that it is used against human-rights defenders. It’s true that it is used against opposition political parties. It’s true that it is used against activists and dissidents in the society.

So it’s very important to say that we look at the principle that has been developed by the FOC, but we want to see FOC government demonstrate leadership in terms of how they apply those principles to the reality. It makes our work easier if that happens, to use that as an example, you know, to engage our government in terms of how this is—how it is done. And I think these examples help a lot. It makes the work very easy—I mean, much easier; not very easy.

KHUSHBU SHAH: Well, you mentioned a good example; so the US. So you reminded me of the biometric data that countries share in Central and North America as they monitor refugees, asylum seekers, migrants. Even the US partakes. And so, you know, what can democracies do to address the issue when they’re sometimes the ones leveraging these same tools? Obviously, it’s not the same as commercial spyware, but—so what are the boundaries of surveillance and appropriate behavior of governments?

J.C., can I throw that question to you?

JUAN CARLOS LARA: Happy to. And we saw a statement by several civil-society organizations on the use of biometric data with [regard] to migrants. And I think it’s very important that we address that as a problem.

I really appreciated that Boye mentioned, like, countries leading by example, because that’s something that we are often expecting from countries that commit themselves to high-level principles and that sign on to human-rights instruments, that sign declarations by the Human Rights Council and the General Assembly of the [United Nations] or some regional forums, including to the point of signing on to FOC principles.

I think that it’s very problematic that things like biometric data are being used—are being collected from people that are in situations of vulnerability, as is the case of very—many migrants and many people that are fleeing from situations of extreme poverty and violence. And I think it’s very problematic also that also leads to [the] exchange of information between governments without proper legal safeguards that prevent that data from falling into the hands of the wrong people, or even that prevent that data from being collected from people that are not consenting to it or without legal authorization.

I think it’s very problematic that countries are allowing themselves to do that under the idea that this is an emergency situation without proper care for the human rights of the people who are suffering from that emergency and that situations of migrations are being treated like something that must be stopped or contained or controlled in some way, rather than addressing the underlying issues or rather than also trying to promote forms of addressing the problems that come with it without violating human rights or without infringing upon their own commitments to human dignity and to human privacy and to the freedom of movement of people.

I think it’s—that it’s part of observing legal frameworks and refraining from collecting data that they are not allowed to, but also to obeying their own human-rights commitments. And that often leads to refraining from taking certain action. And in that regard, I think the discussions that there might be on any kind of emergency still needs to take a few steps back and see what countries are supposed to do and what obligations they are supposed to abide [by] because of their previous commitments.

KHUSHBU SHAH: So thinking about what you’ve just said—and I’m going to take a step back. Alissa, I’m going to ask you kind of a difficult question. We’ve been talking about specific examples of human rights and what it means to have online rights in the digital world. So what does it mean in 2023? As we’re talking about all of this, all these issues around the world, what does it mean to have freedom online and rights in the digital world?

ALISSA STARZAK: Oh, easy question. It’s really easy. Don’t worry; we’ve got that. Freedom Online’s got it; you’ve just got to come to their meetings.

No, I think—I think it’s a really hard question, right? I think that we have—you know, we’ve built something that is big. We’ve built something where we have sort of expectations about access to information, about the free flow of information across borders. And I think that, you know, what we’re looking at now is finding ways to maintain it in a world where we see the problems that sometimes come with it.

So when I look at the—at the what does it mean to have rights online, we want to—we want to have that thing that we aspire to, I think that Deputy Secretary Sherman mentioned, the sort of idea that the internet builds prosperity, that the access to the free flow of information is a good thing that’s good for the economy and good for the people. But then we have to figure out how we build the set of controls that go along with it that are—that protect people, and I think that’s where the rule of law does come into play.

So thinking about how we build standards that are respect—that respect human rights in the—when we’re collecting all of the information of what’s happening online, right, like, maybe we shouldn’t be collecting all of that information. Maybe we should be thinking of other ways of addressing the concerns. Maybe we should be building [a] framework that countries can use that are not us, right, or that people at least don’t point to the things that a country does and say, well, if they can do this, I can do this, right, using it for very different purposes.

And I think—I think that’s the kind of thing that we’re moving—we want to move towards, but that doesn’t really answer the underlying question is the problem, right? So what are the rights online? We want as many rights as possible online while protecting security and safety, which is, you know, also—they’re also individual rights. And it’s always a balance.

KHUSHBU SHAH: It seems like what you’re touching on—J.C., would you like to—

JUAN CARLOS LARA: No. Believe me.

KHUSHBU SHAH: Well, it seems like what you’re talking about—and we’re touching—we’ve, like, talked around this—is, like, there’s a—there’s a sense of impunity, right, when you’re on—like in the virtual world, and that has led to what we’ve talked about for the last forty minutes, right, misinformation/disinformation. And if you think about what we’ve all been talking about for the last few weeks, which is AI—and I know there have been some moments of levity. I was thinking about—I was telling Alissa about how there was an image of the pope wearing a white puffer jacket that’s been being shown around the internets, and I think someone pointed out that it was fake, that it was AI-generated. And so that’s one example. Maybe it’s kind of a fun example, but it’s also a little bit alarming.

And I think about the conversation we’re having, and what I really want to ask all of you is, so, how might these tools—like the AI, the issue of AI—further help or hurt [human rights] activists and democracies as we’re going into uncharted territories, as we’re seeing sort of the impact of it in real time as this conversation around it evolves and how it’s utilized by journalists, by activists, by politicians, by academics? And what should the FOC do—I know I’m asking you again—what can the FOC do? What should we aim for to set the online world on the right path for this uncharted territory? I don’t know who wants to start and attempt.

ADEBOYE ADEGOKE: OK, I’ll start. Yeah.

So I think it’s great that, you know, the FOC has, you know, different task [forces] working on different thematic issues, and I know there is a task force on the issue of artificial intelligence and human rights. So I think for me that’s a starting point, you know, providing core leadership on how emerging technology generally impacts… human rights. I think that’s the starting point in terms of what we need to do because, like the deputy secretary said, you know, technology’s moving at such a pace that we can barely catch up on it. So we cannot—we cannot afford to wait one minute, one second before we start to work on this issue and begin to, you know, investigate the human rights implications of all of those issues. So it’s great that the FOC’s doing that work.

I would just say that it’s very important for—and I think this [speaks] generally to the capacities of the FOC. I think the FOC needs to be further capacitated so that this work can be made to bear in real-life issues, in regional, in national engagement so that some of the hard work that has been put into those processes can really reflect in real, you know, national and regional processes.

ALISSA STARZAK: Yeah. So I definitely agree with that.

I think—I think on all of these issues I think we have a reality of trying to figure out what governments do and then what private companies do, or what sort of happens in industry, and sometimes those are in two different lanes. But in some ways figuring out what governments are allowed to do, so thinking about the sort of negative potential uses of AI may be a good start for thinking about what shouldn’t happen generally. Because if you can set a set of norms, if you can start with a set of norms about what acceptable behavior looks like and where you’re trying to go to, you’re at least moving in the direction of the world that you think you want together, right?

So understanding that you shouldn’t be generating it for the purpose of misinformation or, you know, that—for a variety of other things, at least gets you started. It’s a long—it’s going to be a long road, a long, complicated road. But I think there’s some things that can be done there in the FOC context.

JUAN CARLOS LARA: Yes. And I have to agree with both of you. Specifically, because the idea that we have a Freedom Online Coalition to set standards, or to set principles, and a taskforce that can devote some resources, some time, and discussion to that, can also identify where this is actually the part of the promise and which is the part of the peril. And how governments are going to react in a way that promotes prosperity, that promotes interactivity, and promotes commerce—exercise of human rights, the rights of individuals and groups—and which sides of it become problematic from the side of the use of AI tools, for instance, for detecting certain speech for censorship or for identifying people in the public sphere, because they’re working out on the streets, or to collect and process people without consent.

I think because that type of expertise and that type of high political debate can be held at the FOC, that can promote the type of norms that we need in order to understand, like, what’s the role of governments in order to steer this somewhere. Or whether they should refrain from doing certain actions that might—with the good intention of preventing the spread of AI-generated misinformation or disinformation—that may end up stopping these important tools to be used creatively or to be used in constructive ways, or in ways that can allow more people to be active participants of the digital economy.

KHUSHBU SHAH: Thank you. Well, I want to thank all three of you for this robust conversation around the FOC and the work that it’s engaging in. I want to thank Deputy Secretary Sherman and our host here at the Atlantic Council for this excellent conversation. And so if you’re interested in learning more about the FOC, there’s a great primer on it on the DFRLab website. I recommend you check it out. I read it. It’s excellent. It’s at the bottom of the DFRLab’s registration page for this event.

Watch the full event

The post Wendy Sherman on the United States’ priorities as it takes the helm of the Freedom Online Coalition appeared first on Atlantic Council.

Modernizing critical infrastructure protection policy: Seven perspectives on rewriting PPD21

Will Loomis — Wed, 22 Mar 2023 12:30:00 +0000

In February of 2013, then President Obama signed a landmark executive order—Presidential Policy Directive 21 (PPD 21)—that defined how US Departments and Agencies would pursue a unity of government effort to strengthen and maintain US critical infrastructure. Almost a decade later, evolutions in both the threat landscape and the interagency community invite the US government to revise this critical policy.

As the current administration looks to modernize this essential piece of legislation, particular emphasis must be placed on two key steps. First, to deconflict and clarify the specific roles and responsibilities within the ever-growing interagency—particularly, the SRMA-CISA relationship. Second, to help policymakers better understand and work to implement a risk-based approach to critical infrastructure protection—if everything is critical, what gets prioritized?

To dive deeper on this topic, we asked seven experts to offer their perspectives on critical infrastructure and how we can rebalance the interagency to better secure that infrastructure:

If the US government were to change the way it categorizes or prioritizes critical infrastructure, what’s a better alternative to the current approach?

“Over time, the phrase “critical infrastructure” has become overused. This overuse has led to varying definitions of the phrase, and the analyses conducted to better categorize the concept have led to inconsistent focus and findings across the sectors. The baseline definition— assets, systems, and networks, whether physical or virtual, [that] are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof – does not lend clarity because there is a definitional tension between infrastructure that is critical for sustaining and supporting Americans’ daily lives and the economy, and infrastructure that might be dangerous (ex. Chemical or nuclear facilities), but not necessarily critical.

The only way to resolve what should consistently be used as the underlying definition for “critical infrastructure” is clarify the goals or desired end state for these national risk management efforts. For instance, there are stated end goals to support continuity of government objectives, but it is not clear that there are a similar set of national resiliency goals to support the nation’s critical infrastructure. Recent CSAC recommendations (September 2022) made this point directly: “Clear national-level goals in the areas of national security, economic continuity, and health and human safety would help organize public and private critical infrastructure stakeholders in the analysis of what it would take to accomplish those objectives.” Whatever end goal is articulated, it must be sustained consistently for a long time (10 years or more). This will create the continuity necessary to marshal the resources of both industry and government to carry out these goals.

Government does not need to begin from nothing to carry out this work. The sector structure is in place, and the National Critical Functions are understood. Whatever end goal is articulated, mobilizing the initial analysis by using the current sector structure and what we already know about the critical functions in the following sequential approach:

Foundational/lifeline sector analysis: Energy, communications, transportation, and water & wastewater. All are dependent on these critical functions, and existing analysis has shown that disruption impacts are felt at once; all are precursors to community restoration post-disaster.
Middle level infrastructure: Chemical, financial Services, food and agriculture, healthcare/public health, and information technology (IT). The critical functions performed in these sectors are reliant on foundational infrastructure, are complex systems-of-systems, and are necessary for continuity of the economy/society.
Higher-level infrastructure (end users, producers of goods and services): Commercial & government facilities, critical manufacturing, defense industrial base (DIB), and emergency services. In some ways, these sectors are consumers of infrastructure and not really providers of it. This is not to suggest that the services provided by these sectors are NOT critical, but that they rely upon infrastructure provided by others.

With clearly articulated, long-term national goals, leveraging structures and analysis completed to date, the means to identify, categorize and prioritize which infrastructure is “critical” will be a logical outcome of the analysis.”

Kathryn Condello, Senior Director, National Security/Emergency Preparedness, Lumen Technologies

In theory, what is a Sector Risk Management Agency (SRMA)? In practice, how should a SRMA’s role change depending on what kind of organization plays that role?

“In theory, a SRMA should be the day-to-day, substantively deep operational partner within USG for private sector critical infrastructure partners. These SRMAs should be the entity that is in the trenches with critical infrastructure operators—working to better understand the threat environment, lift up and support those who lack sufficient resources or capabilities, and guide our partners to acceptable and more sustainable levels of risk management and resilience.

In practice, an organization’s resources and capabilities—and the role that they are able to play—varies a lot depending on the type of organization in this role. I’ll provide two examples here. First, some SRMAs—like the Coast Guard—have regulatory capabilities to help apply pressure to owner/operators in their sector to raise their baselines for security. Others, like the Department of Energy (DoE), need to rely on other agencies to do so or use other, more incentive-based programs to achieve these objectives. Second, SRMAs may bring a different balance of resources and substantive sector knowledge to the table. As an example, CISA—which serves as the SRMA for several sectors—may bring far more resources and manpower to the table than another single agency but may lack the deep sector knowledge and partnerships of an organization like DoE.”

Will Loomis, Associate Director, Digital Forensics Research Lab, Cyber Statecraft Initiative, Atlantic Council

Where are some of the biggest existing fault lines in the relationship between CISA and the SRMAs? How might any future revision to PPD-21 better address these?

“Current PPD-21 guidance is based on the model of the 16 critical infrastructure sectors where roles and responsibilities fall under the designated leads for each sector. This model works well when it comes to directing congressional funding to a particular agency or knowing which agency leads the response to an incident in a specific sector.

In reality, significant challenges to the security and safety of the nation’s critical infrastructure are typically complex, multi-faceted events that are rarely limited to just one sector. This holds true for both a single, catastrophic incident and the simple, daily work necessary to mitigate risks. Actions in both situations depend on and have impacts well outside a single sector.

PPD-21 guidance is purposely not prescriptive, which leaves certain elements open to interpretation when it comes to the SRMA’s primacy compared to CISA. Additionally, current guidance does not account for an agency’s capability to fulfill its SRMA responsibilities. The expertise and capabilities of some SRMAs are generally agreed to be more mature than others. I experienced firsthand the friction between different views and capabilities created during my time at CISA as part of the COVID Task Force. Disagreements on roles and responsibilities during the response to ransomware at a hospital or regarding the security of information systems in portions of the vaccine supply chain induced unnecessary challenges during an already difficult national pandemic.

I am not advocating for more detail on roles and responsibilities, since no amount of guidance could cover every situation and account for the differences in each agency’s expertise and capabilities. I do think a different approach where PPD-21 guidance has an increased focus towards national functions and an emphasis on greater collaboration and integration would better serve the ability of federal agencies to fulfill their missions.”

Steve Luczynski, Senior Manager – Critical Infrastructure Security, Accenture Federal Services

What responsibilities should SRMAs be investing in to be better operational partners for the private sector?

“SRMAs should look to prioritize those assets most significant to national security, begin processes to analyze risk, and ultimately buy down that risk utilizing experts within those sectors and cross training them in cyber. It’s time we refocus on nationally critical assets vs. trying to be everything to every asset, almost like a helpdesk approach to critical infrastructure protection. This includes clearly defining roles for state and local entities, as well setting objectives for performance. Finally, the government should cross train the private sector in a common language for coordination, like Incident Command System to work together better on a day-to-day basis, as well as during response and recovery from cyber events.”

Megan Samford, Non-Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council; VP & Chief Product Security Officer – Energy Management, Schneider Electric

How should any future revision of PPD-21 think holistically about SRMA capabilities?

“In a perfect world there would be a dedicated cybersecurity SME at the federal level for each critical infrastructure sector, either within each SRMA or at CISA as a main technical liaison. In lieu of this reality, with the ‘near-future’ capabilities, SRMAs’ cybersecurity maturity and mandates should capture the entire supply chain—security management of suppliers, enterprise content management, development environment, products and services, upstream supply chain, operational technology (OT), and downstream supply chain—aligned to the CISA Cybersecurity Performance Goals as a baseline. As the SRMAs designate required tools and capabilities at the asset owner level, they should continue vendor-neutral evaluations of designated and required tools and capabilities. These agencies should represent the boots on the ground approach to the reframing sections above. SRMAs also need to identify the level of cybersecurity and risk management that asset owners can afford to own vs. what government can reasonably subsidize and augment. I don’t believe this can be effectively done without addressing the point above. Lastly, SRMAs should reevaluate the definition and efficacy of information sharing capabilities within each sector, as information sharing ≠ situational awareness ≠ incident prevention.

Regardless of commonalities, no two attacks on OT/industrial control systems (ICS) are ever the exact same, making automated response and remediation difficult. Unfortunately, this reality means that every operation and facility must wait to see another organization victimized before there can be shared signatures, detections, and fully-baked intelligence for threat hunting to ensue. In terms of the threat landscape, there is no way to standardize and correlate threat and vulnerability research produced from competitive market leaders. Information sharing lacks trust and verification, has been siloed into sector-specific, private sector, or government agency-specific mechanisms—creating single sources of information without much consensus. This is a major roadblock for efficacy across SRMAs and their situational awareness/strategic planning.”

Danielle Jablanski, Non-Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council; OT Cybersecurity Strategist, Nozomi Networks

How can the US government address risks associated with cross-sector interdependencies in the naturally siloed SRMA model?

“When addressing cyber risks to critical infrastructure, the US government—and industry—need to reframe thinking around jurisdiction and impact. The SRMA model hinges on federal agencies, which creates a governance gap and cognitive blind spot for interdependence. In the same way that the National Security Council drives the interagency process, the US government needs a coordinating body to prioritize and manage the competing and corollary agencies. Whether that is CISA or ONCD, one office must take the strategic, systemic view of critical infrastructure.”

Munish Walter-Puri, Senior Director of Critical Infrastructure, Exiger

In any future policy, how could the US government preserve the ability to regularly adjust the boundaries of critical infrastructure classifications or sectors?

“Presidential Policy Directive 21 identified 16 critical infrastructure sectors and their associated sector-specific agencies (now called SRMAs) and called upon the Secretary of Homeland Security to “periodically evaluate the need for and approve changes to critical infrastructure sectors” and to “consult with the Assistant to the President for Homeland Security and Counterterrorism before changing a critical infrastructure sector or a designated [SRMA] for that sector.” Since the issuance of PPD-21, changes to the Homeland Security Act have required a reassessment of the current sector structure and SRMA designations at least every five years. The National Defense Authorization Act for Fiscal Year 2021 required the Secretary of Homeland Security to evaluate the sectors and SRMA designations and provide recommendations for revisions to the President. In fulfillment of this mandate, the Department of Homeland Security delivered a report to Congress and the President, assessing that the absence of a statutory basis for the definition of a “sector” has “created a challenge in clarifying and building criteria for clarifying and rationalizing the sector structure.” The report cites the National Infrastructure Protection Plan as the origin of the current operating definition of a “sector”: “[A] logical collection of assets, systems, or networks that provide a common function to the economy, government, or society.”

In evaluating critical infrastructure sector classifications or structure, the federal government should minimize the overall number of sectors to allow for productive engagement to accomplish specific efforts. Focusing on creating structures to enable cross-sector engagement scoped around specific risk management concerns prioritizes the work to be performed with flexibility and who needs to be there to support it. The current statutory requirement to regularly evaluate sector classifications would be sufficient provided the federal government creates a mechanism to convene critical infrastructure owners and operators independent of sector designations. In its September 2022 recommendations to the Director of the Cybersecurity and Infrastructure Security Agency (CISA), the Cybersecurity Advisory Committee Subcommittee on Systemic Risk recommended that CISA “[scope] its national resilience efforts around focus areas like national security, health and human safety, and economic prosperity” with the goal of enabling CISA “to use resources and personnel more efficiently to prioritize the appropriate [National Critical Functions]–and [systemically important entities]–and orient national resilience programming within each scope.” Within each of these focus areas, CISA, in its role as the national coordinator of sector risk management agencies, should periodically assess the challenges facing critical infrastructure owners and operators and identify workstreams to organize relevant entities that measurably contribute to the risk management effort. For example, under the broad focus area of national security, CISA might organize a cross-sector effort to address small unmanned aerial system surveillance of critical infrastructure sites, an issue for which the White House has organized a task force. These assessments should align with the cadence that the Homeland Security Act requires for reassessments of the sector/SRMA designations or in conjunction with the five-year term granted to the CISA Director. The federal government should also ensure that there is a mechanism for leadership of both the Sector Coordinating Councils and Government Coordinating Councils that provides decision-making authority for workstreams as the risk landscape evolves and new challenges arise.”

Jeffrey Baumgartner, Vice President, National Security and Resilience, Berkshire Hathaway Energy

The post Modernizing critical infrastructure protection policy: Seven perspectives on rewriting PPD21 appeared first on Atlantic Council.

The 5×5—Conflict in Ukraine’s information environment

Simon Handler — Wed, 22 Mar 2023 04:01:00 +0000

Just over one year ago, on February 24, 2022, Russia launched a full-scale invasion of neighboring Ukraine. The ensuing conflict, Europe’s largest since World War II, has not only besieged Ukraine physically, but also through the information environment. Through kinetic, cyber, and influence operations, Russia has placed Ukraine’s digital and physical information infrastructure—including its cell towers, networks, data, and the ideas that traverse them—in its crosshairs as it seeks to cripple Ukraine’s defenses and bring its population under Russian control.

Given the privately owned underpinnings of the cyber and information domains by technology companies, a range of local and global companies have played a significant role in defending the information environment in Ukraine. From Ukrainian telecommunications operators to global cloud and satellite internet providers, the private sector has been woven into Ukrainian defense and resilience. For example, Google’s Threat Analysis Group reported having disrupted over 1,950 instances in 2022 of Russian information operations aimed at degrading support for Ukraine, undermining its government, and building support for the war within Russia. The present conflict in Ukraine offers lessons for states as well as private companies on why public-private cooperation is essential to building resilience in this space, and how these entities can work together more effectively.

We brought together a group of experts to provide insights on the war being waged through the Ukrainian information environment and take away lessons for the United States and its allies for the future.

#1 How has conflict in the information environment associated with the war in Ukraine compared to your prior expectations?

Nika Aleksejeva, resident fellow, Baltics, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“As the war in Ukraine started, everyone was expecting to see Russia conducting offensive information influence operations targeting Europe. Yes, we have identified and researched Russia’s coordinated information influence campaigns on Meta’s platforms and Telegram. These campaigns targeted primarily European countries, and their execution was unprofessional, sloppy, and without much engagement on respective platforms.”

Silas Cutler, senior director for cyber threat research, Institute for Security and Technology (IST):

“A remarkable aspect of this conflict has been how Ukraine has maintained communication with the rest of the world. In the days leading up to the conflict, there was a significant concern that Russia would disrupt Ukraine’s ability to report on events as they unfolded. Instead of losing communication, Ukraine has thrived while continuously highlighting through social media its ingenuity within the conflict space. Both the mobilization of its technical workforce through the volunteer IT_Army and its ability to leverage consumer technology, such as drones, have shown the incredible resilience and creativity of the Ukrainian people.”

Roman Osadchuk, research associate, Eurasia, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“The information environment was chaotic and tense even before the invasion, as Russia waged a hybrid war since at least the annexation of Crimea and war in Eastern Ukraine in 2014. Therefore, the after-invasion dynamic did not bring significant surprises, but intensified tension and resistance from Ukrainian civil society and government toward Russia’s attempts to explain its unprovoked invasion and muddle the water around its war crimes. The only things that exceeded expectations were the abuse of fact-checking toolbox WarOnFakes and the intensified globalization of the Kremlin’s attempts to tailor messages about the war to their favor globally.”

Emma Schroeder, associate director, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“The information environment has been a central space and pathway throughout which this war is being fought. Russian forces are reaching through that space to attack and spread misinformation, as well as attacking the physical infrastructure underpinning this environment. The behavior, while novel in its scale, is the continuation of Russian strategy in Crimea, and is very much living up to expectations set in that context. What has surpassed expectations is the effectiveness of Ukrainian defenses, in coordination with allies and private sector partners. The degree to which the international community has sprung forward to provide aid and assistance is incredible, especially in the information environment where such global involvement can be so immediate and transformative.”

Gavin Wilde, senior fellow, Technology and International Affairs Program, Carnegie Endowment for International Peace:

“The volume and intensity of cyber and information operations has roughly been in line with my prior expectations, though the degree of private and commercial activity was something that I might not have predicted a year ago. From self-selecting out of the Russian market to swarming to defend Ukrainian networks and infrastructure, the outpouring of support from Western technology and cybersecurity firms was not on my bingo card. Sustaining it and modeling for similar crises are now key.”

#2 What risks do private companies assume in offering support or partnership to states engaged in active conflict?

Aleksejeva: “Fewer and fewer businesses are betting on Russia’s successful economical future. Additionally, supporting Russia in this conflict in any way is morally unacceptable for most Western companies. Chinese and Iranian companies are different. As for Ukraine, supporting it is morally encouraged, but is limited by many practicalities, such as supply chain disruptions amid Russia’s attacks.”

Cutler: “By providing support during conflict, companies risk becoming a target themselves. Technology companies such as Microsoft, SentinelOne, and Cloudflare, which have publicly reported their support for Ukraine, have been historically targeted by Russian cyber operations and are already familiar with the increased risk. Organizations with pre-conflict commercial relationships may fall under new scrutiny by nationally-aligned hacktivist groups such as Killnet. This support for one side over the other—whether actual or perceived—may result in additional risk.”

Osadchuk: “An important risk of continuing business as usual [in Russia] is that it may damage a company’s public image and test its declared values, since the continuation of paying taxes within the country-aggressor makes the private company a sponsor of these actions. Another risk for a private company is financial, since the companies that leave a particular market are losing their profits, but this is incomparable to human suffering and losses caused by the aggression. In the case of a Russian invasion, one of the ways to stop the war is to cut funding for and, thus, undermine the Russian war machine and support Ukraine.”

Schroeder: “Private companies have long provided goods and services to combatants outside of the information environment. The international legal framework restricting combatants to targeting ‘military objects’ provides normative protection, as objects are defined as those ‘whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage’ in a manner proportional to the military gain foreseen by the operation. This definition, however, is still subject to the realities of conflict, wherein combatants will make those decisions to their own best advantage. In the information environment, this question becomes more complicated, as cyber products and services often do not fall neatly within standard categories and where private companies themselves own and operate the very infrastructure over and through which combatants engage. The United States and its allies, whether on a unilateral of supranational basis, work to better define the boundaries of civilian ‘participation’ in war and conflict, as the very nature of the space means that their involvement will only increase.”

Wilde: “On one hand, it is important not to falsely mirror onto others the constraints of international legal and normative frameworks around armed conflict to which responsible states strive to adhere. Like Russia, some states show no scruples about violating these frameworks in letter or spirit, and seem unlikely to be inhibited by claims of neutrality from companies offering support to victimized states. That said, clarity about where goods and services might be used for civilian versus military objectives is advisable to avoid the thresholds of ‘direct participation’ in war outlined in International Humanitarian Law.”

#3 What useful lessons should the United States and its allies take away from the successes and/or failures of cyber and information operations in Ukraine?

Aleksejeva: “As for cyber operations, so far, we have not seen successful disruptions achieved by Russia of Ukraine and its Western allies. Yes, we are seeing constant attacks, but cyber defense is much more developed on both sides than before 2014. As for information operations, the United States and its allies should become less self-centered and have a clear view of Russia’s influence activities in the so-called Global South where much of the narratives are rooted in anti-Western sentiment.”

Cutler: “Prior to the start of the conflict, it was strongly believed that a cyber operation, specifically against energy and communication sectors, would act as a precursor to kinetic action. While a WannaCry or NotPetya-scale attack did not occur, the AcidRain attack against the Viasat satellite communication network and other attacks targeting Ukraine’s energy sector highlight that cyber operations of varying effectiveness will play a role in the lead up to a military conflict.”

Osadchuk: “First, cyber operations coordinate with other attack types, like kinetic operations on the ground, disinformation, and influence operations. Therefore, cyberattacks might be a precursor of an upcoming missile strike, information operation, or any other action in the physical and informational dimensions, so allies could use cyber to model and analyze multi-domain operations. Finally, preparation for and resilience to information and cyber operations are vital in mitigating the consequences of such attacks; thus, updating defense doctrines and improving cyber infrastructure and social resilience are necessary.”

Schroeder: “Expectations for operations in this environment have exposed clear fractures in the ways that different communities define as success in a wartime operation. Specifically, there is a tendency to equate success with direct or kinetic battlefield impact. One of the biggest lessons that has been both a success and a failure throughout this war is the role that this environment can play. Those at war, from ancient to modern times, have leveraged every asset at their disposal and chosen the tool they see as the best fit for each challenge that arises—cyber is no different. While there is ongoing debate surrounding this question, if cyber operations have not been effective on a battlefield, that does not mean that cyber is ineffective, just that expectations were misplaced. Understanding the myriad roles that cyber can and does play in defense, national security, and conflict is key to creating an effective cross-domain force.

Wilde: “Foremost is the need to check the assumption that these operations can have decisive utility, particularly in a kinetic wartime context. Moscow placed great faith in its ability to convert widespread digital and societal disruption into geopolitical advantage, only to find years of effort backfiring catastrophically. In other contexts, better trained and resourced militaries might be able to blend cyber and information operations into combined arms campaigns more effectively to achieve discrete objectives. However, it is worth reevaluating the degree to which we assume offensive cyber and information operations can reliably be counted on to play pivotal roles in hot war.”

A parallel terrain: Public-private defense of the Ukrainian information environment

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors

#4 How do comparisons to other domains of conflict help and/or hurt understanding of conflict in the information domain?

Aleksejeva: “Unlike conventional warfare, information warfare uses information and psychological operations during peace time as well. By masking behind sock puppet or anonymous social media accounts, information influence operations might be perceived as legitimate internal issues that polarize society. A country might be unaware that it is under attack. At the same time, as the goal of conventional warfare is to break an adversary’s defense line, information warfare fights societal resilience by breaking its unity. ‘Divide and rule’ is one of the basic information warfare strategies.”

Cutler: “When looking at the role of cyber in this conflict, I think it is critical to examine the history of Hacktivist movements. This can be incredibly useful for understanding the influences and capabilities of groups like the IT_Army and Killnet.”

Osadchuk: “The information domain sometimes reflects the kinetic events on the ground, so comparing these two is helpful and could serve as a behavior predictor. For instance, when the Armed Forces of Ukraine liberate new territories, they also expose war crimes, civilian casualties, and damages inflicted by occupation forces. In reaction to these revelations, the Kremlin propaganda machine usually launches multiple campaigns to distance themselves, blame the victim, or even denounce allegations as staged to muddy the waters for certain observers.”

Schroeder: “It is often tricky to carry comparisons over different environments and context, but the practice persists because, well, that is just what people do—look for patterns. The ability to carry over patterns and lessons is essential, especially in new environments and with the constant developments of new tools and technologies. Where these comparisons cause problems is when they are used not as a starting point, but as a predetermined answer.”

Wilde: “It is problematic, in my view, to consider information a warfighting ‘domain,’ particularly because its physical and metaphorical boundaries are endlessly vague and evolving—certainly relative to air, land, sea, and space. The complexities and contingencies in the information environment are infinitely more than those in the latter domains. However talented we may be at collecting and analyzing millions of relevant datapoints with advanced technology, these capabilities may lend us a false sense of our ability to control or subvert the information environment during wartime—from hearts and minds to bits and bytes.”

#5 What conditions might make the current conflict exceptional and not generalizable?

Aleksejeva: “This war is neither ideological nor a war for territories and resources. Russia does not have any ideology that backs up its invasion of Ukraine. It also has a hard time maintaining control of its occupied territories. Instead, Russia has many disinformation-based narratives or stories that justify the invasion to as many Russian citizens as possible including Kremlin officials. Narratives are general and diverse enough, so everyone can find an explanation of the current invasion—be it the alleged rebirth of Nazism in Ukraine, the fight against US hegemony, or the alleged historical right to bring Ukraine back to Russia’s sphere of influence. Though local, the war has global impact and makes countries around the world pick sides. Online and social media platforms, machine translation tools, and big data products provide a great opportunity to bombard any internet user in any part of the world with pro-Russia massaging often tailored to echo historical, racial, and economic resentments especially rooted in colonial past.”

Cutler: “During the Gulf War, CNN and other cable news networks were able to provide live coverage of military action as it was unfolding. Now, real-time information from conflict areas is more broadly accessible. Telegram and social media have directly shaped the information and narratives from the conflict zone.”

Osadchuk: “The main difference is the enormous amount of war content, ranging from professional pictures and amateur videos after missile strikes to drone footage of artillery salvos and bodycam footage of fighting in the frontline trenches—all making this conflict the most documented. Second, this war demonstrates the need for drones, satellite imagery, and open-source intelligence for successful operations, which distances it from previous conflicts and wars. Finally, it is exceptional due to the participation of Ukrainian civil society in developing applications, like the one alerting people about incoming shelling or helping find shelter; launching crowdfunding campaigns for vehicles, medical equipment, and even satellite image services; and debunking Russian disinformation on social media.”

Schroeder: “One of the key lessons we can take from this war is the centrality of the global private sector to conflict in and through the information environment. From expedited construction of cloud infrastructure for the Ukrainian government to Ukrainian telecommunications companies defending and restoring services along the front lines to distributed satellite devices, providing flexible connectivity to civilians and soldiers alike, private companies have undoubtedly played an important role in shaping both the capabilities of the Ukrainian state and the information battlespace itself. While we do not entirely understand the incentives that drove these actions, an undeniable motivation that will be difficult to replicate in other contexts is the combination of Russian outright aggression and comparative economic weakness. Companies and their directors felt motivated to act due to the first and, likely, free to act due to the second. Private sector centrality is unlikely to diminish and, in future conflicts, it will be imperative for combatants to understand the opportunities and dependencies that exist in this space within their own unique context.”

Wilde: “My sense is that post-war, transatlantic dynamics—from shared norms to politico-military ties—lent significant tailwinds to marshal resource and support to Ukraine (though not as quickly or amply from some quarters as I had hoped). The shared memory of the fight for self-determination in Central and Eastern Europe in the late 1980s to early 1990s still has deep resonance among the publics and capitals of the West. These are unique dynamics, and the degree to which they could be replicated in other theaters of potential conflict is a pretty open question.”

The post The 5×5—Conflict in Ukraine’s information environment appeared first on Atlantic Council.

Building a shared lexicon for the National Cybersecurity Strategy

the Cyber Statecraft Initiative — Thu, 16 Mar 2023 12:00:00 +0000

The 2023 National Cybersecurity Strategy, released on March 3, represents the ambitions of the Biden Administration to chart a course within and through the cyber domain, staking out a critical set of questions and themes. These ambitions are reflected within the strategy’s pillars and titled sections, but also key words and phrases scattered throughout the document. As we and others have said, the success of this strategy will hinge largely on the practical implementation of its boldest ideas. The details of that implementation will depend on how the administration chooses to interpret or define many of the key terms found within the strategy.

To begin the creation of a shared lexicon to interpret these terms and the policy questions and implications that flow from each, this series identifies seven terms used throughout the strategy that represent pivotal ideas and priorities of this administration: “best-positioned actors,” “realign incentives,” “shift liability,” “build in security,” “modernize federal systems,” “privacy,” and “norms of responsible state behavior.” This article digs into the meaning behind these phrases and how they serve as waypoints in debates over the future of cybersecurity policy.

Strategy terms

“Best-positioned actors”

Throughout the National Cybersecurity Strategy, there are various iterations of the idea of “best-positioned actors” to describe and delineate the private actors expected, or at the least encouraged, to play a larger role in building and reinforcing a secure cyberspace. The repetition of this term represents a larger trend within the 2023 NCS: the central role of the private sector. The prior strategy certainly represented a step in this process, but its successor signals a more fundamental move toward addressing the significant role of private sector players in shaping cybersecurity.

According to this strategy, a keystone in this effort will be increased responsibility by the “best positioned actors” within the private sector. But what does this term mean? At its most basic level, a best-positioned company is one whose product(s) or service(s) represents a considerable portion of a key structural point identified within a pillar of US cyber strategy and, therefore, a company whose manner of operation will be decisive in determining cybersecurity outcomes for a large number of users. The strategy explains that “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.” Though specific sectors or companies are not tied to this category in the strategy, the definition appears to include primarily the owners and operators of both traditional physical infrastructure, especially critical infrastructure, as well as digital infrastructure, like cloud computing services. It may also point to entities who operate as crucial intermediary nodes in the software stack or software development life cycle, whose privileged positions allow the implementation of security protections for downstream resources at scale, such as operating systems, app stores, browsers, and code-hosting platforms.

The strategy appears to distinguish these best-positioned actors as a sub-set within the category of actors whose action, or inaction, has the greatest potential consequences. The strategy further stipulates that a company’s resourcing partially determines its designation as best-positioned. This distinction reflects an issue throughout the digital ecosystem, where an entity responsible for a critical product or service might have insufficient resources, might fall under what Cyber Statecraft Initiative Senior Fellow Wendy Nather terms the “cyber poverty line,” to act as a best-positioned actor. Such entities may not be “best positioned,” but are important to the security and resilience if the products or services they are responsible for are depended on by a significant proportion of technology users or would, if compromised, create a large blast radius of effect because they play a connecting role within a large number of other products and services.

The strategy’s emphasis on shifting responsibility is crucial to reducing the impact of security failures on users and serves to support many of the other concepts around “build-in security,” “privacy,” and “realign incentives.” As a result, who that responsibility shifts to, the “best-positioned actors,” will have material influence on the outcomes of these policies. Establishing a common understanding of what companies fall within that category is imperative.

“Realign incentives”

Another term found throughout the National Cybersecurity Strategy—particularly within Pillar Three (Shape Market Forces)—is various iterations of “incentivizing responsibility.” It describes how the US government can shape the security ecosystem by motivating actors—chiefly the private sector owners, producers, and operators of critical technologies—toward a sense of heightened responsibility in securing US digital infrastructure. The previous strategy discussed incentives at a very high level—how to incentivize investments, innovation, and so on—but lacked a coherent sense of objective. The 2023 strategy moves closer to stating a goal but still falls short of actualizing a plan to achieve it. The repetition of this term represents a larger trend within the 2023 strategy: the desire to shift the onus of security failures away from users and onto the private sector. This term is a major driver to achieve the strategic objectives of the National Cyber Security Strategy.

These incentives are primarily divided into four categories: investment, procurement, regulation, and liability (discussed in Shifting Liability). Investment sits at the heart of Pillar Four (Invest in a Resilience Future), but this approach is common across the pillars. Using investment as an incentive includes creating or building upon existing funds and grant programs for critical and innovative technologies, especially those secure- and resilient-by-design (discussed further in Build in Security). Bridging investment and regulation is the strategy’s emphasis on using federal purchasing power to create positive incentives within the market to adopt stricter cybersecurity design standards.

More prominent throughout the strategy, however, is a regulatory approach that seeks to balance increased resilience with the realities of the free market. This inclusion is important—resilience investment is not maximally efficient. By design a resilient system may have multiple channels for the same information or control. Building resilience into a system may also involve costly engineering and research programs without adding new (and marketable) functionality, and they might even raise the cost of goods sold. Public policy can incentivize these less efficient investments and behaviors, but it may also need to mandate them, especially where markets are most dysfunctional or risk most concentrates. Regulatory tools are intrinsic to a properly functioning market and suffer abuse through neglect or overuse in equal measure.

The strategy hints that making security and resilience the preferred market choice requires making inadequate security approaches more difficult and costly. The strategy recognizes the critical role that private companies play in creating a secure and resilient cyber ecosystem—they are acknowledged even more frequently than allied and partner states. The various approaches to incentivizing responsibility illustrate the careful balancing act that a more robust public-private relationship will require, creating both opportunity and consequence for the private sector.

The strategy tasks the federal government with creating regulation responsibly, with “modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation.” This specific and flexible approach is progress in the government’s approach to regulation, yet it raises questions as to the capability of the US government to create and regularly update a suite of regulatory statutes with sufficient agility. Finding specific and actionable ways to realign incentives and responsibilities will be essential to achieving the goals set by the 2023 strategy. However, to achieve this goal, it is essential to better identify both what these regulations seek to achieve and how to best design them to fit, bypassing the debate about Regulation: Friend or Foe.

“Shift liability”

The 2023 National Cybersecurity Strategy has an entire subsection dedicated to software liability—one of the strategy’s most explicit endorsements of a specific, new policy mechanism to shift responsibility and realign incentives for better cybersecurity. Creating a clear framework for software products and service liability would incentivize vendors to uphold baseline standards for secure software development and production, to protect themselves from legal action in response to damages incurred by issues with their product.

In the US legal landscape, software, by itself, is rarely considered a product (in contrast to physical goods with embedded software, such as smart TVs or smart cars). This limits the ability of a user to bring claims under traditional product-liability law against the manufacturer in the event of a security flaw or other problem with the software. In addition, many software vendors disclaim liability by contract—when a consumer clicks “I Agree” on a software license to install a program, they often agree to a contract that forfeits their right to sue the maker. Indeed, the strategy explicitly calls out this tactic.

Taken in tandem, these facts mean that software manufacturers often can insulate themselves from legal liability caused by failures of their products, removing a strong incentive that has motivated physical-goods manufacturers to put their products through rigorous safety testing. The Federal Trade Commission (FTC) retains broad enforcement powers against unfair and deceptive practices, which it has used to bring judgements against businesses for abysmal security failures, and certain authorities to regulate security practices in specific software-reliant sectors like the financial-services industry. However, a broader liability framework specific to software is conspicuously absent.

The strategy, recognizing that even the best-intentioned software manufacturers cannot anticipate all potential security vulnerabilities, leads with a safe harbor-based approach, in which software manufacturers are insulated from security-related product liability claims if they have adhered to a set of baseline secure development practices. This is a negligence liability standard—where manufacturers are held accountable only if they fail to meet an accepted baseline of adequate care—in contrast to a strict liability standard, in which manufacturers are liable for harms regardless of the precautions they took. The National Cybersecurity Strategy also makes explicit mention of the need to protect open-source developers from any form of liability for participating in open-source development, given that open-source software is more akin to free speech than to the offering of a final product. This recognition is both correct and important in light of the different paradigm within which open-source development operates and its incredibly common integration in most software products.

The strategy does not explicitly state whether such a standard should be enforced solely by an executive branch agency, such as the FTC, or whether the intent of the framework would be to allow individuals to directly sue software manufacturers whose products harmed them through a private right of action. The acknowledgement of the need to refine the software liability framework is a crucial step toward the strategy’s goals of realigning public-private incentives for security and resilience. The strategy is silent on whether existing federal authorities would be sufficient, through the FTC or even the Department of Justice’s Civil Cyber Fraud Initiative, or if a private right of action is still necessary (see here for more context on this distinction and liability as a cybersecurity policy issue). This could be a defining question, especially where it may involve congressional action to back up such a program versus merely sustain it.

“Build in security”

While discussing ways to shape market forces for improved security and resilience, the National Cybersecurity Strategy dedicates two sections of Pillar Three (Shape Market Forces) to adapt federal grants and other incentives to “build in security” throughout the cyber ecosystem. This is one of the more mature interpretations of the document’s focus on reshaping incentives and responsibilities to improve security. As far as individual technologies and products are concerned, vendor incentives to rush to market can leave security features as an afterthought or add on—worse, they can remove security considerations from design processes entirely. The implementation of secure-by-design technology is especially important in light of the interconnectedness of this space, as the integration of new technology alongside old systems can create points of weakness and transitive risk.

While much policymaking discussion considers how to punish or disincentivize poor practices, rewarding security incorporated at the outset of design is as useful. Software which is built to be difficult to compromise (versus layered with post-facto security features) can be easier, and sometimes cheaper, to defend in daily use and offer vendors and users both a more defensible product. These benefits are manifold when such standards are in place early in the development of an industry, as seen in the administration’s desire to implement a National Cyber-Informed Engineering Strategy for the new generation of clean energy infrastructure. The challenge will lie in whether the administration can define what it means to build in security (i.e., is it a set of specific practices, such as using memory-safe languages? or a set of process considerations which must be accounted for and documented?) with enough specificity to build policy incentive structures such as regulation around the concept.

The next logical step is to consider how to build in security not just for granular products but for systems writ large. The ever-increasing complexity of cloud infrastructure and other large-scale networked systems is an enormous strain on vendors and service providers, which have already gone to great lengths to engineer processes and software around navigating that complexity. Unchecked, those systems and their increasing importance will put users and government on their heels, forcing them to defend an extremely sophisticated and inherently insecure landscape.

Government is well-positioned to create incentives to help industry avoid race-to-the-bottom market pressures that lead towards insecurity and unmanaged complexity, and the strategy does well to tee up that priority even if it views the cyber landscape through a somewhat narrow product lens. Moving toward incentivizing secure design, architectural review processes, and buying down risk at the systems scale can convert “building in security” from an operational feature of federal funding to a strategic reshaping of the cyber landscape.

“Modernize federal systems”

Section Five within Pillar One (Defend Critical Infrastructure) of the National Cybersecurity Strategy focuses on modernizing what it terms the federal enterprise. The recognition of the federal civilian executive branch agencies (FCEB) as a singular enterprise from a security perspective is valuable and hints at broader themes for the Office of the National Cyber Director’s (ONCD) conception of modernization: streamlined points of contact, better coordinated security posturing and policymaking, and more evenly distributed and accessible resourcing and tooling among other gains.

At the most abstract level, modernization can be considered appropriately adjusting the federal enterprise to the challenges inherent in digital security: complexity, speed, and scale. Perhaps the most important contribution of the strategy here is the simple recognition that the federal government is outmatched—with infrastructure that has so far proven inadequate. The strategy’s approach to modernization commits to alleviating the government’s dependence on legacy systems that create too porous a foundation for US cybersecurity. Specific adaptations mentioned include the implementation of zero-trust architecture, a migration to cloud-based services, and progress toward “quantum-resistant cryptography-based environments.” Notably, “zero trust” remains a phrase of the moment after it did a starring turn in Executive Order 14028 and its use as a rhetorical catch-all for “modern” security tools and approaches has only increased.

The strategy directly appoints the Office of Management and Budget (OMB), in coordination with Cybersecurity and Infrastructure Security Agency (CISA), as the lead planner for FCEB cybersecurity planning and the custodian of shared services for constituent agencies. Though direct implementation plans are not laid out within this document, the specific tasking of the OMB to lead this process, assuming that the office receives the necessary resources, does create accountability and measurability for the pillar.

Another key component of FCEB modernization is a parallel workforce modernization. Any and all plans to create a modern, resilient federal cyber environment will require fostering a talented, diverse cyber workforce. The ONCD is spearheading this effort, and work on a workforce-specific strategy is underway. The National Cyber Strategy’s treatment of the cyber workforce provides a strong foundation for ONCD’s more detailed plan to address what is a significant problem for the US government. In that strategy, there is indeed opportunity to go further, not just to build the cyber workforce necessary for the problems of today, but to ensure that workforce development is conducted in parallel with government efforts to reshape its cyber environment into one that is more secure-by-design.

Modernization of federal systems is a gargantuan challenge, and one that will never be complete. To effectuate real change, modernization must become an engrained and cyclical process. This process does not have to mean the pursuit of the most cutting-edge technology for wholesale implementation across the FCEB, but must prioritize raising the baseline of security by targeting widespread dependencies and reduce risk for the most insecure and critical system components.

“Privacy”

One of the central themes of the inaugural National Cyber Director’s tenure was that cybersecurity must amount to more than creating an absence of threats. Securing the devices and services surrounding us should enable their use toward positive social, political, and economic ends. The security of data on these devices and running through these services is as much a question of protection against its appropriation and misuse by entities to whom it was entrusted as it is a question of preventing theft by malicious adversaries.

It is only a little surprising then, and very much welcome, to see the National Cybersecurity Strategy repeatedly highlight the importance of privacy as a key component of the United States’ cyber posture. Security and privacy are tightly intermeshed, as both a practical issue, where security features can function as guarantors of some privacy policies and protections, and as a policy issue—witness certain European Union (EU) member states agita over US surveillance and intelligence collection authorities as they impact the privacy of EU data and the perceived security of US-based cloud services. The inclusion of privacy is an overdue recognition of the fact that, if we succeed at preventing adversaries from stealing data from US networks, but then allow the same data to be freely bought and sold on the open web, we have gained little protection from espionage or targeting.

The recurring inclusion of privacy also marks an overdue move to collectively wield tools of both cybersecurity policy and corporate accountability in concert—taking the efforts of entities like the FTC, the Securities and Exchange Commission (SEC), and CISA together to drive change in private sector behavior. The strategy supports “legislative efforts to impose robust, clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information,” but stops short of acknowledging that Congress’ ongoing failure to pass a comprehensive federal privacy law is harming US national cyber posture. Given such a law would likely include mandatory minimum-security standards for entities processing personal data, a privacy law would also provide new enforcement tools for the executive branch to penalize companies for poor security practices, going a long way towards creating incentives to fix some of the market failures identified by the administration throughout the strategy. The strategy also arrives as the intelligence community and Congress more publicly recognize the national security importance of data security and the risks posed by the widespread proliferation of surveillance tools.

Privacy has many definitions, but perhaps the most significant implied here is control over information and the right to exercise that control in the service of individual liberty. Strengthening users’ control over the data they produce, its use in digital technologies, and the integrity of those technologies against harm is a means of giving greater power back to users. These acknowledgments are fundamentally important—however, without going further, policy risks falling back into the broken “notice and choice” model of privacy, which has demonstrated its insufficiency in the proliferation of cookie banners under GDPR. The strategy would have gone further if it had acknowledged the need to preclude companies from collecting, processing, and reselling consumer data beyond the minimum required to deliver requested goods and services, which would more fundamentally limit the collection and propagation of Americans’ data.

The embrace of privacy as a key component of cyber posture is a large step, but the strategy still lacks concrete operational plans for implementing this vision. Hopefully, this is a sign of policy action still to come. Using this strategy as another important marker, policymakers should continue to address cybersecurity and privacy issues by bringing individual users back into the conversation and restoring a measure of ownership over their digital footprint along the way.

“Norms of responsible state behavior”

Within the 2023 National Cybersecurity Strategy, the drafters highlight the need for the United States and its likeminded allies and partners to work toward a free, fair, and open cyber domain aligned with US cyber norms and values. This concept, as a guiding principle for strategy, is not new, and indeed, was a central pillar of the 2018 strategy. The continued emphasis placed on norms and values-guided cyber strategy signals the ongoing importance of this conversation.

This strategy specifically calls out the Declaration of the Future of the Internet (DFI) as creating a foundation for “a common, democratic vision for an open, free, global, interoperable, reliable, and secure digital future.” The strategy also highlights the importance of international institutions and agreements in developing a framework and set of norms for this vision, including the United Nations (UN) Group of Governmental Experts and Open-Ended Working Group and the Budapest Convention on Cybercrime.

While there is agreement among the United States and allies on a set of cyber norms, these norms do not encompass all of state behavior in cyberspace. Important differences in approach might impede the level of cooperation sought by the United States and its allies. One such tension, briefly mentioned, is the question of data localization requirements. Pillar Five (Forge International Partnerships) discusses a series of goals surrounding international collaboration. These include counter-threat coalitions, partner capacity building, and supply chain security. This pillar also discusses many existing efforts toward enhancing international cooperation, yet lacks a clear, cohesive set of actions for moving the United States and the global cyber ecosystem toward an “open, free, global, interoperable, reliable, and secure Internet.” Without such a bridge, US allies and partners around the globe, especially those with immature or nonexistent relationships with the US government on cyber issues, might struggle to move toward the kind of cyber ecosystem the US government seeks to create.

As the US government builds on and operationalizes the strategy, the cyber norms and values used as its frame will require clear specification as more than just platitudes. The internet is not a topic merely of foreign policy, and there are opportunities throughout the document to better connect discussion of shifting responsibility and securing the internet together, including these important normative dimensions through domestic implementation. It is simple to claim the pursuit of a free, fair, open, and secure cyber domain. However, if norms are truly to serve as the foundation of cyber strategy, the US government must do more than allude—it must lead the way in integrating specific ideals into its strategy, operations, and tactics.

Nonresident Senior Fellow

The post Building a shared lexicon for the National Cybersecurity Strategy appeared first on Atlantic Council.

Atkins on ICS Pulse Podcast

everges — Fri, 10 Mar 2023 20:47:33 +0000

ORIGINAL SOURCE

On March 7, IPSI Nonresident Senior Fellow Victor Atkins was interviewed on the Industrial Cybersecurity Pulse Podcast on protecting critical infrastructure.

Fellow

Victor Atkins

Indo-Pacific Security Initiative Scowcroft Center for Strategy and Security

Crisis Management Cybersecurity

The post Atkins on ICS Pulse Podcast appeared first on Atlantic Council.

How will the US counter cyber threats? Our experts mark up the National Cybersecurity Strategy

Maia Hamin, Trey Herr, Will Loomis, Emma Schroeder, and Stewart Scott — Sat, 04 Mar 2023 02:15:46 +0000

On March 2, the Biden administration released its 2023 National Cybersecurity Strategy (NCS), an attempt to chart a course through the stormy waters of cyberspace, where the private sector, peer-competitor states, and nonstate actors navigate around and with each other in ways growing more complex—and dangerous—by the day. The Atlantic Council’s Cyber Statecraft Initiative (CSI), which is housed within the Digital Forensic Research Lab, gathered a group of experts from government and private-sector cyber backgrounds to dive into the document and offer context, commentary, and concerns to help decipher the strategy. Commenters include Maia Hamin, Trey Herr, Danielle Jablanski, Amelie Koran, Will Loomis, Jeff Moss, Katie Nickels, Marc Rogers, Stewart Scott, and Chris Wysopal.

CSI’s key takeaways from the strategy

The strategy offers the much-needed beginnings of an ambitious shift in US cybersecurity policy, but it often falls short on implementation details and addressing past failures. The actionable outputs it does identify are fundamentally cautious.
The strategy’s greatest virtues might be its focus on the pressing need to grapple with market incentives driving insecurity and to reallocate responsibility for security.
By deferring rigorous treatment of allied and partner states’ role in its strategic vision for cybersecurity, the strategy gives short shrift to cybersecurity’s fundamentally global nature across all pillars.

BDR: Arguments for the National CyberSecurity Strategy

NCS table of contents

INTRODUCTION

INTRODUCTION
The Strategic Environment
Our Approach: A Path to Resilience in Cyberspace
Building On Existing Policy

PILLAR ONE | DEFEND CRITICAL INFRASTRUCTURE

PILLAR ONE | DEFEND CRITICAL INFRASTRUCTURE
Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety
Strategic Objective 1.2: Scale Public-Private Collaboration
Strategic Objective 1.3: Integrate Federal Cybersecurity Centers
Strategic Objective 1.4: Update Federal Incident Response Plans
Strategic Objective 1.5: Modernize Federal Defenses

PILLAR TWO | DISRUPT AND DISMANTLE THREAT ACTORS

PILLAR TWO | DISRUPT AND DISMANTLE THREAT ACTORS
Strategic Objective 2.1: Integrate Federal Disruption Activities
Strategic Objective 2.2: Enhance Public-Private Operational Collaboration to Disrupt Adversaries
Strategic Objective 2.3: Increase the Speed and Scale of Intelligence Sharing and Victim Notification
Strategic Objective 2.4: Prevent Abuse of US-based Infrastructure
Strategic Objective 2.5: Counter Cybercrime, Defeat Ransomeware

PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE

PILLAR THREE | SHAPE MARKET FORCES TO DRIVE SECURITY AND RESILIENCE
Strategic Objective 3.1: Hold the Stewards of Our Data Accountable
Strategic Objective 3.2: Drive the Development of Secure IoT Devices
Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services
Strategic Objective 3.4: Use Federal Grants And Other Incentives To Build In Security
Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability
Strategic Objective 3.6: Explore a Federal Cyber Insurance Backstop

PILLAR FOUR | INVEST IN A RESLIENT FUTURE

PILLAR FOUR | INVEST IN A RESLIENT FUTURE
Strategic Objective 4.1: Secure the Technical Foundation of the Internet
Strategic Objective 4.2: Reinvigorate Federal Research and Development for Cybersecurity
Strategic Objective 4.3: Prepare for Our Post-Quantum Future
Strategic Objective 4.4: Secure Our Clean-Energy Future
Strategic Objective 4.5: Support Development of a Digital Identity Ecosystem
Strategic Objective 4.6: Develop a National Strategy to Strengthen Our Cyber Workforce

PILLAR FIVE | FORGE INTERNATIONAL PARTNERSHIPS

PILLAR FIVE | FORGE INTERNATIONAL PARTNERSHIPS TO PURSUE SHARED GOALS

Strategic Objective 5.1: Build Coalitions to Counter Threats to Our Digital Ecosystem
Strategic Objective 5.2: Strengthen International Partner Capacity
Strategic Objective 5.3: Expand US Ability to Assist Allies and Partners
Strategic Objective 5.4: Build Coalition to Reinforce Global Norms of Responsible State Behavior
Strategic Objective 5.5: Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services

IMPLEMENTATION

IMPLEMENTATION
Assess Effectiveness
Incorporate Lessons Learned
Making the Investment

Shared
Lexicon

Lawfare
Op-ed

Implementation PLan Markup

A steady course in stormy seas: How to read the Biden administration’s new cyber strategy

Far before the age of steam, in the earliest days of sailing ships, captains knew to keep their vessels close to shore. Out in deeper water lay the vicissitudes of storms and faithless winds. Safety lay in the often more arduous, lengthier voyages hugging the coastline. Trading speed for the safety of their ship, crew, and cargo, captains steered carefully through the rocks on a conservative course to their destination. Sailors might tell tales of the exotic lands they planned to visit, but reliable routes close to shore kept them far from the perils of such journeys.

The 2023 National Cybersecurity Strategy (NCS), released March 2, reflects this cautious reality in the actual commitments it makes under a bolder vision to “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term investments.” The strategy’s greatest contribution in years to come will likely hinge on its success reframing cyber policy toward explicit discussion of the market—and its failure to adequately distribute responsibility and risk while still clinging to weak incentives for good security practices. This will serve future policy efforts well and open discussions about material changes in the complexity and defensibility of digital technologies. A market lens for cyber policy also serves to integrate privacy into mainstream cybersecurity discussions and heartily embraces the notion that it is more than just defense against external compromise that determines the security of users and data. The strategy also charts out new horizons in its acknowledgement of the need to address software product liability while protecting open-source developers.

But in its discussion of a liability regime, and throughout, the strategy often hews close to safe harbors, steering away from the specific actions and policies that would implement the thornier parts of its vision. The document’s focus on the market, for instance, is weakened by the absence of efforts to trace the source of market failings. Missing too are efforts to further unpack barriers to federal information-technology modernization or the complex web of cyber authorities that have left security requirements fragmented and inconsistent across sectors. The document also does little to integrate the international perspective across its discussion of threats or technologies, leaving the topic largely in a single, final pillar (the strategy is organized into five such pillars).

This was a singular opportunity to better address the global business environment in which technology vendors and consumers operate, and the geopolitical significance attached to questions of technology design and security. One need only look through the rapid expansion of activity in the Committee on Foreign Investment in the United States or the recent flurry of debate around TikTok to see the deeply international nature of the market in which the strategy seeks to drive “security and resilience.” The isolation of international issues ignores the reality of global US security partnerships and insufficiently addresses the reality of defense cooperation in cyberspace with both foreign states and private companies.

The Office of the National Cyber Director was handed a mammoth task in drafting this administration’s NCS. The young office could easily have foundered, beset by the interagency demons of the deep. Instead, it seems this captain and crew chose to remain in sight of land while charting in florid prose what could be in these grand adventures. The result is an important framework with some novel and useful policy activities, but also with questions that the cyber policy community must work to answer in the years to come. Important ideas, such as an affirmative statement about what the balance of responsibility for security should look like across the technology ecosystem, are here established in principle—flags left to be carried forward by others. In light of the fraught political winds the drafting team navigated, the result is commendable, but a frank recognition of how much work remains is also important. This text may serve to fire the imaginations of a generation of sailors yet to leave port, but we must ensure they do indeed set sail for distant shores and capture some of the promise presented here.

Authors and contributors

Maia Hamin is an associate director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). She works on the Initiative’s Systems Security portfolio, which focuses on policy for open-source software, cloud, and other technologies with important systemic security effects.

Trey Herr is the director of the Atlantic Council’s Cyber Statecraft Initiative. His team works on cybersecurity and geopolitics including cloud computing, the security of the internet, supply chain policy, cyber effects on the battlefield, and growing a more capable cybersecurity policy workforce.

Danielle Jablanski is a nonresident fellow at the Cyber Statecraft Initiative and an operational technology (OT) cybersecurity strategist at Nozomi Networks, responsible for researching global cybersecurity topics and promoting OT and industrial control systems (ICS) cybersecurity awareness throughout the industry. Jablanski serves as a staff and advisory board member of the nonprofit organization Building Cyber Security, leading cyber-physical standards development, education, certifications, and labeling authority to advance physical security, safety, and privacy in the public and private sectors. Since January 2022, Jablanski has also served as the president of the North Texas Section of the International Society of Automation, organizing monthly member meetings, training, and community engagements.

Amelie Koran is a nonresident senior fellow at the Cyber Statecraft Initiative and the current director of external technology partnerships for Electronic Arts, Inc. Koran has a wide and varied background of nearly thirty years of professional experience in technology and leadership in the public and private sectors. During her career, she has supported work across various government agencies and programs including the US Department of the Interior, Treasury Department, and the Office of the Inspector General in the Department of Health and Human Services. In the private sector, she has held various roles including those at the Walt Disney Company, Splunk, Constellation Energy (now Exelon), Mandiant, and Xerox.

Will Loomis is an associate director with the Cyber Statecraft Initiative. In this role, he manages a wide range of projects at the nexus of geopolitics and national security with cyberspace.

Jeff Moss is a nonresident senior fellow with the Cyber Statecraft Initiative. He is also the founder and creator of both the Black Hat Briefings and DEF CON, two of the most influential information security conferences in the world, attracting over ten thousand people from around the world to learn the latest in security technology from those researchers who create it. DEF CON just had its thirtieth anniversary.

Katie Nickels is the director of intelligence for Red Canary as well as a SANS certified instructor for FOR578: Cyber Threat Intelligence and a nonresident senior fellow for the Cyber Statecraft Initiative. She has worked on cyber threat intelligence (CTI), network defense, and incident response for over a decade for the US Department of Defense, MITRE, Raytheon, and ManTech.

Marc Rogers is currently CSO for Qnetsecurity. He formerly worked at Okta, Cloudflare, Lookout, and Vectra. Rogers is a well-known security researcher (Tesla Model S, TouchID, Google Glass), senior advisor to IST, a member of the Ransomware Taskforce, and co-founder of the CTI League.

Emma Schroeder is an associate director with the Cyber Statecraft Initiative. Her focus in this role is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners.

Stewart Scott is an associate director with the Cyber Statecraft Initiative. He works on the Initiative’s systems security portfolio, which focuses on software supply chain risk management and open source software security policy.

Chris Wysopal is the co-founder and CTO of Veracode, an application security technology provider for software developers. He was one of the original software vulnerability researchers in the 1990’s. He has testified in Congress on the topic of government cybersecurity.

The post How will the US counter cyber threats? Our experts mark up the National Cybersecurity Strategy appeared first on Atlantic Council.

Makings of the Market: Seven perspectives on offensive cyber capability proliferation

Jen Roberts and Emma Schroeder — Wed, 01 Mar 2023 05:01:00 +0000

The marketplace for offensive cyber capabilities (OCC)—the combination of tools; vulnerabilities; and skills, including technical, organizational, and individual capacities used to conduct offensive cyber operations—continues to grow globally. These capabilities, once developed primarily by a small handful of states, are now available for purchase from this international private market, both legal and illegal, to a widening array of both state and nonstate actors. These capabilities, and their proliferation, pose an expanding set of risks to national security and human rights around the globe.

However, these capabilities also have legitimate use in state security and defense—the boundaries of which are ill-defined. Many states have clear incentives to participate in this market, to acquire these capabilities, and more types of actors are able to find financial opportunity as this market grows. Regulation, transparency, and reshaping of this market are necessary to counter the threats this unbounded proliferation poses, and states, independently and in cooperation, have the impetus and the opportunity to do so.

To dive deeper on this topic, we asked seven experts to offer their perspectives on these threats and how policymakers can help counter them:

Briefly, what are the principal equities/interests in the proliferation of cyber capabilities?

“There are five main players interested in the proliferation of cyber capabilities: capability vendors, governments, middlemen and resellers, large technology companies, and civil society organizations.

Capability vendors (i.e., zero-day brokers, Access-as-a-Service firms, spyware vendors etc.) sell capabilities to governments, occasionally through middlemen or resellers (especially if they do not have pre-existing relationships with people in government technology acquisition programs). These capabilities usually involve abusing platforms and services offered by tech companies—like breaking into phones, exploiting chat platforms, or hosting malware on cloud services. Some of the operations using these capabilities target legitimate national security threats, but others will target civil society organizations, especially if the government has a wide definition of national security and little outside accountability. The privatization of this industry also means that governments who previously could not afford to build spying capabilities at home can now do so, cheaply.

Because all players are operating in a space full of secrecy and information asymmetry, each part of the system can and will be abused. Some capability vendors sell to governments they shouldn’t sell to, some middlemen will repackage and resell vulnerabilities they’ve already sold to others, and some governments will abuse these tools to target vulnerable populations or engage in “spyware diplomacy”—allowing their domestic spyware companies to sell to a foreign government in order to curry diplomatic favor. Western governments, large technology firms, and civil society have overlapping interests in this space: curbing the abuse caused by its inherent secrecy and thereby see fewer abuses of human rights, fewer countries engaging in cyber operations, and fewer actors abusing technology services.”

Winnona DeSombre-Bernsen, non-resident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council

What benefits and risks do companies like Zerodium, along with similar middlemen, pose as their role grows larger in the proliferation of offensive cyber capabilities?

“Zerodium and other middlemen operate as market makers, buying and selling the same product in a marketplace. Market making is not inherently bad—the problem arises when they connect vendors to customers both internationally and domestically without providing any transparency to the people they’re buying from or selling to. While these firms enable ways to capture supply from sources that wouldn’t be able to reach buyers directly or would be averse to a direct relationship, they also result in a murky supply chain. There is a lack of understanding around vulnerability sourcing, who the talent is, and who else they’re selling things to. Because of that, governments are unable to drive the direction of the supply chain for future assurance.

Zerodium is able to operate this way because government customers appreciate the lack of transparency: historically, independent exploits have been written by seedy individuals, and the less government has to interact with them, the better. However, this is no longer the case. Exploits are now available from reputable individuals and companies. If government customers continue to want this ambiguity, they will continue to enable brokers like Zerodium to operate outside of the best interests of the US market. Increased transparency from all parties will make sure offensive cyber capabilities end up in the proper hands.”

Sophia D’Antoine, founder and managing partner, Margin Research

If there is a legitimate state interest in shaping the flow of offensive cyber capabilities to friendly states, how does this activity differ from conventional arms sales? Is the US government signaling differently in the two spaces?

“The differences between conventional arms and offensive cyber capabilities are immense. Deniable ambiguity muddies every step of the way in attempting to meaningfully curtail the sale of offensive cyber capabilities. First, offensive cyber capabilities are often multi-role by nature; they are tools of network breaching, surveillance, and potential attack depending on how they are used. Second, their footprint is substantially smaller than their physical counterparts, which makes interdiction—or threat thereof—challenging to impossible. Third, offensive cyber capabilities require relatively little except for high quality personnel to produce reliable outputs. While experts may be in relatively short supply, manufacturing and supply chains are much thinner and therefore harder to subject to scrutiny, transparency, and enforcement.

Only a great deal of collaborative international intent and investment can even remotely make a dent in shaping the flow of offensive cyber capabilities. Efforts will need to include incentivizing the positive actors to continue participating responsibly, disincentivizing sales to less desirable users, creating a culture of due diligence on sale and use, exerting diplomatic pressure on “flexible” nations willing to host unscrupulous sellers or creating a pipeline of expat talent, and a stronger accounting of key human talent in this space and their doings. Considering the quantity of actors benefiting from the existing ambiguities, it is not clear to me that the motivation even exists to support a shift like that, let alone to invest in it strategically.”

Dr. Daniel Moore, cyber warfare researcher, author of “Offensive Cyber Operations”

There has been a lot of focus on Israel and NSO Group, but there are plenty of other countries home to similar activities. What kind of effects might Israel changing the character of its regulation of these firms have on where similar companies choose to do business?

“Despite receiving most of the attention, Israel is far from the only nation with a bustling digital surveillance industry. Indeed, over the last decade, the Israeli government has implemented additional controls on the export of hacking tools which has caused some local companies to consider moving abroad. The most common destination for this relocation effort so far has been Cyprus, but there is also some expansion in the Middle East and Asia – especially into the United Arab Emirates and Singapore.

As Western governments continue to move towards tighter controls on the sale and development of hacking tools, they will likely face internal pressures from their own defense and intelligence communities which may effectively temper rapid change. The sale of military-related products has long been seen as a key tool in the nation state diplomatic toolbox for building and maintaining relations between foreign partners.

Assuming some level of significant regulatory progress in the future, however, I expect to see more spyware companies move into tax haven territories that offer greater corporate secrecy. This is already beginning to occur. While the shift so far is limited and only anecdotal, it may lead to a situation where these companies are harder to identify, track and regulate.”

Christopher Bing, media fellow, Alperovitch Institute

Besides jurisdiction and the fact that many states want some of these companies to operate, what are policymakers biggest challenges to imposing penalties and positive shaping the behavior of companies across the marketplace for offensive cyber capabilities?

“The challenges are varied and speak to the core of transferring concepts from the physical to the digital world. The nature of the asset, i.e., data—which can be easily transmitted and transformed—makes transfers difficult to detect or trace across national boundaries. These traits coupled with the complex and global nature of the ecosystem comprised of varying cultures and legal jurisdictions create an intricate mix. Beyond these foundational aspects there is then:

The strategic national advantage and agency that offensive cyber capabilities provide.
Pace of policy response historically against dynamic, fast changing and modular ecosystems reliant on technical definitions at a trans-government level.
An assumption that only companies and not individuals with no legal entity are capable of being material market or capability shapers and makers.
Lack of transparency, insight, and monitorability of this global ecosystem when compared to physical equivalents such as small arms, chemical and radiological weapons etc.
Lack of evidence that an ecosystem which in part has its roots in counterculture, creativity, and anti-authoritarianism can be sufficiently shaped and controlled globally to achieve policy aims.
Ways in which software can be broken down into component parts distributed across many suppliers so as to not provide described functionality as written in legislation and yet reassembled elsewhere in the destination country to provide said functionality.
Existence of alternative financial systems which are resilient to Western government-imposed sanctions in situations of non-compliance or disagreement.
Existence of vast and growing amount of capability as open source which can be integrated to provide capability further lowering bar of entry.

These examples highlight the complexities and competing forces in a market which are only now starting to be contested. Any one of these could be material in its own right but when combined, highlight the enormity and complexity of the challenge to policymakers. Especially so when we recognize this list isn’t comprehensive.

However, this does not mean we should not try and learn from previous lessons as we look to address the challenge.”

Ollie Whitehouse, founder, BinaryFirefly

For governments and corporations, there is generally more public awareness of this proliferation and its impacts but so far that attention has translated to only limited action from both groups. What role should different kinds of companies play in raising awareness, shaping, and providing appropriate incentives or disincentives to this market for offensive cyber capabilities?

“Microsoft recognizes the urgency of the threat posed by cyber mercenaries and the proliferation of offensive cyber capabilities and believes that progress can only happen through strong multistakeholder partnerships. Therefore, we welcome the growing number of governments that are taking action. The charges brought in the United States against former US intelligence and military personnel accused of being cyber mercenaries is one such example. The European Parliament’s investigation of spyware use in Europe is another. These developments follow years of work by non-governmental organizations (NGOs), which tirelessly support and draw attention to the victims of cyber mercenaries—innocent citizens around the world.

Similarly, industry recognizes its own role in addressing this issue, but acknowledges that more needs to be done. The volume of abuse connected with this market is increasing exponentially and indeed, it seems likely that the current public revelations may only be the tip of the iceberg. Companies have a key role to play and should focus efforts around:

Taking steps to counter cyber mercenaries’ use of products and services to harm people
Identifying ways to actively counter the cyber mercenary market
Investing in cybersecurity awareness of customers, users and the general public
Protecting customers and users by maintaining the integrity and security of products and services and
Developing processes for handling valid legal requests for information.

Some transformative business practices include adhering to established corporate responsibility principles grounded in the protection of human rights and adopting policies that ensure private sector transparency.”

Monica Ruiz, program manager, Digital Diplomacy, Microsoft

How do you expect the clients present in the market for offensive cyber capabilities to change over the next 3 years?

“The market for offensive cyber capabilities has already demonstrated its ability to grow to meet ever-expanding demand. The affordability of these capabilities, relative to the cost of building them domestically, allows governments previously unable to procure surveillance capabilities the avenue to do so. The PEGA committee inquiry particularly calls out governments like Hungary and Greece who do not have large cyber operations capabilities but were able to purchase spyware for political suppression among other uses.

Even in cases where governments have attempted to crack down on companies operating within their countries, like Israel, the talent pool shifts to other states like Cyprus, North Macedonia, and Turkey to circumvent regulation. Growth is thus driven by demand and not limited by any highly effective regulatory scheme. The future of real governance over this market is dependent on governments, technology companies, and civil society partners enacting scalable and transparent policies for both vendors and clients. Done right, the international community can still effectively shape this market to greatly reduce widespread human rights abuses and national security harms.”

Jen Roberts, program assistant, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council

The post Makings of the Market: Seven perspectives on offensive cyber capability proliferation appeared first on Atlantic Council.

Tech innovation helps Ukraine even the odds against Russia’s military might

Mykhailo Fedorov — Tue, 28 Feb 2023 22:50:23 +0000

For more than a year, Ukraine has been fighting for its life against a military superpower that enjoys overwhelming advantages in terms of funding, weapons, and manpower. One of the few areas were Ukraine has managed to stay consistently ahead of Russia is in the use of innovative military technologies.

Today’s Ukraine is often described as a testing ground for new military technologies, but it is important to stress that Ukrainians are active participants in this process who are in many instances leading the way with new innovations. The scale of Russia’s invasion and the intensity of the fighting mean that concepts can often go from the drawing board to the battlefield in a matter of months or sometimes even days. Luckily, Ukraine has the tech talent and flexibility to make the most of these conditions.

With the war now entering its second year, it is clear that military tech offers the best solutions to the threats created by Russia’s invasion. After all, success in modern warfare depends primarily on data and technology, not on the number of 1960s tanks you can deploy or your willingness to use infantry as cannon fodder.

Russian preparations for the current full-scale invasion of Ukraine have been underway for much of the past two decades and have focused on traditional military thinking with an emphasis on armor, artillery, and air power. In contrast, the rapidly modernizing Ukrainian military has achieved a technological leap in less than twelve months. Since the invasion began, Ukraine has demonstrated a readiness to innovate that the more conservative Russian military simply cannot match.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

Name
First Last
Email*
Name
This field is for validation purposes and should be left unchanged.

Modern weapons supplied by Ukraine’s international partners have played a crucial role in the Ukrainian military’s battlefield victories during the first year of the war. Likewise, Western countries have also supported Ukraine with a range of tech solutions and assistance. At the same time, Ukrainians have repeatedly demonstrated their ability to develop and adapt new technologies suited to the specific circumstances of Russia’s ongoing invasion. Ukraine has used everthing from drones and satellite imagery to artificial intelligence and situational awareness tools in order to inflict maximum damage on Russian forces while preserving the lives of Ukrainian service personnel and civilians.

Drones deserve special attention as the greatest game-changers of Russia’s war in Ukraine. Thanks to the widespread and skillful use of air reconnaissance drones, the Ukrainian military has been able to monitor vast frontline areas and coordinate artillery. Meanwhile, strike drones have made it possible to hit enemy positions directly.

The critical role of drones on the battlefield has helped fuel a wartime boom in domestic production. Over the past six months, the number of Ukrainian companies producing UAVs has increased more than fivefold. This expansion will continue. The full-scale Russian invasion of Ukraine is fast evolving into the world’s first war of robots. In order to win, Ukraine needs large quantities of drones in every conceivable category.

This helps to explain the thinking behind the decision to launch the Army of Drones initiative. This joint project within the framework of the UNITED24 fundraising platform involves the General Staff of the Ukrainian Armed Forces, the State Special Communications Service, and the Ministry of Digital Transformation. Within the space of six months, the Army of Drones initiative resulted in the acquisition of over 1,700 drones worth tens of millions of dollars. This was possible thanks to donations from individuals and businesses in 76 countries.

Ukraine is currently developing its own new types of drones to meet the challenges of the Russian invasion. For example, Ukraine is producing new kinds of naval drone to help the country guard against frequent missile attacks launched from Russian warships. Ukrainian tech innovators are making significant progress in the development of maritime drones that cost hundreds of thousands of dollars and can potentially target and deter or disable warships costing many millions.

Eurasia Center events

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Ukrainian IT specialists are creating software products to enhance the wartime performance of the country’s armed forces. One good example is Delta, a comprehensive situational awareness system developed by the Innovation Center within Ukraine’s Defense Ministry. This tool could be best described as “Google maps for the military.” It provides real-time views of the battlefield in line with NATO standards by integrating data from a variety of sources including aerial reconnaissance, satellite images, and drone footage.

Such systems allow the Ukrainian military to become increasingly data-driven. This enables Ukrainian commanders to adapt rapidly to circumstances and change tactics as required. The system saves lives and ammunition while highlighting potential opportunities for Ukraine to exploit. This approach has already proven its effectiveness in the defense of Kyiv and during the successful counteroffensives to liberate Kharkiv Oblast and Kherson.

Ukraine has also launched a special chatbot that allows members of the public to report on the movements of enemy troops and military hardware. Integrated within the widely used Diia app, this tool has attracted over 460,000 Ukrainian users. The reports they provide have helped to destroy dozens of Russian military positions along with tanks and artillery.

In addition to developing its own military technologies, Ukraine has also proven extremely adept at taking existing tech solutions and adapting them to wartime conditions. One prominent example is Starlink, which has changed the course of the war and become part of Ukraine’s critical infrastructure. Satellite communication is one of Ukraine’s competitive advantages, providing connections on the frontlines and throughout liberated regions of the country while also functioning during blackouts. Since the start of the Russian invasion, Ukraine has received over 30,000 Starlink terminals.

Ukraine’s effective use of military technologies has led some observers to suggest that the country could become a “second Israel.” This is a flattering comparison, but in reality, Ukraine has arguably even greater potential. Within the next few years, Ukraine is on track to become a nation with top tier military tech solutions.

Crucial decisions setting Ukraine on this trajectory have already been made. In 2023, efforts will focus on the development of a military tech ecosystem with a vibrant startup sector alongwide a strong research and development component. There are already clear indications of progress, such as the recent creation of strike drone battalions within the Ukrainian Armed Forces.

The war unleashed by Russia in February 2022 has now entered its second year. Putin had expected an easy victory. Instead, his faltering invasion has highlighted Ukraine’s incredible bravery while also showcasing the country’s technological sophistication. Ukrainians have demonstrated their ability to defeat one of the world’s mightiest armies using a combination of raw courage and modern innovation. This remarkable success offers lessons for military strategy and security policy that will be studied for decades to come.

Mykhailo Fedorov is Ukraine’s Deputy Prime Minister and Minister of Digital Transformation.

Examining and mitigating the risks related to the involvement of private technology companies in the war in Ukraine is crucial and looking forward, the United States government must also examine the same questions with regard to its own security and defense:

What is the complete incentive structure behind a company’s decision to provide products or services to a state at war?
How dependent are states on the privately held portions of the information environment, including infrastructure, tools, knowledge, data, skills, and more, for their own national security and defense?
How can the public and private sectors work together better as partners to understand and prepare these areas of reliance during peace and across the continuum of conflict in a sustained, rather than ad hoc, nature?

Russia’s war against Ukraine is not over and similar aggressions are likely to occur in new contexts and with new actors in the future. By learning these lessons now and strengthening the government’s ability to work cooperatively with the private sector in and through the information space, the United States will be more effective and resilient against future threats.

Introduction

Russia’s invasion of Ukraine in 2022 held none of the illusory cover of its 2014 operation; instead of “little green men” unclaimed by Moscow, Putin built up his forces on Ukraine’s border for the entire international community to see. His ambitions were clear: To remove and replace the elected government of Ukraine with a figurehead who would pull the country back under Russia’s hold, whether through literal absorption of the state or by subsuming the entire Ukrainian population under Russia’s political and information control. In the year since the Russian invasion, Ukraine’s defense has held back the Russian war machine with far greater strength than many thought possible in the early months of 2022. President Zelenskyy, the Ukrainian government, and the Ukrainian people have repeatedly repelled Russian attempts to topple the state, buttressed in part by the outpouring of assistance from not just allied states, but also local and transnational private sector companies.

Amidst the largest conventional land war in Europe since the fall of the Third Reich, both Russia and Ukraine have directed considerable effort toward the conflict’s information environment, defined as the physical and digital infrastructure over and through which information moves, the tools used to interact with that information, and information itself. This is not only a domain through which combatants engage, but a parallel territory that the Kremlin seeks to contest and claim. Russian efforts in this realm, to destroy or replace Ukraine’s underpinning infrastructure and inhibit the accessibility and reach of infrastructure and tools within the environment, are countered by a Ukrainian defense that prioritizes openness and accessibility.

The information environment, and all the components therein, is not a state or military dominated environment; it is largely owned, operated, and populated by private organizations and individuals around the globe. The Ukrainian information environment, referring to Ukrainian infrastructure operators, service providers, and users, is linked to and part of a global environment of state and non-state actors where the infrastructure and the terrain is largely private. Russian operations within the Ukrainian information environment are conducted against, and through, this privately owned infrastructure, and the Ukrainian defense is likewise bound up in cooperative efforts with those infrastructure owners and other technology companies that are providing aid and assistance. These efforts have contributed materially, and in some cases uniquely, to Ukraine’s defense.

The centrality of this environment to the conduct of this war, raises important questions about the degree to which states and societies are dependent on information infrastructure and functionalities owned and operated by private actors, and especially transnational private actors. Although private sector involvement in the war in Ukraine has generally been positive, the fact that the conduct of war and other responsibilities in the realm of statehood are reliant on private actors leads to new challenges for these companies, for the Ukrainian government, and for the United States and allies.

The United States government must improve its understanding of, and facility for, joint public-private action to contest over and through the information environment. The recommendations in this report are intended to facilitate the ability of US technology companies to send necessary aid to Ukraine, ensure that the US government has a complete picture of US private-sector involvement in the war in Ukraine, and contribute more effectively to the resilience of the Ukrainian information environment. First, the US government should issue a directive providing assurance and clarification as to the legality of private sector cyber, information, capacity building, and technical aid to Ukraine. Second, a task force pulling from agencies and offices across government should coordinate to track past, current, and future aid from the private sector in these areas to create a better map of US collaboration with Ukraine across the public and private sectors. Third, the US government should increase its facilitation of private technology aid by providing logistical and financial support.

These recommendations, focused on Ukraine’s defense, are borne of and provoke larger questions that will only become more important to tackle. The information environment and attempts to control it have long been a facet of conflict, but the centrality of privately owned and operated technology—and the primacy of some private sector security capabilities in relation to all but a handful of states—pose increasingly novel challenges to the United States and allied policymaking communities. Especially in future conflicts, the risks associated with private sector action in defense of, or directly against, a combatant could be significantly greater and multifaceted, rendering existing cooperative models insufficient.

The Russian information offensive

The Russian Federation Ministry of Foreign Affairs defines information space—of which cyberspace is a part—as “the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure, and information itself.¹ Isolating the Ukrainian information space is key to both the short- and long-term plans of the Russian government. In the short term, the Kremlin pursues efforts to control both the flow and content of communications across the occupied areas.² In the longer term, occupation of the information environment represents an integral step in Russian plans to occupy and claim control over the Ukrainian population.

In distinct opposition to the global nature of the information environment, over the past decade or so, the Kremlin has produced successive legislation “to impose ‘sovereignty’ over the infrastructure, content, and data traversing Russia’s ‘information space,’” creating a sectioned-off portion of the internet now known as RuNet.³ Within this space, the Russian government has greater control over what information Russian citizens see and a greater ability to monitor what Russian citizens do online.⁴ This exclusionary interpretation is an exercise in regime security against what the Kremlin perceives as constant Western information warfare against it.⁵ As Gavin Wilde, senior fellow with the Carnegie Endowment for International Peace, writes, the Russian government views the information environment “as an ecosystem to be decisively dominated.”⁶

To the Kremlin, domination of the information environment in Ukraine is an essential step toward pulling the nation into its fold and under its control. Just as Putin views information domination as critical to his regime’s exercise of power within Russia, in Ukraine, Russian forces systematically conduct offensives against the Ukrainian information environment in an attempt to create a similar model of influence and control that would further enable physical domination. This strategy is evident across the Kremlin’s efforts to weaken the Ukrainian state for the last decade at least. In the 2014 and 2022 invasions, occupied, annexed, and newly “independent” regions of Ukraine were variously cut off from the wider information space and pulled into the restricted Russian information space.

The Crimean precedent – 2014

The Russian invasion of Ukraine did not begin in 2022, but in 2014. Examining this earlier Russian incursion illustrates the pattern of Russian offensive behavior in and through the information environment going back nearly a decade—a combination of physical, cyber, financial, and informational maneuvers that largely target or move through private information infrastructure. In 2014, although obfuscated behind a carefully constructed veil of legitimacy, Russian forces specifically targeted Ukrainian information infrastructure to separate the Crimean population from the Ukrainian information environment, and thereby the global information environment, and filled that vacuum with Russian infrastructure and information.

The Russian invasion of eastern Ukraine in 2014 was a direct response to the year-long Euromaidan Revolution, which took place across Ukraine in protest of then-President Viktor Yanukovych’s decision to spurn closer relations with the European Union and ignore growing calls to counter Russian influence and corruption within the Ukrainian government. These protests were organized, mobilized, and sustained partially through coordination, information exchange, and message amplification over social media sites like Facebook, Twitter, YouTube, and Ustream—as well as traditional media.⁷ In February 2014, after Yanukovych fled to Russia, the Ukrainian parliament established a new acting government and announced that elections for a new president would be held in May. Tensions immediately heightened, as Russian forces began operating in Crimea with the approval of Federal Assembly of Russia at the request of “President” Yanukovych, although Putin denied that they were anything other than “local self-defense forces.”⁸ On March 21, Putin signed the annexation of Crimea.⁹

During the February 2014 invasion of Crimea, the seizure and co-option of Ukrainian physical information infrastructure was a priority. Reportedly, among the first targets of Russian special forces was the Simferopol Internet Exchange Point (IXP), a network facility that enables internet traffic exchange.¹⁰ Ukraine’s state-owned telecommunications company Ukrtelecom reported that armed men seized its offices in Crimea and tampered with fiber-optic internet and telephone cables.¹¹ Following the raid, the company lost the “technical capacity to provide connection between the peninsula and the rest of Ukraine and probably across the peninsula, too.”¹² Around the same time, the head of the Security Service of Ukraine (SBU), Valentyn Nalivaichenko, reported that the mobile phones of Ukrainian parliament members, including his own, were blocked from connecting through Ukrtelecom networks in Crimea.¹³

Over the next three years, and through the “progressive centralization of routing paths and monopolization of Internet Service market in Crimea … the topology of Crimean networks has evolved to a singular state where paths bound to the peninsula converge to two ISPs (Rosetelecom and Fiord),” owned and operated by Russia.¹⁴ Russian forces manipulated the Border Gateway Protocol (BGP)—the system that helps connects user traffic flowing from ISPs to the wider internet—modifying routes to force Crimean internet traffic through Russian systems, “drawing a kind of ‘digital frontline’ consistent with the military one.”¹⁵ Residents of Crimea found their choices increasingly limited, until their internet service could only route through Russia, instead of Ukraine, subject to the same level of censorship and internet controls as in Russia. The Russian Federal Security Service (FSB) monitored communications from residents of Crimea, both within the peninsula and with people in Ukraine and beyond.¹⁶ Collaboration between ISPs operating in Crimea through Russian servers and the FSB appears to be a crucial piece of this wider monitoring effort. This claim was partially confirmed by a 2018 Russian decree that forbade internet providers from publicly sharing any information regarding their cooperation with “the authorized state bodies carrying out search and investigative activities to ensure the security of the Russian Federation.”¹⁷

From March to June 2014, Russian state-owned telecom company Rostelcom began and completed construction of the Kerch Strait cable, measuring 46 kilometers (about 28.5 miles) and costing somewhere between $11 and $25 million, to connect the Crimean internet with the Russian RuNet.¹⁸ Rostelcom, using a local agent in Crimea called Miranda Media, became the main transit network for several Crimean internet service providers (ISPs), including KCT, ACS-Group, CrimeaCom, and CRELCOM in a short period of time.¹⁹ There was a slower transition of customers from the Ukrainian company Datagroup to Russian ISPs, but nonetheless, the number of Datagroup customers in Crimea greatly decreased throughout 2014. According to one ISP interviewed by Romain Fontugne, Ksenia Ermoshina, and Emile Aben, “the Kerch Strait cable was used first of all for voice communication … The traffic capacity of this cable was rather weak for commercial communications.”²⁰ But by the end of 2017, remnant usage of Ukrainian ISPs had virtually disappeared, following the completion of a second, better internet cable through the Kerch Strait and a series of restrictions placed on Russian social media platforms, news outlets, and a major search engine by Ukrainian President Poroshenko.²¹The combination of the new restrictions, and the improved service of Russian ISPs encouraged more Crimeans to move away from Ukrainian ISPs.

Russia’s efforts to control the information environment within Crimea, and the Russian government’s ability to monitor communications and restrict access to non-Russian approved servers, severely curtailed freedom of expression and belief—earning the region zero out of four in this category from Freedom House.²² Through physical, and formerly private, information infrastructure, Russia was able to largely take control of the information environment within Crimea.

A parallel occupation – 2022

Digital information infrastructure

Just as in 2014, one of the first priorities of invading Russian forces in 2022 was the assault of key Ukrainian information infrastructure, including digital infrastructure. Before, during, and following the invasion, Russian and Russian-aligned forces targeted Ukrainian digital infrastructure through cyber operations, ranging in type, target, and sophistication. Through some combination of Ukrainian preparedness, partner intervention, and Russian planning shortfalls, among other factors, large-scale cyber operations disrupting Ukrainian critical infrastructure, such as those seen previously in 2015 with BlackEnergy and NotPetya, did not materialize.²³ This could be because such cyber operations require significant time and resources, and similar ends can be more cheaply achieved through direct, physical means. Russian cyber operators, however, have not been idle.

Preceding the physical invasion, there was a spate of activity attributed to both Russian and Russian-aligned organizations targeting a combination of state and private organizations.²⁴ From January 13 to 14, for example, hackers briefly took control of seventy Ukrainian government websites, including the Ministries of Defense and Foreign Affairs, adding threatening messages to the top of these official sites.²⁵ The following day, January 15, Microsoft’s Threat Intelligence Center reported the discovery of wiper malware, disguised as ransomware, in dozens of Ukrainian government systems, including agencies which “provide critical executive branch or emergency response function,” and an information technology firm that services those agencies.²⁶ A month later, on February 15, Russian hackers targeted several websites with distributed denial of service (DDoS) attacks, forcing Ukrainian defense ministry and armed forces websites, as well as those of PrivatBank and Oschadbank, offline.²⁷ Around the same time, according to Microsoft’s special report on Ukraine, “likely” Russian actors were discovered in the networks of unidentified critical infrastructure in Odessa and Sumy.²⁸ The day before the invasion, cybersecurity companies ESET and Symantec reported that a new destructive wiper was spreading across Ukrainian, Latvian, and Lithuanian networks, as a second round of DDoS attacks again took down a spate of government and financial institution websites.“²⁹ This activity centered around information—with defacements sending a clear threat to the Ukrainian government and population, DDoS attacks impairing accurate communication, and wiper malware degrading Ukrainian data—and gaining access to Ukrainian data for Russia. Although many of these operations targeted Ukrainian government networks, the attacks moved through or against privately operated infrastructure and, notably, the first public notification and detailing of several of these operations was undertaken by transnational technology companies.

After February 24, Russian cyber activity continued and the targets included a number of private information infrastructure operators. A March hack of Ukrtelecom—Ukraine’s largest landline operator, which also provides internet and mobile services to civilians and the Ukrainian government and military—resulted in a collapse of the company’s network to just 13 percent capacity, the most severe disruption in service the firm recorded since the invasion began.³⁰ Another such operation targeted Triolan—a Ukrainian telecommunications provider—on February 24 in tandem with the physical offensive and a second time on March 9. These incursions on the Triolan network took down key nodes and caused widespread service outages. Following the March 9 attack, the company was able to restore service, but these efforts were complicated by the need to physically access some of the equipment located in active conflict zones.³¹ These attacks against Ukraine-based information infrastructure companies caused service outages that were concurrent with the physical invasion and afterwards, restricted communications among Ukrainians and impeded the population’s ability to respond to current and truthful information.

This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine.¹

Council of the European Union

These types of operations, however, were not restricted to Ukraine-based information infrastructure. A significant opening salvo in Russia’s invasion was a cyber operation directed against ViaSat, a private American-based satellite internet company that provides services to users throughout the world, including the Ukrainian military.³² Instead of targeting the satellites in orbit, Russia targeted the modems in ViaSat’s KA-SAT satellite broadband network that connected users with the internet.³³ Specifically, Russia exploited a “misconfiguration in a VPN [virtual private network] appliance to gain remote access to the trusted management segment of the KA-SAT network.”³⁴ From there, the attackers were able to move laterally though the network to the segment used to manage and operate the broader system.³⁵ They then “overwrote key data in flash memory on the modems,” making it impossible for the modems to access the broader network.³⁶ Overall, the effects of the hack were short-lived, with ViaSat reporting the restoration of connectivity within a few days after shipping approximately 30,000 new modems to affected customers.³⁷

SentinelOne, a cybersecurity firm, identified the malware used to wipe the modems and routers of the information they needed to operate.³⁸ The firm assessed “with medium-confidence“ that AcidRain, the malware used in the attack, had ”developmental similarities” with an older malware, VPNFilter, that the Federal Bureau of Investigation and the US Department of Justice have previously linked to the Russian government.³⁹ The United States, United Kingdom, and European Union all subsequently attributed the ViaSat hack to Russian-state backed actors.⁴⁰

The effectiveness of the operation is debated, although the logic of the attack is straightforward. Russia wanted to constrain, or preferably eliminate, an important channel of communication for the Ukrainian military during the initial stages of the invasion. Traditional, land-based radios, which the Ukrainian military relies on for most of their communications, only work over a limited geographic range, therefore making it more difficult to use advanced, long-range weapons systems.⁴¹ It should be expected that landline and conventional telephony would suffer outages during the opening phases of the war and struggle to keep up with rapidly moving forces.

Initially, it was widely reported that the Russian strike on ViaSat was effective. On March 15, a senior Ukrainian cybersecurity official, Viktor Zhora, was quoted saying that the attack on ViaSat caused “a really huge loss in communications in the very beginning of the war.⁴² When asked follow-up questions about his quote, Zhora said at the time that he was unable to elaborate, leading journalists and industry experts to believe that the attack had impacted the Ukrainian military’s ability to communicate.⁴³ However, several months later, on September 26, Zhora revised his initial comments, stating that the hack would have impacted military communications if satellite communications had been the Ukrainian military’s principal medium of communication. However, Zhora stated that the Ukrainian military instead relies on landlines for communication, with satellites as a back-up method. He went on to say that “in the case land lines were destroyed, that could be a serious issue in the first hours of war.”⁴⁴ The tension, and potential contradictions, in Zhora’s comments underlines the inherent complications in analyzing cyber operations during war: long-term consequences can be difficult to infer from short-term effects, and countries seek to actively control the narratives surrounding conflict.

The effectiveness of the ViaSat hack boils down to how the Ukrainian military communicates, and how adaptable it was in the early hours of the invasion. However, it is apparent how such a hack could impact military effectiveness. If Russia, or any other belligerent, was able to simultaneously disrupt satellite communications while also jamming or destroying landlines, forces on the frontlines would be at best poorly connected with their superiors. In such a scenario, an army would be cut off from commanders in other locations and would not be able to report back or receive new directives; they would be stranded until communications could be restored.

The ViaSat hack had a military objective: to disrupt Ukrainian military access to satellite communications. But the effects were not limited to this objective. The operation had spillover effects that rippled across Europe. In Germany, nearly 6,000 wind turbines were taken offline, with roughly 2,000 of those turbines remaining offline for nearly a month after the initial hack due to the loss of remote connectivity.⁴⁵ In France, modems used by emergency services vehicles, including firetrucks and ambulances, were also affected.⁴⁶

ViaSat is not a purely military target. It is a civilian firm that counts the Ukrainian military as a customer. The targeting of civilian infrastructure with dual civilian and military capability and use has occurred throughout history and has been the center of debate in international law, especially when there are cross-border spillover effects in non-combatant countries. Both the principle of proportionality and international humanitarian law require the aggressor to target only military objects, defined as objects “whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage” in a manner proportional to the military gain foreseen by the operation. ⁴⁷ What this means in practice, however, is that the aggressor determines whether they deem a target to be a military object and a beneficial target and, therefore, what is legitimate. Konstantin Vorontsov, the Head of the Russian Delegation to the United Nations, attempted to justify Russian actions in October 2022 by saying that the use of civilian space infrastructure to aid the Ukrainian war effort may be a violation of the Outer Space Treaty, thereby rendering this infrastructure a legitimate military target.⁴⁸ Similar operations like that against ViaSat are likely to be the new norm in modern warfare. As Mauro Vignati, the adviser on new digital technologies of warfare at the Red Cross, said in November 2022, insofar as private companies own and operate the information infrastructure of the domain, including infrastructure acting as military assets, “when war start[s], those companies, they are inside the battlefield.”⁴⁹

Physical information infrastructure

In February 2022, as Russian forces moved to seize airfields and key physical assets in Ukraine, they simultaneously assaulted the physical information infrastructure operating within and beneath the Ukrainian information environment. Russian forces targeted this infrastructure, largely privately operated, by taking control of assets where possible and destroying them where not, including through a series of Russian air strikes targeting Ukrainian servers, cables, and cell phone towers.⁵⁰ As of June 2022, about 15 percent of Ukrainian information infrastructure had been damaged or destroyed; by July, 12.2 percent of homes had lost access to mobile communication services, 11 percent of base stations for mobile operators were out of service, and approximately 20 percent of the country’s telecommunications infrastructure was damaged or destroyed.⁵¹ By August “the number of users connecting to the Internet in Ukraine [had] shrunk by at least 16 percent nationwide.”⁵²

In some areas of Ukraine, digital blackouts were enforced by Russian troops to cut the local population off from the highly contested information space. In Mariupol, the last cell tower connecting the city with the outside world was tirelessly tended by two Kyivstar engineers, who kept it alive with backup generators that they manually refilled with gasoline. Once the Russians entered the city, however, the Ukrainian soldiers who had been protecting the cell tower location left to engage with the enemy, leaving the Kyivstar engineers alone to tend to their charge. For three days the engineers withstood the bombing of the city until March 21, when Russian troops disconnected the tower and it went silent.⁵³

Russian forces coerced Ukrainian occupied territories onto Russian ISPs, once again through Rostelcom’s local agent Miranda Media, and onto Russian mobile service providers.⁵⁴ Information infrastructure in Ukraine is made up of overlapping networks of mobile service and ISPs, a legacy of the country’s complicated post-Soviet modernization process. This complexity may have been a boon for its resilience. Russian forces, observed digital-rights researcher Samuel Woodhams, “couldn’t go into one office and take down a whole region … There were hundreds of these offices and the actual hardware was quite geographically separated.⁵⁵ Across eastern Ukraine, including Kherson, Mlitopol, and Mariupol, the Russians aimed to subjugate the physical territory, constituent populations, and Ukrainian information space. In Kherson, Russian forces entered the offices of a Ukrainian ISP and at gunpoint, forced staff to transfer control to them.⁵⁶

Russian bombardment of telecommunications antennas in Kiev (Attribution: Mvs.gov.ua)

Routing the internet and communications access of occupied territories through Russia meant that Moscow could suppress communications to and from these occupied areas, especially through social media and Ukrainian news sites, sever access to essential services in Ukraine, and flood the populations with its own propaganda, as was proved in Crimea in 2014. Moving forward, Russia could use this dependency to “disconnect, throttle, or restrict access to the internet” in occupied territories, cutting off the occupied population from the Ukrainian government and the wider Ukrainian and international community.⁵⁷

The Kremlin’s primary purpose in the invasion of Ukraine was and is to remove the Ukrainian government and, likely, install a pro-Russian puppet government to bring to an end an independent Ukraine.⁵⁸ Therefore, isolating the information environment of occupied populations, in concert with anti-Ukrainian government disinformation, such as the multiple false allegations that President Zelenskyy had fled the country and abandoned the Ukrainian people,⁵⁹ were a means to sway the allegiances, or at least dilute the active resistance, of the Ukrainian people.⁶⁰ Without connectivity to alternative outlets, the occupying Russians could promote false and largely uncontested claims about the progress of the war. In early May 2022 for example, when Kherson lost connectivity for three days, the deputy of the Kherson Regional Council, Serhiy Khlan, reported that the Russians “began to spread propaganda that they were in fact winning and had captured almost all of Mykolaiv.”⁶¹

Russia used its assault on the information environment to undermine the legitimacy of the Ukrainian government and its ability to fulfill its governmental duties to the Ukrainian people. Whether through complete connectivity blackouts or through the restrictions imposed by Russian networks, the Russians blocked any communications from the Ukrainian government to occupied populations—not least President Zelenskyy’s June 13, 2022 address, intended most for those very populations, in which he promised to liberate all occupied Ukrainian land and reassured those populations that they had not been forgotten. Zelenskyy acknowledged the Russian barrier between himself and Ukrainians in occupied territories, saying, “They are trying to make people not just know nothing about Ukraine… They are trying to make them stop even thinking about returning to normal life, forcing them to reconcile.”⁶²

Isolating occupied populations from the Ukrainian information space is intended, in large part, said Stas Prybytko, the head of mobile broadband development within the Ukrainian Ministry of Digital Transformation, to “block them from communicating with their families in other cities and keep them from receiving truthful information.”⁶³ Throughout 2022, so much of what the international community knew about the war came—through Twitter, TikTok, Telegram, and more—from Ukrainians themselves. From videos of the indiscriminate Russian shelling of civilian neighborhoods to recordings tracking Russian troop movements, Ukrainians used their personal devices to capture and communicate the progress of the war directly to living rooms, board rooms, and government offices around the world.⁶⁴The power of this distributed information collection and open-source intelligence relies upon mobile and internet access. The accounts that were shared after Ukrainian towns and cities were liberated from Russian occupation lay bare just how much suffering, arrest, torture, and murder was kept hidden from international view by the purposeful isolation of the information environment and the constant surveillance of Ukrainians’ personal devices.⁶⁵ The war in Ukraine has highlighted the growing impact of distributed open source intelligence during the conduct of war that is carried out by civilians in Ukraine and by the wider open source research community though various social media and messaging platforms.⁶⁶

Narrative Warfare: How the Kremlin and Russian news outlets justified a war of aggression against Ukraine

Undermining Ukraine: How the Kremlin employs information operations to erode global confidence in Ukraine

Russian operations against, especially transnational, digital infrastructure companies can mostly be categorized as disruption, degradation, and information gathering, which saw Russian or Russian-aligned hackers moving in and through the Ukrainian information environment. The attacks against Ukrainian physical infrastructure, however, are of a slightly different character. Invading forces employed physically mediated cyberattacks, a method defined by Herb Lin as “attacks that compromise cyber functionality through the use of or the threat of physical force” to pursue the complete destruction or seizure and occupation of this infrastructure.⁶⁷ Both ends begin with the same purpose: to create a vacuum of information between the Ukrainian government, the Ukrainian people, and the global population, effectively ending the connection between the Ukrainian information environment and the global environment. But the seizure of this infrastructure takes things a step beyond: to occupy the Ukrainian information environment and pull its infrastructure and its people into an isolated, controlled Russian information space.

Reclaiming the Ukrainian information environment

Preparation of the environment

The Russian assault on the Ukrainian information environment is far from unanswered. Russian efforts have been countered by the Ukrainian government in concert with allied states and with technology companies located both within and outside Ukraine. Russia’s aim to pull occupied Ukrainian territory onto Russian networks to be controlled and monitored has been well understood, and Ukraine has been hardening its information infrastructure since the initial 2014 invasion. Ukraine released its Cyber Security Strategy in 2016, which laid out the government’s priorities in this space, including the defense against the range of active cyber threats they face, with an emphasis on the “cyber protection of information infrastructure.”⁶⁸ The government initially focused on centralizing its networks in Kyiv to make it more difficult “for Russian hackers to penetrate computers that store critical data and provide services such as pension benefits, or to use formerly government-run networks in the occupied territories to launch cyberattacks on Kyiv.”⁶⁹

As part of its digitalization and security efforts, the Ukrainian government also sought out new partners, both public and private, to build and bolster its threat detection and response capabilities. Before and since the 2022 invasion, the Ukrainian government has worked with partner governments and an array of technology companies around the world to create resilience through increased connectivity and digitalization.

Bolstering Ukrainian connectivity

Since the 2014 invasion and annexation of Crimea, Ukraine-serving telecommunications operators have developed plans to prepare for future Russian aggression. Lifecell, the third largest Ukrainian mobile telephone operator, prepared its network for an anticipated Russian attack. The company shifted their office archives, documentation, and critical network equipment from eastern to western Ukraine, where it would be better insulated from violence, added additional network redundancy, and increased the coordination and response capabilities of their staff.⁷⁰ Similarly, Kyivstar and Vodafone Ukraine increased their network bandwidth to withstand extreme demand. In October 2021, these three companies initiated an infrastructure sharing agreement to expand LTE (Long Term Evolution) networks into rural Ukraine and, in cooperation with the Ukrainian government, expanded the 4G telecommunications network to bring “mobile network coverage to an estimated 91.6 per cent of the population.”⁷¹

The expansion and improvement of Ukrainian telecommunications continued through international partnerships as well. Datagroup, for example, announced a $20 million partnership in 2021 with Cisco, a US-based digital communications company, to modernize and expand the bandwidth of its extensive networks.⁷² Since the February 2022 invasion, Cisco has also worked with the French government to provide over $5 million of secure, wireless networking equipment and software, including firewalls, for free to the Ukrainian government.⁷³

This network expansion is an integral part of the Ukrainian government’s digitalization plans for the country, championed by President Zelenskyy. Rather than the invasion putting an end to these efforts, Deputy Prime Minister and Minister for Digital Transformation Mykhailo Fedorov claimed that during the war “digitalization became the foundation of all our life. The economy continues to work … due to digitalization.⁷⁴ The digital provision of government services has created an alternate pathway for Ukrainians to engage in the economy and with their government. The flagship government initiative Diia, launched in February 2020, is a digital portal through which the 21.7 million Ukrainian users can access legal identification, make social services payments, register a business, and even register property damage from Russian missile strikes.⁷⁵ The Russian advance and consequent physical destruction that displaced Ukrainians means that the ability to provide government services through alternate and resilient means is more essential than ever, placing an additional premium on defending Ukrainian information infrastructure.

Backing up a government

As Russian forces built up along Ukraine’s borders, Ukrainian network centralization may have increased risk, despite the country’s improved defense capabilities. In preparation for the cyber and physical attacks against the country’s information infrastructure, Fedorov moved to amend Ukrainian data protection laws to allow the government to store and process data in the cloud and worked closely with several technology companies, including Microsoft, Amazon Web Services, and Google, to effect the transfer of critical government data to infrastructure hosted outside the country.⁷⁶ Cloud computing describes “a collection of technologies and organizational processes which enable ubiquitous, on-demand access to a shared pool of configurable computing resources.”⁷⁷ Cloud computing is dominated by the four hyperscalers—Amazon, Microsoft, Google, and Alibaba—that provide computing and storage at enterprise scale and are responsible for the operation and security of data centers all around the world, any of which could host customer data according to local laws and regulations.⁷⁸

According to its April 2022 Ukraine war report, Microsoft “committed at no charge a total of $107 million of technology services to support this effort” and renewed the relationship in November, promising to ensure that “government agencies, critical infrastructure and other sectors in Ukraine can continue to run their digital infrastructure and serve citizens through the Microsoft Cloud” at a value of about $100 million.⁷⁹ Amazon and Google have also committed to supporting cloud services for the Ukrainian government, for select companies, and for humanitarian organizations focused on aiding Ukraine.⁸⁰ In accordance with the Ukrainian government’s concerns, Russian missile attacks targeted the Ukrainian government’s main data center in Kyiv soon after the invasion, partially destroying the facility, and cyberattacks aggressively tested Ukrainian networks.⁸¹

Unlike other lines of aid provided by the international community to strengthen the defense of the Ukrainian information environment, cloud services are provided only by the private sector.⁸² While this aid has had a transformative effect on Ukrainian defense, that transformative quality has also raised concerns. Microsoft, in its special report on Ukraine, several times cites its cloud services as one of the determining factors that limited the effect of Russian cyber and kinetic attacks on Ukrainian government data centers, and details how their services, in particular, were instrumental in this defense.⁸³ In this same report, Microsoft claims to be most worried about those states and organizations that do not use cloud services, and provides corroborating data.⁸⁴ Microsoft and other technology companies offering their services at a reduced rate, or for free, are acting—at least in part—out of a belief in the rightness of the Ukrainian cause. However, they are still private companies with responsibilities to shareholders or board members, and they still must seek profit. Services provided, especially establishing information infrastructure like Cloud services, are likely to establish long-term business relationships with the Ukrainian government and potentially with other governments and clients, who see the effectiveness of those services illustrated through the defense of Ukraine.

Mounting an elastic defense

Working for wireless

Alongside and parallel to the Ukrainian efforts to defend and reclaim occupied physical territory is the fight for Ukrainian connectivity. Ukrainian telecommunications companies have been integral to preserving connectivity to the extent possible. In March 2022, Ukrainian telecom operators Kyivstar, Vodafone Ukraine, and Lifecell made the decision to provide free national mobile roaming services across mobile provider networks, creating redundancy and resilience in the mobile network to combat frequent service outages.⁸⁵ The free mobile service provided by these companies is valued at more than UAH 980 million (USD 26.8 million).⁸⁶ In addition, Kyivstar in July 2022 committed to the allocation of UAH 300 million (about USD 8.2 mil) for the modernization of Ukraine’s information infrastructure in cooperation with the Ukrainian Ministry of Digital transformation.⁸⁷ The statements that accompanied the commitments from Kyivstar and Lifecell—both headquartered in Ukraine—emphasized each company’s dedication to Ukrainian defense and their role in it, regardless of the short-term financial impact.⁸⁸ These are Ukrainian companies with Ukrainian infrastructure and Ukrainian customers, and their fate is tied inextricably to the outcome of this war.

As Russian forces advanced and attempted to seize control of information infrastructure, in at least one instance, Ukrainian internet and mobile service employees sabotaged their own equipment first. Facing threats of imprisonment and death from occupying Russians, employees in several Ukrtelecom facilities withstood pressure to share technical network details and instead deleted key files from the systems. According to Ukrtelecom Chief Executive Officer Yuriy Kurmaz, “The Russians tried to connect their control boards and some equipment to our networks, but they were not able to reconfigure it because we completely destroyed the software.”⁸⁹ Without functional infrastructure, Russian forces struggled to pull those areas onto Russian networks.

The destruction of telecommunications infrastructure has meant that these areas and many others along the war front are, in some areas, without reliable information infrastructure, either wireless or wired. While the Ukrainian government and a bevy of local and international private sector companies battle for control of on-the-ground internet and communications infrastructure, they also pursued new pathways to connectivity.

Searching for satellite

Two days after the invasion, Deputy Prime Minister Fedorov tweeted at Elon Musk, the Chief Executive Officer of SpaceX, that “while you try to colonize Mars — Russia try [sic] to occupy Ukraine! While your rockets successfully land from space — Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.”⁹⁰ Just another two days later, Fedorov confirmed the arrival of the first shipment of Starlink stations.⁹¹

Starlink, a network of low-orbit satellites working in constellations operated by SpaceX, relies on satellite receivers no larger than a backpack that are easily installed and transported. Because Russian targeting of cellular towers made communications coverage unreliable, says Fedorov, the government “made a decision to use satellite communication for such emergencies” from American companies like SpaceX.⁹² Starlink has proven more resilient than any other alternative throughout the war. Due to the low orbit of Starlink satellites, they can broadcast to their receivers at relatively higher power than satellites in higher orbits. There has been little reporting on successful Russian efforts to jam Starlink transmissions, and the Starlink base stations—the physical, earthbound infrastructure that communicates directly with the satellites—are located on NATO territory, ensuring any direct attack on them would be a significant escalation in the war.⁹³

Starlink has been employed across sectors almost since the war began. President Zelenskyy has used the devices himself when delivering addresses to the Ukrainian people, as well as to foreign governments and populations.⁹⁴ Fedorov has said that sustained missile strikes against energy and communication infrastructure have been effectively countered through the deployment of Starlink devices that can restore connection where it is most needed. He even called the system “an essential part of critical infrastructure.”⁹⁵

Starlink has also found direct military applications. The portability of these devices means that Ukrainian troops can often, though not always, stay connected to command elements and peer units while deployed.⁹⁶ Ukrainian soldiers have also used internet connections to coordinate attacks on Russian targets with artillery-battery commanders.⁹⁷ The Aerorozvidka, a specialist air reconnaissance unit within the Ukrainian military that conducts hundreds of information gathering missions every day, has used Starlink devices in areas of Ukraine without functional communications infrastructure to “monitor and coordinate unmanned aerial vehicles, enabling soldiers to fire anti-tank weapons with targeted precision.”⁹⁸ Reports have also suggested that a Starlink device was integrated into an unmanned surface vehicle discovered near Sevastopol, potentially used by the Ukrainian military for reconnaissance or even to carry and deliver munitions.⁹⁹ According to one Ukrainian soldier, “Starlink is our oxygen,” and were it to disappear, “our army would collapse into chaos.”¹⁰⁰

The initial package of Starlink devices included 3,667 terminals donated by SpaceX and 1,333 terminals purchased by the United States Agency for International Development (USAID).¹⁰¹ SpaceX initially offered free Starlink service for all the devices, although the offer has already been walked back by Musk, and then reversed again. CNN obtained proof of a letter sent by Musk to the Pentagon in September 2022 stating that SpaceX would be unable to continue funding Starlink service in Ukraine. The letter requested that the Pentagon pay what would amount to “more than $120 million for the rest of the year and could cost close to $400 million for the next 12 months.” It also clarified that the vast majority of the 20,000 Starlink devices sent to Ukraine were financed at least in part by outside funders like the United States, United Kingdom, and Polish governments.¹⁰²

After the letter was sent, but before it became public, Musk got into a Twitter spat with Ukrainian diplomat Adrij Melnyk after the former wrote a tweet on October 3 proposing terms of peace between Russia and Ukraine. Musk’s proposal included Ukraine renouncing its claims to Crimea and pledging to remain neutral, with the only apparent concession from Russia a promise to ensure water supply in Crimea. The plan was rejected by the public poll Musk included in the tweet, and Melnyk replied and tagged Musk, saying “Fuck off is my very diplomatic reply to you @elonmusk.”¹⁰³ After CNN released the SpaceX letter to the Pentagon, Musk seemingly doubled down on his decision to reduce SpaceX funding at first. He responded on October 14 to a tweet summarizing the incident, justifying possible reduced SpaceX assistance stating, “We’re just following his [Melnyk’s] recommendation,” even though the letter was sent before the Twitter exchange. Musk then tweeted the following day, “The hell with it … even though Starlink is still losing money & other companies are getting billions of taxpayer $, we’ll just keep funding Ukraine govt for free.”¹⁰⁴ Two days later, in response to a Politico tweet reporting that the Pentagon was considering covering the Starlink service costs, Musk stated that “SpaceX has already withdrawn its request for funding.”¹⁰⁵ Musk’s characterization of SpaceX’s contribution to the war effort has sparked confusion and reprimand, with his public remarks often implying that his company is entirely footing the bill when in fact, tens of millions of dollars’ worth of terminals and service are being covered by several governments every month.

The Starlink saga, however, was not over yet. Several weeks later in late October, 1,300 Starlink terminals in Ukraine, purchased in March 2020 by a British company for use in Ukrainian combat-related operations, were disconnected, allegedly due to lack of funding, causing a communications outage for the Ukrainian military.¹⁰⁶ Although operation was restored, the entire narrative eroded confidence in SpaceX as a guarantor of flexible connectivity in Ukraine. In November 2022, Federov noted that while Ukraine has no intention of breaking off its relationship with Starlink, the government is exploring working with other satellite communications operators.¹⁰⁷ Starlink is not the only satellite communications network of its kind, but its competitors have not yet reached the same level of operation. Satellite communications company OneWeb, based in London with ties to the British military, is just now launching its satellite constellation, after the Russian invasion of Ukraine required the company to change its launch partner from Roscosmos to SpaceX.¹⁰⁸ The US Space Development Agency, within the United States Space Force, will launch the first low earth orbit satellites of the new National Defense Space Architecture in March 2023. Other more traditional satellite companies cannot provide the same flexibility as Starlink’s small, transportable receivers.

UA Support Forces use Starlink (Attribution: Mil.gov.ua)

With the market effectively cornered for the moment, SpaceX can dictate the terms, including the physical bounds, of Starlink’s operations, thereby wielding immense influence on the battlefield. Starlink devices used by advancing Ukrainian forces near the front, for example, have reported inconsistent reliability.¹⁰⁹ Indeed CNN reported on February 9^th that this bounding was a deliberate attempt to separate the devices from direct military use, as SpaceX President Gwynne Shotwell explained “our intent was never to have them use it for offensive purposes.”¹¹⁰ The bounding decision, similar to the rationale behind the company’s decision to refuse to activate Starlink service in Crimea, was likely made to contain escalation, especially escalation by means of SpaceX devices.¹¹¹

But SpaceX is not the only satellite company making decisions to bound the area of operation of their products to avoid playing—or being perceived to play—a role in potential escalation. On March 16, 2022, Minister Fedorov tweeted at DJI, a Chinese drone producer, “@DJIGlobal are you sure you want to be a partner in these murders? Block your products that are helping russia to kill the Ukrainians!”¹¹² DJI responded directly to the tweet the same day, saying “If the Ukrainian government formally requests that DJI set up geofencing throughout Ukraine, we will arrange it,” but pointed out that such geofencing would inhibit all users of their product in Ukraine, not just Russians.¹¹³

While Russia continues to bombard the Ukrainian electrical grid, Starlink terminals have grown more expensive for new Ukrainian consumers, increasing from $385 earlier this year to $700, although it is unclear if this price increase also affected government purchasers.¹¹⁴ According to Andrew Cavalier, a technology industry analyst with ABI Research, the indispensability of the devices gives “Musk and Starlink a major head start [against its competitors] that its use in the Russia–Ukraine war will only consolidate.”¹¹⁵ Indeed, the valuation of SpaceX was $127 million in May 2022, and the company raised $2 billion in the first seven months of 2022.¹¹⁶ For SpaceX, the war in Ukraine has been an impressive showcase of Starlink’s capabilities and has proven the worth of its services to future customers. The company recently launched a new initiative, Starshield, intended to leverage “SpaceX’s Starlink technology and launch capability to support national security efforts. While Starlink is designed for consumer and commercial use, Starshield is designed for government use.”¹¹⁷ It is clear that SpaceX intends to capitalize on the very public success of its Starlink network in Ukraine.

Reclaiming Territory

The Russian assault is not over, but Ukraine has reclaimed “54 percent of the land Russia has captured since the beginning of the war” and the front line has remained relatively stable since November 2022.¹¹⁸ Videos and reports from reclaimed territory show the exultation of the liberated population. As Ukrainian military forces reclaim formerly occupied areas, the parallel reclamation of the information environment, by or with Ukrainian and transnational information infrastructure operators, follows quickly.

In newly liberated areas, Starlink terminals are often the first tool for establishing connectivity. In Kherson, the first regional capital that fell to the Russian invasion and reclaimed by Ukrainian troops on November 11, 2022, residents lined up in public spaces to connect to the internet through Starlink.¹¹⁹ The Ministry of Digital Transformation provided Starlink devices to the largest service providers, Vodaphone and Kyivstar, to facilitate communication while their engineers repaired the necessary infrastructure for reestablishing mobile and internet service.¹²⁰ A week after Kherson was recaptured, five Kyivstar base stations were made operational and Vodaphone had reestablished coverage over most of the city.¹²¹

Due to the importance of reclaiming the information space, operators are working just behind Ukrainian soldiers to reconnect populations in reclaimed territories to the Ukrainian and global information environment as quickly as possible, which means working in very dangerous conditions. In the Sumy region, a Ukrtelecom vehicle pulling up to a television tower drove over a land mine, injuring three of the passengers and killing the driver.¹²² Stanislav Prybytko, the head of the mobile broadband department in the Ukrainian Ministry of Digital Transformation, says “It’s still very dangerous to do this work, but we can’t wait to do this, because there are a lot of citizens in liberated villages who urgently need to connect.”¹²³ Prybytko and his eleven-person team have been central to the Ukrainian effort to stitch Ukrainian connectivity back together. The team works across a public-private collaborative, coordinating with various government officials and mobile service providers to repair critical nodes in the network and to reestablish communications and connectivity.¹²⁴ According to Ukrainian government figures, 80 percent of liberated settlements have partially restored internet connection, and more than 1,400 base stations have been rebuilt by Ukrainian mobile operators since April 2022.¹²⁵

Key Takeaways

The information environment is a key domain through which this war is being contested. The Russian government has demonstrated for over a decade the importance it places on control of the information environment, both domestically and as part of campaigns to expand the Russian sphere of influence abroad. Yet, despite this Russian focus, the Ukrainian government has demonstrated incredible resilience against physical assaults, cyberattacks, and disinformation campaigns against and within the Ukrainian information environment and has committed to further interlacing government services and digital platforms.

The centrality of this environment to the conduct of this war means that private actors are necessarily enmeshed in the conflict. As providers of products and services used for Ukrainian defense, these companies are an important part of the buttressing structure of that defense. The centrality of private companies in the conduct of the war in Ukraine brings to light new and increasingly important questions about what it means for companies to act as information infrastructure during wartime, including:

What is the complete incentive structure behind a company’s decision to provide products or services to a state at war?
How dependent are states on the privately held portions of the information environment, including infrastructure, tools, knowledge, data, skills, and more, for their own national security and defense?
How can the public and private sectors work together better as partners to understand and prepare these areas of reliance during peace and across the continuum of conflict in a sustained, rather than ad hoc, nature?

Incentives

The war in Ukraine spurred an exceptional degree of cooperation and aid from private companies within Ukraine and from around the globe. Much of public messaging around the private sector’s assistance of Ukrainian defense centers around the conviction of company leadership and staff that they were compelled by a responsibility to act. This is certainly one factor in their decision. But the depth of private actor involvement in this conflict demands a more nuanced understanding of the full picture of incentives and disincentives that drive a company’s decision to enter into new, or expand upon existing, business relationships with and in a country at war. What risks, for example, do companies undertake in a war in which Russia has already demonstrated its conviction that private companies are viable military targets? The ViaSat hack was a reminder of the uncertainty that surrounds the designation of dual-use technology, and the impact that such designations have in practice. What role did public recognition play in companies’ decisions to provide products and services, and how might this recognition influence future earnings potential? For example, while their remarks differed in tone, both Elon Musk on Twitter and Microsoft in its special report on Ukraine publicly claimed partial credit for the defense of Ukraine.

As the war continues into its second year, these questions are important to maintaining Ukraine’s cooperation with these entities. With a better understanding of existing and potential incentives, the companies, the United States, and its allies can make the decision to responsibly aid Ukraine much easier.

Dependencies

Private companies play an important role in armed conflict, operating much of the infrastructure that supports the information environment through which both state and non-state actors compete for control. The war in Ukraine has illustrated the willingness of private actors, from Ukrainian telecommunications companies to transnational cloud and satellite companies, to participate as partners in the defense of Ukraine. State dependence on privately held physical infrastructure is not unique to the information environment, but state dependence on infrastructure that is headquartered and operated extraterritorially is a particular feature.

Prior to and throughout the war, the Ukrainian government has coordinated successfully with local telecommunication companies to expand, preserve, and restore mobile, radio, and internet connectivity to its population. This connectivity preserved what Russia was attempting to dismantle—a free and open Ukrainian information environment through which the Ukrainian government and population can communicate and coordinate. The Ukrainian government has relied on these companies to provide service and connectivity, working alongside them before and during the war to improve infrastructure and to communicate priorities. These companies are truly engaging as partners in Ukrainian defense, especially because this information infrastructure is not just a medium through which Russia launches attacks but an environment that Russia is attempting to seize control of. This dependence has not been unidirectional—the companies themselves are inextricably linked to this conflict through their infrastructure, employees, and customers in Ukraine. Each is dependent to some degree on the other and during times of crisis, their incentives create a dynamic of mutual need.

The Ukrainian government has also relied on a variety of transnational companies though the provision of technology products or services and information infrastructure. As examined in this report, two areas where the involvement of these companies has been especially impactful are cloud services and satellite internet services. Cloud services have preserved data integrity and security by moving information to data centers distributed around the world, outside of Ukrainian territory and under the cyber-protection of those cloud service companies. Satellite services have enabled flexible and resilient connectivity, once again located and run primarily outside of Ukraine. These companies can provide essential services within the information environment and the physical environment of Ukraine, but are not fundamentally reliant on the integrity of the country. This dynamic is heightened by the fact that cloud service providers like Microsoft, Amazon Web Services, Google, and satellite internet service providers like Space X’s Starlink are operating within a market with global reach and very few competitors. While these companies and others have made the laudable decision to contribute to Ukrainian defense, the fact is that had they not, there are only a few, if any, other companies with comparable capabilities and infrastructure at scale. Additionally, there’s very little Ukraine or even the US government could have done to directly provide the same capabilities and infrastructure.

Coordination

Built into the discussions around dependency and incentives is the need for government and the private companies who own and operate information infrastructure to coordinate with each other from a more extensive foundation. While coordination with Ukrainian companies and some transnational companies emerged from sustained effort, many instances of private sector involvement were forged on an ad hoc basis and therefore could not be planned on in advance. The ad hoc approach can produce rapid results, as seen by Minister Fedorov’s tweet at Elon Musk and receipt of Starlink devices just days later. While this approach has been wielded by the Ukrainian government, and the Ministry for Digital Transformation in particular, to great effect, this very same example illustrates the complexity of transforming ad hoc aid into sustainable partnerships. Sustainability is especially important when states are facing threats outside of open war, across the continuum of insecurity and conflict where many of these capabilities and infrastructures will continue to be relied upon. Security and defense in the information environment requires states to work in coordination with a diverse range of local and transnational private actors.

Recommendations

Key recommendations from this paper ask the US government, in coordination with the Ukrainian government, to better understand the incentives that surround private sector involvement, to delineate states’ dependency on private information infrastructure, and to improve long-term public-private coordination through three pathways:

Define support parameters. Clarify how private technology companies can and should provide aid
Track support. Create a living database to track the patterns of technological aid to Ukraine from US private companies
Facilitate support requests. Add to the resilience of the Ukrainian information environment by facilitating US private aid.

Define support parameters

Private information infrastructure companies will continue to play a key role in this war. However, there are a number of unresolved questions regarding the decisions these companies are making about if, and how, to provide support to the Ukrainian government to sustain its defense. A significant barrier may be the lack of clarity about the risks of partnership in wartime, which may disincentivize action or may alter existing partnerships. Recent SpaceX statements surrounding the bounding of Starlink use is an example, at least in part, of just such a risk calculous in action. The US government and its allies should release a public directive clarifying how companies can ensure that their involvement is in line with US and international law—especially for dual-use technologies. Reaffirming, with consistent guidelines, how the United States defines civilian participation in times of war will be crucial for ensuring that such actions do not unintentionally legitimize private entities as belligerents and legitimate targets in wartime. At the direction of the National Security Advisor, the US Attorney General and Secretary of State, working through the Office of the Legal Advisor at the State Department, should issue public guidance on how US companies can provide essential aid to Ukraine while avoiding the designation of legitimate military target or combatant under the best available interpretation of prevailing law.

Track support

While a large amount of support for Ukraine has been given directly by or coordinated through governments, many private companies have started providing technological support directly to the Ukrainian government. Some private companies, especially those with offices or customers in Ukraine, got in touch directly with, or were contacted by, various Ukrainian government offices, often with specific requests depending on the company’s products and services.¹²⁶

However, the US government does not have a full and complete picture of this assistance, which limits the ability of US policymakers to track the implications of changing types of support or the nature of the conflict. Policymakers should have access to not only what kind of support is being provided by private US companies, but also the projected period of involvement, what types of support are being requested and denied by companies (in which case, where the US government may be able to act as an alternative provider), and what types of support are being supplied by private sector actors without a significant government equity or involvement. A more fulsome mapping of this assistance and its dependency structure would make it possible for policymakers and others to assess its impact and effectiveness. This data, were it or some version of it publicly available, would also help private companies providing the support to better understand how their contributions fit within the wider context of US assistance and to communicate the effect their products or services are having to stakeholders and shareholders. Such information may play a role in a company’s decision to partner or abstain in the future.

The US government should create a collaborative task force to track US-based private sector support to Ukraine. Because of the wide equities across the US government in this area, this team should be led by the State Department’s Bureau of Cyberspace and Digital Policy and include representatives from USAID, the Department of Defense’s Cyber Policy Office, the National Security Agency’s Collaboration Center, and the Cybersecurity and Infrastructure Security’s Joint Cyber Defense Collaborative. This task force should initially focus on creating a picture of public-private support to Ukraine from entities within the United States, but its remit could extend to work with allies and partners, creating a fulsome picture of international public-private support.

Facilitate support requests

Tracking the technical support that is requested, promised, and delivered to the Ukrainian government is an important first step toward gaining a better understanding of the evolving shape of the critical role that the private sector is increasingly playing in conflict. But closer tracking, perhaps by an associated body, could go further by acting as a process facilitator. Government offices and agencies have long been facilitators of private aid, but now states are increasingly able to interact with, and request support from, private companies directly, especially for smaller quantities or more specific products and services. While this pathway can be more direct and efficient, it also requires a near constant churn of request, provision, and renewal actions from private companies and Ukrainian government officials.

Private organizations have stepped into this breach, including the Cyber Defense Assistance Collaboration (CDAC), founded by Greg Rattray and Matthew Murray, now a part of the US-based non-profit CRDF Global. CDAC works with a number of US private technology companies, as well as the National Security and Defense Council of Ukraine and the Ukrainian think tank Global Cyber Cooperative Center, to match the specific needs of Ukrainian government and state-owned enterprises with needed products and services offered by companies working in coordination.¹²⁷

The growth and reach of this effort demonstrate the potential impact that a government-housed, or even a government-sponsored mechanism, could have in increasing the capacity to facilitate requests from the Ukrainian government, decreasing the number of bureaucratic steps required by Ukrainian government officials while increasing the amount and quality of support they receive. In addition, government facilitation would ease progress toward the previously stated recommendations by building in clarity around what kind of support can be provided and putting facilitation and aid tracking within a single process. As discussed above, this facilitation should start with a focus on US public-private support, but can grow to work alongside similar allied efforts. This could include, for example, coordination with the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO) program, which “enables Ukrainian agencies to access the services of commercial cybersecurity companies.”¹²⁸ Crucially, this task force, helmed by the State Department’s Bureau of Cyberspace and Digital Policy, would act as a facilitator, not as a restricting body. Its mission in this task would be to make connections and provide information.

In line with tracking, US government facilitation would enable government entities to communicate where assistance can be most useful, such as shoring up key vulnerabilities or ensuring that essential defense activities are not dependent on a single private sector entity, and ideally, avoiding dependency on a single source of private sector assistance. A company’s financial situation or philanthropic priorities are always subject to change, and the US government should be aware of such risks and create resilience through redundancy.

Central to this resilience will be the provision of support to bolster key nodes in the Ukrainian telecommunications infrastructure network against not just cyber attacks but also against physical assault, including things like firewalls, mine clearing equipment, and power generators. Aiding the Ukrainian government in the search for another reliable partner for satellite communication devices that offer similar flexibility as Starlink is also necessary, and a representative from the Pentagon has confirmed that such a process is underway, following Musk’s various and contradictory statements regarding the future of SpaceX’s aid to Ukraine back in October.¹²⁹ Regardless, the entire SpaceX experience illustrates the need to address single dependencies in advance whenever possible.

A roadblock to ensuring assistance redundancy is the financial ability of companies to provide products and services to the Ukrainian government without charge or to the degree necessary. While the US government does provide funding for private technological assistance (as in the Starlink example), creating a pool of funding that is tied to the aforementioned task force and overseen by the State Department’s Bureau of Cyberspace and Digital Policy, would enable increased flexibility for companies to cover areas of single dependence, even in instances that would require piecemeal rather than one-to-one redundancy. As previously discussed, many companies are providing support out of a belief that it is the right thing to do, both for their customers and as members of a global society. However, depending on whether that support is paid or provided for free, or publicly or privately given, a mechanism that provides government clarity on private sector support, tracks the landscape of US private support to Ukraine, and facilitates support requests would make it easier for companies to make the decision to start or continue to provide support when weighed against the costs and potential risks of offering assistance.

Looking forward and inward

The questions that have emerged from Ukraine’s experience of defense in and through the information environment are not limited to this context. Private companies have a role in armed conflict and that role seems likely to grow, along with the scale, complexity, and criticality of the information infrastructures they own and operate. Companies will, in some capacity, be participants in the battlespace. This is being demonstrated in real time, exposing gaps that the United States and its allies and partners must address in advance of future conflicts.

Russia’s war on Ukraine has created an environment in which both public and private assistance in support of Ukrainian information infrastructure is motivated by a common aversion toward Russian aggression, as well as a commitment to the stability and protection of the Ukrainian government and people. This war is not over and despite any hopes to the contrary, similar aggressions will occur in new contexts, and with new actors in the future. It is crucial that in conjunction with examining and mitigating the risks related to the involvement of private technology companies in the war in Ukraine, the US government also examines these questions regarding its own national security and defense.

The information environment is increasingly central to not just warfighting but also to the practice of governance and the daily life of populations around the world. Governments and populations live in part within that environment and therefore atop infrastructure that is owned and operated by the private sector. As adversaries seek to reshape the information environment to their own advantage, US and allied public and private sectors must confront the challenges of their existing interdependence. This includes defining in what form national security and defense plans in and through the information environment are dependent upon private companies, developing a better understanding of the differing incentive structures that guide private sector decision-making, and working in coordination with private companies to create a more resilient information infrastructure network through redundancy and diversification. It is difficult to know what forms future conflict and future adversaries will take, or the incentives that may exist for companies in those new contexts, but by better understanding the key role that private information and technology companies already play in this domain, the United States and allies can better prepare for future threats.

About the Authors

Emma Schroeder is an associate director with the Atlantic Council’s Cyber Statecraft Initiative, within the Digital Forensic Research Lab, and leads the team’s work studying conflict in and through cyberspace. Her focus in this role is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners. Schroeder holds an MA in History of War from King’s College London’s War Studies Department and also attained her BA in International Relations & History from the George Washington University’s Elliott School of International Affairs.

Sean Dack was a Young Global Professional with the Cyber Statecraft Initiative during the fall of 2022. He is now a Researcher at the NATO Parliamentary Assembly, where he focuses on the long-term strategic and economic implications of Russia’s invasion of Ukraine. Dack graduated from Johns Hopkins School of Advanced International Studies in December 2022 with his MA in Strategic Studies and International Economics.

Acknowledgements

The authors thank Justin Sherman, Gregory Rattray, and Gavin Wilde for their comments on earlier drafts of this document, and Trey Herr and the Cyber Statecraft team for their support. The authors also thank all the participants, who shall remain anonymous, in multiple Chatham House Rule discussions and one-on-one conversations about the issue.

1 ”The Ministry of Foreign Affairs of the Russian Federation, Convention on International Information Security (2011), https://carnegieendowment.org/files/RUSSIAN-DRAFT-CONVENTION-ON-INTERNATIONAL-INFORMATION-SECURITY.pdf.

2 To learn more about Russian disinformation efforts against Ukraine and its allies, check out the Russian Narratives Reports from the Atlantic Council’s Digital Forensic Research Lab: Nika Aleksejeva et al., Andy Carvin ed., “Narrative Warfare: How the Kremlin and Russian News Outlets Justified a War of Aggression against Ukraine,” Atlantic Council, February 22, 2023, https://www.atlanticcouncil.org/in-depth-research-reports/report/narrative-warfare/; Roman Osadchuk et al., Andy Carvin ed., “Undermining Ukraine: How the Kremlin Employs Information Operations to Erode Global Confidence in Ukraine,” Atlantic Council, February 22, 2023, https://www.atlanticcouncil.org/in-depth-research-reports/report/undermining-ukraine/.

3 Previously, the term RuNet described Russian language portions of the global internet accessible anywhere in the world. However, since Russia passed a domestic internet law in May 2019, RuNet has come to refer to a technically isolated version of the internet that services users within the borders of Russia. Gavin Wilde and Justin Sherman, No Water’s Edge: Russia’s Information War and Regime Security, Carnegie Endowment for International Peace, January 4, 2023, https://carnegieendowment.org/2023/01/04/no-water-s-edge-russia-s-information-war-and-regime-security-pub-88644; Justin Sherman, Reassessing Runet: Russian Internet Isolation and Implications for Russian Cyber Behavior, Atlantic Council, July 7, 2022, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/reassessing-runet-russian-internet-isolation-and-implications-for-russian-cyber-behavior/.

4 Adam Satariano and Valerie Hopkins, “Russia, Blocked from the Global Internet, Plunges into Digital Isolation,” New York Times, March 7, 2022, https://www.nytimes.com/2022/03/07/technology/russia-ukraine-internet-isolation.html.

5 Gavin Wilde and Justin Sherman, No Water’s Edge: Russia’s Information War and Regime Security, Carnegie Endowment for International Peace, January 4, 2023, https://carnegieendowment.org/2023/01/04/no-water-s-edge-russia-s-information-war-and-regime-security-pub-88644; Stephen Blank, “Russian Information Warfare as Domestic Counterinsurgency,” American Foreign Policy Interests 35, no. 1 (2013): 31–44, https://doi.org/10.1080/10803920.2013.757946.

6 Gavin Wilde, Cyber Operations in Ukraine: Russia’s Unmet Expectations, Carnegie Endowment for International Peace, December 12, 2022, https://carnegieendowment.org/2022/12/12/cyber-operations-in-ukraine-russia-s-unmet-expectations-pub-88607.

7 Tetyana Bohdanova, “Unexpected Revolution: The Role of Social Media in Ukraine’s Euromaidan Uprising,” European View 13, no. 1: (2014), https://doi.org/10.1007/s12290-014-0296-4; Megan MacDuffee Metzger, and Joshua A. Tucker. “Social Media and EuroMaidan: A Review Essay,” Slavic Review 76, no. 1 (2017): 169–91, doi:10.1017/slr.2017.16.

8 Jonathon Cosgrove, “The Russian Invasion of the Crimean Peninsula 2014–2015: A Post-Cold War Nuclear Crisis Case Study,” Johns Hopkins (2020), 11–13, https://www.jhuapl.edu/Content/documents/RussianInvasionCrimeanPeninsula.pdf.

9 Steven Pifer, Ukraine: Six Years after the Maidan, Brookings, February 21, 2020, https://www.brookings.edu/blog/order-from-chaos/2020/02/21/ukraine-six-years-after-the-maidan/.

10 Kenneth Geers, ed., Cyber War in Perspective: Russian Aggression Against Ukraine (Tallinn: NATO CCD COE Publications, 2015), 9; Keir Giles, “Russia and Its Neighbours: Old Attitudes, New Capabilities,” in Geers, Cyber War in Perspective, 25; ‘Кримські регіональні підрозділи ПАТ «Укртелеком» офіційно повідомляють про блокування невідомими декількох вузлів зв’язку на півострові’ [Ukrtelekom officially reports blocking of communications nodes on peninsula by unknown actors], Ukrtelekom, February 28, 2014, http://www.ukrtelecom.ua/presscenter/news/official?id=120327.

11 Pavel Polityuk and Jim Finkle, “Ukraine Says Communications Hit, MPs Phones Blocked,” Reuters, March 4, 2014, https://www.reuters.com/article/ukraine-crisis-cybersecurity/ukraine-says-communications-hit-mps-phones-blocked-idINL6N0M12CF20140304.

12 Jen Weedon, “Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine,” in Geers, Cyber War in Perspective, 76; Liisa Past, “Missing in Action: Rhetoric on Cyber Warfare,” in Geers, Cyber War in Perspective, 91; “Ukrtelecom’s Crimean Sub-Branches Officially Report that Unknown People Have Seized Several Telecommunications Nodes in the Crimea,” Ukrtelecom, February 28, 2014, http://en.ukrtelecom.ua/about/news?id=120467; “Feb. 28 Updates on the Crisis in Ukraine,” New York Times, February 28, 2014, https://archive.nytimes.com/thelede.blogs.nytimes.com/2014/02/28/latest-updates-tensions-in-ukraine/?_r=0; “The Crimean Regional Units of PJSC ‘Ukrtelecom’ Officially Inform About the Blocking by Unknown Persons of Several Communication Nodes on the Peninsula,” Ukrtelecom, February 28, 2014, https://web.archive.org/web/20140305001208/, http://www.ukrtelecom.ua/presscenter/news/official?id=120327.

13 Polityuk and Finkle, “Ukraine Says Communications Hit”; John Leyden, “Cyber Battle Apparently under Way in Russia–Ukraine Conflict,” The Register, April 25, 2018, https://www.theregister.com/2014/03/04/ukraine_cyber_conflict/.

14 Fontugne, Ermoshina, and Aben, “The Internet in Crimea.”

15 Frédérick Douzet et al., “Measuring the Fragmentation of the Internet: The Case of the Border Gateway Protocol (BGP) During the Ukrainian Crisis,” 2020 12th International Conference on Cyber Conflict (CyCon), Tallinn, Estonia, May 26–29, 2020, 157-182, doi: 10.23919/CyCon49761.2020.9131726; Paul Mozur et al., “‘They Are Watching’: Inside Russia’s Vast Surveillance State,” New York Times, September 22, 2022, https://www.nytimes.com/interactive/2022/09/22/technology/russia-putin-surveillance-spying.html.

16 Yaropolk Brynykh and Anastasiia Lykholat, “Occupied Crimea: Victims and Oppressors,” Freedom House, August 30, 2018, https://freedomhouse.org/article/occupied-crimea-victims-and-oppressors.

17 Halya Coynash, “Internet Providers Forced to Conceal Total FSB Surveillance in Occupied Crimea and Russia,” Kyiv Post, February 2, 2018, https://www.kyivpost.com/article/opinion/op-ed/halya-coynash-internet-providers-forced-conceal-total-fsb-surveillance-occupied-crimea-russia.html.

18 Joseph Cox, “Russia Built an Underwater Cable to Bring Its Internet to Newly Annexed Crimea,” VICE, August 1, 2014, https://www.vice.com/en/article/ypw35k/russia-built-an-underwater-cable-to-bring-its-internet-to-newly-annexed-crimea.

19 Cox, “Russia Built an Underwater Cable.”

20 Romain Fontugne, Ksenia Ermoshina, and Emile Aben, “The Internet in Crimea: A Case Study on Routing Interregnum,” 2020 IFIP Networking Conference, Paris, France, June 22–25, 2020, https://hal.archives-ouvertes.fr/hal-03100247/document.

21 Sebastian Moss, “How Russia Took over the Internet in Crimea and Eastern Ukraine,” Data Center Dynamics, January 12, 2023, https://www.datacenterdynamics.com/en/analysis/how-russia-took-over-the-internet-in-crimea-and-eastern-ukraine/; “Ukraine: Freedom on the Net 2018 Country Report,” Freedom House, 2019, https://freedomhouse.org/country/ukraine/freedom-net/2018.

22 “Crimea: Freedom in the World 2020 Country Report,” Freedom House, https://freedomhouse.org/country/crimea/freedom-world/2020.

23 Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, March 3, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/; Andy Greenberg, “The Untold Story of Notpetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

24 “Special Report: Ukraine An Overview of Russia’s Cyberattack Activity in Ukraine,” Microsoft Digital Security Unit, April 27, 2022, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd; Kyle Fendorf and Jessie Miller, “Tracking Cyber Operations and Actors in the Russia–Ukraine War,” Council on Foreign Relations, March 24, 2022, https://www.cfr.org/blog/tracking-cyber-operations-and-actors-russia-ukraine-war.

25 Jakub Przetacznik and Simona Tarpova, “Russia’s War on Ukraine: Timeline of Cyber-Attacks,” European Parliament, June 2022, https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733549/EPRS_BRI(2022)733549_EN.pdf; Catalin Cimpanu, “Hackers Deface Ukrainian Government Websites,” The Record, January 14, 2022, https://therecord.media/hackers-deface-ukrainian-government-websites/.

26 Tom Burt, “Malware Attacks Targeting Ukraine Government,” Microsoft, January 15, 2022, https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/.

27 Roman Osadchuk, Russian Hybrid Threats Report: Evacuations Begin in Ukrainian Breakaway Regions, Atlantic Council, February 18, 2022, https://www.atlanticcouncil.org/blogs/new-atlanticist/russian-hybrid-threats-report-evacuations-begin-in-ukrainian-breakaway-regions/#cyberattack; Sean Lyngaas and Tim Lister, “Cyberattack Hits Websites of Ukraine Defense Ministry and Armed Forces,” CNN, February 15, 2022, https://www.cnn.com/2022/02/15/world/ukraine-cyberattack-intl/index.html.

28 Microsoft, “Special Report Ukraine.”

29 ESET Research: Ukraine Hit by Destructive Attacks Before and During the Russian Invasion with HermeticWiper and IsaacWiper,” ESET, March 1, 2022, https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/; “Ukraine: Disk-Wiping Attacks Precede Russian Invasion,” Symantec Threat Hunter Team, February 24, 2022, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia; “Ukraine Computers Hit by Data-Wiping Software as Russia Launched Invasion,” Reuters, February 24, 2022, https://www.reuters.com/world/europe/ukrainian-government-foreign-ministry-parliament-websites-down-2022-02-23/.

30 Britney Nguyen, “Telecom Workers in Occupied Parts of Ukraine Destroyed Software to Avoid Russian Control over Data and Communications,” Business Insider, June 22, 2022, https://www.businessinsider.com/telecom-workers-ukraine-destroyed-software-avoid-russian-control-2022-6; Net Blocks (@netblocks), “Confirmed: A major internet disruption has been registered across #Ukraine on national provider #Ukrtelecom; real-time network data show connectivity collapsing …,” Twitter, March 28, 2022, 10:38 a.m., https://twitter.com/netblocks/status/1508453511176065033; Net Blocks (@netblocks), “Update: Ukraine’s national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and …,” Twitter, March 28, 2022 11:25 a.m., https://twitter.com/netblocks/status/1508465391244304389; Andrea Peterson, “Traffic at Major Ukrainian Internet Service Provider Ukrtelecom Disrupted,” The Record, March 28, 2022, https://therecord.media/traffic-at-major-ukrainian-internet-service-provider-ukrtelecom-disrupted/; James Andrew Lewis, Cyber War and Ukraine, Center for Strategic and International Studies, January 10, 2023, https://www.csis.org/analysis/cyber-war-and-ukraine.

31 Thomas Brewster, “As Russia Invaded, Hackers Broke into A Ukrainian Internet Provider. Then Did It Again As Bombs Rained Down,” Forbes, March 10, 2022, https://www.forbes.com/sites/thomasbrewster/2022/03/10/cyberattack-on-major-ukraine-internet-provider-causes-major-outages/?sh=51d16b9c6573.

32 “Global Communications: Services, Solutions and Satellite Internet,” ViaSat, accessed November 14, 2022, http://data.danetsoft.com/viasat.com; Matt Burgess, “A Mysterious Satellite Hack Has Victims Far beyond Ukraine,” Wired, March 23, 2022, https://www.wired.com/story/viasat-internet-hack-ukraine-russia/.

33 Michael Kan, “ViaSat Hack Tied to Data-Wiping Malware Designed to Shut down Modems,” PCMag, March 31, 2022, https://www.pcmag.com/news/viasat-hack-tied-to-data-wiping-malware-designed-to-shut-down-modems.

34 “Ka-Sat Network Cyber Attack Overview,” ViaSat, September 12, 2022, https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview.

35 Lee Mathews, “ViaSat Reveals How Russian Hackers Knocked Thousands of Ukrainians Offline,” Forbes, March 31, 2022, https://www.forbes.com/sites/leemathews/2022/03/31/viasat-reveals-how-russian-hackers-knocked-thousands-of-ukrainians-offline/?sh=4683638b60d6; ViaSat, “Ka-Sat Network.”

36 ViaSat, “Ka-Sat Network.”

37 Andrea Valentina, “Why the Viasat Hack Still Echoes,” Aerospace America, November 2022, https://aerospaceamerica.aiaa.org/features/why-the-viasat-hack-still-echoes.

38 Juan Andres Guerrero-Saade and Max van Amerongen, “Acidrain: A Modem Wiper Rains down on Europe,” SentinelOne, April 1, 2022, https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/.

39 Guerrero-Saade and Van Amerongen, “Acidrain.”

40 Joe Uchill, “UK, US, and EU Attribute Viasat Hack Against Ukraine to Russia,” SC Media, June 23, 2022, https://www.scmagazine.com/analysis/threat-intelligence/uk-us-and-eu-attribute-viasat-hack-against-ukraine-to-russia; David E. Sanger and Kate Conger, “Russia Was Behind Cyberattack in Run-Up to Ukraine War, Investigation Finds,” New York Times, May 10, 2022, https://www.nytimes.com/2022/05/10/us/politics/russia-cyberattack-ukraine-war.html.

41 Kim Zetter, “ViaSat Hack ‘Did Not’ Have Huge Impact on Ukrainian Military Communications, Official Says,” Zero Day, September 26, 2022, https://zetter.substack.com/p/viasat-hack-did-not-have-huge-impact; “Satellite Outage Caused ‘Huge Loss in Communications’ at War’s Outset—Ukrainian Official,” Reuters, March 15, 2022, https://www.reuters.com/world/satellite-outage-caused-huge-loss-communications-wars-outset-ukrainian-official-2022-03-15/.

42 ”Reuters, “Satellite Outage.”

43 Sean Lyngaas, “US Satellite Operator Says Persistent Cyberattack at Beginning of Ukraine War Affected Tens of Thousands of Customers, CNN, March 30, 2022, https://www.cnn.com/2022/03/30/politics/ukraine-cyberattack-viasat-satellite/index.html.

44 Zetter, “ViaSat Hack.”

45 Burgess, “A Mysterious Satellite Hack” Zetter, “ViaSat Hack”; Valentino, “Why the ViaSat Hack.”

46 Jurgita Lapienytė, “ViaSat Hack Impacted French Critical Services,” CyberNews, August 22, 2022, https://cybernews.com/news/viasat-hack-impacted-french-critical-services/.

47 International Committee of the Red Cross, Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I), 1125 UNTS 3 (June 8, 1977), accessed January 18, 2023, https://www.refworld.org/docid/3ae6b36b4.html; Zhanna L. Malekos Smith, “No ‘Bright-Line Rule’ Shines on Targeting Commercial Satellites,” The Hill, November 28, 2022, https://thehill.com/opinion/cybersecurity/3747182-no-bright-line-rule-shines-on-targeting-commercial-satellites/; Anaïs Maroonian, “Proportionality in International Humanitarian Law: A Principle and a Rule,” Lieber Institute West Point, October 24, 2022, https://lieber.westpoint.edu/proportionality-international-humanitarian-law-principle-rule/#:~:text=The%20rule%20of%20proportionality%20requires,destruction%20of%20a%20military%20objective; Travis Normand and Jessica Poarch, “4 Basic Principles,” The Law of Armed Conflict, January 1, 2017, https://loacblog.com/loac-basics/4-basic-principles/.

48 “Statement by Deputy Head of the Russian Delegation Mr. Konstantin Vorontsov at the Thematic Discussion on Outer Space (Disarmament Aspects) in the First Committee of the 77th Session of the Unga,” Permanent Mission of the Russian Federation to the United Nations, October 26, 2022, https://russiaun.ru/en/news/261022_v.

49 Mauro Vignati, “LABScon Replay: Are Digital Technologies Eroding the Principle of Distinction in War?” SentinelOne, November 16, 2022, https://www.sentinelone.com/labs/are-digital-technologies-eroding-the-principle-of-distinction-in-war/.

50 Matt Burgess, “Russia Is Taking over Ukraine’s Internet,” Wired, June 15, 2022, https://www.wired.com/story/ukraine-russia-internet-takeover/.

51 Nino Kuninidze et al., “Interim Assessment on Damages to Telecommunication Infrastructure and Resilience of the ICT Ecosystem in Ukraine.”

52 Adam Satariano and Scott Reinhard, “How Russia Took Over Ukraine’s Internet in Occupied Territories,” The New York Times, August 9, 2022, https://www.nytimes.com/interactive/2022/08/09/technology/ukraine-internet-russia-censorship.html; https://time.com/6222111/ukraine-internet-russia-reclaimed-territory/

53 Thomas Brewster, “The Last Days of Mariupol’s Internet,” Forbes, March 31, 2022, https://www.forbes.com/sites/thomasbrewster/2022/03/31/the-last-days-of-mariupols-internet/.

54 Matt Burgess, “Russia Is Taking over Ukraine’s Internet,” Wired, June 15, 2022, https://www.wired.com/story/ukraine-russia-internet-takeover/; Satariano and Reinhard, “How Russia Took.”

55 ”Vera Bergengruen, “The Battle for Control over Ukraine’s Internet,” Time, October 18, 2022, https://time.com/6222111/ukraine-internet-russia-reclaimed-territory/.

56 Herbert Lin, “Russian Cyber Operations in the Invasion of Ukraine,” Cyber Defense Review (Fall 2022): 35, https://cyberdefensereview.army.mil/Portals/6/Documents/2022_fall/02_Lin.pdf, Herb Lin, “The Emergence of Physically Mediated Cyberattacks?,” Lawfare, May 21, 2022, https://www.lawfareblog.com/emergence-physically-mediated-cyberattacks; “Invaders Use Blackmailing and Intimidation to Force Ukrainian Internet Service Providers to Connect to Russian Networks,” State Service of Special Communications and Information Protection of Ukraine, May 13, 2022, https://cip.gov.ua/en/news/okupanti-shantazhem-i-pogrozami-zmushuyut-ukrayinskikh-provaideriv-pidklyuchatisya-do-rosiiskikh-merezh; Satariano and Reinhard, “How Russia Took.”

57 Gian M. Volpicelli, “How Ukraine’s Internet Can Fend off Russian Attacks,” Wired, March 1, 2022, https://www.wired.com/story/internet-ukraine-russia-cyberattacks/; Satariano and Reinhard, “How Russia Took.”

58 David R. Marples, “Russia’s War Goals in Ukraine,” Canadian Slavonic Papers 64, no. 2–3 (March 2022): 207–219, https://doi.org/10.1080/00085006.2022.2107837.

59 David Klepper, “Russian Propaganda ‘Outgunned’ by Social Media Rebuttals,” AP News, March 4, 2022, https://apnews.com/article/russia-ukraine-volodymyr-zelenskyy-kyiv-technology-misinformation-5e884b85f8dbb54d16f5f10d105fe850; Marc Champion and Daryna Krasnolutska, “Ukraine’s TV Comedian President Volodymyr Zelenskyy Finds His Role as Wartime Leader,” Japan Times, June 7, 2022, https://www.japantimes.co.jp/news/2022/02/26/world/volodymyr-zelenskyy-wartime-president/;“Российское Телевидение Сообщило Об ‘Бегстве Зеленского’ Из Киева, Но Умолчало Про Жертвы Среди Гражданских,” Агентство, October 10, 2022, https://web.archive.org/web/20221010195154/https://www.agents.media/propaganda-obstreli/.

60 To learn more about Russian disinformation efforts against Ukraine and its allies, check out the Russian Narratives Reports from the Atlantic Council’s Digital Forensic Research Lab: Nika Aleksejeva et al., Andy Carvin ed., “Narrative Warfare: How the Kremlin and Russian News Outlets Justified a War of Aggression against Ukraine,” Atlantic Council, February 22, 2023, https://www.atlanticcouncil.org/in-depth-research-reports/report/narrative-warfare/; Roman Osadchuk et al., Andy Carvin ed., “Undermining Ukraine: How the Kremlin Employs Information Operations to Erode Global Confidence in Ukraine,” Atlantic Council, February 22, 2023, https://www.atlanticcouncil.org/in-depth-research-reports/report/undermining-ukraine/.

61 Олександр Янковський, “‘Бояться Спротиву’. Для Чого РФ Захоплює Мобільний Зв’язок Та Інтернет На Херсонщині?,” Радіо Свобода, May 7, 2022, https://www.radiosvoboda.org/a/novyny-pryazovya-khersonshchyna-okupatsiya-rosiya-mobilnyy-zvyazok-internet/31838946.html.

62 Volodymyr Zelenskyy, “Tell People in the Occupied Territories about Ukraine, That the Ukrainian Army Will Definitely Come—Address by President Volodymyr Zelenskyy,” President of Ukraine Official Website, June 13, 2022, https://www.president.gov.ua/en/news/govorit-lyudyam-na-okupovanih-teritoriyah-pro-ukrayinu-pro-t-75801.

63 Satariano and Reinhard, “How Russia Took.”

64 Michael Sheldon, “Geolocating Russia’s Indiscriminate Shelling of Kharkiv,” DFRLab, March 1, 2022, https://medium.com/dfrlab/geolocating-russias-indiscriminate-shelling-of-kharkiv-deaccc830846; Michael Sheldon, “Kharkiv Neighborhood Experienced Ongoing Shelling Prior to February 28 Attack,” DFRLab, February 28, 2022, https://medium.com/dfrlab/kharkiv-neighborhood-experienced-ongoing-shelling-prior-to-february-28-attack-f767230ad6f6; https://maphub.net/Cen4infoRes/russian-ukraine-monitor; Michael Sheldon (@Michael1Sheldon), “Damage to civilian houses in the Zalyutino neighborhood of Kharkiv. https://t.me/c/1347456995/38991 …,” Twitter, February 27, 2022, 4:15 p.m., https://twitter.com/Michael1Sheldon/status/1498044130416594947; Michael Sheldon, “Missile Systems and Tanks Spotted in Russian Far East, Heading West,” DFRLab, January 27, 2022, https://medium.com/dfrlab/missile-systems-and-tanks-spotted-in-russian-far-east-heading-west-6d2a4fe7717a; Jay in Kyiv (@JayinKyiv), “Not yet 24 hours after Ukraine devastated Russian positions in Kherson, a massive Russian convoy is now leaving Melitopol to replace them. This is on Alekseev …,” Twitter, July 12, 2022, 7:50 a.m., https://twitter.com/JayinKyiv/status/1546824416218193921; “Eyes on Russia Map,” Centre for Information Resilience, https://eyesonrussia.org/.

65 Katerina Sergatskova, What You Should Know About Life in the Occupied Areas in Ukraine, Wilson Center, September 14, 2022, https://www.wilsoncenter.org/blog-post/what-you-should-know-about-life-occupied-areas-ukraine; Jonathan Landay, “Village near Kherson Rejoices at Russian Rout, Recalls Life under Occupation,” Reuters, November 12, 2022, https://www.reuters.com/world/europe/village-near-kherson-rejoices-russian-rout-recalls-life-under-occupation-2022-11-11/.

66 Andrew Salerno-Garthwaite, “OSINT in Ukraine: Civilians in the Kill Chain and the Information Space,” Global Defence Technology 137 (2022), https://defence.nridigital.com/global_defence_technology_oct22/osint_in_ukraine; “How Has Open-Source Intelligence Influenced the War in Ukraine?” Economist, August 30, 2022, https://www.economist.com/ukraine-osint-pod; Gillian Tett, “Inside Ukraine’s Open-Source War,” Financial Times, July 22, 2022, https://www.ft.com/content/297d3300-1a65-4793-982b-1ba2372241a3; Amy Zegart, “Open Secrets,” Foreign Affairs, January 7, 2023, https://www.foreignaffairs.com/world/open-secrets-ukraine-intelligence-revolution-amy-zegart?utm_source=twitter_posts&utm_campaign=tw_daily_soc&utm_medium=social.

67 Lin, “The Emergence.”

68 “Cyber Security Strategy of Ukraine,” Presidential Decree of Ukraine, March 15, 2016, https://ccdcoe.org/uploads/2018/10/NationalCyberSecurityStrategy_Ukraine.pdf.

69 Eric Geller, “Ukraine Prepares to Remove Data from Russia’s Reach,” POLITICO, February 22, 2022, https://www.politico.com/news/2022/02/22/ukraine-centralized-its-data-after-the-last-russian-invasion-now-it-may-need-to-evacuate-it-00010777.

70 Kuninidze et al., “Interim Assessment.”

71 Kuninidze et al., “Interim Assessment.”

72 “Datagroup to Invest $20 Million into a Large-Scale Network Modernization Project in Partnership with Cisco,” Datagroup, April 8, 2021, https://www.datagroup.ua/en/novyny/datagrup-investuye-20-mln-dolariv-u-masshtabnij-proyekt-iz-m-314.

73 Lauriane Giet, “Eutech4ukraine—Cisco’s Contribution to Bring Connectivity and Cybersecurity to Ukraine and Skills to Ukrainian Refugees,” Futurium, June 22, 2022, https://futurium.ec.europa.eu/en/digital-compass/tech4ukraine/your-support-ukraine/ciscos-contribution-bring-connectivity-and-cybersecurity-ukraine-and-skills-ukrainian-refugees; “Communiqué de Presse Solidarité Européenne Envers l’Ukraine: Nouveau Convoi d’Équipements Informatiques,” Government of France, May 25, 2022, https://minefi.hosting.augure.com/Augure_Minefi/r/ContenuEnLigne/Download?id=4FFB30F8-F59C-45A0-979E-379E3CEC18AF&filename=06%20-%20Solidarit%C3%A9%20europ%C3%A9enne%20envers%20l%E2%80%99Ukraine%20-%20nouveau%20convoi%20d%E2%80%99%C3%A9quipements%20informatiques.pdf.

74 ”Atlantic Council, “Ukraine’s Digital Resilience: A conversation with Deputy Prime Minister of Ukraine Mykhailo Fedorov,” December 2, 2022, YouTube video, https://www.youtube.com/watch?v=Vl75e0QU6uE.

75 “Digital Country—Official Website of Ukraine,” Ukraine Now (Government of Ukraine), accessed January 17, 2023, https://ukraine.ua/invest-trade/digitalization/; Atlantic Council, “Ukraine’s Digital Resilience.”

76 Brad Smith, “Extending Our Vital Technology Support for Ukraine,” Microsoft, November 3, 2022, https://blogs.microsoft.com/on-the-issues/2022/11/03/our-tech-support-ukraine/; “How Amazon Is Assisting in Ukraine,” Amazon, March 1, 2022, https://www.aboutamazon.com/news/community/amazons-assistance-in-ukraine; Phil Venables, “How Google Cloud Is Helping Those Affected by War in Ukraine,” Google, March 3, 2022, https://cloud.google.com/blog/products/identity-security/how-google-cloud-is-helping-those-affected-by-war-in-ukraine.

77 Simon Handler, Lily Liu, and Trey Herr, Dude, Where’s My Cloud? A Guide for Wonks and Users, Atlantic Council, July 7, 2022, https://www.atlanticcouncil.org/in-depth-research-reports/report/dude-wheres-my-cloud-a-guide-for-wonks-and-users/.

78 Handler, Liu, and Herr, “Dude, Where’s My Cloud?”

79 Brad Smith, “Defending Ukraine: Early Lessons from the Cyber War,” Microsoft On the Issues, November 2, 2022, https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/; Smith, “Extending Our Vital Technology.”

80 Amazon, “How Amazon Is Assisting”; Sebastian Moss, “Ukraine Awards Microsoft and AWS Peace Prize for Cloud Services and Digital Support,” Data Center Dynamics, January 12, 2023, https://www.datacenterdynamics.com/en/news/ukraine-awards-microsoft-and-aws-peace-prize-for-cloud-services-digital-support/; Venables, “How Google Cloud”; Kent Walker, “Helping Ukraine,” Google, March 4, 2022, https://blog.google/inside-google/company-announcements/helping-ukraine/.

81 Catherine Stupp, “Ukraine Has Begun Moving Sensitive Data Outside Its Borders,” Wall Street Journal, June 14, 2022, https://www.wsj.com/articles/ukraine-has-begun-moving-sensitive-data-outside-its-borders-11655199002; Atlantic Council, “Ukraine’s Digital Resilience”; Smith, “Defending Ukraine.”

82 Nick Beecroft, Evaluating the International Support to Ukrainian Cyber Defense, Carnegie Endowment for International Peace, November 3, 2022, https://carnegieendowment.org/2022/11/03/evaluating-international-support-to-ukrainian-cyber-defense-pub-88322.

83 Smith, “Defending Ukraine,” 5, 6, 9.

84 Smith, “Defending Ukraine,” 3, 11.

85 Thomas Brewster, “Bombs and Hackers Are Battering Ukraine’s Internet Providers. ‘Hidden Heroes’ Risk Their Lives to Keep Their Country Online,” Forbes, March 15, 2022, https://www.forbes.com/sites/thomasbrewster/2022/03/15/internet-technicians-are-the-hidden-heroes-of-the-russia-ukraine-war/?sh=be5da1428844.

86 Kuninidze et al., “Interim Assessment,” 40.

87 Kuninidze et al., “Interim Assessment,”40; ““Київстар Виділяє 300 Мільйонів Гривень Для Відновлення Цифрової Інфраструктури України,” Київстар, July 4, 2022, https://kyivstar.ua/uk/mm/news-and-promotions/kyyivstar-vydilyaye-300-milyoniv-gryven-dlya-vidnovlennya-cyfrovoyi.

88 Київстар, “Київстар Виділяє”; “Mobile Connection Lifecell—Lifecell Ukraine,” Lifecell UA, accessed January 17, 2023, https://www.lifecell.ua/en/.

89 Ryan Gallagher, “Russia–Ukraine War: Telecom Workers Damage Own Equipment to Thwart Russia,” Bloomberg, June 21, 2022), https://www.bloomberg.com/news/articles/2022-06-21/ukrainian-telecom-workers-damage-own-equipment-to-thwart-russia.

90 Mykhailo Fedorov (@FedorovMykhailo), Twitter, February 26, 2022, 7:06 a.m., https://twitter.com/FedorovMykhailo/status/1497543633293266944?s=20&t=c9Uc7CDXEBr-e5-nd2hEtw.

91 Mykhailo Fedorov (@FedorovMykhailo), “Starlink — here. Thanks, @elonmusk,” Twitter, February 28, 2022, 3:19 p.m., https://twitter.com/FedorovMykhailo/status/1498392515262746630?s=20&t=vtCM9UqgWRkfxfrEHzYTGg.

92 Atlantic Council, “Ukraine’s Digital Resilience.”

93 “How Elon Musk’s Satellites Have Saved Ukraine and Changed Warfare,” Economist, January 5, 2023, https://www.economist.com/briefing/2023/01/05/how-elon-musks-satellites-have-saved-ukraine-and-changed-warfare.

94 Alexander Freund, “Ukraine Using Starlink for Drone Strikes,” Deutsche Welle, March 27, 2022, https://www.dw.com/en/ukraine-is-using-elon-musks-starlink-for-drone-strikes/a-61270528.

95 Mykhailo Fedorov (@FedorovMykhailo), “Over 100 cruise missiles attacked 🇺🇦 energy and communications infrastructure. But with Starlink we quickly restored the connection in critical areas. Starlink …,” Twitter, October 12, 2022 3:12 p.m., https://twitter.com/FedorovMykhailo/status/1580275214272802817.

96 Rishi Iyengar, “Why Ukraine Is Stuck with Elon (for Now),” Foreign Policy, November 22, 2022, https://foreignpolicy.com/2022/11/22/ukraine-internet-starlink-elon-musk-russia-war/.

97 Economist, “How Elon Musk’s.”

98 Freund, “Ukraine Using Starlink”; Nick Allen and James Titcomb, “Elon Musk’s Starlink Helping Ukraine to Win the Drone War,” Telegraph, March 18, 2022, https://www.telegraph.co.uk/world-news/2022/03/18/elon-musks-starlink-helping-ukraine-win-drone-war/; Charlie Parker, “Specialist Ukrainian Drone Unit Picks off Invading Russian Forces as They Sleep,” Times, March 18, 2022, https://www.thetimes.co.uk/article/specialist-drone-unit-picks-off-invading-forces-as-they-sleep-zlx3dj7bb.

99 Matthew Gault, “Mysterious Sea Drone Surfaces in Crimea,” Vice, September 26, 2022, https://www.vice.com/en/article/xgy4q7/mysterious-sea-drone-surfaces-in-crimea.

100 Economist, “How Elon Musk’s.”

101 Akash Sriram, “SpaceX, USAID Deliver 5,000 Satellite Internet Terminals to Ukraine Akash Sriram,” Reuters, April 6, 2022, https://www.reuters.com/technology/spacex-usaid-deliver-5000-satellite-internet-terminals-ukraine-2022-04-06/.

102 Alex Marquardt, “Exclusive: Musk’s Spacex Says It Can No Longer Pay for Critical Satellite Services in Ukraine, Asks Pentagon to Pick up the Tab,” CNN, October 14, 2022, https://www.cnn.com/2022/10/13/politics/elon-musk-spacex-starlink-ukraine.

103 Elon Musk (@elonmusk), “Ukraine-Russia Peace: – Redo elections of annexed regions under UN supervision. Russia leaves if that is will of the people. – Crimea formally part of Russia, as it has been since 1783 (until …” Twitter, October 3, 2022 12:15 p.m., https://twitter.com/elonmusk/status/1576969255031296000; Andrij Melnyk (@MelnykAndrij), Twitter, October 3, 2022, 12:46 p.m., https://twitter.com/MelnykAndrij/status/1576977000178208768.

104 Elon Musk (@elonmusk), Twitter, October 14, 2022, 3:14 a.m., https://twitter.com/elonmusk/status/1580819437824839681; Elon Musk (@elonmusk), Twitter, October 15, 2022, 2:06 p.m., https://twitter.com/elonmusk/status/1581345747777179651.

105 Elon Musk (@elonmusk), Twitter, October 17, 2022, 3:52 p.m., https://twitter.com/elonmusk/status/1582097354576265217; Sawyer Merrit (@SawyerMerritt), “BREAKING: The Pentagon is considering paying for @SpaceX ‘s Starlink satellite network — which has been a lifeline for Ukraine — from a fund that has been used …,” Twitter, October 17, 2022, 3:09 p.m., https://twitter.com/SawyerMerritt/status/1582086349305262080.

106 Alex Marquardt and Sean Lyngaas, “Ukraine Suffered a Comms Outage When 1,300 SpaceX Satellite Units Went Offline over Funding Issues” CNN, November 7, 2022, https://www.cnn.com/2022/11/04/politics/spacex-ukraine-elon-musk-starlink-internet-outage/; Iyengar, “Why Ukraine Is Stuck.”

107 Ryan Browne, “Ukraine Government Is Seeking Alternatives to Elon Musk’s Starlink, Vice PM Says,” CNBC, November 3, 2022, https://www.cnbc.com/2022/11/03/ukraine-government-seeking-alternatives-to-elon-musks-starlink.html.

108 William Harwood, “SpaceX Launches 40 OneWeb Broadband Satellites, Lighting up Overnight Sky,” CBS News, January 10, 2023, https://www.cbsnews.com/news/spacex-launches-40-oneweb-broadband-satellites-in-overnight-spectacle/.

109 Marquardt and Lyngaas, “Ukraine Suffered”; Mehul Srivastava et al., “Ukrainian Forces Report Starlink Outages During Push Against Russia,” Financial Times, October 7, 2022, https://www.ft.com/content/9a7b922b-2435-4ac7-acdb-0ec9a6dc8397.

110 Alex Marquardt and Kristin Fisher, “SpaceX admits blocking Ukrainian troops from using satellite technology,” CNN, February 9, https://www.cnn.com/2023/02/09/politics/spacex-ukrainian-troops-satellite-technology/index.html.

111 Charles R. Davis, “Elon Musk Blocked Ukraine from Using Starlink in Crimea over Concern that Putin Could Use Nuclear Weapons, Political Analyst Says,” Business Insider, October 11, 2022, https://www.businessinsider.com/elon-musk-blocks-starlink-in-crimea-amid-nuclear-fears-report-2022-10; Elon Musk (@elonmusk), Twitter, February 12, 2022, 4:00 p.m., https://twitter.com/elonmusk/status/1624876021433368578.

112 Mykhailo Fedorov (@FedorovMykhailo), “In 21 days of the war, russian troops has already killed 100 Ukrainian children. they are using DJI products in order to navigate their missile. @DJIGlobal are you sure you want to be a …,” Twitter, March 16, 2022, 8:14 a.m., https://twitter.com/fedorovmykhailo/status/1504068644195733504; Cat Zakrzewski, “4,000 Letters and Four Hours of Sleep: Ukrainian Leader Wages Digital War,” Washington Post, March 30, 2022, https://www.washingtonpost.com/technology/2022/03/30/mykhailo-fedorov-ukraine-digital-front/.

113 DJI Global (@DJIGlobal), “Dear Vice Prime Minister Federov: All DJI products are designed for civilian use and do not meet military specifications. The visibility given by AeroScope and further Remote ID …,” Twitter, March 16, 2022, 5:42 p.m., https://twitter.com/DJIGlobal/status/1504206884240183297.

114 Mehul Srivastava and Roman Olearchyk, “Starlink Prices in Ukraine Nearly Double as Mobile Networks Falter,” Financial Times, November 29, 2022, https://www.ft.com/content/f69b75cf-c36a-4ab3-9eb7-ad0aa00d230c.

115 Iyengar, “Why Ukraine Is Stuck.”

116 Michael Sheetz, “SpaceX Raises Another $250 Million in Equity, Lifts Total to $2 Billion in 2022,” CNBC, August 5, 2022, https://www.cnbc.com/2022/08/05/elon-musks-spacex-raises-250-million-in-equity.html.

117 “Starshield,” SpaceX, accessed January 17, 2023, https://www.spacex.com/starshield/; Micah Maidenberg and Drew FitzGerald, “Elon Musk’s Spacex Courts Military with New Starshield Project,” Wall Street Journal, December 8, 2022), https://www.wsj.com/articles/elon-musks-spacex-courts-military-with-new-starshield-project-11670511020.

118 “Maps: Tracking the Russian Invasion of Ukraine,” New York Times, February 14, 2022, https://www.nytimes.com/interactive/2022/world/europe/ukraine-maps.html#:~:text=Ukraine%20has%20reclaimed%2054%20percent,for%20the%20Study%20of%20War; Júlia Ledur, Laris Karklis, Ruby Mellen, Chris Alcantara, Aaron Steckelberg and Lauren Tierney, “Follow the 600-mile front line between Ukrainian and Russian forces,” The Washington Post, February 21, 2023, https://www.washingtonpost.com/world/interactive/2023/russia-ukraine-front-line-map/.

119 Jimmy Rushton (@JimmySecUK), “Ukrainian soldiers deploying a Starlink satellite internet system in liberated Kherson, allowing local residents to communicate with their relatives in other areas of Ukraine,” Twitter, November 12, 2022, 8:07 a.m., https://twitter.com/JimmySecUK/status/1591417328134402050; José Andrés (@chefjoseandres), “@elonmusk While I don’t agree with you about giving voice to people that brings the worst out of all of us, thanks for @SpaceXStarlink in Kherson, a city with no electricity, or in a train from …,” Twitter, November 20, 2022, 1:58 a.m., https://twitter.com/chefjoseandres/status/1594223613795762176.

120 Mykhailo Fedorov (@FedorovMykhailo), “Every front makes its contribution to the upcoming victory. These are Anatoliy, Viktor, Ivan and Andrii from @Vodafone_UA team, who work daily to restore mobile and Internet communications …,” Twitter, April 25, 2022, 1:13 p.m., https://twitter.com/FedorovMykhailo/status/1518639261624455168; Mykhailo Fedorov (@FedorovMykhailo), “Can you see a Starlink? But it’s here. While providers are repairing cable damages, Gostomel’s humanitarian headquarter works via the Starlink. Thanks to @SpaceX …,” Twitter, May 8, 2022, 9:48 a.m., https://twitter.com/FedorovMykhailo/status/1523298788794052615.

121 Thomas Brewster, “Ukraine’s Engineers Dodged Russian Mines to Get Kherson Back Online–with a Little Help from Elon Musk’s Satellites,” Forbes, November 18, 2022, https://www.forbes.com/sites/thomasbrewster/2022/11/18/ukraine-gets-kherson-online-after-russian-retreat-with-elon-musk-starlink-help/?sh=186e24b0ef1e.

122 Mark Didenko, ed., “Ukrtelecom Car Hits Landmine in Sumy Region, One Dead, Three Injured,” Yahoo!, October 2, 2022, https://www.yahoo.com/video/ukrtelecom-car-hits-landmine-sumy-104300649.html.

123 Vera Bergengruen, “The Battle for Control over Ukraine’s Internet,” Time, October 18, 2022, https://time.com/6222111/ukraine-internet-russia-reclaimed-territory/.

124 Bergengruen, “The Battle for Control over Ukraine’s Internet.”

125 Atlantic Council, “Ukraine’s Digital Resilience: A conversation with Deputy Prime Minister of Ukraine Mykhailo Fedorov,” December 2, 2022, YouTube video, https://www.youtube.com/watch?v=Vl75e0QU6uE; “Keeping connected: connectivity resilience in Ukraine,” EU4Digital, February 13, 2022, https://eufordigital.eu/keeping-connected-connectivity-resilience-in-ukraine/.

126 Greg Rattray, Geoff Brown, and Robert Taj Moore, “The Cyber Defense Assistance Imperative Lessons from Ukraine,” The Aspen Institute, February 16, 2023, https://www.aspeninstitute.org/wp-content/uploads/2023/02/Aspen-Digital_The-Cyber-Defense-Assistance-Imperative-Lessons-from-Ukraine.pdf, 8.

127 CRDF Global, “CRDF Global becomes Platform for Cyber Defense Assistance Collaborative (CDAC) for Ukraine,” News 19, November 14, 2022, https://whnt.com/business/press-releases/cision/20221114DC34776/crdf-global-becomes-platform-for-cyber-defense-assistance-collaborative-cdac-for-ukraine/; Dina Temple-Raston, “EXCLUSIVE: Rounding Up a Cyber Posse for Ukraine,” The Record, November 18, 2022, https://therecord.media/exclusive-rounding-up-a-cyber-posse-for-ukraine/; Rattray, Brown, and Moore, “The Cyber Defense Assistance Imperative Lessons from Ukraine.”

128 Beecroft, Evaluating the International Support.

129 Lee Hudson, “‘There’s Not Just SpaceX’: Pentagon Looks Beyond Starlink after Musk Says He May End Services in Ukraine,” POLITICO, October 14, 2022, https://www.politico.com/news/2022/10/14/starlink-ukraine-elon-musk-pentagon-00061896.

The post A parallel terrain: Public-private defense of the Ukrainian information environment appeared first on Atlantic Council.

The 5×5—Strengthening the cyber workforce

Simon Handler — Thu, 23 Feb 2023 05:01:00 +0000

On July 19, 2022, the White House convened leaders from industry, government, and academia at its a National Cyber Workforce and Education Summit. In his remarks at the Summit, recently departed National Cyber Director Chris Inglis committed to developing a National Cyber Workforce and Education Strategy with input from relevant stakeholders to align government resources and efforts toward addressing the many challenges in this area. Among these challenges is finding sufficient talent to fill the United States’ ever-growing number of openings for cyber-related roles across all sectors of the economy. According to research from CyberSeek, US employers posted 714,548 of these job openings in the year leading up to April 2022. While many of the vacancies are oriented toward individuals who are savvy in the more technical aspects of cybersecurity, more organizations are searching for multidisciplinary talent, ranging from international affairs to project management and everything in between.

While we await the White House’s National Cyber Workforce and Education Strategy, we brought together a group of experts to provide insights into bolstering the cyber workforces of the United States and its allies.

#1 What is one assumption about the cyber workforce that is holding the cyber community back?

Nelson Abbott, senior director, advanced program operations, NPower:

“‘We cannot find good talent.’ This sentiment is, in my opinion, a result of companies not broadening their talent acquisition strategies. You will not meet the increasing demand for cyber talent by using the same talent pipelines that are not increasing their output to market.”

Richard Harris, principal cybersecurity policy engineer, MITRE Corporation:

“One problematic assumption is that the market, academia, or government alone can solve the problem of cyber workforce shortages. Developing cyber workforces at the right time, in the right quantities, and with the right skills requires purposeful and persistent public, private, and academic partnerships.”

Ayan Islam, director, cyber workforce, Office of the National Cyber Director:

“There is an assumption that there is a single pathway into the cyber workforce when there are many pathways to recruit cyber workforce talent. To open the job pipeline to those for whom a career in cyber or a related field would be out of reach, new pathways need to be created. We need to fully leverage the potential for community colleges to contribute to the workforce, grow work-based learning programs such as apprenticeships, and further explore non-traditional training opportunities. While some exist today, we need many more pathways to allow for more entrants and career changers into the cyber workforce and to demystify those pathways.”

Eric Novotny, Hurst professor of international relations, emeritus, School of International Service, American University:

“One assumption that I have noticed in employment advertising is the posting of entry-level positions in which the Certified Information Systems Security Professional (CISSP) certification is listed as necessary or desirable. This certification, as is well-known in the community, is a cybersecurity management certification that requires five years of experience in the domain. It may be that human resources representatives do not understand the levels or purpose of cybersecurity certifications. Some organizations may lose qualified job candidates if desired certifications are not aligned with job requirements.”

Merili Soosalu, partner leader and regional coordinator for Latin America and the Caribbean, EU Cyber Resilience for Development Project (Cyber4Dev), Information System Authority of Estonia (RIA):

“Cybersecurity as a topic is on its way to the mainstream. In the more and more digitalized world, cybersecurity is an integral aspect that cannot be overlooked. This should also be reflected in the outlooks of cyber careers that do not only mean highly experienced technical skills but rather a variety of professions and skillsets from the areas of project management and communications to the highly skilled blue- and red-team competencies.”

#2 What government or industry-led programs have had an outsized positive impact on workforce development efforts?

Abbott: “I am of the opinion that there have not been ‘outsized’ positive impacts. There are a lot of great companies and organizations doing good work (NPower, Per Scholas, etc.), but they do not have the capacity to meet the exponential growth in demand for talent. The recent cybersecurity sprint was good to develop interest in that alternative hiring model, but it is still too early to see what the measurable results are.”

Harris: “Some of the most successful workforce development programs have been in local communities. These programs were the result of local businesses, governments, and academic institutions putting their heads together to meet cybersecurity and other technical skill needs. While these efforts help keep people in their communities, they also support workforce mobility where these same skills are in demand outside of the local community.”

Islam: “With over seven hundred thousand (approximately 756,000 as of December 2022, per CyberSeek.org) vacancies in cybersecurity positions across the United States, these numbers constitute a national security risk and must be tackled aggressively. Therefore, it is important for government, industry, education, and training providers to all contribute to workforce development efforts, and work in tandem to address our growing needs. For example, the Office of National Cyber Director hosted a National Cyber Workforce and Education Summit at the White House last summer with government and private sector partners to discuss building the United States’ cyber workforce, increasing skill-based pathways to cyber careers, and equipping Americans to thrive in our increasingly digital society. The event resulted in many new commitments. A cybersecurity apprenticeship sprint was also announced at the Summit, which led to an increase in private-sector participation in the Department of Labor’s apprenticeship program, with 194 new registered participants and over seven thousand apprentices getting jobs.”

Novotny: “Sponsored events to attract new talent into the field, such as Cyber 9/12, AvengerCon, and various Capture the Flag (CTF) exercises are invaluable for stimulating interest in cybersecurity and exposing students and young professionals to executives and experts in the field.”

Soosalu: “In Estonia in recent years, many positive initiatives have been developed for different age groups. For instance, for adults looking to change their careers to information technology (IT), the Kood/Jõhvi, an international coding school, was created and top IT specialists should enter to the job market in the coming months. A private initiative called Unicorn Squad was created in 2018 to popularize technology education among girls. These initiatives, to name some, will hopefully show positive effects in the coming years. The Estonian State Systems Authority, responsible for national cybersecurity, prioritizes the knowledge development of cyber incidents of critical sectors by regularly organizing joint exercises between the national Computer Emergency Response Team (CERT) and the IT teams of different critical service providers.”

#3 Are there any issues or challenges in workforce development have been overstated or immaterial?

Abbott: “‘Anyone can do cyber.’ While it is true that there is a much broader spectrum of roles in cyber than most people realize (non-technical; governance, risk management, and compliance; policy; etc.), these still require a strong working knowledge of information technology and networking concepts.”

Harris: “Many people need to move beyond wringing their hands about cyber workforce shortages or hoping that someone else will solve the problem. Organizations can start at the grassroots level and proactively develop partnerships and plans that result in a tangible workforce development achievement at whatever level is feasible, and then build on that success.”

Islam: “Actually, what is understated and greatly material to the issue and challenge in cyber workforce development is the lack of appropriate resourcing and C-suite appreciation with security program investments. There is still a disconnect in recognizing that cybersecurity is a foundational business risk and not a one-time, niche issue. Without proper investments on the people side of security programs, we will continue to see the same issues or challenges in tackling cybersecurity threats.”

Novotny: “There are some misconceptions that cybersecurity is an exclusively IT-driven, technical field. That is certainly true for some roles and responsibilities, but cybersecurity solutions also embrace people and processes, as well as technology. Professionals with highly developed technical skills will need to include management and people skills in their career development.”

Soosalu: “Today, all studies show that the IT sector, cybersecurity in particular, lacks a qualified workforce. Therefore, all challenges are real and need to be tackled.”

The 5×5—Minding the cyber talent gap

Cyber 9/12 Strategy Challenge

The Cyber Moonshot

#4 How can different types of organizations better assess their cyber talent needs?

Abbott: “By 1) moving from credential-based job descriptions to competency-based job descriptions; 2) better communicating between hiring managers and talent-acquisition teams; 3) changing job descriptions to remove bias and non-negotiable requirements to encourage more candidates to apply; and 4) considering internal upskilling programs and backfilling entry-level roles with new talent.”

Harris: “The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) Framework is an awesome baseline reference for understanding workforce positions and skills. Organizations, however, must do the work to understand their current and future cyber talent needs, then leverage the NICE Framework, or a similar guide, to connect those business needs with the right positions and skill paths, and build a workforce development plan.”

Islam: “A growing number of organizations are taking advantage of skill-based and aptitude assessments to allow for diverse and multidisciplinary candidates to join the cyber workforce. However, skill-based training and hiring practices are still necessary. Any solution must be inclusive of historically untapped talent, including underserved areas and neurodivergent populations. A cybersecurity career should be within reach for any American who wishes to pursue it, and skills-based training and hiring practices enable inclusive outcomes, give workers a fair shot, and keep the economy strong.”

Novotny: “The size of the existing IT and cybersecurity internal infrastructure plays a huge role here. Medium and small enterprises will have a more difficult time justifying a large cybersecurity staff in most cases. For these organizations, where many cybersecurity functions are outsourced, the skills shift to management and procurement, rather than technical operations, such as staffing a security operations center. In the government sector, having different standards and compliance rules than in the private sector also drives different necessary skill sets. On the other hand, I would argue that any organization that has network operations and valuable information assets to protect has similar security requirements in principle.”

Soosalu: “For assessing needs, some forms of standards are needed. In the European Union, the new European Cybersecurity Skills Framework (ECSF) was created to become a useful tool to help identify the profiles and skills that are most needed and valued. This will help create a European framework for recognizing skills and training programs.”

#5 How have cyber workforce needs shifted in the past five years, and where do you see them going from here?

Abbott: “They have only increased, and almost doubled in 2022. More companies are taking cybersecurity seriously, and are now realizing the importance of having those individuals on their teams. I fear that the demand for cyber talent will only continue unless employers start to create new solutions instead of relying on old habits when it comes to talent acquisition.”

Harris: “Rapid technological change like the current artificial intelligence revolution, and increasingly complex risk dynamics exemplified by greater cyber-physical convergence, require cyber workforces and individuals to embrace continuous learning throughout their careers. More attention needs to be paid to developing interesting and flexible cyber career paths and investing in more career progression training and education.”

Islam: “We need to broaden our thinking about the importance of cyber across occupations and professions in our interconnected society. There are many occupations and professions that have not traditionally required in-depth cybersecurity knowledge or training, but whose work relies on the use of cyber technologies. Greater attention should be paid to ensuring that cybersecurity training and education are part of the professional preparation of these workers.”

Novotny: “Several broad trends are noticeable in workforce requirements that have changed over time. First, as more sectors of the economy are identified as critical infrastructure, professionals that have industry sector experience are in higher demand. Second, the cyber threat intelligence business—in both government and in the private sector—has opened job opportunities for young professionals with language and international relations education. Third, there is an apparent fusion of traditional cybersecurity needs with a growing concern about misinformation, social media, and privacy. A few years ago, these latter issues were largely separate from the cybersecurity domain. That is not the case today.”

Soosalu: “Estonia was the target of one of the first ever national cyberattacks in 2007, and therefore cybersecurity as an issue is not new to our general public. However, being one of the most digitalized countries in the world, Estonia relies heavily on its digital services and needs to both create awareness and invest in being as cyber resilient as possible. The lack of a skilled workforce is clearly a vector of risk. Compared to the period of past five years, the legislation has evolved. Today, many more sectors are obliged to follow information and cybersecurity standards, hire information security officers, and invest budget into dealing with cybersecurity. The topic of cybersecurity is here to stay, and we will need to do our outmost to create interested and competent workforce for these profiles. Hopefully, the initiatives named above (Question #2) will help to contribute to this, and we see soon more women and more IT and cyber enthusiasts in the job market.”

The post The 5×5—Strengthening the cyber workforce appeared first on Atlantic Council.

Soofer quoted in Radio Free Asia on North Korean missile developments

Atlantic Council — Thu, 09 Feb 2023 19:42:53 +0000

original source

On February 9, Forward Defense Senior Fellow Dr. Robert Soofer was quoted in an article by Radio Free Asia on the recent display of long range missiles by North Korea (DPRK) on February 8th during a military parade to mark the 75th Anniversary of the founding of the DPRK’s army. Soofer stressed the ‘alarming’ development of the DPRK’s nuclear arsenal and missile capabilities.

We know they have the missiles and the nuclear warheads. We don’t know for certain whether they can successfully reach the U.S. homeland and survive reentry into the atmosphere…Implications are big for U.S. homeland missile defense

Robert Soofer

Fellow

Robert Soofer

Senior Fellow

Forward Defense

Arms Control Defense Policy

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Appendix: Survey results

The post Soofer quoted in Radio Free Asia on North Korean missile developments appeared first on Atlantic Council.

Avoiding the success trap: Toward policy for open-source software as infrastructure

Wed, 08 Feb 2023 14:25:07 +0000

Download pdf

oss Homepage

Two pager

1. Introduction
vvv 1.1 What are we doing here?

2. The open-source ecosystem

3. OSS as infrastructure: Three analogies
vvv 3.1 Defining infrastructure
vvv 3.2 Three analogies
vvvvvv 3.2.1 Water management systems
vvvvvv 3.2.2 Capital markets
vvvvvv 3.2.3 Roads and bridges

4. Real-world infrastructure policy for OSS
vvv 4.1 Government support and funding
vvv 4.2 Ecosystem risk management
vvv 4.3 Responsible use

5. Crafting infrastructure policy for OSS
vvv 5.1 Encouraging sustainable OSS participation
vvv vvv 5.1.1 Start by improving government consumption
vvv vvv 5.1.2 Support private-sector consumption
vvv vvv 5.1.3 Protect OSS Good Samaritans
vvv 5.2 Addressing systemic risk
vvv vvv 5.2.1 Establish an Office of Systemic Risk Management (ODSRM)
vvv 5.3 Provide resources with security and sustainability in mind
vvv vvv 5.3.1 Target of opportunity
vvv vvv 5.3.2 Establish the OSS trust
vvv vvv 5.3.3 Adopt-a-package

6. Conclusion
vvv About the authors and acknowledgements

This report was drafted in collaboration with the Open Source Policy Network, a network of OSS developers, maintainers, and stakeholders convened by the Atlantic Council’s Cyber Statecraft Initiative to develop community-led strategy and policy recommendations for OSS.

Executive summary

High-profile security incidents involving open-source software (OSS) have brought the ubiquity of OSS and the unique challenges its communities face to the attention of policymakers in the United States, EU, and beyond. For policymakers seeking to support the security and sustainability of OSS as a shared resource, this report builds on an important perspective on open-source software: OSS as Infrastructure. OSS is code published under a license that allows anyone to inspect, modify, and re-distribute the source code. This helps developers share and re-use solutions to common problems, creating such efficiencies that some estimate that 97 percent of software depends on OSS. OSS ranges from small components for illustrating graphs to entire operating systems. Contributors include individuals working in their free time, staff at large companies, foundations, and many others. The ecosystem is community-based, with many governance structures to manage contributions and maintenance.

This report compares OSS to three infrastructure systems—water management systems, capital markets, and networks of roads and bridges—and draws on existing policy vehicles from each to suggest policy that supports the sustainability and security of OSS as a communally beneficial resource.

Software borrows metaphors from water systems, including “upstream” and “downstream” relationships between packages and the end products that rely on them. Entities that use water from the ground or rivers do not assume its potability or perpetual availability—instead, they ensure the water is fit for their varying needs. OSS consumers have a responsibility to ensure the OSS they consume is well supported and secure, and the largest OSS users have the most responsibility for supporting ecosystem sustainability. OSS also bears similarity to capital markets, facing compounding, systemic risks, as chains of software dependencies can make a single OSS project a point of failure for many downstream systems. These risks intensify when there is little transparency or accurate reporting available to consumers—or regulators—to evaluate and mitigate risk. Finally, OSS has previously been compared to roads and bridges, and this bears out in the manner that insufficient investment in ongoing support creates risk over time. The collapse of a bridge—or the discovery of a vulnerability in a widely used OSS package—can focus attention and investment, but continuous, mundane maintenance to prevent such crises often falls by the wayside.

Taken together, these infrastructure systems—and the policy vehicles that support them—provide key principles for policymakers looking to support open-source software as infrastructure:

Encouraging responsible OSS consumption:

Get government to “walk the walk” of being a responsible OSS consumer by establishing one or more Open Source Program Offices in the federal government to help agencies manage their OSS strategy, policy, and relationships.
Develop an OSS Best Practices framework through NIST that incorporates risk assessments andcontribution back to the OSS ecosystem. Industry and government could use the framework for self-assessment, and government could use it to help inform procurement evaluations.
Develop, through OSS-mature companies and nonprofits, a standard of best practices for contributing to OSS to bring in more OSS Good Samaritans from smaller organizations.

Mitigating Systemic Risks:

Create an Office of Digital Systemic Risk Management (ODSRM) within the Cybersecurity and Infrastructure Security Agency to identify systemic digital risks, including key widely used and at-risk OSS packages for targeted support.

Providing resources with security and sustainability in mind:

Establish a target-of-opportunity funding program to support maintenance and incident-response work for systemically important OSS projects.
Establish an OSS Trust Fund to provide sustainable and long-lasting investments in the security and maintenance of OSS code and the health and size of OSS maintainer communities.
Develop an adopt-a-package program through which companies provide resources to support ongoing maintenance and vulnerability mitigation for OSS packages they depend on. Such a program could encourage more small and non-IT-sector companies to take part.

1. Introduction

Open-source software (OSS) sits at the center of almost every digital technology moving the world since the early 1980s—laptops, cellphones, widespread internet connectivity, cloud computing, social media, automation, all the rainbow flavors of e-commerce, and even secure communications and anti-censorship tools. OSS, developed without exclusive ownership by globe-spanning communities, has enabled engineers, scientists, and entrepreneurs alike to build great things and make momentous technological advances.

Much like the transcontinental rail systems of the nineteenth century and the intermodal shipping container system of the twentieth, OSS is an infrastructure that enables and shapes social, political, and economic activity across the world. Like the shipping container system and more than the highly visible railroad, OSS has long gone underrecognized outside of expert communities for the influence its code and developers have on the world.

That lack of recognition began changing only recently as OSS has come to the fore outside technology communities, with interest from philanthropic investors and grantmaking as well as congressional hearings after the December 2021 log4shell vulnerability.¹ ²The challenge with much of this attention is its emphasis on there being something wrong with OSS, something “broken” or “inherently weaker” with the code that needs fixing. The mindset of putting out a fire in open source, without critically reevaluating the relationship between OSS developers and consumers as well as the need for material acknowledgment of the importance of open-source code, threatens the long-term sustainability and security of OSS.

Pathbreaking research from Nadia Eghbal³ in 2016 helped present the public-policy challenge regarding OSS used to build essential technology systems. Not just an issue of shortfall in security, the OSS development model poses a basic problem of equity and value. OSS separates sale value, the amount a consumer is willing to pay for a free product, and use value, the amount this consumer gains by using it—an issue called out as early as 1997 by Eric Raymond.⁴ There is no clear market solution when conventional mechanisms to assign a value at sale and fractionally return that value to developers do not work. This kind of gap in a market opens a clear lane for public policy to do more than just support this infrastructure through the public purse. A survey conducted for this report,⁵discussed in more depth in the appendix, shows 65 percent of respondents agreed or strongly agreed on the necessity of a government role for the long-term health of the ecosystem. Moreover, 70 percent saw direct government funding as necessary to ensure this.

Figure 1. Survey response

Figure 2. Survey response

However, this is not to say that government is the only relevant player. Respondents indicated that, while they largely thought a government role in supporting the OSS ecosystem was requisite for its long-term health, they did not necessarily see it as the main party responsible for stepping up to the plate. This reflects a common thread of argument throughout this report: the criticality of OSS projects is determined not by their creators but by those using the package, and accordingly, responsibility for the ecosystem primarily rests in the hands of its largest beneficiaries—here, industry.

What are we doing here?

This report builds on previous research by the Atlantic Council and others, as well as the collected insights of the Open-Source Policy Network,⁶to argue that public policy can address the systems’ shortfalls by approaching OSS as infrastructure. Making policy to support and sustain OSS as infrastructure helps move viewing this code from a place of fear of security vulnerabilities to one that understands OSS as a critical component of an efficient software ecosystem, while still acknowledging the important role policy holds in improving security writ large.

When policy focuses only on terrible, potential outcomes, its ideas tend to reflect that bias toward fear, but this need not be the framing for OSS. Open source enables and solves much more than it imperils. Its security is as much a guarantor of continued value to users large and small, from individuals to national intelligence agencies, as it is a bulwark against malicious intent.

While OSS has come back to attention as an issue of national policy in the European Union (EU), and indeed become one for the first time in the United States in some ways as a product of fear and calamity, opportunities run much deeper. Infrastructure of such scale and magnitude is supported, reinforced, and amplified—not fixed in a brief whirlwind of activity—much like the consistent provisions of clean water, roads and bridges, and healthy capital markets. This report proposes clear models for sustained OSS support and offers guidance on how governments in the United States, European Union (EU), and nations across its member-state constituents can implement such models.

Much like roads or bridges, which anyone can walk or drive on, open source code can be used by anyone…This type of code makes up the digital infrastructure of our society today.
– Roads and Bridges: Unseen Labor ⁷

This report identifies key principles of OSS development and use. It relates them to other physical infrastructures for which there are mature policies and laws in an ensemble approach to combine nuance and tangible recommendations. The report points policymakers toward adaptable policies addressing more familiar forms of infrastructure that serve as case studies for government support of OSS. There are two reasons for this work.

First, as tangible as the infrastructure comparison is, OSS also has useful differences from physical infrastructure that offer opportunities for nuance. The open-source ecosystem is far more varied, complex, and dynamic than most physical infrastructure. Eghbal, for example, explains in detail the many differences between OSS and her chosen roads and bridges analogy.⁸ Obscuring that nuance can lead policymakers to ignore obvious benefits—the substantial human communities involved in building and maintaining OSS, for example. OSS is, ultimately, the product of people with a variety of motivations, not the least of which are pure enthusiasm, curiosity, and a desire for community. Given the ecosystem’s overwhelming variety, it is often more accurate to understand OSS as an expression of social interaction and group problem-solving. Rather than designed top-down, it is infrastructure that emerges.⁹ OSS is fundamentally free speech in machine-readable form, not exquisite public works produced under a single engineering vision. Dynamic, interwoven groups of individuals produce, modify and maintain the code, rather than it being a commodity, product, or service per se, which carries significant ramifications for law and policy, as well as the infrastructure analogy.¹⁰

Second, as policymakers consider OSS in the larger context of significant cybersecurity policy in the United States, a set of guiding principles would help predict and model policies’ impact on OSS. Common physical infrastructure shares similarities to OSS: both support critical functions, provide dependable services, offer subtle and often unseen service delivery, function through systems of decentralized control, and more. Government has long engaged in infrastructure policy, so drawing on those more familiar frameworks offers opportunity to hone engagement with, and support for, the OSS ecosystem.

To better capture the complexity of the OSS ecosystem, this report offers not one but three infrastructure analogies for OSS policy. They are water-management systems, capital markets in the financial services sector, and roads and bridges from Eghbal’s report. The comparison between OSS and water-management systems invokes both systems’ sprawling networks of producers, intermediaries, quality assurers, and varied use cases. It also highlights the relationship between the degrees of usage and responsibility to the overall sustainable functioning of the ecosystem and discusses policy models based on Nevada water law and federal regulations around funding and protecting volunteer clean-up efforts. The comparison to the financial sector focuses on the nature of risk and transparency in both domains, where a variety of modular, interconnected, and aggregated items (projects in OSS, assets in finance) create nodes of risk and leverage and where risk management relies on insight into the location and of function of underlying system components. The section looks at policy efforts to identify and manage systemic risk created in these networks of dependence. Last, the roads and bridges comparison builds on Eghbal’s report, highlighting the importance of continual maintenance, funding, and tailored intervention across an interconnected network. It looks to the Highway Trust Fund (HTF) and adopt-a-highway programs for models of funding and support for key infrastructure.

Open source software is part of the foundation of digital infrastructure that promotes a free and open internet.
– S.4913, The Securing Open Source Software Act of 2022 ¹¹

For each analogy, the report addresses the prominent characteristics shared with the OSS ecosystem, explores the comparison in depth, and surfaces guiding policy principles before offering examples of relevant US and EU policies as potentially useful models for OSS. Following these analogies is a discussion of some existing government policies toward OSS and specific recommendations.

This report aims to develop tangible example policies for the United States and European Union to support OSS as infrastructure and point policymakers toward existing policy vehicles that government can readily modify and adopt to better support and engage with the OSS ecosystem. The report does not seek to make definitive statements about what open source is or is not through these analogies. Rather the goal is to capture a snapshot of its most essential features and most consequential participants. Any of the analogies can be extended far past usefulness, and policymakers should approach each keeping in mind the essential truth that, while all models are wrong, some (including, we believe, these) are useful, nonetheless. Before diving into the analogies though, this report looks to discuss the open-source ecosystem as it is, highlighting key principles and addressing common misconceptions.

2. The open-source ecosystem

While the motives of software developers can vary from securing a paycheck to satisfying personal curiosity, most software itself ultimately strives to carry out a task or solve a problem. Open-source software (OSS) is an acknowledgment that many such problems are similar and repeatedly encountered by developers. OSS works by making one solution to a problem available to all to re-purpose and re-use, which likely results in a strong return on investment (ROI),¹²both financially and socially.¹³ While there are several different legal approaches to defining and licensing what is “open source,” the common OSS philosophy grants forward to users and consumers the rights to inspect, modify, and redistribute software—its source code is “open.”¹⁴ In this, OSS generally differs from closed-source or proprietary software by providing these additional rights.

The result is a vast network of overlapping communities principally involved with developing, maintaining, and integrating OSS. These communities range from volunteers to paid professionals, with participants who exist entirely outside the for-profit technology industry and myriad others who are full-time employees from the likes of Google, Microsoft, and Amazon.

While open source as a philosophy predates the internet—witness the chaotic ballet of licensing and development values that characterized the 1969 birth of Unix and its fractured gestation as one example¹⁵—the internet proved a tremendous accelerant to OSS development. Indeed, the emergence of online communities developing and maintaining open-source code helped meaningfully differentiate the internet from precursor telecommunications networks and gave tangible form to Licklider and Taylor’s vision of creative communications among thinking machines.¹⁶

Figure 3. Dependencies and contributions

There are several key characteristics of the open-source ecosystem for policymakers to keep in mind. First among these is its sheer scale and variety. Though treating open source as a monolithic concept is a convenient abstraction—and for high-level policy, a necessary one at least up to a point—the real landscape is staggeringly diverse. There are communities built around specific programming languages, from commonly known Python to the deliberately esoteric Befunge.¹⁷ Some communities center on specific projects like the Linux kernel, and others orbit downstream functions like encrypted communications tools or specialized statistical analysis packages. Some projects serve simple ends like correctly adding characters to the left of a string or number.¹⁸ Others provide word-processing programs¹⁹or even entire operating systems, such as Linux and its many distributions.²⁰ There are open cloud platforms such as OpenStack and open container orchestration systems like Kubernetes. There are also open-source code compilers, web servers, media players, and so on—some open source functions as standalone applications, some as deeply buried components for repurposing in different contexts. Some assembles programming languages into executable binaries, some builds software, some analyzes code for bugs, and so on.

The relationships between OSS projects and the larger software world are also complex and widely varying. A useful term here is “depth in stack,” referring to how deeply buried within an overall product or application OSS and other components can be. The most straightforward use of OSS might be in user-facing applications—for example, instead of purchasing Microsoft Word, one might download and use LibreOffice, an open-source word processor that provides largely the same functions as Word.²¹ A similar simple example of incorporating OSS into a project could include an academic researcher writing a data-analysis script in R, a commonly used statistics language. They might include the lines “install.packages(ggplot2)” and “library(ggplot2)” at the top of their script, giving them access to a variety of graphing tools and functions as they analyze a dataset.²²

Figure 4. Buried OSS relationships

Other instances of OSS reliance run far deeper and are more challenging to map out. A user in the simple act of watching a show on Netflix relies on an immense variety of OSS, from the streaming platform’s own open-sourced projects to the guts of the underlying Amazon Web Services (AWS) cloud instances,²³ which include server operating systems, container orchestrators, and innumerable component services. The log4shell incident highlighted just how deeply buried OSS dependence can be and, accordingly, how challenging the task of identifying dependence is. One report found that 60 percent of log4j uses were indirectly rather than directly implemented, challenging remediation efforts.²⁴ One study by Qualys found that as of March 2022, some 30 percent of log4j instances remained unpatched.²⁵ This pattern holds across the ecosystem, where dependence is rarely obvious and easily identified when OSS components lie buried beneath indirect relationships and obscure references.

While all the above mainly considers the open-source ecosystem through the lens of the code, keeping its human basis in mind is critical. Members of the open-source ecosystem can wear many hats, from running a hobby project to integrating OSS into industry products in their day job, often moving between different communities, contexts, and ecosystems. Even the common roles for a given open-source project are fluid—a developer might open-source one of their projects and act as its maintainer while they continue to contribute.²⁶ Down the line though, either from lost interest in the project or not enough time to dedicate to its maintenance, a developer might call in a well-known contributor as a maintainer, either transferring the project over entirely or creating a team of maintainers. Different communities rely on different governance models, from maintainer-controls-all to elected positions for a project or select individuals relied upon for commit reviews. These OSS participants also distribute geographically, their contributions enabled by the foundational transparency of the ecosystem.

It is helpful to frame open source as many different, interacting ecosystems. They evolve, respond to stimuli, compete, collaborate, have cultures, and follow norms. Actions that impact an open source ecosystem can have ripple effects beyond that ecosystem – and beyond the world of proprietary technology or even technology altogether.
Julia Ferraioli ²⁷

While OSS directly invokes “the code” and its developers, there also exists a staggering array of intermediary entities supporting and shaping the software side of things. Code hosts (sometimes called “forges”) store the actual code in either public or private repositories—for example, Microsoft’s GitHub, though there are myriad other hosts.²⁸ Registries or indices, like Node Package Manager (npm) and the Python Package Index (PyPI), record official versioning and documentation for some packages, though their code might reside on a code host like GitHub or be mirrored there. Package managers like Python’s Preferred Installer Program (PIP) are the tools that, starting with a user command, retrieve the necessary code from a repository. At the more human level, nonprofits—many of them business leagues, like the Linux Foundation or Open Source Collective²⁹—provide financial support for programs, and others, like the Open Source Initiative, manage licensing definitions.³⁰ Some groups might provide security tooling or developer support to specific projects—for instance, the Alpha-Omega project assists maintainers of critical open-source projects.³¹

Figure 5. Maintainer and contributor relationship

All this is to say that the open-source ecosystem is complex. With that complexity comes disagreement, and assuming consensus among the ecosystem’s participants is an oversimplification similar to presuming that the code is uniform and governance structures straightforward. Some of the key debates among OSS communities will have direct policy implications. Some maintainers worry about where their projects might end up used,³²some are wary of corporate involvement in the space shaping project direction and governance,³³and others see OSS as a path toward a digital right to repair.³⁴ The survey conducted for this report reflects this diversity in priorities well. What respondents considered the greatest source of risk for the OSS ecosystem ranged widely, including technical concerns about memory-safe languages, practices for transferring project ownership, government overregulation, misunderstood or disregarded OSS community values, unknown and deeply intertwined dependencies, the insufficiency of economic models, maintainer burnout and overburdening, and even maintainer sabotage. Similarly, there was little consensus on what metric best captured the overall health and well-being of an open-source project community, with the number of active contributors and maintainers being the only standout answer, and not by a wide margin. As a policy report first and foremost, many of these discussions are out of scope here, but they are nonetheless important to policymakers.³⁵

Figure 6. Survey response

3. OSS as infrastructure: Three analogies

Defining infrastructure

Infrastructure rests as the “…vitally important, if not absolutely essential…” component that enables people to thrive, to create, and to build.³⁶ Infrastructure is the underlying plumbing under great ideas. Some definitions lean toward the tangible, roads, bridges, software code, and computer networks. Others emphasize the economic categorization—infrastructure as a public good. However, not all kinds of infrastructure fulfill the strict economic definition of being both non-excludable and non-rivalrous entailed.

Even physical infrastructure is not so easily defined and sees a significant amount of “know it when you see it” classification—for instance, the Cybersecurity and Infrastructure Security Agency (CISA) lists sixteen critical infrastructure sectors, with the selection criteria emphasizing critical far more than infrastructure.³⁷ OSS is present within traditional critical sectors, serving as infrastructure in a very literal sense.³⁸ For this report’s purposes of guiding policy, significant similarity between OSS and infrastructure is sufficient, and there is plenty to find.

First, OSS handles many of the digital world’s unseen, “nitty-gritty” tasks upon which the larger digital ecosystem relies. Take, for instance, any of the following: OpenSSL, OpenStack, Kubernetes, the GNU Compiler Collection, BIRD, and Linux running on most large internet servers—all these functions are core to digital services and largely hidden from end users.³⁹ Another striking example is cURL, which stands for client Uniform Resource Locator (URL) and pronounced curl informally.⁴⁰ It is a command line tool and library to handle data transfers, residing within internet servers, gaming consoles, automobiles, operating systems, smartphones, and more.⁴¹ Consumers rely on digital systems for communications, financial transactions, transportation, healthcare, and other vital services—and many of those digital systems rely on OSS.

Second, beyond this necessary but less visible support, both OSS and physical infrastructure scale massively beyond their immediate surroundings, enabling huge swathes of the economy, end-user products, and more. One frequently cited report from Synopsys found that 78 percent of code in surveyed codebases was open source, while 97 percent of codebases contained at least some OSS.⁴² Buried in the settings of every iPhone (Settings > General > Legal & Regulatory > Legal Notices) is a four-thousand-line-long, barely navigable list of all the licenses declared by the phone, many of which concern the open-source components it relies on—including, in iconic OSS style, “‘THE BEER-WARE LICENCE’ (Revision 42)…As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return.”⁴³

Third, much of what physical infrastructure accomplishes happens out of immediate public view and is easily taken for granted, despite its centrality to a smoothly functioning society. Rarely does the end user think of complex tangles of transmission lines, transformer hubs, and powerplants when flicking on a light switch—except when the lights stay dark. Similarly, most end users are unaware of the role that OSS plays in the digital systems that underpin their daily lives. Likewise, that dependence remains underappreciated until disruption of the end service.

Fourth and finally, the variety of forms of “ownership” or stewardship of OSS mirror the complex web of federal, state, local, and private ownership of physical infrastructure. In physical infrastructure, some sectors see almost complete federal ownership, some feature neat division among state or local governments and industry, and others rely on the many distribution patterns in between these.⁴⁴ For OSS, some projects are individually maintained, others housed in nonprofits or funded by foundations or trade organizations, some with support from large information technology (IT) vendors, or even maintained and curated by for-profit companies, and more. Some technology companies develop software projects in-house before “open sourcing” them out into the world. The variety of governance models in both domains requires careful, targeted, and flexible policy.

Industry players have repeatedly emphasized that OSS insecurity largely reflects the challenges of securing any kind of software—vulnerabilities are inevitable and agnostic to licensing.“⁴⁵ The US government, meanwhile, has focused its most prominent efforts on OSS through a security lens—the first bill in Congress addressing OSS as an ecosystem, S.4913, is the Securing Open Source Software Act of 2022, and congressional testimony, and other spurts of government attention tend to react to security incidents like log4shell and Heartbleed. In one dataset of OSS government policies, security and modernization were the two most popular stated purposes for US policies related to OSS, with security holding the majority in the proposed legislation.⁴⁶

This security focus does not and should not imply that OSS is in any way less secure than proprietary code. The two are not so easily distinguished, and the ability of anyone to review OSS for vulnerabilities should, at least in theory, make it more securable, if not secure, than obscured proprietary software. Rather, the fact that OSS underpins so much software and modern infrastructure means that its security, which is subject to some different incentives and forces than proprietary offerings, is of notable importance. This is like how CISA focuses on securing infrastructure not because it is innately insecure, but because it is critically important to the national interest. OSS is already as commonplace, structurally critical, and hidden from end users as rebar inside the reinforced concrete of a bridge span. It is equally critical, mundane, and—in some circles—unappreciated as the water treatment plants which ensure healthy drinking water or the catenary wires above an electric train. Where that criticality exceeds the ability of other policy levers to create change, a security lens helps prioritize action and investment, especially when shaping industry behavior.

Three analogies

Treating OSS as infrastructure also invites other forms of engagement without exclusivity. While some governments might focus on supporting the security of OSS insofar as it is infrastructure, others can focus on investing in it for the holistic benefits to society or for the influence it might provide their countries in shaping the future social impact of important technologies. Infrastructure corresponds to investment and provides a ready framework for international cooperation. An infrastructure framing allows stakeholders to hold independent priorities under common, unifying principles.

Different characteristics of the OSS ecosystem evoke different kinds of infrastructure. This section describes the report’s ensemble model: three analogies each mapping from principles shared by open source and a form of infrastructure to offer policy takeaways for the open-source ecosystem. Each analogy uses the language of tangible infrastructure alongside real-world policies that invest in, and support, this infrastructure. The table below summarizes these shared principles, infrastructure comparisons, and policy takeaways, in addition to the broader commonalities between physical infrastructure and OSS noted so far.

None of these analogies is complete on its own. Taken together, they present a practical view of much of what makes OSS work and work well at that. The takeaways intend to steer policymakers toward practical, considerate models for policy action shaped by lessons previously learned and concepts properly ordered.

Figure 7. Table of shared principles of infrastructure and open source

This section also provides several direct models for the beginnings of government support for OSS—these are not prescriptive policy recommendations but rather tangible examples of how the investment of funds and other resources can help better support OSS. These models highlight effective parallels to OSS policy challenges either through the problems and questions they address, the intervention strategies they offer, the systems dynamics they navigate, or some combination.

Water management systems

Water management and distribution systems share two crucial characteristics with the open-source ecosystem. Most visible are both systems’ continuous, directional relationships. Software development speak already roots itself in hydrologic nomenclature. The “upstream” and “downstream” relationships borrow from literal descriptions of rivers to describe how choices along supply chains impact different participants. Often, though not exclusively, these relationships explain the trickle-down impact of upstream incidents—for instance, the downstream users exposed to the recent log4shell vulnerability, or when the deletion of a little-known package called left-pad briefly broke websites across the world.⁴⁷ For water management and distribution systems, an upstream issue with a dam might impact water levels downriver, or changes in weather patterns might disrupt aquifer replenishment, causing shortages for downstream users, whether industrial, agricultural, or otherwise.

Figure 8. Water management and open source

This straightforward language about chains of dependency and shared exposure also describes another similarity between water infrastructure and OSS: the obligation of its users to contribute to the sustainability of the larger ecosystem, from statewide apportionment of the Colorado river to agricultural collectives deciding on the usage of local aquifers. For both water and OSS, a relatively small subset of users relies more heavily on shared resources than others. Hydroelectric facilities and large farms can use more water in an hour than an average household does in a year.⁴⁸ Likewise, massive IT vendors ship widely used products incorporating numerous open-source projects, while a researcher might rely on only a handful of packages aiding in statistical analysis.

While the policy solutions to protect the sustainability of water and the security of OSS do not map perfectly—a hard quota on industry use of OSS makes little sense. For example, as OSS is a non-rivalrous resource, the general ethos is critical: the largest users carry the largest obligations (and capacity) to contribute back to the sustainability of the ecosystem. Just like growing populations and a changing climate mean that water consumers and policymakers need to invest in conservation and sustainability,⁴⁹the growth and increasing criticality of the OSS ecosystem means that OSS consumers and policymakers must understand that the availability and innate usability of the underlying code cannot be guaranteed without support. Few expect that water taken directly from a stream or pond be immediately potable. Neither should consumers assume the security and independent governance capacity for OSS projects as pulled into products without some level of security assurance and code review. Again, not because OSS is any less secure than proprietary offerings, but because it is all too likely that projects were developed without specific consumer usage in mind, and therefore, consumers should not expect them to cater to their exact management needs. An overriding principle of open-source licenses is that this code is delivered “as is.”

Water infrastructure also highlights the immense varieties in use, governance, and creation in the open-source ecosystem. Just as water fuels textile production, energy generation, and individual consumption alike, OSS has a wide variety of use cases, including hobbyist tinkering, academic research, internet functionality, and business- and product-critical operations.Open source and water management systems also feature large networks of intermediaries between easily conceptualized endpoints (e.g., developer and end user, mountain spring and sink faucet). Water does not just flow, uninterrupted, from a stream or spring into a residential tap, but instead twists through a series of reservoirs, canals, treatment facilities, and plumbing. In the same way, much OSS finds itself incorporated into software projects, those projects into others, and over again through other projects maintainers, repository hosts like GitHub, private mirrors within companies, curators like Red Hat, auditors like the Open Source Technology Improvement Fund (OSTIF), transitive dependencies of other projects, and more before ever reaching a user.

Many OSS stakeholders worry that government investment and support will bring onerous obligations and regulations for developers,⁵⁰whether in the form of liability or excessive documentation, that risk dissuading developers from providing open-source systems. Water management systems provide a clear parallel example of an alternate approach. In the same way that companies and individuals do not assume the purity of water in unknown streams or springs, neither should they assume that volunteer developers, often uncompensated for their work, have provided perfectly secure code and will bear total responsibility for repairs and upkeep. Most open-source licensing bears out this relationship, including something to the effect of the Apache 2.0 license’s phrasing: the “licensor provides the work (and each contributor provides its contributions) on an ‘as is’ basis, without warranties or conditions of any kind.”⁵¹ OSS users, especially the largest and best-resourced, should bear more of the responsibility for supporting the security, and appropriate selection, of open-source software, rather than using blithely and thereby trusting warranties never promised. Among more mature OSS consumers—particularly large IT vendors—this relationship is well realized, with vendors like Microsoft, Google, and others investing significant funds and developer time into the OSS ecosystem.⁵² Governments can participate in similar relationships by funding OSS development and potentially even contributing to projects themselves, setting an example that may spur other large entities to act in kind.

The similarities between water management systems and OSS, including directional dependence, complex webs of intermediaries, and the need for sustainable usage, suggest a paradigm for policymakers weighing potential engagement with the open-source ecosystem. Considering directional dependence prompts a more accurate understanding of the importance of intermediaries in OSS as well as a better starting point for understanding the criticality of different OSS components and how to preempt costly incidents. Instead of expecting open-source software to be perfectly stable, well-maintained, and fully secure upon import, OSS consumers can continue to take more responsibility for their usage and all its benefits, consequences, and attendant obligations. Considering those connections also emphasizes the existing network of intermediaries between developer and end user, which government must engage with rather than disrupt. Finally, the water-management comparison emphasizes that a sustainable ecosystem requires a proactive relationship between large users and the source; an affirmative responsibility to contribute back to the ecosystem. Organizations with high expectations for, and dependence on, OSS be they public or private sector should devote substantial resources to supporting the relevant communities in meeting those expectations. Failure to do so will leave the OSS ecosystem perpetually under-supported and increasingly unable to support more complex and systemically critical use cases. The notion that open source might become unsustainable because of such overuse, or integration to critical applications without responsible consideration, would imperil the benefits of OSS to all.

Nevada Water Legislation: Mandate responsible use

Regulations surrounding water use, allocation, and sustainability in the United States are largely the purview of states or multi-state consortiums.⁵³ Even where the federal government does take a more active role in water safety standards, such as with the Clean Water and Safe Drinking Water Acts, considerable room for state governments to take the lead exists, by design.⁵⁴ Water management legislation in Nevada, the country’s most arid state, offers two examples of policy vehicles well-suited to the OSS ecosystem: Senate Bills (SB) 47 and 74, both passed in 2017. First, in SB 47, Nevada adopted the stance that “it is the policy of this State…To manage conjunctively the appropriation, use, and administration of all waters of this State, regardless of the source of the water.”⁵⁵

From the OSS perspective, this is a straightforward acknowledgment of how usage drives criticality—that, regardless of the source of code or water, effective policy lies in governing where and how software is consumed as much or more than how it is developed. In this sense, for OSS particularly, policymaking that takes the existence of OSS as it is rather than aiming toward an unrealized ideal for the code itself is useful, and it is particularly well met by Nevada’s situation, whose primary sources of water generally originate in other states.⁵⁶ SB 74 offers more concrete guidance, requiring water suppliers—here, analogized to OSS intermediaries—to develop water conservation plans,⁵⁷with some additional requirements for larger providers.⁵⁸

Both SB 47 and SB 74 put a large burden for the sustainability of the state’s water use on intermediary water suppliers—ostensibly those pulling water from its sources and sending it to users for various “municipal, industrial, and or domestic purposes” downstream.⁵⁹ For OSS, this compares with ensuring responsibility lies with those who take open-source packages and use them in downstream applications, rather than expecting the river of OSS itself to be clean and self-sustaining to a degree sufficient for uses outside its control (or even on the repositories, similar to aquifers and reservoirs here). These bills focus on water suppliers not just as the users of the resource but the intermediaries with much sway over the connective infrastructure, specifically calling out their role in developing “standards for water efficiency for new developments” and reducing leaks among other provisions.

There is no shortage of OSS,⁶⁰but insofar as conservation serves as a synonym for sustainable use, federal OSS policy can draw on this framing. A policy pivot away from just assessing the risks of using OSS—say as required by many conventional supply chain risk management programs—and toward broader models of enforcing responsible use might include recommending an explicit Sustainable OSS Usage Plan as a signal of large OSS users interacting responsibly with the ecosystem, inclusive of managing their risk posture but also deliberate, systemic efforts to identify and support communities around critical OSS dependencies. There is much to be gained in shifting the focus of OSS policy to improve security from the developers and their code (“the source”) to the framing of aggregate usage, reliance, and responsibility.

Moreover, the specific requirements of the Nevada conservation plans amount to a call for suppliers to explicitly understand their place and role in the larger ecosystem. Regarding intermediaries, more policies both from government and industry might focus on the ability of large code-hosting platforms to leverage their platform as natural bottlenecks in the ecosystem (as the means for many to access repositories and store their code) to provide useful tooling at scale to OSS communities.Some of this work is underway, and this is not a claim that it is insufficient but rather a call for policy to capitalize on those points of outsized returns on tooling investment and integration. Importantly, this is not a call for platforms to be responsible for the safety of all the code they host, but rather useful in the distribution and usability of tools to projects—to provide tools and capability for responsible use and security conscious development. In line with the water analogy, consideration of the context of different use cases is key—just as water powering hydroelectric dams need not be drinkable, different use contexts imply different support obligations and maintenance standards.

Good Samaritan Initiative: Limit liability for volunteers

Federal water law, meanwhile, has useful models for encouraging external support for the OSS ecosystem—specifically, unmaintained dependencies. The Environmental Protection Agency’s Good Samaritan Initiative helps facilitate the cleanup of abandoned mines, a significant source of water pollution, with over half a million abandoned mines estimated throughout the country.“⁶¹ Volunteers assist in the cleanup of these abandoned mines, providing a great benefit to their communities, which often rely on the same water impacted by the pollution. The Good Samaritan guidance protects those volunteers explicitly from liability for their efforts, effectively lowering the bar to entry for helpful ecosystem contributions. Some federal programs go further by directly funding cleanups of water systems, though these often come within larger spending packages rather than pulled from specific funds.⁶²

There are two OSS parallels here: unmaintained projects, and organizations doing support work (e.g., security auditing or incident response support). On the former, a Tidelift study in 2019 found that between 10 and 20 percent of common OSS packages lacked active maintainers, posing obvious security and sustainability challenges, and arising likely as a symptom of limited developer time and resourcing.⁶³ Organizations that support OSS projects are just an extension of this parallel beyond the common language of abandonment.

Government and industry might help improve the overall OSS ecosystem’s health through incentives for Good-Samaritan-style engagement and by continuing to maintain the widely understood protection for OSS developers and maintainers against liability arising from the downstream uses of their components. This comparison points to the importance of policymakers vetting proposed policies relating to security requirements for OSS to ensure they do not create additional compliance-related liability for OSS developers, contributors, or maintainers, which might paradoxically deter individuals and organizations from contributing to the OSS ecosystem.

In addition to liability protection, an OSS policy equivalent could emphasize broader support and investment by funding external support groups (much of which already takes place through the private sector), guiding them toward critical under- or un-supported projects, and rewarding and aiding the “adoption” of orphaned projects still in use. There has already been some consideration of these approaches outside the public sector, such as the Alpha-Omega project and several academic studies⁶⁴— providing the basis less for reinvention than for renewal of government support as part of a broader engagement with the OSS ecosystem.

Environmental regulations, including water management systems, in the EU are guided by the “polluter pays principle,” which states that polluting entities should be responsible for costs like pollution control and prevention.⁶⁵ The principle encompasses a wide variety of regulations targeting different industries including agriculture and manufacturing. The types of cost for which polluters are responsible also vary, funding anything from cleanups of pollution they caused to investigations and permitting efforts. The principle is explicitly included in several important pieces of regulation, such as the Water Framework Directive and Waste Framework Directive.⁶⁶ Not all regulation is in line with the principle yet, but its inclusion in recent regulatory efforts and role guiding future policy demonstrates the EU’s emphasis on ensuring that those who use natural resources, resulting in their degradation, pay for the consequences of their actions so the public need not foot the bill.

Capital markets

A critical feature shared between financial markets and the open-source community is that both liquidity and OSS act as enabling inputs to a wide variety of other industries. Financial backing and loans from investors enable businesses and individuals to raise capital to overcome initial fixed costs, which is vital for getting businesses off the ground. Similarly, OSS allows businesses and individuals to save vast amounts of time and effort that would otherwise be spent re-solving similar problems—a critical input that helps overcome burdensome upfront investment. This enabling-input characteristic is true of many forms of physical infrastructure—in water management systems as noted above, as well as power grids, gas pipelines, transport networks, and more.

Capital markets, however, highlight the relationship between risk and transparency. In capital markets, debt or equity in real-world assets, stocks in companies, and mortgages back numerous financial instruments. Financial actors can manage their risk only by understanding the valuation and risk of these underlying components, and there are many intermediary entities such as ratings agencies that help create and provide this information. The 2008 financial crisis serves as a useful reminder of the consequences of failures in this system—when ratings agencies inaccurately appraised the risk of mortgage-backed securities, huge portions of the financial sector were left holding fundamentally unsound investments believed to be low-risk, leading to disastrous, global consequences.⁶⁷ Without accurate transparency, sources of systemic risk went unidentified, unaddressed, and unmitigated, fueling a financial meltdown.

There are useful parallels for the OSS ecosystem here. Like financial instruments, OSS often serves as the building blocks for other end products. For consumers and producers, visibility into these components is necessary to improve risk-management practices. The entity that assembles a bundle of financial instruments—or a bundle of software that includes OSS components—holds a better perspective than the end user to understand the risks, as well as to know how to manage that risk through investment in upstream packages and projects. More transparency from assemblers can help recipients better understand the components within a product or a project and adjust their incident response and risk-management practices accordingly. The financial sector has developed procedures for assessing and describing risk, due to a combination of regulation, profit motive, and market demand. Industry-led development on tools and data to enable visibility into the use of OSS and other software components are already underway—software bills of materials (SBOMs) offer point-in-time insight into the components in a given piece of software (including open-source components), and ratings systems and metrics platforms like Supply chain Levels for Software Artifacts (SLSA), Community Health Analytics in Open Source Software (CHAOSS), and Open Source Security Foundation (OpenSSF) Scorecards offer aggregated insight into the security posture and maturity of those component projects.

Figure 9. Capital markets and open source

At the systemic level, transparency and visibility into the use of OSS components can highlight where the wider digital ecosystem is leveraged on a small number of critical packages, helping to prioritize support and investment on all fronts. Heartbleed, the left-pad incident, and log4shell illustrate this kind of risk—where disruption in a single upstream component has widespread effects, and in some cases, deep ones.⁶⁸ The Census II report from the Linux Foundation and the Laboratory for Innovation Science at Harvard offers an example of the benefits of such system-scale analysis. The report used aggregated software-composition-analysis (SCA) data to identify open-source components widely depended upon across industry⁶⁹—notably, the report identified log4j, the library impacted by the log4shell vulnerability, as one of those widely used packages (after the incident, unfortunately).⁷⁰

The comparison to the financial sector also offers a model for how government might interact with industry and the open-source ecosystem. As noted, the private sector is already developing many of the tools that will help address risk with transparency. Government’s role in that space is best understood as one that supports and provides appropriate incentives, especially for adoption over prescription—for example, through its procurement policies, rather than supplanting these tools or intensive regulation. As in financial markets, government is well-positioned to guide ecosystem-scale efforts toward a better understanding of aggregated risk concentrations. And, as with financial market data, government may also need to consider how to safeguard data collected for that analysis, which may have proprietary or trade-secret sensitivities. For OSS, a list of critical projects would be as useful to attackers in guiding their efforts as to defenders. Finally, at the most abstract level, the relationship between transparency and risk to the larger system can help guide broad government strategy, emphasizing that transparency and openness are not just rhetorical values but practical tenets of extreme, tangible benefit to the stability of the overall ecosystem.

Financial Stability Oversight Council: Transparency toward proactive stability

Many proposed cybersecurity policies require a substantial level of system knowledge and data availability: they require being able to identify critical OSS packages across entities, the most significant users and beneficiaries of OSS, the overlap between projects that are unmaintained or under-resourced and that are key dependencies, and more. Policy vehicles from the financial sector, particularly those born out of the 2008 crisis, offer models for managing risk through transparency and an ecosystem-scale lens. Formed by the Dodd-Frank Act, the Financial Stability Oversight Council (FSOC) within the Department of Treasury works to “address several potential sources of systemic risk…[by] monitoring financial stability and designating…companies…and utilities as systemic[ally important].⁷¹ Where it identifies systemically important financial market utilities (FMUs), it can subject them to additional regulation in concert with the wide array of relevant government offices and regulators.

A parallel office for OSS would serve to identify projects, dependencies, and even entities that constitute systemically important infrastructure, and, in place of regulations, might offer those nodes of risk more targeted and comprehensive support, coordinating among government cyber authorities and industry, in place of financial regulators. Such a federal office would not need to limit its study to OSS dependencies. It could also contribute to analyzing cyber risk within other complex systems like cloud service providers and critical vendors to government.

Identifying points of risk concentration created by system-scale OSS dependencies points policy immediately toward the next mechanism from the financial system: stress testing. For financial entities, stress testing boils down, in part, to liquidity requirements—minimum asset-liability ratios meant to ensure institutional resilience to market shocks, or more simply having enough cash on hand to cope when things get ugly. For the OSS ecosystem, the first steps toward stress testing might include—once critical dependencies are better identified and understood—by-sector requirements for contingency planning in response to the compromise or degradation of important OSS packages. For example, government might start requiring such risk management of critical infrastructure sectors. This could also include exercises to respond to vulnerabilities in deep-in-the-stack packages or active compromise of developer tools or authentication systems widely depended on by identified software.

Critiques of the FSOC, and the larger Dodd-Frank Act (DFA) of which it is a part, illustrate useful considerations for a parallel body overseeing digital risk management concerning the OSS ecosystem. One notable concern for the DFA was its potential to overburden banks—both compared to other parts of the financial system and compared to international banks not covered by the act—to their detriment.⁷² Crucially for the OSS ecosystem, increasing burdens on open-source project developers and maintainers, already short on time and money, should be a non-starter for any policy. Given the principle that use (rather than the manner of construction) determines the criticality of an OSS project, any responsibilities added to existing regulation will better suit large vendors, and, even there, an OSS FSOC need not create further red tape. Rather, such an entity could focus on gathering data-—perhaps initially focused on the federal government’s most essential digital systems, the process of which could provide insights used to focus later iterations with other entities such as industry-heavy critical infrastructure sectors.

Metric selection is a significant challenge when assessing the risk of OSS projects, requiring careful consideration of both factors that affect a project’s capacity for secure development as well as the levels of dependence on that project across a vast digital ecosystem. When asked about the former, survey respondents for this report were generally split across answers, emphasizing the lack of consensus on key risk heuristics, though they did consistently devalue the number of sponsors, either corporate or individual that a project had and more significantly weighing project popularity, a history of recent vulnerabilities, and community size.

Focus on identifying risk concentrations, over mandating how to address and manage that risk, would also help a potential OSS FSOC equivalent navigate another concern it would share with its financial counterpart, namely, the complexity of the existing network of relevant authorities. The web of federal financial authorities, not to mention the role states play in other portions of that sector, is a challenge for the FSOC to navigate.⁷³ Moreover, the division of powers and controls among federal cyber entities is even less mature. Many key agencies have come into existence only within the past decade. And unresolved and overlapping cybersecurity authorities in the United States remain divided between CISA, the Office of the National Cyber Director, the Office of Management and Budget, sector-specific agencies, chief information officers of agencies, and a variety of other offices and regulators at the federal and state levels. A digital FSOC’s primary focus on information gathering and collation would avoid stepping on the roles and responsibilities of other entities while providing ecosystem visibility to help them regulate more effectively. A mission of identifying nodes of dependence would help avoid messy interagency conflict while still highlighting systemic risk and helping the federal government get its own (cyber) house in better order.

Operating similarly to the FSOC in the United States, the EU’s European Services and Markets Authority (ESMA) oversees European financial markets. ESMA’s four objectives are assessing risks, developing standards for financial entities, ensuring the consistent application of financial regulations across the EU, and directly overseeing specific kinds of financial entities. ESMA releases detailed reports on the European financial markets, with specific releases focused on various securities, derivatives, alternative investment funds, and retail investment products. Like the FSOC, ESMA was created in the aftermath of the 2008 financial crisis as regulators sought more insight into the interactions among complex financial instruments. ESMA focuses more on broader ecosystem risks across the European financial system than on subjecting certain companies or utilities to heightened scrutiny, in line with its advisory role.⁷⁴

Roads and bridges

The titular comparison of Eghbal’s Roads and Bridges report links OSS to critical transportation infrastructure. The comparison draws out key characteristics of the open-source ecosystem, such as the free-rider dynamic and the necessity of consistent, mundane maintenance. The concept of usage driving the need for maintenance deserves particular focus. OSS is used in many varied contexts and is the backbone of most digital technology. Like interstate highways and other transportation infrastructure, open-source software inevitably require maintenance, and waiting too long to address emerging issues can result in a catastrophic incident down the proverbial road.⁷⁵ Responding to individual issues, like the collapse of a bridge or a widely-publicized vulnerability like log4shell, is essential, but is not enough to ensure the stability of the essential infrastructure of transportation systems or OSS. Coupling a recognition of OSS’s essential nature with an understanding that most code is not static and will require additional support over time allows for targeted policies that address the crucial challenges of OSS ecosystems.

Figure 10. Roads and bridges and open source

Relatedly, both physical transportation infrastructure and OSS ecosystems suffer from widely varying support, with no reliable transaction model to capture value from those who use the infrastructure and feed it back to maintenance and support. Eric Raymond identified this issue in The Cathedral and the Bazaar as a discontinuity between sale value and use value—the value of code at the point of transaction vs. its value in use over time.⁷⁶ Roads are costless to use outside of specific toll schemes and yet valuable to their users, especially when well surveyed and maintained. The widespread assumption of availability means that, without sufficient dedicated efforts to overcome this lack of support through consistent maintenance and funding, roads and bridges would collapse due to damage from use, while essential OSS components may degrade in availability or security as their developers fail to receive support commensurate with the criticality of their code.

The roads and bridges analogy also captures well the variety of use within the open-source ecosystem. In the same way that interstate highways receive more traffic than streets in suburban neighborhoods and some roads provide singular access to remote geographies, certain packages are critical due to either the large number of software packages dependent on them or their service of a particularly niche function, while other packages might be relatively less important to the ecosystem due to a lack of widespread use in downstream applications. Importantly, there is no singular way to use any OSS project—each can serve different users and applications differently, much like how roads rarely require or serve a single destination and are agnostic to the route of drivers.

Government has long worked to close resourcing gaps in transportation infrastructure, for example, through the Highway Trust Fund (HTF). While the exact nature of the most useful forms of support for OSS is up for debate—they might include any combination of funding, developer hours, tooling, security auditing, and more—government is uniquely resourced to bolster efforts in closing that gap and help reset market expectations for contribution by the private sector. None of this is to counter or dispute the original Roads and Bridges report. Rather, this report emphasizes the utility of its analogy of choice, adds others to capture different OSS traits, and below strives to connect extant transportation policy to workable OSS models. Figures 11 and 12 capture survey responses to questions on what methods of external support, and investment, for open source projects would be most useful, for open source maintainers/developers and downstream users respectively. The results are notably consistent across both questions, highlighting the link between upstream resources and downstream benefits.

The Highway Trust Fund: Consistent and sustainable support

For transportation systems, the HTF provides an example of consistent funding to maintain critical infrastructure. Maintaining transportation infrastructure requires preventative, systemic investment instead of reactive disaster response; the Highway Trust Fund provides financial support so that bridges do not have to collapse before they receive maintenance. As such, it provides a useful model for how to fund the maintenance of OSS.

HTF funding is spent largely through grants to state and local governments, suggesting the importance of working with existing entities within an ecosystem with regional expertise.⁷⁷ The federal government should not depend only on its own knowledge to identify useful recipients of funding—instead, it should work with industry and the existing web of OSS stakeholders including volunteer networks and paying foundations, relying on their expertise in the domain. Like the HTF, OSS funding could support instead of supplant existing efforts.

The HTF’s explicit focus on construction and maintenance is also a model of a solution for a potential shortcoming in existing OSS funding: several previously mentioned examples of funding intermediaries tend to focus on investing in the development and creation of open-source solutions, but support is also needed for the long-term, less glamorous work of maintaining OSS projects—managing contributions, ongoing security engagement and community governance, and so on. The solution might look like a federal OSS Trust explicitly focused on backing extant projects rather than focusing on spinning up new ones. It might directly pay maintainers of critical projects, as well as support the development of tooling, security support organizations, and other scalable means to support a broader ecosystem of OSS components. Relatedly, survey respondents for this report prioritized tooling, with several specifically calling out automated, scalable solutions, and direct funding to OSS developers as most useful for both OSS project support and downstream security.

Figure11. Survey response

Figure 12. Survey response

It is also worth mentioning the funding source that feeds the HTF: fuel taxes. From an economic perspective, the HTF thus linked (if by happenstance more than economic design) two distinct policy vehicles: a taxed negative externality and a subsidized public good. In a key difference from the HTF’s fuel-tax funding, there is no clear negative externality for OSS usage, and policy should not aim to discourage its use. Instead, it should develop incentives for more responsible usage, such as tax credits for upstream contributions and donations to an OSS fund. Such a model for OSS, a fund supported by consistent contribution premised on use value, would offer another incentive lever for policymakers to encourage large OSS consumers to contribute back to the sustainability of the ecosystem, and could potentially encourage additional industry players heavily reliant on OSS but outside the IT sector to play an increasing role in supporting OSS. These entities might rely just as much on OSS as IT vendors but struggle to mature their own OSS programming and therefore benefit from more general means of upstream support.

Adopt-a-highway: Incentivize direct local support

Transportation policy also provides a useful model for community-specific support. Adopt-a-highway programs are usually state-run endeavors connecting volunteers with stretches of local roads to remove litter. Aside from the convenient marketing phrase—adopt a package⁷⁸—programs linking volunteers to both funding and packages they rely on and benefit from supporting offer another investment vehicle.

Adopt-a-Highway programs have faced challenges with groups seeking to participate in such programs.⁷⁹ While parallel lessons are not as direct here as with the HTF, it is worth clarifying the role of any potential adopt-a-package programs (AAPPs) in OSS. One long-running concern for OSS communities has been the role of large corporations in the governance and direction of open-sourcing products, potentially keeping features behind a paywall with forked proprietary code or swamping independent projects with their sheer volume of contribution.⁸⁰While the appeal of adopt-a-highway programs often lies in the optics of supporting local infrastructure, AAPPs can have a more practical purpose—they should instead focus on enabling and regularizing vendors substantively supporting the OSS projects they rely on, a practice already practiced in some isolated examples in the IT industry, with public recognition a secondary concern. There is a material benefit to these kinds of relationships, from component familiarity to better- managed and -resourced projects. Moreover, any implementation should healthily delegate to industry, which can better identify what projects require support.

Challenges that the HTF and adopt-a-highway programs have encountered can help pave a path forward for similar investment in the OSS ecosystem. The HTF, funded mainly by fuel-tax proceeds, has faced solvency crises requiring congressional intervention.⁸¹ Concerns about the source of funding are pertinent to any potential federal OSS fund. Fortunately, some key differences between OSS and physical infrastructure help here. Road construction is slow and disruptive, but maintenance of OSS projects and support for their developers less so in helping with popularity of investment. While ROI studies for OSS and highways are somewhat spotty, the estimates for OSS ROI are promising if realized,⁸² in addition to the knock-on benefits such investment might provide to national security concerns, workforce shortages, and more. Meanwhile, some OSS incidents can be directly connected to shortcomings in support,⁸³ from unpaid developers pulling down widely used packages to small teams challenged with vulnerability identification and remediation at scale.

Finally, while valid concerns about investment in transportation projects leading to government “picking winners” exist,⁸⁴ the OSS ecosystem indeed already has winners—projects meriting investment by virtue of either their ubiquity, criticality, or both—and there is much benefit to security in identifying those projects to begin with, as noted above. Moreover, the extant field of governance and support infrastructure from industry, nonprofits, and philanthropy already prioritizes some projects and modes of support over others—by necessity and often with more expertise and domain-specific knowledge than currently available to the federal enterprise. Working with and through those entities, rather than in parallel or at odds with them, and focusing on support and maintenance as much or more than project creation is a promising avenue for avoiding the lived shortfalls of some physical infrastructure planning.

These tangible policy vehicles all aim to make the three OSS as infrastructure analogies more readily useful, adding concrete intervention models and consideration of past challenges to the guiding principles and high-level characterizations of the OSS ecosystem already provided. The following section discusses a sampling of existing or proposed initiatives for policy engagement with the OSS ecosystem before converting the analogies into direct recommendations, primarily for government with some items including significant public-private coordination or giving the reins to industry.

Outside the United States, transportation infrastructure also faces a disconnect between the assumption of availability and the lack of support from those depending upon it. To overcome this gap and ensure essential infrastructure is maintained and reliable, the EU has several large funds that provide grants to build or maintain roads and other components of the transportation system. The Connecting Europe Facility (CEF) targets cross-border transport infrastructure, while the Cohesion Fund (CF) provides additional funding to countries in the EU with a Gross National Income per capita below 90 percent of the EU average. These funds help create consistency across the transportation infrastructure of the EU’s member states—difficult to ensure without a coordinating central entity. The CEF and CF are part of the EU’s sustainable development efforts, with both funds committed to ensuring that the infrastructures they build and maintain are energy efficient and cause minimal environmental impact. Though they spend toward slightly different project sets than the HTF—for example, the CEF also supports telecommunications and energy projects—the underlying principle is the same: infrastructure projects generally do not arise sufficiently from industry alone.⁸⁵

4. Real-world infrastructure policy for OSS

The open-source ecosystem and its many stakeholders have long recognized the need for sustained, stable support to projects and responded with the creation of nonprofits and institutions to provide that. Government support, tailored to both community needs and government priorities such as security or innovation, can provide robust, stable backing for the existing patchwork of organizations and projects in the OSS world. This section describes several existing policies for governments to take inspiration from and work with rather than assuming the whole burden of reinventing the wheel of OSS policy.

This section samples relevant policies—sourced principally from the Center for Strategic and International Studies’ (CSIS) newly updated dataset, Government Open Source Software Policies⁸⁶—in three categories synthesized from the three analogies above: government support and funding, ecosystem risk practices, and responsible use by OSS consumers. The CSIS dataset also described other kinds of policy outside these three categories—some establishing offices within governments dedicated to managing various OSS functions, often termed Open Source Program Offices (OSPOs), some requiring the open-sourcing of government-developed data and solutions, and others describing procurement practices.

Government support and funding

Policies establishing government support and funding for OSS were the most common of the three categories discussed here from the CSIS dataset, though there were still relatively few instances of these compared to the many procurement advisories and requirements it contained. Support for open-source projects in many ways is a natural extension of several government priorities—a search for non-proprietary solutions, support for acquired systems, and the logical conclusion of education and training programs—so their relative abundance makes sense. However, the fact that more policies discuss OSS procurement than OSS support is telling—just as in industry, it seems that governments are using OSS more than they are contributing back. The reasons for usage are often clearly laid out: “to reduce the dependency on proprietary software,”⁸⁷ to reduce costs,⁸⁸ and to improve interoperability. Approaching OSS as infrastructure adds depth to this discussion—there are great benefits to using OSS solutions (and recognizing the vast majority of proprietary code incorporates OSS as well) and that usage creates a need to support the underlying projects. Though government support lags government usage, there are some models of supporting OSS projects—even those not acquired and used by government—that can help create the increased market choice so many procurement policies seem to desire.

In Germany, several organizations work to channel government funding toward OSS projects. The German Ministry for Economic Affairs and Climate Action funds Germany’s Sovereign Tech Fund, which launched a pilot round for funding open digital infrastructure in October 2022,⁸⁹ and the Prototype Fund which supports public interest technology—requiring that it be made available under open-source licensing—with investment coming from Germany’s Federal Ministry of Education and Research.⁹⁰

There are nascent efforts in the United States too: the National Science Foundation’s Pathways to Enable Open-Source Ecosystems solicitation program launched in May 2022 to support governance organizations at the ecosystem level.⁹¹ The Open Technology Fund receives funding from the US Agency for Global Media among other entities, part of which goes toward “advancing global Internet freedom” through supporting open-source projects relevant to its mission.⁹² NASA’s Open-Source Science Initiative funds and adjusts policies to encourage open and collaborative scientific processes, including through supporting open-source software and related infrastructure.

More broadly across the world, a 2013 Argentinian policy established a fund with over $2 million in initial backing to build OSS projects.⁹³The Austrian government, in 2016, offered prizes of up to €200,000 for the OSS projects in various categories—the first round of funding shelled out €3.6 million across 31 projects.⁹⁴ One fund in Malaysia, set up in 2003, allocated $36 million for start-ups developing OSS, but further information on the project is scant.⁹⁵ These funds often support the establishment of OSS projects fulfilling an established need. While the support is generally useful, it is worth noting that as important as funding project creation is, supporting existing projects, in the long run, is even more vital to the long-term sustainability of the ecosystem.

Ecosystem risk management

Though no government policies in the dataset explicitly focus on assessing ecosystem-wide risk in the OSS world, interest in dedicated open-source offices provides a possible avenue toward this activity. Recently, governments have begun turning an eye toward formal offices dedicated to the many open-source activities they may undertake, such as project support, license compliance, security evaluation, incident response, public awareness, and providing clear points of contact for government employees and OSS developers. These OSPOs originate in industry as departments for coordinating all manner of open-source efforts.⁹⁶ The World Health Organization recently established an OSPO, for example,⁹⁷ and the European Commission’s Open Source Software Strategy for 2020–2023 includes establishing an Open Source Program Office within the commission to implement relevant OSS actions of the strategy.⁹⁸

Other governments are focusing on information gathering. This year, the Japanese Ministry of Economy, Trade, and Industry released a report from a task force studying Software Security, which studied private sector reliance on OSS. Government initiatives that study the open-source ecosystem can provide crucial information which can then guide future investment and support of OSS.⁹⁹ Similarly, the proposed bill S.4913, the Securing Open Source Software Act of 2022, includes a requirement for the US government to conduct a study assessing its own reliance on OSS as well as its ability to accurately track those dependencies either through SBOM data, existing government programs like the Continuous Diagnostics and Mitigation (CDM) program run by CISA, and other sources of information.

Responsible use

Policies that focus on patterns of responsible use in the OSS landscape were scant. One Armenian document concerning the country’s principles of internet governance noted that the central role of decentralization in the development of the internet, specifically regulation on OSS, should be light, if necessary, at all.¹⁰⁰ Other instances of policy embracing the cultural values of OSS also exist, and the preference of governments to open-source their own solutions and code is notable. However, an explicit discussion of incentive and responsibility structures in the OSS ecosystem is somewhat lacking. Notably, White House conversations about the forthcoming National Cyber Strategy have not included any new mechanisms to explicitly support OSS, addressing little more than a carve out to protect OSS developers from any potential liability regime: a good and warranted item but underwhelming against the totality of need in the ecosystem.

While government policies for OSS exist, they focus more on the government as a consumer than as a regulator or supporter. Government procurement preferences seem driven by a desire for autonomy from large vendors and expensive licenses and patterns in little procedural upstream contribution. Though some funding models exist, by and large, government policies explicitly addressing OSS seem to focus on what government purposes it can serve and what transparent values it might inspire in government practice.

5. Crafting infrastructure policy for OSS

OSS is really not much different from proprietary software: all code can be developed more securely, and the security risks OSS faces are common across most digital systems. For OSS the differences come in the relationships between open-source consumers—from government to the private sector to end users—and the projects they rely on. The lack of clear transactional relationships and the deeply influential role of the diverse, ever-changing contributor community are a challenge for policy and industry to navigate and support sufficiently. The result is an ecosystem that has both enabled digital innovation and often suffered from overburdened developers and under-resourced communities and projects.

Encouraging sustainable OSS participation

The recommendations of this section aim to use policy levers and industry collaboration to provide models for sustainable usage of and support for the OSS ecosystem, emphasizing responsibility driven by usage.

Start by improving government consumption

In the United States, the federal government is not just a regulator but also an enormous consumer of OSS. This enormous use case provides a valuable opportunity for the federal government to test many of the recommendations below on its codebases, which is of immediate benefit to the federal enterprise. If the federal government is to truly assign as much importance to the OSS ecosystem as it has recently signaled,¹⁰¹ it might consider creating institutional entities with an explicit mandate to focus on the federal government’s use of and support for OSS, modeled after OSPOs recently established by other organizations. For the United States, a whole-of-government OSPO-like entity could be established within OMB or (with a focus on government procurement) the General Services Administration (GSA). Alternately, OMB and GSA could provide a coordinating function for smaller OPSO-like entities established in each agency. Such a program could take inspiration from the OPEN Government Data Act, which requires the designation of Chief Data Officers within federal agencies,¹⁰² by requiring agencies to designate a Chief Open Source Officer (COSO).

In addition to setting agency policy around the use of OSS and managing relationships with relevant OSS communities and vendors, agency COSOs could also contribute to a whole-of-government OSS strategy through a structure like an inter-agency Chief Open Source Officers Council, modeled after or housed within the Chief Information Officers Council. S.4913, if enacted into law, would pilot OPSO-like programs in the federal government by directing OMB to select agencies to create pilot OSPO-like entities to develop standards for their agency’s use of OSS and engagement with the OSS ecosystem.¹⁰³ EU member states, where collaboration with the OSS community and consumption of OSS similarly need not tie as closely to cybersecurity regulators, could well replicate this model.

Regardless of whether they have an OSPO, or an existing commitment to OSS consumption and development, (in the United States, see entities like the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA)), all agencies should also encourage and fund travel to OSS community forums for government employees engaged with software development, procurement, and/or technology governance. The social graph of a project defines OSS development, maintenance, and growth. The security of this code and its sustainable integration into government software projects would benefit greatly from wider government employee participation in the myriad conferences and governance bodies that populate the OSS ecosystem. While this may be a practical challenge for some defense and intelligence organizations, it is an important, meaningful way to integrate government needs and contributions more fully into OSS communities and help identify risks and opportunities for sustainable use.

Support private-sector consumption

Develop an OSS Usage Best Practices framework through the National Institute of Standards and Technology (NIST) with significant industry input. Such a framework could include and build on the proposed OSS risk assessment guide recommended by S.4913.¹⁰⁴ However, it should also incorporate consideration of upstream contribution as a foundational measure of organizational maturity around OSS usage. Included among its recommendations should be an organizational plan for sustainable OSS use.

This document would serve as a reference for further policy attempts to incentivize investment in OSS sustainability. For example, government procurement processes could include consideration of for-profit vendor compliance with the NIST OSS Usage Best Practices framework. By framing compliance as a consideration rather than a hard mandate, the goal would be to incentivize for-profit providers without precluding nonprofit and individual contributors lacking the resources to develop a compliance program. A similar framework, which considers financial contributions to upstream projects, could help guide the application of tax credits used to incentivize donations.

Industry, as well, could take a leading role here, developing a common, voluntary OSS-engagement plan across entities under the auspices of a coordinating nonprofit such as OpenSSF. Important too would be including non-IT companies in these considerations. Though understandably less fluent in the technology sphere, large industry manufacturers and other corporations nonetheless have a considerable dependence on OSS projects. Where such large, non-IT companies have their own robust IT resourcing and capacity in-house, they too should build and contribute to models for risk management based on discarding the assumption of availability or functionality of critical OSS packages.

A NIST guide on best practices for OSS usage could also help guide federal developers and agencies in their relationships with vendors, key projects, and larger risk-management practices. Further, federal developers’ and procurers’ experiences with using such a framework could help inform future iterations of the document and bring industry best practices more fully into the federal enterprise.

Protect OSS Good Samaritans

Private-sector firms with existing investments in the open-source community (e.g., Google, Microsoft/GitHub, and IBM/RedHat) and well-established OSS governance and security organizations (e.g., OSI, the Open Source Collective, OpenSSF, and the Internet Security Research Group) should lead on drafting a best-practice standard for contributing to and supporting OSS projects. This document should help define the standard of care associated with volunteer contributions. This standard is not a form of liability protection but a way for firms to design policies encouraging volunteer contributions to OSS packages in a way that best meets corporate risk appetite. These volunteer commitments are an important way to contribute back to OSS used by companies and are a form of contribution-in-kind to support packages used by others.

Addressing systemic risk

The rapid pace of digital innovation and the informal relationships between OSS dependencies and their downstream beneficiaries has led to a digital ecosystem prone to stacking risk in a relatively small number of critical OSS projects, and created challenges for nonprofits, governments or companies seeking to obtain visibility into those points of concentration. These recommendations aim to align government and industry in systematically identifying key dependencies meriting direct support and investment without adding undue regulatory burden. These recommendations take inspiration from the FSOC and ESMA entities in the capital markets analogy.

Establish an Office of Digital Systemic Risk Management (ODSRM)

Modeled after the FSOC or ESMA described above, a central government office would, in close cooperation with industry and OSS community stakeholders, work to identify critical OSS dependencies both in the federal civilian agencies and across critical infrastructure sectors. This office might eventually mature from identifying these points of concentration to stress testing their compromise (either malicious or otherwise) and the related, wider ecosystem effects, modeling and exercising through variations on future log4shell-style events using real-world dependency information.

In the United States, this office should have broad authority to draw on federal expertise wherever it might reside, from the National Security Agency to CISA, and focus both on identifying specific critical OSS projects or systems and methods for producing and collating dependency data that can highlight nodes of risk. Such data might, for instance, include pooling SBOMs provided to government during its procurement processes. Given the large mandate this office would eventually assume, implementation might best start in pilot programs focused on mapping out the dependencies of one or more federal IT systems. Existing programs to map Federal digital assets and existing Federal vendors would be natural partners in the project. However, in the latter case, the implementing agency, perhaps with congressional support, would need to overcome obdurate industry resistance to the inclusion of dependency data about software products in the form of software bills of material, despite being regularly generated and consumed already. While the array of use cases for these SBOMs is still maturing,¹⁰⁵ large organizations, like New York Presbyterian Hospital,¹⁰⁶ already use them regularly. And there is a healthy supply of software tools to generate and process them employed by for- and nonprofit entities.¹⁰⁷

Lessons learned from the analysis of one system could inform a widening aperture across other government systems and eventually across the broader digital domain, particularly considering that there may be significant overlap of key OSS dependencies between similar systems. Establishing an ODSRM is an opportunity for government to better map its own digital systems and assets before using lessons learned in that process to inform its approach to a larger, industry-wide attempt at helping to identify key critical dependencies.

Provide resources with security and sustainability in mind

Throwing funds at a problem is rarely ever a sufficient fix, but where investment shortfalls exist, it can help. These recommendations focus on guiding policymakers toward a resourcing model that helps cover funding gaps, particularly around long-term maintenance and support rather than the creation of new OSS projects, while accounting for non-financial resources (e.g. labor time, expertise) and financial support for important non-technical factors (e.g. encouraging contributor community depth and diversity, governance and good package management policies) and relying on community expertise in directing resources toward critical projects.

There are three important factors to consider in developing schemes for government support to OSS as infrastructure. First, where resources go is as important as how they get there. Direct funding and government-to-project contributions may work well for areas of urgent or existential need, but OSS projects will benefit most from consistent support delivered with local knowledge about the project, its maintainer community, and its user base. Few, if any, government-led schemes will be able to achieve this level of local knowledge on their own, so resources should mostly, flow through trusted intermediaries like software foundations (e.g., Apache, Linux, and Eclipse) and nonprofit groups (e.g., Open Source Collective and the Internet Security Research Group) as well as selected university programs.

Second, support must be sustainable. One of the difficulties of private-sector funding for OSS projects and their security is that, outside of a handful of exceptions, crisis has been the catalyst for much of this support. Monies flow to projects and project classes affected by an ugly vulnerability or momentary disaster without the promise of consistent, long-term commitment that project owners can plan and build around. The good work of several software foundations across the OSS ecosystem is a function of both the resources they bring and the stability they offer.

Third, it bears repeating that resources need not just be financial. Dollars and euros are fungible and necessary—volunteer labor can only bring OSS projects so far and might not account well for specific technical skills or experience needed to audit code or management and governance processes. Governments, generally, possess a scale of financial power available to few in the private sector. But governments also have other policy levers. Changes to government policy can reduce barriers to sustainable OSS adoption, open new opportunities for agency and government employee-level contributions back to OSS projects and punish abusive or malicious behavior targeting OSS communities. These are non-monetary contributions to the long-term security and sustainability of OSS and important alongside financial support.

With that in mind, this report offers three final recommendations on how to shape government support for OSS, keeping security and sustainability as the key goals, instead of massive feature expansion or redevelopment.

Target of opportunity

Governments with the financial and organizational wherewithal should create target-of-opportunity funding programs to support OSS security. The goal of this funding is to award resources in a targeted manner, determined by government need, to OSS projects and activities. These awards should root in criticality and help account for urgent needs, ideally in anticipation of, but perhaps in response to, a crisis. Criticality can be determined by an entity, like the ODSRM, and used to guide single-agency or cross-government resourcing schemes. Smaller than the OSS Trust discussed below, a Target of Opportunity funding pool should scale into the single or tens of millions, allowing governments to resource security and compliance requirements that might fall on OSS programs as well as urgent mitigations and responses to incidents.

In the United States, such a program should be run by the federal agency best positioned to assess and respond to insecurity in technologies supporting critical infrastructure and broad swaths of society—CISA, under the US Department of Homeland Security (DHS). Congress, in S.4913, already views CISA as the logical home for tracking the use of OSS across the federal government and assessing the risks posed to OSS and other software. CISA should have the resources to support the implementation of those efforts and support the OSS projects identified as critical dependencies along the way.

Establish the OSS Trust

Recognition of OSS as the digital infrastructure underneath myriad economic and social activities entails a collective acknowledgment of the failure to-date to support it as such. Across national boundaries, open-source code generates and captures considerable value without consistent government backing, neither for the most critical security updates nor for long-running code maintenance and improvement. New resources will not solve every problem faced by OSS maintainers, and the intention of government support of this kind is not to rewrite the economic relationship between the maintainers of free and “as-is” code and their users.

The OSS Trust should be a mechanism for governments to provide consistent support for the security of OSS code, the integrity of OSS projects, and the health and size of OSS maintainer communities. These funds should scale into the hundreds of millions, enabling broad training and education programs, to support security reviews and mitigation for hundreds of projects at a time, and to bring more maintainers and contributors into OSS communities. These funds can help facilitate widely useful security research and cover the costs associated with long-term hardening, like rewriting a project in a memory-safe language. The Trust’s thesis of what to support should center on activities that produce sustainable, long-term improvements as well as less-well-funded aspects of secure OSS projects like effective governance practices.

In the United States, NIST could aid this effort by developing an inclusive list of metrics by which to gauge the health and needs of OSS packages and communities in close cooperation with extant industry initiatives such as OpenSSF’s Scorecard project, SLSA, S2C2F SIG, CHAOSS, and others.¹⁰⁸ It might focus on determining what best practices signal project maturity and sufficient resourcing, and what shortfalls are most critical for downstream users and thus worth prioritizing in upstream support. This framework should not supplant, but rather aggregate and synthesize extant industry measurement initiatives and could later be part of vendor assessments and best practices documents in government procurement processes.

In the United States, the OSS Trust should rely on both regular congressional appropriations and the diversion of a small portion of corporate taxes. Depending on the structure of the receiving organization, Congress could also consider incentivizing individuals and corporations to contribute to the fund or similar organizations through tax-credited donations. Given the immense room for improved support in the OSS ecosystem, such a fund need not begin at its final potential size, able to satisfy all needs at once, on the first day but can grow incrementally, taking the opportunities to refine its grantmaking processes and partner-organization relationships as it grows.

This can and should eventually be an international scheme. The German-government-backed Sovereign Tech Fund already works to fund OSS projects to “support the development, improvement, and maintenance of open digital infrastructure.”¹⁰⁹ This and similar initiatives at the EU member state level could be subsumed into a broader international effort in the near future or grow in isolation and work to coordinate with U.S. and other national programs absent immediate consolidation.

Like the HTF, CEF, or CF, such a fund should work with intermediaries to identify the best recipients—the central government need not try to locate decrepit concrete and unaddressed potholes itself, but rather can improve the resourcing of organizations with that on-the-ground expertise, relying on the existing web of intermediaries and support groups already present and growing in the OSS ecosystem.

Adopt-a-package

Private sector and nonprofit leaders in OSS should define schemes by which firms and other donors can “adopt” important unmaintained packages and provide resources to support their ongoing maintenance, vulnerability mitigation, and potentially rewrites into memory-safe languages or other structural updates. Rather than the urgent need met by a target-of-opportunity model or the long-term focus and friendliness to cross-cutting research of the OSS Trust. The government can contribute funding and support to existing initiatives or construct one in parallel, similar to Federal Emergency Management Agency’s (FEMA) reservist program. Government teams might supplement private-sector groups or focus on assisting incident response and resourcing for projects critical to government functions.

One entity already working toward this end is the for-profit startup, thanks.dev, which looks to connect users and patrons of open-source packages with a simple way to fund those packages and the packages they depend on. The company builds on several layers of deep dependency graphs using existing bill-of-materials, like data. That part is crucial—because of the web of dependencies across OSS, funding standalone packages is often not enough to drive resources everywhere they are needed. Log4j is a great example of a piece of a whole that turned out to be extremely important in the aggregate but may not have attracted high-profile attention on its own.

6. Conclusion

We do not build most of the code we use. In realizing this and accepting it for the indefinite future, OSS and the many communities developing and maintaining it should loom large in any analysis of cybersecurity and economic health. Open source constitutes the infrastructure to which we trust sensitive data, critical social programs, and cycles of economic development and innovation. That such infrastructure is weakening,¹¹⁰ and in some places crumbling,¹¹¹ from the weight of demands placed on it should no more shock us than the imagery of bridges collapsing and reports of poisoned groundwater due to inadequate sustainment combined with widespread use.

None of this report reflects a belief that OSS is inherently insecure, but rather that it is uniquely central to modern digital systems and that relationships with the OSS community are necessarily, and substantively, different than those government has grown accustomed to with industry and industry within itself. Sustainable use emphasizes the user responsibility for much of the risk associated with software use, including OSS, and addresses OSS-specific features of development and contribution possibly only with open-source code. Addressing systemic risk is an important step for policy efforts to support the security and sustainability of OSS projects with an accurate picture of the considerable interdependency between code bases. Finally, governments must step up to support OSS as the infrastructure that it is. These resources should come alongside expanded private sector support and can manifest in targeted formats as well as a more general support model, the OSS Trust. OSS is infrastructure, and the provision of support for it as such will permit more rapid adoption and considerable innovation in even critical domains of economic and government activity.

Most of us too often take for granted the everyday things, the problems well solved. Yet, ignorance and the failure to protect them come with hefty price tags. Log4shell, a rash of open-source package incidents,¹¹² and the chorus of concern amongst OSS maintainers about an economic model that extracts value from labor without committing back are symptoms of the choice to remain in such ignorance. The risk is the slow collapse of a vibrant ecosystem and a future riven by falling diversity in and capability for digital development outside a concentrated handful of technology firms, imperiling national security and economic competitiveness in equal measure. The good news is that this collapse is neither necessary nor permanent.

Change is possible, indeed much needed, but it must come in the form of investment as well as policy. Pennies on the dollar of value can be gained from a healthy and resilient open-source ecosystem, and such investments provide a means to secure essential digital infrastructure against a myriad of threats. Strong investment in and well-informed policy about OSS is, above all, a gift to the present, not just an abstract donation to future generations, that would impact and protect communities throughout the world.¹¹³

About the authors

Staff

Trey Herr

Director

Cyber Statecraft Initiative Digital Forensic Research Lab

Cybersecurity Digital Policy

Staff

Stewart Scott

Associate Director

Cyber Statecraft Initiative Digital Forensic Research Lab

Cybersecurity Disinformation

Staff

Maia Hamin

Associate director

Cyber Statecraft Initiative Digital Forensic Research Lab

Cybersecurity Technology & Innovation

Sara Ann Brackett is a research assistant at the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). She focuses her work on open-source software security, software bills of material, and software supply-chain risk management and is currently an undergraduate at Duke University.

Acknowlegements

The authors owe a continuing debt of gratitude to the members of the Open Source Policy Network whose growing collaboration on open-source security and sustainability policy is an important part of this work. Major thanks to the Open Source as Infrastructure Working Group, including co-sponsor Open Forum Europe and its Executive Director Astor Nummelin Carlberg, whose insights shaped this report across 2022 and 2023. Thank you to Abhishek Arya, Jack Cable, Brian Fox, John Speed Meyers, Sarah Novotny, Jeff Wayman, and David Wheeler for their feedback on this and earlier drafts. Additional thanks to Kathy Butterfield, Estefania Casal Campos, and Abdolhamid Dalili for developing the report’s graphics; to Nancy Messiah and Andrea Raitu for its web design; to Donald Partyka for graphic and document design; and to Jen Roberts for coordinating the project’s many visual and design elements. This work is made possible with support from Craig Newmark Philanthropies, Schmidt Futures, the Open Source Security Foundation, and Omidyar Network.

CSI produced this report’s cover image using in part OpenAI’s DALL-E program, an AI image-generating application. Upon generating the draft image-prompt language, the authors reviewed, edited, and revised the language to their own liking and take ultimate responsibility for the content of this publication.

Appendix: Survey results

As part of this report, the Atlantic Council and the Open Source Policy Network distributed an anonymous survey to several OSS governance, policy, and security communities, including through the OpenSSF’s general Slack channel and Open Forum Europe’s email forum. The survey, which was open from November 20, 2022, through January 8, 2023, aimed to gather attitudes on OSS policy and security from OSS maintainers, developers, and stakeholder communities closer to the problem set than policymakers in Brussels or DC. Despite being open to over two thousand potential respondents, the survey only achieved a sample size of forty-six, limiting the insight into community priorities that it could provide. Nonetheless, there were some noteworthy trends in the responses, and the Atlantic Council and Open Source Policy Network will continue to gather outside perspectives and sentiment trends in this manner.

Government	ICT Vendor	Non-ICT Vendor	Independent Researcher	Academia	Non-profit organization	Other
2	16	4	3	4	9	8
4.3%	34.8%	8.7%	6.5%	8.7%	19.6%	17.4%

1. Main respondent affiliation

Maintainer	Contributor	User	None of the above
29	32	34	5
63.0%	69.6%	73.9%	10.9%

2. Respondent’s primary role with respect to OSS (select all that apply)

ICT Vendors	All Industry	OSS devs	Foundations/Non-profits	Gov	Other
9	20	2	5	8	2
19.6%	43.5%	4.3%	10.9%	17.4%	4.3%

3. If you had to pick one party to assume more responsibility than they currently do for security outcomes associated with the use of open-source software, which would it be?

Project activity	Contributor community	Maintainers	High-activity contributors and maintainers	Community principles	Security expert involvement	Other
7	5	5	12	5	4	8
15.2%	10.9%	10.9%	26.1%	10.9%	8.7%	17.4%

4. Which is the most useful characteristics for assessing the health and well-being of an open-source community, if you had to pick just one?

Public education and awareness	Public-private coordination management	Funding	Licensing + auditing policies	OSS engagement	Other
5	4	14	9	9	5
10.9%	8.7%	30.4%	19.6%	19.6%	10.9%

5. Which is the most critical function of an Open-Source Program Office (OSPO) if you had to pick just one?

Project metadata	Usage data	Vulnerability reporting	Vulnerability info access	Security testing	SBOM generation	Other
1	11	3	2	12	5	12
2%	24%	7%	4%	26%	11%	26%

6. Where do you see the tooling or information gap that might be most harmful to the OSS ecosystem?

	1-Most useful	2	3	4	5-Least useful
Security testing/assessments	14	14	12	5	1
Bug-bounty programs	1	12	11	11	11
Security info-sharing and procedures	2	17	13	1	13
Incident response support	5	16	9	13	3
Direct funding	25	8	6	6	1

7. Please sort these methods of external support for, and investment in, open-source projects from most useful to least useful open-source maintainers and developers, in your opinion and relative to each other. 

	1-Most useful	2	3	4	5	6	7-Least useful
Project popularity	7	11	8	10	2	3	5
Community size and activity	13	13	11	6	1	1	1
Cost of maintenance and usage	3	7	9	7	11	1	8
Fulltime developer count	9	11	10	8	4	2	2
Recent significant vulnerabilities	7	11	12	7	3	6	0
Number of corporate sponsors	4	4	7	8	6	12	5
Number of individual sponsors	2	3	5	5	14	9	8

8. Please sort these heuristics for assessing the risk of using a specific OSS package from most useful to lease useful, in your opinion.

	1-Most useful	2	3	4	5-Least useful
Security testing/assessments	18	13	10	2	3
Bug-bounty programs	1	12	10	12	11
Security infosharing and procedures	4	15	15	2	10
Incident response support	7	17	8	12	2
Direct funding	22	8	6	6	4

9. Please sort these methods of external support for, and investment in, open-source projects from most useful to least useful for the security of downstream users. 

How much do you agree or disagree with the following statements? 

Strongly Agree	Agree	Neutral	Disagree	Strongly Disagree
16	14	8	5	3
34.8%	30.4%	17.4%	10.9%	6.5%

10. A government role in supporting the open-source ecosystem is necessary for its long-term sustainability and success.

Strongly Agree	Agree	Neutral	Disagree	Strongly Disagree
14	18	8	4	1
30.4%	39.1%	17.4%	8.7%	2.2%

11. Government support must include direct financial investment to ensure the open-source ecosystem’s long-term sustainability and success.

12. Tell us about your bogeyman – where do you see the most risk across the OSS community? Answers here can reflect either security risks, dangers posed by policy, or other concerns.

Moving software to memory safe languages and actionable OSS supply chain management are the highest risk issues, IMO.
- Lack of proper project governance, in particular for accepting commits.
  - Rogue maintainers who sabotage their own work for whatever reason.siloing of information about os production and consumption leading to ineffectual allocation of support/resources. lack of coordinated engagement by all relevant stakeholders: the community, foundations and other industry bodies, government and consumers (especially large global ones)I fear that the burden (via law/policy) of ensuring secure software will be set unrealistically (zero bugs) and fall (with serious consequences) on individual contributors. This would effectively kill the OSS ecosystem by creating huge disincentives for anyone to be involved.The volume of mission critical code that is written in a memory unsafe language is highly alarming – it’s so bug-prone and those bugs are often part of an exploit chain. lack of security awareness and efforts by OSS developers.Tragedy of the commons, and assumption that someone else will do “it”. Putting too much of the burden on volunteer maintainers. Companies shouldn’t try to require too much of the free projects that they are using. Any interventions must come with strong community incentives.Increasing and poorly tracked dependency on projects, in some cases individuals, misalignment of funding and resources, treating OSS as a public good (gov investment) is maybe sound, consider tax concepts (really), who benefits more should pay/fund more, cui bono, shouldn’t be a complete gov subsidy.Transitive dependencies, where users evaluate the parent OSS project, but not all of its dependencies to see if they are well maintained and following best practices.Funding. The world is capitalism, and it is not practical for critical open source maintainers to focus on that job full-time without capital.NULLUsers of open source don’t understand that in many/most cases that the software isn’t supported in the same was commercial software is. Example, I recently say a user ask about when some vulnerabilities that have been published would be addressed in the project. This project is widely used and has critical vulnerabilities in it. The single maintainer’s response was “it simply depends on my spare time.” Critical security issues in what is likely critical software for some orgs and it will be addressed when someone has some spare time. That’s not a formula for highly secure software.Education and knowledge gapThe Jeeper CreeperGovernment attempting to regulate an anti-culture which is based entirely on the foundations of helpfulness, novelty, and innovation. Open source is not industry, it is not corporate, and the ideals of it are often at odds as those using it. It’s like volunteer EMTs or Good Samaritans. There should be support and protections for those that do the reasonable right thing without introducing a burden on them.Security loopholes should addressed with caution and strict measures. comprehensive and aligned and equal support for both upstream creators of open source and downstream consumers is criticalRisk: death and burnout. We are currently ignoring both in the name of security and that’s going to bite us.Funding. Governments should require a % of profit – not even revenue, just profit – be invested into their open source stack.Trey Herr really worries me. Don’t let him near a command line.The biggest risk is automation without proper processes and workflows in-place. Automating a process incorrectly is a greater risk than not doing it at all.Biggest risk across OSS community is sustainable – having x-omega and free security trainings is nice but research has shown most of OSS projects have a single maintainer. How can you expect a single maintainer to maintain his/her project and also spent time on security considerations? We need an open source way to give OSS usesr (especially large enterprise) easy insights into OSS usage so they then can undertake action to support the OSS projects vital/critical to them (have seen people use OSS Review Tookit for this) One of the most significant issues is a cultural one. Today, most conversations around open-source software still put too much emphasis on the community aspect and define it as some charity. The solutions are usually related to increasing long-term volunteer contributions from corporations or individuals.However, if the open-source initiatives had the necessary financial resources, like any other businesses, they would already do their best to minimize the risks, hire the needed talents and produce a healthy software solution. Hence, we should recognize the overall economic value of open-source software, see it as a regular business activity in which entrepreneurs contribute to digital public goods, and address investment coordination issues around it.Once the open-source ecosystem receives adequate funding, the competition in the market should sort out the rest.Projects fail or are mismanaged due to lack of organizational support.Not having an asset list of what actually the enterprise has Insider risk or the malicious maintainer – Open source projects can switch hands or be influenced by anyone despite their motivations or backgrounds. This is an incredible difficult security risk to address for OSS. Government overreach would be a concern. Standards would be helpful. A monopoly on the code hosting servicessecurity fatigue due to vendors overselling BS, generally the amount of bad security vendors and productsLack of direct funding for core nodes, central components in wide use. Lack of practical contributions by ENISA, see e.g. their analysis of Heartbleed in someoneshouldhavedonesomething style, bugbounty programs on a too small scale without larger buy-in of officials, no large scale strategic investment in open source with regards to platform dependencies of the economy, that is, no learnings from the Putin gas disaster, dependencies from China in the hardware sector.Security risks. Code bases not checked by real security experts.Throwing OSS under geopolitical busLack of critical thinking and understanding of biaised axiomsGovernment/large corporate business users failing to financially support the open source projects they use. Government stepping in and trying to regulate/control a system that does not want or need this. Government depts. trying to be software developers.Funding Public, Securitysoftware patentsAn inability to objectively and discrete measure risk assocaited with different OSS projects.It’s a fact that very few projects have been undergone independent security review. More funding should go into initiatives that can do that. Furthermore, even “well-supported” projects are prone to vulnerabilities and exploits; so projects need to be consistently evaluated and reviewed based on their risk and usage. License changes in existing and widely used open source components and libraries. For example, Akka is changing its license from OSS license to a commercial license. All the other OSS components and libraries depending on Akka need to change Akka to some other library or try to meet the requirements of the new license (which is not always possible). Regulation that fails to account for the dynamics of the work project that is open source.Most surveys of this ilk have a common top blocker: time available to address this priority with everything else to be done. While there are such time constraints amongst OSS devs and maintainers, the risks are high that security issues won’t get addressed in the optimal way. Blindly relying on projects without ensuring they have a long-term viability.
  - The biggest risk I see is in continuity. If the primary maintainer(s) of a popular project leaves the project for whatever reason (burn-out, interest changes, death, etc.), what can the overall open source community to do help that transition?

88 Federico Chiarelli et al., “Open Source Software Country Intelligence Report – Portugal” (Brussels: European Commission – Interoperability Unit, April 2020), https://joinup.ec.europa.eu/sites/default/files/inline-files/OSS%20Country%20Intelligence%20Report_PT_0.pdf.

1 “Critical Digital Infrastructure Research,” Ford Foundation, accessed January 12, 2023, https://www.fordfoundation.org/campaigns/critical-digital-infrastructure-research/.

2 Full Committee Hearing: “Responding to and Learning from the Log4Shell Vulnerability,” US Senate Committee on Homeland Security & Governmental Affairs, February 8, 2022, https://www.hsgac.senate.gov/hearings/responding-to-and-learning-from-the-log4shell-vulnerability; Hearing: “Securing the Digital Commons: Open-Source Software Cybersecurity,” House Committee on Science, Space, and Technology, May 11, 2022, https://science.house.gov/2022/5/joint.

3 Nadia now goes by Nadia Asparouhova and more on her work can be found here https://nadia.xyz/

4 Eric S. Raymond, The Cathedral & the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary (O’Reilly Media, Inc., 2001).

5 To the reader, as part of this report, the Atlantic Council and the Open-Source Policy Network distributed an anonymous survey to several OSS governance, policy, and security communities, including through the OpenSSF’s general Slack channel and Open Forum Europe’s email forum. The survey, open from November 20, 2022, through January 8, 2023, aimed to gather attitudes on OSS policy and security from OSS maintainers, developers, and stakeholder communities closer to the problem set than policymakers in Brussels or DC. Despite being open to over two thousand potential respondents, the survey only achieved a sample size of forty-six, limiting the insight into community priorities that it could provide. Nonetheless, there were some noteworthy trends in the responses, and the Atlantic Council and Open-Source Policy Network will continue to gather outside perspectives and sentiment trends in this manner.

6 To the reader, this project and the Open Source Policy Network are made possible with support from Craig Newmark Philanthropies, Schmidt Futures, the Open Source Security Foundation, and the Omidyar Network.

7 Nadia Eghbal, “Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure,” Ford Foundation, June 14, 2016, https://www.fordfoundation.org/media/2976/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure.pdf.

8 Eghbal, “Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure.”

9 Julia Ferraioli, “Open Source and Social Systems,” (blog), December 7, 2022, https://juliaferraioli.com/blog/2022/open-source-social-systems/.

10 Alison Dame-Boyle, “EFF at 25: Remembering the Case That Established Code as Speech,” Electronic Frontier Foundation, April 16, 2015, https://www.eff.org/deeplinks/2015/04/remembering-case-established-code-speech.

11 “Securing Open Source Software Act of 2022,” S.4913, 117th Congress (2022), https://www.congress.gov/bill/117th-congress/senate-bill/4913.

12 Frank Nagle, “Government Technology Policy, Social Value, and National Competitiveness,” Harvard Business School Strategy Unit Working Paper No. 19-103, March 3, 2019, https://doi.org/10.2139/ssrn.3355486.

13 Karl Fogel and Cecilia Donnelly, “Open Data for Resilience Initiative and GeoNode: A Case Study on Institutional Investments in Open Source” (Washington, DC: World Bank Group, December 31, 2017), http://documents.worldbank.org/curated/en/713861563520709009/Open-Data-for-Resilience-Initiative-and-GeoNode-A-Case-Study-on-Institutional-Investments-in-Open-Source; Knut Blind et al., “Study about the Impact of Open Source Software and Hardware on Technological Independence, Competitiveness and Innovation in the EU Economy | Shaping Europe’s Digital Future” (Brussels: European Commission, September 6, 2021), https://digital-strategy.ec.europa.eu/en/library/study-about-impact-open-source-software-and-hardware-technological-independence-competitiveness-and; Brian Proffitt, “The ROI of Open Source,” Red Hat Blog, August 26, 2020, https://www.redhat.com/en/blog/roi-open-source. To the reader, while the authors of this report are not aware of replication studies validating these findings, it is worth noting that the sheer ubiquity of OSS already in proprietary offerings indicates the widespread success of the model. Whether that is due to reduced development time, crowd-sourced innovation, or other factors is not clear, however.

14 “The Open Source Definition,” Open Source Initiative, accessed January 13, 2023, https://opensource.org/osd.

15 Peter Salus, The Daemon, The Gnu, and the Penguin, (Reed Media Services, September 2008).

16 Joseph Carl Robnett Licklider and Robert W. Taylor, “The Computer as a Communication Device,” Science and Technology 76 (April 1968), 21–31.

17 befunge, GitHub, accessed January 13, 2023, https://github.com/topics/befunge.

18 Left-Pad, Nonsense Poetry Manager (npm), accessed January 13, 2023, https://www.npmjs.com/package/left-pad.

19 LibreOffice, accessed January 13, 2023, https://www.libreoffice.org/.

20 “Linux Distribution Introduction and Overview,” Linux Training Academy, accessed January 13, 2023, https://www.linuxtrainingacademy.com/linux-distribution-intro/.

21 LibreOffice.

22 ggplot2, accessed January 13, 2023, https://ggplot2.tidyverse.org/.

23 Andrew Spyker and Ruslan Meshenberg, “Evolution of Open Source at Netflix,” Netflix Technology Blog, October 28, 2015, https://netflixtechblog.com/evolution-of-open-source-at-netflix-d05c1c788429.

24 Liran Tai, “The Log4j Vulnerability and Its Impact on Software Supply Chain Security,” Snyk, December 13, 2021, https://snyk.io/blog/log4j-vulnerability-software-supply-chain-security-log4shell/.

25 Mehul Revankar, “New Study Reveals 30% of Log4Shell Instances Remain Vulnerable,” Qualys Security Blog, March 18, 2022, https://blog.qualys.com/qualys-insights/2022/03/18/qualys-study-reveals-how-enterprises-responded-to-log4shell.

26 To the reader, using the term “open-source” as a verb means to make the source code available to all, often on a code hosting platform, with GitHub being one of the most commonly used repository hosts.

27 Ferraioli, “Open Source and Social Systems.”

28 Milo Z. Trujillo, Laurent Hébert-Dufresne, and James Bagrow, “The Penumbra of Open Source: Projects Outside of Centralized Platforms Are Longer Maintained, More Academic and More Collaborative,” EPJ Data Science 11, no. 1 (May 21, 2022): 1–19, https://doi.org/10.1140/epjds/s13688-022-00345-7.

29 To the reader, these fall under the 501(c)(6) classification. Their main difference from a 501(c)(3) nonprofit is that where (c)(3) organizations must serve the public, (c)(6) organizations must their members. For more detail, see Internal Revenue Services, “Business Leagues,” irs.gov, accessed January 12, 2023, https://www.irs.gov/charities-non-profits/other-non-profits/business-leagues.

30 “Licenses & Standards,” Open Source Initiative, accessed January 13, 2023, https://opensource.org/licenses.

31 Alpha-Omega, Open Source Security Foundation, accessed January 13, 2023, https://openssf.org/community/alpha-omega/.

32 David Gray Widder, “Can You Stop Your Open-Source Project from Being Used for Evil?,” Overflow, August 8, 2022, https://stackoverflow.blog/2022/08/08/can-you-stop-your-open-source-project-from-being-used-for-evil/.

33 John Sullivan, “Thinking Clearly about Corporations,” Free Software Foundation, June 24, 2021, https://www.fsf.org/bulletin/2021/spring/thinking-clearly-about-corporations.

34 Sam Williams, Free as in Freedom: Richard Stallman’s Crusade for Free Software (O’Reilly Media, Inc., 2002), https://www.oreilly.com/library/view/free-as-in/9781449323332/.

35 To the reader, footnote entries offer further readings on the larger ecosystem and some of its defining debates.

36 To the reader, Dr. Tracy Miller defines infrastructure as “facilities, structure, equipment, or similar physical assets…vitally important, if not absolutely essential, to people having the capabilities to thrive…in ways critical to their own well-being and that of their society, and the material and other conditions which enable them to.” See: Tracy Miller, “Infrastructure: How to Define It and Why the Definition Matters,” Mercatus Center, July 12, 2021, https://www.mercatus.org/research/policy-briefs/infrastructure-how-define-it-and-why-definition-matters.

37 “Critical Infrastructure Sectors,” Cybersecurity and Infrastructure Security Agency, accessed January 12, 2023, https://www.cisa.gov/critical-infrastructure-sectors.

38 David Wheeler, “Securing Open Source Software Is Securing Critical Infrastructure,” Open Source Security Foundation (blog), October 11, 2022, https://openssf.org/blog/2022/10/11/securing-open-source-software-is-securing-critical-infrastructure/.

39 Steven Vaughan-Nichols, “Can the Internet Exist without Linux?,” ZDNet, October 15, 2015, https://www.zdnet.com/home-and-office/networking/can-the-internet-exist-without-linux/; “Cloud Infrastructure for Virtual Machines, Bare Metal, and Containers,” OpenStack, accessed January 13, 2023, https://www.openstack.org/; “Welcome to OpenSSL!” Open Secure Sockets Layer (OpenSSL) Project, accessed January 13, 2023, https://www.openssl.org/; Nate Matherson, “26 Kubernetes Statistics to Reference,” ContainIQ, July 3, 2022, https://www.containiq.com/post/kubernetes-statistics; “The BIRD Internet Routing Daemon Project,” BIRD, accessed January 12, 2023, https://bird.network.cz/.

40 Curl, accessed January 13, 2023, https://curl.se/.

41 Daniel Stenberg, “The World’s Biggest Curl Installations,” (blog), September 17, 2018, https://daniel.haxx.se/blog/2018/09/17/the-worlds-biggest-curl-installations/.

42 “Open Source Security and Risk Analysis Report,” (Mountain View, California: Synopsys Inc., 2022), https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-2022.pdf.

43 To the reader, authors tip their hats to the researchers at Chainguard for pointing this out.

44 Jennifer Bennett et al., “Measuring Infrastructure in the Bureau of Economic Analysis National Economic Accounts” (Suitland, MD: Bureau of Economic Analysis, December 1, 220AD).

45 The United States Securing Open Source Software Act: What You Need to Know,” Open Source Security Foundation (blog), September 27, 2022, https://openssf.org/blog/2022/09/27/the-united-states-securing-open-source-software-act-what-you-need-to-know/.

46 “Government Open Source Policies,” Center for Strategic and International Studies, August 2022, https://www.csis.org/programs/strategic-technologies-program/government-open-source-software-policies.

47 Sean Gallagher, “Rage-Quit: Coder Unpublished 17 Lines of JavaScript and ‘Broke the Internet,’” Ars Technica, March 25, 2016, https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/.

48 “How We Use Water,” Overviews and Factsheets, US Environmental Protection Agency, accessed January 13, 2023, https://www.epa.gov/watersense/how-we-use-water.

49 Rachel Estabrook and Michael Elizabeth Sakas, “The Colorado River Is Drying up — but Basin States Have ‘No Plan’ on How to Cut Water Use,” Colorado Public Radio, September 17, 2022, https://www.cpr.org/2022/09/17/colorado-river-drought-basin-states-water-restrictions/.

50 Ashwin Ramaswami, “Securing Open Source Software Act of 2022,” Sustain Open Source Forum, October 3, 2022, https://discourse.sustainoss.org/t/securing-open-source-software-act-of-2022/1098.

51 “Apache License, Version 2.0org,” Open Source Initiative, accessed January 13, 2023, https://opensource.org/licenses/Apache-2.0.

52 “Open Source Security Foundation Raises $10 Million in New Commitments to Secure Software Supply Chains,” Open Source Security Foundation (blog), October 13, 2021, https://openssf.org/press-release/2021/10/13/open-source-security-foundation-raises-10-million-in-new-commitments-to-secure-software-supply-chains/.

53 “Water Law Overview – National Agricultural Law Center,” National Agricultural Law Center, accessed January 12, 2023, https://nationalaglawcenter.org/overview/water-law/.

54 “Drinking Water Laws and New Rules,” Overviews & Factsheets, US Environmental Protection Agency, accessed January 12, 2023, https://www3.epa.gov/region1/eco/drinkwater/laws_regs.html.

55 Pub. L. No. SB47 (2016), https://www.leg.state.nv.us/App/NELIS/REL/79th2017/Bill/4675/Text.

56 Daniel Rothberg, “Everyone in Nevada Is Talking about Water. Here Are Five Things to Know.,” Nevada Independent, May 19, 2022, https://thenevadaindependent.com/article/everyone-in-nevada-is-talking-about-water-here-are-five-things-to-know-efbfbc.

57 To the reader, though originally required in the 90s, it is more precise to say that this legislation updated the requirements for those plans among other related items.

58 Pub. L. No. SB74 (2016), https://www.leg.state.nv.us/App/NELIS/REL/79th2017/Bill/4728/Text.

59 Pub. L. No. SB74 (2016).

60 To the reader, one might argue that there is a shortage of OSS tailored to meet all consumers’ needs, which leads to its constant change.

61 Fact Sheet: Good Samaritan Administrative Tools,” US Environmental Protection Agency, accessed January 13, 2023, https://www.epa.gov/enforcement/fact-sheet-good-samaritan-administrative-tools.

62 Rep. Lori Trahan (D-MA-03), Press Release: “House Passes Comprehensive Legislation to Aid Ukraine, Invest Millions in Third District,” March 9, 2022, https://trahan.house.gov/news/documentsingle.aspx?DocumentID=2411.

63 Havoc Pennington, “Up to 20% of Your Application Dependencies May Be Unmaintained,” Tidelift (blog), April 9, 2019, https://blog.tidelift.com/up-to-20-percent-of-your-application-dependencies-may-be-unmaintained.

64 Théo Zimmermann and Jean-Rémy Falleri, “A Grounded Theory of Community Package Maintenance Organizations-Registered Report,” CoRR 2108.07474 (September 2021), https://dblp.org/rec/journals/corr/abs-2108-07474.html?view=bibtex; Jailton Coelho et al., “Identifying Unmaintained Projects in GitHub,” in Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 2018, 1–10, https://doi.org/10.1145/3239235.3240501; Jordi Cabot, “Adopt an Open Source Project,” Livable Software, September 21, 2018, https://livablesoftware.com/adopt-abandoned-open-source-project/; Alpha-Omega; Adopt A Project, GitHub, accessed January 13, 2023, https://github.com/jonobacon/adopt-a-project.

65 European Commission, “Specific Principles: Polluter Pays Principle,” Principles of EU Environmental Law, https://www.era-comm.eu/Introduction_EU_Environmental_Law/EN/module_2/module_2_11.html.

66 “Waste Framework Directive,” European Commission, https://environment.ec.europa.eu/topics/waste-and-recycling/waste-framework-directive_en and “Water Framework Directive,” European Commission, https://environment.ec.europa.eu/topics/water/water-framework-directive_en.

67 United States: Financial Crisis Inquiry Commission, “The Financial Crisis Inquiry Report: Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States” (Washington DC: US Government Printing Office, February 25, 2011), https://www.govinfo.gov/app/details/GPO-FCIC.

68 To the reader, examples include Heartbleed and log4shell.

69 To the reader, some companies offer as a service scanning of software products to identify with reasonable but varied accuracy the underlying components within.

70 Frank Nagle et al., “Census II of Free and Open Source Software — Application Libraries,” [Linux Foundation, Laboratory for Innovation Sciences at Harvard (LISH), and Open Source Security Foundation (OpenSSF), March 2, 2022], https://lish.harvard.edu/publications/census-ii-free-and-open-source-software-%E2%80%94-application-libraries.

71 ”Jeffrey M Stupak, “Financial Stability Oversight Council (FSOC): Structure and Activities,” Congressional Research Services, February 12, 2018, (https://digital.library.unt.edu/ark:/67531/metadc1157125/, accessed January 13, 2023, University of North Texas Libraries, UNT Libraries Government Documents Department).

72 Walter Frick, “What You Should Know About Dodd-Frank and What Happens If It’s Rolled Back,” Harvard Business Review, March 2, 2017, https://hbr.org/2017/03/what-you-should-know-about-dodd-frank-and-what-happens-if-its-rolled-back.

73 House Hearing 114th Congress: “Oversight of the Financial Stability Oversight Council” (Washington, DC: US Government Publishing Office, December 8, 2015), https://www.govinfo.gov/content/pkg/CHRG-114hhrg99796/html/CHRG-114hhrg99796.htm.

74 “About ESMA,” European Securities and Markets Authority, accessed January 13, 2023, https://www.esma.europa.eu/about-esma.

75 To the reader, it is not the mere act of using code that creates the need for maintenance—binaries do not degrade like asphalt—but rather the fact that downstream dependencies and integrations make it essential for upstream components to keep pace with evolving language and environment features and security practices.

76 Raymond, The Cathedral & the Bazaar.

77 “Highway Trust Fund: Federal Highway Administration Should Develop and Apply Criteria to Assess How Pilot Projects Could Inform Expanded Use of Mileage Fee Systems” (Washington DC: US Government Accountability Office, January 10, 2022), https://www.gao.gov/products/gao-22-104299.

78 Adopt A Project.

79 Lindsey Bever, “KKK Takes Adopt-a-Highway Case to Georgia Supreme Court,” Washington Post, October 26, 2016, sec. Post Nation, https://www.washingtonpost.com/news/post-nation/wp/2016/02/23/kkk-takes-adopt-a-highway-case-to-georgia-supreme-court/.

80 Morten Rand-Hendriksen, “On the Corporate Takeover of the Cathedral and the Bazaar,” MOR10 (blog), February 4, 2019, https://mor10.com/on-the-corporate-takeover-of-the-cathedral-and-the-bazaar/.

81 Committee for a Responsible Federal Budget, “The Infrastructure Bill’s Impact on the Highway Trust Fund,” CFRB, February 3, 2022, https://www.crfb.org/blogs/infrastructure-bills-impact-highway-trust-fund.

82 Frank Nagle, “Why Congress Should Invest in Open-Source Software,” Brookings (blog), October 13, 2020, https://www.brookings.edu/techstream/why-congress-should-invest-in-open-source-software/.

83 To the reader, wording considers both security lapses and wider incidents where developers pull down packages. See: “Awful OSS Incidents” (2022; PayDevs), accessed January 12, 2023, https://github.com/PayDevs/awful-oss-incidents for examples.

84 Hearing [archived webcast]: “Equity in Transportation Infrastructure: Connecting Communities, Removing Barriers, and Repairing Networks Across America,” US Senate Committee on Environment and Public Works, May 11, 2021, https://www.epw.senate.gov/public/index.cfm/2021/5/equity-in-transportation-infrastructure-connecting-communities-removing-barriers-and-repairing-networks-across-america.

85 “Cohesion Fund Fact Sheet,” European Parliament, https://www.europarl.europa.eu/factsheets/en/sheet/96/cohesion-fund, and “Connecting Europe Facility,” Innovation and Networks Executive Agency, December 22, 2022, https://wayback.archive-it.org/12090/20221222151902/https://ec.europa.eu/inea/en/connecting-europe-facility.

86 Eugenia Lostri, Georgia Wood, and Meghan Jain, “Government Open Source Software Policies,” Center for Strategic and International Studies, January 10, 2023, https://www.csis.org/programs/strategic-technologies-program/government-open-source-software-policies.

87 Gijs Hillenius, “Norway to Increase Its Use of Open Source,” Open Source Observatory, November 19, 2008, https://joinup.ec.europa.eu/collection/open-source-observatory-osor/news/norway-increase-its-use.

89 Sovereign Tech Fund, German Ministry for Economic Affairs and Climate Action, accessed January 13, 2023, https://sovereigntechfund.de/en.

90 Prototype Fund, Open Knowledge Foundation Germany, accessed January 13, 2023, https://prototypefund.de/en/.

91 Program Solicitation, NSF 22-572: “Pathways to Enable Open-Source Ecosystems (POSE),” National Science Foundation, https://www.nsf.gov/pubs/2022/nsf22572/nsf22572.htm.

92 “Supporting Internet Freedom Worldwide,” Open Technology Fund, https://www.opentech.fund/.

93 “The Ministry of Science Creates a Cluster for Free Software Companies,” iProfessional, April 26, 2013, https://www.iprofesional.com/tecnologia/159530-el-ministerio-de-ciencia-crea-cluster-para-empresas-de-software-libre.amp.

94 Gijs Hillenius, “Up to EUR 200,000 for Austria… | Joinup,” Open Source Observatory, August 22, 2016, https://joinup.ec.europa.eu/collection/open-source-observatory-osor/news/eur-200000-austria.

95 John Lui, “Malaysia Sets up $36m Open Source Fund – Silicon.Com,” Silicon, October 30, 2003, https://web.archive.org/web/20050411192233/http:/software.silicon.com/os/0,39024651,39116677,00.htm.

96 Chris Anizczyk et al., “Creating an Open Source Program,” Open Source Guides, n.d., https://www.linuxfoundation.org/resources/open-source-guides/creating-an-open-source-program.

97 Astor Nummelin Carlberg, “The WHO Is the Latest Public Administration to Launch an Open Source Programme Office,” Open Source Observatory, March 18, 2022, https://joinup.ec.europa.eu/collection/open-source-observatory-osor/news/who-builds-ospo

98 Think Open, “Communication to the Commission: Open Source Software Strategy 2020 – 2023” (Brussels, October 21, 2020), https://commission.europa.eu/about-european-commission/departments-and-executive-agencies/informatics/open-source-software-strategy_en.

99 “Collection of Use Case Examples Expanded Regarding Management Methods for Utilizing Open Source Software and Ensuring Its Security,” (Tokyo, Japan: Ministry of Economy, Trade and Industry, May 10, 2022), https://www.meti.go.jp/english/press/2022/0510_003.html.

100 “Extract from the Minutes of the Session of the Government of the Republic of Armenia – On the Endorsement of Internet Governance Principles,” http://www.irtek.am, August 2014, http://www.irtek.am/views/act.aspx?aid=77996.

101 Dan Knauss, “Open Source Communities: You May Not Be Interested in CISA, But CISA Is Very Interested in You,” Post Status (blog), October 3, 2022, https://poststatus.com/open-source-communities-you-may-not-be-interested-in-cisa-but-cisa-is-very-interested-in-you/.

102 ”Foundations for Evidence-Based Policymaking Act of 2018,” H.R.4174, 115th Congress (2018), https://www.congress.gov/bill/115th-congress/house-bill/4174.

103 “Securing Open Source Software Act of 2022,” S.4913.

104 “Securing Open Source Software Act of 2022,” S.4913.

105 Amelie Koran et al., “The Cases for Using the SBOMs We Build,” Atlantic Council (blog), November 22, 2022, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/the-cases-for-using-sboms/.

106 Katie Bratman and Adam Kojak, “SBOM Ingestion and Analysis at New York-Presbyterian Hospital” (Open Source Summit North America 2022, Austin, TX, June 21, 2022), https://ossna2022.sched.com/event/11Q0t/sbom-ingestion-and-analysis-at-new-york-presbyterian-hospital-katie-bratman-adam-kojak-newyork-presbyterian-hospital.

107 To the reader, for more examples of SBOMs already for OSS projects, see the bom-shelter dataset built by John Speed Meyers and Chainguard: “bom-shelter” (Chainguard), https://github.com/chainguard-dev/bom-shelter.

108 Open Source Security Foundation, “Secure Supply Chain Consumption Framework (S2C2F) SIG,” GitHub, accessed January 11, 2023, https://github.com/ossf/s2c2f.

109 Sovereign Tech Fund.

110 James Mcbride and Anshu Siripurapu, “The State of US Infrastructure,” Council on Foreign Relations, November 8, 2021, https://www.cfr.org/backgrounder/state-us-infrastructure.

111 Jim Mone, “NTSB: Design Errors Factor in 2007 Bridge Collapse,” USA Today, November 13, 2008, http://usatoday30.usatoday.com/news/world/2008-11-13-628592230_x.htm.

112 Dan Goodin, “Numerous Orgs Hacked after Installing Weaponized Open Source Apps,” Ars Technica, September 29, 2022, https://arstechnica.com/information-technology/2022/09/north-korean-threat-actors-are-weaponizing-all-kinds-of-open-source-apps/.

113 “OpenSSF Annual Report – 2022,” Open Source Security Foundation, December 2022, https://openssf.org/wp-content/uploads/sites/132/2022/12/OpenSSF-Annual-Report-2022.pdf.

The post Avoiding the success trap: Toward policy for open-source software as infrastructure appeared first on Atlantic Council.

Russia’s cyberwar against Ukraine offers vital lessons for the West

Yurii Shchyhol — Tue, 31 Jan 2023 17:47:28 +0000

Vladimir Putin’s full-scale invasion of Ukraine is fast approaching the one-year mark, but the attack actually started more than a month before columns of Russian tanks began pouring across the border on February 24, 2022. In the middle of January, Russia launched a massive cyberattack that targeted more than 20 Ukrainian government institutions in a bid to cripple the country’s ability to withstand Moscow’s looming military assault.

The January 14 attack failed to deal a critical blow to Ukraine’s digital infrastructure, but it was an indication that the cyber front would play an important role in the coming war. One year on, it is no longer possible to separate cyberattacks from other aspects of Russian aggression. Indeed, Ukrainian officials are currently seeking to convince the International Criminal Court (ICC) in The Hague to investigate whether Russian cyberattacks could constitute war crimes.

Analysis of the Russian cyberwarfare tactics used in Ukraine over the past year has identified clear links between conventional and cyber operations. Ukraine’s experience in countering these cyber threats can provide valuable lessons for the international community while offering a glimpse into a future where wars will be waged both by conventional means and increasingly in the borderless realm of cyberspace.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

Name
First Last
Email*
Phone
This field is for validation purposes and should be left unchanged.

The Russian cyberattack of January 2022 was not unprecedented. On the contrary, Ukraine has been persistently targeted since the onset of Russian aggression with the seizure of Crimea in spring 2014. One year later, Ukraine was the scene of the world’s first major cyberattack on a national energy system. In summer 2017, Ukraine was hit by what many commentators regard as the largest cyberattack in history. These high profile incidents were accompanied by a steady flow of smaller but nonetheless significant attacks.

Following the launch of Russia’s full-scale invasion one year ago, cyberattacks have frequently preceded or accompanied more conventional military operations. For example, prior to the Russian airstrike campaign against Ukraine’s civilian infrastructure, Ukrainian energy companies experienced months of mounting cyberattacks.

These tactics are an attractive option for Russia in its undeclared war against the West. While more conventional acts of aggression would likely provoke an overwhelming reaction, cyberattacks exist in a military grey zone that makes them a convenient choice for the Kremlin as it seeks to cause maximum mayhem in Europe and North America without risking a direct military response. Russia may not be ready to use tanks and missiles against the West, but Moscow will have fewer reservations about deploying the cyberwarfare tactics honed in Ukraine.

In addition to disrupting and disabling government bodies and vital infrastructure, Russian cyberattacks in Ukraine have also sought to manipulate public opinion and spread malware via compromised email accounts. The Ukrainian authorities have found that it is crucial to coordinate efforts with the public and share information with a wide range of stakeholders in order to counter attacks in a timely manner.

The effects of cyberattacks targeting Ukraine have already been felt far beyond the country’s borders. One attack on the satellite communication system used by the Ukrainian Armed Forces during the initial stages of the Russian invasion caused significant disruption for thousands of users across the European Union including private individuals and companies. Given the borderless nature of the digital landscape, similar scenarios are inevitable as cyberwarfare capabilities continue to expand.

Eurasia Center events

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

From a Russian perspective, cyberwarfare is particularly appealing as it requires fewer human resources than traditional military operations. While Moscow is struggling to find enough men and military equipment to compensate for the devastating losses suffered in Ukraine during the first year of the invasion, the Kremlin should have no trouble finding enough people with the tech skills to launch cyber offensives against a wide range of countries in addition to Ukraine.

Russia can draw from a large pool of potential recruits including volunteers motivated by Kremlin propaganda positioning the invasion of Ukraine as part of a civilizational struggle against the West. Numerous individual attacks against Western targets have already been carried out by such networks.

At the same time, Ukraine’s experience over the past year has underlined that cyberattacks require both time and knowledge to prepare. This helps explain why there have been fewer high-complexity cyber offensives following the initial failure of Russia’s invasion strategy in spring 2022. Russia simply did not expect Ukraine to withstand the first big wave of cyberattacks and did not have sufficient plans in place for such an eventuality.

Ukraine has already carried out extensive studies of Russian cyberwarfare. Thanks to this powerful experience, we have increasing confidence in our ability to withstand further attacks. However, in order to maximize defensive capabilities, the entire Western world must work together. This must be done with a sense of urgency. The Putin regime is desperately seeking ways to regain the initiative in Ukraine and may attempt bold new offensives on the cyber front. Even if Russia is defeated, it is only a matter of time before other authoritarian regimes attempt to wage cyberwars against the West.

The democratic world must adapt its military doctrines without delay to address cyberspace-based threats. Cyberattacks must be treated in the same manner as conventional military aggression and should be subject to the same uncompromising responses. Efforts must also be made to prevent authoritarian regimes from accessing technologies that could subsequently be weaponized against the West.

The Russian invasion of Ukraine is in many ways the world’s first cyberwar but it will not be the last. In the interests of global security, Russia must be defeated on the cyber front as well as on the battlefields of Ukraine.

Yurii Shchyhol is head of Ukraine’s State Service of Special Communications and Information Protection.

Both new and old energy technologies depend on cybersecurity. Rapid digitalization across the energy sector has increased efficiency and decreased emissions, but also has changed and expanded the vulnerabilities the sector must consider. Attackers increasingly target not just information technologies (IT), but operating technologies (OT) as well. Retrofits to existing OT infrastructure like pipelines and legacy generating plants mean these are now often network-connected. Newer technologies like wind and solar depend on digital management.

The cyber threat isn’t limited to big players or the Global North. Recent years have seen successful ransomware against the biggest petroleum products pipeline in the United States, against the biggest electricity supplier in Brazil, and against smaller infrastructure operators like the municipal electricity utility in Johannesburg. We have also seen attacks against subcontractors leveraged to penetrate electric utilities connected to the US grid. This is a global challenge, for organizations large and small.

Faced with a continuous onslaught of cyberattacks, the energy sector will need to establish practices and institutions that drive down the cost of deploying strong cybersecurity across the energy value chain. Startups, subcontractors, and small utilities will become a consistently weak link in the energy ecosystem if affordable, effective cybersecurity remains unavailable.

So how can the energy sector ensure that cybersecurity keeps pace with cyber risk, and seize opportunities to get ahead of attackers? How can public and private sector leaders contribute to building a community of trust?

Regulators in the energy sector should ensure they enable—or at a minimum, don’t stifle—technology innovations that enhance cybersecurity. Cyber innovation will need to keep pace with both the new technologies of the energy transformation and the known risks to those technologies, even if slow-moving regulatory processes have not yet accounted for new business models, technologies, or threats.

Similarly, regulators should consider how to encourage rapid information sharing about threat intelligence. Although threat intelligence can help quickly harden targets against novel attacks, operators may be reluctant to share information if they believe it will later lead to legal and financial liabilities. Tabletop exercises that convene public and private organizations can improve incident response, building relationships and providing actionable insights before a crisis occurs.

Public and private sector leaders can both work to expand the pool of cybersecurity talent—one of the chief cost barriers for stronger cybersecurity. Cybersecurity experts are scarce, and experts who are also familiar with the operating technologies enabling the energy transition even more so. Training programs—public or private—will help meet demand. Solutions that expand the scope and power of automation can also help, as can information-sharing that enables security teams to quickly recognize new threats and efficiently apply patches.

For asset operators (public or private), cybersecurity should be part of decision-making on new projects. Considering how to secure new infrastructure or planned retrofits can help reduce the cost and complexity needed to manage risk. Monitoring operations helps operators and cyber analysts understand how systems interact with each other during normal production—and enables earlier detection of malicious activity. Seeking opportunities for automation of routine tasks can reduce the cost of strong cybersecurity. Advancements in machine learning and artificial intelligence make it easier to rapidly draw useful insights from massive data sets.

Private sector collaborations can help build trust and cyber maturity across the industry. Common standards and certifications can help spread best practices and build confidence that potential partners or clients will not introduce new vulnerabilities. Threat intelligence can sometimes be more comfortably shared across peer organizations than with regulators.

Private sector leaders can assess and improve their own organizations’ cyber risk posture. Boards that accurately understand their cyber risks will be better able to invest appropriately in managing those risks. Likewise, making clear that cybersecurity is a cross-cutting competency key to performance for every business unit helps build a strong security culture. And of course, recognizing that cybersecurity is an ongoing effort across the sector helps build the collaboration across the energy sector needed to contend with a dynamic, interconnected cyber threat landscape.

Finally, an inclusive energy transformation will also require cyber-inclusivity. Even as the Global North continues to build the connective tissue necessary to meet the cyber risks of a digitalized energy system, passing those lessons forward as the developing world pursues electrification and sustainable energy access will be necessary to ensure that the energy system of the Global South is constructed with cyber-resiliency in mind. Using global convenings like the Atlantic Council Global Energy Forum in Abu Dhabi earlier this month to bring cybersecurity to the table alongside discussions of increasing energy access is critical to build community and advance shared security in a digital energy system.

Leo Simonovich is the vice president and global head of industrial cyber and digital security at Siemens Energy.

Reed Blakemore is a deputy director at the Atlantic Council Global Energy Center.

EnergySource Dec 12, 2022

Europe and the Caspian: The gas supply conundrum

By John Roberts and Julian Bowden

The Caspian has emerged as a major player in Europe’s effort to move away from Russian gas. But logistical and political difficulties could prevent crucial Caspian projects from getting off the ground.

Central Asia Energy & Environment

EnergySource Dec 5, 2022

A nascent US offshore wind strategy? Permitting reform and the Inflation Reduction Act

By Joseph Webster

US strategy on offshore wind is steadily evolving. The attendant changes could lay the groundwork for emergence as an offshore wind powerhouse.

Energy & Environment Energy Markets & Governance

EnergySource Nov 10, 2022

Partner perspectives: The next unlock: Why software is key to the energy transition

By Scott Reese

The energy transition requires scale, but it also requires speed. Through the marriage of human ingenuity with data and computing power, software integration can enable the acceleration of electrification and decarbonization, moving the world closer to loftier climate ambitions.

Energy & Environment Energy Transitions

Learn more about the Global Energy Center

The Global Energy Center develops and promotes pragmatic and nonpartisan policy solutions designed to advance global energy security, enhance economic opportunity, and accelerate pathways to net-zero emissions.

The post Unlocking a sustainable future by making cybersecurity more accessible appeared first on Atlantic Council.

The 5×5—China’s cyber operations

Simon Handler — Mon, 30 Jan 2023 05:01:00 +0000

On October 6, 2022, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and National Security Agency released a joint cybersecurity advisory outlining the top Common Vulnerabilities and Exposures that Chinese state-linked hacking groups have been actively exploiting since 2020 to target US and allied networks. Public reporting indicates that, for the better part of the past two decades, China has consistently engaged in offensive cyber operations, and as the scope of the country’s economic and political ambitions expanded, so has its cyber footprint. The number of China-sponsored and aligned hacking teams are growing, as they develop and deploy offensive cyber capabilities to serve the state’s interests—from economic to national security.

We brought together a group of experts to provide insights into China’s cyber behavior, its structure, and how its operations differ from those of other states.

#1 Is there a particular example that typifies the “Chinese” model of cyber operations?

Dakota Cary, nonresident fellow, Global China Hub, Atlantic Council; consultant, Krebs Stamos Group:

“China’s use of the 2021 Microsoft Exchange Server vulnerability to access email servers captures the essence of modern Chinese hacking operations. A small number of teams exploited a vulnerability in a critical system to collecting intelligence on their targets. After the vulnerability became public and their operation’s stealth was compromised, the number of hacking teams using the vulnerability exploded. China has established a mature operational segmentation and capabilities-sharing system, allowing teams to quickly distribute and use a vulnerability after its use was compromised.”

John Costello, former chief of staff, Office of the National Cyber Director:

“No. China’s approach has evolved too quickly; its actors too heterogenous and many. What has remained consistent over time is the principal focus of China’s cyber operations, which, in general, is the economic viability and growth of China’s domestic industry and advancement of its scientific research, development, and modernization efforts. China does conduct what some would call ‘legitimate’ cyber operations, but these are vastly overshadowed by campaigns that are clearly intended to obtain intellectual property, non-public research, or place Chinese interests in an advantageous economic position.”

Bulelani Jili, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“What is unique is how the party-state promotes surveillance technology and cyber operations abroad. It utilizes diplomatic exchanges, law enforcement cooperation, and training programs in the Global South. These initiatives not only advance the promotion of surveillance technologies and cyber tools but also support the government’s goals with regard to international norm-making in multilateral and regional institutions.”

Adam Kozy, independent analyst; CEO and founder, SinaCyber; former official with the FBI’s Cyber Team and Crowdstrike’s Asia-Pacific Analysis Team:

“There is not one typical example of Chinese cyber operations in my opinion, as operations have evolved over time and are uneven in their distribution of tooling, access to the vulnerability supply chain, and organization. However, one individual who typifies how the Chinese Communist Party (CCP) has co-opted domestic hacking talent for state-driven espionage purposes is Tan Dailin (谭戴林/aka WickedRose) of WICKED PANDA/APT41 fame. He first began as a patriotic hacker during his time at university in 2000-2002, conducting defacements during the US-Sino hacker war, but was talent spotted by his local People’s Liberation Army (PLA) branch, the Chengdu Military Region Technical Reconnaissance Bureau (TRB) and asked to compete in a hackathon. This was followed by an “internship” where he and his fellow hackers at the NCPH group taught attack/defense courses and appear to have played a role in the 2003-2006 initial Titan Rain attacks probing US and UK government systems. Tan and his friends continued to do contract work for gaming firms, hacking a variety of South Korean, Japanese, and US gaming firms, which gave them experience with high-level vulnerabilities that are able to manipulate at the kernel level and also afforded them stolen gaming certificates allowing their malware to evade antivirus detection. After a brief period where he was reportedly arrested by the Ministry of Public Security (MPS) for hacking other domestic Chinese groups, he reemerged with several new contracting entities that have been noted to work for the Ministry of State Security (MSS) in Chengdu. Tan has essentially made a very comfortable living out of being a cyber mercenary for the Chinese state, using his legacy hacking network to constantly improve and upgrade tools, develop new intrusion techniques, and stay relevant for over twenty years.”

Jen Roberts, program assistant, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“While no one case study stands out to typify a “Chinese” model, Chinese cyber operations blend components of espionage and entrepreneurship and capitalize on China’s pervasiveness in the international economy. One example of this is the Nortel/Huawei example where espionage, at least in part, caused the collapse of the Canadian telecommunications company.”

#2 What role do non-state actors play in China’s approach to cyber operations?

Cary: “Chinese security services still have a marked preference for using contracted hacking teams. These groups often raise money from committing criminal acts, in addition to work on behalf of intelligence agencies. Whereas in the United States, the government may purchase vulnerabilities to use on an offensive mission or hire a few companies to conduct cyber defense on a network, the US government does not hire firms to conduct specific offensive operations. In China, the government may hire teams for both offensive and defensive work, including offensive hacking operations.”

Costello: “Non-state actors play a myriad number of roles. Most notably, Department of Justice and Federal Bureau of Investigation indictments show clear evidence of contractual relationships between the MSS and non-state actors conducting cyber intelligence operations. Less conventional, Chinese hacktivists have on occasion played a limited but substantive role in certain cases, such as cyberattacks against South Korea’s Lotte group during the US Terminal High Altitude Area Defense (THAAD) system kerfuffle in 2017. Hypothetically, China’s military strategy calls for a cyber defense militia; but the contours or reality of mobilization, training, and reliability are unclear. China’s concept of ‘people’s war’ in cyberspace—a familiar adoption of Maoist jargon for new concepts—has been discussed but has yet to be seen in practice in any meaningful form.”

Jili: “State investment and procurement of public security systems from private firms are driving the development of China’s surveillance ecosystem. Accordingly, private firm work and collaboration with the state are scaling Beijing’s means to conduct surveillance operations on targeted domestic populations that are perceived threats to regime stability. Crucially, given the financial incentives to collaborate with Beijing, private companies have limited reasons not to support state security prerogatives.”

Kozy: “This question has the issue of mirroring bias. We tend to view things from a United States and Western lens when evaluating whether someone is a state actor or not, because we have very defined lines around what an offensive cyber operator can do acting on behalf of the US government. China has thrived in this grey area, relying on patriotic hackers with tacit state approval at times, hackers with criminal businesses, as well as growing its domestic ability to recruit talented researchers from the private sector and universities. The CCP has historically compelled individuals who would be considered traditionally non-state-affiliated actors to aid campaigns when necessary. Under an authoritarian regime like the CCP, any individual who is in China or ethnically Chinese can become a state actor very quickly. Actors like Tan Dailin do constitute a different type of threat because the CCP effectively co-opts their talents, while turning a blind eye to their criminal, for-profit side businesses that are illegal and have worldwide impact.”

Roberts: “Chinese non-state actors are very involved in Chinese cyber operations. A wide variety of non-state entities, such as contractors and technology conglomerates (Alibaba, Huawei, etc.), have worked in tandem with the CCP on a variety of research, development, and execution of cyber operations. This relationship is fortified by Chinese disclosure laws and repercussions of violating them. While Russia’s relationship with non-state actors relies on the opaqueness of non-state groups’ relationships with the government, China’s relationship with non-state entities is much more transparent.”

#3 How do China’s cyber operations differ from those of other states in the region?

Cary: “China has the most hackers and bureaucrats on payroll in Asia. Its operations are not different in kind nor process, but scale. While Vietnam’s or India’s cyber operators are able to have some effect in China, they are not operating at the scale at which China is operating. The most significant differentiator—which is still only speculation—is that China likely collects from the backbone of the Internet via agreements or compromise of telecommunication giants like Huawei, China Unicom, etc., as well as accessing undersea cables.”

Costello: “Scale. The scale of China’s cyber operations dwarfs those of other countries in the region—the complexity and sheer range of targeting, and the number of domestic technology companies whose increasingly global reach may be utilized for intelligence gain and influence. As China’s influence and global reach expands, so too does its self-perceived need to protect and further expand its interests. Cyber serves as a low-risk and often successful tool to accomplish this in economic and security realms.”

Jili: “While most regional and global players’ cyber operations have a domestic bent, Beijing also actively promotes surveillance technology and practices abroad through diplomatic exchanges, law enforcement cooperation, and training programs. These efforts not only advance the proliferation of Chinese public security systems, but they also support the government’s goals concerning international norm-making in multilateral and regional institutions.”

Kozy: “China is by far the most aggressive cyber power in its region. It can be debated that Russian cyber operatives are still more advanced in terms of sophistication, but China aggressively conducts computer network exploitations against all of its regional neighbors with specific advanced persistent threat (APT) groups across the PLA and MSS having regional focuses. Some of its neighbors such as India, Vietnam, Japan, and South Korea have advanced capabilities of their own to combat this, but there are regular public references to successful Chinese cyber campaigns against these countries despite significant defensive spending. Regional countries without cyber capabilities likely have long-standing compromises of critical systems.”

Roberts: “China has a talent for extracting intellectual property and conducting large-scale espionage. While other threat actors in the region, like North Korea, also conduct espionage operations, North Korea’s primary focus is on operations that prioritize fiscal extraction to fund regime activity, while China seems much more intent on collecting data for a variety of purposes. Despite differing capacities, sophistication, and types of operations, the end goals for both states are not all that different—political survival.”

China’s surveillance ecosystem and the global spread of its tools

The 5×5—Russia’s cyber statecraft

The 5×5—The state of cybersecurity in the Middle East

#4 How have China’s offensive cyber operations changed since 2018?

Cary: “China’s emphasis on developing its domestic pipeline of software vulnerabilities is paying off. China has passed policies that co-opt private research on behalf of the security services, support public software vulnerability competitions, and invest in technology to automate software vulnerability discovery. Together, as outlined by Microsoft’s Threat Intelligence Center’s 2022 analysis, China is combining these forces to use more software vulnerabilities now than ever before.”

Costello: “China’s cyber operations have unsurprisingly grown in scale and sophistication. Actors are less ‘noisy’ and China’s tactical approach to cyber operations appears to have evolved towards more scalable operations, namely supply-chain attacks and targeting service providers. These tactics have the advantage of improving the return on investment for an operation or campaign, as they allow compromise of all customers who use the product or service while minimizing risk of discovery. Supply chain attacks or compromise through third-party services can also be more difficult to detect and identify. China’s cyber landscape is not homogenous, and there remains great variability in sophistication across the range of Chinese actors.

As reported by the Director of National Intelligence in the last few years, China has increasingly turned towards targeting US critical infrastructure, particular natural gas pipelines. This is an evolution, though whether it is ‘learning by doing,’ operational preparation of the battlespace, or nascent ventures by a more operationally-focused Strategic Support Force (reorganization into a Space and Cyber Corps from 2015-17) is unclear. Time will most certainly tell.”

Jili: “Since 2018, the party-state has been more active in utilizing platforms like BRICS (Brazil, Russia, India, China, and South Africa), an emerging markets organization, and the Forum on China-Africa Cooperation (FOCAC) to promote digital infrastructure products and investments in the Global South. Principally, through multilateral platforms like FOCAC, Beijing has promoted resolutions to increase aid and cooperation in areas like cybersecurity and cyber operations.”

Kozy: “Intrusions from China have continued unabated since 2018, with a select number of Chinese APTs having periods of inactivity due to COVID-19 shutdowns. The Cyber Security Law and National Intelligence Law, both enacted in 2017, provided additional legal authority for China’s intelligence services to access data and co-opt Chinese companies for use in vaguely worded national security investigations. Of note is China’s efforts to increase the number of domestic cybersecurity conferences and nationally recognized cybersecurity universities as part of ongoing recruitment pipelines for cyber talent. Though there was increased focus from the Western cybersecurity community on MSS-affiliated contractors after the formation of the PLA Strategic Support Force (PLASSF) in 2015, more PLA-affiliated APT groups have emerged since the pandemic with new tactics, techniques, and procedures. The new PLASSF organization means these entities may be compromising high-value targets and then assessing them for use for offensive cyber operations in wartime scenarios or cyber espionage operations.”

Roberts: “Since 2018, Chinese offensive cyber operations have increased in scale. China has reinvigorated its workforce capacity-building efforts to increase the overall quantity and quality of workers. It has tightened its legal regime, cracking down on external vulnerability disclosure. It has also begun significantly investing in disinformation campaigns, especially against Taiwan. This is evident by the Chinese influence in Taiwan’s 2018 and 2020 elections.”

#5 What domestic entities, partnerships, or roles exist in China’s model of cyber operations model that are not present in the United States or Western Europe?

Cary: “China’s emphasis on contracted hackers coincides with divergent levels of trust between the central government and some provincial-level MSS hacking teams. Some researchers maintain that one contracted hacking team pwns targets inside China to do internal security prior to visits by central government leaders. While there is scant evidence that these attitudes and beliefs make their way into operations against foreign targets, they do likely impact the distribution of responsibilities and operations in a way not seen in mature democracies. The politicization of intelligence services is particularly risky in China’s political system.”

Costello: “The extralegal influence of the CCP cannot be overstated. Though the National Security Law, National Intelligence Law, and other laws ostensibly establish a legal foundation for China’s security apparatus, the reality is that the party is not bound strictly to these laws—and they only demonstrate a public indicator of what power it may possess. The lack of any independent judiciary suggests unchecked power of the CCP to co-opt or compel assistance from any citizen or company for which it almost certainly has near-total leverage. While the suspicion of Chinese organizations can be overblown, the idea that the CCP has the power to utilize not each but any organization is sobering and the root of many of these concerns. The lack of rigorous rule of law, in these limited circumstances, is certainly a competitive advantage in the intelligence sphere.”

Jili: “Beijing has nurtured a tech industry and environment that actively support the party-state’s aims to bolster government surveillance and cyber capabilities. From large firms to startups, many companies work with the state to conduct vulnerability research, develop threat detection capabilities, and produce security and intelligence products. While these private firms rely on Chinese venture capital and state loans, they have grown to service a global customer base.”

Kozy: “Starting with the 2015 control of WooYun, China’s largest vulnerability site, the CCP has gained an incredible amount of control of the vulnerability supply chain within China, which affords its cyber actors access to high-value vulnerabilities for use in their campaigns. The aforementioned 2017 laws also made it easier for Chinese authorities to prevent domestic researchers from competing in cyber conferences overseas and improved access to companies doing vulnerability research in China. The CCP’s public crackdowns on Jack Ma, Ant Financial, and many others have shown that the CCP fears the influence its tech firms have and has quickly moved to keep its tech giants loyal to the party; a stark contrast to the relationships that the United States and European Union have with tech giants like Google, Facebook, etc.”

Roberts: “While corporate-government partnerships exist everywhere, what separates the United States and Western Europe from China is the scope and scale of the connective tissue that exists between the two entities. In China, this relationship has more explicit requirements in the cyber domain, especially when it comes to vulnerability disclosure.”

The post The 5×5—China’s cyber operations appeared first on Atlantic Council.

Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize

Digital Forensic Research Lab — Fri, 13 Jan 2023 19:04:07 +0000

Russian forces claim control of strategic Soledar

Russia said on January 13 that its forces had taken control of the contested city of Soledar. Recent fighting has been concentrated in Soledar and Bakhmut, two cities in the Donetsk region that are strategically important to Ukrainian and Russian forces. Moscow has been trying to take control of the two cities since last summer. Over the past week, Russia has increased its presence on the fronts with the support of Wagner units. Russia wants control of the Soledar-Bakhmut axis to cut supply lines to the Ukrainian armed forces.

On January 10, Russian sources claimed that Wagner forces had advanced into Soledar. Interestingly, Wagner financier Yevgeny Prigozhin denied the claim and said the forces were still engaged in fighting. Wagner’s presence was established in a camp near Bakhmut. Soldiers from the Wagner Group and other special forces deployed to Bakhmut after other military units had failed to break through the Ukrainian defense.

On January 11, Ukrainian Deputy Defense Minister Anna Malyar said that heavy fighting was taking place in Soledar and that Russian forces had replaced the unit operating in the city with fresh troops and increased the number of Wagner soldiers among them. The same day, Prigozhin claimed that Wagner forces had taken control of Soledar. The Ukrainian defense ministry denied the allegation. On January 12, Ukrainian sources shared unconfirmed footage of soldiers driving on the main road connecting Bakhmut and Soledar with Sloviansk and Kostyantynivka to as evidence that the area remained under Ukrainian control.

Elsewhere, on January 11, the Kremlin announced that Valery Gerasimov would replace Sergei Surovikin as commander of Russian forces in Ukraine. The unexpected move could be interpreted as evidence of a struggle for influence in Russian military circles. Surovikin is considered close to Prigozhin’s entourage, which has criticized senior officers recently, including Gerasimov. Some analysts believe that the change signals a possible military escalation from Russia.

Furthermore, on January 8, Ukrainian forces repelled a Russian offensive the vicinity of Makiyivka and Stelmakhivka. Further north of Lysychansk, on January 11, Ukraine also repelled an attack on the city of Kreminna. In the neighboring Kharkiv region, aerial threats remain high. On the southern front, the city of Kherson and several cities across the Zaporizhzhia region remain targets of Russian attacks.

Lastly, a new Maxar satellite image from nearby Bakhmut exemplifies the brutality of war on the frontline in Donetsk. The image shows thousands of craters, indicating the intensity of the artillery shelling and exchange of fire between Ukrainian and Russian forces.

—Valentin Châtelet, Research Associate, Brussels, Belgium

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria

Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize

In December 2022, the Wagner Group organized a hackathon at its recently opened headquarters in St. Petersburg, for students, developers, analysts, and IT professionals. Wagner announced the hackathon on social media earlier that month. Organizers created the promotional website hakaton.wagnercentr.ru, but the website went offline soon after. A December 8 archive of the website, accessed via the Internet Archive Wayback Machine, revealed that the objective of the hackathon was to “create UAV [unmanned aerial vehicle] positioning systems using video recognition, searching for waypoints by landmarks in the absence of satellite navigation systems and external control.” Hackathon participants were asked to complete the following tasks: display the position of the UAV on the map at any time during the flight; direct the UAV to a point on the map indicated by the operator; provide a search for landmarks, in case of loss of visual reference points during the flight and returning the UAV to the point of departure, in case of a complete loss of communication with the operator.  

On December 9, Ukrainian programmers noticed that hakaton.wagnercentr.ru was hosted by Amazon Web Services and asked users to report the website to Amazon. Calls to report the channel also spread on Telegram, where the channel Empire Burns asked subscribers to report the website and provided instructions on how to do so. Empire Burns claims hakaton.wagnercentr.ru first went offline on December 9, which tallies with archival posts. However, there is no evidence that reporting the website to Amazon resulted in it being taken offline.  

Snapshots of hakaton.wagnercentr.ru from the Wayback Machine show the website was created in a Bitrix24 online workspace. A snapshot captured on December 13 shows an HTTP 301 status, which redirects visitors to Wagner’s main website, wagnercentr.ru. The Wagner website appears to be geo-restricted for visitors outside Russia.

On December 23, a Wagner Telegram channel posted about the hackathon, claiming more than 100 people applied. In the end, forty-three people divided into twelve teams attended. The two-person team GrAILab Development won first place, the team SR Data-Iskander won second place, and a team from the company Artistrazh received third place. Notably, one of Artistrazh’s co-founders is Igor Turashev, who is wanted by the FBI for his connection to computer malware that the bureau claims infected “tens of thousands of computers, in both North America and Europe, resulting in financial losses in the tens of millions of dollars.” Artistrazh’s team comprised four people who won 200,000 Russian rubles (USD $3,000). OSINT investigators at Molfar confirmed that the Igor Turashev who works at Artistrazh is the same one wanted by the FBI.

Wagner said that one of the key objectives of the hackathon was the development of IT projects to protect the interests of the Russian army, adding that the knowledge gained during the hackathon could already be applied to clear mines. Wagner said it had also invited some participants to collaborate further. The Wagner Center opened in St. Petersburg in early November 2022; the center’s mission is “to provide a comfortable environment for generating new ideas in order to improve Russia’s defense capability, including information.”

– Givi Gigitashvili, DFRLab Research Associate, Warsaw, Poland

Frenzy befalls French company accused of feeding Russian forces on New Year’s Eve

A VKontakte post showing baskets of canned goods produced by the French company Bonduelle being distributed to Russian soldiers on New Year’s Eve has sparked a media frenzy in France. The post alleges that Bonduelle sent Russian soldiers a congratulatory package, telling them to “come back with a win.” The post quotes Ekaterina Eliseeva, the head of Bonduelle’s EurAsia markets. According to a 2019 Forbes article, Eliseeva studied interpretation at an Russian state security academy. 

Bonduelle has issued several statements denying the social media post and calling it fake. However, Bonduelle does maintain operations in Russia “to ensure that the population has access to essential foodstuff.” 

French broadcaster TV 5 Monde discovered that Bonduelle’s Russia division participated in a non-profit effort called Basket of Kindness, sponsored by the Fund of Presidential Grants of Russia. Food and supplies were gathered by food banks to be delivered to vulnerable segments of the population. However, during the collection drive, Dmitry Zharikov, governor of the Russian city of Podolsk, posted on Telegram that the collections would also serve military families.  

The story was shared on national television in France and across several international outlets. The Ukrainian embassy in France criticized Bonduelle for continuing to operate in Russia, claiming it was “making profits in a terrorist country which kills Ukrainians.”

—Valentin Châtelet, Research Associate, Brussels, Belgium

Former head of Russian space agency injured in Donetsk, mails shell fragment to French ambassador

Dmitry Rogozin, former head of the Russian space agency Roscosmos, said he was wounded in Ukrainian shelling on December 21, 2022, at the Shesh hotel in Donetsk while “celebrating his birthday.” In response, Rogozin sent a letter to Pierre Lévy, the French ambassador to Russia, with a fragment of the shell.  

In the letter, Rogozin accused the French government of “betraying [Charles] De Gaulle’s cause and becoming a bloodthirsty state in Europe.” The shell fragment was extracted from Rogozin’s spine during surgery and allegedly came from a French CAESAR howitzer. Rogozin requested the fragment be sent to French President Emmanuel Macron. His message was relayed by Russian news agencies, and on Telegram by pro-Russian and French-speaking conspiracy channels. 

At the time of the attack, Rogozin was accompanied by two members of his voluntary unit, “Tsar’s wolves,” who were killed in the attack, according to reporting from RT, RIA Novosti, and others. 

– Valentin Châtelet, Research Associate, Brussels, Belgium

Sputnik Lithuania’s former chief editor arrested

On January 6, Marat Kasem, the former chief editor of Sputnik Lithuania, was arrested in Riga, Latvia, on suspicion of “providing economic resources” to a Kremlin propaganda resource under EU sanctions.

The following day, pro-Kremlin journalists held a small demonstration in support of Kasem in front of the Latvian embassy in Moscow. Russian journalist Dmitry Kiselyov and politician Maria Butina attended the event.

The demonstration was filmed by Sputnik and amplified with the Russian hashtag #свободуМаратуКасему (#freedomForMaratKasem) on Telegram channels operating in the Baltic states, including the pro-Russian BALTNEWS, Своих не бросаем! | Свободная Балтика!, and on Butina’s personal channel. The news of Kasem’s arrest also reached the Russian Duma’s Telegram channel, which re-shared Butina’s post.

– Valentin Châtelet, Research Associate, Brussels, Belgium

New year brings new military aid for Ukraine

International efforts in support of Ukraine are continuing in full force in 2023. On January 4, Norway announced it had sent Ukraine another 10,000 155mm artillery shells. These shells can be used in several types of artillery units, including the M109 self-propelled howitzer. On January 5, Germany confirmed it would provide Ukraine with Marder fighting vehicles and a Patriot anti-aircraft missile battery. German news outlet Spiegel also reported that talks are underway to supply Ukraine with additional Gepard anti-aircraft guns and ammunition.

In addition, UK Foreign Secretary James Cleverly said the British government would supply Ukraine with military equipment capable of delivering a “decisive” strike from a distance. At the end of 2022, UK Defense Secretary Ben Wallace discussed the possibility of transferring Storm Shadow cruise missiles, with a range of up to 250 kilometers. Finland also reported that it is preparing its twelfth package of military assistance to Ukraine.

US aid to Ukraine is also being reaffirmed with a $2.85 billion package on top of weapon deliveries. Additionally, the US plans to deliver fourteen vehicles equipped with anti-drone systems as part of its security assistance package. The company L3Harris is part of the Pentagon’s contract to develop anti-drone kits. This equipment would help protect Ukrainian civil infrastructure, which has been a frequent Russian target since October 2022.

On January 6, French President Emmanuel Macron announced that France would supply Ukraine with units of the light AMX-10RC armored reconnaissance vehicle. These vehicles were produced in 1970 and have been used in Afghanistan, the Gulf War, Mali, Kosovo, and Ivory Coast. The French defense ministry also announced that the country was to deliver twenty units of ACMAT Bastion armored personnel carriers.

On January 11, Ukrainian President Volodymyr Zelenskyy met with Presidents Andrzej Duda of Poland and Gitanas Nauseda of Lithuania in Lviv. During the visit, Duda announced that Poland would deliver fourteen units of the much-awaited German Leopard combat tanks, and Nauseda announced that his country would provide Ukraine with Zenit anti-aircraft systems.

Meanwhile, the largest manufacturer of containers for the transport of liquified natural gas has ceased operations in Russia. French engineering group Gaztransport & Technigaz (GTT) said it ended operations in Russia after reviewing the latest European sanctions package, which included a ban on engineering services for Russian firms. The group said its contract with Russian shipbuilding company Zvezda to supply fifteen icebreakers to transport liquefied natural gas was suspended effective January 8.

—Valentin Châtelet, Research Associate, Brussels, Belgium

—Ruslan Trad, Resident Fellow for Security Research, Sofia, Bulgaria

Ukrainian envoy to Georgia discusses deteriorating relations between nations

On January 9, Andrii Kasianov, the Ukrainian Chargé d’Affaires in Georgia, published an article discussing the deteriorating relationship between the two countries. The article stated that the top issues affecting relations were military aid to Ukraine, bilateral sanctions against Russia, visa policies for fleeing Russians, and the legal rights of Mikheil Saakashvili, the imprisoned third president of Georgia, who is also a Ukrainian citizen.

Kasianov noted that Tbilisi declined Kyiv’s request for military help, specifically for BUK missile systems, which were given to Georgia by Ukraine during Russia’s 2008 invasion. The diplomat said that the weapons request also included Javelin anti-tank systems supplied to Georgia by the United States.

“Despite the fact that the Georgian government categorically refused to provide military aid, Ukraine opposes the use of this issue in internal political disputes and rejects any accusations of attempts to draw Georgia into a war with the Russian Federation,” Kasianov said.

Since the Russian invasion of Ukraine, the Georgian Dream-led government has accused Ukraine, the US, and the EU of attempting to drag Georgia into a war with Russia.

—Eto Buziashvili, Research Associate, Tbilisi, Georgia

The post Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize appeared first on Atlantic Council.

The West reaps multiple benefits from backing Ukraine against Russia

Taras Kuzio — Thu, 12 Jan 2023 16:43:23 +0000

As it continues to fight against Russia’s ongoing invasion, Ukraine is often depicted as being heavily reliant on Western military and economic support. However, this relationship is not as one-sided as it might initially appear. Western backing has indeed been crucial in helping Ukraine defend itself, but the democratic world also reaps a wide range of benefits from supporting the Ukrainian war effort.

Critics of Western support for Ukraine tend to view this aid through a one-dimensional lens. They see only costs and risks while ignoring a number of obvious advantages.

The most important of these advantages are being won on the battlefield. In short, Ukraine is steadily destroying Russia’s military potential. This dramatically reduces the threat posed to NATO’s eastern flank. In time, it should allow the Western world to focus its attention on China.

During the initial period of his presidency, Joe Biden is believed to have felt that the US should “park Russia” in order to concentrate on the far more serious foreign policy challenge posed by Beijing. Ukraine’s military success is now helping to remove this dilemma.

Defeat in Ukraine would relegate Russia from the ranks of the world’s military superpowers and leave Moscow facing years of rebuilding before it could once again menace the wider region. Crucially, by supporting Ukraine, the West is able to dramatically reduce Russia’s military potential without committing any of its own troops or sustaining casualties.

Backing Ukraine today makes a lot more strategic sense than allowing Putin to advance and facing a significantly strengthened Russian military at a later date. As former US Secretary of State Condoleezza Rice and former US Secretary of Defense Robert M. Gates wrote recently in The Washington Post, “The way to avoid confrontation with Russia in the future is to help Ukraine push back the invader now. This is the lesson of history that should guide us, and it lends urgency to the actions that must be taken, before it is too late.”

If this lesson is ignored and Ukraine is defeated, Russia will almost certainly go further and attack NATO member countries such as the Baltic nations, Finland, or Poland. At that point, it will no longer be possible to avoid significant NATO casualties.

Subscribe to UkraineAlert

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

Name
First Last
Email*
Phone
This field is for validation purposes and should be left unchanged.

The international response to Russia’s invasion of Ukraine has also reshaped the geopolitical landscape far from the battlefield. Since February 2022, it has reinvigorated the West as a political force.

The war has given NATO renewed purpose and brought about the further enlargement of the military alliance in Scandinavia with the recent membership applications of Sweden and Finland. The EU is also more united than ever and has now overcome a prolonged crisis of confidence brought about by the rise of populist nationalist movements.

In the energy sector, Putin’s genocidal invasion has finally forced a deeply reluctant Europe to confront its debilitating dependency on Russian oil and gas. This has greatly improved European security and robbed the Kremlin of its ability to blackmail Europe with weaponized energy exports. It now looks likely that the era of corrupt energy sector collaboration with the Kremlin is now drawing to a close, in Europe at least.

Eurasia Center events

After Vilnius: What’s next on Ukraine’s path to NATO?

Eastern Europe NATO Security & Defense Ukraine

Western support for Ukraine is bringing a variety of practical military gains. While Ukraine’s Western partners provide Ukraine with vital battlefield intelligence, Ukraine returns the favor by offering equally valuable intelligence on the quality and effectiveness of Russian troops, military equipment, and tactics. The events of the past ten months have confirmed that pre-war perceptions of the Russian army were wildly inaccurate. Thanks to Ukraine’s unique experience and insights, Western military planners now have a far more credible picture of Moscow’s true military capabilities.

Ukraine’s MacGyver-like ability to adapt and deploy NATO weapons using Soviet-era platforms could prove extremely useful to the alliance in future conflicts. Ukrainian troops have proven quick to learn how to use Western weapons, often requiring far shorter training periods than those allocated to Western troops.

The innovative use of digital technologies by the Ukrainian military also offers invaluable lessons for their Western counterparts. Ukraine’s widespread deployment of Elon Musk’s Starlink system in front line locations is unprecedented in modern warfare and offers rare insights for all NATO countries.

Similarly, the war in Ukraine is highlighting the increasingly critical role of drone technologies. This is building on the experience of the Second Karabakh War in 2020, when Israeli and Turkish drones played an important part in Azerbaijan’s victory over Armenia.

Russia failed to invest sufficient resources into the development of military drones and has been forced to rely on relatively unsophisticated Iranian drones. In contrast, Ukraine enjoys a strong military partnership with Turkey that includes a deepening drone component. Turkey’s Bayraktar drones gained iconic status during the early stages of the Russian invasion. The company has since confirmed plans to build a manufacturing plant in Ukraine.

In addition to these Turkish drones, Ukraine’s powerful volunteer movement and tech-savvy military have created a myriad of drone solutions to address the challenges of today’s battlefield. Ukraine’s rapidly evolving drone technologies are extremely interesting to Western military planners and will be studied in great detail for years to come.

Ever since the full-scale invasion of Ukraine began on February 24, 2022, Ukrainian forces have fused courageous fighting spirit with advanced intelligence and innovative use of battle management software. “Tenacity, will, and harnessing the latest technology give the Ukrainians a decisive advantage,” noted General Mark Milley, the current US Chairman of the Joint Chiefs of Staff.

The relationship between Ukraine and the country’s Western partners is very much a two-way street bringing significant benefits and strategic advantages to both sides. While Ukraine is receiving critical military and economic support, the Western world is benefiting from improved security along with important intelligence and unique battlefield experience. There is clearly a strong moral case for standing with Ukraine, but it is worth underlining that the strategic argument is equally convincing.

Taras Kuzio is professor of political science at the National University of Kyiv Mohyla Academy and author of the forthcoming “Russia’s War and Genocide Against Ukrainians.”

Frequently Asked Questions – Virtual

How do I log in to the virtual sessions?

Your team will be sent an invitation to your round’s Zoom meeting the day before the event using the emails provided during registration.

How will I know where to log in, and where is the schedule?

We will send out links to Zoom webinars and meetings, along with an agenda, the day before the event.

How are the virtual sessions being run?

Virtual sessions will be run very close to the traditional competition structure and rules. Each Zoom meeting will be managed by a timekeeper. This timekeeper will ensure that each team and judge logs on to the conference line and will manage the competition round.

At the beginning of the round, decision documents will be shared by the timekeeper via Zoom and judges will have 2 minutes to review the documents prior to the competitors’ briefing.

Teams will have 10 minutes to present their briefing and 10 minutes for Q&A. Judges will be asked to mute themselves for the 10–minute briefing session.

Judges will then be invited to a digital breakout room and will have 5 minutes to discuss scores and fill out their scorecards via JotForm.

After the scoring is over, judges will have 15 minutes to provide direct feedback to the team.

A 10-minute break is scheduled before the start of the next round. Each round has been allotted several minutes of transition time for technical difficulties and troubleshooting.

What do I need to log into a virtual session?

Your team will need a computer (recommended), tablet, or smartphone with a webcam, microphone, and speaker or headphones.

Your team will be provided with a link to the Zoom conference for each competition round your team is scheduled for. If you have any questions about the software, please see Zoom’s internal guide here.

Will my team get scored the same way on Zoom as in-person?

Yes, the rules of the competition remain the same, including the rubric for scoring.

How will my team receive Intel Pack 2 and Pack 3?

We will send out the intelligence packs via email to all qualifying teams.

How will the final round be run?

The final round will be run identically to the traditional final round format except that each the only participants allowed in the competition Zoom conference will be final round judges and the assigned team.

Finalists will not able to watch the presentations of other teams in real time. Final rounds will be recorded and published on the Atlantic Council website after the final round ends.

Frequently Asked Questions – In-person

Where will the event be held in-person?

For participants attending in-person, the Cyber 9/12 Strategy Challenge will be held at American University’s Washington College of Law (WCL). On the evening on Friday, March 17th, there will be a reception held at the Atlantic Council offices downtown. Further information about the Atlantic Council offices can be found here.

What time will the event start and finish?

While the final schedule has yet to be finalized, participants will be expected at American University WCL at 8:00am on Day 1, and the competition will run until approximately 5:00pm, with an evening reception at approximately 6:30pm. Day 2 will commence at approximately 9:00am, and will finish at approximately 4:00pm. The organizing team reserves the right to modify the above timing. The official schedule of events will be distributed to teams in advance of the event. All times are EST.

Can teams who are eliminated on Day 1 still participate in Day 2 events?

Yes! All teams are welcome at all of the side-programming events. We strongly encourage teams eliminated on Day 1 to attend the competition on Day 2.

Will meals be included for in-person attendees?

Yes, breakfast and lunch will be provided for all participants on both days. Light refreshments & finger foods will be provided at the evening reception on Day 1.

What should I pack/bring to a Cyber 9/12 event?

At the event: Please bring at least 4 printed copies of your decision documents for the judges on Day 1. We will help print documents on Day 2. Name tags will be provided to all participants, judges, and staff at registration on March 17. We ask you to wear these name tags throughout the duration of the competition. Name tags will be printed using the exact first and last name provided upon registration.

Dress Code: We recommend that students dress in at least business casual attire as teams will be conducting briefings. You can learn more about business casual attire here.

Electronic Devices: Cell phones and laptops will not be used during presentations but we recommend teams bring their laptops as they will need to draft their decision documents for Day 2 and conduct research. Please refer to the competition rules for additional information.

How do we get to American University?

American University is on the DC Metro Red line. Metro service from both Dulles International Airport (IAD) and Reagan National Airport (DCA) connect with the Metro Red Line at Metro Center.

Zoom

What is Zoom?

Zoom is a free video conferencing application. We will be using it to host the competition remotely.

Do I need to pay for Zoom to participate?

No.

Do I need a Zoom account?

You do not have to have an account BUT we recommend that you do and download the desktop application to participate in the Cyber 9/12 Strategy Challenge.

Please use your real name to register so we can track participation. A free Zoom account is all that is necessary to participate.

What if I don’t have Zoom?

Zoom is available for download online. You can also access Zoom conferences through a browser without downloading any software or registering.

How do I use Zoom on my Mac? Windows? Linux Machine?

Follow the instructions here and here to get started. Please use the same email you registered with for your Zoom to sign up.

Can I use Zoom on my mobile device?

Yes, but we recommend that you use a computer or tablet.

Can each member of my team call into the Zoom conference line independently for our competition round?

Yes.

Can other teams listen-in to my team’s session?

Zoom links to competition sessions are team specific—only your team and your judges will have access to a session and sessions will be monitored once all participants have joined. If an observer has requested to watch your team‘s presentation, your timekeeper will notify you at the start of your round.

Staff will be monitoring all sessions and all meetings will have a waiting room enabled in order to monitor attendance. Any team member or coach in a session they are not assigned to will be removed and disqualified.

Troubleshooting

What if my team loses internet connection or is disconnected during the competition?

If your team experiences a loss of internet connection, we recommend following Zoom’s troubleshooting steps listed here. Please remain in contact with your timekeeper.

If your team is unable to rejoin the Zoom conference – please use one of the several dial-in lines included in the Zoom invitation.

What if there is an audio echo or other audio feedback issue?

There are three possible causes for audio malfunction during a meeting:

A participant has both the computer and telephone audio active.
A participant computer and telephone speakers are too close together.
Multiple participant computers with active audio are in the same room.

If this is the case, please disconnect the computer’s audio from other devices, and leave the Zoom conference on one computer. To avoid audio feedback issues, we recommend each team use one computer to compete.

What if I am unable to use a video conference, can my team still participate?

Zoom has dial-in lines associated with each Zoom conference event and you are able to call directly using any landline or mobile phone.

We do not recommend choosing voice only lines unless absolutely necessary.

Other

Will there be keynotes or any networking activity remotely?

Keynotes will continue as reflected on our agenda and will be broadcast with links to be shared with competitors the day before the event.

We also encourage competitors and judges to join the Cyber 9/12 Strategy Challenge Alumni Group on LinkedIn where we will post job vacancies and internship opportunities.

How should I prepare for a Cyber 9/12?

Check out our preparation materials, which includes past scenarios, playbooks including award-winning policy recommendations and a starter pack for teams that includes templates for requesting coaching support or funding.

Cyber Statecraft Initiative

The post 2023 DC Cyber 9/12 Strategy Challenge appeared first on Atlantic Council.

The 5×5—The cyber year in review

Simon Handler — Wed, 14 Dec 2022 05:01:00 +0000

One year ago, the global cybersecurity community looked back at 2021 as the year of ransomware, as the number of attacks nearly doubled over the previous year and involved high-profile targets such as the Colonial Pipeline—bringing media and policy attention to the issue. Now, a year later, the surge of ransomware has not slowed, as the number of attacks hit yet another record high—80 percent over 2021—despite initiatives from the White House and the Cybersecurity and Infrastructure Security Agency (CISA). The persistence of ransomware attacks shows that the challenge will not be solved by one government alone, but through cooperation with friends, competitors, and adversaries.

Russia’s full-scale invasion of Ukraine, the landmark development of 2022, indicates that this challenge will likely remain unsolved for a while. Roughly three-quarters of all ransomware revenue makes its way back to Russia-linked hacking groups, and cooperation with the Kremlin on countering these groups is unlikely to yield much progress anytime soon. Revelations in the aftermath of Russia’s invasion confirmed suspicions that Russian intelligence services not only tolerate ransomware groups but give some of them direct orders.

Ransomware was not the only cyber issue to define 2022, as other challenges continued, from operational technology to workforce development, and various public and private-sector organizations made notable progress in confronting them. We brought together a group of experts to review the highs and lows of the year in cybersecurity and look forward to 2023.

#1 What organization, public or private, had the greatest impact on cybersecurity in 2022?

Rep. Jim Langevin, US Representative (D-RI); former commissioner, Cyberspace Solarium Commission:

“I think we have really seen the Joint Cyber Defense Collaborative (JCDC) come into its own this year. We saw CISA, through JCDC, lead impressive and coordinated cyber defense efforts in response to some of the most critical cyber emergencies the Nation faced in 2022, including the Log4Shell vulnerability and the heightened threat of Russian cyberattacks after its invasion of Ukraine.”

Wendy Nather, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; head of advisory CISOs, Cisco:

“I would argue that Twitter has had the most impact on cybersecurity. As a global nexus for public discourse, security research, threat intelligence sharing, media resources, and more, its recent implosion has disrupted essential communications and driven many cybersecurity stakeholders to seek connectivity elsewhere. We will probably continue to see the effects of this disruption well into 2023 and possibly beyond.”

Sarah Powazek, program director, Public Interest Cybersecurity, UC Berkeley Center for Long-Term Cybersecurity:

“CISA. The cross-sector performance goals and the sector-specific 100-Day Cyber Review Sprints this year are paving the way for a more complete understanding and encouragement of cybersecurity maturity in different industries. It is finally starting to feel like we have a federal home for nationwide cybersecurity defense.”

Megan Samford, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; vice president and chief product security officer for energy management, Schneider Electric:

“I think all of us feel that it has to be the warfighting efforts that are going on in the background of the Ukraine war—these are the ‘known unknown’ efforts. If we take that off the table though, I would say it is not an organization at all, it is a standard (IEC 62443). As boring as it is to say that standards work, right now industry most needs time for the standards to be adopted to reach a minimum baseline. If we fail to achieve standardization, we will see regulation—both achieve the same things at different paces with different tradeoffs.”

Gavin Wilde, senior fellow, Technology and International Affairs Program, Carnegie Endowment for International Peace:

“The State Special Communications Service of Ukraine (SSSCIP), which has deftly defended and mitigated against Russian cyberattacks throughout Moscow’s war. SSSCIP’s ability to juggle those demands while coordinating and communicating with a vast array of state and commercial partners has improved the landscape for everyone.”

#2 What was the most impactful cyber policy or initiative of 2022?

Langevin: “The Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Its impact lies not only in its effect—which will dramatically improve the federal government’s visibility of cyber threats to critical infrastructure—but also in the example it has set for how Congress, the executive branch, and the private sector can effectively work together to craft major legislation that will make the country fundamentally safer in cyberspace.”

Nather: “I have to call out CISA’s election security support at this crucial point in our Nation’s fragile and chaotic state. It continues to provide excellent information and resources—particularly the wonderfully named “What to Expect When You are Expecting an Election” and video training to help election workers protect themselves and the democratic process. Reaching out directly to stakeholders and citizens with the education they need is every bit as important as the ‘public-private partnership’ efforts that most citizens never encounter.”

Powazek: “CISA’s State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program. The programs will dole out $1 billion in cyber funding to state, local, tribal, and territorial governments over four years, with at least 25 percent of those funds earmarked for rural areas. If that money is invested well, it will be an incredible boon to critical public agencies struggling to improve their cybersecurity maturity, and it can better protect millions of people.”

Samford: “Software bill of materials (SBOM), but not for the reasons people may think. SBOM is a very useful tool in managing risk, provided that organizations already have good asset inventory capability. In operational technology, asset inventory is an area that asset owners continue to struggle with, so the benefit from SBOM is more of a long-term journey. That is why I say SBOM, but not for the reasons people think. In my mind what I think was most impressive around SBOM was that it demonstrated that the industry can successfully rally and rapidly standardize around very specific asks. SBOM came together because it had three things: 1) common industry understanding of the problem; 2) existing tooling that, for the most part, did not require new training; and 3) government policy and right-sized program management.”

Wilde: “The European Union’s proposed Cyber Resilience Act, which is poised to update and harmonize the regulatory environment across twenty-seven member states and set benchmarks for product and software security—particularly as both cybercrime and Internet-of-Things applications continue to proliferate. The proposals offer a stark contrast between a forward-looking regulatory regime, and a crisis-driven reporting and mitigation one.”

#3 What is the most important yet under-covered cyber incident of 2022?

Langevin: “I think it is worth reminding ourselves just how serious the ransomware attacks were that crippled the Costa Rican government this year. This was covered in the news, but from a policy perspective, I think it warrants a deeper conversation about what the United States can be doing on the international stage to double down on capacity-building and incident response efforts with allies, particularly those more vulnerable to such debilitating attacks. Part of that conversation needs to include a commitment to ensuring that our government actors, like the State Department’s Bureau of Cyberspace and Digital Policy, have the appropriate resources and authorities to effectively provide that assistance.”

Nather: “The Twilio breach (although Wired did a good job covering it). It is important because although SMS is a somewhat-reviled part of our security infrastructure, it is utterly necessary, and will continue to be long into the future.”

Powazek: “The Los Angeles Unified School District (LSUSD) ransomware attack by Vice Society was highly covered in the news, but I think the implications are resounding. LAUSD leaders refused to pay the ransom, maintained transparency with students and parents, and were able to move forward with minimal downtime. It was a masterclass in incident management, and I was thrilled to see a public institution take a stand against ransomware actors and recover quickly.”

Samford: “Uber’s chief information security officer (CISO) going to jail. This has turned the industry on its head and forced people to challenge what it means to be an executive in this industry and make decisions that can land you—not the chief executive officer or chief legal counsel—in jail. What is the compensation structure for this amount of risk taking? I have heard of CISOs being called the ‘chief look around the corner officer’ or the ‘chief translation officer,’ but now has the CISO become the ‘chief scapegoat officer?”

Wilde: “The US Department of Justice’s use of ‘search and seizure’ authority (Rule 41 of the federal criminal code) to neutralize a botnet orchestrated by the Russian GRU. So many fascinating elements of this story—including the legal and technical implications of the operation, as well as the cultural shift at DOJ—seem to have gone underexamined. Move over, NSPM-13…”

The cyber strategy and operations of Hamas: Green flags and green hats

GRU 26165: The Russian cyber unit that hacks targets on-site

Wargaming to find a safe port in a cyber storm

#4 What cybersecurity issue went unaddressed in 2022 but deserves greater attention in 2023?

Langevin: “I am hopeful that this answer proves to be wrong before the end of the year, but right now, it is the lack of a fiscal year (FY) 2023 budget. The federal government has a wide array of new cybersecurity obligations stemming from recent legislation and Biden administration policy, but agencies will struggle to fulfill these responsibilities if Congress does not provide appropriate funding for them to do so. Keeping the government at FY22 funding levels simply is not good enough; if we want to see real progress, we need to pass a budget.”

Nather: “One trend I see is that there is almost no check on technological complexity, which is the nemesis of security. Simply slapping another ‘pane of glass’ on top of the muddled heap is not a long-term solution. I believe we will see more efforts to consolidate underlying infrastructure for many reasons, among them cost and ease of administration, but cybersecurity will be one of the loudest stakeholders.”

Powazek: “The United States still does not have a scalable solution for providing proactive cyber assessments to folks who cannot afford to hire a consulting firm. There are lots of toolkits available, but some organizations do not even have the staff or time to consume them, and there is no substitute for face-to-face assistance. We could use more solutions like cybersecurity clinics and regional cyber advisors that address this market failure and help organizations increase resiliency to cyberattacks.”

Samford: “Coordinated incident response as well as whistleblower protection. If you want safety-level protections in cybersecurity, you need safety-level whistleblower protections. In the culture of safety, based on decades of culture development and nurturing, whistleblowing is a key enabler. It is based on a basic truth that anyone in an organization can ‘stop the line’ if they see unsafe behavior. In cyber, we lack ‘stop the line’ power and, in many cases, individuals fail to report risk because of fear of attribution and retaliation. That is why, in my mind, the topic of whether or not whistleblower protection should become a cyber norm remains something that has gotten little attention but it is a critical decision point in how the cyber community wants to move forward. Will we have more of a tech-based culture or a safety-based culture?

As far as coordinated incident response, we estimate that upward of 80 percent of the cyber defense capacity resides in the private sector, yet very few mechanisms exist to coordinate these resources alongside a government-led response. We have not yet figured out how to tap that pool of resources, and I fear that we are going to have to learn it quickly one day should such attacks occur that require rapid and consistent response coordination, such as a targeted campaigned cyberattack linked with physical impact on critical infrastructures. Using Incident Command System could solve for this and the ICS4ICS program is picking up this challenge.”

Wilde: “Privacy and data protection. The ‘Wild West’ of data brokerages and opaque harvesting schemes that enables illicit targeting and exploitation of vulnerable groups poses as much a threat to national security as any foreign-owned applications or state intelligence agencies.”

#5 What do the results of the 2022 midterm elections in the United States portend for cybersecurity legislation in the 118^th Congress?

Langevin: “The cybersecurity needs of the country are too great for Congress to get bogged down in partisan fighting, and I think there are bipartisan groups of lawmakers in both chambers who understand that. There may be philosophical differences on certain issues that are more pronounced in a divided Congress, but I expect that we will still see room for effective policymaking to improve the Nation’s cybersecurity. The key to progress, as it would have been no matter who controlled Congress, will be continuing to build Members’ policy capacity on these issues, lending a broader base of political support to those Members who understand the issues and can lead the charge on legislation.”

Nather: “Some of the centrist leaders from both parties who led on cybersecurity, such as John Katko (R-NY) and Jim Langevin (D-RI), are retiring. And Will Hurd (R-TX), who held a similar role—working across the aisle on cybersecurity issues—in the previous Congress, is gone. As the work on cybersecurity legislation has historically stayed largely above the political fray, it will be interesting to see who steps up to build consensus on this critical topic.”

Powazek: “The retirement of policy powerhouses Rep. John Katko and Rep. Jim Langevin leaves an opening for more cyber leadership, and the recent elections are our first glimpse of who those leaders may be. As a Californian, I am particularly excited about Rep. Ted Lieu and Senator Alex Padilla, both of whom are poised for cyber policy leadership.”

Samford: “More focus on zero trust, supply chain, and security of build environments. These are efforts that all have bipartisan support and engagement.”

Wilde: “The retirement of several of the most driven and conversant members does not bode well for major cybersecurity initiatives in Congress next session. Diminished expertise is not only a hurdle from a substantive perspective, but it also makes it difficult to avoid cyber issues falling victim to other political and legislative agendas from key committees.”

The post The 5×5—The cyber year in review appeared first on Atlantic Council.

Wargaming to find a safe port in a cyber storm

Daniel Grobarcik, William Loomis, Michael Poznansky, Frank Smith — Mon, 12 Dec 2022 15:00:00 +0000

Game takeaways from Newport and Las Vegas

Executive summary

Introduction

Learning through gaming

Scenario and players

Game play

Attack surfaces and lead times

Prioritization and resilience

Competition and coordination

Conclusion

About the authors

Executive summary

With the Maritime Transportation System increasingly reliant on cyberspace, how can cybersecurity be improved within key nodes of this critical infrastructure, particularly cargo ports? Given the close relationship between the cyber and maritime domains, wargaming provides a useful tool for examining the potential threats and opportunities. This includes the attack surfaces, prioritization challenges, and coordination advantages highlighted by the new maritime cyber wargame Hacking Boundary.

Introduction

Critical infrastructure is rarely headline news—not until something goes very wrong—and the maritime transportation system (MTS) is no exception. The MTS, which is responsible for the safe transport of the majority of international trade, is vital to the global economy.¹ From backlogged cargo at port facilities during the COVID-19 pandemic to the Ever Given container ship blocking the Suez Canal, recent events have highlighted the vulnerability of maritime transportation, and how impactful disruptions to that system can be to everyday life.²

Broadly speaking, the MTS consists of all the waterways, vehicles, and ports that are used to move people and goods via water.³ The volume of goods moved in this way is particularly striking, with most of the world’s cargo carried by sea—between 70–90 percent, depending on how the cargo is counted. For the United States, the MTS contributes to nearly 25 percent of gross domestic product, totaling around $5.4 trillion.⁴It is also essential to the US ability to project military power. Today, as for the past century, sealift—the use of cargo ships to deploy military assets—is responsible for transporting the vast majority of US military matériel around the world.⁵

Unfortunately, this critical infrastructure is under threat. Along with natural disasters and human errors, cyberattacks are increasingly threatening the MTS. In 2017, a destructive and rapidly propagating piece of malware known as NotPetya spread from Ukraine around the world.⁶ One of the many NotPetya victims was Maersk, the world’s largest shipping company. This single cyber incident cost the shipping giant approximately $300 million,⁷ and the price would have been much higher, were it not for a single uninfected server in Ghana. During another cyber incident just last year, foreign government-backed hackers were suspected of breaching information systems at the Port of Houston, further demonstrating that maritime transportation is firmly in the crosshairs.⁸ NotPetya, the Port of Houston, and other cyberattacks against various kinds of critical infrastructure—including the ransomware attack on Colonial Pipeline in 2021—provide an ominous glimpse into the threat environment.

Learning through gaming

Global and national security depend on understanding and mitigating threats to the MTS. The US government has taken some steps in this direction, including the National Maritime Cybersecurity Plan released in December 2020. More needs to be done, however, and one approach is to study what’s necessary through cyber wargaming, a useful tool for examining the complex and confusing problems involved with cyber and physical threats to critical infrastructure.

Working with Ed McGrady, the Cyber & Innovation Policy Institute (CIPI) at the US Naval War College in Newport, Rhode Island, hosted government officials, military service members, students, and academics to play Hacking Boundary: A Game of Maritime Cyber Operations.⁹This war game addresses a hypothetical cyberattack against a major US port facility, and the first iteration of the game was played at the CIPI Summer Workshop on Maritime Cybersecurity in June 2022.

The game was developed and run by Ed McGrady at the Center for a New American Security.

The second iteration of the game, conducted in partnership with the Atlantic Council’s Cyber Statecraft Initiative, was held at the Industrial Control Systems Village at the DefCon Hacking Conference in August 2022 in Las Vegas, Nevada. This iteration featured participants from across the maritime ecosystem, including active duty US Navy and Coast Guard personnel, penetration testers, private sector operators, and many more.

This brief describes Hacking Boundary, along with several strategic and policy implications illuminated by repeated game play. The core takeaways include: (1) understanding the large attack surfaces of port facilities and the lead times that may be required to attack them; (2) the difficulties of prioritizing how and when to spend scarce resources; and (3) understanding that the tensions between competition and coordination, if navigated wisely, may offer defenders marginal—but valuable—advantages when providing maritime cybersecurity.

Scenario and players

Imagine a major US port facility, modeled on the Port Elizabeth Intermodal Complex of New York and New Jersey, in the year 2027. The facility includes a terminal along the water. Within the terminal are the yard, gantry cranes, cargo containers, scales, semitrucks, inspection sites, gates, and administrative offices needed to load, offload, process, and move 1.8 million twenty-foot equivalent units (TEUs) annually, or approximately 43 million tonnes of cargo. Connecting all of this equipment, and the people operating it, are local area networks, Wi-Fi, radios, phones, and wires, forming a complex web of near constant communication.

Picture from game play in Las Vegas.

When an ultra large container ship carrying 21,000 TEUs enters port, all of this information and operational technology is put to work. Positioning systems and radio communication with pilot ships helps steer the container ship into a berth; cargo data files are digitally sent to the port authority; local security contractors screen the cargo; and access control handles the hundreds of trucks required to move the cargo. Work that was once handled by thousands of people is now performed by computers, scanners, remote closed-circuit television cameras, and routers working both autonomously and with human support. Underpinned by cyberspace, this daily routine unfolds at a massive scale and pace.

During the wargame, teams of defenders and attackers face off in this cyber-physical environment. On the defending team, the maritime shipping industry is represented by a fictitious private firm called Worldwide Logistics Operations (WLO), which leases the container terminal. WLO runs the information technology (IT) infrastructure for the terminal. It also cooperates with local authorities and the federal government, played by another team of defenders. The attackers are broken into four groups, each representing different kinds of advanced persistent threats (APTs) with their own background, expertise, and modus operandi. These attackers range from independent cyber criminals to mercenaries to groups with ties to foreign intelligence organizations. Overseeing the contest between the attackers and the defenders is a game master, who helps construct and control the game narrative and, in the process, judges the outcome of each team’s moves.

Game play

This game is played over multiple turns, with each turn representing a month in the real world. At the start of each turn, the attacking and defending teams both draw random event cards. Possible events range from good news (e.g., receiving an unexpectedly large budget) to bad news (e.g., a power outage or having members of your team poached by the competition). These events are intended to represent some of the unpredictable realities faced by both parties in the real world. With a random event card in hand, each team plans their course of action.

The defending team’s objective is to prevent port terminal intrusions and establish resilient systems that fail gracefully, minimizing potential disruption or damage. Given a limited budget, represented in the game as coins, the team must make choices that involve difficult trade-offs. For example, defenders could prioritize security training and upgraded hardware but, as a consequence, they may have insufficient resources to conduct penetration testing to identify other potential vulnerabilities. Or, they could choose to conduct penetration testing, but then lack resources to fix the vulnerabilities they find. It is also important to safeguard port facility physical security against theft and illicit access to critical systems. The networked nature of cyber and physical systems means that neglecting one could expose the other to risk.

The objective of the attacking teams is to secure a profit at the expense of the port and the WLO. Attackers start the game with a set budget. They can earn additional coins by completing missions ranging from exfiltrating data to causing physical damage. To complete a mission successfully, an attacking team must allocate limited resources to hiring the right people for the job, which included technical experts to defeat defensive measures. For simplicity, the categories of expertise in this game are: social, physical, network, malware, operating system, applications, electronics, and cryptography. Attackers must also acquire the capabilities needed to accomplish their mission, such as tailored malware or radio-frequency identification scanners. This wargame emphasizes the full breadth of the cyber kill chain, including preplanning and lateral movement over time.¹⁰ Attackers may also take cyber actions that do not have immediate effects, laying the foundation for success later in the game.

The respective plans of attackers and defenders—and the logic behind them—interact via the game master, who determines the likelihood of success or failure. Outcomes are determined through discussion, with each team arguing their case about defensive measures taken at the port terminal, the complexity of the attack, and the personnel and capabilities dedicated to the job. This part of the game is where the collective expertise of each team really shines. Based on these discussions, the game master assesses the probability of an attack succeeding.

Chance is incorporated by rolling dice. For example, an attack with a 50 percent probability of success means that the attacking team must roll an eleven or higher on a twenty-sided die. More difficult attacks require a higher roll to succeed; easier attacks can succeed with a lower roll. The dice rolls determine if the attacker successfully completes all or part of their chosen mission.

Successful missions pay off in coins, building a unique narrative for the game. However, there is also the risk of discovery, modeled in the game as another roll of the dice by the team for “forensic points.” Depending on the complexity of the move, attacking teams incur higher or lower forensic points. Too much bravado or sloppy tradecraft risks teams being discovered by defenders and having all of their coins seized by the authorities. As is sometimes the case in real life, a bit of bad luck can mean the difference between striking it rich or losing it all.

When the success, failure, and payoff of all the teams’ actions have been decided, the next turn of the game begins with another round of event cards, planning, and outcome adjudication. Typically, each turn takes about an hour. There is no constraint on how many turns can be played, with consideration that higher stakes missions take longer to accomplish. Whenever the game ends, a victor is determined just for fun. Defender success is measured by number of attacks successfully repelled vice attempted intrusions into the port or related networks. For attackers, success depends on the number missions accomplished, their coin haul, and not getting caught.

Game takeaways from Newport and Las Vegas

Observations from only a few iterations of this game, with different players, do not constitute authoritative evidence. Even so, preliminary takeaways contain potentially important insights for maritime cyber and broader cybersecurity challenges facing critical infrastructure.

Attack surfaces and lead times

Large and varied attack surfaces challenge defenders and provide attackers with numerous opportunities for exploitation. This wargame only captured some of the complexities of real-world maritime infrastructure. Nevertheless, it illustrated the importance of interrelationships and dependencies in a cyber-physical system. Subject matter experts who played the game showed how hypothetical attackers might probe several points of entry that intersected with even this simplified version of a cargo port. The attempted exploits were both physical (e.g., breaking and entering or conducting reconnaissance at a local pub frequented by port security) and cyber (e.g., phishing, injecting malware via flash drives, or hacking shipboard systems using Raspberry Pi). The various attack options illustrate the myriad vulnerabilities of these complex facilities.

Put another way, no port is an island. Accidents and attacks outside the facility, such as disrupting a pump station or a nearby rail line, could still impact maritime operations by, for example, paralyzing road traffic around the cargo terminal. These interdependencies highlight the need to broaden the conceptual and operational boundaries of maritime cybersecurity as currently and traditionally conceived. In the wargame, defenders overlooked these external relationships, to their detriment.

While the multitude of attack options seemed to afford the attackers with endless choices, carrying out the attacks in this complicated environment took time. Successful attacks often required long lead times for planning and execution. In the game, as in real life, the cyber kill chain had multiple links spread out over time and, in some cases, over physical space. For example, some attacking teams probed physical security at the port early on, in an attempt to gather useful intelligence. Later, they exfiltrated data through lateral moves within the target network, exploiting access gained through phishing.

Both the large attack surfaces and the long lead times reaffirmed a well-known argument in cybersecurity that nevertheless bears repeating: defending a network is a lengthy and dynamic process, comprised of many different steps. Several attacks crossed multiple systems, spanning three or four moves in the game before a full picture of the offensive operation became apparent. The dramatic image of hackers running a rogue ship aground distracts from much of the preparatory, and seemingly mundane, work that would go into such an attack (e.g., orchestrating a phishing campaign against the cleaning company subcontracted to service the port bathrooms).

Key Takeaway

Maritime infrastructure consists of complex systems, which provide numerous opportunities for exploitation but also complicated kill chains.

Prioritization and resilience

The sheer number and variety of vulnerabilities to exploit and defend during game play posed serious challenges for players about how to allocate their scarce resources. Effective prioritization was a deciding factor for both attackers and defenders.

For their part, attackers had to invest in capabilities and staffing to effectively penetrate target systems and accomplish mission objectives. Missteps or bad luck could result in a failed mission, setting attackers back in terms of time and money. For defenders, early investments to bolster security tended to have a large impact on their ability to thwart attacks later in the game. Defenders also needed to retain resources—and acquire skills—to dynamically (re)allocate defensive capabilities and capacities, which were then distributed across physical and network infrastructure, as well as across shipboard and terminal information systems. With limited resources at their disposal, poorly chosen priorities or bad luck could leave defenders struggling to respond to even basic incidents. Lack of defensive planning, or a purely reactive posture, provided attackers with dangerous freedom of movement.

Here again, the wargame only captured some of the real-life complexity, underscoring the very real challenge and necessity of prioritization. While critical infrastructure is, by definition, “critical,” some systems within it are more important than others, and some problems are easier to solve. Prioritizing investments where ease and importance overlap may seem obvious, but many of the tradeoffs are acute, presenting hard choices. As will be discussed, these choices are easier when public agencies and private firms share useful cyber intelligence. Each party may make different decisions about how to prioritize and allocate their respective resources, but both stand to benefit from pooling information about the threat environment.

Making the right investments and allocating the proper resources to defense is only half the battle. When attacked, organizations also need resilience, namely the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.¹¹ In this game, as in real life, no defense was perfect: financial data leaked; ransomware jumped from contractor to vendor; and even positioning and navigation systems were compromised. Adapting and responding to unfortunate incidents is difficult, but necessary for minimizing disruptions to the most important MTS administrative and operational functions.

There is little doubt that bolstering the resilience of maritime cybersecurity will remain a challenge. Best practices and high standards can help, such as the US Coast Guard’s Navigation and Vessel Inspection Circular 01-20 and the International Maritime Organization’s guidance on cybersecurity.¹² Since so many different operators and information systems intersect at port facilities, best practices within and across sectors are significant to forming strong links between the diverse entities involved. By providing a platform for practical learning, wargames can help individuals and organizations synthesize risk, identify priorities, build resilience, and highlight the significant—but often unappreciated—role that these various relationships can play in cybersecurity.

Key Takeaway

The range of cyber physical vulnerabilities in the MTS mean that prioritization and resilience are core challenges when allocating scarce resources.

Competition and coordination

Competition and coordination were reoccurring themes in this wargame, with significant policy implications. Attackers not only competed against defenders, but also against each other. Competition over scare resources, access points, and cyber exploits fueled tension among the APTs. In addition, some attacking teams were hurt by the actions, misfortunes, or errors of other team members. Attackers were both beneficiaries and potential victims of the difficulties of attribution in cyberspace, as some enterprising attackers tried to disguise their tracks by imitating others in false flag operations.

Instances of attacking teams directly targeting one another—as opposed to defenders—broke the binary concept of purely offensive and defensive roles in the game. These dynamics mirrored real life, helping dispel the notion that offensive and defensive moves in cyberspace inevitably aggregate to the attacker’s advantage. Different attackers have different motives. While a criminal enterprise may hack a port to steal cargo information to sell for financial gain, a state or hybrid actor may attempt to cripple port automation for political reasons. These different, and sometimes competing, objectives limit attackers’ incentives to cooperate with each other, let alone coordinate their actions. Leaked chat records from the Conti ransomware group highlight this discord inside real attacking teams, with interpersonal squabbles compounding conflicts between different APTs.¹³

Defenders suffered from conflicts of interest as well. The private firms that own and operate port facilities may not have the same incentives as government agencies to share information, especially if doing so invites scrutiny by regulators or law enforcement. These defenders also compete with each other for scarce cybersecurity talent and other resources.

While competition and conflict were evident among both defenders and attackers, Hacking Boundary indicates that defenders enjoy some advantages when it comes to institutionalizing cooperation, including a higher baseline level of trust. Honor among thieves may be harder to come by than even begrudging coordination between industry and government. Although defenders in the government, WLO, and terminal IT security teams had different incentives and threat perceptions, many still found ways to share information and coordinate action. On balance, this coordination gave defenders an edge in the game. Successful defenders established lines of communication sooner rather than later.

Real-world coordination between maritime owners, operators, and government agencies is easier said than done. Nevertheless, the potential payoff is considerable and physical proximity may help. Anecdotal evidence from our wargame suggests that players in the roles of port operators and government representatives conversed more when seated together. Perhaps it is no coincidence that communication between similar organizations in the real world correlates to a significant federal presence—Coast Guard headquarters, Department of Homeland Security regional centers, Federal Bureau of Investigation field offices, and the like—close to port facilities. Cybersecurity is social as well as technical, and face-to-face interaction can make a difference. However these relationships develop, the policies that build them before the next major cyber incident could prove to be invaluable.

Key Takeaway

Real-world coordination, whether among attackers or defenders, is a key dynamic in any cyber operation, and is easier said than done.

Conclusion

Cyber wargaming has demonstrated the potential to demystify and clarify threats and opportunities involving critical maritime infrastructure. The game Hacking Boundary engages players with a challenging, but realistic scenario, that reflects some of the serious risks facing the companies, crews, and government authorities operating port facilities around the country and around the world. The large attack surfaces, the importance of prioritization, and the implications of competition and coordination reinforce many well-established cybersecurity ideas. The relationship of these lessons to the maritime domain warrants further exploration.

The intersection between the maritime and cyber environments will likely grow in the years ahead. How these relationships and dependencies are conceptualized will likely determine our success or failure in protecting the MTS. The same goes for improving systemic resilience, including transportation by road, rail, and air – all of which increasingly relies on automation and networked information technology. Further iterations of this wargame and similar exercises stand to help by encouraging practitioners, academics, corporate executives, and government officials to think through potential threats and responses in order to secure these kinds of critical infrastructure.

About the authors

Daniel Grobarcik is a research associate with the Cyber & Innovation Policy Institute at the U.S. Naval War College.

William Loomis is an associate director at the Atlantic Council’s Cyber Statecraft Initiative, within the Digital Forensic Research Lab.

Dr. Michael Poznansky is an associate professor with the Cyber & Innovation Policy Institute at the U.S. Naval War College.

Dr. Frank Smith is a professor and director of the Cyber & Innovation Policy Institute at the U.S. Naval War College.

The ideas expressed here do not represent the US Naval War College, US Navy, Department of Defense, or US Government.

Former Nonresident Senior Fellow

1 William Loomis et al., Raising the Colors: Signaling for Cooperation on Maritime Cybersecurity, October 4, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/report/raising-the-colors-signaling-for-cooperation-on-maritime-cybersecurity/.

2 US Library of Congress, Congressional Research Service, Supply Chain Bottlenecks at US Ports, by John Frittelli and Liana Wong, IN11800 (2021), https://crsreports.congress.gov/product/pdf/IN/IN11800; Marc Jones, “Snarled-Up Ports Point to Worsening Global Supply Chain Woes – Report,” Reuters, May 3, 2022, https://www.reuters.com/business/snarled-up-ports-point-worsening-global-supply-chain-woes-report-2022-05-03/; Vivian Yee and James Glanz, “How One of the World’s Biggest Ships Jammed the Suez Canal,” New York Times, July 17, 2021, https://www.nytimes.com/2021/07/17/world/middleeast/suez-canal-stuck-ship-ever-given.html.

3 US Department of Transportation, Maritime Administration, “Maritime Transportation System (MTS),” last updated January 8, 2021, https://www.maritime.dot.gov/outreach/maritime-transportation-system-mts/maritime-transportation-system-mts.

4 William Loomis et al., Introduction: Cooperation on Maritime Cybersecurity, October 27, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/report/cooperation-on-maritime-cybersecurity-introduction/.

5 Jason Ileto, “Cyber at Sea: Protecting Strategic Sealift in the Age of Strategic Competition,” Modern War Institute, May 10, 2022, https://mwi.usma.edu/cyber-at-sea-protecting-strategic-sealift-in-the-age-of-strategic-competition/; See also https://www.maritime.dot.gov/national-security/strategic-sealift/strategic-sealift/.

6 Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

7 Nina Kollars, Sam J. Tangredi, and Chris C. Demchak, “The Cyber Maritime Environment: A Shared Critical Infrastructure and Trump’s Maritime Cyber Security Plan,” War on the Rocks, February 4, 2021, https://warontherocks.com/2021/02/the-cyber-maritime-environment-a-shared-critical-infrastructure-and-trumps-maritime-cyber-security-plan/.

8 Olafimihan Oshin, “Major US Port Target of Attempted Cyber Attack,” The Hill, September 24, 2021, https://thehill.com/homenews/state-watch/573749-major-us-port-target-of-attempted-cyber-attack/.

9 The game was developed and run by Ed McGrady at the Center for a New American Security.

10 US Department of Homeland Security, Management Directorate, OCRSO, Sustainability and Environmental Programs, Providing a roadmap for the Department in Operational Resilience and Readiness, July 2018, https://www.dhs.gov/sites/default/files/publications/dhs_resilience_framework_july_2018_508.pdf.

11 ”Lockheed Martin, “Cyber Kill Chain,” June 29, 2022, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.

12 US Department of Homeland Security, United States Coast Guard, Navigation and Vessel Inspection Circular No. 01-20 (Washington, DC, 2002), Commandant Publication P16700.4, https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/5ps/NVIC/2020/NVIC_01-20_CyberRisk_dtd_2020-02-26.pdf?ver=2020-03-19-071814-023; International Maritime Organization, “Guidelines on Maritime Cyber Risk Management,” MSC-FAL.1/Circ.3/Rev.1, June 14, 2021, https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf.

13 Gareth Corfield, “60,000 Conti Ransomware Gang Messages Leaked,” The Register, February 28, 2022, https://www.theregister.com/2022/02/28/conti_ransomware_gang_chats_leaked/; Maria Henriquez, “Inside Conti Ransomware Group’s Leaked Chat Logs,” Security Magazine, April 6, 2022, https://www.securitymagazine.com/articles/97379-inside-conti-ransomware-groups-leaked-chat-logs.

The post Wargaming to find a safe port in a cyber storm appeared first on Atlantic Council.

360/StratCom: How policymakers can set a democratic tech agenda for the interconnected world

Layla Mashkoor — Thu, 08 Dec 2022 19:48:31 +0000

On December 7, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) hosted 360/StratCom, its annual government-to-government forum, bringing policymakers and civil-society leaders together to drive forward a democratic tech agenda for the increasingly interconnected world—and ensure that is rights-respecting and inclusive.

The day kicked off with a panel on anti-lockdown protests and dissent in China moderated by Kenton Thibaut, DFRLab’s resident fellow for China. Following a deadly fire at a residential building in Xinjiang, protests erupted in cities across China, including on almost eighty university campuses. While the protests have been fueled by frustration with China’s strict zero-COVID policy, Xiao Qiang, a research scientist at the University of California, Berkeley, noted the protests have also grown to object to censorship and Xi Jinping’s leadership. The protests mark the failure of Xi’s “prevention and control” security approach, added Sheena Greitens, associate professor at the University of Texas. “It was really interesting, and I imagine troubling, from the standpoint of China’s leaders, to see that model fail initially at multiple places, multiple cities in China when these protests broke out,” she said. While the panelists agreed that China has publicly used a lighter touch in dealing with the protest organizers than it has historically, they expressed concern that this is because surveillance technology provides authorities the ability to identify and target protesters behind closed doors. Maya Wang, associate director of the Asia division at Human Rights Watch, said an important takeaway from the protests is that many people in China seek democracy.

Next up was a discussion about the Freedom Online Coalition (FOC), a global alliance in pursuit of a democratic tech agenda that ensures a free, open, secure, and interoperable internet for all. With Canada serving as the current chair of the FOC, the session began with remarks from Canadian Deputy Foreign Minister David Morrison. He noted that what unites the FOC is the belief that one of the most pressing challenges is finding a way to benefit from digital technology in a way that protects human rights and upholds democratic values. Morrison noted four essential components of digital inclusion: connectivity, digital literacy, civic participation, and online safety.

With the United States preparing to serve as the incoming FOC chair, Anne Neuberger, deputy national security adviser for cyber and emerging technologies at the White House, also gave her thoughts on the democratic tech agenda. Neuberger noted that, while the internet has transformed the world, it has also led to a series of troubling developments. “The internet remains a critical tool for those on the front lines of the struggle for human rights, activists; and everyday people from Tehran to Shanghai to Saint Petersburg depend on access to an unblocked, unfiltered internet to communicate and gain information otherwise denied to them by their government.” As FOC chair, the United States will have three main priorities, Neuberger outlined: bolstering existing efforts where the FOC adds unique value, such as condemning governments that misuse technology; strengthening coordination between FOC policies and the foreign assistance that participating states are providing to ensure that national-level technology frameworks around the globe are in alignment with human rights; and strengthening the FOC’s operating mechanics to ensure the organization can have a greater impact in the years to come.

Another vital goal for the FOC is to recognize and articulate the connection between pluralistic, open societies and a secure, open internet, said Katherine Maher, nonresident senior fellow at the DFRLab and former chief executive officer of Wikipedia. In a panel focusing on how the FOC can live up to its promise , Maher noted that an open internet is a means to an end, as it helps people protect human rights. Moderator Jochai Ben-Avie, chief executive of Connect Humanity and a DFRLab nonresident fellow, echoed this sentiment. “Never before has the call been louder for democratic countries to take coordinated action in defense of a free and open and secure and interoperable internet,” he noted.

Report

Dec 6, 2022

An introduction to the Freedom Online Coalition

By Rose Jackson, Leah Fiddler, Jacqueline Malaret

The Freedom Online Coalition (FOC) is comprised of thirty-four member countries committed to advancing Internet freedom and human rights online.

Digital Policy International Organizations

Later in the day, the discussion shifted to the European Union’s (EU) approach to tech governance in a session moderated by Rose Jackson, director of the DFRLab’s Democracy and Tech Initiative. Gerard de Graaf, the European Union’s first ambassador to Silicon Valley, remarked on recent tech industry layoffs, saying that he had been reassured by some tech companies that the cuts would not affect compliance with European regulations. “In the industry, there is an awareness that it’s probably not so wise to start cutting into the areas where, frankly, you probably now need to step up rather than reduce your resources,” he said.

Meanwhile, Prabhat Agarwal, one of the lead drafters of EU tech legislation and head of unit at the EU’s DG CONNECT Digital Services and Platforms, said that he is working on designing transparency provisions. He noted three key areas that these provisions will cover: user-facing transparency to ensure tech platforms’ terms and conditions are so clear “that even children can understand”; expert transparency that would allow civil society, journalists, and academics the ability to access data intrinsic to their research; and regulator transparency that would enable governments to inspect what happens “under the hood” of the platforms.

To close out this year’s 360/StratCom programming, Safa Shahwan Edwards, deputy director of the DFRLab’s Cyber Statecraft Initiative, led a conversation with Camille Stewart Gloster, US deputy national cyber director for technology and ecosystem. The discussion centered on how to define and grow a competitive tech workforce. Stewart Gloster noted that technology underpins each person’s life, and it is imperative to raise the collective level of understanding of the tradeoffs people around the world make daily, from privacy to security.

Layla Mashkoor is an associate editor at the DFRLab.

The post 360/StratCom: How policymakers can set a democratic tech agenda for the interconnected world appeared first on Atlantic Council.

The call for coordinated action for a free, open, and interoperable internet

Erika Hsu — Thu, 08 Dec 2022 14:33:27 +0000

The Freedom Online Coalition (FOC), founded a decade ago, is one of a number of coalitions, alliances, and forums that exist to advance human rights online. As part of its annual 360/StratCom event, the Atlantic Council’s Digital Forensic Research Lab, convened a discussion about the FOC, including the need to coordinate action to protect a free, open, secure, and interoperable internet—and how the FOC should establish itself as a useful vehicle for coordinating digital policy. The panelists also discussed what steps the United States should take as it assumes the FOC leadership position from Canada for the years 2023 and 2024.

David Morrison, Canadian deputy foreign minister of global affairs, introduced the conversation. Morrison reflected on the work Canada accomplished in 2022 as chair of the FOC, as well as what challenges remain as the United States takes control in 2023.

This year, the FOC saw crises that required clear pushbacks against repression online, including Russian disinformation campaigns in Ukraine and the Iranian government’s censorship of the internet, both of which proved the value of the FOC. Morrison highlighted how the FOC can play a lead role in speaking out against such infringements of human rights online, in part because the FOC is a collective powered by civil society and industry.

Report

Dec 6, 2022

An introduction to the Freedom Online Coalition

By Rose Jackson, Leah Fiddler, Jacqueline Malaret

The Freedom Online Coalition (FOC) is comprised of thirty-four member countries committed to advancing Internet freedom and human rights online.

Digital Policy International Organizations

Morrison then passed the microphone to Anne Neuberger—deputy national security advisor, cyber and emerging technologies—who spoke about US priorities as incoming FOC chair.

Neuberger highlighted how the United States is happy to build upon Canada’s previous work as chair and revisited the role the United States played in the past, particularly in the organization’s founding. With the support of US President Joe Biden and a strong foundation set by Canada’s leadership in 2022, Neuberger said she is optimistic that the United States can expand the FOC’s role to improve strategic planning, counter the rise of digital misinformation, and promote safe spaces for marginalized groups such as women, LGBTQ communities, and the disability community. In addition, the United States remains committed to speaking out against Russian and Iranian oppression.

Both Morrison and Neuberger celebrated the expansion of the FOC with the addition of Chile. With membership now at thirty-five countries, Morrison noted how the FOC represents a coalition of countries that believe in responding collectively to digital threats against democracy.

To follow up the opening remarks provided by the Canadian and US government representatives, DFRLab nonresident fellow Jochai Ben-Avie moderated a panel featuring Tatiana Tropina, assistant professor in cybersecurity governance at Leiden University; Katherine Maher, nonresident senior fellow at DFRLab; and Jason Pielemeier, executive director of the Global Network Initiative, to provide insight into the role civil society and industry play in the FOC, as well as improving the coalition’s efficacy. The panelists discussed how the FOC should play a greater role in coordinating countries that believe in using democratic norms to advance human rights, acting as a vehicle to accomplish this because it has expertise, global reach, and a coalition of like-minded countries with the potential to work together.

Looking at the potential of the FOC, the panelists noted the difference in geopolitical contexts between when the organization was founded and today, and that the FOC’s utility is particularly salient because of democratic backsliding in many parts of the world. The panel asserted that, while the optimism that the internet would be a democratizing force has fallen away due to the use of its technology to repress citizens, this should spur even greater motivation to engage within and beyond the FOC.

Panelists then discussed another issue facing the FOC: increasing internal coordination. On one hand, they mentioned, the power of the FOC comes from its reach with the countries comprising its membership. On the other hand, there is a disconnect between the norms that the FOC stands for and the difficulties of actualizing these norms. As Tropina noted, the most pressing issue keeping the FOC from being more effective is not membership inclusion but clarifying the FOC’s role, stating how countries cannot play a leading role without doing the work themselves. The FOC should go “go back to basics and extend its membership based on some really identified values and principles,” she concluded.

The panel concluded by acknowledging that, while it feels as if technology constantly outpaces the institutions created in the past, there are core identifying democratic values that stay constant, and that should drive the FOC’s future action.

Erika Hsu is a young global professional with the Digital Forensic Research Lab.  

The post The call for coordinated action for a free, open, and interoperable internet appeared first on Atlantic Council.

The White House’s new deputy cyber director: Tech’s challenges are society’s challenges

Nick Fouriezos — Wed, 07 Dec 2022 23:49:25 +0000

The White House is engaging in a “whole-of-society strategy” with its newly created Office of the National Cyber Director (ONCD), which set an ambitious agenda to diagnose and address the implications of everything from regional cybersecurity and quantum computing to Web3 blockchain technologies and sustainably expanding the tech workforce.

That was the message from Camille Stewart Gloster, the inaugural deputy national cyber director for technology and ecosystem security, who has been charged with crafting the scope of the office empowered to bridge a range of tech equities and help better define and grow a competitive tech workforce.

ONCD “is focused on moving us towards an affirmative vision of a thriving digital ecosystem that is secure, equitable, and resilient that we all can share in,” Gloster said at 360/StratCom, the annual government-to-government forum hosted by the Atlantic Council’s Digital Forensic Research Lab (DFRLab).

This year, 360/StratCom focused on the work of civil society to ensure that universal human rights in the physical world are also protected in the virtual realm. Here are just a few of Gloster’s insights into the Biden administration’s approach, in a conversation with Safa Shahwan Edwards, deputy director of the DFRLab’s Cyber Statecraft Initiative.

Security and education add up to resilience

Gloster noted that the cyber challenge is “a shared problem across the public sector and the private sector.” As such, her office is working to produce a strategy that focuses on both cyber workforce education and digital safety awareness while striving to fill nearly seven hundred thousand open cybersecurity roles. “We don’t want to engage the same players exclusively,” Gloster said. “Yes, the big players must be a part of the conversation, but we want to make sure [to also include] civil society, academia, the small players, the innovators.”
That multifaceted approach led to the administration’s announcement in August a string of partnerships with top tech companies (Google, Apple, IBM, Microsoft), coding credentialing programs (Code.org, Girls who Code), cyber insurers (Coalition, Resilience), and more than 150 electric utility providers (through its expansion of the Industrial Control Systems Cybersecurity Initiative).
Gloster also emphasized that educational institutions will be critical to enhancing cybersecurity at the local level. The University of Texas system recently announced that it would expand its existing short-term credentials in cyber, as well as create new ones, leveraging its UT San Antonio Cybersecurity Manufacturing Innovation Institute.
Later this week, Gloster will speak at Whatcom Community College, a remote college between Vancouver and Seattle, which was chosen in August to be the site for a National Science Foundation cybersecurity center providing education to “fast-track students from college to career.” At the heart of the conversation, Gloster said, is one core question: “How does a community college sit at the intersection of regional cyber awareness, regional technology awareness, and how does that catalyze and support the work that’s going on on a local or regional level?’”

Expanding cyber policy into the unknown

The ONCD isn’t limited to tackling workforce education and training, but it is also well-positioned to address everything from “the emerging tech supply chain, the intersection of human rights and technology, privacy—all of the future-looking pieces of the technology landscape,” Gloster said.
Cyber administrators will need to grapple with critical questions around quantum computing, which holds incredible promise for creating more effective vaccines and predicting threat models, as well as significant risk. “There’s a lot of good work that can come out of that, so how do we both prepare for the threats and the opportunities?”
The increasing use of Web3 technologies built on blockchains will continue to present new security challenges (beyond financial instability threats, such as recent consumer losses caused by the sudden collapse of the crypto exchange FTX). A number of Web3 companies are built with a “collective contribution model that is open source,” Gloster said, which could leave them more vulnerable to cyberattacks.

The role of all sorts of governments

The ONCD will need to work with the State Department and other interagency partners to coordinate around the national-security, economic, and human-rights implications of these new technologies. Groups like the thirty-four-nation Freedom Online Coalition provide an important avenue “to collaborate with our partners to really think about what democracy looks like now and in the future, and how technology underpins that,” Gloster said.
International governments will need to be proactive in addressing pending security concerns around new technologies. Both the White House and international organizations like the European Commission have signaled that more regulation is coming in 2023 to address cryptocurrencies and the metaverse, for instance.
While people often get lost in the conversation about tech, Gloster said preventing cyber threats in the future will require a significant understanding of human nature—and a workforce equipped with not just tech skills but also expertise in social and cultural contexts. “People create, promulgate, use, and are the malicious actors that weaponize or leverage technology. That means that we have to understand them as people.”

Nick Fouriezos is a writer with more than a decade of journalism experience around the globe.

The post The White House’s new deputy cyber director: Tech’s challenges are society’s challenges appeared first on Atlantic Council.

Evanina testifies to Senate Select Committee on Intelligence

Atlantic Council — Fri, 02 Dec 2022 15:11:02 +0000

Original Source

On September 21, the Scowcroft Center for Strategy and Security’s Nonresident Senior Fellow William Evanina testified before the Senate Select Committee on Intelligence. In his testimony, Evanina discussed the growing cyber threat posed to US business and academic institutions.

America faces an unprecedented sophistication and persistence of threats by nation state actors, cyber criminals, hacktivists and terrorist organizations. Corporate America and academia have become the new counterintelligence battlespace for our nation state adversaries, especially the Communist Party of China.

William Evanina

Former fellow

William R. Evanina

Scowcroft Center for Strategy and Security

Cybersecurity Disinformation

The post Evanina testifies to Senate Select Committee on Intelligence appeared first on Atlantic Council.

The cases for using the SBOMs we build

Amelie Koran, Wendy Nather, Stewart Scott, and Sara Ann Brackett — Tue, 22 Nov 2022 18:45:12 +0000

Introduction: SBOMs, public policy, and you

Still fighting yesterday’s battles

Use cases
1. Guiding software procurement and adoption decisions
2. Adding smarts to vulnerability management and threat intelligence
3. Incident response and building a better packing slip
4. A systemic view of software risk

Why define use cases at all?
—So, what should you do about it?

Conclusion

In the beginning, developers created package manifests and header files. Code was formless and required documentation. Tabs and spaces hovered on the surfaces of the editors, and the spirit of Dennis Ritchie hovered over the code.

And then a developer typed, “git commit” and behold, there was a commit, and the developer saw that the commit was good, so they separated BRANCH from MAIN. They called the BRANCH a version and MAIN the source, and there were pulls and pushes and the first release. And yet lo, users often had little idea what was in any of it. This went on to cause many problems, but that did not make it a bad idea.

Introduction: SBOMS, public policy, and you

Anyone in tech, cyber policy, or security circles has probably heard about software bills of materials (SBOMs) by now and considered how they or their organization might use SBOM data. Many recent efforts strive to answer this question—one good example is Microsoft’s Open-Source Software Secure Supply Chain framework.¹ Asking about SBOM use is nonetheless a reasonable act of self-examination given their relatively recent appearance on the policy scene, mostly in the wake of major software supply chain incidents.²

SBOMs themselves are not new. One widely accepted SBOM format, the Software Package Data Exchange (SPDX), dates back to 2011.³ Notably, that original SBOM concept has its roots in complex physical manufacturing processes in industries like the automotive sector to understand intricate supply chains, as well as in legal practices for recording the inheritance of licenses through a business.⁴ Meanwhile, those who have compiled software from source code are likely familiar with build manifests that indicate all the packages, libraries, and other bits of code needed to properly construct a final piece of software. The bigger a project, from a simple application to an entire operating system, the longer and more complex that manifest becomes. An SBOM is similar—a snapshot in time of each component making up a piece of software, with additional metadata tracking provenance (information about component authors and affiliations) and versioning.⁵

While SBOMs are intuitively useful and have received some notable policy attention of late—from the National Telecommunications and Information Administration’s (NTIA) minimum-viable elements project to mentions in executive orders (EOs) and Office of Management and Budget (OMB) memoranda—they are just one tool (more precisely, one class of data) in the wider arsenal for managing risk in software systems.⁶ ⁷ Although conversation about SBOMs has largely (and understandably) focused on their generation, requirements, and format, their growing maturity demands wider consider consideration of next steps: developing clear use cases for SBOMs. An absence of mature, well-understood use cases for SBOMs threatens their future as an effective risk management tool.

Though SBOMs and their widespread adoption face other, arguably more dire, challenges—for example, the risks of mistimed regulation and disconnects between SBOM designers and consumers—policymakers and the security community can directly address use cases now. Letting the challenges of SBOM generation drown out demand signals from the user side of the pipeline risks inundating purchasers, developers, and acquisition officers alike with a torrent of useless spreadsheets and effete compliance certifications.

Indeed, these uses extend beyond just technology-consuming firms to include governments and other central risk assessment bodies. An absence of well-articulated SBOM use cases and illustrated relevance to communities of SBOM consumers holds twin challenges. First, it risks mission creep, where policymakers might begin to frame SBOMs as a silver bullet for all supply-chain woes without clear demarcation of the problems they are designed to address. Second, it undersells SBOMs to those who would consume them, leading to slower adoption, poor tooling, and the malformation of a potentially powerful data standard into yet more bloated security theater.

To address the opportunity for further usage conversations, this paper offers several grounded applications for SBOMs, focusing particularly on the benefits they offer their consumers, from chief information security officers (CISOs) to acquisition officers and from software consumers to the Cybersecurity and Infrastructure Security Agency (CISA). Incident response may be the most intuitive role for SBOMs—a way to determine impacted software when a widespread component is compromised or found vulnerable—but it is far from the only one. SBOMs can help development teams determine what packages they will be managing. They can feed software composition analysis (SCA), acting as an ingredient and source list. They can help compliance officers streamline licensing acquisition and manage the adoption of components produced by sanctioned or entity-listed companies. At the largest scale, they can map out portions of the software ecosystem, highlighting little-known relationships and concentrations of dependence, while shedding light on the benefits of using extant code and the risks of relying on external repositories. First though, this paper considers the state of contemporary SBOM policy conversations.

Still fighting yesterday’s battles

The year 2014 saw one of the first truly widespread, dire software supply-chain events: the OpenSSL “Heartbleed” vulnerability.⁸ Heartbleed put the many systems that relied on OpenSSL at significant risk, allowing malicious actors to extract sensitive information due to a relatively simple software flaw. The incident catalyzed a small surge in private-sector funding to open-source projects to support security efforts and raised questions about ways to effectively track the use of critical, community-developed software in systems spread around the world, as well as ways to coordinate responses to flaws found in such code. The US government immediately asked all federal agencies, as part of alerting the public through the Department of Homeland Security (DHS), to emphasize where websites and other internet services used OpenSSL libraries.⁹ However, that was only the tip of the iceberg—in fact, OpenSSL also lived on many mobile devices, embedded hardware systems, and phone and conference-call systems,¹⁰ as well as much networking infrastructure.

Collecting data on the usage of OpenSSL protocols among websites to understand Heartbleed exposure was a useful first step to an unwieldy triage process. Wider SBOM adoption at the time would have aided long-tail remediation of false negatives and subtle implementations. Further, had a CISA-style entity been able to ingest and use SBOM information on OpenSSL, the true sprawl of the library would have been more immediately apparent and accessible—perhaps even before the vulnerability was found, leading to a better, more targeted response and, crucially, enabling proactive investment and security before the incident.

Discussions of SBOMs and their development have the opportunity now to match the technical solutions enabled by SBOM data to the policy challenges around transparency, processes, and due diligence they can address, and use case refinement will drive that matching. SBOMs offer a mechanical view into the minutiae of documentation for software, summarizing all the pieces of code that make up modern applications and services. If the end goal is for the digital ecosystem to widely adopt SBOMs—both their production and practical use by recipients—much of the necessary intermediary work in ingesting and interpreting SBOM data remains unfinished. This is understandable: in the early SBOM days, deliberate decisions to limit scope—in the NTIA Minimum Elements for an SBOM process, for instance—helped reduce a sprawling problem set to a tractable project.¹¹ Now that SBOMs are moving toward the mainstream, beginning to address broader use scenarios will help drive their adoption and maturity, and industry, in particular, can play a key role in pushing an aggressive development cycle with clearly defined uses for SBOMs, each contributing to different facets of cybersecurity.

The potential role for SBOMs in long-term remediation of Heartbleed-style events to provide a snapshot of the composition of software packages is clear. However, this security model requires that, upon build and deployment, developers and consumers update and transparently publish SBOMs for consumption. SBOMs only work well if they are common, standardized, and quickly updated—all a considerable way off from the current situation,¹² as a February 2022 Linux Foundation (LF) study found that less than half of surveyed organizations were ”using” SBOMs.¹³ This survey likely represents an optimistic upper-bound as well—64 percent of respondents were LF member companies, likely skewing toward SBOM maturity; only 74 percent of the organizations classed as using SBOMs were producing and consuming them; and even partial or marginal organizational use would have counted for the survey (and is helpfully broken down within the analysis, which acknowledges and strives to address potential sample bias well).

This is not a critique of adoption speed and progress to date, but rather an acknowledgment that the next steps for SBOMs will require a gear shift that well-articulated use cases and a clear policy demand signal can help accomplish. The same survey queried about adoption plans, forecasting a promising 66 percent increase in the rate of SBOM production and consumption amongst respondents. Anecdotally, some industries at the forefront of SBOM development are already innovating these use cases. For instance, the healthcare sector—which acted as one of the testbeds for NTIA’s SBOM proof-of-concept studies¹⁴—use SBOM processes to highlight relationships with suppliers and OSS communities that merit increased support, as well as produce human-readable risk analysis information.¹⁵

The most common, general communications to policymakers about SBOMs are that they are ingredient lists most useful for assessing the scale and supporting the recall of tainted, defective components. This describes the minimum viable SBOM: a list of component software, only referred to upon the discovery of a defective part—and in the case of NTIA’s minimum viable SBOM, only one layer of dependencies is tracked.¹⁶

This paper is not a call to reinvent SBOM standards. Like so much of government cybersecurity policy, the extreme visibility of SBOMs is a reaction to crisis. Rather, it argues that use cases can and should shape the production and adoption of SBOM and the tools accompanying them. As mentioned earlier, some of this work is underway,¹⁷ but policy conversations can continue focusing on what SBOM data can enable and what tooling and production/adoption incentives will best drive development there at a sufficient pace. Policies can also help match the different methods of SBOM production to the most applicable usage. Use cases strengthen the SBOM value proposition with both code maintainers and consumers, as well as help overcome obdurate resistance from technology vendors with little desire to have their behavior “shaped.”¹⁸

Use cases

The policy challenge behind SBOMs is the question of adoption—compelling use-cases can motivate that while sensibly shaping the circumstances and specifics of regulation. Below are four foundational use cases for SBOMs, each with their respective audiences, outcomes, and positions in the product and incident lifecycles. This is by no means an exclusive list, but it represents diverse and important usage. Each asks for different levels of SBOM completeness, from a minimum-viable components list to a thorough accounting of support, funding, versioning, and deployment context that no current SBOM standard mandates.

Procurement—for reducing compliance burdens and preventing duplicative purchases.
Vulnerability Management and Threat Intelligence—for tracking compromised components and remediation planning.
Incident Response—for validating liability claims and guiding patch efforts.¹⁹
Ecosystem Mapping—for providing a bird’s-eye view of dependencies in an enterprise’s ecosystem and beyond.

Discussing the role for SBOMS in these cases and the larger impacts of their use, offers clarity for the government on how to incentivize and structure SBOM adoption and, for industry, on what tooling to focus development.

1. Guiding software procurement and adoption decisions

SBOMs can prove useful during the procurement process for any third-party software, beyond obvious security functions. Large organizations often make individual purchases rather than coordinating licensing centrally. So creating an inventory and consolidating duplicate purchases or capabilities for cost savings can make a chief financial officer’s (CFO) day. Licensing checks can also surface instances where entities adopt open-source software but cannot legally incorporate it into other products. These are quick wins because the acceptance or rejection of that software can be binary: if licensing prevents use or an existing contract covers a need, the procurement goes no further. Software asset registers and intellectual property scanners already strive to serve these functions, but, given the overlap in their data and that of SBOMs, there is room for tooling to support quick decisions making for all, as well as for the different data sources to support rather than supplant each other.

Binary decisions can form part of a standard procurement process in pre-negotiations with suppliers, but decisions involving judgment calls (such as the relative criticality of a known bug) tend to slow workflows and create angry calls from executives who want to know the reasons behind a derailed purchase. Again, deciding ahead of time which data points in an SBOM are deal-breakers will streamline the process of software procurement. Simple, written policies such as “never adopt or acquire software with components from X supplier”—which can refer to competitors, companies operating in sanctioned nations, entity-listed organizations, known risky projects, or anything else unambiguously identified—can work well here, especially with automation.

When it comes to adopting and integrating open-source software, many of these policies should already exist at most firms, but SBOM use with a standardized format can streamline validation. One must check on the status of a project referenced in an SBOM: how healthy, deep, and thorough its community support is, how much investment it enjoys, or, if tied to a proprietary offering, how dedicated to support the parent company is—none included in the SBOM per se, but retrievable from tools like OpenSSF Scorecard, SLSA levels, and more once upon identifying dependencies. Many CISOs already struggle with the need to collect supply-chain data at a granular level for risk management. While insufficient for high-security organizations, SBOMs are workable substitutes for medium or small enterprises that lack the in-house expertise to analyze all their software in depth, and their unaltered data can serve to inform and define procurement standards and policies alongside risk-management posture.

2. Adding smarts to vulnerability management and threat intelligence

One of the main use cases for SBOMs is identifying components affected by vulnerabilities. SBOMs provide visibility into software a level or two deeper than is common today, particularly provenance. They allow for better triage, cross-referencing dependencies, and remediation planning for identified vulnerabilities. SBOMs provide the roadmap through software relationships that enable this degree of dedicated care.

One constructive application of SBOMs in this context is improving the usefulness of vulnerability risk ratings to impacted organizations. One organization’s “critical” is not necessarily so for a different environment, use case, or business model. Application security professionals already know this, but wide adoption of SBOMs may change how they design a remediation strategy by clarifying what entity is ultimately responsible for fixing a vulnerability and how those outside an organization’s control might handle that request. Some dependencies may have quite capable maintainers that can be relied on while others might require significant external support. SBOM data highlighting dependencies can help teams identify what external parties they rely on for code support and adjust accordingly and ahead of incidents.

Developers may need to confirm whether a vulnerable component of a package is actually in use. If not, the organization can declare the risk “low” and simply note that policy will change if it incorporates that component in the future. There is a possible resource squeeze in the future for enterprises that need more application development and security staff to investigate the origins of disclosed vulnerabilities, determine remediation responsibilities, pass on notifications and updates to affected parties within the ecosystem, and sign off on version changes to internally generated SBOMs. SBOMs are part of enabling that level of decision-making, allowing better tracking of dependencies and changes to them to provide better insight into actual vulnerability exposure. Again, the data SBOMs provide are just part of the foundation on which to build these processes, complemented by other tools and data like GitBOM and Vulnerability Exploitability eXchange (VEX), highlight the importance of sharpened demand signals from SBOM consumers.

One of the main questions to ask with any SBOM is whether its source and contents are trustworthy. One useful method involves scanning the binary of the software to validate the accuracy of the SBOM—essentially checking that what is under the hood matches the parts list. Binary scanners are imperfect, and if the same scanners help generate an SBOM in the first place,²⁰ they may not produce reliable SBOMs for consumers using them in their own vulnerability scanning.²¹ SBOMs and scanning can help each other, mutually improving the accuracy of package component determination.

The overall risk rating of a software vulnerability informs the risk of a partial or phased remediation. Whether waiting for a third party to deliver a patch or allocating limited internal resources against dependencies that take longer to resolve and downstream requirements from partners, organizations will be able to monitor SBOM-sourced vulnerability data as part of their infrastructure risk-management practices (in conjunction with centralized data like VEX).²² This monitoring can also help threat intelligence analysts better understand organizational exposure. Better dependency knowledge from an SBOM can help clarify where dependencies might be under-resourced, frequently targeted by adversaries, or otherwise deserving of extra scrutiny and resourcing. The frequency of versioning changes can even provide insight into changes that support critical components. Even simply improving organizational visibility into the attack surface of its dependencies will help prioritize resourcing, direct remediation planning, and expand overall cybersecurity for an organization making full use of its SBOMs.

3. Incident response and building a better packing slip

While the above uses focus on using SBOMs for response planning prior to an incident, SBOMs also have utility right of “boom,” or after the fact. In many cases, initially, SBOMs can act as verification for incident reports and recommendations—a pointer to where things went wrong in a compromise. As corroborating evidence, a verified SBOM from an environment, system, or other package can help in the review of an incident and determine the impact on parallel systems or previous system versions. The core value within incident response and forensics is accurately comparing versions, changes, and their respective release times. An SBOM may provide some simple insight—after all, if an organization cannot confirm or deny whether a system was affected, does it have to declare a breach anyway? Having an SBOM that raises unanswerable questions is a business risk to examine with the leadership—business risks that otherwise might not have surfaced.

SBOMs can also aid in crisis communication among partners, affected organizations, and customers during and following an incident. Most product-security organizations already have a workflow to add SBOM information to, but they may require some additional information, such as a timeline matching SBOM versions to the systems under investigation. A challenge with this level of forensics is that organizations rarely have the right level of logging and sufficient log retention to be able to confirm authoritatively which versions of components were in use at the time of an incident. Suppliers may need to help customers determine whether an incident affected them, and sometimes that information may simply be unavailable.

One more use of SBOMs in incident response is to validate that an assertion about the contents listed by an SBOM were reasonably accurate at the time of release and that no known and unaddressed vulnerabilities existed. Organizations can reference attestations later if events or evidence indicate something different. While SBOMs are often compared to the ingredients list on a food-product label for software, another analogy could consider them a packing slip, describing what a supplier claimed was in a box at the time of its sealing. If a checksum to verify the absence of tampering fails, an SBOM can help guide responders to tracking down the discrepancies between shipped and delivered software.

4. A systemic view of software risk

In addition to using SBOMs between and within companies, SBOMs can also serve government agencies and other third parties in mapping dependency chains and concentration risk across the software ecosystem. Recent, widespread vulnerabilities, including log4shell, emphasize the degree to which single dependencies can underpin vast quantities of software. Without a systemic view into dependency patterns, government agencies and others will struggle immensely to assess risk across and within sectors. Given access to SBOMs from multiple sources, government could use that aggregated data to assemble a rough map of dependencies across slices of the digital ecosystem—a picture not just the dependencies of one application, but of many, and more importantly, where they overlap. While contemporary software composition analysis (SCA) can provide similar insight into widely-depended-on software,²³ running SCA tools across the far larger set of software considered here would likely prove far less feasible or replicable. To protect both intellectual property and the critical nodes such a map might highlight, government would need to take extra care in protecting this data, but it would prove useful in identifying under-secured or under-resourced dependencies ripe for proactive investment and support. Vulnerabilities in one company’s codebase or within a popular open-source repository can have global impact. Widespread ignorance about software dependencies hampers proactive support that might include security auditing, maintainer funding, development of alternate dependencies, or any other number of methods to reduce the risk of high-leverage dependency.

Governments and private-sector companies currently lack measures that describe the scale of use of different pieces of software. Metrics such as download counts, license purchases, or userbase size do not provide information about deployment or reliance, either upstream or downstream. A package with only a single user could still be critically important if all kinds of different software depend on it. However, without relationship mapping, the entire ecosystem remains blind to that package’s position as an essential link in the supply chain. SBOMs can reduce this problem by providing data, when aggregated from many sources, for an ecosystem-wide view of software dependencies to CISA and other entities, even if only for part of an enterprise. CISA is likely to be tasked with some of this work should the Securing Open Source Software Act of 2022 (S.4913), pass into law, or under III.B.2 of OMB M-22-18 on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.²⁴ ²⁵

As more workloads move into the cloud, understanding and assessing the risk present in those systems is vital. One important use of SBOMs for software-as-a-service (SaaS) consumers is encouraging greater transparency in vulnerability reporting and mitigation inside cloud services. Over time, this information will help support more precise decision-making about the security practices of different vendors. While some companies have made policy choices about what to reveal to customers and what to withhold,²⁶ SBOMs are useful tools for other companies to define their own policies, and for customers to push for what they (or regulators) find most comfortable. As part of this effort, good questions will need clear answers regarding how SBOMs can be most useful amidst widely varying configurations and associated products present in different SaaS deployments. Wider generation, use, and consumption provide incentives to determine and sharpen answers to these.

SBOMs can help, though differences between cloud and on-premises software create challenges. One is the speed at which the cloud changes. If SBOMs change minute-to-minute with cloud configurations, they might produce too much information and impede meaningful use by recipients. However, operating off out-of-date information is also risky. Additionally, cloud instances often utilize many different third-party services, so tracking the versioning of each service for each instance or configuration within an SBOM is difficult. Building SBOMs with this aggregate use case in mind will be important to managing this deluge of data, and a key to that is a clearer demand signal from consumers of cloud SBOMs, in and outside of the public sector, about how they aim to incorporate that data into their risk-management practices.

A standardized method for companies (and other entities) to inform each other of dependencies, used and combined at scale, would ease the task of assessing risk across sectors. For SBOMs to fulfill this role, the information contained within them must be consistently organized, filled, and updated, which might pose a challenge to organizational resources. Such data would be most useful when combined with assessments of the context surrounding any piece of software. Even so, SBOMs, as currently imagined, still provide a valuable piece of the puzzle not otherwise measurable. Better data on the arrangement of and relationships with the larger software ecosystem would allow CISA and other agencies to target resources more effectively toward shoring up mission-critical software.

Why define use cases at all?

Clearly defining the use cases will help guide and preserve the inertia of SBOM adoption and development, from shaping the automated tools for SBOM ingestion to pointing toward new product offerings and molding federal procurement policy. Only considering the challenges of SBOM generation while disregarding the other end of the pipe risks drowning purchasers, developers, and acquisition officers alike in a sea of useless spreadsheets and symbolic compliance certifications.

Though SBOMs and this paper’s considered uses of them are as important to proprietary software components as open-source ones, for the latter, they provide the beginnings of a more fundamental guidance, too. Unlike in traditional supply chains for physical goods or in the exchange of proprietary code, OSS dependence rarely sees an exchange of money or a contractual agreement.²⁷. Rather, there is simply a quick “pip install XX –user” and “import YY as ZZ,” often from the public repository. SBOM adoption can eventually change the nature of that informal incorporation, and policymakers still have a chance to sculpt, for better or for worse, the roles and responsibilities that will redefine the ecosystem.

A key policy challenge is determining exactly which entities are ultimately responsible for producing and publishing SBOMs. Suppliers to finished goods manufacturers, due to various global and national regulations, often must detail the source of their materials—whether from forced or child labor, farmed or created under sustainable practices, acquired legally, and so on. The answers have implications for marketing as well as compliance and legal departments. Someone in the chain of the software development lifecycle must be responsible for the creation of SBOMs, but the trust framework for the completeness and veracity of their claims has yet to be developed, and debate over who, precisely, is responsible for making them and what levers are appropriate for achieving compliance persists. Burdening open-source developers and maintainers with that task, though, is an overreach in the absence of ubiquitous tooling to generate SBOMs automatically.

At the regulatory level, all this is challenging, as countries take multiple approaches to what entity is responsible for providing compliance and conformance assurances. This also complicates how governments support the security of open-source software supply chains, as each may have a different goal or preferred method despite aligned motivations. In the United States, CISA wants to assist, even lead, efforts to help support the securing of critical open-source software. However, the culture of open-source communities, the history of their development, and the very tenets that make open source a vital font of innovation all buck against direct government regulation in such stewardship, especially given that open-source code, legally in the United States, is a form of free speech.²⁸Importantly, governments supporting the open-source ecosystem will not be able to rely on blanket requirements, and their assistance in identifying critical projects, supporting tooling development, and investing in developers and communities will provide more fruitful results.

SBOMs, sufficiently standardized and adopted, offer data that can serve critical policy challenges when combined with appropriate tooling and processes, allowing a better understanding of and investment in dependencies before incidents occur, as well as more complete vulnerability remediation fixes afterward. Applied and used correctly, SBOMs can make the ecosystem’s most capable actors responsible for its coherence. Incorrectly executed, burdensome requirements for SBOM generation could sterilize the open-source world’s thriving innovation.

So, what should you do about it?

SBOM generators have an outsized say in the use cases of SBOMs because they determine what each bill of materials contains. In developing tools for aggregation, analysis, and production of SBOMs, generators could do the following to speed adoption and provide a more complete, practical set of capabilities to SBOM consumers:

Develop tooling to convert from raw SBOM data to actionable information more intuitively. CISOs will not have the time or resourcing to parse through vast, rapidly changing informal tracking of dependency information, but automated checks with customizable, risk-tolerance leveling and other policies can make SBOMs a practical tool during acquisition and incorporation decision-making processes. Adding context, alongside SBOMs, that clearly declares what they do and do not contain and what purposes they serve can help here.
Develop tooling to provide more practical and varied information based on SBOM contents. Many of the use cases discussed above require a touch more detail than conveyed by current SBOM formats. This next layer of tooling, in tandem with products that coordinate SBOM consumption, will provide value both to their manufacturers and users.

The OMB and CISA have recently begun moving towards SBOM requirements at the federal level, likely in tandem with updates to government procurement processes and working with critical infrastructure sectors. They face a key challenge:

Provide better support for smaller enterprises that cannot easily adopt and produce SBOMs in a compliant manner. CISA might pursue this through added tooling and support in their small-to-medium business (SMB) programs and by tailoring any legal requirements to the unique needs and exposures of different sectors. These need not be new tools adding more complexity and variation to the SBOM landscape, but rather increased funding and guidance for SMBs to access tools normally available only to larger enterprises. Large IT vendors can also act as an intermediary in this provision by offering tooling and support for SMBs with government subsidies.

CISA could model practices to gather SBOM data beyond that used by a single enterprise. Wider collection of SBOM data is necessary for the envisioned aggregate use case. Although this process is more straightforward for open-source systems, there are valid concerns about SBOMs revealing proprietary information and providing attackers with the tools to identify vulnerable targets, particularly among software-as-a-service vendors, whose products are otherwise difficult to scrutinize. Industry could work with government to identify solutions to this information problem; doing so would increase the supply-chain insight SBOMs could provide. Aggregating and analyzing in-house collections of SBOMs first would be a good starting point and force government and industry to directly address the tradeoffs between identifying nodes of systemic risk to better secure them and pointing attackers to those nodes—some of which will be under-supported—through their identification.

SBOM users will need to provide the demand signals to producers that shape the future utility of software bills of materials. Often, users and consumers will be the same party, or at least departments within the same company, but they may also be small firms less focused on tech development, non-profits, or companies without the resources to do more than implement well-documented tooling. This responsibility is also a chance to extract significant value from SBOMs.

Accept the imperfect SBOM and iterate: If a complete SBOM must trace dependencies all the way down to another complete SBOM, they will rarely exist except for the simplest of components. Imperfect is not impractical. The processes that develop around SBOM use must not assume or depend on complete information. Industry and government could explicitly discuss how to navigate imperfect SBOMs and thresholds for acceptable inaccuracy while ensuring users can adopt and iterate on necessarily imperfect standards.
Innovate your use cases: Depending on the depth of information contained in or pointed to by an SBOM, consuming organizations might highlight the use of memory-unsafe languages, insecure calls, unmaintained libraries, or methods highlighted in Open Web Application Security Project (OWASP) and other “top of” lists to block these technologies from their environment. Risk managers can even develop tools converting detailed SBOMs into tolerable-risk metrics.
Build with ease for the user in mind: Part of strengthening the utility and longevity of SBOMs is enabling the use of this rich source of data in a wide range of possible ways. Tooling should reflect the expectation that many users are non-expert and/or lack considerable resources for IT administration and security, prioritizing simplicity and intelligibility over maximal functionality. Enterprise support for SBOM-tool users can help here too.

Conclusion

Businesses and developers hold mixed sentiments toward requiring SBOM production in regulations. Keen observers will find working groups with names like “SBOMs Everywhere” with employees from the very same companies funding letters (thinly veiled by trade associations), denouncing some efforts to promulgate SBOM requirements through policy.²⁹ Part of this fractured view of SBOMs reflects the early stages of SBOM maturity, and part, the variety of opinions and incentives within large organizations too often treated as monolithic entities. More importantly, it reflects a disconnect among available government levers, SBOM functionality, and industry incentives. Procurement requirements are one of government’s most effective levers for shaping cybersecurity practices, and industry insistence that government wait for trivial or even default compliance before regulation is circular—if SBOMs were standard practice already, there would be no need to specifically request them to begin with, and government requiring higher security standards from its vendors is far from aberrant. The mismatch between federal security needs and the state of SBOM adoption and maturity is a significant opportunity for industry to continue to deepen its partnership with government and other would-be SBOM users to keep up the pace on SBOM development while shaping the tools serving SBOMs and the challenges that they can address.

A key question persists: what do SBOM producers stand to gain, short of compliance, from their considerable toil? Many prior requirements of large suppliers and component suppliers—self-attestations or FedRAMP requirements, for example—might have necessitated great expenditure in return for relatively small benefits to individual entities. Without making a clear case for SBOM use and the resultant tools that provide return on investment, policymakers advancing SBOMs risk mortgaging their future as a marketing tool— another sticker slapped on the proverbial product denoting begrudging compliance with federal requirements. Successful policy supporting SBOMs must put them on a sustainable path, tying hard and fast requirements to clear benefits for the ecosystem and the entities within it. Part of this must translate to better articulating how SBOMs can be consumed and used toward a variety of ends and by a diversity of organizational types.

Lacking a clear, tangible value proposition, particularly to considerations like the bottom line, future contracts, operations, or other more immediately recognizable benefits will create friction between parties that desire to use SBOMs and those that will not willfully provide them, even while governments and other organizations push to have SBOMs a standard part of their procurements. It is worth noting that some of the best analogs to SBOMs share a similarly fraught origin. Nutrition labels, ingredient lists, and food-goods advertising regulations span a century-long tug-of-war between government, industry, and consumer.³⁰ The transition from prepared-from-scratch meals to off-the-shelf purchasing helped spur Food and Drug Administration (FDA) regulation, as consumers required better visibility into their purchases.³¹ Notably, some companies already use SBOMs or similar data internally, of their own accord, and presumably, for some of the benefits enumerated here—Google and Microsoft are easy enough examples to find public records of this.³² ³³

This paper aims to remove some of the friction against SBOM adoption and strengthen their long-term utility as a source of data for important risk management decisions, showing potential consumers clear benefits from using SBOMs, nudging producers and tool developers towards new offerings, and making clear to policymakers the importance of decisions they are already considering. SBOMs, initially marketed in cybersecurity as a solution to the fact that one cannot secure dependencies one does not know about, can enable so much more along the way. It is time they were sold as such.

About the authors:

Amélie Koran is a nonresident senior fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and the current director of external technology partnerships for Electronic Arts, Inc. Koran has a wide and varied background of nearly thirty years of professional experience in technology and leadership in the public and private sectors.

Wendy Nather is a nonresident senior fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and leads the Advisory CISO team at Cisco.

Stewart Scott is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). He works on the Initiative’s systems security portfolio, which focuses on software supply chain risk management and open source software security policy.

Sara Ann Bracket is a research assistant at the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). She focuses her work on open-source software security, software bills of material, and software supply-chain risk management and is currently an undergraduate at Duke University.

Acknowledgments:

The authors of this paper would like to thank external reviewers John Speed Meyers, Aeva Black, William Bartholomew, and Allan Friedman, who all took significant time to provide input during its development, as well as Donald Partyka and Anais Gonzalez for designing the final document and others who contributed invaluable feedback along the way.

1 “Open Source Software (OSS) Secure Supply Chain (SSC) Framework” (2022; repr., GitHub: Microsoft, August 4, 2022), https://github.com/microsoft/oss-ssc-framework/blob/165ba893f2080e75bc69acaa6ea3fc8550315738/specification/Open_Source_Software_(OSS)_Secure_Supply_Chain_(SSC)_Framework.pdf.

2 Incidents, rather than attacks, as several also included valid use cases and functionality leading to cascading failures or vulnerabilities—all important to recognize.

3 Adrian Bridgwater, “Linux Foundation Eases Open Source Licensing Woes,” Computer Weekly, August 19, 2011, https://web.archive.org/web/20210820144000/https:/www.computerweekly.com/blog/Open-Source-Insider/Linux-Foundation-eases-open-source-licensing-woes.

4 The Linux Foundation, “The Linux Foundation’s SPDX^TM Workgroup Releases New Version of Software Package Data Exchange^TM Standard – Linux Foundation,” August 30, 2012, https://www.linuxfoundation.org/press/press-release/the-linux-foundations-spdx-workgroup-releases-new-version-of-software-package-data-exchange-standard-2.

5 In practice, many real SBOM-generation processes are more complex—build processes might resolve placeholder dependencies, with only the end result reflected in an SBOM, for example.

6 National Telecommunications and Information Administration (NTIA), “The Minimum Elements For a Software Bill of Materials (SBOM)” (Washington, DC: United States Department of Commerce, July 12, 2021), https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom.

7 Exec. Order. No. 14028 on Improving the Nation’s Cybersecurity, Federal Register, 86 FR 26633 (May 12, 2021), https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity.

8 Timothy B. Lee, “The Heartbleed Bug, Explained,” Vox, May 14, 2015, https://www.vox.com/2014/6/19/18076318/heartbleed.

9 Larry Zelvin, “Reaction on ‘Heartbleed’: Working Together to Mitigate Cybersecurity Vulnerabilities | Homeland Security,” Department of Homeland Security, April 11, 2014 [Updated September 20, 2018], https://www.dhs.gov/blog/2014/04/11/reaction-%E2%80%9Cheartbleed%E2%80%9D-working-together-mitigate-cybersecurity-vulnerabilities-0.

10 Cisco Security, “Cisco Security Advisory: OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products,” Cisco, April 9, 2014, http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed.

11 NTIA, “The Minimum Elements For a Software Bill of Materials (SBOM).”

12 The Cybersecurity Coalition, “Comments on NTIA’s Request for Information (RFI) on ‘Software Bill of Materials Elements and Considerations,’” June 17, 2021, https://assets.website-files.com/60cd84aeadd2475c6229482f/60ec9f0a15e85933daa3b5ca_Coalition%20SBOM%20Response-Final%206-17-21.pdf.

13 Stephen Hendrick, “The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness” (The Linux Foundation | Research, January 2022), https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/LF%20Research/State%20of%20Software%20Bill%20of%20Materials%20-%20Report.pdf. The survey does well acknowledging and striving to address the above-mentioned sources of possible bias explicitly, too.

14 National Telecommunications and Information Administration, “Healthcare SBOM Proof of Concept” (NTIA, April 29, 2021), https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_healthcare_update-2021-04-29.pdf.

15 Sourced from conversations with New York Presbyterian.

16 NTIA, “The Minimum Elements For a Software Bill of Materials (SBOM),” 12.

17 Velichka Atanasova, “Let’s Get SBOM Ready – Open Source Blog,” VMWare, April 14, 2022, https://blogs.vmware.com/opensource/2022/04/14/sbom-ready/.

18 Alliance for Digital Innovation et al., “Cautionary Notes on Codifying Use of SBOMs,” September 14, 2022, https://fcw.com/media/multi_association_letter_on_sbom_final_9.14.2022.pdf.

19 To differentiate vulnerability management and incident response, consider the former tracking vulnerabilities, relevant threat intelligence around dependencies, preemptive response planning, and determining whether a vulnerability impacts an enterprise. The latter comes into play after that determination—guiding patch efforts, outreach to third-party maintainers, mitigation, and tailoring general remediation plans to specific incidents.

20 One of several ways to generate an SBOM.

21 Ariadne Conill, “Not All SBOMs Are Created Equal,” Chainguard, April 22, 2022, https://www.chainguard.dev/unchained/not-all-sboms-are-created-equal.

22 National Telecommunications and Information Administration (NTIA), “Vulnerability-Exploitability eXchange (VEX) – An Overview,” September 27, 2021, https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf.

23 Frank Nagle et al., “Census II of Free and Open Source Software — Application Libraries” (Linux Foundation Research; OpenSSF; Laboratory for Innovation Sciences at Harvard: Harvard Laboratory for Innovation Science (LISH) and Open Source Security Foundation (OpenSSF), March 2, 2022), https://lish.harvard.edu/publications/census-ii-free-and-open-source-software-%E2%80%94-application-libraries.

24 “Securing Open Source Software Act of 2022,” S.4913, 117th Cong. (2022), https://www.congress.gov/bill/117th-congress/senate-bill/4913.

25 Shalanda Young, United States, Office of Management and Budget, OMB Memo to the Heads of Executive Departments and Agencies, M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” September 14, 2022, https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf.

26 Kevin Beaumont [@GossiTheDog], “For Anybody Who Doesn’t Know, August 2022’s Windows Patches Included Fixes for NSA and GCHQ Reported Cryptographic Bugs. but MS Didn’t Tell You and Didn’t Issue a CVE.,” Tweet, Twitter, October 12, 2022, https://twitter.com/GossiTheDog/status/1580244775638212608.

27 Iliana Etaoin, “There Is No ‘Software Supply Chain,’” iliana.fyi, September 19, 2022, https://iliana.fyi/blog/software-supply-chain/

28 Alison Dame-Boyle, “EFF at 25: Remembering the Case That Established Code as Speech,” Electronic Frontier Foundation, April 16, 2015, https://www.eff.org/deeplinks/2015/04/remembering-case-established-code-speech.

29 Alliance for Digital Innovation et al., “Cautionary Notes on Codifying Use of SBOMs,” September 14, 2022.

30 Institute of Medicine (US) Committee on Examination of Front-of-Package Nutrition Rating Systems and Symbols, “Front-of-Package Nutrition Rating Systems and Symbols: Phase I Report,” in History of Nutrition Labeling, ed. Ellen A. Wartella, Alice H. Lichtenstein, and Caitlin S. Boon (Washington, DC: National Academies Press (US), 2010), https://www.ncbi.nlm.nih.gov/books/NBK209859/.

31 Department of Nutritional Sciences, University of Texas at Austin, “Factual Food Labels: A Closer Look at the History,” April 6, 2018, https://he.utexas.edu/ntr-news-list/food-labels-history.

32 Jessica Lyons Hardcastle, “Google SLSA, Linux Foundation Drops SBOM for Supply Chain Security Boost,” SDxCentral, June 18, 2021, https://www.sdxcentral.com/articles/news/google-slsa-linux-foundation-drops-sbom-for-supply-chain-security-boost/2021/06/.

33 Simon Bisson, “How Microsoft Will Publish Info to Comply with Executive Order on Software Bill of Materials,” TechRepublic, May 6, 2022, https://www.techrepublic.com/article/microsoft-publish-info-comply-executive-order-software-bill-materials/.

The post The cases for using the SBOMs we build appeared first on Atlantic Council.

GRU 26165: The Russian cyber unit that hacks targets on-site

Justin Sherman — Fri, 18 Nov 2022 13:44:53 +0000

Russian hackers are not always breaching targets from afar, typing on their keyboards in Moscow bunkers or St. Petersburg apartment buildings. For some Russian government hackers, foreign travel is part of the game. They pack up their equipment, get on international flights, and covertly move around abroad to hack into computer systems.

Enter GRU Unit 26165 (of the military intelligence agency Glavnoye Razvedyvatelnoye Upravlenie), a military cyber unit with hackers operating remotely and on-site. Despite the security risks on-site cyber operations pose to governments and international organizations, and the questions they raise about how the West should track and combat Russian state hacking, Russia’s activities in this realm are not receiving sufficient policy attention.

GRU Unit 26165, the 85th Main Special Communications Center

In March 2018, after the GRU tried to murder former Russian intelligence officer Sergei Skripal and his daughter Yulia in Salisbury, England using a Novichok nerve agent, the Kremlin came under international fire. British intelligence officials blamed the GRU, where Skripal used to work (and later became a British informant); the multinational Organization for the Prohibition of Chemical Weapons (OPCW), which enforces the Chemical Weapons Convention, launched an investigation; and in June of the same year, OPCW countries voted to let the body attribute chemical weapons attacks to particular actors. (A year later, the OPCW would formally ban Novichok nerve agents.) Additional journalistic investigations into the perpetrators, meanwhile, continued to point to the GRU’s involvement.

Although the OPCW’s investigation was not made public for months, the Russian government decided to move quickly against the organization, turning to a tactical cyber unit to do so.

OPCW Headquarters

On April 10, 2018, four Russian nationals landed at Amsterdam Schiphol Airport in the Netherlands. With diplomatic passports in hand, they were met by a member of the Russian embassy in The Hague. After loading a car with technical equipment—including a wireless network panel antenna to intercept traffic—the four individuals scouted the OPCW’s headquarters in The Hague for days, taking photos and circling the building before being intercepted by the Dutch General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst or AIVD) and sent back to Moscow. Seemingly, the plan had been for the operatives to hack into the OPCW’s systems to disrupt investigations into the attempted GRU chemical weapon attack.

The Netherlands made all of this public on October 4, 2018, with Dutch intelligence identifying the four operators by name—Aleksei Sergeyevich Morenets and Evgenii Mikhaylovich Serebriakov were described as “cyber operators” and Oleg Mikhaylovich Sotnikov and Alexey Valerevich Minin were described as “HUMINT (human intelligence) support.” The AIVD linked all of these individuals to Russia’s GRU. A Department of Justice (DOJ) indictment issued on the same day went a step further, linking the hackers—Morenets and Serebriakov—to GRU Unit 26165.

Unit 26165, otherwise known as Fancy Bear, was already known for breaking into systems from afar, including the Democratic National Committee in 2016 and World Athletics (previously the International Amateur Athletic Federation) in 2017. Yet, the revelations around the attempted OPCW hack made clear that Unit 26165 does much more. The full DOJ indictment, subsequently published by the National Security Archive at The George Washington University, alleged that Morenets “was a member of a Unit 26165 team that traveled with technical equipment to locations around the world to conduct on-site hacking operations to target and maintain persistent access to WiFi networks used by victim organizations and personnel.” Serebriakov also belonged to such a team. While Unit 26165 often conducts remote hacks from Russia, the indictment stated that “if the remote hack was unsuccessful or if it did not provide the conspirators with sufficient access to victims’ networks,” Unit 26165 would carry out “‘on-site’ or ‘close access’ hacking operations.”

The OPCW incident was not the first time these particular hackers went abroad to conduct operations. According to the DOJ, Morenets traveled to Rio de Janeiro, Brazil, and Lausanne, Switzerland, in 2016 to breach the into WiFi networks used by people with access to the US Anti-Doping Agency, the World Anti-Doping Agency, and the Canadian Center for Ethics in Sport. Serebriakov, the indictment stated, also participated in these on-site hacking operations. Both individuals allegedly planned to target the Spiez Laboratory in Switzerland after the OPCW hack. The indictment alleged that Ivan Sergeyevich Yermakov, also part of GRU Unit 26165, provided remote reconnaissance support for his colleagues’ on-site hacking operation against the OPCW.

Additionally, it is speculated that these on-site hackers were supported by another GRU unit, which is where the other two Russians caught in the Netherlands by the AIVD enter the picture. Sotnikov and Minin were described generically by the Dutch as HUMINT support for the two hackers, and as “Russian military intelligence officers” by the DOJ’s full indictment. Neither of these government documents mentions a specific GRU unit associated with Sotnikov or Minin.

Published in tandem with the October 4, 2018 state disclosures was a new Bellingcat investigation linking Morenets’ Russian car to the Unit 26165 building in Russia. It also linked Minin’s car registration to the GRU “Conservatory.” The Conservatory—formally numbered GRU Unit 22177—is the Russian Defense Ministry’s Military Academy and a training site for the GRU, located in Moscow near GRU headquarters and other GRU training facilities. Due to Minin’s connection to 22177 and the Dutch and US governments’ vague references to Sotnikov and Minin as “HUMINT support” and “Russian military intelligence officers” separate from Unit 26165, numerous articles have speculated that operatives from another GRU unit were tasked to support the mission in The Hague.

Stepping back, assessing the picture

Policymakers should use this information as a case study for how Russian government hackers—and, theoretically, state hackers from other adversary countries—move around the world to break into systems. The use of on-site cyber operations abroad seems unique to this GRU team, with many possible motivations at play. It is unclear how high up the oversight chain these on-site operations go. What is clear, though, is that Western governments cannot restrict their hunt for Russian hackers to the digital sphere; they must also remember how Russian hacking fits into broader Russian intelligence activities, including overseas.

There are several takeaways and implications that result from this information. The on-site, overseas cyber operations of GRU Unit 26165 appears to stand out from other Russian government cyber units. Of course, cyber capabilities are a part of intelligence operations more broadly, and many human operations around the world leverage cyber reconnaissance on an ongoing basis. Nonetheless, when the United Kingdom (UK) released its own statement on Russian government cyber activity in October 2018, it clearly differentiated between the activities of Unit 26165 in the Netherlands, Brazil, and Switzerland and those of Unit 74455 (Sandworm), which it stressed “were carried out remotely—by GRU teams based within Russia.” The DOJ indictment appears to suggest, although this is not totally clear, that hackers going abroad are part of at least one specific sub-team within the broader cyber unit. Further, the DOJ indictment lists numerous examples of on-site hacks or hack attempts, but publicly available information has not exposed the same kind of on-site operations by Russia’s Foreign intelligence Service, the SVR.

The motivations behind the on-site operations of Unit 26165 are also a key question. Based on publicly available information, its proclivity for “close access” operations leans toward disrupting high-profile investigations into potentially embarrassing Russian government activity. The first set of reported hacks targeted international investigations into allegations of Russian doping at the Olympics; the second set of hacks targeted the international investigation into the attempted murder of the Skripals with chemical weapons. It is possible, therefore, that protecting the Kremlin’s image is a high priority. Simultaneously, the DOJ indictment stated that Unit 26165 carries out on-site operations when remote operations are unsuccessful, suggesting a more functional, effects-oriented motive for sending hackers overseas.

However, there is another possibility: The GRU may simply be using on-site operations when it needs to draw attention away from its own failures. The botched attempt to murder Sergei and Yulia Skripal was carried out by GRU Unit 29155, a Russian military intelligence and assassination team with close relationships to the Signal Scientific Center federal research facility and the Ministry of Defense’s State Institute for Experimental Military Medicine in St. Petersburg, entities suspected of managing Russia’s Novichok program. GRU operatives are well-known for their high-risk appetites and sometimes overt violence, even relative to other Russian intelligence organs like the Federal Security Service (FSB), Russia’s domestic security agency. (That said, the FSB is a violent organization, too, carrying out repressive tactics in Russia and, in 2019, assassinating a Georgian asylum seeker in Berlin.)

This tendency is playing out in cyberspace already, given that GRU teams are behind the NotPetya malware attack, shutdowns of Ukrainian power grids, and other more destructive, publicly visible operations. Such cyber activities, in line with broader intelligence cultures, stand in contrast to agencies like the SVR, which appears to place a premium on covertness, both online and offline. Wanting to frantically undermine an investigation into its own failed operation, it is not out of the question that the GRU sent Unit 26165 operatives overseas. That Unit 26165 hackers Morenets and Serebriakov may have had support from other parts of the GRU (HUMINT operators Sotbikov and Minin) in the OPCW plot suggests possible broader intra-agency coordination. But again, it is easy—and sometimes misguided—to assume there is more coordination within the Russian security services than actually occurs.

All of this raises a final and more interesting question always at play in the Russian cyber ecosystem: How far up the chain does oversight of on-site hacks go?

Issue Brief

Sep 19, 2022

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

By Justin Sherman

This issue brief analyzes the range of Russian government’s involvement with different actors in the large, complex, and often opaque cyber web, as well as the risks and benefits the Kremlin perceives or gets from leveraging actors in this group. The issue brief concludes with three takeaways and actions for policymakers in the United States, as well as in allied and partner countries.

Cybersecurity Russia

Cyber and information operations with high political sensitivity, which Moscow conceptualizes more cohesively than in the West, are more likely to be supervised by the Kremlin. The US intelligence community assessed, for example, that the influence actions targeting the 2016 US election were “approved at the highest levels of the Russian government,” and a similar conclusion was reached vis-à-vis President Vladimir Putin and Russia’s election interference in 2020. This may also be true for more traditional intelligence operations. When the UK finished its investigation into the murder of former Russian spy Alexander Litvinenko, who was killed on British soil with the radioactive material Polonium-210, it concluded that Putin and Russian Security Council head Nikolai Patrushev “probably” approved the killing.

The GRU’s botched murder attempt on the Skripals garnered significant international attention. At the time, Russian officials were already criticizing the OPCW’s investigations into the Assad regime’s use of chemical weapons in Syria—called an attempt “to make the OPCW draw hasty but at the same time far-reaching conclusions” by Russia’s deputy foreign minister. When the investigation into the Skripal poisonings began, senior officials like Russian Foreign Minister Sergei Lavrov falsely claimed that a lab used by the OPCW picked up traces of a nerve agent possessed by NATO countries but not Russia. Putin, meanwhile, has always held particular contempt for people he perceives as betraying the Russian nation, once saying that “traitors always meet a bad end,” suggesting a kind of personal anger directed at individuals like Sergei Skripal who became agents for the West. The Olympic doping investigations, too, proved an embarrassment for Moscow.

In this vein, it is quite possible that higher-level Kremlin officials may direct the GRU to act against investigations like OPCW’s, prompting the GRU to deploy Unit 26165 hackers to the Netherlands. It is also plausible that the activities of Unit 26165 merely reflect broader intelligence collection priorities, spying on those trying to “hurt” Russia, such as investigators looking into Russian athlete doping. Since there are few publicly known cases of Unit 26165 conducting “close access” operations, perhaps these are not representative samples, with the GRU carrying out these activities on its own after all.

Regardless, the GRU is clearly sending hackers overseas to carry out operations. Going forward, Western intelligence and law enforcement personnel, as well as multinational organizations, would be wise to pay attention.

The post GRU 26165: The Russian cyber unit that hacks targets on-site appeared first on Atlantic Council.

The 5×5—The rise of cyber surveillance and the Access-as-a-Service industry

Simon Handler — Wed, 16 Nov 2022 05:01:00 +0000

Approximately one year ago, on November 3, 2021, the US Commerce Department added four companies, including Israel-based NSO Group, to its Entity List for supporting cyber surveillance and access-as-a-service activities, “that are contrary to the national security or foreign policy interests of the United States.” Foreign governments used NSO Group’s products, notably its Pegasus spyware, to target individuals, such as journalists and activists, and suppress dissent. Just one month later, reporting indicated that Apple tipped off the US Embassy in Uganda that an undisclosed foreign government had targeted the iPhones of eleven embassy employees.

A New York Times report published on November 12 reveals how close the United States was to using Pegasus for its own investigative purposes. The FBI, which previously acknowledged having acquired a Pegasus license for research and development, contemplated use of the tool in late 2020 and early 2021 and developed guidelines for how federal prosecutors would disclose its use in criminal proceedings. The FBI ultimately decided not to buy from NSO, amid the many stories of abuse of the tool by foreign governments, but the revelation underscores the double-edged nature of cyber surveillance technologies designed to support law enforcement and intelligence missions.

There are dozens of firms in the Access-as-a-Service industry developing and proliferating a powerful class of surveillance technologies. We brought together a group of experts to discuss the rise of cyber surveillance and the impact of this industry on the United States and its allies.

#1 What implications can foreign governments’ domestic cyber surveillance programs have on US national security?

Siena Anstis, senior legal advisor, Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto:

“The proliferation of spyware presents a national security risk to the United States. These technologies facilitate not only the targeting of human rights defenders and civil society, but also provide an across-the-board opportunity to undertake acts of espionage through their ability to exploit vulnerabilities in popular applications and operating systems that impact everyone. This was well-illustrated by the targeting of US diplomats in 2021 with NSO Group’s Pegasus spyware. No one is safe from being targeted with this highly intrusive, silent, and increasingly hard to detect technology. This risk extends to the US government.”

Winnona DeSombre, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council:

“We live in an increasingly interconnected world when it comes to data and surveillance. From an individual perspective, US citizens who work on national security regularly interface with relatives and friends abroad who may be surveilled. US military service members use Tiktok, an app whose data flows back to China. Domestic surveillance in another country does not just touch that country’s citizens, but it also touches any US national who interfaces with that country’s people and corporations.”

Lars Gjesvik, doctoral research fellow, Norwegian Institute of International Affairs:

“Way back in ancient 2013, the US intelligence community warned that private companies were developing tools that aided foreign states in targeting US systems. Clearly, this has been of some concern for a decade and has some implications for national security. There is no doubt that such commercially available tools have done great harm when it comes to human rights and targeting civil society, and you have some reported cases like Project Raven where commercial tools start to become a national security problem as well.”

Kirsten Hazelrig, policy lead, The MITRE Corporation:

“There are absolutely direct threats to US interests from the use of cyber surveillance abroad—any newspaper will relay confirmed reports of US officials being targeted abroad by tools such as Pegasus. However, this is simply a new tool for an age-old game of espionage. Perhaps more insidious is how tools and programs can be abused to enable the spread of authoritarianism, degrade human rights, and erode democratic values. I am not sure if anyone fully understands the implications to national security if these capabilities are allowed to spread unchecked.”

Ole Willers, postdoctoral researcher, Department of Organisation, Copenhagen Business School:

“Within the context of cyber surveillance programs, the distinction between domestic and foreign operations is not always as clearcut. Domestic campaigns oftentimes target individuals located in other jurisdictions, including the United States. The targeting of Canadian-based activist Omar Abdulaziz by Saudi Arabian surveillance operations is a prominent example.”

#2 Where do cyber capabilities fit into the spectrum of surveillance technologies?

Anstis: “Spyware technology provides governments with the ability to undertake highly intrusive surveillance. Sophisticated versions of this technology provide complete entry into targeted devices, including the contents of encrypted communication apps, camera, microphone, documents stored on the phone, and more. This impacts not only targeted individuals, but also exposes those who communicate with these people such as friends, family, and colleagues. Governments have a variety of surveillance technologies at their disposal, and spyware is undoubtedly one of the most stealthy and intrusive tools on the market that makes it difficult, if not impossible, for journalists, human rights defenders, activists, and other members of civil society critical of the government to do their work.”

DeSombre: “Cyber capabilities that feed into offensive cyber operations are usually far more tailored than surveillance technology writ large, especially compared to dragnet surveillance technologies. The little bit of overlap occurs when governments want to surveil targets who they believe are of higher value or harder to get to, in which case authoritarian governments will break out the more expensive capabilities like zero-days or purchase expensive spyware licenses like those offered by NSO and Candiru.”

Gjesvik: “The term ‘surveillance technologies’ is quite broad, and it depends greatly on how you define it. But if you think about the capabilities and services provided to intelligence, law enforcement, or military agencies, then it is a question of how sophisticated they are and their scope. The most sophisticated cyber capabilities offered by the top-tier companies probably equal the capabilities of most intelligence agencies, and there is no real difference functionally in them being used domestically or against strategic adversaries.”

Hazelrig: “Surveillance technologies are broad sets of tools that enable a human actor to achieve an objective, be it to improve traffic, indict a criminal, track terrorist movements, stalk a partner, or steal a competitor’s data. Cyber capabilities can range as widely as these objectives and their targets. They may range from low-end spyware to extremely sophisticated technology, and are almost always paired with additional tools and tradecraft that make them impossible to evaluate devoid of operational context.”

Willers: “If we define cyber capabilities in terms of the various activities oriented towards gaining stealth access to digital information, their importance for surveillance operations can hardly be overstated. Whereas traditional surveillance technologies continue to play a role, cyber capabilities offer forms of access that are much more comprehensive. Access to a smartphone is fundamentally different from the traditional wiretap and allows for the real-time surveillance of location patterns, communications, web searches, financial transactions, and more.”

#3 What is the Access-as-a-Service industry and what kind of relationship should the United States and its allies have with it?

Anstis: “The Access-as-a-Service industry describes companies that provide services to different actors—often states—to access data or systems. In the past few years, we have seen an acceleration in human rights abuses associated with this industry and a growing formalization of the sector with private investors and states increasingly interested in the growth of these companies. Considering the litany of human rights abuses that follows the growing availability of the technologies and services offered by this industry, the United States and other states have an obligation to regulate and limit the availability of these technologies and the industry’s business practices.”

DeSombre: “The Access-as-a-Service industry makes offensive cyber operations incredibly simple to pull off—aggregating disparate capabilities that take years of investment to make (zero-days, malware, training, infrastructure, processes) into a single solution that a government can purchase off the shelf and use easily. It is not necessarily a bad industry—the United States and its allies also rely on privatized talent to conduct cyber operations. However, the United States and its allies must be proactive about shaping responsible behavior within the industry to ensure these services are not purchased en masse by authoritarian regimes and adversaries.”

Gjesvik: “Simply put, it is an industry that sells access to digital data and systems. A wide swathe of technologies and services fits into this definition. Considering what relationship Western states should have with it should start with acknowledging that most states rely on private contractors and capabilities to some extent. There are clear problems of democratic oversight and misuse, but having their intelligence agencies and law enforcement lose access to digital evidence and data is probably not something governments would accept, and smaller states would struggle to develop the capabilities themselves. It is hard to decide on a relationship with a surveillance industry without deciding on the role of surveillance in modern societies, and I do not think we have done that.”

Hazelrig: “Access-as-a-Service, or the related but more colorfully named “hacker-for-hire” industry, are loose terms for the criminal actors that sell the information, capabilities, and services necessary to conduct cyber intrusions. These actors sell their wares with little regard as to impact and intent, enabling ransomware and other attacks.”

Willers: “The Access-as-a-Service industry is a niche market that sells data access to state agencies, and it has repeatedly been singled out for facilitating the proliferation of offensive cyber capabilities to authoritarian states. The United States and its allies face a dilemma in that they rely on the Access-as-a-Service industry to provide domestic law enforcement and intelligence agencies with cutting edge technology. Simultaneously, they have a strong incentive to limit the availability of these technologies to other customers. Balancing these interests has proven extremely difficult, which is why I see a need to limit our dependency on the private sector within this context.”

A primer on the proliferation of offensive cyber capabilities

Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets

China’s surveillance ecosystem and the global spread of its tools

#4 In what ways does government surveillance compare and contrast with corporate surveillance?

Anstis: “Government surveillance is similar to corporate surveillance in that both exploit the fact that we increasingly live our lives on internet-connected devices. The data we generate in our daily interactions, which is then collected by companies and governments, can be used for a variety of purposes that target and exploit us—from the crafting of targeted advertising to location tracking to the mapping of a human right activist’s network. However, government surveillance differs in at least one important respect: governments have the power to not only surveil, but also to detain, torture, kidnap, or otherwise enact acts of violence against an individual. Spyware technologies facilitate the government’s ability to engage in these activities.”

DeSombre: “The podcast I help run just made an episode on this! Effectively, corporate surveillance and government surveillance have two separate goals: corporations collect your data to sell (usually to advertisers who then target you with personalized advertisements), while the government collects data for law enforcement or national security purposes. US government surveillance has hard rules it must follow for collecting on US citizens, although some of this is circumvented by buying corporate data. US and EU companies are now getting increasingly constrained by data privacy laws as well. But these types of regulations on both companies and governments differ vastly from country to country.”

Gjesvik: “When you think about who conducts the surveillance, the big difference would be the extent to which government surveillance is supposedly in the end about protecting its citizens while corporate surveillance is mainly about the interests of the corporation. If it is about who actually does the surveillance then the distinction between governments and private actors can be pretty blurry, as can the level of capabilities.”

Hazelrig: “The technical aspects of government and commercial surveillance are similar, and often share tools and techniques. However, the practices around their use are widely different. For a large part, democratic states limit surveillance through public opinion and law. There is admittedly misuse and abuse, but an intent and organizational structure to ‘do good.’ This is not necessarily true of commercial capabilities that may be sold without understanding of or care about intended use. As the opaque commercial market evolves, we are just beginning to understand the full spectrum of uses and impacts. Democratic states need to develop norms for law enforcement and other acceptable uses of cyber intrusion and surveillance capabilities, and to enforce actions against those that violate these norms and the industry that supplies them.”

Willers: “Both can be problematic considering that privacy is a fundamental human right in the European Union. Access to personal information has become a key asset across many industries, but the gathering of this information is a purely private and for-profit undertaking, however problematic it may be. State surveillance derives from a desire to provide public safety, which can be a good thing as long as it remains proportional and rooted in democratic norms—conditions that cannot be taken for granted.”

#5 How has the Access-as-a-Service industry evolved over the past two decades and where do you see it going from here?

Anstis: “The Access-as-a-Service industry has become increasingly formalized in the past two decades, with growing interest from investors and states in terms of funding the industry, as well as accessing the services and technologies offered. I see the next few years as a critical turning point in the industry’s development. Countless human rights abuses have brought increased awareness that the services and technologies offered by the Access-as-a-Service industry have serious human rights ramifications—as well as national security concerns—that need to be addressed. With ongoing investigations in the European Parliament, the United States, and elsewhere into companies that participate in this industry, I hope that we will see more specific steps aimed at curbing and controlling it.”

DeSombre: “Like every part of the cybersecurity ecosystem since the early 2000s, the Access-as-a-Service industry has grown, professionalized, and turned towards mobile, embedded, and other non-desktop systems. Your laptop is not the only place with interesting data!”

Gjesvik: “This is a pretty opaque industry, and there is not a ton of structured encompassing data available that I am aware of, but there are some broad trends. The first is globalization, a quite substantive expansion of tools and technologies available, and a lot more money to be made as well. Going forward, I am probably most interested in the extent to which the industry is controllable by any state actor. Will recent efforts by the United States and the European Union succeed in limiting the worst excesses? Or will it just accelerate the diversification of suppliers?”

Hazelrig: “So long as there have been criminal hackers, there have been ways for those with the right connections to procure intrusion services. However, about a decade ago, we started to see the emergence of professional firms that sold these services commercially, primarily to governments around the globe. The past couple of years has brought casual proliferation and a booming ‘consumer’ market—shady companies advertise euphemistically-phrased services on mainstream platforms such as LinkedIn, and many online criminal marketplaces have whole sections of specialty products and services from which to choose.”

Willers: “The origins of the Access-as-a-Service industry can be traced back to a combination of privatization dynamics in the telecommunication sector during the 1990s, the rise of digital communication systems, and the political focus on surveillance in the aftermath of the September 11 terrorist attacks. Since then, the industry has developed at the speed of technology, and there is good reason to doubt that the United States remains in a position to control it. Limiting access to technology is difficult, especially when it is as mobile as spyware technology. This is why I doubt that the United States or any other country alone can control the operations of the market.”

2. Overview of Hamas’s strategy

The post The 5×5—The rise of cyber surveillance and the Access-as-a-Service industry appeared first on Atlantic Council.

The cyber strategy and operations of Hamas: Green flags and green hats

Simon Handler — Mon, 07 Nov 2022 05:01:00 +0000

Executive summary

“Pwn” goal

1. Introduction

3. Hamas’s cyber strategy

4. Where do Hamas’s cyber operations go from here?

5. Conclusion

About the author

DOWNLOAD PDF

Executive summary

Cyberspace as a domain of conflict often creates an asymmetric advantage for comparably less capable or under-resourced actors to compete against relatively stronger counterparts.¹ As such, a panoply of non-state actors is increasingly acquiring capabilities and integrating offensive cyber operations into their toolkits to further their strategic aims. From financially driven criminal ransomware groups to politically inspired patriot hacking collectives, non-state actors have a wide range of motivations for turning to offensive cyber capabilities. A number of these non-state actors have histories rooted almost entirely in armed kinetic violence, from professional military contractors to drug cartels, and the United States and its allies are still grappling with how to deal with them in the cyber context.² Militant and terrorist organizations have their own specific motivations for acquiring offensive cyber capabilities, and their operations therefore warrant close examination by the United States and its allies to develop effective countermeasures.

While most academic scholarship and government strategies on counterterrorism are beginning to recognize and address the integral role of some forms of online activity, such as digital media and propaganda on behalf of terrorist organizations, insufficient attention has been given to the offensive cyber capabilities of these actors. Moreover, US strategy,³ public intelligence assessments, and academic literature on global cyber threats to the United States overwhelmingly focuses on the “big four” nation-state adversaries—China, Russia, Iran, and North Korea. Before more recent efforts to address the surge in financially driven criminal ransomware operations, the United States and its allies deployed policy countermeasures overwhelmingly designed for use against state actors.

To the extent that US counterterrorism strategy addresses the offensive cyber threat from terrorist organizations, it is focused on defending critical infrastructure against the physical consequences of a cyberattack. Hamas, despite being a well-studied militant and terrorist organization, is expanding its offensive cyber and information capabilities, a fact that is largely overlooked by counterterrorism and cyber analysts alike. Overshadowed by the specter of a catastrophic cyberattack from other entities, the real and ongoing cyber threats posed by Hamas prioritize espionage and information operations.

This report seeks to highlight Hamas as an emerging and capable cyber actor, first by explaining Hamas’s overall strategy, a critical facet for understanding the group’s use of cyber operations. Next, an analysis will show how Hamas’s cyber activities do not indicate a sudden shift in strategy but, rather, a realignment that augments operations. In other words, offensive cyber operations are a new way for Hamas to do old things better. Finally, the policy community is urged to think differently about how it approaches similar non-state groups that may leverage the cyber domain in the future. This report can be used as a case study for understanding the development and implementation of cyber tools by non-state entities.

As the title of this report suggests, Hamas is like a green hat hacker—a term that is not specific to the group but recognized in the information security community as someone who is relatively new to the hacking world, lacking sophistication but fully committed to making an impact and keen to learn along the way.⁴ Hamas has demonstrated steady improvement in its cyber capabilities and operations over time, especially in its espionage operations against internal and external targets. At the same time, the organization’s improvisation, deployment of relatively unsophisticated tools, and efforts to influence audiences are all hallmarks of terrorist strategies. This behavior is in some ways similar to the Russian concept of “information confrontation,” featuring a blend of technical, information, and psychological operations aimed at wielding influence over the information environment.⁵

Understanding these dynamics, as well as how cyber operations fit into the overall strategy, is key to the US development of effective countermeasures against terrorist organizations’ offensive cyber operations.

“Pwn” goal

In the summer of 2018, as teams competed in the International Federation of Association Football (FIFA) World Cup in Russia, Israeli soldiers followed the excitement on their smartphones from an Israel Defense Forces (IDF) base thousands of miles away. Like others in Israel, the soldiers were using a new Android application called Golden Cup, available for free from the Google Play store. The program was promoted in the lead up to the tournament as “the fastest app for live scores and fixtures for the World Cup.”⁶ The easy-to-use application delivered as advertised—and more.

Once installed, the application communicated with its command-and-control server to surreptitiously download malicious payloads onto user devices. The payloads infected the target devices with spyware, a variety of malware that discreetly monitors the target’s device and steals its information, usually for harmful use against the target individual.⁷ In this particular case, the spyware was intentionally deployed after the application was downloaded from the Google Play store in order to bypass Google’s security screening process.⁸ This allowed the spyware operator to remotely execute code on user smartphones to track locations, access cameras and microphones, download images, monitor calls, and exfiltrate files.

Golden Cup users, which included Israeli civilians and soldiers alike, did not realize that their devices were infected with spyware. As soldiers went about their daily routines on bases, the spyware operators reaped reams of data from the compromised smartphones. In just a few weeks of discreet collection, before discovery by IDF security, the adversary successfully collected non-public information about various IDF bases, offices, and military hardware, such as tanks and armored vehicles.⁹

The same adversary targeted Israeli soldiers with several other malicious Android applications throughout the summer of 2018. A fitness application that tracks user running routes collected the phone numbers of soldiers jogging in a particularly sensitive geographic location. After collecting these numbers, the adversary targeted the soldiers with requests to download a second application that then installed spyware. Additional targeting of Israeli soldiers that same summer included social engineering campaigns encouraging targets to download various spyware-laced dating applications with names like Wink Chat and Glance Love, prompting the IDF to launch the aptly named Operation Broken Heart in response.¹⁰

Surprisingly, this cyber espionage campaign was not the work of a nation-state actor. Although the clever tradecraft exhibited in each operation featured many of the hallmarks of a foreign intelligence service, neither Israel’s geopolitical nemesis Iran nor China,¹¹ an increasingly active Middle East regional player, was involved.¹² Instead, the campaign was the work of Hamas.

1. Introduction

The asymmetric advantage afforded by cyberspace is leading a panoply of non-state actors to acquire and use offensive cyber capabilities to compete against relatively stronger counterparts. The cyber threat from criminal ransomware organizations has been well documented, yet a range of other non-state actors traditionally involved in armed kinetic violence, from professional military contractors to drug cartels, is also trying their hand at offensive cyber operations, and the United States and its allies are still grappling with how to respond. Each actor has a discreet motivation for dabbling in cyber activities, and lumping them all into one bucket of non-state actors can complicate efforts to study and address their actions. The operations of militant and terrorist organizations in particular warrant close examination by the United States and its allies in order to develop effective countermeasures.

A robust online presence is essential for modern terrorist organizations. They rely on the internet to recruit members, fund operations, indoctrinate target audiences, and garner attention on a global scale—all key functions for maintaining organizational relevance and for surviving.¹³ The 2022 Annual Threat Assessment from the US Intelligence Community suggests that terrorist groups will continue to leverage digital media and internet platforms to inspire attacks that threaten the United States and US interests abroad.¹⁴ Recent academic scholarship on counterterrorism concurs, acknowledging the centrality of the internet to various organizations, ranging from domestic right-wing extremists to international jihadists, and their efforts to radicalize, organize, and communicate.

The US government has taken major steps in recent years to counter terrorist organizations in and through cyberspace. The declassification of documents on Joint Task Force Ares and Operation Glowing Symphony, which began in 2016, sheds light on complex US Cyber Command efforts to combat the Islamic State in cyberspace, specifically targeting the group’s social media and propaganda efforts and leveraging cyber operations to support broader kinetic operations on the battlefield.¹⁵ The latest US National Strategy for Counterterrorism, published in 2018, stresses the need to impede terrorist organizations from leveraging the internet to inspire and enable attacks.¹⁶

Indeed, continued efforts to counter the evolving social media and propaganda tools of terrorist organizations will be critical, but this will not comprehensively address the digital threat posed by these groups. Counterterrorism scholarship and government strategies have paid scant attention to the offensive cyber capabilities and operations of terrorist organizations, tools that are related but distinct from other forms of online influence. Activities of this variety do not necessarily cause catastrophic physical harm, but their capacity to influence public perception and, potentially, the course of political events should be cause for concern.

Several well-discussed, politically significant non-state actors with histories rooted almost entirely in kinetic violence are developing, or otherwise acquiring, offensive cyber capabilities to further their interests. More scrutiny of these actors, their motivations, and how they strategically deploy offensive cyber capabilities in conjunction with evolving propaganda and kinetic efforts is warranted to better orient toward the threat.

Hamas, a Palestinian political party and militant terrorist organization that serves as the de facto governing body of the Gaza Strip, is one such actor. The group’s burgeoning cyber capabilities, alongside its propaganda tactics, pose a threat to Israel, the Palestinian Authority, and US interests in the region—especially in tandem with the group’s capacities to fund, organize, inspire, and execute kinetic attacks. This combination of capabilities has historically been the dominion of more powerful state actors. However, the integration of offensive cyber capabilities into the arsenals of traditionally kinetic non-state actors, including militant organizations, is on the rise due to partnerships with state guarantors and the general proliferation of these competencies worldwide.

This report seeks to highlight the offensive cyber and information capabilities and behavior of Hamas. First, a broad overview of Hamas’s overall strategy is provided, an understanding of which is key for evaluating its cyber activities. Second, this report analyzes the types of offensive cyber operations in which Hamas engages, showing that the adoption of cyber capabilities does not indicate a sudden shift in strategy but, rather, a realignment of strategy and an augmentation of operations. In other words, offensive cyber operations are a new way to do old things better. Third, this report aims to push the policy community to think differently about its approach to similar non-state groups that may leverage the cyber domain in the future.

2. Overview of Hamas’s strategy

Principles and philosophy

Founded in the late 1980s, Harakat al-Muqawamah al-Islamiyyah, translated as the Islamic Resistance Movement and better known as Hamas, is a Palestinian religious political party and militant organization. After Israel disengaged from the Gaza Strip in 2005, Hamas used its 2006 Palestinian legislative election victory to take over militarily from rival political party Fatah in 2007. The group has served as the de facto ruler of Gaza ever since, effectively dividing the Palestinian Territories into two entities, with the West Bank governed by the Hamas-rejected and Fatah-controlled Palestinian Authority.¹⁷

Hamas’s overarching objectives are largely premised on its founding principles—terminating what it views as the illegitimate State of Israel and establishing Islamic, Palestinian rule.¹⁸ The group’s grand strategy comprises two general areas of focus: resisting Israel and gaining political clout with the Palestinian people. These objectives are interconnected and mutually reinforcing, as Hamas’s public resistance to Israel feeds Palestinian perceptions of the group as the leader of the Palestinian cause.¹⁹

Map of Israel and the Palestinian Territories.
Source: Nations Online Project

Despite Hamas’s maximalist public position on Israel, the organization’s leaders are rational actors who logically understand the longevity and power of the State of Israel. Where the group can make meaningful inroads is in Palestinian politics, trying to win public support from the more secular, ruling Fatah party and positioning itself to lead a future Palestinian state. Looming uncertainty about the future of an already weak Palestinian Authority, led by the aging President Mahmoud Abbas, coupled with popular demand for elections, presents a potential opportunity for Hamas to fill a leadership vacuum.²⁰

To further these objectives, Hamas attracts attention by frequently generating and capitalizing on instability. The group inflames already tumultuous situations to foster an environment of extremism, working against those who are willing to cooperate in the earnest pursuit of a peaceful solution to the Israel–Palestine conflict. Hamas uses terror tactics to influence public perception and to steer political outcomes, but still must exercise strategic restraint to avoid retaliation that could be militarily and politically damaging. Given these self-imposed restraints, Hamas seeks alternative methods of influence that are less likely to result in blowback.

Terrorism strategy

Hamas’s terror tactics have included suicide bombings,²¹ indiscriminate rocket fire,²² sniper attacks,²³ incendiary balloon launches,²⁴ knifings,²⁵ and civilian kidnappings,²⁶ all in support of its larger information strategy to project a strong image and to steer political outcomes. Through these activities, Hamas aims to undermine Israel and the Palestinian Authority²⁷ and challenge the Palestine Liberation Organization’s (PLO)²⁸ standing as the “sole representative of the Palestinian people.”

Terrorism forms the foundation of Hamas’s approach, and the organization’s leadership openly promotes such activities.²⁹ While the group’s terror tactics have evolved over time, they have consistently been employed against civilian targets to provoke fear, generate publicity, and achieve political objectives. Israeli communities targeted by terrorism, as well as Palestinians in Gaza living under Hamas rule, suffer from considerable physical and psychological stress,³⁰ driving Israeli policymakers to carry out military operations, often continuing a vicious cycle that feeds into Hamas’s information campaign.

These terrorist tactics follow a coercive logic that aligns with Hamas’s greater messaging objectives. Robert Pape’s “The Strategic Logic of Suicide Terrorism” specifically names Hamas as an organization with a track record of perpetrating strategically timed suicide terrorist attacks for coercive political effect.³¹ In 1995, for example, Hamas conducted a flurry of suicide attacks, killing dozens of civilians in an attempt to pressure the Israeli government to withdraw from certain locations in the West Bank. Once negotiations were underway between Israel and the PLO, Hamas temporarily suspended the attacks, only to resume them against Israeli targets when diplomatic progress appeared to stall. Israel would eventually partially withdraw from several West Bank cities later that year.³²

Similarly, just several months before Israel’s 1996 general election, incumbent Labor Party Prime Minister Shimon Peres led the polls by roughly 20 percent in his reelection bid against Benjamin Netanyahu and the Likud Party. However, a spate of Hamas suicide bombings cut Peres’s lead and Netanyahu emerged victorious.³³ The attacks were designed to weaken the reelection bid of Peres, widely viewed as the candidate most likely to advance the peace process, and strengthen the candidacy of Netanyahu. Deliberate terror campaigns such as these demonstrate the power Hamas wields over Israeli politics.³⁴

The Israeli security establishment has learned lessons from the phenomenon of suicide terrorism, implementing countermeasures to foil attacks. Since the mid-2000s, Hamas has shifted its focus to firing rockets of various ranges and precision from the Gaza Strip at civilian population centers in Israel.³⁵ The rocket attacks became frequent after Israel’s disengagement from Gaza in 2005, ebbing and flowing in alignment with significant political events.³⁶ For instance, the organization targeted towns in southern Israel with sustained rocket fire in the lead up to the country’s general election in 2009 to discourage Israelis from voting for pro-peace candidates.³⁷

A rocket fired from the Gaza Strip into Israel, 2008.
Source: Flickr/paffairs_sanfrancisco

Strategic restraint

Each of these terror tactics has the powerful potential to generate publicity with Israelis, Palestinians, and audiences elsewhere. However, unrestrained terrorism comes at a cost, something Hamas understands. Hamas must weigh its desire to carry out attacks with the concomitant risks, including an unfavorable international perception, military retaliation, infrastructure damage, and internal economic and political pressures.

Hamas addresses this in a number of ways. First, it limits its operations, almost exclusively, to Israel and the Palestinian Territories. Hamas has learned from the failures of other Palestinian terrorist organizations, whose operations beyond Israel’s borders were often counterproductive, attracting legitimate international criticism of these groups.³⁸ Such operations also run the risk of alienating critical Hamas benefactors like Qatar and Turkey.³⁹ These states, which maintain important relationships with the United States—not to mention burgeoning ties with Israel—could pressure Hamas to course correct, if not outright withdraw their support for the organization.⁴⁰ The continued flow of billions of dollars in funding from benefactors like Qatar is critical, not just to Hamas’s capacity to conduct terror attacks and wage war,⁴¹ but also to its efforts to reconstruct infrastructure and provide social services in the Gaza Strip, both key factors for building its political legitimacy among Palestinians.⁴²

Second, with each terrorist attack, Hamas must weigh the potential for a forceful Israeli military response. The cycle of terrorism and retaliation periodically escalates into full-scale wars that feature Israeli air strikes and ground invasions of Gaza. These periodic operations are known in the Israeli security establishment as “mowing the grass,” a component of Israel’s strategy to keep Hamas’s arsenal of rockets, small arms, and infrastructure, including its elaborate underground tunnel network, from growing out of control like weeds in an unkempt lawn.⁴³ Hamas’s restraint has been apparent since May 2021, when Israel conducted Operation Guardian of the Walls, a roughly two-week campaign of mostly airstrikes and artillery fire aimed at slashing the group’s rocket arsenal and production capabilities, crippling its tunnels, and eliminating many of its top commanders. Hamas is thought to be recovering and restocking since the ceasefire, carefully avoiding engaging in provocations that could ignite another confrontation before the group is ready.

Third, and critically, since mid-2021, the last year-plus of the Israel–Hamas conflict has been one of the quietest in decades due to the Israeli Bennett–Lapid government’s implementation of a sizable civil and economic program for Gaza.⁴⁴ The program expands the number of permits for Palestinians from Gaza to work in Israel, where the daily wages of one worker are enough to support an additional ten Palestinians.⁴⁵ Israel’s Defense Ministry signed off on a plan to gradually increase work permit quotas for Palestinians from Gaza to an unprecedented 20,000, with reports suggesting plans to eventually increase that number to 30,000.⁴⁶ For an impoverished territory with an unemployment rate of around 50 percent, permits to work in Israel improve the lives of Palestinians and stabilize the economy. The program also introduced economic incentives for Hamas to keep the peace—conducting attacks could result in snap restrictions on permits and border crossing closures, leading to a public backlash, as well as internal political blowback within the group. The power of this economic tool was evident throughout Israel’s Operation Breaking Dawn in August 2022, during which Israel conducted a three-day operation to eliminate key military assets and personnel of the Palestinian Islamic Jihad (PIJ), another Gaza-based terrorist organization. Israel was careful to communicate its intention to target PIJ, not Hamas. Ordinarily a ready-and-willing belligerent in such flare-ups, Hamas did nothing to restrain the PIJ but remained conspicuously on the sidelines, refraining from fighting out of its interest in resuming border crossings as quickly as possible.⁴⁷

Searching for alternatives

Given these limitations, blowbacks, and self-imposed restraints, Hamas is finding alternative methods of influence. Under the leadership of its Gaza chief Yahya Sinwar, Hamas is endeavoring to inspire Arab Israelis and West Bank Palestinians to continue the struggle by taking up arms and sparking an intifada while the group nurses itself back to strength.⁴⁸ To further this effort, Hamas is turning to more insidious means of operating in the information space to garner support and ignite conflagrations without further jeopardizing its public reputation, weapons stockpiles, infrastructure, or the economic well-being of the Palestinians living under its control. Like many state actors working to advance strategic ambitions, Hamas has turned to offensive cyber operations as a means of competing below the threshold of armed conflict.

Deploying offensive cyber capabilities involves exceptionally low risks and costs for operators. For groups like Hamas that are worried about potential retaliation, these operations present an effective alternative to kinetic operations that would otherwise provoke an immediate response. Most national cyber operation countermeasures are geared toward state adversaries and, in general, finding an appropriate response to non-state actors in this area has been challenging. Many state attempts to retaliate and deter have been toothless, resulting in little alteration of the adversary’s calculations.⁴⁹

3. Hamas’s cyber strategy

The nature of the cyber domain allows weak actors, like Hamas, to engage and inflict far more damage on powerful actors, like Israel, than would otherwise be possible in conventional conflict.⁵⁰ This asymmetry means that cyberspace offers intrinsically covert opportunities to store, transfer, and deploy consequential capabilities with far less need for organizational resources and financial or human capacity than in industrial warfare. Well-suited to support information campaigns, cyber capabilities are useful for influencing an audience without drawing the attention and repercussions of more conspicuous operations, like terrorism. In these ways, cyber operations fit into Hamas’s overall strategy and emphasis on building public perception and influence. Making sense of this strategy allows a greater understanding of past Hamas cyber operations, and how the group will likely operate in the cyber domain going forward.

More than meets the eye

Aerial imagery of a Hamas cyber operations facility destroyed by the Israel Defense Forces in the Gaza Strip in May 2019.
Source: Israel Defense Forces

Hamas’s cyber capabilities, while relatively nascent and lacking the sophisticated tools of other hacking groups, should not be underestimated. It comes as a surprise to many security experts that Hamas—chronically plagued by electricity shortages in the Gaza Strip, with an average of just ten to twelve hours of electricity per day—even possesses cyber capabilities.⁵¹ Israel’s control over the telecommunications frequencies and infrastructure of the Gaza Strip raises further doubts about how Hamas could operate a cyber program.⁵² However, in 2019, Israel deemed the offensive cyber threat to be critical enough that after thwarting an operation, the IDF carried out a strike to destroy Hamas’s cyber headquarters,⁵³ one of the first acknowledged kinetic operations by a military in response to a cyber operation. However, despite an IDF spokesperson’s claim that “Hamas no longer has cyber capabilities after our strike,” public reporting has highlighted various Hamas cyber operations in the ensuing months and years.⁵⁴

This dismissive attitude toward Hamas’s cyber threat also overlooks the group’s operations from outside the confines of the Gaza Strip. Turkish President Recep Tayyip Erdoğan and his AKP Party share ideological sympathies with Hamas and have extended citizenship to Hamas leadership.⁵⁵ The group’s leaders have allegedly used Turkey as a base for planning attacks and even as a safe haven for an overseas cyber facility.⁵⁶ Hamas maintains even more robust relationships with other state supporters, namely Iran and Qatar, which provide financing, safe havens, and weapons technology.⁵⁷ With the assistance of state benefactors, Hamas will continue to develop offensive cyber and information capabilities that, if overlooked, could result in geopolitical consequences.

For at least a decade, Hamas has engaged in cyber operations against Israeli and Palestinian targets. These operations can be divided in two broad operational categories that align with Hamas’s overall strategy: espionage and information. The first category, cyber espionage operations, accounts for the majority of Hamas’s publicly reported cyber activity and underpins the group’s information operations.

Espionage operations

Like any state or non-state actor, Hamas relies on quality intelligence to provide its leadership and commanders with decision-making advantages in the political and military arenas. The theft of valuable secrets from Israel, rival Palestinian factions, and individuals within its own ranks provides Hamas with strategic and operational leverage, and is thus prioritized in its cyber operations.

The Internal Security Force (ISF) is Hamas’s primary intelligence organization, comprised of members of the al-Majd security force from within the larger Izz al-Din al-Qassam Brigades, a military wing of Hamas. The ISF’s responsibilities range from espionage to quashing political opposition and dissent from within the party and its security apparatus.⁵⁸ The range of the ISF’s missions manifests through Hamas’s cyber operations.

Tactical evolution

Naturally, Israel is a primary target of Hamas’s cyber espionage. These operations have become commonplace over the last several years, gradually evolving from broad, blunt tactics into more tailored, sophisticated approaches. The group’s initial tactics focused on a “spray and pray” approach, distributing impersonal emails with malicious attachments to a large number of targets, hoping that a subset would bite. For example, an operation that began in mid-2013 and was discovered in February 2015 entailed Hamas operators luring targets with the promise of pornographic videos that were really malware apps. The operators relied on their victims—which included targets across the government, military, academic, transportation, and infrastructure sectors—withholding information about the incidents from their workplace information technology departments, out of shame for clicking on pornography at work, thereby maximizing access and time on the target.⁵⁹

Later, Hamas operations implemented various tactical updates to increase their chances of success. In September 2015, the group began including links rather than attachments, non-pornographic lures such as automobile accident videos, and additional encryption of the exfiltrated data.⁶⁰ Another campaign, publicized in February 2017, involved a more personalized approach using social engineering techniques to target IDF personnel with malware from fake Facebook accounts.⁶¹ In subsequent years, the group began rolling out a variety of smartphone applications and marketing websites to surreptitiously install mobile remote access trojans on target devices. In 2018, the group implanted spyware on smartphones by masquerading as Red Alert, a rocket siren application for Israelis.⁶² Similarly in 2020, Hamas targeted Israelis through dating apps with names like Catch&See and GrixyApp.⁶³ As previously mentioned, Hamas also cloaked its spyware in a seemingly benign World Cup application that allowed the group to collect information on a variety of IDF military installations and hardware, including armored vehicles. These are all areas Hamas commanders have demonstrated interest in learning more about in order to gain a potential advantage in a future kinetic conflict.⁶⁴

According to the Israeli threat intelligence firm Cybereason, more recent discoveries indicate a “new level of sophistication” in Hamas’s operations.⁶⁵ In April 2022, a cyber espionage campaign targeting individuals from the Israeli military, law enforcement, and emergency services used previously undocumented malware featuring enhanced stealth mechanisms. This indicates that Hamas is taking more steps to protect operational security than ever.⁶⁶ The infection vector for this particular campaign was through social engineering on platforms like Facebook, a hallmark of many Hamas espionage operations, to dupe targets into downloading trojanized applications. Once the malware is downloaded, Hamas operators can access a wide range of information from the device’s documents, camera, and microphone, acquiring immense data on the target’s whereabouts, interactions, and more. Information collected off of military, law enforcement, and emergency services personnel can be useful on its own or for its potential extortion value.

As part of its power struggle with the Palestinian Authority and rival Fatah party, Hamas targets Palestinian political and security officials with similar operations. In another creative cyber espionage operation targeting the Palestinian Authority, Hamas operators used hidden malware to exfiltrate information from the widely used cloud platform Dropbox.⁶⁷ The same operation targeted political and government officials in Egypt,⁶⁸ an actor Hamas is keen to surveil given its shared border with the Gaza Strip and role brokering ceasefires and other negotiations between Israel and Hamas.

Other common targets of Hamas’s cyber espionage campaigns are members of its own organization. One of the ISF’s roles is counterintelligence, a supremely important field to an organization that is rife with internecine political rivalries,⁶⁹ as well as paranoia about the watchful eyes of Israeli and other intelligence services. According to Western intelligence sources, one of the main missions of Hamas’s cyber facility in Turkey is deploying counterintelligence against Hamas dissenters and spies.⁷⁰ Hamas is sensitive to the possibility of Palestinians within its ranks and others acting as “collaborators” with Israel, and the group occasionally summarily executes individuals on the suspicion of serving as Israeli intelligence informants.⁷¹

Information operations

While the bulk of Hamas’s cyber operations place a premium on information gathering, a subset involves using this information to further its efforts to influence the public. This broadly defined category of information operations comprises everything from hack-and-leaks to defacements to social media campaigns that advance beneficial narratives.

Hack-and-leak operations, when hackers acquire secret or otherwise sensitive information and subsequently make it public, are clear attempts to shift public opinion and “simulate scandal.”⁷² The strategic dissemination of stolen documents, images, and videos—potentially manipulated—at critical junctures can be a windfall for a group like Hamas. In December 2014, Hamas claimed credit for hacking the IDF’s classified network and posting multiple videos taken earlier in the year of Israel’s Operation Protective Edge in the Gaza Strip.⁷³ The clips, which were superimposed with Arabic captions by Hamas,⁷⁴ depicted sensitive details about the IDF’s operation, including two separate instances of Israeli forces engaging terrorists infiltrating Israel—one group infiltrating by sea en route to Kibbutz Zikim and one group via a tunnel under the border into Kibbutz Ein HaShlosha—to engage in kidnappings. One of the raids resulted in a fight that lasted for roughly six hours and the death of two Israelis.⁷⁵ By leaking the footage, including images of the dead Israelis, Hamas sought to project itself as a strong leader to Palestinians and to instill fear among Israelis, boasting about its ability to infiltrate Israel, kill Israelis, and return to Gaza. These operations are intended to demonstrate Hamas’s strength on two levels: first, their ability to hack and steal valuable material from Israel and second, their boldness in carrying out attacks to further the Palestinian national cause.

Defacement is another tool in Hamas’s cyber arsenal. This sort of operation, a form of online vandalism that usually involves breaching a website to post propaganda, is not so much devastating as it is a nuisance.⁷⁶ The operations are intended to embarrass the targets, albeit temporarily, and generate a psychological effect on an audience. In 2012, during Israel’s Operation Cast Lead in the Gaza Strip, Hamas claimed responsibility for attacks on Israeli websites, including the IDF’s Homefront Command, asserting that the cyber operations were “an integral part of the war against Israel.”⁷⁷ Since then, Hamas has demonstrated its ability to reach potentially wider audiences through defacement operations. Notably, in July 2014 during Operation Protective Edge, Hamas gained access to the satellite broadcast of Israel’s Channel 10 television station for a few minutes, broadcasting images purportedly depicting Palestinians injured by Israeli airstrikes in the Gaza Strip. The Hamas hackers also displayed a threat in Hebrew text: “If your government does not agree to our terms, then prepare yourself for an extended stay in shelters.”⁷⁸

Hamas has conducted defacement operations itself and has relied on an army of “patriotic hackers.” Patriotic hacking, cyberattacks against a perceived adversary performed by individuals on behalf of a nation, is not unique to the Israeli–Palestinian conflict. States have turned to sympathetic citizens around the world for support, often directing individual hackers to deface adversaries’ websites, as Ukraine did after Russia’s 2022 invasion.⁷⁹ Similarly, Hamas seeks to inspire hackers from around the Middle East to “resist” Israel, resulting in the defacement of websites belonging to the Tel Aviv Stock Exchange and Israel’s national airline El Al by Arab hackers.⁸⁰

In tandem with its embrace of patriotic hackers, Hamas seeks to multiply its propaganda efforts by enlisting the help of Palestinians on the street for less technical operations. To some extent, Hamas uses social media in similar ways to other terrorist organizations to inspire violence, urging Palestinians to attack Jews in Israel and the West Bank, for instance.⁸¹ However, the group goes a step further, encouraging Palestinians in Gaza to contribute to its efforts by providing guidelines for social media posting. The instructions, provided by Hamas’s Interior Ministry, detail how Palestinians should post about the conflict and discuss it with outsiders, including preferred terminology and practices such as, “Anyone killed or martyred is to be called a civilian from Gaza or Palestine, before we talk about his status in jihad or his military rank. Don’t forget to always add ‘innocent civilian’ or ‘innocent citizen’ in your description of those killed in Israeli attacks on Gaza.” Other instructions include, “Avoid publishing pictures of rockets fired into Israel from [Gaza] city centers. This [would] provide a pretext for attacking residential areas in the Gaza Strip.”⁸² Information campaigns like these extend beyond follower indoctrination and leave a tangible mark on international public discourse, as well as structure the course of conflict with Israel.

Hamas’s ability to leverage the cyber domain to shape the information landscape can have serious implications on geopolitics. Given the age and unpopularity of Palestinian President Mahmoud Abbas—polling shows that 80 percent of Palestinians want him to resign—as well as the fragile state of the Palestinian Authority,⁸³ the Palestinian public’s desire for elections, and general uncertainty about the future, Hamas’s information operations can have a particularly potent effect on a discourse that is already contentious. The same can be said, to some extent, for the information environment in Israel, where political instability has resulted in five elections in just three and a half years.⁸⁴ When executed strategically, information operations can play an influencing, if not deciding, role in electoral outcomes, as demonstrated by Russia’s interference in the 2016 US presidential election.⁸⁵ A well-timed hack-and-leak operation, like Russia’s breach of the Democratic National Committee’s networks and dissemination of its emails, could majorly influence the momentum of political events in both Israel and Palestine.⁸⁶ Continued failure to reach a two-state solution in the Israeli–Palestinian conflict will jeopardize Israel’s diplomatic relationships,⁸⁷ as well as stability in the wider Middle East.⁸⁸

4. Where do Hamas’s cyber operations go from here?

As outlined in its founding charter, as long as Hamas exists, it will place a premium on influencing audiences—friendly, adversarial, and undecided—and mobilizing them to bend political outcomes toward its ultimate objectives.⁸⁹ Terrorism has been a central element of the group’s influence agenda, but cyber and information operations offer alternative and complementary options for engagement. It stands to reason that as Hamas’s cyber capabilities steadily evolve and improve, those of similar organizations will do the same.

Further Israeli efforts to curb terrorism through a cocktail of economic programs and advancements in defensive technologies, such as its integrated air defense system, raise questions about how Hamas and similar groups’ incentive structures may change their calculi in light of evolving state countermeasures. There is no Iron Dome in cyberspace. Militant and terrorist organizations are not changing their strategies of integrating cyber and information operations into their repertoires. Instead, they are finding new means of achieving old goals. Important questions for future research include:

If states like Iran transfer increasingly advanced kinetic weaponry to terrorist organizations like Hamas, PIJ, Hezbollah, Kata’ib Hezbollah, and the Houthis, to what extent does this assistance extend to offensive cyber capabilities? What will this support look like in the future, and will these groups depend on state support to sustain their cyber operations?

What lessons is Hamas drawing from the past year of relative calm with Israel that may influence the cadence and variety of its cyber operations? How might these lessons influence similar organizations around the world?

What sorts of operations, such as financially motivated ransomware and cybercrime, has Hamas not engaged in? Will Hamas and comparable organizations learn from and adopt operations that are similar to other variously motivated non-state actors?

What restrictions and incentives can the United States and its allies implement to curb the transfer of cyber capabilities to terrorist organizations?

Cyber capabilities are advancing rapidly worldwide and more advanced technologies are increasingly accessible, enabling relatively weak actors to compete with strong actors like never before. Few controls exist to effectively counter this proliferation of offensive cyber capabilities, and the technical and financial barriers for organizations like Hamas to compete in this domain remain low.⁹⁰ Either by obtaining and deploying highly impactful tools, or by developing relationships with hacking groups in third-party countries to carry out operations, the threat from Hamas’s cyber and information capabilities will grow.

Just like the group’s rocket terror program, which began with crude, short-range, and inaccurate Qassam rockets that the group cobbled together from scratch, Hamas’s cyber program began with rather unsophisticated tools. Over the years, as the group obtained increasingly sophisticated, accurate, and long-range rockets from external benefactors like Iran, so too have Hamas’s cyber capabilities advanced in scale and sophistication.

Conclusion

Remarking on Hamas’s creative cyber campaigns, a lieutenant colonel in the IDF’s Cyber Directorate noted, “I’m not going to say they are not powerful or weak. They are interesting.”⁹¹ Observers should not view Hamas’s foray into cyber operations as an indication of a sudden organizational strategic shift. For its entire existence, the group has used terrorism as a means of garnering public attention and affecting the information environment, seizing strategic opportunities to influence the course of political events. As outside pressures change the group’s incentives to engage in provocative kinetic operations, cyber capabilities present alternative options for Hamas to advance its strategy. Hamas’s cyber capabilities will continue to advance, and the group will likely continue to leverage these tools in ways that will wield maximum influence over the information environment. Understanding how Hamas’s strategy and incentive structure guides its decision to leverage offensive cyber operations can provide insights, on a wider scale, about how non-state actors develop and implement cyber tools, and how the United States and its allies may be better able to counter these trends.

About the author

Fellow

Simon Handler

Nonresident Fellow

Cyber Statecraft Initiative Digital Forensic Research Lab

Cybersecurity Middle East

Acknowledgements

The author would like to thank several individuals, without whose support this report would not look the same. First and foremost, thank you to Trey Herr and Emma Schroeder, director and associate director of the Atlantic Council’s Cyber Statecraft Initiative, respectively, for helping from the start of this effort by participating in collaborative brainstorming sessions and providing extensive editorial feedback throughout. The author also owes a debt of gratitude to several individuals for generously offering their time to review various iterations of this document. Thanks to Ambassador Daniel Shapiro, Shanie Reichman, Yulia Shalomov, Stewart Scott, Madison Cullinan, and additional individuals who shall remain anonymous for valuable insights and feedback throughout the development of this report. Additionally, thank you to Valerie Bilgri for editing and Donald Partyka and Anais Gonzalez for designing the final document.

1 Michael Schmitt, “Normative Voids and Asymmetry in Cyberspace,” Just Security, December 29, 2014, https://www.justsecurity.org/18685/normative-voids-asymmetry-cyberspace/.

2 Emma Schroeder et al., Hackers, Hoodies, and Helmets: Technology and the Changing Face of Russian Private Military Contractors, Atlantic Council, July 25, 2022, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/technology-change-and-the-changing-face-of-russian-private-military-contractors; Cecile Schilis-Gallego and Nina Lakhani, “It’s a Free For All: How Hi-Tech Spyware Ends Up in the Hands of Mexico’s Cartels,” Guardian (UK), December 7, 2020, https://www.theguardian.com/world/2020/dec/07/mexico-cartels-drugs-spying-corruption.

3 The White House, National Security Strategy, October 2022, https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf.; Emma Schroeder, Stewart Scott, and Trey Herr, Victory Reimagined: Toward a More Cohesive US Cyber Strategy, Atlantic Council, June 14, 2022, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/victory-reimagined/.

4 Clare Stouffer, “15 Types of Hackers + Hacking Protection Tips for 2022,” Norton, May 2, 2022, https://us.norton.com/internetsecurity-emerging-threats-types-of-hackers.html#Greenhat.

5 Janne Hakala and Jazlyn Melnychuk, “Russia’s Strategy in Cyberspace,” NATO Strategic Communications Centre of Excellence, June 2021, https://stratcomcoe.org/cuploads/pfiles/Nato-Cyber-Report_15-06-2021.pdf.

6 Roy Iarchy and Eyal Rynkowski, “GoldenCup: New Cyber Threat Targeting World Cup Fans,” Broadcom Software, July 5, 2018, https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans.

7 “Spyware,” MalwareBytes, https://www.malwarebytes.com/spyware.

8 Taylor Armerding, “Golden Cup App Was a World Cup of Trouble,” Synopsys, July 12, 2022, https://www.synopsys.com/blogs/software-security/golden-cup-app-world-cup-trouble/.

9 Yaniv Kubovich, “Hamas Cyber Ops Spied on Hundreds of Israeli Soldiers Using Fake World Cup, Dating Apps,” Haaretz, July 3, 2018, https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773.

10 Ruth Eglash, “Israel Says Hamas Tried to Infiltrate Its Military Using Dating and Sports Apps,” Boston Globe, July 3, 2018, https://www.bostonglobe.com/news/world/2018/07/03/israel-says-hamas-tried-infiltrate-its-military-using-dating-and-sports-apps/yC2HfakeUXDlhZw5XhMSBN/story.html; https://www.idf.il/en/minisites/hamas/hamas-online-terrorism/.

11 J.D. Work, Troubled Vision: Understanding Recent Israeli–Iranian Offensive Cyber Exchanges, Atlantic Council, July 22, 2020, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/troubled-vision-understanding-israeli-iranian-offensive-cyber-exchanges/.

12 Amos Harel, “How Deep Has Chinese Intelligence Penetrated Israel?” Haaretz, February 25, 2022, https://www.haaretz.com/israel-news/.premium-how-deep-has-chinese-intelligence-penetrated-israel-1.10633942.

13 “Propaganda, Extremism and Online Recruitment Tactics,” Anti-Defamation League, April 4, 2016, https://www.adl.org/education/resources/tools-and-strategies/table-talk/propaganda-extremism-online-recruitment.

14 Office of the Director of National Intelligence, Annual Threat Assessment of the US Intelligence Community, February 7, 2022, https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report.pdf.

15 National Security Archive, “USCYBERCOM After Action Assessments of Operation GLOWING SYMPHONY,” January 21, 2020, https://nsarchive.gwu.edu/briefing-book/cyber-vault/2020-01-21/uscybercom-after-action-assessments-operation-glowing-symphony.

16 The White House, National Strategy for Counterterrorism of the United States of America, October 2018, https://www.dni.gov/files/NCTC/documents/news_documents/NSCT.pdf.

17 “Hamas: The Palestinian Militant Group That Rules Gaza,” BBC, July 1, 2022, https://www.bbc.com/news/world-middle-east-13331522.

18 “The Covenant of the Islamic Resistance Movement,” August 18, 1988, https://avalon.law.yale.edu/20th_century/hamas.asp.

19 Gur Laish, “The Amorites Iniquity – A Comparative Analysis of Israeli and Hamas Strategies in Gaza,” Infinity Journal 2, no. 2 (Spring 2022), https://www.militarystrategymagazine.com/article/the-amorites-iniquity-a-comparative-analysis-of-israeli-and-hamas-strategies-in-gaza/.

20 Khaled Abu Toameh, “PA Popularity Among Palestinians at an All-Time Low,” Jerusalem Post, November 18, 2021, https://www.jpost.com/middle-east/pa-popularity-among-palestinians-at-an-all-time-low-685438.

21 “16 Killed in Suicide Bombings on Buses in Israel: Hamas Claims Responsibility,” CNN, September 1, 2004, http://edition.cnn.com/2004/WORLD/meast/08/31/mideast/.

22 “Hamas Rocket Fire a War Crime, Human Rights Watch Says,” BBC News, August 12, 2021, https://www.bbc.com/news/world-middle-east-58183968.

23 Isabel Kershner, “Hamas Militants Take Credit for Sniper Attack,” New York Times, March 20, 2007, https://www.nytimes.com/2007/03/20/world/middleeast/19cnd-mideast.html.

24 “Hamas Operatives Launch Incendiary Balloons into Israel,” AP News, September 4, 2021, https://apnews.com/article/technology-middle-east-africa-israel-hamas-6538690359c8de18ef78d34139d05535.

25 Mai Abu Hasaneen, “Israel Targets Hamas Leader after Call to Attack Israelis with ‘Cleaver, Ax or Knife,’” Al-Monitor, May 15, 2022, https://www.al-monitor.com/originals/2022/05/israel-targets-hamas-leader-after-call-attack-israelis-cleaver-ax-or-knife.

26 Ralph Ellis and Michael Schwartz, “Mom Speaks Out on 3 Abducted Teens as Israeli PM Blames Hamas,” CNN, June 15, 2014, https://www.cnn.com/2014/06/15/world/meast/west-bank-jewish-teens-missing.

27 The Palestinian National Authority (PA) is the official governmental body of the State of Palestine, exercising administrative and security control over Area A of the Palestinian Territories, and only administrative control over Area B of the Territories. The PA is controlled by Fatah, Hamas’s most significant political rival, and is the legitimate ruler of the Gaza Strip, although Hamas exercises de facto control of the territory.

28 The Palestine Liberation Organization (PLO) is the political organization that is broadly recognized by the international community as the sole legitimate representative of the Palestinian people. The PLO recognizes Israel, setting it apart from Hamas, which is not a member of the organization.

29 Hamas is designated as a foreign terrorist organization by the US State Department and has earned similar designations from dozens of other countries and international bodies, including Australia, Canada, the European Union, the Organization of American States, Israel, Japan, New Zealand, and the United Kingdom. Jotam Confino, “Calls to Assassinate Hamas Leadership as Terror Death Toll Reaches 19,” Jewish Chronicle, May 12, 2022, https://www.thejc.com/news/world/calls-to-assassinate-hamas-leadership-as-terror-death-tolls-reaches-19-19wCeFxlx3w40gFCKQ9xSx; Byron Kaye, “Australia Lists All of Hamas as a Terrorist Group,” Reuters, March 4, 2022, https://www.reuters.com/world/middle-east/australia-lists-all-hamas-terrorist-group-2022-03-04; Public Safety Canada, “Currently Listed Entities,” Government of Canada, https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cntr-trrrsm/lstd-ntts/crrnt-lstd-ntts-en.aspx; “COUNCIL IMPLEMENTING REGULATION (EU) 2020/19 of 13 January 2020 implementing Article 2(3) of Regulation (EC) No 2580/2001 on Specific Restrictive Measures Directed Against Certain Persons and Entities with a View to Combating Terrorism, and Repealing Implementing Regulation (EU) 2019/1337,” Official Journal of the European Union, January 13, 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2020:008I:FULL&from=EN; Organization of American States, “Qualification of Hamas as a Terrorist Organization by the OAS General Secretariat,” May 17, 2021, https://www.oas.org/en/media_center/press_release.asp?sCodigo=E-051/21; Ministry of Foreign Affairs, “Japan’s Foreign Policy in Major Diplomatic Fields,” Japan, 2005, https://www.mofa.go.jp/policy/other/bluebook/2005/ch3-a.pdf; “UK Parliament Approves Designation of Hamas as a Terrorist Group,” Haaretz, November 26, 2021, https://www.haaretz.com/israel-news/.premium-u-k-parliament-approves-designation-of-hamas-as-a-terrorist-group-1.10419344.

30 Nathan R. Stein et al., “The Differential Impact of Terrorism on Two Israeli Communities,” American Journal of Orthopsychiatry, American Psychological Association, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3814032/.

31 Robert A. Pape, “The Strategic Logic of Suicide Terrorism,” The American Political Science Review, August 2003, https://www.jstor.org/stable/3117613?seq=6#metadata_info_tab_contents.

32 “Arabs Celebrate Israeli Withdrawal,” South Florida Sun-Sentinel, October 26, 1995, https://www.sun-sentinel.com/news/fl-xpm-1995-10-26-9510260008-story.html.

33 Brent Sadler, “Suicide Bombings Scar Peres’ Political Ambitions,” CNN, May 28, 1996, http://www.cnn.com/WORLD/9605/28/israel.impact/index.html.

34 Akiva Eldar, “The Power Hamas Holds Over Israel’s Elections,” Al-Monitor, February 11, 2020, https://www.al-monitor.com/originals/2020/02/israel-us-palestinians-hamas-donald-trump-peace-plan.html.

35 Yoram Schweitzer, “The Rise and Fall of Suicide Bombings in the Second Intifada,” The Institute for National Security Studies, October 2010, https://www.inss.org.il/wp-content/uploads/sites/2/systemfiles/(FILE)1289896644.pdf; Beverley Milton-Edwards and Stephen Farrell, Hamas: The Islamic Resistance Movement (Polity Press, 2013), https://www.google.com/books/edition/Hamas/ozLNNbwqlAEC?hl=en&gbpv=1.

36 Ministry of Foreign Affairs, “Rocket Fire from Gaza and Ceasefire Violations after Operation Cast Lead (Jan 2009),” State of Israel, March 16, 2016, https://embassies.gov.il/MFA/FOREIGNPOLICY/Terrorism/Pages/Palestinian_ceasefire_violations_since_end_Operation_Cast_Lead.aspx.

37 “PA: Hamas Rockets Are Bid to Sway Israeli Election,” Associated Press, September 2, 2009, https://web.archive.org/web/20090308033654/http://haaretz.com/hasen/spages/1062761.html.

38 National Consortium for the Study of Terrorism and Responses to Terrorism, “Global Terrorism Database,” University of Maryland, https://www.start.umd.edu/gtd/search/Results.aspx?page=2&casualties_type=&casualties_max=&perpetrator=838&count=100&expanded=yes&charttype=line&chart=overtime&ob=GTDID&od=desc#results-table

39 US Congress, House of Representatives, Subcommittee on the Middle East and North Africa and Subcommittee on Terrorism, Nonproliferation, and Trade, Hamas Benefactors: A Network of Terror, Joint Hearing before the Subcommittee on the Middle East and North Africa and the Subcommittee on Terrorism, Nonproliferation, and Trade of the Committee on Foreign Affairs, 113th Congress, September 9, 2014, https://www.govinfo.gov/content/pkg/CHRG-113hhrg89738/html/CHRG-113hhrg89738.htm.

40 “Hamas Faces Risk, Opportunity from Warming Israel–Turkey Ties,” France 24, March 16, 2022, https://www.france24.com/en/live-news/20220316-hamas-faces-risk-opportunity-from-warming-israel-turkey-ties; Sean Mathews, “Israeli Military Officials Sent to Qatar as US Works to Bolster Security Cooperation,” Middle East Eye, July 8, 2022, https://www.middleeasteye.net/news/qatar-israel-military-officials-dispatched-amid-us-efforts-bolster-security.

41 Nitsana Darshan-Leitner, “Qatar is Financing Palestinian Terror and Trying to Hide It,” Jerusalem Post, February 18, 2022, https://www.jpost.com/opinion/article-696824.

42 Shahar Klaiman, “Qatar Pledges $500M to Rebuild Gaza, Hamas Vows Transparency,” Israel Hayom, May 27, 2021, https://www.israelhayom.com/2021/05/27/qatar-pledges-500m-to-gaza-rebuild-hamas-vows-transparency; Jodi Rudoren, “Qatar Emir Visits Gaza, Pledging $400 Million to Hamas,” New York Times, October 23, 2012, https://www.nytimes.com/2012/10/24/world/middleeast/pledging-400-million-qatari-emir-makes-historic-visit-to-gaza-strip.html.

43 Adam Taylor, “With Strikes Targeting Rockets and Tunnels, the Israeli Tactic of ‘Mowing the Grass’ Returns to Gaza,” May 14, 2021, https://www.washingtonpost.com/world/2021/05/14/israel-gaza-history/.

44 “What Just Happened in Gaza?” Israel Policy Forum, YouTube, https://www.youtube.com/watch?v=XqHjQo0ybvM&t=59s.

45 Michael Koplow, “Proof of Concept for a Better Gaza Policy,” Israel Policy Forum, August 11, 2022, https://israelpolicyforum.org/2022/08/11/proof-of-concept-for-a-better-gaza-policy; Tani Goldstein, “The Number of Workers from Gaza Increased, and the Peace Was Maintained,” Zman Yisrael, April 4, 2022, https://www.zman.co.il/302028/popup/.

46 Aaron Boxerman, “Israel to Allow 2,000 More Palestinian Workers to Enter from Gaza,” Times of Israel, June 16, 2022, https://www.timesofisrael.com/israel-to-allow-2000-more-palestinian-workers-to-enter-from-gaza/.

47 “Operation Breaking Dawn Overview,” Israel Policy Forum, August 8, 2022, https://israelpolicyforum.org/2022/08/08/operation-breaking-dawn-overview/.

48 Aaron Boxerman, “Hamas’s Sinwar Threatens a ‘Regional, Religious War’ if Al-Aqsa is Again ‘Violated,’” Times of Israel, April 30, 2022, https://www.timesofisrael.com/sinwar-warns-israel-hamas-wont-hesitate-to-take-any-steps-if-al-aqsa-is-violated/.

49 Safa Shahwan Edwards and Simon Handler, “The 5×5—How Retaliation Shapes Cyber Conflict,” Atlantic Council, https://www.atlanticcouncil.org/commentary/the-5×5-how-retaliation-shapes-cyber-conflict/.

50 Andrew Phillips, “The Asymmetric Nature of Cyber Warfare,” USNI News, October 14, 2012, https://news.usni.org/2012/10/14/asymmetric-nature-cyber-warfare.

51 “Gaza: ICRC Survey Shows Heavy Toll of Chronic Power Shortages on Exhausted Families,” International Committee of the Red Cross, July 29, 2021, https://www.icrcnewsroom.org/story/en/1961/gaza-icrc-survey-shows-heavy-toll-of-chronic-power-shortages-on-exhausted-families.

52 Daniel Avis and Fadwa Hodali, “World Bank to Israel: Let Palestinians Upgrade Mobile Network,” Bloomberg, February 8, 2022, https://www.bloomberg.com/news/articles/2022-02-08/world-bank-to-israel-let-palestinians-upgrade-mobile-network.

53 Israel Defense Forces (@IDF), “CLEARED FOR RELEASE: We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed,” Twitter, May 5, 2019, https://twitter.com/IDF/status/1125066395010699264.

54 Zak Doffman, “Israel Responds to Cyber Attack with Air Strike on Cyber Attackers in World First,” Forbes, May 6, 2019, https://www.forbes.com/sites/zakdoffman/2019/05/06/israeli-military-strikes-and-destroys-hamas-cyber-hq-in-world-first/?sh=654fbba9afb5.

55 “Turkey Said to Grant Citizenship to Hamas Brass Planning Attacks from Istanbul,” Times of Israel, August 16, 2020, https://www.timesofisrael.com/turkey-said-to-grant-citizenship-to-hamas-brass-planning-attacks-from-istanbul/.

56 Anshel Pfeffer, “Hamas Uses Secret Cyberwar Base in Turkey to Target Enemies,” Times (UK), October 22, 2020, https://www.thetimes.co.uk/article/hamas-running-secret-cyberwar-hq-in-turkey-29mz50sxs.

57 David Shamah, “Qatari Tech Helps Hamas in Tunnels, Rockets: Expert,” Times of Israel, July 31, 2014, https://www.timesofisrael.com/qatari-tech-helps-hamas-in-tunnels-rockets-expert; Dion Nissenbaum, Sune Engel Rasmussen, and Benoit Faucon, “With Iranian Help, Hamas Builds ‘Made in Gaza’ Rockets and Drones to Target Israel,” Wall Street Journal, May 20, 2021, https://www.wsj.com/articles/with-iranian-help-hamas-builds-made-in-gaza-rockets-and-drones-to-target-israel-11621535346.

58 “Internal Security Force (ISF) – Hamas,” Mapping Palestinian Politics, European Council on Foreign Relations, https://ecfr.eu/special/mapping_palestinian_politics/internal_security_force/.

59 “Operation Arid Viper: Bypassing the Iron Dome,” Trend Micro, February 16, 2015, https://www.trendmicro.com/vinfo/es/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome; “Sexually Explicit Material Used as Lures in Recent Cyber Attacks,” Trend Micro, February 18, 2015, https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812.

60 “Operation Arid Viper Slithers Back into View,” Proofpoint, September 18, 2015, https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View.

61 “Hamas Uses Fake Facebook Profiles to Target Israeli Soldiers,” Israel Defense Forces, February 2, 2017, https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/.

62 Yossi Melman, “Hamas Attempted to Plant Spyware in ‘Red Alert’ Rocket Siren App,” Jerusalem Post, August 14, 2018, https://www.jpost.com/arab-israeli-conflict/hamas-attempted-to-plant-spyware-in-red-alert-rocket-siren-app-564789.

63 “Hamas Android Malware on IDF Soldiers—This is How it Happened,” Checkpoint, February 16, 2020, https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/.

64 Yaniv Kubovich, “Hamas Cyber Ops Spied on Hundreds of Israeli Soldiers Using Fake World Cup, Dating Apps,” Haaretz, July 3, 2018, https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773; Ben Caspit, “Gilad Shalit’s Capture, in His Own Words,” Jerusalem Post, March 30, 2013, https://www.jpost.com/features/in-thespotlight/gilad-schalits-capture-in-his-own-words-part-ii-308198.

65 Omer Benjakob, “Exposed Hamas Espionage Campaign Against Israelis Shows ‘New Levels of Sophistication,’” Haaretz, April 7, 2022, https://www.haaretz.com/israel-news/tech-news/2022-04-07/ty-article/.premium/exposed-hamas-espionage-campaign-shows-new-levels-of-sophistication/00000180-5b9c-dc66-a392-7fdf14ff0000.

66 Cybereason Nocturnus, “Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials,” Cybereason, April 6, 2022, https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials?hs_amp=true.

67 Cybereason Nocturnus, “New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign,” Cybereason, December 9, 2020, https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign.

68 Sean Lyngaas, “Hackers Leverage Facebook, Dropbox to Spy on Egypt, Palestinians,” December 9, 2020, CyberScoop, https://www.cyberscoop.com/molerats-cybereason-gaza-espionage-palestine/.

69 Adnan Abu Amer, “Hamas Holds Internal Elections Ahead of Palestinian General Elections,” Al-Monitor, February 26, 2021, https://www.al-monitor.com/originals/2021/02/hamas-internal-elections-gaza-west-bank-palestinian.html.

70 “Hamas Using Secret Cyber Warfare Base in Turkey, Report Says,” Haaretz, October 23, 2020, https://www.haaretz.com/middle-east-news/palestinians/2020-10-23/ty-article/.highlight/hamas-using-secret-cyber-warfare-base-in-turkey-report-says/0000017f-e5f6-df5f-a17f-fffe23920000.

71 “Hamas Kills 22 Suspected ‘Collaborators,’” Times of Israel, August 22, 2014, https://www.timesofisrael.com/hamas-said-to-kill-11-suspected-collaborators; “Hamas Executes Three ‘Israel Collaborators’ in Gaza,” BBC, April 6, 2017, https://www.bbc.com/news/world-middle-east-39513190.

72 James Shires, “Hack-and-Leak Operations and US Cyber Policy,” War on the Rocks, August 14, 2020, https://warontherocks.com/2020/08/the-simulation-of-scandal/.

73 Ben Tufft, “Hamas Claims it Hacked IDF Computers to Leak Sensitive Details of Previous Operations,” Independent, December 14, 2014, https://www.independent.co.uk/news/world/middle-east/hamas-claims-it-hacked-idf-computers-to-leak-sensitive-details-of-previous-operations-9923742.html.

74 Tova Dvorin, “Hamas: ‘We Hacked into IDF Computers,’” Israel National News, December 14, 2014, https://www.israelnationalnews.com/news/188618#.VI2CKiusV8E

75 Ari Yashar, “IDF Kills Hamas Terrorists Who Breached Border,” Israel National News, July 8, 2014, https://www.israelnationalnews.com/news/182666; Gil Ronen and Tova Dvorin, “Terrorists Tunnel into Israel: Two Soldiers Killed,” Israel National News, July 19, 2014, https://www.israelnationalnews.com/news/183076.

76 “Website Defacement Attack,” Imperva, https://www.imperva.com/learn/application-security/website-defacement-attack/.

77 Omer Dostri, “Hamas Cyber Activity Against Israel,” The Jerusalem Institute for Strategy and Security, October 15, 2018, https://jiss.org.il/en/dostri-hamas-cyber-activity-against-israel/.

78 WAQAS, “Israel’s Channel 10 TV Station Hacked by Hamas,” Hackread, July 16, 2014, https://www.hackread.com/hamas-hacks-israels-channel-10-tv-station/.

79 Joseph Marks, “Ukraine is Turning to Hacktivists for Help,” Washington Post, March 1, 2022, https://www.washingtonpost.com/politics/2022/03/01/ukraine-is-turning-hacktivists-help/.

80 “Israeli Websites Offline of ‘Maintenance’ as Hamas Praises Hackers,” The National, January 15, 2012, https://www.thenationalnews.com/world/mena/israeli-websites-offline-of-maintenance-as-hamas-praises-hackers-1.406178.

81 Dov Lieber and Adam Rasgon, “Hamas Media Campaign Urges Attacks on Jews by Palestinians in Israel and West Bank,” Wall Street Journal, May 2, 2022, https://www.wsj.com/articles/hamas-media-campaign-urges-attacks-on-jews-by-palestinians-in-israel-and-west-bank-11651511641.

82 “Hamas Interior Ministry to Social Media Activists: Always Call the Dead ‘Innocent Civilians’; Don’t Post Photos of Rockets Being Fired from Civilian Population Centers,” Middle East Media Research Institute, July 17, 2014, https://www.memri.org/reports/hamas-interior-ministry-social-media-activists-always-call-dead-innocent-civilians-dont-post#_edn1.

83 Joseph Krauss, “Poll Finds 80% of Palestinians Want Abbas to Resign,” AP News, September 21, 2021, https://apnews.com/article/middle-east-jerusalem-israel-mahmoud-abbas-hamas-5a716da863a603ab5f117548ea85379d.

84 Patrick Kingsley and Isabel Kershner, “Israel’s Government Collapses, Setting Up 5th Election in 3 Years,” New York Times, June 20, 2022, https://www.nytimes.com/2022/06/20/world/middleeast/israel-election-government-collapse.html.

85 Patrick Howell O’Neill, “Why Security Experts Are Braced for the Next Election Hack-and-Leak,” MIT Technology Review, September 29, 2020, https://www.technologyreview.com/2020/09/29/1009101/why-security-experts-are-braced-for-the-next-election-hack-and-leak/.

86 Eric Lipton, David E. Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the US,” New York Times, December 13, 2016, https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html.

87 Ben Samuels, “No Normalization with Israel Until Two-State Solution Reached, Saudi FM Says,” Haaretz, July 16, 2022, https://www.haaretz.com/middle-east-news/2022-07-16/ty-article/.premium/no-normalization-with-israel-until-two-state-solution-reached-saudi-fm-says/00000182-0614-d213-adda-17bd7b2d0000.

88 Ibrahim Fraihat, “Palestine: Still Key to Stability in the Middle East,” Brookings Institution, January 28, 2016, https://www.brookings.edu/opinions/palestine-still-key-to-stability-in-the-middle-east/.

89 Israel Foreign Ministry, “The Charter of Allah: The Platform of the Islamic Resistance Movement (Hamas),” Information Division, https://irp.fas.org/world/para/docs/880818.htm.

90 “The Proliferation of Offensive Cyber Capabilities,” Cyber Statecraft Initiative, Digital Forensic Research Lab, Atlantic Council, https://www.atlanticcouncil.org/programs/digital-forensic-research-lab/cyber-statecraft-initiative/the-proliferation-of-offensive-cyber-capabilities/.

91 Neri Zilber, “Inside the Cyber Honey Traps of Hamas,” The Daily Beast, March 1, 2020, https://www.thedailybeast.com/inside-the-cyber-honey-traps-of-hamas.

The post The cyber strategy and operations of Hamas: Green flags and green hats appeared first on Atlantic Council.

The 5×5—Non-state armed groups in cyber conflict

Simon Handler — Wed, 26 Oct 2022 04:01:00 +0000

Non-state organizations native to cyberspace, like patriotic hacking collectives and ransomware groups, continue to impact geopolitics through cyber operations. But, increasingly, non-state armed groups with histories rooted entirely in kinetic violence are adopting offensive cyber capabilities to further their strategic objectives. Each of these groups has its own motivations for acquiring these capabilities and its strategy to employ them, making developing effective countermeasures difficult for the United States and its allies. In Ukraine, the Russian government is increasingly outsourcing military activities to private military companies, such as the Wagner Group, and it may continue to do so for cyber and information operations. In Mexico, drug cartels are purchasing state-of-the-art malware to target journalists and other opponents. Elsewhere, militant and terrorist organizations such as Hezbollah and Boko Haram have employed cyber capabilities to bolster their existing operations and efficacy in violence against various states.

The proliferation of offensive cyber capabilities and low barriers to acquiring and deploying some of these powerful tools suggest that the cyber capacities of non-state armed groups will only continue to grow. We brought together five experts from various backgrounds to assess the emerging cyber threats posed by non-state armed groups and discuss how the United States and its allies can address them.

#1 How significant is the cyber threat posed by non-state armed groups to the United States and its allies? What kinds of entities should they be concerned about?

Sean McFate, nonresident senior fellow, Africa Center, Atlantic Council; professor, Georgetown University’s Walsh School of Foreign Service and the National Defense University:

“Currently, the most powerful non-state armed groups that use cyber do it on behalf of a state, offering a modicum of plausible deniability. For example, The Concord Group in Russia is owned by Yevgeny Prigozhin, an oligarch close to Putin. Under the Concord Group is the Wagner Group (mercenaries) and the Internet Research Agency, also known as “the troll farm.” Outsourcing these capabilities lowers the barrier of entry into modern conflicts and allows the Kremlin to purse riskier stratagems.”

Steph Shample, non-resident scholar, Cyber Program, Middle East Institute; senior analyst, Team Cymru:

“The cyber threat posed by independent actors or criminal groups—not advanced persistent threats (APT)—is high, and the first impact is primarily financial. Ransomware flourishes among non-state groups, and can makes these actors, at times, millions of dollars. Consider the SamSam ransomware operations, carried out by Iranian nationals. According to the publicized indictments, the two actors were not found to have ties to the Iranian government, but they took in $6 million in profit—and that is just what was traceable. The second impact is reputational damage for businesses. Once they are impacted by a cyber incident, building the trust of users back is often more difficult than recouping financial loss. Entities to worry about include fields and industries that do not have robust cyber protection or excessive funds, as malicious actors often go after them. These industries include academia, healthcare, and smaller government entities like cities and municipalities.”

Aaron Brantly, associate professor of political science and director, Tech4Humanity lab, Virginia Tech:

“Non-state armed groups do not pose a significant cyber threat at present to the United States and its allies. There are very few examples of non-state actors not affiliated or acting as proxies for states that have the capacity to develop and utilize vulnerabilities to achieve substantial effect. The threat posed by these groups increases when they act as proxies and leverage state capacity and motivation. It is conceivable that non-state armed groups may use cyberattacks to engage in criminal attacks to achieve financial benefits to fund kinetic activities. Yet, developing the capacity to carry out armed attacks and cyberattacks often require members with different skillsets.”

Maggie Smith, research scientist and assistant professor, Army Cyber Institute, United States Military Academy:

The views expressed are those of the author, and do not reflect the official position of the Army Cyber Institute, United States Military Academy, Department of the Army, or Department of Defense.

“I find the most confounding factor of non-state groups to be their motivations for attacking particular targets. Motivations can be financial, ideological, religious, grievance-based, or entities could be targeted for fun—the options are endless and they are not static. Therefore, our traditional intelligence and the indicators and warnings that typically tip and cue us to threats, may not be there. This makes defending against non-state actors that much more unpredictable, confusing, and challenging than defending against states.”

Jon Lindsay, associate professor, School of Cybersecurity and Privacy, Georgia Institute of Technology (Georgia Tech):

“The greatest threat to the United States remains other nuclear-armed states, as well as collective existential threats like climate change and pandemics. Non-state actors are a serious but less severe threat, and cyber is the least severe tool in their kits. Cyber is a minor feature of a minor threat to the United States and its allies.”

#2 How do strategies vary among different types of non-state armed groups and compare with those of states when it comes to cyber capabilities?

Lindsay: “A really interesting feature of the cyber revolution is the democratization of deception. The classic strategies of intelligence—espionage, subversion, disinformation, counterintelligence, and secret diplomacy—that were once practiced mainly by states are now within reach of many actors. The more interesting variation may be in capabilities—states can do more for many reasons—than in strategy. Like it or not, we are all actors, intermediaries, and targets of intelligence.”

McFate: “Outsourcing cyber threats allows states to circumnavigate international and domestic laws. This creates moral hazard in foreign policymaking because it lessens the likelihood of punishment by the international community.”

Brantly: “Whether terrorist organizations or insurgencies, armed groups historically use violence to achieve effects. The strategy of armed groups is to shift the public view of an organization, or issue in such a way as to compel a state actor to respond. Cyber threats do not achieve the same level of visibility that kinetic violence does, and are therefore strategically and tactically less useful to non-state groups. By contrast, state actors seek intelligence and signaling capabilities that control escalation. Because cyberattacks are frequently considered less impactful due to several factors including reversibility, levels of violence, etc., they are a robust tool to enable broader strategic objectives.”

Shample: “There is often overlap. If we again think about APT groups, or those directly sponsored by state governments—the “big four” US adversaries include Iran, China, North Korea, and Russia. All of these countries have mandatory conscription, so all men (and in selective cases, women) have to serve in these countries’ militaries. That mandatory military training can be fulfilled by going through one of their cyber academies and acting as what the United States and Five Eyes community considers a “malicious cyber actor.” Mandatory service is completed eventually, but then these actors can go and act on their own accord, using the training they received to cover their online tracks. State-trained individuals become part of the non-state actor community. They take their learned skills, they share them with other actors on forums and chat platforms, and voila. With training and sophistication, along with a way to evade tracking from their home countries, these individuals continue to improve their skills and networks online, which is a very serious problem. They are sophisticated and able to keep acting in a criminal capacity. The more sophisticated actors can also sell ready-to-use kits, such as Ransomware-as-a-Service, phishing kits, and so on that are premade and do not take high skill to use. The trained malicious actor can not only act independently, but they could have an additional stream of revenue selling kits and supplies to other malicious actors. It is an entire underground ecosystem that I see on closed forums all the time.”

Smith: “One difference is that strategies are more ad hoc or responsive and shift when a non-state group’s motivation for attacking changes. For example, Killnet, the now-infamous pro-Russian hacker group that has been conducting distributed denial-of-service attacks (DDoS) against European nations since March, started off as a DDoS tool that criminal and threat actors could purchase. Just after updating the version of the tool in March, the non-state, but pro-Russian criminals behind Killnet pulled the tool offline and declared that the name was now an umbrella term applied to hacktivism against Russia’s enemies.”

#3 What makes cyber capabilities attractive (or not) to these kinds of non-state groups?

Lindsay: “The obvious answer: cyber tools are low cost and low risk. Cyber becomes an attractive option to actors that lack the means or resolve to use more effective instruments of power. The more that an actor is concerned about adverse consequences like retaliation, punishment, and law enforcement, the more likely they are to use cyber capabilities.”

McFate: “Cyber is important, but not in ways people often think. It gives us new ways of doing old things: sabotage, theft, propaganda, deception, and espionage. Cyber war’s real power is malign information, not sabotage like Stuxnet. In an information age, disinformation is more important than firepower. Who cares about the sword if you can manipulate the mind that wields it?”

Brantly: “Cyber capabilities are less attractive to non-state armed groups because their cost-to-impact ratio is less than kinetic violence. At present, insurgents are unlikely to win by using cyberattacks, and terrorist organizations are unlikely to draw the desired levels of attention to their cause through cyber means that they would by comparable kinetic means. Where attacks disrupt, embarrass an adversary, or facilitate financial concerns of non-state armed groups, such attacks are more likely.”

Shample: “Pseudo-anonymity, of course. They can act from anywhere, target any entity, use obfuscation technology to cover their tracks, and target cryptocurrency to raise money. First, they can cover their tracks completely/partially. Second, they may have enough obscurity to provide plausible cover and not be officially tracked and charged, despite suspicion. Third, they can make a decent amount of money and/or cause damage without any personal harm that comes back to themselves. Fourth, they are able to be impactful and gain notoriety amongst the criminal contingent. The criminal underground is very ego driven, so if an actor can successfully impact a large business or organization, and in so doing make world-wide news, this only helps them gain traction and followers in their community. And they build, keep learning, and repeat, fueled by their financial success and notoriety.”

Smith: “Cyber capabilities are attractive for a lot of reasons—e.g., they can be executed remotely, purchased, obfuscated, difficult to positively attribute, among other attributes that make them easier to execute than a kinetic attack—but if I were a malicious cyber actor, I would be in the business because nation states are still figuring how to respond to cyberattacks. There is not an internationally agreed upon definition for what constitutes a cyberattack, when a cyberattack becomes an act of war, or any concrete estimation for what a proportional response to a cyberattack should be. Additionally, the legal mechanisms for prosecuting cyber activities are still being developed, so as a criminal, the fuzziness and ability to attack an asset within a country without clear consequences is very attractive—especially when law enforcement cyber capabilities are stretched thin and the courts have yet to catch up to technology (or have judges that do not understand the technology used in a case).”

Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Countering cyber proliferation: Zeroing in on Access-as-a-Service

#4 Where does existing theory or policy fall short in addressing the risks posed by the offensive cyber operations of non-state armed groups?

Lindsay: “Generally, we need more theory and empirical research about intelligence contests of any kind. Secret statecraft, and not only by states, is an understudied area in security studies, and it is also a hot research frontier. I do think that the conventional wisdom tends to overstate the threat of cyber from any kind of group, but it is consistent with the paranoid style of American politics.”

McFate: “How many conferences have you been to where ‘experts’ bicker about whether a cyberattack constitutes war or not? Who cares? US policymakers and academic theorists think about war like pregnancy: you either are or are not. But, in truth, there is no such thing as war or peace; it is really war and peace. Our adversaries do not suffer from this bizarre false dichotomy and exploit our schizoid view of international relations. They wage war but disguise it as peace to us. Cyberattacks are perfect weapons because we spend more time on definitions than on solutions. We need more supple minds at the strategic helm.”

Brantly: “Many scholars have focused on proxy actors operating in and through cyberspace. The theories and policies developed on the motivations and actions of proxies is robust. This subfield has grown substantially within the last three to four years. Some theorizing has focused on the use of cyber means by terrorist organizations, but most of the research in this area has been speculative. Little theorizing has been done on the use of cyberattacks by non-state armed groups that are not operating as proxies or terrorist organizations. Although there are few examples of such organizations using cyberattacks, increased analysis on this area is potentially warranted.”

Shample: “The United States and its allies are overly focused on state-sponsored actors. This is because they can issue things like sanctions against state-tied actors, and have press conferences publicizing pomp and circumstance. They ignore the criminal contingent because they usually cannot publicly sanction them. This is short-sighted. The United States needs to combine its intelligence and military efforts to focus on all malicious actors, state-sponsored, criminal groups, and individual/independent actors. Stop worrying about sanctions—malicious APTs often laugh at sanctions from countries without extradition, and the sanctions will quite literally never impact them. They joke about them on underground forums and then continue attacking.”

Smith: “An area that I am working on is the threats posed by non-state actors during periods of conflict—even ones that we cheer on from afar. The Russian invasion of Ukraine and the subsequent rise of the Ukrainian IT Army and pro-Russian groups like Killnet really complicate the conflict and have shown how organized non-military, non-state-sponsored, and mixed-nationality groups can have a direct impact on the modern battlefield. For entities like US Cyber Command and our foreign counterparts, this is an area of concern, as it is really the modern instantiation of civilians on the battlefield. When do those civilians become enemy combatants and how to we deal with them? Those questions are not answered yet and they are further complicated by the various motivations among groups that I discussed above.”

#5 How can the United States and its allies address the cyber threats posed by the many disparate non-state armed groups around the world?

Lindsay: “We should start by accepting that cyber conflict is both inevitable and tolerable. Cyberattacks are part of the societal search algorithm for identifying vulnerabilities that need to be patched, which helps us to build a better society. The United States and its allies should continue to work on the low-hanging fruit of cybercrime, privacy, and intelligence coordination (which are not really hanging that low), rather than focusing on bigger but more mythical threats. The small stuff will help with the big stuff.”

McFate: “Three ways. First, better defense. Beyond the ‘ones and zeros’ warriors, we need to find ways to make Americans smarter consumers of information. Second, we need to get far more aggressive in our response. I feel like the United States is a goalie at a penalty shootout. If you want to deter cyberattacks, then start punching back hard until the bullies stop. Destroy problematic servers. Go after the people connected to them. Perhaps the United States should explore getting back into the dark arts again, as it once did during the Cold War. Lastly, enlist the private sector. ‘Hack back’ companies can chase down hackers like privateers. It is crazy in 2022 that we do not allow this, especially since the National Security Agency does not protect multinational corporations or civil society’s cybersecurity.”

Brantly: “The United States and its allies have already addressed cyber threats posed by different groups through the establishment of civilian and military organizations designed to identify and counter all manner of cyber threats. The United States has pushed out security standards through the National Institute of Standards and Technology, and US Cyber Command and the military cyber commands have worked to provide continuous intelligence on the cyber activities of potential adversaries. Continuing to strengthen organizations and standards that identify and counter cybersecurity threats remains important. Building norms around what is and is not acceptable behavior in cyberspace and what are critical cybersecurity practices among public and private sector actors will continue to constrain malicious behavior within this evolving domain of interaction. There is no single golden solution. Rather, addressing cybersecurity threats posed by all manner of actors requires multiple ongoing concurrent policy, regulatory, normative, and organizational actions.”

Shample: “If all entities working cyber operations (law enforcement, intelligence, and military) worked together and with the private sector more, the world would benefit. The private sector can move quicker with respect to changing infrastructure and the quickness of tracking malicious actors. Cyber criminals know they need to set up, act, and then usually tear down their infrastructure, change, and rebuild from scratch so as to avoid tracking. Cyber truly takes all efforts, all kinds of people working it together to be effective. There is too much focus on state-sponsored vs. criminal, and there is too much information not shared among practitioners. Counterterrorism focused analysis needs to be combined with combatting weapons and human trafficking and counter-narcotics, which all then come back to a financial focus. Terrorists like ISIS and others have been observed funding their operations by selling weapons, drugs, or humans, and then putting those funds into cryptocurrency. We have pillars of specialists that focus on one area, but there needs to be more combined efforts vs. singular-focused efforts. Underground forums need to be monitored. Telegram, discord, and dark web forums all need more monitoring. There needs to be a collective effort to combat serious cyber threats, versus dividing efforts and keeping ‘separate’ tracking. Government, military, and law enforcement need to work with the private sector and share the appropriate amount of information to take down criminal networks. There are too many solo efforts vs. a collective one to truly eradicate the malicious cyber criminals.”

Smith: “First, there is no silver bullet because there are so many variables to consider for each threat as it arises—context, composition, etc. are all confounding factors to consider. But I think that international partnerships and domestic partnerships with the private sector and critical infrastructure owners are the key to addressing non-state cyber actors and the threats they pose. The more we communicate and share intelligence and information among partners, the better we will be at anticipating threats and mitigating risk, while also ensuring that we are steadily working to create an ecosystem of support, skills, knowledge, processes and partnerships to combat the multi-modal threats coming from non-state cyber actors.”

Nonresident Senior Fellow

The post The 5×5—Non-state armed groups in cyber conflict appeared first on Atlantic Council.

Guevara in El Heraldo de México: on the effectiveness of state’s strategic capabilities (in Spanish)

ktalley — Tue, 25 Oct 2022 17:07:00 +0000

Original Article

Fellow

Inigo Guevara Moyano

Scowcroft Center for Strategy and Security Transatlantic Security Initiative

Americas Arms Control

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Explore more

The post Guevara in El Heraldo de México: on the effectiveness of state’s strategic capabilities (in Spanish) appeared first on Atlantic Council.

China’s surveillance ecosystem and the global spread of its tools

Bulelani Jili — Mon, 17 Oct 2022 04:00:00 +0000

Executive summary
Introduction
China’s domestic tech environment
Cyber Sovereignty
Public-private partnerships
China’s political and legal environment
Conclusion

Executive summary

This paper seeks to offer insights into how China’s domestic surveillance market and cyber capability ecosystem operate, especially given the limited number of systematic studies that have analyzed its industry objectives. For the Chinese government, investment in surveillance technologies advances both its ambitions of becoming a global technology leader as well as its means of domestic social control. These developments also foster further collaboration between state security actors and private tech firms. Accordingly, the tech firms that support state cyber capabilities range from small cyber research start-ups to leading global tech enterprises. The state promotes surveillance technology and practices abroad through diplomatic exchanges, law enforcement cooperation, and training programs. These efforts encourage the dissemination of surveillance devices, but also support the government’s goals concerning international norm-making in multilateral and regional institutions.

The proliferation of Chinese surveillance technology and cyber tools and the associated linkages between both state and private Chinese entities with those in other states, especially in the Global South, is a valuable component of Chinese state efforts to expand and strengthen their political and economic influence worldwide. Although individual governments purchasing Chinese digital tools have their local ambitions in mind, Beijing’s export and promotion of domestic surveillance technologies shape the adoption of these tools in the Global South. As such, investigating how Chinese actors leverage demand factors for their own aims, does not undercut the ability of other countries to detect and determine outcomes. Rather it demonstrates an interplay between Chinese state strategy and local political environments. This paper specifically focuses on key features in China’s surveillance ecosystem, while the companion to this report will focus on the key ‘pull factors’ from African countries and their significance for US interests.

Introduction

Chinese tech companies are among the largest firms in the world. Initially focused on the domestic market, they now sell various surveillance technologies to a global customer base. Increased collaboration between the party-state and private Chinese actors in the sale of surveillance products inspires trepidations about the proliferation of China’s surveillance tools, ergo the rise of unwarranted surveillance. Namely, researchers scrutinize China’s diplomatic activities, raising questions about the degree to which the government enables surveillance practices abroad. Large Chinese firms and state amplify debate and concerns by pushing to change the norms and mechanisms in the use of public security technology.

This paper seeks to offer insights into how China’s domestic surveillance market and cyber capability ecosystem operate, especially given the limited number of systematic studies on the industry and its growing influence in the Global South. This issue brief focuses on the development of the Chinese surveillance industry and the firms that make it possible, including those firms that sell surveillance tools within the international surveillance market. The brief has four parts. The first discusses the development of China’s surveillance ecosystem. It specifically explores the establishment of the Golden Shield Project (GSP), a national Closed-Circuit Television (CCTV) network intended to digitize the public security sector, and its consequences for surveillance practices in China. The second section investigates China’s conception of “cyber sovereignty,” or wangluo zhuquan, which seeks to influence the governance of cyberspace. This idea and policy prerogative helps Beijing’s promotion of a controlled cyberspace and, therefore, the development of surveillance practices that rely on the use of artificial intelligence, big data, and biometric collection, among other means, to monitor citizens. The third and fourth sections carefully look at how private-public partnerships have empowered China’s cyberpower, while at the same time creating a more restrictive legal and political environment in China. What appears to make the party-state distinct from other exporters is the legal and political system from which these surveillance tools emerge—crucially, how China promotes their use in the Global South.¹ The brief concludes by taking a close look at how the spread of Chinese surveillance tools is both a consequence of China’s supply capacity and local demand factors.

China’s domestic tech environment

In 2014, President Xi Jinping declared that there was “no national security without cybersecurity.”² For the Chinese Communist Party (CCP), surveillance technology research and development support the party’s intention to be a global technology leader while also augmenting its means of domestic social control. Promoting social stability has been the chief policy goal of the party, and therefore the state, for years.³As early as 1990, the State Council approved a proposal to establish a national information system.⁴This includes the Golden Shield, or jindun gongcheng program. GSP is a surveillance initiative launched by the state in 1998. Promoted by public security authorities, the primary aim of the initiative is to create a fully digitized public security sector using a national surveillance network to bolster the means of data management and state security capabilities. Walton’s seminal report, “China’s Golden Shield Corporations and the Development of Surveillance Technology in The People’s Republic of China,” examines the early developments of GSP.⁵Walton’s work examines how the initiative relied on American and Canadian made technology. Recent government bidding documents show further evidence that American companies supply some of the parts necessary for the GSP project.⁶

The first phase of the GSP involved the digitization of the ministry, province, and city, while the second phase’s intent has been to integrate all three levels of public security networks by establishing the means to foster information sharing between the three levels.⁷The project relies on information and communication technology (ICT) systems to enhance the ability of a unified command, rapid response, and coordinated effort to address supposedly the challenges of crime. In its early stages, it was characterized mostly by surveillance cameras paired with more efficient ways of sharing data within state bureaus. The GSP has grown significantly in size and sophistication since its founding. It now includes 416 million surveillance cameras around the country that utilize artificial intelligence (AI) facial recognition technology.⁸ These developments also include many ostensibly benign technologies like geolocation and storage servers that support social control. The Police Geographic, for example, is a geolocation platform made by Tianjin Troila Technology that offers the police real-time spatial visualization data.⁹ This project enables the representation of space into grids for surveillance and knowledge building to serve security objectives. Valentin Weber and Vasilis Ververis bolster this argument in research published in August 2021. Their report examines various technologies, including geolocation, which form part of a layered assemblage of surveillance systems that support the tracking of vehicles and people.¹⁰

The “safe city model,” or Ping an chengshi, evolved from the GSP.¹¹Simply put, it is “a computational model of urban planning that promises to optimize operational efficacy and promote economic growth by leveraging ICT systems.”¹² It is a commodity sold by Huawei at home, but also offered across the Global South. Currently, the safe city relies on integrating data from multiple sources that include utility companies, retail stores, and formal banks. This biometric data then feeds databases run by public security bureaus, which utilize facial recognition tools. The centralized information systems are known as city brains, or Chengshi danao.¹³ These efforts in part bring together civil-commercial actors with the state for the sake of data-driven governance. Underlying the turn towards data-driven governance is Beijing’s belief in a scientific outlook on development, or kexue fazhan guan, a notion that assumes that technical interventions can numerically capture and abate social challenges, like crime.¹⁴

Cyber sovereignty

In 2016, President Xi maintained that legal and political constraints must be accompanied by the development of technology at home and abroad.¹⁵A goal of its lobbying on multilateral institutions like the UN is the adoption of its conception of cyber sovereignty. Simply put, cyber sovereignty refers to respecting a nation’s right to choose the trajectory of its internet development and management.¹⁶These lobbying efforts do not merely focus on technical norms and standards aimed at advancing network security, but also speak to the state’s right to control the flow of information within its borders. As it stands, Beijing’s notion of cyber sovereignty seeks to advocate for a country’s sovereign right to delimit and control data flows based on its domestic security interests. From this vantage point, states should discourage interference in the internal affairs of others. This privileging of the state offers legitimacy and cover to Beijing’s predilection towards delimiting and controlling online activity, but is also in contrast to Western commitments to cyber governance. While the United States and its allies “advocate for a more open, free, and multistakeholder approach, which provides open platforms for private actors and civil society organizations, China wishes to promote a complete counterapproach that asserts the interests of the government over non-state actors.”¹⁷

China’s domestic environment has nurtured a tech industry that supports the state’s aims to monitor, censor, and condition public opinion. The Golden Shield Project, which is popularly referred to as the “Great Firewall of China,” is the best illustration of this project. An initiative managed by the Ministry of Public Security, which crucially relies on filtering and censorship technologies that operate alongside domestic law that limits and seeks to curate online discourse. Margaret Roberts, in her work titled “Censored: Distraction and Diversion Inside China’s Great Firewall,” offers a systematic analysis that demonstrates how state agencies have created social media accounts that flood the internet with approved state media content that seeks to influence public opinion.¹⁸ The state’s attempt to control discourses also includes a desire to influence international opinion about China. Adam Segal’s in-depth 2020 essay describes how Beijing promotes cyber sovereignty, or wangluo zhuquan, as an organizing principle to prevent the flow of online information that threatens domestic political stability, foster technological supremacy and independence from the United States, and counter US global influence.¹⁹

China increasingly acts in accordance with its policy of cyber sovereignty. In 2017, the government told companies like Tencent, a giant internet-based platform and company, to shut down websites that host content deemed as socially and politically threatening.²⁰Weibo, a Chinese social media platform, made changes to its platform in 2018 to allow government censors to tag posts as unsubstantiated rumors.²¹This corporate complicity has made and scaled up surveillance. Likewise, mass surveillance practices in Xinjiang—a matter that Beijing has claimed to be a domestic affair that is beyond international critique—has several corporate actors involved. For instance, H3C has also developed an internet protocol (IP) telephone network for the Xinjiang Public Security authorities.²²State agencies employ a multisource and layered surveillance system that uses mobile apps, biometric collection, artificial intelligence, and big data, among other means, to monitor and control thirteen million Turkic Muslims.

Public-private partnerships

State procurement of public security technology and innovation policy is driving China’s surveillance ecosystem. Surveillance tools scale the party-state’s means to conduct surveillance operations on targeted populations that are presumed to be threats to social stability, which result in legal and extralegal means to address the supposed challenge to security. Chinese tech start-ups are seeking to meet the demands of the country’s security services. Many cybersecurity firms in China focus on vulnerability research, threat detection, and security intelligence products, which they sell to the state.²³While these firms mostly rely on Chinese venture capital, they have grown to service clients globally. For example, Pangu Lab is a cybersecurity research team under Pwnzen Infotech that focuses on advanced security research in offensive and defensive cyber capabilities. Pwnzen Infotech has the backing of Qihoo 360, the largest provider of internet and mobile security products in China.²⁴Pangu Lab aims to be at the forefront of vulnerability research and to offer insights into the offensive and defensive techniques necessary to combat potential infiltration and exploitation. Pangu Lab founder, Han Zhengguang, is well-known in the Chinese cybersecurity industry for cracking the iPhone.²⁵According to Han, Pangu Lab conducts security research on iOS. Moreover, they have discovered hundreds of zero-day security vulnerabilities in mainstream operating systems and popular applications, including Android and other leading mobile operating systems.²⁶ Pangu Lab, like many new Chinese cybersecurity research firms, has connections to more established tech firms, but also forms part of an ecosystem of smaller firms and start-ups increasingly used by security services to conduct defensive and offensive cyber operations.²⁷

Drawing attention to the development of China’s cybersecurity industry also means uncovering China’s national cyber ambitions, which are partly contingent on the rapidly advancing sector. Companies operating in this space are increasingly at the forefront of their respective fields, and their insights and products are sold to public security services in China.²⁸Party-state cyber capacities depend on private-public cooperation, where the state procures interception and intrusion technologies. Unlike the Israeli NSO Group, which claims to only sell products to state actors, Chinese start-ups like Pangu offer products to state and non-state actors. They justify their business model by pointing to the need for cybersecurity, but also how their vulnerability research allows for better software.²⁹

Many tech firms tailor their services to meet the demands of China’s security services. For example, Chinese companies like Haimeng, Jin Ruan, Ruitec, and Goldeweb have developed products to support the police in predictive policing and the management of targeted populations perceived to be threats to social stability.³⁰ Arcvideo, like Megvii, also helps equip public security services and has established relationships with the Beijing Criminal Investigation Corps, the Wuhan Public Security Bureau, and six other local security organs.³¹Megvii offers a range of digital solutions, which includes portable video equipment, covert video tracking capabilities, and AI-based analytics software. Western companies like IBM, Intel, Cisco, and Oracle have also provided hardware and software used in China’s surveillance network. Oracle sold the software to Liaoning police, which has enhanced their tracking of key objects, events, and people to better identify potential suspects.³²Scholars have also noted that other Chinese security services—including the Xinjiang police force—use Oracle’s data security service.³³

Chinese leaders have criticized Chinese cyber researchers for doing work outside of China. Indeed, they have implored them to stay in China in order for the government to realize the strategic value of software vulnerabilities.³⁴As a result, Zhou Hongyi, the chairman and CEO of Qihoo 360, delisted the company from the New York Stock Exchange in 2016. Qihoo 360 then relisted in Shanghai in 2018 in part to qualify for Chinese government and military contracts.³⁵Likewise, Chen Xie, the CEO of Tophant, has claimed that Chinese firms dealing with cloud security, data security, zero trust, and privacy, are more likely to receive contracts and funding from Beijing.³⁶Megvii, a partner of Chinese public security authorities, garnered sixty percent of its revenues from smart city contracts in 2020.³⁷Additionally, such access to mass population data enables firms like Megvii to better train their algorithms to identify human faces.³⁸As such, given the financial incentives to work with the CCP, companies have little interest or limited reasons not to develop and supply technologies for public security officials. Private firms within the technology sector, particularly in the cybersecurity space, are increasingly offering their insights and services to the Chinese government, even as they assert ignorance about their collaborative ventures with the state.³⁹

While encouraging the private-public partnerships that have capacitated its cyber power, the Chinese government has also created a more restrictive environment for researchers. Chinese cyber researchers are now effectively banned from participating in international hacking events and competitions, which they once dominated.⁴⁰If researchers wish to participate in an international competition, they must ask for permission, which the state rarely grants.⁴¹Additionally, they must submit their knowledge of software vulnerabilities to security services before attending any international event, giving Chinese security officials a comparative advantage over the United States concerning defensive or offensive hacking operations.

China’s political and legal environment

While direct engagement with the private and public sectors varies between firms, Chinese technology firms operate under a more restrictive legal environment. The 2016 cybersecurity law, 2021 data security law, and 2017 national intelligence law form a series of laws that obligate firms to cooperate with state security organs when requested.⁴²Lucero contends that this environment of increasing rigidity has exacerbated a bureaucratic architecture that prioritizes political stability over economic efficiency.⁴³ Such a move has reportedly resulted “increased centralization and ideological control with fear and paralysis.”⁴⁴Accordingly, these rules establish obligations for firms to cooperate with party-state organs by sharing data that is believed to threaten or promote national security interests. Certainly, it appears that these changes in recent years to the Chinese system occur without any legal recourse or administrative means to decline requests made by state security officials.⁴⁵

Pointedly, the shift towards public stability and security as the primary objective of the party-state has led to a more strict environment for corporations. For example, the new intelligence law requires companies to contribute to government intelligence work by sharing their data when requested by security officials. Simultaneously, this change is unfolding alongside progress being made in personal consumer rights in China. Two recent legal statements challenge this view of a more restrictive legal environment.⁴⁶The first is by the Beijing-based Zhong Lun law firm, their statement was submitted to the Federal Communications Commission during its proceedings regarding concerns around Huawei. At this time, Huawei representatives were sending documents to state officials and organs around the world in support of company as a safe and reliable vendor. The “Zhong Lun declaration” discusses statutory laws passed by China’s Standing Committee, and crucially contends that the current national cybersecurity law, national intelligence law, and anti-terrorism law do not necessarily require tech firms to cooperate with Beijing or obligate them to offer backdoor access to data. This position is further supported by the second statement made by the British law firm Clifford Chance, which was employed by Huawei to issue a legal opinion supposedly in concurrence with the Zhong Lun declaration. Despite these notable interventions, it is a misstep to simply focus on what Chinese law says about the party-state and what it can demand of firms. It is more salient, I argue, to know what the government can actually do, regardless of what the law says. These interventions on behalf of Huawei assume that Beijing is meaningfully constrained by law.

In this light, scholars, like Donald Clarke, contend these two legal statements offer a misleading conclusion. Indeed, the arguments do not ameliorate US national security concerns.⁴⁷ Because while discussing some key features of the intelligence law, the Zhong Lun declaration focuses on a limited subset of mandatory rules and crucially ignores a number of other rules that ask for cooperation. The declaration contends that companies can simply decline state security official requests, and even take action if their legal rights have been violated, companies can pursue remedy through administrative review and through the court system.⁴⁸This view implies that there are judicial checks to state excesses. However, there is as yet no evidence of such a case resulting in an enterprise or citizen receiving this remedy as a result of such violations. These rights asserted in the Zhong Lun declaration—and supposedly respected—are not clearly defined and stated. For these reasons, it is unlikely that the CCP is meaningfully and substantially constrained by law.⁴⁹

The party-state utilizes all-encompassing surveillance practices that mobilize the national CCTV network and cyber researchers to bolster its cyber power. This policy, in part, relies on a more rigid regulatory environment. Strategies, ranging from buying company shares to requiring the establishment of party committees within firms, allow for state-overseen enterprises. Weber and Ververis contend that the procurement of Chinese surveillance tools may expose Western individuals to privacy risks, as the backdoors used for domestic surveillance in China are exported to foreign markets, unless the tech firms choose to sell a more secure version of public security technologies for international customers.⁵⁰ Researchers like Honovich have unearthed and forewarned the various cybersecurity vulnerabilities in Hikvision cameras.⁵¹Currently, there is no empirical evidence from the ground that demonstrates the systematic coordination between Beijing and Hikvision in the purposeful theft of personal data. This concern, however, remains an escalating vulnerability. For example, African Union’s (AU) staffers discovered that China-based hackers, Bronze President, had “rigged a cluster of servers in the basement of an administrative annex to steal surveillance videos from across the AU’s sprawling campus in Addis Ababa, Ethiopia’s capital.”⁵²As such, it is paramount to promote and advance supply chain integrity given the real risk for designed backdoors in hardware or software.

Conclusion

The global push factors of China’s surveillance tools

In addition to aiming to realize cyber power ambitions at home, China’s drive for tech and cybersecurity leadership extends globally. Research from Steven Feldstein found that Chinese companies supply AI surveillance technology in sixty-three countries, thirty-six of which have signed onto China’s Belt and Road Initiative.⁵³ Accordingly, these technologies, developed for the sake of the GSP program, are now exported across the globe. Much of the establishment of surveillance programs is through third parties and subsidiaries of Chinese companies.⁵⁴To be clear, the selling of digital monitoring tools and cyber capability technologies is not unique to Chinese vendors. Many non-Chinese enterprises, including Western firms, are involved in the sale of cyber capabilities and surveillance tools.⁵⁵This focus on Chinese technology does not aim to obfuscate the broader transnational market of digital surveillance tools, which indubitably includes American actors. Rather, the paper illustrates how the procurement of Chinese technology appears to be a result of both Chinese supply and local demand factors. What is unique about Beijing is how it goes about promoting public security systems in the Global South.

The party-state utilizes multilateral institutions like the BRICS (Brazil, Russia, India, China, and South Africa), an emerging markets group, the Belt and Road Initiative, and the Forum on China-Africa Cooperation (FOCAC) to promote its surveillance platforms across the Global South^.56Particularly, through FOCAC and the China-Africa Defense Forum, China has signed resolutions to increase cooperation in areas like counterterrorism, safe city projects, and cybersecurity.⁵⁷China also supplements this promise with commitments to offer finance, technical assistance, and training to African governments on topics ranging from digital forensic techniques to cybersecurity.⁵⁸These efforts reflect Beijing’s aims to influence international norms through multilateral institutions, which further normalize and seek to legitimize its surveillance practices at home.

These trends are particularly prevalent in a handful of African countries. The China-Africa Internet Development and Cooperation Forum held in August 2021 offers an example of China’s aims to implement a joint China-Africa partnership to advance digitization and promote its notion of cyber sovereignty.⁵⁹Additionally, Beijing’s efforts to shape cybersecurity standards and regulations in part garner legitimacy from its digital development aid and projects in Africa.

The proliferation of surveillance technology has, unsurprisingly, had clear effects on law enforcement practices. For example, the use of Chinese surveillance technologies in South Africa has risen largely in tandem with police-to-police training and cooperation—like the 2018 South African delegation tour of Shanghai’s Public Security Bureaus to learn how to improve policing techniques.⁶⁰Similarly, the Botswana Police Services enlisted Huawei to install 500 surveillance cameras in Gaborone and Francistown, including inside commercial buildings, as part of a two-year deal with the company’s Safe City Project.⁶¹

Utilizing ICT systems and services, the Kenyan government aims to foster a safe city project where digital surveillance systems are incorporated into Nairobi’s city infrastructure to optimize development and security ambitions. Working with Huawei and Safaricom, the government established the first African safe city in Nairobi, which connected 200 high-definition traffic surveillance cameras and 1800 high-definition cameras.⁶²What is more, these integrated platforms include a high-speed private broadband network and command center for the National Police Service, which supports over 9000 police officers in 195 police stations. Through these digital surveillance systems, the safe city platform aims to meet several service delivery demands, including real-time surveillance, evidence collection, and video browsing that purportedly support accelerated police response, recovery missions, and crime prevention.

Namely, Huawei’s safe city platforms are promoted as solutions for crime and rising terroristic threats. Governments in the Global South are procuring their services on the grounds to expand their surveillance capacities to address growing trepidations around crime and terrorism. Yet, in part, due to the dearth of publicly available data, the benefits of the safe city platforms are difficult to verify and appear grossly overstated by Huawei.⁶³According to them, crime rates decreased by 46 percent in areas supported by their platform in 2014 to 2015.⁶⁴However, the Eastern African nation’s police services report lower reduction rates in crime during those years.⁶⁵Unfortunately, Nairobi and Mombasa, the two cities supported by Huawei’s safe city platforms have seen an increase in reported crime between 2017 and 2018.

While China’s surveillance system is confined to its national borders, the companies that make its surveillance state possible are now actively selling their tools abroad. Given the growing influence of these firms and the spread of digital surveillance tools, scholars like Feldstein contend that the party-state is not only supporting the proliferation of digital public security technologies, but also enabling the rise of authoritarianism. This kind of argument, I contend presumes a coordinated effort between the party-state and technology firms as a way to export Chinese norms and repressive practices overseas. Indeed, while this argument draws attention to Chinese push factors, it ignores local demand features. Moreover, it lacks robust empirical evidence from the ground to establish the consequences of Beijing’s promotional efforts.⁶⁶For instance, the use of surveillance tools in Kenya, and across Africa, is supposedly a means to improve service delivery and law enforcement. Accordingly, technologies are adopted in order to address such structural and political challenges.⁶⁷The extent of technology and regulation diffusion, and indeed whether it undercuts civil liberties, is greatly contingent on the political and legal environment of the recipient African country.

We are yet to observe party-state solutions for public instability being promoted in the Global South by Beijing. Currently, Huawei’s safe city technologies are marketed as solutions to local concerns around crime and terror. Indeed, China’s active “push” of domestic surveillance technologies is a critical force in shaping African surveillance ecosystems. As such, highlighting how Beijing leverages local demand factors to advance its own geopolitical interests should not be viewed as an attempt to downplay African state agency in determining the application of public security technologies. For these reasons, Africa, and other regions, must be carefully studied both on their terms and as well as places enmeshed in wider relations. The companion report to this issue brief will focus on the key “pull factors” from African countries and their significance for US interests. More to the point, we must engender even-handed studies that demonstrate the degree to which local agency is shaping relations between Africa-China while also underscoring the interplay between local political commitments and Chinese state ambitions.⁶⁸This more proportional analysis seeks to expand our understanding and offers insights into the perennial consequences of Beijing’s growing cyber power on the global stage.

Endnotes

1 Bulelani Jili, The Rise of Chinese Surveillance Technology in Africa.

2 President Xi Jinping, “China Must Evolve from a Large Internet Nation to a Powerful Internet Nation,” 习近平:把我国从网络大国建设成为网络强国, Xinhuanet, February 27, 2014, http://news.xinhuanet.com/politics/2014- 02/27/c_119538788.htm. Also see, William Wan, “Chinese President Xi Jinping takes charge of new cyber effort,” Washington Post, February 27, 2014, https://www.washingtonpost.com/world/chinese-president-takes-charge-of-new-cyber-effort/2014/02/27/a4bffaac-9fc9-11e3-b8d8-94577ff66b28_story.html

3 Samantha Hoffman, Engineering Global Consent: The Chinese Communist Party’s Data-Driven Power Expansion, Australian Strategic Policy Institute, October 14, 2019, https://www.aspi.org.au/report/engineering-global-consent-chinese-communist-partys-data-driven-power-expansion.

4 See, for example: Peter Mattis, “China’s Adaptive Approach to the Information Counter-Revolution,” Jamestown Foundation China Brief, 11 No.10 (June 3, 2011), https://jamestown.org/program/chinas-adaptive-approach-to-the-information-counter-revolution/; Yu Xu and Hongren Zhou, “Analysis and Forecast on China’s Informatization,” 中国信息化形势分析和预测, Beijing: Social Sciences Academic Press, 2010; and Qin Liang, “Public Security Information Industry Overview.” 公安信息化行业概况, Sealand Securities, 2019, https://web.archive.org/web/20201119002413/pg.jrj.com.cn/acc/Res/CN_RES/INDUS/2016/1/26/3d0f5812-fd68-4045-8dd7-c7a2b04862c6.pdf.

5 Greg Walton, China’s Golden Shield Corporations and the Development of Surveillance Technology in The People’s Republic of China, International Centre for Human Rights and Democratic Development, Montreal, 2001, https://ora.ox.ac.uk/objects/uuid:084840ac-b192-407b-ab6c-f8f810310369/download_file?file_format=pdf&safe_filename=CGS_ENG.pdf&type_of_work=Book.

6 Walton, China’s Golden Shield.

7 Yu Xu and Hongren Zhou, Analysis and Forecast on China’s Informatization, 中国信息化形势分析和预测, Beijing: Social Sciences Academic Press, 2010.

8 Valentin Weber and Vasilis Ververis. “China’s Surveillance State: A Global Project,” Top10VPN, August 2021, https://www.top10vpn.com/assets/2021/07/Chinas-Surveillance-State.pdf.

9 Troila Technology, 2022. “警用地理信息服务平台.” (Police geographic information service platform). Available at: https://www.troila.com/jiejuefangan?id=159

10 Weber and Ververis, “China’s Surveillance State: A Global Project.”

11 Samantha Hoffman, “China’s Tech-Enhanced Authoritarianism.” (Written Testimony before the House Permanent Select Committee on Intelligence), US Congress, May 16, 2019, https://www.congress.gov/116/meeting/house/109462/witnesses/HHRG-116-IG00-Wstate-HoffmanS-20190516.pdf

12 Bulelani Jili, “Chinese ICT and Smart City Initiatives in Kenya,” Asia Policy, 17, no. 3 (July 2022): 44, https://www.nbr.org/wp-content/uploads/pdfs/publications/asiapolicy17.3_africa-china_relations_rt_july2022.pdf; and Shannon Mattern, “A City Is Not a Computer: Other Urban Intelligences,” Princeton: Princeton University Press, 2021, DOI: 10.2307/j.ctv1h9dgtj.

13 See, for example: Sohu, “Shanghai’s ‘Public Security Brain’ Is Upgraded to ‘City Brain’,” 上海“公安大脑”将升级为“城市大脑, 2019, https://www.sohu.com/a/338738299_649849.

14 The concept kexue fazhan guan or scientific outlook on development was initially discussed in CCP circles as early as 2003. However, it was only introduced to the public by Hu Jintao in January 2004. It was later adopted by the National People’s Congress as a new guideline for social and economic development in March 2004.

15 President Xi Jinping, “Speech at the Symposium on Network Security and Informatization,” 习近平在网信工作座谈会上的讲话全文发表, Xinhuanet, April 19, 2016, http://www.xinhuanet.com//politics/2016-04/25/c_1118731175.htm.

16 See, for further elaboration of the concept: President Xi Jinping, “Speech at the Opening Ceremony of the Second World Internet Conference,” 习近平在第二届世界互联网大会开幕式上的讲话, Xinhuannet, December 16, 2015, http://www.xinhuanet.com//politics/2015-12/16/c_1117481089.htm; and Rogier Creemers “China’s Conception of Cyber Sovereignty: Rhetoric and Realization,” in Governing Cyberspace: Behavior, Power, and Diplomacy, SSRN (February 5, 2020) 1-34, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=353242.

17 Bulelani Jili, The Rise of Chinese Surveillance Technology in Africa.; Tian Shaohui, ed., “International Strategy of Cooperation on Cyberspace,” Xinhuanet, March 1, 2017, http://www.xinhuanet.com//english/china/2017-03/01/c_136094371.htm.

18 Margaret Roberts, Censored: Distraction and Diversion Inside China’s Great Firewall, Princeton: Princeton University Press, 2018.

19 Adam Segal, “China’s Vision for Cyber Sovereignty,” National Bureau of Asian Research (NBR) Special Report 87 (2020): 85-117, https://www.nbr.org/publication/chinas-vision-for-cyber-sovereignty-and-the-global-governance-of-cyberspace/.

20 Reuters, “China shuts 128,000 ‘harmful’ websites in 2017 – Xinhua,” January 8, 2018, https://www.reuters.com/article/china-internet/china-shuts-128000-harmful-websites-in-2017-xinhua-idINKBN1EX2GO; and People’s Daily, “Last Year’s Top Ten ‘anti-pornography and Illegal’ Cases Announced,” January 9, 2018, 2018. 去年“扫黄打非”十大案件公布, http://politics.people.com.cn/n1/2018/0109/c1001-29752891.html; Cyberspace Administration of China, “Opinions on Further Intensifying Website Platforms’ Entity Responsibility for Information Content,” China Law Translate, September 15, 2021, https://www.chinalawtranslate.com/en/content-responsibility/.

21 See, for example: Yuan Yang, “Beijing Now Able to Flag Weibo Posts as Rumor,” Financial Times, 2018, https://www.ft.com/content/e21369fe-e0db-11e8-8e70-5e22a430c1ad; Yang Ziyu, “Weibo Gives Media, Government Power to Quash ‘Rumors’,” Sixth Tone, November 3, 2018, https://www.sixthtone.com/news/1003152/weibo-gives-media%2C-government-power-to-quash-rumors.

22 See, for example: H3C, “Xinjiang Public Security Dedicated Line IP Telephone System Project,” 新疆公安专线IP电话系统项目, 2007, https://web.archive.org/web/20210514091329/http:/www.h3c.com/cn/Products___Technology/Products/Router/IP_Voice/Home/Success_Stories/200712/322755_30003_0.htm; Government Procurement of Xinjiang, “Announcement of the Winning Bid for the Upgrade Project of Yili Prefecture Public Security Bureau,” 伊犁州公安局党政军链路升级工程项目中标(成交)结果公告, April 1, 2021, https://web.archive.org/web/20210514094226/http:/www.ccgp-xinjiang.gov.cn/ZcyAnnouncement/ZcyAnnouncement4/ZcyAnnouncement3004/KG3KrdvMzw/o/pLznRbnoQ==.html.

23 Margin Research, “The Chinese Private Sector Cyber Landscape,” April 25, 2022, https://margin.re/media/the-private-sector-chinese-offensive-cyber-landscape.aspx.

24 Pei Li and Cate Cadell, “At Beijing Security Fair, an Arms Race for Surveillance Tech,” Reuters, May 30, 2018, https://www.reuters.com/article/ctech-us-china-monitoring-tech-insight-idCAKCN1IV0OY-OCATC.

25 Qi Anxin Group, “Interview| Qian Pangu, the Strongest Guardian of Mobile Security,” 专访|奇安盘古，做移动安全的最强守护者, https://www.qianxin.com/news/detail?news_id=2664.

26 Qi Anxin Group, “Interview| Qian Pangu.”

27 Margin Research, “The Chinese Private Sector Cyber Landscape.”

28 Winnona DeSombre, Lars Gjesvik, and Johann Ole Willers, Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets, Atlantic Council, November 8, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/surveillance-technology-at-the-fair/.

29 Pangu Lab, “Pangu Research Lab,” https://pangukaitian.github.io/pangu/?lg=en

30 Jin Ruan Science and Technology, “System Solution for the Construction of the Social Security Prevention and Control System,” 社会治安防控体系建设系统解决方案, March 1, 2022, https://archive.ph/Yzlez#selection-381.0-381.16.

31 Arcvideo Tech, “Business Scenario of Security+ AI commercial landing practice,” 安防+AI 业务场景驱动的商业化落地实践, https://web.archive.org/web/20220316140031/http://cpsforum.com.cn/15th/Public/Home/images/dh.pdf.

32 Mara Hvistendahl, “How Oracle Sells Repression in China,” The Intercept, February 18, 2021, https://theintercept.com/2021/02/18/oracle-china-police-surveillance/.

33 Weber and Ververis. “China’s Surveillance State: A Global Project.”

34 See, for example: Cyberspace Administration of China, “Regulations on the Management of Network Product Security Vulnerabilities,” 工业和信息化部国家互联网信息办公室公安部关于印发网络产品安全漏洞管理规定的通知, December 7, 2021, https://archive.ph/9cL8j#selection-713.0-713.41; Sina Technology, Zhou Hongyi interview, 周鸿祎接受采访, September 12, 2017, https://tech.sina.cn/i/gn/2017-09-12/detail-ifykusey8931658.d.html?vt=4 ; and Patrick Howell O’ Neill, “How China Built a One-of-a-Kind Cyber-Espionage Behemoth to Last,” MIT Technology Review, February 28, 2022, https://www.technologyreview.com/2022/02/28/1046575/how-china-built-a-one-of-a-kind-cyber-espionage-behemoth-to-last/#:~:text=Computing-,How%20China%20built%20a%20one%2Dof%2Da%2Dkind%20cyber,is%20paying%20off%20for%20China.&text=The%20%E2%80%9Cmost%20advanced%20piece%20of,to%20use%20was%20revealed%20today.

35 See, for example: Laura He, “Chinese Internet Security Firm Coming Home from US Valued at US$62bn, Drops 10pc on Shanghai Debut,” South China Morning Post, February 28, 2018, https://www.scmp.com/business/companies/article/2135098/chinese-internet-security-firm-coming-home-us-valued-us62bn-drops; and Elsa Kania and Lorand Laskai, Myths and Realities of China’s Military-Civil Fusion Strategy, Center for New American Security, January 28, 2021, https://www.cnas.org/publications/reports/myths-and-realities-of-chinas-military-civil-fusion-strategy.

36 Margin Research, 2022. “The Chinese Private Sector Cyber Landscape.”

37 Megvii Technology Limited, “IPO prospectus of Megvii Technology Limited,” 2020, https://static.sse.com.cn/stock/information/c/202103/bab29f856dc5431d931548cd27304d80.pdf.

38 Bulelani Jili, The Rise of Chinese Surveillance Technology in Africa, Electric Privacy Information Center (EPIC), May 31, 2022, https://epic.org/the-rise-of-chinese-surveillance-technology-in-africa/.

39 Minghe Hu, “Coronavirus: WeChat, Alipay Deny Helping Government Identify 350,000 Users Who Visited Beijing Food Market,” South China Morning Post, June 15, 2020, https://www.scmp.com/tech/apps-social/article/3089068/coronavirus-wechat-alipay-deny-helping-government-identify-350000.

40 Chris Bing, “China’s Government Is Keeping Its Security Researchers from Attending Conferences,” Cyberscoop, March 8, 2018, https://www.cyberscoop.com/pwn2own-chinese-researchers-360-technologies-trend-micro/.

41 See, for example: Cyberspace Administration of China, “Regulations on the Management of Network Product Security Vulnerabilities.”

42 Standing Committee, National Intelligence Law, 中华人民共和国国家情报法, China Law Translate, June 27, 2017, https://www.chinalawtranslate.com/national-intelligence-law-of-the-p-r-c-2017/.

43 Karman Lucero, “In China, Planning Towards AI Policy Paralysis,” New America, January 15, 2020, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/china-planning-towards-policy-paralysis/

44 Karman Lucero, “In China, Planning Towards AI policy Paralysis.”

45 Standing Committee, National Intelligence Law.

46 Chen Jihong and Jianwei Fang, “The Zhong Lun Declaration,” 2018, https://perma.cc/L9BF-4JNY.

47 Donald Clarke, “The Zhong Lun Declaration on the Obligations of Huawei and Other Chinese Companies under Chinese Law,” for George Washington University Law School, SSRN (March 17, 2019), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3354211.

48 Chen and Jianwei, “The Zhong Lun Declaration.”

49 See, for example: 2013. Susan Lawrence and Michael Martin, “Understanding China’s Political System,” Congressional Research Service, March 20, 2013, https://sgp.fas.org/crs/row/R41007.pdf.

50 Weber and Ververis. “China’s Surveillance State: A Global Project.”

51 John Honovich, “Hikvision Has ‘Highest Level of Critical Vulnerability,’ Impacting 100+ Million Devices,” IPVM, September 20, 2021, https://ipvm.com/reports/hikvision-36260.

52 Raphael Satter, “Exclusive-Suspected Chinese Hackers Stole Camera Footage from African Union – Memo,” Reuters, December 16, 2020, https://www.reuters.com/article/us-ethiopia-african-union-cyber-exclusiv-idINKBN28Q1DB.

53 Steven Feldstein, The Global Expansion of AI Surveillance, Carnegie Endowment for International Peace, September 17, 2019, https://carnegieendowment.org/2019/09/17/global-expansion-of-ai-surveillance-pub-79847.

54 Weber and Ververis. “China’s Surveillance State: A Global Project.”

55 See, for example: Feldstein, The Global Expansion of AI Surveillance”; Walton, China’s Golden Shield; Bulelani Jili, The Rise of Chinese Surveillance Technology in Africa.

56 Bulelani Jili, The Rise of Chinese Surveillance Technology in Africa.

57 Michael Kovrig, China Expands its Peace and Security Footprint in Africa, International Crisis Group, October 24, https://www.crisisgroup.org/asia/north-east-asia/china/china-expands-its-peace-and-security-footprint-africa; Yao Jianing, ed., “China to Host First China-Africa Defense Forum,” China Daily, June 1, 2018, http://eng.mod.gov.cn/news/2018-06/01/content_4815796.htm; Yin Hang, “Wei Fenghe Meets with Representatives of the First China-Africa Defense and Security Forum,” 魏凤和会见首届中非防务安全论坛代表, Ministry of National Defense People’s Republic of China, press release, July 10, 2018, http://www.mod.gov.cn/topnews/2018-07/10/content_4818896.htm.

58 Heidi Swart, “Joburg’s New Hi-Tech Surveillance Cameras: A Threat to Minorities That Could See the Law Targeting Thousands of Innocents,” Daily Maverick, September 28, 2018, https://www.dailymaverick.co.za/article/2018-09-28-joburgs-new-hi-tech-surveillance-cameras-a-threat-to-minorities-that-could-see-the-law-targeting-thousands-of-innocents/.

59 State Council Information Office, “China and Africa in the New Era: A Partnership of Equals,” White Paper, November 26, 2021, http://english.scio.gov.cn/whitepapers/2021-11/26/content_77894768_4.htm; Li Zhengwei, “The China-Africa Internet Development and Cooperation Forum Held,” 中非互联网发展与合作论坛举办, Guangming, August 24, 2021, https://m.gmw.cn/baijia/2021-08/24/35106965.html.

60 Li Wanyi, “Delegation of South African Parliament Police Committee Visits Shanghai.” 南非议会警察委员会代表团访问上海, Jiefang Daily, October 4, 2107, http://shzw.eastday.com/shzw/G/20171014/u1a13342865.html.

61 Frank Hersey, “Digital ID in Africa This Week: Biometrics for Tea Workers, Financial Inclusion with a Thumbprint,” Biometric Update, August 23, 2019, https://www.biometricupdate.com/201908/digital-id-in-africa-this-week-biometrics-for-tea-workers-financial-inclusion-with-a-thumbprint.

62 See, for example: Bulelani Jili, “Chinese Surveillance Tools in Africa,” China, Law, and Development, No. 8, June 30, 2020, https://cld.web.ox.ac.uk/files/finaljilipdf; Huawei, “Video Surveillance as the Foundation of ‘Safe City’ in Kenya,” Huawei Industry Insights, 2019, https://www.huawei.com/us/industry- insights/technology/digital-transformation/video/video- surveillance-as-the-foundation-of-safe-city-in-kenya; Steven Feldstein, “Testimony Before the U.S.-China Economic and Security Review Commission Hearing on China’s Strategic Aims in Africa,” US-China Economic and Security Review Commission, May 8, 2020, https://www.uscc.gov/sites/default/files/2020-06/May_8_2020_Hearing_Transcript.pdf.

63 Rachel Bernstein et al, “Expanding Engagement: Perspectives on the Africa-China Relationship,” 46.

64 See, for example: Huawei, “Huawei Hosts Safe City Summit in Africa to Showcase Industry Best Practices,” news release, October 17, 2016, https://www.huawei.com/us/news/2016/10/safe-city-summit-africa; Integrated Solutions, “Safe City Summit in a Safe City,” Hi-Tech Security Solutions, February 2017, http://www.securitysa.com/56445n.

65 National Police Service, Annual Crime Report 2018, National Police Service of the Republic of Kenya, accessed April 25, 2022, http://www.nationalpolice.go.ke/crime-statistics.html.

66 Bulelani Jili, “Chinese Surveillance Tools in Africa.”

67 Bulelani Jili, “Africa: Regulate Surveillance Technologies and Personal Data,” Nature, 607, No. 7919 (2022), 445–448.

68 Bulelani Jili, The Rise of Chinese Surveillance Technology in Africa.

The post China’s surveillance ecosystem and the global spread of its tools appeared first on Atlantic Council.

How the US can focus its fight against foreign influence operations

Jennifer A. Counter — Fri, 30 Sep 2022 14:25:49 +0000

Intelligence is all about decisions: How to allocate limited personnel and technological resources when national security is at stake, and how to convey complex information and resulting assessments to policymakers for awareness and action. The decisions are seemingly endless but are vital to producing the best analysis for key officials on topics that have the greatest impact on national security.

The United States has a massive intelligence ecosystem that gathers more information on more issues than any other country in the world. The true value of this vast amount of information lies in how it is curated, analyzed, and presented to policymakers. To aid in this vital process, the US government has a guide—the National Intelligence Priorities Framework (NIPF)—to identify intelligence priorities and assist agencies and departments with where to focus their efforts.

During the Cold War, the NIPF focused on political, economic, and proliferation issues related to the Soviet Union and its allies, from the performance of the Soviet economy to details about new fighter jets being developed by Moscow and deployed to other countries. In a post-September 11 world, the fight against terrorism took center stage, with an emphasis on determining where the next attack against the United States or its allies could come from as well as gleaning the goals of various organizations and locations of their leaders.

The world is now in another new era, one in which information—and what is viewed as truth—is a central national-security concern. As such, the NIPF needs to include requirements that push analysts to discover how adversaries manipulate the information environment to meet their goals. It should task the Intelligence Community with assessing where, how, and to what extent states and organizations weaponize propaganda, mis- and disinformation, as well as political and social manipulation. While conversations on this issue date back to the mid-1990s, the day-to-day impact of such influence campaigns—combined with the technological capability to spread them quickly—means the United States must finally act.

Tweets, Facebook posts, and YouTube videos are not disparate pieces of content, but rather puzzle pieces that, when combined, reveal to intelligence analysts what their adversaries are working toward. From the actors actually carrying out these influence campaigns across the digital media space to the entities that oversee their strategic implementation, the entire system is akin to a completed piece—one which analysts and policymakers alike need to see in order to fully understand an adversary’s goals and objectives.

Understanding what adversaries plan to do in the short (one-year) and medium (three-year) term is vital to building domestic defenses. That’s why the following questions should serve as a starting point for developing new NIPF requirements:

What are the strategic goals of an adversary’s use of influence campaigns?
Who are the targets of influence campaigns, and why were they chosen?
What are the objectives of influence campaigns against the United States and its allies, and are there any specific timelines?
Who is responsible for crafting each adversary’s influence strategy?
What fiscal allocation is provided to those programs?
What government and non-government ministries, offices, or groups are responsible for conducting influence operations? How and why are they selected?
How are influence activities validated, measured, and evaluated?
What training is provided to tactical- and operational-level influence staff?
What tactics are used in influence campaigns? How are they selected based on target audiences?

Though by no means comprehensive, these basic influence-related requirements in the NIPF can compel the Intelligence Community to allocate resources toward building out a more robust understanding of how adversaries approach influence campaigns and exactly who is calling the shots. Understanding how influence is being used against the United States and its allies could also help the government better position all its agencies—from the State and Commerce departments to members of the Intelligence Community—to build offensive influence campaigns that persuade key audiences of Washington’s own goals and objectives.

Servicing NIPF priorities is no longer exclusively the domain of human-intelligence collectors at the Central Intelligence Agency (CIA) and Department of Defense, the signals-intelligence collectors at the National Security Administration, and counterintelligence agents at the Federal Bureau of Investigation. Open Source Enterprise and similar US government organizations can use their open-source intelligence (OSINT) resources—both human and technology-based—to support the effort. Because foreign-influence operations often play out in the public domain, they can usually be identified, traced, and evaluated to determine their effectiveness against the targeted audience. Experts can piece together the goals and objectives of a specific campaign through OSINT, saving scarce resources such as a CIA operations officer’s time for higher-level collection on those who are actually conceiving, managing, and implementing influence campaigns.

Currently, the US government does not have a lead organization to manage offensive or defensive influence activities. As the Department of Homeland Security recently found, how a government entity frames intelligence-gathering on adversarial actions against US and allied audiences is politically fraught. Americans are culturally sensitive to any suggestion that the government could manipulate their views on issues or their access to information—from traditional news to social media content. A recent effort to establish a government office that works to limit Americans’ exposure to mis- and disinformation was viewed across the political spectrum as untenable and inappropriate.

But that does not mean the task is unnecessary or in violation of American civil liberties. Establishing a multi-agency task force of experts could be a viable first step: It would act as a manager tasking intelligence collection to better understand foreign influence operations; as a consumer of the newly gathered intelligence; and as an analyst producing formal reports for policymakers, as well as educational pieces for the US public to understand what it is seeing and hearing in the media, within social movements, and across politics. The goal would be to understand the “how” and “why” of foreign-influence campaigns and identify offensive campaigns in response that could advance US foreign-policy goals.

Difficult decisions need to be made around what is and is not included in the NIPF. Although there are only so many resources available to collect and analyze intelligence, prioritizing foreign-influence activities is vital. The information space is now at least as important—if not more so—than what happens on the physical battlefield.

Jennifer Counter is a nonresident senior fellow in the Forward Defense practice of the Atlantic Council’s Scowcroft Center for Strategy and Security.

The post How the US can focus its fight against foreign influence operations appeared first on Atlantic Council.

The ITU election pitted the United States and Russia against each other for the future of the internet

Konstantinos Komaitis and Justin Sherman — Thu, 29 Sep 2022 19:17:56 +0000

Earlier this morning, the 193 member states of the International Telecommunication Union (ITU), the United Nations’ (UN) tech agency and oldest institution, elected as Secretary-General the American candidate Doreen Bogdan-Martin, the first-ever woman to head the ITU. Bogdan-Martin is the current head of the ITU’s development bureau, ITU-D. Her now-former opponent, Russian candidate Rashid Ismailov, is president of Russian telecom VimpelCom, former deputy minister of Russia’s Ministry of Communications, and a former executive at Chinese telecom company Huawei. The current Secretary-General is Houlin Zhao, a Chinese citizen who has held the position since 2014.¹

Many challenges to an open and global internet lie ahead, and the US win should provide a sigh of relief to the internet community. Nonetheless, the way the election for the ITU’s leadership unfolded underscores how internet governance processes, international internet policymaking, and internet standards creation are becoming increasingly political issues. In an unprecedented move, for instance, both US President Joe Biden and US Secretary of State Antony Blinken posted messages in support of the US candidate.

For the United States, it was evident that this election was a foreign policy issue—and rightly so. Over the years, the Russian and Chinese governments have grown closer in pushing for a state-controlled vision of internet governance, and both have long wished to see the UN play a central role in the management of the internet. Their vision is gaining traction, especially among African countries, which have historically felt excluded from internet governance conversations and see the ITU as one of the few places they can wield political power. In addition, Vladimir Putin’s invasion of Ukraine might have strained Russia’s relationship with the West, but for many other parts of the world, it remains business as usual.

At the center of the election, therefore, was indeed the future role of the ITU in governing the internet. The organization currently has little involvement, but some governments maintain an interest in the ITU becoming more central to the process. Presently, internet governance is largely the purview of the Internet Engineering Task Force (IETF), a nonprofit, multi-stakeholder internet standards-setting body, and the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit that, along with five regional internet registries, manages domain names and internet protocol (IP) addresses globally. This governance system, though imperfect, works because it is agile, inclusive of industry and civil society, and not directly subject to intergovernmental negotiations and maneuvering. It has worked based on a relatively common objective among these institutions: an open, global, and interoperable internet.

However, not every country buys into this system. A number of countries, including Russia, China, and some in both Africa and the Asia-Pacific, look at the ITU as a more appropriate institution to manage the internet. Its broad development agenda has allowed the organization to become increasingly active on issues as wide-ranging as cybersecurity, connectivity, cybercrime, IP number allocation, and network management. At the same time, for decades, the Chinese government and the Russian government have both pushed for the ITU to have a greater role in governing the internet, from suggesting that the ITU literally take over ICANN to pushing for internet standards-setting to move to the ITU almost entirely. The United States, Japan, Australia, Germany, South Korea, and other open-internet supporters have managed to push back, but the tides may be shifting. More governments are adopting a “cyber sovereignty” approach that seeks to increase their perceived decision-making power or increase government surveillance online (or both).

The stakes in the election, therefore, were high. A Russian-led, China-friendly ITU would, most likely, have sought more control over the internet; and from Moscow and Beijing’s past efforts, standards development is one of the likeliest routes. The Chinese government already knows this and has been working towards such a goal with its “New IP,” a proposal that seeks to centralize core functions of networking. The proposal has persisted in the ITU’s study groups for the past two years, and it has recently moved to another study group dealing with issues of the environment. Beijing has even renamed the standard “IPv6+” to repackage the same, top-down protocol proposal as merely a technological advancement. In a similar vein, China, at another study group, submitted a proposal for the standardization of the “metaverse.” In such a volatile environment, Ismailov’s victory would increase the likelihood of passage of government-controlling-internet proposals at the ITU.

Heavy government involvement in standards setting with Russia at the ITU’s helm would be catastrophic for the internet. Presently, internet standards follow an open, participatory process and are voluntarily adopted on a global level; they serve as the building blocks for products and services targeted to meet the needs of consumers and the market. Now, try to imagine 193 different states negotiating standards about, say, privacy or security; the pace and the formality of an organization like the ITU cannot support the technical specificity and informality that is required by internet standards setting. Not to mention, the same issues that have plagued UN cyber norms discussions will become more prominent in the ITU: the Russian and Chinese government pushing for an expansive definition of terms like “information security” or “cybercrime” that allow them to promote censorship and surveillance under the guise of international security.

In order, therefore, to preserve an internet that is relatively open and globally connected while navigating the processes and politics at play, the ITU needed a leader who understands the value of collaboration and bottom-up coordination when it comes to the internet. The United States can deliver on this; Russia cannot.

For Russia, the UN has always been a core part of its internet governance strategy. Although its pushes over the last thirty-or-so years for more UN involvement were unsuccessful, in 2019, Russia achieved an unexpected win when it managed to get the votes for a cybercrime treaty at the UN General Assembly. The Kremlin’s tech envoy celebrated this as a significant win and a sign of Russia’s influence in the UN. For Moscow, this moves a step closer to a multipolar world in which the Russian government takes a more central role. The US victory means Russia doesn’t yet have the votes to continue on this trajectory.

Even with Bogdan-Martin prevailing, it will be a rough road ahead to maintain an ITU that respects existing internet processes and institutions, while also trying to drive genuine progress in areas like internet development and capacity-building (which Bogdan-Martin presently leads at the ITU). Beijing and Moscow will not sit on the sidelines, as the past decades have shown. Not having a voting bloc to pass resolutions has not stopped the Chinese and Russian governments from “flooding the zone” with proposals before. But without a doubt, navigating a rough road with a US leader at the helm, experienced in internet development and a believer in an open internet, is better than cutting the brakes entirely.

Authors

Konstantinos Komaitis (@kkomaitis) is an internet policy expert and author.

Justin Sherman (@jshermcyber) is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.

1 Although several candidates, representing different countries, could theoretically run at once, the US and Russian governments were the only ones to throw a candidate’s hat in the ring.

The post The ITU election pitted the United States and Russia against each other for the future of the internet appeared first on Atlantic Council.

The 5×5—The Internet of Things and national security

Simon Handler — Wed, 28 Sep 2022 04:01:00 +0000

The connection of mundane household gadgets, industrial machinery, lifesaving healthcare technologies, vehicles, and more to the Internet has probably helped modern society to be more convenient and efficient. IoT devices worldwide number over 13 billion, a number that is estimated to balloon to over 29 billion by 2030. For all its benefits, the resultant web of connected devices, collectively known as the Internet of Things (IoT), has exposed everyday users, as well as entire economic sectors, to cybersecurity threats. For example, criminal groups have exploited IoT product insecurities to infect hundreds of thousands of devices around the world with malware in order to enlist them in distributed denial-of-service attacks against targets.

Inadequate cybersecurity across the IoT ecosystem is inherently a US national security issue due to IoT’s ubiquity, integration across all areas of life, and potential to put an incredible number of individuals’ data and physical safety at risk. We brought together five experts from various backgrounds to assess the national security challenges posed by IoT and discuss potential solutions.

#1 What isn’t the Internet of Things (IoT)?

Irina Brass, associate professor in regulation, innovation, and public policy, Department of Science, Technology, Engineering, and Public Policy (STEaPP), University College London:

“IoT is not just our everyday physical devices embedded with sensing (data capture) or actuation capabilities, like a smart lightbulb or a thermostat. ‘Smart’ devices are just the endpoint of a much more complex ‘infrastructure of interconnected entities, people, systems and information resources together with services, which processes and reacts to information from the physical world and virtual world’ (ISO/IEC 20924: 2021). This consensus-based definition, agreed in an international standard, is particularly telling of the highly dynamic and pervasive nature of IoT ecosystems which capture, transfer, analyze data, and take actions on our behalf. While IoT ecosystems are functional, poor device security specifications and practices in these highly dynamic environments create infrastructures that are not always secure, transparent, or trustworthy.”

Katerina Megas, program manager, Cybersecurity for the Internet of Things (IoT) Program, National Institute of Standards and Technology (NIST):

“Likely very little, which would explain why the US National Cyber Director, Chris Inglis, at a NIST public workshop [on August 17, 2022] referred to the ‘Internet of Everything.’ IoT is the product of the worlds of information technology (IT) and operational technology (OT) converging. The IoT is a system of interconnected components including devices that sense, actuate, collect/analyze/process data, and are connected to the Internet either directly or through some intermediary system. While a shrinking number of systems still fall outside of this definition, what we used to think of as traditional OT systems based on PLC architectures with no connectivity to the Internet are, in fact, more and more connected to the Internet and meet the above definition of IoT systems.”

Bruce Schneier, fellow, Berkman-Klein Center for Internet and Society, Harvard University; adjunct lecturer in public policy, Harvard Kennedy School:

“Ha! A salami sandwich is not the Internet of Things. A sense of comradeship towards your friends is not the Internet of Things. I am not the Internet of Things. Neither are you. The Internet of Things is the connected totality of computers that are not generally interacted with using traditional keyboards and screens. They’re ‘things’ first and computers second: cars, refrigerators, drones, thermostats, pacemakers.”

Justin Sherman, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab):

“There is no single definition of IoT, and how to scope IoT is a key policy and technical question. Regardless, basically every definition of IoT rightfully excludes the core underpinnings of the global Internet itself—internet service provider (ISP) networks that bring online connectivity to people’s homes and offices, submarine cables that haul internet traffic between continents, and so on.”

Sarah Zatko, chief scientist, Cyber ITL:

“IoT is not modern or state of the art. The hardware on the outside may look sleek and shiny, but under the hood there is old software built with out-of-date compilers running on old chip architectures. MIPS, a reduced instruction set computer (RISC) architecture, was used in the largest portion of the IoT products that we have tested.”

#2 Why should national security policymakers care about the cybersecurity of IoT products?

Brass: “Many IoT devices currently on the market have known security vulnerabilities, such as default passwords and unclear software update policies. Users are typically unaware of these vulnerabilities, purchase IoT devices, set and forget them. These practices do not occur just at the consumer level, although there are many examples of how insecure and unsafe our ‘smart homes’ have become. They take place in critical sectors of strategic national importance such as our healthcare system. For instance, the Internet of Medical Things (IoMT) is known to be especially vulnerable to cyberattacks, data leaks, and ransomware because a lot of IoMT devices, such as IV pumps, have known security vulnerabilities but continue to be purchased and remain in constant use for a long time, with limited user awareness of their potential exposure to serious compromise.”

Megas: “I think the combination of the nature and ubiquity of IoT technology are the perfect storm. IoT has taken existing concerns and put them on steroids by increasing both the attack surface and also impacts, if you think of risk as the product of likelihood (IoT is everywhere) and impact (automated interactions with the physical world). In traditional IT systems, a compromised system could produce faulty data to the end user, however, typically there was always a human in the loop that would take (or prevent) action on the physical world based on this data. With the actuating capabilities we are seeing in most IoT and the associated level of automation (which will only increase as IoT systems incorporate AI), the impact of a compromised IoT system is likely going to be higher. As more computing devices are put on the Internet, they become available for botnets to be installed, which can result in significant national economic damage as in the case of Mirai. Lastly, because this technology is so ubiquitous, the vast amount of data collected—from proprietary information from a factory to video footage from a recreational drone to sound sensors collected from around a smart city—can both be accessed through a breach, shared, and used by other nations without anyone’s knowledge, even without a cybersecurity failure.”

Schneier: “Because the security of the IoT affects the security of the nation. It’s all one big network, and everything is connected.”

Sherman: “IoT products are used in a number of critical sectors, ranging from healthcare to energy, and hacks of those products could be financially costly and disrupt those sectors’ operations. There are even IoT devices that can produce physical effects, like small internet-linked machines hooked into manufacturing lines, and hackers could exploit vulnerabilities in those devices to cause real-world damage. In general, securing IoT products is also part of securing the overall internet ecosystem: IoT devices plug into many other internet systems and increasingly constitute a greater percentage of all internet devices used in the world.”

Zatko: “IoT is ubiquitous. Even when a ‘smart’ device is not necessary, at this point it is often difficult or impossible to find a ‘dumb’ one. Their presence often punches holes in network environment security, so they are common access points for attacks.”

#3 What kinds of threats are there to the cybersecurity of IoT devices that differ from information technology (IT) or other forms of operational technology (OT)?

Brass: “The kinds of vulnerabilities per se might not differ—ultimately, you still have devices running software that can be exploited by malicious actors. What differs is the scale and, in some cases, the severity of the outcome. IoT ecosystems are highly interconnected. Compromising a single device is often sufficient to gain the foothold necessary to exploit other devices in the system and even the entire system. The transnational dimension of IoT cybersecurity should also not be neglected. The 2016 Mirai attack showed how compromised IoT devices with poor security specifications (default passwords), located around the world, can be very easily exploited to target internet infrastructure in different jurisdictions.”

Megas: “I am not sure whether there are different threats for IoT, OT, and IT systems. They are converging more and more, so it is not meaningful to try to create artificial lines of distinction. This might be one of those instances where I say the dreaded phrase ‘it depends.’ It is possible that there are some loosely coupled IoT systems in which the components that are IoT devices do not sit behind more security capable components, but are more directly accessing the Internet (and therefore more directly accessible by threat actors). This could mean that vulnerabilities in these IoT systems are more easily exploitable and thus easier targets. Also, the nature of IoT systems that can interact with the physical world could affect the motivations of threat actors. The focus on many risks to traditional IT systems is around the data and its potential theft, but attacks on IoT can impact the real world. For instance, modifying the sensors at a water treatment plant can throw off readings and lead the system to incorrectly adjust how much fluoride is added to the water.”

Schneier: “The IoT is where security meets safety. Insecure spreadsheets can compromise your data. Insecure IoT devices can compromise your life.”

Sherman: “Typically, IoT devices use less energy, have less memory, and have much less computing power than traditional IT devices such as laptops, or even smartphones. This can make it more difficult to integrate traditional IT cybersecurity features and processes into IoT devices. To boot, manufactures often produce IoT devices and products with terrible security—installing default, universal passwords and other bad features on the manufacturing line that end up undermining their cybersecurity once deployed. In part, this happens because smaller manufacturers are essentially pumping IoT devices off the manufacturing line.”

Zatko: “Users often forget to consider IoT devices when they think about their computing environment’s safety, but even if they did, IoT devices are not always able to be patched. Sometimes software bugs in IoT operating systems are hard-coded or otherwise inaccessible, as opposed to purely software products, where changes are much easier to affect. This makes getting the software as safe as possible from the get go particularly important.”

Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior

Countering cyber proliferation: Zeroing in on Access-as-a-Service

#4 What is the greatest challenge to improving the security of the IoT ecosystem?

Brass: “These days, we very often focus on behavioral change—what can individual users or organizations do to improve their cyber hygiene and general cybersecurity practices? While this is an important step in securing the IoT, it is not sufficient because it places the burden on a large, non-homogenous, distributed set of users. Let us turn the problem around to its origin. Then, the greatest challenge becomes how to ensure that IoT devices and systems produced and sold all over the world have baseline security specifications, that manufacturers have responsible lifecycle care for their products, and that distributors and retailers do not compromise on device security in favor of lower priced items. This is not an easy challenge, but it is not impossible either.”

Megas: “There is a role for everyone in the IoT ecosystem. Setting aside the few organizations developing their own IoT systems for their own use, the majority of IoT technologies are purchased or acquired. One of the challenges that I see is educating everyone that there are two critical roles in supporting cybersecurity of the IoT ecosystem: those of the producers of the IoT products and those of the customers, both enterprise and consumers. While this dynamic is not new between producer and buyers, the relationships in IoT lack maturity. While producers need to build securable products that meet the needs and expectations of their customers, the customers are responsible for securing the product that operates in the customer environment. Identifying cybersecurity baselines for IoT products is a start in defining the cybersecurity capabilities producers should build into a product to meet the needs and expectations of their customers. However, one size does not fit all. A baseline is a good start for minimal cybersecurity, but we want to encourage tailoring baselines commensurate to the risk for those products whose use carries greater higher risk.

Beyond the IoT product manufacturer’s role, there are network-based approaches that can contribute to better cybersecurity (such as using device intent signaling), that might be implemented by other ecosystem members. Vendors of IoT can ensure that their customers recognize the importance of cybersecurity. Enterprises should consider using risk management frameworks, such as the NIST Cybersecurity Framework, to manage their risks that arise out of the use of IoT technology. Formalizing and promoting recognition of the role in product organizations for a Chief Product Security Officer (CPSO) is also critical. Given that most C-suites and boards are starting to recognize the importance of the CISO towards securing their organizations’ operations, we need to also promote the visibility of the CPSO responsible for ensuring that the products that companies sell have the appropriate cybersecurity features that meet the companies’ strategic brand positioning and other factors.”

Schneier: “Economics. The buyers and sellers of the products don’t care, and no one wants to regulate the industry.”

Sherman: “As with many cybersecurity issues, the greatest challenge is getting companies that have been grossly underinvesting in security to do more, while also producing government regulations and guidance that are technically sound, roughly compatible with regulations and guidance in other countries, and that do not raise the barrier too much so as to cut out small players—though, if we want better security, some barrier-raising is necessary. It is a very boring answer, but there has been a lot of great work done already on IoT security by the National Institute of Standards and Technology, other governments, various industry groups, etc. The central challenge is better coordinating those efforts, fixing bad market incentives, and appropriately filling in the gaps.”

Zatko: “There are so many vendors, and many of them are not capable of producing secure products from scratch. It is currently too hard for even a well-meaning vendor to do the ‘right’ thing.”

#5 How can the United States and its allies promote security across the IoT ecosystem when a large portion of devices are manufactured outside their jurisdictions?

Brass: “Achieving an international baseline of responsible IoT security requires political and diplomatic will to adopt and align legislation that promotes the security of internet-connected devices and infrastructures. The good news is that we are seeing policy change in this direction in several jurisdictions, such as the IoT Cybersecurity Improvement Act in the United States, the Product Security and Telecommunications Infrastructure Bill in the United Kingdom, and several cybersecurity certification and labelling schemes such as CLS in Singapore. As IoT cybersecurity becomes a priority for several governments, the United States and its allies can be the driving force behind international cooperation and convergence towards an agreed set of responsible IoT security practices that underpin legislative initiatives around the world.”

Megas: “Continuing to share lessons learned with others. Educating customers, both consumers as well as enterprise customers, on the importance of seeking out products that support minimum cybersecurity.”

Schneier: “Regulation. It is the same that way we handle security and safety with any other product. You are not allowed to sell poisoned baby food or pajamas that catch on fire, even if those products are manufactured outside of the United States.”

Sherman: “US allies and partners are already doing important work on IoT cybersecurity—from security efforts led by the UK government to an emerging IoT labeling scheme in Singapore. The United States can work and collaborate with these other countries to help drive security progress on devices made and sold all around the world. Others have argued that the United States should exert regulatory leverage over whichever US-based companies it can to push progress internationally, too, such as with Nathaniel Kim, Trey Herr, and Bruce Schneier’s “reversing the cascade” idea.”

Zatko: “By open sourcing security-forward tools and secure operating systems for common architectures like MIPS and ARM, the United States could make it easier for vendors to make secure products. Vendors do not intentionally make bad, insecure products—they do it because making secure products is currently too difficult and thus too expensive. However, they often use open-source operating systems, tool kits, and libraries for the base of their products, and securing those resources will do a great deal to improve the whole security stance.”

The post The 5×5—The Internet of Things and national security appeared first on Atlantic Council.

Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem

Mon, 26 Sep 2022 06:30:00 +0000

Two Pager

Executive summary

The explosion of Internet of Things (IoT) devices and services worldwide has contributed to an explosion in data processing and interconnectivity. Simultaneously, this interconnection and resulting interdependence have amplified a range of cybersecurity risks to individuals’ data, company networks, critical infrastructure, and the internet ecosystem writ large. Governments, companies, and civil society have proposed and implemented a range of IoT cybersecurity initiatives to meet this challenge, ranging from introducing voluntary standards and best practices to mandating the use of cybersecurity certifications and labels. However, issues like fragmentation among and between approaches, complex certification schemes, and placing the burden on buyers have left much to be desired in bolstering IoT cybersecurity. Ugly knock-on effects to states, the private sector, and users bring risks to individual privacy, physical safety, other parts of the internet ecosystem, and broader economic and national security.

In light of this systemic risk, this report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs—one that focuses on the entire IoT product lifecycle, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy. Principally, it analyzes and uses as case studies the United States, United Kingdom (UK), Australia, and Singapore, due to combinations of their IoT security maturity, overall cybersecurity capacity, and general influence on the global IoT and internet security conversation. It additionally examines three industry verticals, smart homes, networking and telecommunications, and consumer healthcare, which cover different products and serve as a useful proxy for understanding the broader IoT market because of their market size, their consumer reach, and their varying levels of security maturity.

This report looks to existing security initiatives as much as possible—both to leverage existing work and to avoid counterproductively suggesting an entirely new approach to IoT security—while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity. It walks through the current state of risk in the ecosystem, analyzes challenges with the current policy model, and describes a synthesized IoT security framework. The report then lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting a baseline of minimally acceptable security (or “Tier 1”), incentivizing above the baseline (or “Tier 2” and above), and pursuing international alignment on standards and implementation across the entire IoT product lifecycle (from design to sunsetting). It also includes implementation guidance for the United States, Australia, UK, and Singapore, providing a clearer roadmap for countries to operationalize the recommendations in their specific jurisdictions—and push towards a stronger, more cohesive multinational approach to securing the IoT worldwide.

Implementation plans by country

Introduction

The billions of Internet of Things (IoT) products used worldwide have contributed to an explosion in data processing and the connection of individuals, buildings, vehicles, and physical machines to the global internet. Work-from-home policies and the need for contact tracing during the COVID-19 pandemic have furthered societal dependence on IoT products. All this interconnection and interdependence have amplified a range of cybersecurity risks to individuals’ data, company networks, critical infrastructure, and the internet ecosystem writ large.

Securing IoT products is inherently critical because IoT products increasingly touch all facets of modern life. Citizens have IoT wearables on their bodies and IoT products in their cars, gathering data on their heartbeats, footsteps, and Global Positioning System (GPS) locations. People also have IoT smart products in their homes—speakers awake to every private conversation, internet-connected door locks, devices that control atmospheric systems, and cameras to monitor young children and pets. Hospitals even use IoT products to control medicine dosages to patients. The ever-growing reliance on IoT products increasingly and inescapably ties users to network and telecommunications systems, including the cloud. IoT insecurity, given this degree of interconnection, poses risks to individual privacy, individual safety, and national security.

The IoT explosion is also poised to impact the security of the internet ecosystem writ large. More IoT products deploy each year, meaning IoT products constitute a significant percentage of devices linked to the global internet. For example, IoT Analytics, a market research firm, estimates that IoT products surpassed traditional internet-connected devices in 2019 and projects that the ratio will be around three to one by 2025.¹ At that scale, poorly secured products (for instance, those with easy-to-guess passwords or with known and unfixed security flaws) can enable attackers to gain footholds in corporate or otherwise sensitive environments and steal data or cause disruption. For instance, hackers could exploit security problems in IoT cameras to break into a building—digitally or physically.² Hackers can break into IoT devices at scale to launch distributed denial of service (DDoS) attacks that bring down internet services for hundreds of thousands or even millions of consumers.

In response to these cybersecurity risks, governments, private companies, industry organizations, and civil society groups have developed a myriad of national and industry frameworks to improve IoT security, each addressing considerations in the product design, development, sale and setup, maintenance, and sunsetting phases. These numerous controls sets and frameworks, however, are a hodgepodge across and within jurisdictions. Within jurisdictions, some governments are charging ahead with detailed IoT security guidance while others have made little substantive headway or have ambiguous policy goals that confuse and impede industry progress. Between jurisdictions, fragmented requirements have chilled efforts by even some of the most security-concerned vendors to act. Consumers, meanwhile, must grapple with IoT product insecurity, bad security outcomes, and ugly knock-on effects to others in their communities and networks—exacerbated by a lack of security information from vendors. Poor outcomes for users, a lack of cross-national harmonization, and gaps between government and industry efforts impede better security in the IoT ecosystem.

Yet, progress is possible. The number of countries and industry actors who have acknowledged one standard alone—European Norm (EN) 303 645, from the European Telecommunication Standards Institute (ETSI)—as a consensus approach alone demonstrates how some baseline security guidance can help drive real, coordinated change.

This report presents a consolidated approach to IoT cybersecurity to reconcile existing national approaches, balance the interest of public and private sectors, and ensure that a product recognized as secure in one jurisdiction will be recognized as secure in others. The framework is not prescriptive to the level of individual controls; rather, it seeks to address the structural priorities of approaches taken by industry coalitions and governments in the United States, United Kingdom (UK), Singapore, and Australia. We focus on these countries because of the maturity of their IoT cybersecurity approaches, their mature cyber policy processes, their historical influence on cybersecurity policy in other countries, and the strong precedent for cooperation across all four.

In considering the effects of this consolidated approach, the report also focuses on three verticals: smart homes, networking and telecommunications, and consumer healthcare. These three provide ready critical IoT product use cases, differentiate in the kinds of technology and products available, and serve as useful proxies for understanding the broader IoT market because of their market size, consumer reach, and varying levels of security maturity.

This report draws on research of IoT security best practices, standards, laws, and regulations; conversations with industry stakeholders and policymakers; and convenings with members of the IoT security community. In principle and wherever possible in practice, the report relies on existing approaches, seeking to create as little new information or guidance as practicable to ease implementation. The first section below describes the state of risk in the IoT ecosystem, including challenges with the current model, insecurity across three IoT industry segments, and a brief history of IoT security efforts and control sets across the United States, UK, Australia, and Singapore as well as industry-led efforts. The second section synthesizes these disparate control sets, mapped against every phase of the IoT product lifecycle. The third (and final section) presents a consolidated approach to IoT security across these four countries and the relevant industry partners—with nine recommendations to address gaps in existing IoT security approaches, disincentivize further fragmentation in standard setting or enforcement, and rationalize the balance between public and private sector security interests. These recommendations come with implementation guidance specific to each of the four countries.

While this report describes some key components of an IoT labeling approach, it deliberately does not prescribe a particular label design. The report leaves open many questions that require more work, including “who” sets label design, “how” companies should pair physical and digital labels, and to “what” extent companies and/or governments should harmonize labels across jurisdictions.

There is an overriding public interest in secure IoT products, and industry players—including source manufacturers, integrators/vendors, and retailers—must be responsive to this interest. The highly disharmonized state of IoT security regulations, however, pulls against that public interest. Moreover, a further doubling down on the current national approaches threatens to worsen the problem. What little compromise in national autonomy this or another consolidated approach might require must be weighed against a more coherent and enforceable scheme where such a scheme produces meaningful security gains for users. To comprehend this need, one should begin by understanding the state of affairs.

The current state of IoT risk

The current IoT ecosystem is rife with insecurity. Companies routinely design and develop IoT products with poor cybersecurity practices, including weak default passwords,³ weak encryption,⁴ limited security update mechanisms,⁵ and minimal data security processes on devices themselves. Governments, consumers, and other companies then purchase these products and deploy them, often without adequately evaluating or understanding the cybersecurity risk they are assuming. For example, while the US government has worked to develop IoT security considerations for products purchased for federal use, private companies routinely buy and deploy insecure IoT products because there is no mandatory IoT security baseline in the United States.⁶

Compromising IoT products is often remarkably easy. IoT products have less computing power, smaller batteries, and smaller amounts of memory than traditional information technology devices like laptops or even smartphones. This makes traditional security software (and its computing and power demands) often impractical in—or less immediately transferrable to—IoT systems. Many IoT botnets (networks of devices infected by malware), such as Mirai and Bashlite, capitalize on this insecurity by seeking to weaponize known vulnerabilities or brute-force access to an IoT product using predefined lists of common passwords. Such passwords may include “123456” or even just “password”.⁷

While these errors seem trivial, they quickly lead to material harm. In late 2016, for example, Mirai infected almost 65,000 IoT devices around the world in its first 20 hours, peaking at 600,000 compromised devices.⁸ The operators of the Mirai botnet subsequently launched a series of DDoS attacks, including against Dyn, a US-based Domain Name System (DNS) provider and registrar.⁹ By taking advantage of security problems in IoT devices, the individuals behind the botnet rendered major websites like PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, and Spotify entirely unavailable to parts of the United States.¹⁰

Criminals infect IoT products with malware that may use the compromised device to execute DDoS attacks, mine for cryptocurrencies on behalf of the attacker, or hold the device hostage pending a ransom paid to the attackers. In 2018, cybercriminals compromised over 200,000 routers in a cryptojacking campaign. They used the computing power of the compromised routers to mine cryptocurrency.¹¹ States also turn to compromising IoT products to create covert infrastructure. A May 2022 report by security firm Nisos revealed that the Russian Federal Security Service (FSB) employed a botnet made up of compromised IoT products to fuel social media manipulation operations.¹²

On top of using IoT devices for larger malware operations, hackers can break into IoT products to spy on people’s everyday lives. They could see adjustments made to a smart thermostat, questions asked to a smart speaker, and workouts logged on fitness wearables. This kind of spying can be a threat to individuals’ privacy and physical safety. In the context of intimate partner violence, abusive individuals may control access to or illicitly access IoT products to spy on and exert control over people, raising serious stalking and physical safety risks.¹³ There are also threats that come from strangers. Trend Micro, in a 2019 report, noted that hackers with access to compromised internet-connected cameras sold subscriptions that allowed others to view the illicitly accessed video streams online. The price of the stream depended on what the camera was looking at, with bedrooms, massage parlors, warehouses, and payments desks at retail shops among the priciest and most sought-after.¹⁴ These products can also be launch points from which attackers conduct further malicious activities. Brazilian fraudsters, for instance, are known to use access to compromised routers to change the compromised devices’ DNS settings to redirect victims to phishing pages for major websites, such as banks and retailers.¹⁵

IoT products, industry segments, and their insecurity

The IoT, on its face, may appear to be a simple concept, but scoping it and understanding the number of systems the IoT touches is more complex. For example, some devices like routers could be “part of” or “separate from” the IoT. There are also questions on the “if, and how” the IoT includes the networks, devices, and products touching it—like IoT sensors linked to outside cloud services to process data, connect to a company’s network to enable administrative oversight and control, and connect to the public internet to communicate with application programming interfaces (APIs). For government and industry policies to be effective, scopes must clearly define the products and services they do and do not include.

For instance, EN 303 645 guidance—ETSI’s key standard document for IoT security—defines a “consumer IoT device” as a “network-connected (and network-connectable) device that has relationships to associated services and are used by the consumer typically in the home or as electronic wearables.”¹⁶ The US National Institute of Standards and Technology (NIST), meanwhile, defines the IoT in NIST SP 1800-16C as “user or industrial devices that are connected to the internet” including “sensors, controllers, and household appliances.”¹⁷ This report focuses primarily on the IoT products themselves, and in part the services directly dependent on IoT products or on which IoT products directly depend (e.g., a cloud software program for managing an IoT device network).

The IoT constitutes a massive technology ecosystem with clusters of IoT product design and deployment models, each of which present differentiated cybersecurity risks. Several key examples of industry IoT product segments and some of their security challenges are detailed here, based on their wide deployment, impact on consumers, and touchpoints into other parts of the digital world, whether home Wi-Fi networks or hospital medical systems.

Smart Homes: Numerous companies sell IoT products to serve as thermostats, doorbell cameras, window locks, speakers, and other components of so-called smart homes. Apple offers HomeKit integration, a software framework for configuring, communicating with, and controlling smart home appliances.¹⁸ Resideo offers a number of smart home-style products, for both consumer environments—such as thermostats, humidifiers, security systems, and programmable light switch timers—as well as professional environments—such as UV treatment systems and fire and burglary alarms.¹⁹ Philips sells smart lighting products, and Wink sells smart doorbells.²⁰ On the software side, companies like Tuya offer IoT management services to automatically control robotic vacuums, smart cameras, smart locks, and other IoT products in the home.²¹ Google and Amazon both manufacture and sell smart home IoT products, from home security products to smart speakers.²² The cybersecurity risks here include spying on individuals in their homes, using IoT products in the home and workplace to break into other systems (e.g., someone’s work laptop on their home Wi-Fi), and harnessing numerous compromised smart products to create a botnet and launch DDoS attacks.²³
Networking and Telecommunications Gear: Traditional internet and telecommunications companies, which supply the devices and some of the infrastructure that fundamentally underpins the internet, are moving more into IoT services and devices. Cisco offers Industrial Wireless solutions that include wireless backhaul, private cellular connectivity, and embedded networking for industrial IoT products.²⁴ Extreme Networks offers a Defender Adapter service to provide in-line security for vulnerable wired devices.²⁵ Arista offers a Cognitive Campus service that includes IoT edge connectivity, real-time telemetry, and Spline platforms for connection reliability.²⁶ The cybersecurity risks here include spying on traffic going across networks, using networking and telecommunications entry points to break into other systems, and degrading or disrupting the flow of network data altogether.
Consumer Health Products: Companies are offering IoT products and services to support the provision of healthcare and medicine. Philips sells fetal and maternal monitors, MR compatible monitors, patient-worn monitors, and other IoT products to monitor vitals.²⁷ Medtronic sells glucose monitoring and heart monitoring products.²⁸ Honeywell Life Sciences offers embedded products and safety solutions for hospitals.²⁹ Dexcom offers a glucose monitoring smart wearable, and ResMed offers a phone-connected product for sleep apnea.³⁰ The cybersecurity risks here include stealing highly sensitive medical data and manipulating device data or disrupting product operations in ways that physically threaten human life.

Numerous companies, from telecommunications gear manufacturers to medical equipment suppliers, have a stake in security debates about IoT products. Many industries do as well, from home security to industrial manufacturing, and many of their products and services overlap and integrate. Yet, similarities between sector products and their cybersecurity risks do not change the fact that widespread IoT insecurity merits meaningful improvement.

Policy challenges to addressing IoT risk

The UK, Singapore, United States, and Australia provide a set of case studies for government approaches to IoT security—due to the maturity of their IoT cybersecurity approaches, the maturity of their overall cyber policy processes, their historical influence on cybersecurity policy in other countries, and the strong precedent for cooperation across all four. There is also fragmentation within the countries’ frameworks, where different parts of a country or different government agencies pursue different IoT security policies and processes. The US, for instance, has the Federal Communications Commission (FCC) focused on communications standards for IoT products and the Federal Trade Commission (FTC) focused on the marketing practices of IoT vendors, but has no agency in charge of enforcing IoT security requirements in design.

At least three key themes stand out across these countries. First, state approaches to IoT security have generally moved from voluntary best practices towards direct intervention. Second, state approaches have predominantly manifested in consumer labeling programs and minimum baseline security legislation. And third, states have made the need for international, agreed-upon standards a key design principle of their IoT security efforts though as yet without sufficient uptake or success.³¹

UK: Mandatory minimum security standards

The UK was an early innovator in holistic responses to IoT insecurity. Its Department for Digital, Culture, Media & Sport (DCMS)—which works on digital economy and some broadband and Internet issues—published a Secure by Design report in March 2018, setting out how it aims to “work with industry to address the challenges of insecure consumer IoT.”³² As a result of its report, in October 2018, DCMS, along with the UK National Cyber Security Centre (NCSC) and industry partners, published the “Code of Practice for Consumer Internet of Things (IoT) Security,” consisting of “thirteen outcomes-focused guidelines that are considered good practice in IoT security.”³³ It aims, as one NCSC official described it, to identify impactful, updatable measures to which a broad coalition could agree³⁴—captured in the below principles

Figure 1: Thirteen Principles of Consumer IoT Security

SOURCE: UK Department for Digital, Culture, Media & Sport.

The UK was not alone in this endeavor, working in tandem as a member of ETSI to launch ETSI Technical Specification 303 645, the first “globally-applicable industry standard on internet-connected consumer devices.”³⁵ In June 2020, this Technical Specification became formalized as a European standard (EN 303 645), and now serves as a common underlying source for many countries’ initiatives.

Despite the initial promise of the Code of Practice, the DCMS found low industry uptake for the guidance and decided to pursue a legislative route. After multiple consultation rounds, the resulting Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced in November 2021, empowering the Secretary of State for DCMS “to specify by regulations security requirements.”³⁶ The new law would require “manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.”³⁷ Noncompliant firms could face fines up to £10 million or 4 percent of worldwide revenue, and a new regulator—to be delegated following the law’s enactment—would also have the ability to enforce recalls or outright product bans.³⁸ The bill is currently in the Report stage with the House of Lords and would require compliance within twelve months of enactment.

By empowering the DCMS minister to specify security requirements instead of codifying them, the PSTI Bill allows the mandatory baseline requirements to respond to changing circumstances. The current principles outlined by DCMS focus on the “top three” elements of the UK Code of Practice/ETSI EN 303 645: banning default passwords, requiring a vulnerability disclosure process for products, and transparency for consumers on the duration that products will receive security updates. The UK’s NCSC views these three measures as having outsize importance, and “will make the most fundamental difference to the vulnerability of consumer connectable products in the UK, are proportionate given the threats, and universally applicable to devices within scope.”³⁹ Cognizant that good security must require organizational action, not just device-level changes at the point of design and manufacture, a DCMS official has highlighted the additional appeal of the framework in allowing requirements placed on economic actors, not just devices. Indeed, two of the three requirements involve organizational changes or activity. The UK’s framework allows for the introduction of secondary legislation to build on this baseline over time.

Singapore: IoT product labeling

In October 2020, Singapore’s Cyber Security Agency (CSA) launched the Cybersecurity Labelling Scheme (CLS), a labeling program for internet-connected devices that describe the level of security included in their design. The CLS aims to help consumers “easily assess the level of security offered and make informed choices in purchasing a device.”⁴⁰ It also aims to let product manufacturers signal the cybersecurity features of their products—as a senior CSA official put it, “to create the demand” and then “to provide a natural incentive to provide more secure and trusted devices.”

The CLS has four levels of additive and progressively demanding security provision tiers (Figure 2). In the first two levels, developers self-certify, and the CSA can audit compliance. In the third and fourth levels, independent laboratories certified by the nongovernmental International Organization for Standardization (ISO) validate products. At the bottom end, products must have security updates and no universal default passwords, while manufacturers must adhere to secure-by-design principles, such as processes and policies for protecting personal data, securely storing security parameters, and conducting threat risk assessments. At the higher end, authorized labs conduct penetration tests against the product and its communications. Labels are valid as long as developers support the product with security updates, for up to a three-year period.

Figure 2: Singapore’s CLS Four Security Provisions Tiers

SOURCE: Cybersecurity Agency of Singapore.

While the program’s terminology slightly differs, the CLS embraces the same principles as ETSI EN 303 645, doing so in a manner that “groups the clauses and spreads them out across four ranked levels.”⁴¹ And while the program’s higher-tier labels incentivize the adoption of stronger security measures, the Singapore Standards Council concedes that the first-tier labeling requirements “will suffice in staving off [sic] large percentage of attacks encountered on the internet today.”⁴² Finally, Singapore’s CLS shows how a voluntary labeling scheme can work to gradually dial up requirements for products as the market matures. For example, while the CLS is voluntary for most products, new internet routers sold in Singapore must meet the security requirements for the Level 1 label. This “voluntary-mandatory” split can keep evolving over time, both for different product categories as well as specific security measures.

Interviewees at CSA said vendors have reacted positively to the labeling program (e.g., citing the onboarding of major vendors like Google and Asus). As of July 2022, there were 174 certified products, a total that has more than tripled since the start of 2022, and includes diverse items such as smart lights, video doorbells, locks, appliances, routers, and home hubs.⁴³ Despite these positive signs, it is too soon to tell if the CLS program will be a success, and Singapore must continue to monitor the label’s appeal for consumers and firms as well as its broader security impact.

US: State initiatives & government procurement

In the United States, initial action on consumer IoT insecurity began at the state level. The nation’s first IoT security law went into effect in January 2020 with California’s requirement that manufacturers of smart products sold in the state “equip the device with a reasonable security feature or features.” The law explicitly takes aim at universal default passwords, stating that a reasonable security feature could mean “the preprogrammed password is unique to each device manufactured,” or “the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”⁴⁴California’s law—enforced by state attorneys—does not include a private right of action, nor does it put any duties on retailers to ensure that products they sell meet the law’s requirements.

Oregon joined California with its House Bill (HB) 2395, which has much of the same text (e.g., the same definition of “reasonable security feature” the same enforcement mechanisms) but limits its scope to only consumer IoT products (“used primarily for personal, family or household purposes”).⁴⁵ While the two laws may compel companies to adopt better security in all states, it appears that no cases have been brought forward under the law, even though insecure products are doubtlessly still sold in these states.

The United States passed the IoT Cybersecurity Improvement Act into law in December 2020.⁴⁶ It requires NIST to develop cybersecurity standards and guidelines for federally owned IoT products, consistent with NIST’s understanding of “examples of possible security vulnerabilities” and management of those vulnerabilities.⁴⁷ ⁴⁸ Thus, the law seeks to strengthen the security of IoT products procured by the government and intends to influence the private sector’s IoT cybersecurity practices through the federal government’s procurement power.⁴⁹ The 2020 act also shifts the burden of compliance from product vendors to federal agencies,⁵⁰ prohibiting them “[from] procuring or obtain[ing] IoT devices” that an agency’s chief information officer deems out of compliance with NIST’s standards.⁵¹ Finally, the act requires NIST to review and revise its standards at least every five years to ensure that recommendations are current, allowing for technical flexibility.⁵² NIST is empowered to suggest whatever finding it wants, with only vague guidance to consider “secure development” and other high-level cybersecurity items. Figure 3 offers an overview of the act’s recommendations.

Figure 3: Overview of the IoT Cybersecurity Improvement Act of 2020

SOURCE: Liv Rowley for the Atlantic Council.

On May 12, 2021, the Biden administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The executive order directed NIST, in consultation with the FTC, to develop cybersecurity criteria for an IoT product labeling program aimed at educating consumers about IoT products’ security capabilities.⁵³ It also tasked NIST with examining how to incentivize IoT manufacturers to get on board with such a program. On February 4, 2022, NIST released its recommended criteria for a consumer IoT labeling scheme.⁵⁴ However, NIST has been clear that its aim is to describe the ideal components of a labeling scheme, rather than implement this scheme itself.⁵⁵ While EO 14028 may feel a little toothless at the moment, it effectively outlines specific federal cybersecurity goals. Moreover, it demonstrates a will to move beyond federal procurement power as the sole method for influencing the private sector.

Australia: Starting with voluntary best practices

In August 2020, the Australian Department of Home Affairs (DHA) released a voluntary “Code of Practice: Securing the Internet of Things for Consumers” as part of its 2020 cybersecurity strategy. This code of practice highlighted the thirteen principles outlined in ETSI EN 303 645.

Australia’s voluntary code of practice did not prove to be a panacea. In March 2021, the Australian government published six months of research on the results of its Code of Practice, saying firms “found it difficult to implement voluntary, principles-based guidance,” and many had still not implemented basic security guidelines like a vulnerability disclosure reporting process.⁵⁶ As such, the Australian government appears intent on conducting more direct regulation of its consumer IoT market. In a request for comments that concluded in fall 2021, the DHA solicited public opinion on both a proposed consumer labeling program and a minimum security standards regime.⁵⁷

For the minimum security standards approach, the government proposes to base its requirements on ETSI EN 303 645 and is considering either mandating all 13 guidelines or choosing to focus on just the top three (no default passwords, the existence of vulnerability disclosure programs, and the provision of security updates). The potential regulator within the Australian government is yet to be determined, but it would be empowered to issue fines and other penalties for those who fail to comply.

The potential labeling approaches consider two scenarios. A voluntary “star rating label,” such as Singapore’s CLS program, basing it on an existing international standard, such as ETSI EN 303 645, and involve some component of self-certification and testing within the framework of Australian consumer law’s protection against fraudulent claims. Alternatively, a mandatory “expiry date label” would indicate the period over which the product will receive critical security updates. This second option received a higher recommendation from the government. Minimum security standards could complement either of these approaches.

Industry: Certification models and security standards

Companies have also advanced numerous security approaches. Common industry approaches to IoT security include secure endpoints and stringent encryption requirements for third-party applications, hardware-based security, and the formalization of vulnerability and software communications protocols. The industry verticals for smart homes, networking and telecommunications, and consumer healthcare (recognizing there is overlap and integration between these verticals) see varying implementations of these measures.

For example, the ioXt Alliance, which is composed of dozens of product manufacturers and vendors as well as major software companies, offers self-certified and third-party-validated certification for IoT products. Its five compliance tests cover everything from Android to smart speaker device profiles, measured against eight principles: no universal default passwords, secured interfaces, proven cryptography, security by default, verified software, automatic security updates, vulnerability reporting program, and security expiration date.⁵⁸ The overall certification process has five steps:

Join the ioXt Alliance and register for certification;
Select one of the five base profiles for testing, and then opt to self-certify or use one of the ioXt’s approved laboratories (currently, Bureau Veritas, SGS Brightsight, DEKRA, NCC Group, NowSecure, Onward Security, or Bishop Fox⁵⁹);
Upload production information and test results to the ioXt portal;
ioXt reviews the submissions and approves or rejects certification—with approved submitters receiving “the ioXt SmartCert” for their product; and
“Stay certified with ongoing verification and insights,” like IoT regulatory updates through the Alliance.⁶⁰

The Alliance’s membership includes companies like IBM, Google, Facebook, Silicon Labs, Logitech, Honeywell, Avast, Asus, Motorola, and Lenovo; other associations like the Consumer Technology Association (CTA) and the Internet Infrastructure Coalition; and non-industry organizations like Consumer Reports. Even the UK’s DCMS is an Alliance member.⁶¹ While the membership roster certainly does not cover every IoT product manufacturer or vendor in the United States (where many of its members are based), it does have global representation. It also certified 245 percent more products and membership increased 63 percent in 2021 compared to 2020.⁶²

The IoT Security Foundation, a global nonprofit representing many appliance manufacturers, recommends a framework composed of a few hundred security standards for organizations—spanning management governance, engineering, secure networks and applications, and supply chain.⁶³ Its members include smaller product manufacturers as well as larger companies like Honeywell, Huawei, and Arm, plus many more nongovernmental organizations, like academic institutions, than the ioXt Alliance.⁶⁴ The framework has three different audiences: (1) managers, (2) developers and engineers, and logistics and manufacturing staff, and (3) supply chain managers.⁶⁵ While its membership is not as large as that of the ioXt Alliance, the IoT Security Foundation does have global representation as well, such as the University of Southampton, Huawei, the University of Oxford Department of Computer Science, and Eurofins Digital Testing in France.⁶⁶

The Open Web Application Security Project^® (OWASP) is an open-source community effort that provides IoT security standards tailored to three threat models—attacks only against software, attacks only against hardware, and situations where compromise must be avoided at all costs (e.g., medical products, connected vehicles, due to highly sensitive data, etc.).⁶⁷ OWASP then specifies several dozen security standards based on these threat models, such as standards for bootloader vs. OS configurations vs. Linux.⁶⁸ OWASP is a nonprofit foundation with over 250 local chapters worldwide and tens of thousands of members, and it runs training conferences and other events to bring together experts from industry, academia, and civil society focused on software development and security.⁶⁹ Its capacity to drive change on IoT security is considerably different from the previous two coalitions—for instance, the OWASP community cannot marshal the marketing and lobbying power held by members of the ioXt Alliance or the IoT Security Foundation. However, OWASP draws on its tens of thousands of members around the world and leverages different forms of engagement than the other coalitions. The IoT Security Foundation, for instance, does not run events at the same scale as OWASP.

The GSM Association, an industry group for mobile network operators, has hundreds of industry members—from Amazon to Coinbase to Audi—and has numerous guidance documents for IoT security.⁷⁰ For example, it has security considerations ranging from having password policies protect against hard-coded or default passwords (CLP12_6.11.1.5) to having a process for decommissioning endpoint devices (CLP13_8.10.1).⁷¹

The CTA, a standards and trade organization with over 1,000 company members, runs an IoT Working Group that supports consumer IoT development. Included in those efforts is educating consumers about IoT security best practices and improving the security of IoT products.⁷² The CTA has multiple labeling schemes under development around IoT products, focused on consumer-facing product security descriptions managed through an accreditation system.⁷³ The CTA, in fact, submitted a position paper to NIST in 2021 that described its vision for a cybersecurity labeling system for software and IoT devices—noting that labels should reflect the consensus industry standards, avoid marketplace fragmentation, and look to risk assessment as much as specific security capabilities, among others.⁷⁴ It also has global reach, with Cisco, Google, Panasonic, Samsung, Walmart, Alibaba, Nvidia, and ADT among its members.⁷⁵

The Connectivity Standards Alliance (CSA), which develops and certifies IoT technology standards, has a number of documents and efforts focused on security. For example, the CSA website contains numerous developer resources on IoT security, from security and privacy guidance on the CSA-developed IP-based protocol Matter to documentation around Zigbee, the low-latency communication specification.⁷⁶ The CSA’s product security working group is underway, developing security standards for IoT devices and exploring security options around labeling and it has a recently started IoT privacy effort, as well. Both of these endeavors focus on consumer-facing security considerations (meanwhile, other CTA efforts focus on less consumer-facing aspects of IoT product security). The CSA has nearly 300 participant companies and dozens of sponsors around the world, and it also has hundreds of corporate adopters—ranging from large retailers like Amazon to device and component developers like Arm, Silicon Labs, Schneider Electric, LG, Huawei, and Google.⁷⁷

Individual companies have also provided their own guidance, such as Google’s Cloud IoT Core “device security” guidelines,“⁷⁸ Microsoft’s Edge Secured-core criteria,⁷⁹ and Arm’s Platform Security Architecture for the IoT.⁸⁰ Each emphasizes different threat models and targets different stakeholders in the IoT process, from product engineers to those in management at product manufacturers.

While beneficial, these approaches in the aggregate present a fragmented industry approach to IoT security. Governments looking to industry standards as a reference point find numerous, very different options; for instance, while the ioXt Alliance’s security approach emphasizes testing against specific device profiles, the OWASP approach emphasizes different kinds of threat models that could, hypothetically, apply across device profiles. There are also implementation differences: the ioXt Alliance points to independent, third-party testing and evaluation, whereas OWASP offers a list of standards that organizations can pair to a particular threat model. Some yet (like the ioXt Alliance) create new, IoT security-specific approaches, and others (like Arm) offer rough replicas of their overall cybersecurity guidance, with some tailoring to IoT.

Summarizing challenges

The current government approaches towards IoT security present many challenges—and have many gaps and shortfalls. This matters across the United States, Singapore, Australia, the UK, and many other governments, because industry has failed to appropriately invest in IoT security, leaving governments to step in. Simultaneously, some states are leading aggressively on securing IoT while others appear willing, on a structural level, to cede that leadership to industry (or to not act at all). Australia, for example, has put forward an IoT security framework but has long delayed the publication of specific guidance.

Industry organizations have pursued a range of IoT security approaches across labeling, certification, minimum standards, and best practices. This guidance also varies across industry verticals—for instance, given embedded IoT healthcare devices face many more regulatory security requirements than smart speakers. All these initiatives represent a substantial effort and reflect years of work from individuals in the security community—yet challenges (Table 1) around enforcement and implementation leave room for greater cohesion to tie security actions to particular parts of the product lifecycle.

On the private sector side, ambiguous requirements and policy goals,⁸¹ diverging processes and regulatory requirements across jurisdictions, and duplicative certification schemes all hinder private-sector efforts to boost IoT security. And on the user side, individuals are grappling with little to no information to select more secure products, bad security outcomes and insecurity, and harmful knock-on effects from IoT insecurity that harm others in society and using the internet.

Table 1: Challenges with Current IoT Security Models

SOURCE: Justin Sherman for the Atlantic Council.

State IoT security challenges

State IoT security policies are fragmented across jurisdictions. While the United States, UK, Singapore, and Australia (as well as the EU bloc) have generally moved from a voluntary best practices approach toward a mandatory approach, the states’ policies do not necessarily integrate well with one another. Each country has different specific cybersecurity best practices and places different levels of regulatory requirements on companies. This state-to-state fragmentation makes it more difficult for governments to agree on IoT security goals and operationalize IoT security cooperation—impeding a multinational approach to systemic risk.

Further, when states work to increase cooperation, there is a question of selectivity and exclusion: the ten countries with the most infected devices in the 2016 Mirai botnet were primarily in South America and Southeast Asia. Meanwhile, most high-resourced countries principally focus on IoT security collaboration with one another (e.g., UK-Singapore IoT security collaboration), not on building IoT security capacity in lower-resourced countries.⁸² The latter does happen—for example, Singapore and the Netherlands have engaged the nonprofit, multistakeholder Global Forum on Cyber Expertise on global IoT security issues. Nevertheless, collaboration remains primarily among higher-resourced and higher-capacity states.⁸³

Thus, one set of countries debate solutions while excluding a bevy of impacted stakeholders from the discussion. In doing so, higher-resourced countries may miss important points about their IoT frameworks’ applicability. Notably, cultural contexts greatly matter alongside technical considerations when weighing country adoption, and IoT product reliability may be just as important if not more so than cybersecurity per se in a development context.⁸⁴ In fact, for many countries, increased reliance on information and communication technologies without proper reliability can very well yield suboptimal development outcomes.⁸⁵ For example, while other governments (e.g., Singapore, Australia) reference the UK’s IoT security recommendations, some of the UK standards may require too much investment for lower-resourced states and focus less on reliability per se than security.

Furthermore, regulatory approaches within countries may still be fragmented and leave gaps. For example, in the United States the FCC regulates IoT products’ network connectivity, and the FTC regulates the marketing practices of IoT products.⁸⁶ The FCC has broad authority to regulate product manufacturers and sellers. On the flip side, the FTC’s authority mainly concerns consumer protection to ensure IoT product sellers are not being deceptive.⁸⁷ However, this still leaves gaps, such as not incentivizing security requirements at the device manufacturing stage and leaving national laws to govern IoT cybersecurity for federal agencies, while mostly standards and voluntary guidelines guide the private sector.⁸⁸ In Australia, to give another example, the state’s “privacy, consumer, and corporations laws were not originally intended to address cybersecurity,” leaving the national government trying to make do with a patchwork of laws to address cybersecurity.⁸⁹ Country-internal fragmentation, in total, leaves policy and regulatory gaps in promoting IoT security, forces the government to grapple with an ill-formed patchwork of authorities and procedures, and raises costs and increases confusion for businesses and users—especially when different labels are in play.

Private sector IoT security challenges

Many IoT security approaches in practice have ambiguous requirements and policy goals that make it difficult for the private sector to both understand and implement the government’s vision—and difficult for the state to require or incentivize the private sector to change. Take government procurement requirements, whose aim can be unclear. One aim could be the use of procurement to directly secure specific products, such as by requiring the military to only buy IoT products with a higher cybersecurity bar. Another possibility is using procurement to signal best practices to industry, such as requiring compliance with NIST’s cybersecurity framework—mandatory for US federal agencies and which more than 30 percent of US organizations have voluntarily adopted.⁹⁰ And another possibility is not just signaling best practices but incentivizing companies broadly, even those not doing federal contracting, to increase their own product security. As one standards body expert put it, “if the government only buys products meeting certain standards, that sets a bar for the private sector.”⁹¹

While the security approach may be similar or identical in each case, there are different policy goals in play that may not be articulated (even if they are not mutually exclusive). If most IoT vendors are not government contractors, the use of federal procurement requirements to secure the broader ecosystem may fail.⁵⁸ Danielle Kriz, the senior director of global policy at Palo Alto Networks, argues that government procurement on its own is “not enough to result in full-scale IoT security.”⁹² Using procurement to signal to the broader market could also produce product fragmentation: “If you make the standards too robust,” argues David Hoffman, a Duke University professor of cybersecurity policy, “then you create a situation where there is a profit incentive for contractors to sell two different products: one for government and one for the private sector.”⁹³ Further, if introducing a procurement requirement is meant to signal a coming wave of incentives around that set of security requirements, governments should note that—so industry can begin to get on board.

Differences in cybersecurity and IoT security processes, levels of maturity, and regulatory requirements across jurisdictions likewise complicate the private sector’s implementation of IoT security approaches. When a country’s internal approach to IoT security is fragmented, it becomes harder to coordinate with the private sector as well as other countries—because there is no clear and cohesive national approach. Companies, for their part, often find themselves caught between multiple competing, if not contradictory, IoT cybersecurity regimes. This increases industry confusion about IoT security best practices (particularly for businesses with less institutionalized cybersecurity capacity) and may force IoT manufacturers and vendors to tailor-make products to meet specific, varied regulatory requirements (discussed in the next section). Disjointed IoT security standards also raise the costs of government interaction for companies, especially for smaller players with less budget and in-house governmental relations capacity. Vendors and manufacturers that have more money and resources could therefore have an even more outsized ability to influence the security conversation.

For industry, certification schemes also introduce many challenges. The current IoT security certification approach emphasizes independent, third-party product certification—time-consuming and costly (sometimes in the tens of thousands of dollars)—which may be outright prohibitive for smaller manufacturers and vendors. This approach often excludes lower-cost approaches that could work simultaneously, like self-certification to a lower bar of standards. Certification schemes are also binary, tiered, and descriptive; there is no unified approach for companies to implement and understand. For example, Singapore’s CLS has four progressively demanding security level provision tiers (see Figure 2): security baseline requirements (Tier 1), lifecycle requirements (Tier 2), software binary analysis (Tier 3), and penetration testing (Tier 4).⁹⁴ Others, however, such as many industry certification schemes, are binary, either certifying a product as “secure” under their definition or not doing so at all.

User IoT security challenges

The current approach also presents challenges for users. An Ipsos MORI survey in Australia, Canada, France, Japan, the UK, and the United States found that consumers overwhelmingly think that “connected device manufacturers should comply with legal privacy and security standards” (88 percent), “manufacturers should only produce connected devices that protect privacy and security” (81 percent), and “retailers should ensure the connected devices they sell have good privacy and security standards” (80 percent).⁹⁵ A majority of those that own connected devices (63 percent) “think they are creepy.”⁹⁶ Despite these findings, by and large, users continue to purchase insecure IoT products.

Currently, manufacturers and vendors provide users with little to no information to select more secure products. Where labeling and/or certification schemes do exist, they expect that buyers have a fair knowledge of IoT security and will make purchasing decisions based off that knowledge. This user knowledge assumption is faulty, as all countries surveyed in this report are far from sufficiently educating the public on cybersecurity issues. And in the context of a corporate buyer of IoT products, there is no guarantee many organizations purchasing IoT products have deep, in-house capacity around IoT cybersecurity practices, either.

The current approach also leaves users, and the IoT ecosystem in general, with bad security outcomes and insecurity. Many manufacturers and vendors underinvest in cybersecurity and might not even have any kind of robust cybersecurity processes in place in their organization. This manifests itself in IoT products riddled with bad security practices, like default passwords and weak encryption, which leave products, users, and connected systems vulnerable to data theft and much worse. Merely encouraging organizations to adopt voluntary standards (that some organizations may not even know about) does not widely improve IoT security outcomes, either. Further, the labeling and certification schemes that do exist in some jurisdictions are often expensive—and if manufacturers and vendors choose not to absorb the costs themselves, then they will charge consumers higher prices for IoT products.

Even if companies wanted to invest and buyers had all this knowledge, the current approach would still negatively impact users, the broader internet ecosystem, and other involved individuals. Given the “paradox of choice,” where increasing the number of options available to someone can make it harder to reach a decision, providing users with many different labels and certifications may do the same. The lack of a unified labeling scheme also makes it difficult for consumers to compare labels (binary versus tiered versus descriptive), and the lack of a single global IoT cybersecurity certification means buyers may not even be able to compare IoT security attestations at all. Moreover, there is little indication that introducing labeling and/or certification would necessarily cause a buyer to look anywhere beyond the price tag. And in the narrow cases where manufacturers or vendors provide labels and certification information to buyers, many users only see that information when the product is already unpacked and undergoing setup in their home or work environment. Overall, current IoT security approaches still place a heavy security burden on individuals, rather than systematically mandating and incentivizing product manufacturers and vendors to consider and build in security from the outset. As one DCMS official described it, labels may be attractive because they can avoid the bureaucracy of legislation—yet they still expect consumers to move the security needle.

Addressing these challenges should not devolve into championing one national approach over another. The need for harmonization in specific controls is real, and this need extends to control philosophies and enforcement schemes. The section below synthesizes these previous approaches into a single framework based on the general lifecycle of IoT products as a basis for a path forward.

Creating a synthesized framework

There is no shortage of IoT security frameworks. As noted in the last section, government agencies, private companies, industry organizations, and civil society groups around the world have developed and published a range of IoT security policy frameworks, design best practices, and security certification schemes. This represents a substantial body of work on IoT security, yet there is more to be done—and its range creates complexity heedless of industry cries for coherence and presents a meaningful obstacle to international coordination.

Rather than address each of the four jurisdictions of interest (US, UK, Australia, Singapore) in isolation, this section presents a consolidated framework with existing security regulations, standards, and guidance from all four countries.

The framework’s first goal is to reduce fragmentation between policy approaches by highlighting their contributions and limitations. Operating in multiple jurisdictions with different IoT security regimes can drive up product development and legal compliance costs, disincentivize companies from investing in security or widely selling their products, and even create scenarios where companies must tailor-make IoT products to sell in different countries. Reducing fragmentation addresses these cost issues. It also empowers IoT product users, by giving companies and individuals a clearer set of tradeoffs and information rather than numerous, different stamps of security approval from different places. Lastly, reducing fragmentation helps policymakers forge cooperation internationally and cover the entire IoT security landscape at home.

The framework’s second goal is to better situate technical and process guidance into cybersecurity policy. As previously discussed, some government requirements and guidance on IoT security lack detail and have ambiguous policy goals, which impede the private sector’s progress on better implementing IoT product security. Integrating technical and process details into government policy can help the private sector, especially companies with limited cybersecurity knowledge and capacity, operationalize higher-level IoT security objectives. It would also help governments identify flaws in their own IoT security approaches; for example, an overemphasis on certifications’ policy value has come at the expense of looking at the certification process—which for many organizations is a time-consuming, costly endeavor.

Table 2 presents a synthesized IoT cybersecurity framework—mapping at what stages of the IoT lifecycle various IoT security actions and policies could be applied. This leads to a discussion in this section of how existing government IoT security approaches have enforced, incentivized, or guided these measures. It then leads to the recommendations section, which discusses ways in which governments can better select from these security action options and appropriately enforce, incentivize, or guide them to achieve better cybersecurity across the IoT ecosystem.

Overwhelmingly, this framework highlights that the IoT security approaches in the countries studied focus on the design, development, and sale, and setup phases of the IoT lifecycle, with significant gaps in security actions and policies for the maintenance and sunsetting phases of an IoT product’s lifespan.

Table 2: Synthesized IoT Security Framework

SOURCE: Liv Rowley and Justin Sherman for the Atlantic Council.

Cybersecurity decisions at each lifecycle phase help determine a product’s ultimate security (Figure 4).

Design decisions frame how IoT products are ultimately architected, and they can include or exclude certain cybersecurity considerations from the outset. Security action and policy options at this level include following voluntary and/or mandatory technical standards, following voluntary and/or mandatory best practices, and employing best practice security design principles.

Development decisions begin to put those design ideas into practice, and they impact how higher-level ideas and principles are operationally employed into the creation of products. They also present an opportunity for IoT product manufacturers to tailor additional security requirements based on their product’s risk profile—for instance, adding in extra controls on top of voluntary, minimum best practices for products used in safety-sensitive or critical infrastructure settings.

Sale and setup decisions focus on IoT products going on the shelf and getting configured in their use environment, and they impact the cybersecurity of those products when first activated. Security action and policy options at this level include implementing vulnerability disclosure policies and processes, implementing mechanisms for regularly updating software, employing labeling schemes, and getting products security-certified.

Maintenance decisions focus on IoT products that have already been configured and deployed, and they impact the security of those products for the rest of their lifetime. The security action and policy options at this level include maintaining vulnerability disclosure policies and processes, issuing regular security updates, updating labeling schemes in line with software security updates and disclosed vulnerabilities, and updating certifications in line with software updates and disclosed vulnerabilities.

And finally, sunsetting decisions pertain to the end of a product lifecycle—such as when a vendor stops providing security updates—and how product vendors and users should communicate about, prepare for, and navigate the process of retiring an IoT product.⁹⁷

Figure 4: Overview of Government and Industry Frameworks

Your browser does not support the video tag.

SOURCE: Liv Rowley and Justin Sherman for the Atlantic Council.

When applied to the United States, the UK, Australia, and Singapore, the framework shows that most country IoT security approaches concentrate on the earlier parts of the IoT product lifecycle. The design, development, and sale and setup phases are heavily covered. In the United States, existing NIST publications that provide guidance on security-by-design (like NIST SP 800-160) are applicable to IoT.⁹⁸ The UK’s PSTI Bill, introduced in November 2021 and not yet passed, would require “manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.”⁹⁹ The provisions leverage recommendations in the UK Code of Practice/ETSI EN 303 645: banning default passwords, requiring vulnerability disclosure processes for products, and providing transparency for consumers on the duration that products will receive security updates.¹⁰⁰ Nonetheless, there are still gaps; the UK PSTI Bill focuses more on design, development, and sale and setup.¹⁰¹

Design and development guidance often overlap in the four countries. The Australian government’s Code of Practice on securing the IoT for consumers uses the 13 principles laid out by the UK and ETSI, including not using default passwords, implementing a vulnerability disclosure policy, and keeping software updated and secure.¹⁰² The provisions around not using default passwords, validating input data, and securely storing credentials are primarily useful in the abstract at the design phase and implemented during the development phase.

The United States, the UK, Australia, and Singapore also have significant guidance and/or requirements at the product sale and setup phase. For the ETSI guidance—which underpins guidelines in the UK, Australia, and Singapore—the implementation of a vulnerability disclosure policy comes into play during sale and setup. Singapore’s CLS has four levels against which companies can certify products, from baseline requirements, certified based on developer self-declaration, to comprehensive penetration testing conducted by ISO-accredited independent laboratories.¹⁰³ And in the United States, the IoT Cybersecurity Improvement Act of 2020 requires NIST to publish “standards and guidance” around IoT product purchasing and shifts the compliance burden from vendors onto federal purchasers.¹⁰⁴ Moreover, federal agencies must consider such factors as secure development, identity management, and patching when looking at buying an IoT product and then prove that said product satisfies NIST’s guidance.¹⁰⁵ E.O. 14028 directs federal agencies to implement secure software verification processes and directs NIST, the FTC, and other agencies to identify “IoT cybersecurity criteria for a consumer labeling program.”¹⁰⁶

Regulations enforced by the FTC and FCC likewise focus on IoT product labeling when consumers look to purchase and deploy products (in the FTC’s case) and IoT network design (in the FCC’s case). This is not to say the US security approach entirely neglects the maintenance and sunsetting phases; NIST’s first IoT publication (NISTIR 8259)¹⁰⁷ includes a category for “post-market” security considerations as well as general recommendations for establishing communication channels for product updates and customer feedback. A subsequent update to the document (NISTIR 8259A) contains recommendations for security update features.¹⁰⁸

All four government approaches focus less on the maintenance phase of the IoT product lifecycle. The UK’s IoT security approach has gaps in providing manufacturers, vendors, and users with maintenance guidance (e.g., once the security update plan is in place and communicated, how will it be continuously followed?) and sunsetting guidance (e.g., if the company stops providing security updates, how should they inform users and what options might users have for replacing devices?). While there is some minimal guidance here—for instance, the UK DCMS Code of Practice includes a provision to make the installation and maintenance of products easy—it hardly provides anything substantively useful for manufacturers, vendors, or buyers. The same therefore goes for Australia, which follows the UK’s guidance. Singapore does provide detailed guidance on the maintenance phase at Tier 2, 3, and 4 of the certification scheme.

Each approach has significant gaps at the sunsetting phase. The United States lacks sunsetting guidance in its IoT security approaches, and regulatory enforcement does not focus on sunsetting (e.g., the FTC focuses on how products are marketed to consumers, not how products are retired). Singapore’s labeling scheme program provides little guidance in the way of notifying users about terminated security updates when products are at their “life’s end” and then, as a result, posing new and greater security risks. The UK’s IoT security approach also lacks sunsetting guidance, such as what happens if a company stops providing security updates as recommended by the DCMS. This means users, and society writ large, may have some protections against IoT insecurity at the earlier phases of the IoT product lifecycle, such as when companies are designing IoT products sold to the government and used in relation to critical infrastructure, or when vendors are advertising their products on the shelf and regulated. Yet, for all the businesses, individuals, and other entities using IoT products that are long past their lifespan, they are exposing themselves to insecurity possibly without even knowing it—and without government policies and security approaches that protect users against the termination of security updates, outdated labels, and other security problems.

It is also important to note that requirements may, in the future, speak to areas outside the device lifecycle as well, concentrating more on an IoT manufacturer’s organizational structure or developer training. NIST notes this in their June 2022 NISTIR 8425 initial public draft, titled “Profile of the IoT Core Baseline for Consumer IoT Products.”¹⁰⁹ Developer activities, as outlined in NISTIR 8425, may include Documentation, Information & Query Reception, Information Dissemination, and Education & Awareness.¹¹⁰ Some industry IoT security frameworks include non-device requirements as well. For instance, the IoT Security Foundation’s framework mandates the existence of certain roles at a company (for example, 2.4.3.1 mandates “There is a person or role, accountable to the Board, who takes ownership of and is responsible for product, service and business level security, and mandates and monitors the security policy”); or specific actions to be included in a company’s security policy (for example, “As part of the Security Policy, provide a dedicated security email address and/or secure online page for Vulnerability Disclosure communications”).¹¹¹ Such standards that apply to elements outside of the scope of the device lifecycle itself are critical to fostering a stronger security environment overall and should be remembered and considered as IoT security becomes stronger.

Toward a consolidated approach

The framework above underscores how some governments and industry actors are making progress in pushing for greater IoT security—but there is a long road ahead to improving cybersecurity in the IoT ecosystem. There are still some governments and many industry actors underinvesting in IoT security. Despite their stated concerns, consumers continue to purchase insecure products. As a result, product manufacturers and vendors need to deliver meaningful transparency and improvements in user security outcomes. Without the predictability of common security standards that impose pressure on all manufacturers and vendors, proactive firms have little incentive to produce secure products, and there are few penalties for laggards.

Overcoming widespread risks

Promisingly, the past few years have seen a flurry of activity on IoT security from governments, industry groups, and consumer advocates. The attitude among those interviewed for this report generally was optimism about the direction of travel, with concern over the pace of the trip. Singapore is nearly two years into a voluntary, four-level labeling scheme that will be gradually expanded as mandatory by product type, as it currently is for internet routers. Australia appears poised to pursue a labeling approach that mirrors Singapore’s four levels (“graded shield”) or a simpler indicator showing the timeframe that security updates will be provided (“icon expiry”). The UK has rejected the concept of labels and is instead on the cusp of passing legislation that empowers regulators to set basic cybersecurity requirements for all smart devices, a baseline that can be ratcheted up over time. In the United States, two states have implemented their own minimum security requirements, federal agencies must purchase products with more robust security, and NIST recently recommended a binary label akin to approaches in Germany and Finland. Consensus standards, enforcement measures, and international cooperation across these four jurisdictions are feasible but not yet close. Nevertheless, there still are threats to progress:

Risk #1: Regulations, standards, and norms diverge between jurisdictions. Despite today’s promising signs, as more jurisdictions take on the problem of IoT insecurity, there is a risk that regulatory divergence worsens with an ‘every-market-for-themselves’ approach where duplicative requirements and confusing enforcement schemes burden IoT vendors who must work to support multiple sets of standards or elect to focus on a small set of jurisdictions.
Risk #2: Cybersecurity labels fail to demonstrate value to both manufacturers and consumers. One interviewee summed up the attitude toward cybersecurity labels with an analogy to Churchill’s famous quote about democracy: “the worst option, except for all the others.” Labels are an increasingly popular approach in national IoT security efforts. Despite a clearly articulated demand for greater security by consumers, some observers are doubtful that consumers can or will make informed cybersecurity decisions even with the benefit of an indicator on the box or the webpage. Others question whether it is correct to task consumers with making such security decisions for themselves, comparing insecure IoT products to an unsafe lightbulb: you do not compare lightbulb brands to see which one is least likely to explode. Like other market signals, cybersecurity labels can suffer from a collective action problem, only arising if both sides of a transaction value them.
Risk #3: Product security requirements become watered down as they approach broader adoption. Particularly in the United States, legislation often becomes less potent as it approaches the federal level. Industry resistance was sufficient to kill prior versions of the IoT Cybersecurity Improvement Act and cut some of the provisions that were finally passed in its 2020 version.¹¹² Given federal law’s preemptive power, consumer IoT security legislation could counteract more ambitious measures at the state level. This dynamic may also occur internationally if jurisdictions are driven to the lowest common denominator in pursuit of consensus.
Risk #4: Guidelines become too rigid, locking in outdated security practices. As Brian Russell and Drew van Duren describe, “The greatest challenge in the security industry is finding methods today of defending against tomorrow’s attacks given that many products and systems are expected to operate years or decades into the future.”¹¹³ Legislation must define processes and outcomes rather than codifying specific security measures that might soon become irrelevant.
Risk #5: The drive for improved consumer IoT security fails to have an impact on product manufacturers in jurisdictions without strong IoT security laws. The national initiatives surveyed in this report focus primarily on efforts to effect change by imposing requirements on products sold in each one’s jurisdiction, as opposed to trying to impact what happens where products tend to be manufactured, citing the challenge of extraterritorial enforcement. Interventions must consider the full range of actors who can put pressure further up the supply chain, with retailers, in particular, having the potential to play an influential role.

The shape of a consolidated approach

What might a better IoT future look like? One description is: “a world in which every IoT ecosystem stakeholder[’s] choices and actions contribute to overall security of IoT where consumers and benefactors are simply secured by default.”¹¹⁴ It could be raising the tolerable level of insecurity to the point where consumers trust IoT products and services as something more than a roll of the dice.

Crucially, this world must reflect different economic incentives for manufacturers, consumers, and attackers. Policy change is necessary to help shape and channel these incentives. When assessing any proposal, one should consider its ability to advance the following outcomes:

Eliminate the most glaring insecurities in consumer IoT products, thus increasing the level of effort and sophistication required for attackers to compromise them.
Promote harmonization across jurisdictions, avoiding needless divergence and duplication, thereby reducing friction for manufacturer uptake.
Sharpen incentives for manufacturers to exceed the minimum baseline of security practices.
Increase consumer awareness of the risks from insecure products and increase interest in security as a feasible and accessible buying criterion.
Provide real impact on user security outcomes in the near term while maintaining flexibility to incorporate new controls through consensus measures as technology evolves.

To drive the above outcomes and closer alignment in policy across these four states, the team proposes a multi-tiered IoT product labeling and certification scheme with basic, easily understandable labels for consumers (Figure 5). This multi-tiered scheme would ensure that minimum security standards are met, give consumers easily digestible ways of understanding the security of a product, and allow manufacturers that invest in higher security to advertise it understandably.

Figure 5: Overview of IoT Security Tiers

SOURCE: Patrick Mitchell for the Atlantic Council.

Tier 1: Minimum Baseline Features. The first tier should be a set of mandatory, baseline, self-attested IoT security standards created by governments in consultation with industry. For each country, the government agency leading this effort should ideally be the organization already in charge of cybersecurity standards, and if there is not one, governments should select an organization with a high degree of transparency, technical competence and capacity, and a track record of working with industry and civil society. The recommended baseline security standards should be rooted in widely agreed upon desirable security outcomes, for instance, the core principles outlined in ETSI EN 303 645—such as eliminating default passwords, mandating a vulnerability reporting contact, and facilitating secure updates for software. Once governments set this tier, manufacturers should apply with the agency administering the program and self-attest that they meet these standards. The agency should then provide qualifying products with a label indicating that they have met these baseline requirements, and the manufacturer and product vendor (if different than the manufacturer) should include this label and information about it in the product description. Random audits can assess compliance without the need for a time-consuming and expensive certification process. Examples of national programs in this tier include the UK’s PSTI Bill, Singapore’s CLS Tier 1 requirement for routers, and California and Oregon’s IoT security laws.

Tier 2: Enhanced Security Features. Building off the first tier of mandatory, baseline, self-attested IoT security standards, governments should then work with industry to set a second tier of security standards—higher, voluntary, and independently tested. The standards to qualify for this second tier should likewise look to the Tier 1 baseline as a starting point, with a particular focus on ensuring products communicate securely and protect consumers’ personal data, inspired by security outcomes that may be drawn from ETSI EN 303 645. Qualifying products will receive a label indicating that they have both met the Tier 1 baseline requirements and the Tier 2 requirements, and the product description should include information about this label. To encourage the uptake of the second tier, securing a label should be a relatively cheap and quick process. Given that some jurisdictions may see more value in a scheme with more than two tiers, national regulators should be able to subdivide this tier into different levels of security. Examples of existing programs that would fall within this tier include Levels 3 and 4 of Singapore’s CLS, Finland’s Cybersecurity Label, Germany’s BSI IT Security Label, and the binary label recommended by NIST in the United States.

Special Standards for Safety Critical Products. Industry-specific regulators should remain in charge of setting the highest bar of security standards for IoT products that present an imminent threat to human life if compromised. For most smart devices, consumers do not bear the brunt of the consequences if their device is vulnerable to an attacker. This dynamic shifts dramatically when the connected device is an automobile or pacemaker and the consequences become potentially lethal. In these instances, however, consumers still lack the expertise to assess risk. These industries tend to already have specific regulators focused on product safety: for example, the FDA certifies medical devices, and the National Highway Traffic Safety Administration (NHTSA) is charged with enforcing motor vehicle safety standards. In this context, an internet connection is merely another feature that introduces new risks to product safety. These regulators should look to standards bodies such as ETSI and NIST as a starting point for guidance on cybersecurity, but the ultimate requirements for these safety-critical applications must extend to the particular security needs of the industry—which are likely even more stringent than the second tier discussed above. Products that fall into this category need not be certified with a label. Instead, if they fail to meet the regulator’s minimum standards, they should not be approved (or should be recalled if they are already on the market).

What does the label look like?

A label for IoT security should consist of a standardized table or graphical description of security features, attached physically to a product box and digitally affixed to product descriptions online. The digital description of an IoT product’s security features is especially important, and—given the constantly changing security landscape—keeping digital labels up-to-date is often easier than doing so for physical labels. Ideally, the standardized-format description of product security features should be mapped to a set of standard IoT security criteria—such as a checklist of product compliance with some NIST security best practices, or a checklist of product compliance with ETSI requirements for IoT security (e.g., does this product use universal default passwords, does it have a security update function in place). Labels, intended for audiences ranging from consumers to enterprise purchasers, should use clear, easily understandable language to describe product security features, rather than referencing specific standards numbers or using highly technical verbiage (such as describing a specific encryption algorithm).

Related to the label, governments should consider cooperating and coordinating with industry to ensure data on labels is easily accessible—to regulators, researchers, and the public generally. One idea is creating a central repository of manufacturer and vendor label information, perhaps maintained by a country’s cybersecurity standards organization or a standards development organization (SDO), into which vendors and manufacturers can upload independently tested and/or self-certified label information about IoT product security. It may be advantageous to develop a single form containing information of interest to multiple major jurisdictions, inspired by the “Common App” form which allows individuals to fill out one form to apply to multiple US-based universities. This would allow regulators and others to access information on company compliance and broader IoT product security trends in a single place and in a single, accessible format; it also potentially streamlines compliance efforts by IoT vendors, allowing them to file security information about their products in one place that is applicable in multiple jurisdictions. Another idea is having companies make this information available from their systems through a standard API—such that all the information is not stored in one single place, and the government does not have to maintain a central repository of IoT security label data, but that individuals can query manufacturer and vendor APIs to get label information.

A note on ambitions

At their simplest, today’s approaches reflect two different philosophies about where governments should focus their efforts: (1) targeting the “low hanging fruit” of higher impact/lower effort measures with mandatory requirements, or (2) setting an optional higher bar and trying to get consumers and industry to care about it. The former arguably views security improvements as a rising tide that fills in the lowest lying areas first, while the latter arguably views it as a distant target that focuses our gaze, even if not everything hits the bullseye. While both strategies have their merits, they need not be mutually exclusive. We cannot content ourselves with merely getting rid of the worst shortcomings. Similarly, the choice for consumers should not be between one class of products that have poor security and another with world-class security.

It would be counterproductive to suggest that these countries should scrap their national approaches in favor of a new consensus program. Given how recent these efforts are—if they have even yet been implemented—it is still too soon to tell how each country’s approach will fare. A degree of national-level experimentation can help determine what does and does not work. Further, as one interviewee noted, while standards may harmonize internationally, enforcement occurs locally. Many jurisdictions have lined up behind the same set of guidelines in ETSI EN 303 645, with some others pursuing slightly differing approaches that nonetheless seek the same outcomes that the ETSI documentation aims to achieve. But the measures chosen to encourage (or compel) industry to generate products with better security must reflect the jurisdiction’s regulatory and consumer cultures. The silver bullet is not necessarily a new global label, new methods of enforcement, or new standards for IoT products. Instead, the world needs a better way of bringing together these efforts and ensuring they continue to avoid contradiction and duplication.

Recommendations

This section lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting the baseline of minimally acceptable security, incentivizing above the baseline, and pursuing international alignment on standards and implementation across the entire IoT product lifecycle. While many of these recommendations apply generally to those interested in promoting a more secure IoT ecosystem, the report also aims to identify specific actors and the steps they can take to bring about this multi-tier structure for IoT security (Figure 6). Moreover, these recommendations also aim to address the risks and uncertainties described in the prior section.

Importantly, this report deliberately does not prescribe a particular label design, such as a table or graph. Moreover, it does not prescribe “how” companies should pair physical and digital labels nor to “what” extent companies and/or governments should harmonize specific label designs and digital characteristics across jurisdictions. These areas deserve more work, and the optimal approaches remain unclear at this stage.

Figure 6: Overview of Actors and Actions to Improve IoT Security

SOURCE: Patrick Mitchell for the Atlantic Council.

Recommendation Set: Establish the Baseline of Minimally Acceptable Security (Tier 1): Currently, many governments lack baseline security standards for IoT products, and for some of those that do have such standards enacted, companies must go through a time- and cost-intensive process of independent testing and certification. This substantially raises the barrier to adopting what should be easily achievable and cybersecurity-bolstering baseline standards. By setting this minimum baseline, making it low-cost for companies to comply with, selecting criteria that greatly increase cybersecurity (like no universal default passwords¹¹⁵ and having security updates), and making it mandatory, governments can ensure IoT products within a country have the most basic and critical security measures in place. In some jurisdictions, enforcement might look like a law that requires every IoT manufacturer to implement the government-set IoT security baseline standards; in other countries, enforcement might look like a consumer regulatory agency creating a new rule within its existing authorities.

IoT products are currently so insecure that hacking them is relatively trivial. The insecurities these products have are so glaring and egregious that even relatively unskilled hackers can get into the game and claim their slice of the pie. Implementing mandatory minimum security standards would have an impact on the state of IoT security by plugging those widely known and easy-to-find holes, which raises the cost of knowledge, time, and resources required to compromise IoT products. In other words, this would help push small fry hackers out of the scene, and the more sophisticated hackers would have to invest energy into developing ways to target more secure products.

To illustrate this point, the Global Cyber Alliance’s October 2021 report “IoT Policy and Attack Report” provides a glimpse into just how effective some of these minimum security measures can be.¹¹⁶ Using a “honeyfarm” (a large network of IoT device honeypots), the Global Cyber Alliance was able to measure the number of attacks against different classes of IoT products and determine whether the number of successful attacks against the target changed, given the implementation of different security standards. For instance, the report found that of over 7,000 malicious login attempts, attackers were only able to login and thereby compromise a device in 79 instances. Those 79 instances all involved devices that used default passwords

This section describes two recommendations that aim to influence two critical groups of actors in implementing this baseline: product manufacturers and retailers.

Recommendation 1: Governments should implement regulatory measures to enforce a mandatory baseline on manufacturers selling in their markets (Figure 7). Initially, governments should conduct outreach to encourage compliance and spread awareness among manufacturers about the security requirements. Inevitably, some companies will not implement the Tier 1 security baseline within the required window or in the required way. This could be the result of many factors, including a lack of awareness about the rule (e.g., for smaller IoT manufacturers), feet-dragging, and limited capacity to quickly implement the self-attested label and certification, among others. Governments should therefore develop mechanisms to publicize the new, required security baseline at Tier 1 and encourage companies to implement it within the specified window. Beyond general public education campaigns, for example, this could include such processes as a country’s key standards agency holding sessions with industry to explain new requirements and answer any questions that may arise—well before the requirements go into effect.

Next, governments should set up random audit mechanisms to ensure firms’ claims are accurate and issue penalties as needed. Some companies may self-attest to a security baseline and then take action that deviates from that attestation (e.g., implementing security updates and then ceasing security updates). Other companies may falsely self-attest to the security baseline altogether. If a product has been falsely attested to and does not meet the minimum security standards, the government should begin by issuing a compliance notice to its manufacturer. The compliance notice (or prompt for change) should outline all corrective actions and set a clear deadline for when these actions must be complete. Should a manufacturer continue to produce a noncompliant product with a falsely advertised security label, the government’s relevant enforcement agency should issue a stop notice that orders the manufacturer to cease selling the product until made compliant. The agency’s stop notice (sent to the company and published publicly) should also demand the recall of the noncompliant product. The agency should also consider additional actions depending on its authorities and typical enforcement processes against other companies domestically, such as fines. In line with other contexts in which companies may hold liability, governments carrying out enforcement should weigh whether a reasonable effort was made to attest in good faith, among other factors.

Figure 7: Setting the Baseline of Minimally Acceptable Security (Recommendation 1)

SOURCE: Patrick Mitchell for Atlantic Council

Recommendation 2: Governments should follow the “reversing the cascade” philosophy, where instead of trying to influence manufacturers based abroad, governments put pressure on domestic suppliers and retailers—who may, in turn, put their own pressure on manufacturers to improve security (Figure 8). It is not just governments that make policy decisions that impact product manufacturers. There is considerable power in the terms and conditions for selling through major marketplaces and retailers like Amazon, Walmart, and Target. Many IoT security efforts encounter issues when they try to levy penalties on manufacturers, as many of them are based outside their jurisdiction and may not have incentives to comply with security requirements. Vendors, however, fall within a government’s jurisdiction, making actions more feasible. There are also fewer major IoT vendors than there are IoT product manufacturers, allowing efforts to be more concentrated. In the US, political leaders and regulatory agencies, such as cybersecurity officials in the Department of Commerce and regulators at the FTC, should call upon major retailers to more proactively police the sale of consumer IoT products that lack basic security features. This is because these retailers currently sell products like smart thermostats, smart speakers, and baby monitors that have poor security practices and use default passwords. If engagement does not bring about change, retailers could be held accountable through new laws that penalize them for the sale of noncompliant products. Though, targeting noncompliant smart products that have been sitting for a long time on the shelf may achieve higher security across products more quickly, without creating barriers to entry for small manufacturers. It is also possible that the FTC could pursue action against specific retailers under its “unfair or deceptive acts or practices.^99,¹¹⁷

As the world’s largest online retailer, Amazon, for example, could have an outsized impact with an expansion of its “Restricted Products Policy” to bar unsafe smart devices. When contacted by security researchers about a particularly vulnerable wireless camera (promoted as “Amazon’s Choice”) the firm removed the preferred listing and responded, “We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.”¹¹⁸ In this vein, in its Examples of Prohibited Listings in the Electronics category, Amazon should explicitly prohibit smart home products that fail to meet the Tier 1 requirements. The US government has the ability to apply pressure on online retailers (not just Amazon) to do that, such as through public messaging campaigns and convenings with company executives through organizations like NIST. If this fails to stem the presence of insecure products on the site, another measure could include requiring firms to receive approval before listing consumer IoT products—as they must for categories including jewelry, DVDs, and “Made in Italy” items—or just a subset of high priority items like children’s connected toys. This approval could be as simple as submitting a form that attests that the firm does not use universal default passwords and lists a vulnerability reporting point of contact. Amazon’s application form for selling streaming media players could serve as a template. Even without specific laws that force its hand, this policy would be in line with Amazon’s stated goal of allowing customers to buy with confidence on its platform.

Figure 8: Setting the Baseline of Minimally Acceptable Security (Recommendation 2)

SOURCE: Patrick Mitchell for Atlantic Council

Recommendation Set: Incentivize Above the Baseline (Tier 2): Ensuring that all smart devices meet basic security requirements is valuable, but insufficient relative to the present risk in the IoT ecosystem. Some buyers may wish to achieve security at a higher level, and even more likely, some governments may wish to require manufacturers to adopt security standards above the first-tier baseline. Some manufacturers may also pursue a higher level of security as a differentiator. This section outlines four recommendations that will strengthen the development of this higher tier: setting the higher tier, mandating a more stringent degree of security for government-procured smart devices, expanding label recognition between states, and moving towards a consensus certification and labeling program. These actions will grow demand for secure products, increase consumer awareness, and decrease friction for firms that must otherwise navigate multiple certification regimes.

Recommendation 3: Governments should support the creation of a voluntary, higher tier of security requirements, indicated via labeling programs in their markets (Figure 9). The objective of this tier is to encourage firms to adopt more advanced security features and design practices in their products. As with the first tier, the specific security provisions that governments select for this tier should consider outcomes-based approaches, perhaps looking to ETSI EN 303 645 for inspiration. Other provisions, such as those from OWASP and ioXt, can supplement such approaches. Unlike the first tier in which companies self-attest to meeting standards, in this tier, companies should have their products evaluated and their status certified by a third-party testing lab. These approved labs should be certified under ISO/IEC 17025, an internationally accepted standard for Testing and Calibration Laboratories, to ensure consistent application of device security testing procedures. Since product certification at this tier is on a voluntary basis, manufacturers will likely wish to advertise their products’ enhanced security features. Any device that passes the test and therefore shown to meet the Tier 2 requirements will receive an accompanying Tier 2 label. These labeling schemes can be “binary,” indicating the presence or lack of desired security features (e.g., Finland and Germany’s programs), or multi-level, allowing manufacturers to pursue the certification that meets the desired “grade” of security for their product (e.g., Singapore’s CLS). After issuance, random audits should ensure that devices continue to remain in compliance with the provisions of their label. If a product has received a label but no longer meets its requirements, the government should decertify the product. Depending on the jurisdiction, the government may also pursue legal action against those who willfully make false claims about their product’s security features.

The existence of the second tier will aid in raising the security of IoT products above the minimum standards set in tier one. As the multi-tier model evolves over time, governments can also migrate effective standards from the second tier over to the first tier. Further, using outcomes-based approaches such as ETSI EN 303 645 as inspiration for these security requirements will ensure continued momentum around many agreed-upon basic security principles, while the employment of public-private cooperation ensures that standards are actionable. To drive the uptake of labeling programs, governments should engage with industry and the public to spread awareness of the programs’ benefits, and they may also consider defraying start-up costs, such as waiving registration fees and subsidizing testing expenses.

Much like ETSI could serve as a guiding foundation for establishing a set of baseline security requirements for Tier 1, the industry security efforts underway by the CTA and the CSA, among others, could become a foundation for establishing a higher bar of IoT product security paired with a consumer-facing IoT labeling scheme.

Figure 9: Incentivizing Above the Baseline (Recommendation 3)

SOURCE: Patrick Mitchell for the Atlantic Council.

Recommendation 4: Governments should include Tier 2 requirements as part of government procurement contracts (Figure 10). Technology manufacturers and vendors strongly benefit from government contracts, and the inclusion of cybersecurity standards in government procurement requirements can be one mechanism to incentivize large and small manufacturers to adopt them. The cost-benefit is simple for those companies: if they do not meet the specified cybersecurity requirements, they do not qualify for government contracts. Governments should therefore include Tier 2 (or higher) security standards in their procurement requirements such that any IoT manufacturer or vendor who wishes to do business with them must invest in a higher level of security beyond the Tier 1 baseline.

The United States provides a recent case study in this approach with its IoT Cybersecurity Improvement Act of 2020, which requires federal agencies to abide by NIST cybersecurity guidelines when procuring IoT products. Thus, companies will not be able to sell their IoT products and services to the US federal government without complying with NIST cybersecurity guidelines. Procurement requirements in the UK, Singapore, and Australia, especially in the defense apparatuses, can similarly provide a mechanism by which the government can incentivize the adoption of a higher tier of cybersecurity practices. Since it tends to be too unwieldy for companies to produce multiple lines of the same product—one suitable for the government’s requirements and a separate less secure model—the entire market would benefit. This measure would not only incentivize companies to act but would also mean that IoT products used by governments will themselves have a higher bar of security. In turn, procurement is a mechanism by which to better protect government systems and, likely, citizen data against cyber risks as well.

Figure 10: Incentivizing Above the Baseline (Recommendation 4)

SOURCE: Patrick Mitchell for the Atlantic Council.

Recommendation 5: In the short term, governments should reach agreements to mutually recognize each other’s labels. As different national IoT labeling schemes proliferate around the world, it will be important to reduce the burden on manufacturers from duplicative testing and certification requirements. In October 2021, Singapore and Finland agreed to mutually recognize each other’s labels for IoT products, hoping that this agreement will also spur more international collaboration. Through this agreement, companies that receive Finland’s Cybersecurity Label for a product are immediately eligible for Singapore’s Level 3 label, and vice versa. Even though not a country focused on in this report, Germany’s voluntary cybersecurity labeling program went live in January 2022, and it is reportedly in discussions with other countries to further expand mutual recognition. Given ETSI EN 303 645’s role as the backbone of multiple national frameworks, these agreements would likely be relatively simple to establish, recognizing that some agreements might focus on recognizing specific requirements while others might focus on recognizing equivalency—when similar outcomes are achieved with slightly different requirements. Major technology firms that care about improving the security of smart devices can apply for certification, even if it does not immediately benefit them, thus adding to the credibility of labeling programs. Countries with labeling programs already underway should study their impact, consider stakeholder feedback, adjust their schemes as needed, and share lessons learned with other countries interested in adopting this approach. It would be helpful for some of the analysis to focus on how to balance the need for maintaining high standards with reducing the administrative burden on firms going through the certification process. Major IoT vendors have noted how onerous it is to submit their products to multiple IoT security certification processes; for smaller firms, it can only be more difficult. Solutions like a “Common Application form”—inspired by the innovation that allows individuals to apply to multiple US-based universities by filling out one document—could help address this problem, as can regularly reviewing program-specific requirements and dropping ones that do not add value.

Recommendation 6: Over the longer term, governments should compare results of their national labeling programs and move towards a single global model for communicating security characteristics of an IoT product. As regulators in each of the four countries gather performance data on the impact of their approaches, they should work to adopt the attributes of the certification scheme(s) that show the most promise. Labels are already moving well past static data forms with the inclusion of commonly accepted machine-readable formats and more dynamic data sources like SBOMs might be contemplated. Most fundamentally, any future consensus model to communicate the security characteristics of an IoT product (not its packaging) should include basic, easily understandable information affixed to the product, as well as more detailed and dynamic information found online.

Oftentimes, companies’ currently issued IoT security labels and certifications fail to articulate exactly what certification means and how users should understand security. Further, by the time many consumers read an IoT product label, it is already unboxed and undergoing set-up in their home. These shortcomings impede buyers’ ability to understand IoT product labels and certifications—thus undermining their effectiveness. As part of this multi-tier framework, government and industry should ensure that at their respective tiers, labels issued for IoT products have basic, easily understandable information affixed to the product itself. They should also ensure the same information is available online, supplemented with other details that manufacturers and vendors can more easily update over time. Instead of communicating in the highly technical language used by experts, governments and industry should look to their relevant communicators for help employing the clearest language possible: for instance, saying, for Tier 1, “No default passwords” on a box and then include a check mark next to it. Doing so will empower buyers to easily make decisions about the security and privacy of a product through easy-to-understand labels.

Recommendation Set: Pursue international alignment on standards and implementation that cover entire IoT product lifecycle: Coherence between jurisdictions on enforcement mechanisms is important, but consistency in the principles of good security practice that form their foundation is even more critical. Given that security is a moving target, regulators must also be able to adapt as capabilities and threats shift. This section describes three recommendations that are key to these objectives: maintaining consensus on standards and scope, introducing regular reviews to keep IoT security programs up-to-date with technological change, and ensuring that all phases of the IoT lifecycle are appropriately addressed.

Recommendation 7: Governments should pursue outcomes-based approaches to consumer IoT security rooted in agreed-upon basic security principles and maintain similar definitions for products considered “in-scope.” Efforts to secure consumer IoT should be rooted in widely recognized desirable security outcomes, though countries may find benefits in slightly different standards to achieve those outcomes. This focus on outcomes is already evident in the approaches taken by leading standards bodies: NIST notes that its “baseline product criteria for consumer IoT products are expressed as outcomes rather than as specific statements as to how they would be achieved,”¹¹⁹ while ETSI says that its “provisions are primarily outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products.”¹²⁰ ETSI EN 303 645 already underpins national efforts in the United Kingdom, Singapore, Australia, Finland, Germany, India, Vietnam, and elsewhere, which goes a long way to ensuring a degree of uniformity in this space. As these countries have implemented national programs, they have supplemented the main ETSI EN 303 645 provisions with additional principles from other bodies, such as Singapore’s Infocomm Media Development Authority (IMDA) and Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI). While some variation among requirements is perhaps inevitable, it can risk becoming onerous for IoT vendors as additional provisions proliferate across jurisdictions. This highlights the importance of encouraging countries to strive for similar outcomes and not just standards. Other IoT security frameworks may be referenced to bolster specific aspects of IoT security that are outside the scope of guidance found in standards such as ETSI EN 303 645, particularly those that extend beyond the device hardware and into the product’s related software and apps. For instance, the App Defense Alliance has a framework that may be useful to reference while developing apps that are partnered with physical IoT products.

Similarly, governments must remain aligned on the products they consider “in-scope” for their IoT security efforts. ETSI EN 303 645, for example, covers “consumer IoT products that are connected to network infrastructure (such as the Internet or home network) and their interactions with associated services,” and provides a non-exhaustive list of examples that includes:

Connected children’s toys and baby monitors; connected smoke detectors, door locks and window sensors; IoT gateways, base stations and hubs to which multiple products connect; smart cameras, TVs and speakers; wearable health trackers; connected home automation and alarm systems, especially their gateways and hubs; connected appliances, such as washing machines and fridges; and smart home assistants.”¹²¹

Governments should consider how far to draw the line on systems, devices, and services with which IoT products connect—thinking about IoT cloud applications and other services that might fall under the scope of security baseline enforcement. For instance, the language in the UK’s PSTI Bill—as written—excludes many IoT products from the scope of an IoT device, thus limiting the potential benefits of a mandated security baseline. As a starting point, governments should consider enforcing the baseline on all IoT products as well as on the systems and services on which IoT products depend to function. For example, if an IoT cloud application breaking would stop an IoT product from functioning, governments should consider including that in the scope of a default password mandate. Governments should delegate this task to the relevant cybersecurity standards agency and then embed the recommended definitional scope in legislation, regulation, and other requirements.

Recommendation 8: Governments and industry should review and, if necessary, update their respective tiers of standards every two years. Technology changes quickly, and future efforts must ensure that guidance for security keeps up with the evolving security landscape. Further, there is a question of “moving goalposts”—once a government, for example, has success in requiring industry to meet the Tier 1 baselines, it should aim to raise the baseline even further through additional updates. Nonetheless, while standards can provide more specific guidance for organizations, governments should also consider mapping those evolving standards to a set of broader, desired security outcomes. Then, governments and industry should revisit and, if necessary, update their respective tiers of standards every two years, initiating update processes ahead of that two-year timeline such that the final updated guidance is ready for release at, or ahead of, the end of the two-year interval. Updating requirements each year with appropriate government, industry, and civil society consultation may require too much time and too many resources needed elsewhere, but without regular updates (e.g., every two years), IoT cybersecurity standards will become quickly outdated. On the international stage, standards bodies, including the ETSI and ISO, should continue to adapt guidelines as technological circumstances change and new information becomes available. This process should discard outdated and ineffective standards (or even contradict or undermine new security guidance), modify existing standards based on new technologies and risks, and consider adding new standards to each tier given the current rate of progress. To implement these changes into regulation, the UK’s approach of empowering the DCMS secretary to define baseline security requirements—rather than “hard coding” them into legal text—provides an excellent model for replication. Law is extremely slow to change. However, if the appropriate agency or agencies receive the power to produce regulations and modify enforcement mechanisms within a stated scope of authority—and with appropriate government, industry, and civil society consultation—this would result in more regularly updated and thus more relevant and useful IoT security requirements.

Recommendation 9: Governments should develop additional guidance around the sunsetting phase of the IoT product lifecycle. As illustrated in this report, many existing IoT security frameworks heavily skew towards the design, development, sale and setup, and maintenance phases of the lifecycle. Across best practice guidance, technical standards, and labeling and certification schemes, there is comparatively little IoT security focus on what happens when products are no longer receiving software security updates or must otherwise reach their end of life—and what manufacturers, vendors, and/or buyers should do to prepare for and handle that eventuality. This is a considerable oversight in the existing IoT security approaches. It also risks replicating a problem seen before with more conventional parts of the internet ecosystem, such as organizations needing to use old products and systems long after it is reasonably secure to do so (e.g., those running Windows 95). Governments should therefore develop additional guidance around the sunsetting phase, through their respective organizations designated with technical standard-setting. Producing this sunsetting guidance will take time and should not necessarily hold up the development and deployment of the minimum baseline tier of IoT security certification, but it is essential for addressing all parts of the IoT product lifecycle in a security approach.

These recommendations provide a sensible starting point to address the economic incentive issues that sustain consumer IoT’s insecurity while promoting the core policy objectives of eliminating the most glaring vulnerabilities, harmonizing requirements across jurisdictions, encouraging greater prioritization of security by manufacturers, increasing consumer awareness, and making an overdue impact without further delay. Implemented and updated continuously, this would help drive towards a world in which IoT product manufacturers build in better security from the start—referencing many of the same sets of baseline security standards, roughly consensus and harmonized across jurisdictions—and every other actor in the supply chain follows, with manufacturers and vendors displaying understandable cybersecurity labels on products, retailers enforcing security requirements on those manufacturers and vendors, buyers looking to labels and other security guidance, and regulators ensuring that IoT security is better implemented across the entire device lifecycle.

Measuring success

As with many cybersecurity issues, simple quantification of the problem is challenging. The discovery of a single vulnerability—whether in the product itself or in commonly used software packages—can mean that millions of IoT products are suddenly at risk. But methods to better understand and quantify IoT security risk are needed, both to better understand the nature of the problem and to measure the success of policy interventions and security standards. Several data points may prove helpful in enhancing understanding of the overall threat ecosystem presented to IoT products.

Information on the number of in-scope products: One widely cited study from Transforma Insights, a market research firm, estimates that the number of active IoT products will grow to 24.1 billion by 2030, up from 7.6 billion in 2019, expanding on average 11 percent per year.¹²²
Information on attacks: After coming online, on average, an IoT product is probed within five minutes by tools that scan the web for vulnerable products, and many are targeted by exploits within 24 hours. Attacks on a simulated smart home, constructed by the UK consumer group called “Which?”, reached 12,000 in a single week.¹²³ Kaspersky, a cybersecurity firm, maintains a network of “honeypot” devices to learn more about attacks, and measured 1.5 billion IoT attacks over the first half of 2021, up from 640 million over the same period a year prior.¹²⁴ Defining an “attack” can be another tricky question, with some definitions including activities that range from a relatively benign probe by a popular scanner tool to an all-out compromise of the device. It would perhaps be most fruitful to focus efforts on activities that hint at active malicious activity, such as brute-forcing attempts or attempts to employ remote code execution exploits.
Information on product insecurities: Unit 42, a team of threat intelligence researchers at Palo Alto Networks, estimates that 57 percent of smart devices are susceptible to medium- or high-severity attacks, while 98 percent lack encryption in their communications, putting confidential personal information at risk.¹²⁵ Default manufacturer passwords, often the same for thousands of devices, provide some of the simplest entry points in the compromise of a device. In 2017, researchers at Positive Technologies found that five login/password combinations—support/support, admin/admin, admin/0000, user/user and root/12345—granted access to 10 percent of internet-connected devices.¹²⁶

Measuring the impact of labels, standards, and legislation is harder still. In the UK, DCMS published cost-benefit analysis in parallel with the filing of the PSTI Bill. This report represents one of the more admirable efforts to quantify this risk and the potential benefits of intervention. But as the NCSC notes, analyzing the cost of intrusions specific to connected consumer products is very difficult today, as the user does not necessarily notice the attack, and the line between what is and is not an attack may be blurry from an outside observer’s perspective.¹²⁷ Better methods to measure the impacts of policy interventions must continue to be the subject of research. An initial—and non-exhaustive—list of these metrics may include:

Percent/number of products that meet various levels of security (as defined by ETSI/NIST/other frameworks).
Percent of products using default passwords.
Number of products infected with Mirai and other IoT malware.
Percent of products sold whose company has a vulnerability reporting contact.
Average response time / patch release time for critical vulnerabilities by product.
Percent/number of unpatchable products in operation.
Percent/number of products no longer receiving security updates in operation.
Percent of customers who say they use product security as a key buying criterion.
Percent of customers who say they trust the security of their IoT products.
Number of IoT product vulnerabilities with high CVSS scores publicly disclosed (the assumption being at first a deluge of reporting as researchers start to focus on these products, and with time the number of found vulnerabilities decreasing).

What’s next for labeling

Throughout the conversations with government and industry players, one point of worldwide consensus shines through: there is a solid appetite to adopt some sort of labeling scheme for consumer IoT devices. The benefits of such a scheme are plentiful. The ability to collect information on product security and having that information public offers exciting possibilities. Access to such information empowers purchasers and supports researchers and auditors in doing their work. IoT vendors have also recognized the benefits of labels from a marketing perspective, allowing them to use product security as a clearly articulated, understandable differentiator.

While the interest in labeling is there, the logistics are still lacking. There is a slew of details that need ironing out down the road. Getting them right is important for the IoT, and, as such, labeling merits future dedicated study. Plenty of questions exist around label design: How should it look? What information should it communicate? Beyond that are the bigger questions of how the system itself should work: Who could issue labels? What information would be needed to award a label? Where would that information be kept and stored, and how could it be accessed? Many details need workable answers—and there are lots of proposed ideas to sort through—before a labeling scheme can roll out on a global scale.

Conclusion

Inadequate security for consumer IoT products is just one of many difficult emerging technology issues that require global coordination among public and private sector actors. A range of parallel efforts exist to address wide-ranging digital challenges, such as protecting the privacy of personal data, addressing anti-competitive behavior by tech giants, and countering online misinformation. The steady march of technology means that poorly designed interventions risk irrelevance. Moreover, they leave the IoT more vulnerable to harm from the unintended consequences they should prevent.

Despite the perennially crowded global to-do list, reducing the threats from insecure consumer IoT products is overdue, attainable, and worthy of the world’s attention. This report likely gives short shrift to the many benefits of consumer IoT, but fully realizing its potential requires addressing its worst failings. These deficiencies—rooted not merely in technology but, more so, in economic incentives—means that the IoT demands better policy intervention. A litany of proposals has at last turned into momentum behind some reasonable, consensus measures. As one interviewee said, “we cannot let the perfect become the enemy of the good.”

From botnets that menace internet infrastructure to universal default passwords that allow hackers to invade user privacy, the impact on consumers is real, with risks that multiply in tandem with the number of connected devices. As Nathaniel Kim, Bruce Schneier, and Trey Herr contend, “these attacks are all the byproducts of connecting computing tech to everything, and then connecting everything to the Internet.”¹²⁸ Unlike traditional appliances, which tend to degrade over predictable timescales and stop working individually, “computers fail differently.”¹²⁹ They all work fine, until one day, the discovery of a vulnerability means finding a fix for all products of that particular model. As more and more things continue to become computers, they will increasingly fail like computers. The world needs processes, norms, and global standards that fit for this new reality.

Appendix I

Country-specific implementation plans

This section discusses tangible, high-impact next steps that the UK, Singapore, Australia, and the United States can each take to bring about the global multi-tier system for IoT security detailed in our recommendations.

As noted earlier, this research seeks to capitalize on existing momentum, whether international or intranational. There are multiple viable paths for governments that are consistent with our vision to (1) rid the world of IoT’s most glaring vulnerabilities and (2) harmonize international efforts to make it easier for firms to manufacture and sell products with even stronger security features. This implementation plan aims to nudge their approaches towards greater consistency, as opposed to calling for dramatic about-faces.

UK

Tier 1. Set the Baseline of Minimally Acceptable Security:

Of the four countries examined in this report, the UK is closest to creating a mandatory baseline for a broad range of IoT products sold in its market. The PSTI Bill, currently advancing in the House of Lords, will set minimum security requirements for manufacturers and couple them with potent enforcement mechanisms. By empowering the DCMS secretary to set these guidelines, this baseline can keep pace with technological change without the need to constantly rewrite legislation. The UK government should take the following actions:

Pass the legislation. The most obvious and immediate next step is for parliament to enact the PSTI Bill. Thus far, the proposed law has made its way through the legislative process with its core provisions intact. While it does not address everything on the wish list of security advocates, it is an ambitious effort that lawmakers should approve. The House of Lords has recommended a sensible amendment that will also protect security researchers conducting legitimate vulnerability research from intimidation and lawsuits by manufacturers.¹³⁰ Given that the countdown for firms to comply with the new law begins one year after the bill receives Royal Assent—and that it has already been nearly nine months since its filing—consideration of further amendments should take into account the additional time they will add to the process.
Identify a regulator. While the DCMS will define the cybersecurity provisions that manufacturers must abide by, it will not be the agency that enforces them. At the time of publication, the UK government had not publicly named the regulator responsible for enforcing the baseline product requirements. In its 2021 consultation, the DCMS sought recommendations on agencies well-positioned to serve in this role. Multiple respondents highlighted Trading Standards as a natural fit given its consumer protection role under Schedule 5 of the Consumer Rights Act 2015. Another was Ofcom, the UK’s communications regulator.¹³¹ The DCMS has also consulted with the Office for Product Safety and Standards in the Department for Business, Energy, and Industrial Strategy, another consumer product safety regulator.¹³² This report does not have a specific recommendation as to the best-positioned agency to assume this role, but the government should announce this decision and begin to build out the key elements of its enforcement capacity.

Tier 2. Incentivize Above the Baseline:

Unlike the other three countries profiled in this report, the UK government has for now explicitly rejected the approach of device labeling, choosing to initially focus the bulk of its efforts on setting the first tier of a mandatory baseline. Despite the challenges with cybersecurity labels, the team views them as the best option for encouraging manufacturers to invest in greater security as well as providing consumers with accessible information. In partnership with NCSC, the DCMS should:

Provide “forward guidance” on provisions that it aims to mandate next. Like a good central bank, the DCMS should provide predictability in its intended future actions while remaining flexible to change in the face of new information. While the UK plans to begin with the so-called “top three” measures in its initial list of mandatory requirements, one of the key design principles of its approach is the ability to gradually ratchet up the baseline with new provisions. Through public announcements and meetings with industry, DCMS can telegraph where regulation is headed and allow security-minded firms to bring their products into compliance before the measures become mandatory. For starters, the DCMS should look to the World Economic Forum (WEF) statement that highlights two additional ETSI principles as the logical next steps: ensure that products communicate securely and safeguard personal data.¹³³ Other impactful measures could include a guideline requiring manufacturers to provide security updates for a minimum period consistent with the average length of time consumers use a product, which can vary by product category. The DCMS could go even further by publishing the planned effective dates of new security requirements years in advance. These provisions can change as cybersecurity threats and commercial considerations change.
Study the impact of cybersecurity labels in other markets and be prepared to reevaluate if they achieve results. Thus far, research on cybersecurity labeling for smart devices remains largely limited to surveys about consumers’ hypothetical willingness to pay more for products that have an indicator of greater security. Now that several countries have introduced labeling programs, users should begin to see “real world” data on their performance, both as it relates to changing consumer behavior and in addressing the downstream ills of insecure devices. If it becomes apparent that one or more of these labeling approaches are achieving success—or gaining traction as an international standard—the UK government should remain open to adopting it in its market.

Singapore

Tier 1. Set the Baseline of Minimally Acceptable Security:

While Singapore’s CLS for consumer IoT is largely voluntary, it provides the regulatory infrastructure for a program that gradually expands to establish a baseline level of security for all devices. Internet routers sold in its market already must meet the provisions of the CLS Tier 1 label, which map directly to the UK’s “top three” requirements that will be enforced with its proposed PSTI Bill. In consultation with IMDA and other partners, the CSA should:

Make the Tier 1 label mandatory for more product categories. Internet routers have been a wise starting point: they have an outsize presence in today’s botnets and can have security knock-on effects that threaten consumers’ other smart home devices. Perhaps unsurprisingly, routers now account for over half of the CLS labels issued.¹³⁴ The CSA should consider the next highest priority product categories that will need to meet these minimum security measures, incorporating criteria like the (lack of) maturity in the category’s cybersecurity features and the privacy risk to individuals if compromised. IP cameras, connected baby toys, and smart locks are strong candidates.
Add to the security provisions required as part of the Tier 1 label, especially those related to secure development practices. CLS includes 76 security provisions, with roughly half required by one or more of its tiers, while the others are merely recommended. The first tier currently has 13 required provisions. Tier 2, which primarily concerns product lifecycle and secure development practices, has 17 required provisions—eight drawn from ETSI EN 303 645 and nine from the IMDA’s IoT Cyber Security Guide. Over time, the CSA should aim to collapse the most impactful Level 2 requirements into Level 1, while removing those not seen as value-added. Alternatively, the CSA could keep the same provisions in each CLS level and gradually require that devices meet the second level. Since both CLS Levels 1 and 2 rely on manufacturer self-attestation, these changes should not require any operational changes in administering the program.

Tier 2. Incentivize Above the Baseline:

CLS has seen dramatic growth since the beginning of 2022, with the number of labels issued tripling during that timeframe. But the gains are not evenly distributed: of the 176 labels issued by CSA as of July 2022, 148 are at the Level 1 designation, an additional 16 are at Level 2, and 10 are for Level 4.¹³⁵ As mentioned earlier, many of the recipients of labels are internet routers, where the Level 1 label is mandatory. A key selling point of its multi-tier system is the ability to provide manufacturers with a reason to go above and beyond the bare minimum. To this end, CSA should:

Conduct a review of the program’s effectiveness in addressing the core problems associated with IoT insecurity and publish the findings. As the country with the most mature cybersecurity labeling program, Singapore is in a unique position to gather information on the successes and challenges of this regulatory approach. How have consumers adapted their purchasing behavior since its launch? Has the number of insecure devices sold in Singapore decreased? What have been the challenges for firms? Have there been impacts beyond Singapore’s borders? This review could also help improve the structure of the program. For example, it might review the fitness of the CLS tier structure. The inclusion of more levels makes sense if it adds to the range of choice for consumers and manufacturers to select the appropriate certification level that meets their needs. If no one selects it—currently the case for CLS Level 3—it is possible to simplify the scheme. The report’s “Measuring Success” section includes some example metrics that could help gauge a topic that is notoriously difficult to quantify. The results will be helpful for Singapore, but just as critically, for the large number of countries and industry bodies that are experimenting with cybersecurity labels for IoT products.
Pursue an agreement with Germany for mutual recognition of cybersecurity labels. Finland and Singapore’s agreement shows that binary and multi-tier labeling approaches need not conflict. Germany, which recently launched its own binary label in January 2022, should also join the bilateral agreement between Singapore and Finland for mutual recognition. All three countries draw largely from the same list of ETSI EN 303 645 security provisions. Partnering with a market of Germany’s size will add significant momentum for Singapore’s approach to securing IoT, while reducing the burden of duplicate testing and certification for firms. This approach should be pursued for any country that adopts an IoT labeling program found to be largely compatible with the existing Singaporean program.
Consider measures to encourage broader adoption of the labeling scheme. Anecdotal evidence suggests that many security-minded firms have been eager to participate in the program, but the CSA should continue to search for ways to increase its attractiveness. While the program will eventually need to generate revenue to cover its costs, CSA could extend the moratorium on application fees for an extended period, or even subsidize testing for devices at higher levels of security.

Australia

Tier 1. Set the Baseline of Minimally Acceptable Security:

Since the conclusion of its Call for Views in August 2021, Australia’s DHA has been relatively quiet in public on its path forward for the regulation of consumer IoT. Whatever its ultimate action, it is evident that Australia aims to take a more hands-on approach than its past voluntary measures. To establish this minimum baseline, the DHA should:

Select a regulatory approach for mandating basic security requirements for devices sold in its market. Australia has multiple approaches at its disposal and should continue to study the benefits and drawbacks of programs in the UK, Singapore, and elsewhere. The options it is most seriously considering are either a mirror image of the UK’s minimum security standards or a four-level “graded shield” that appears very similar to Singapore’s CLS. Australia’s voluntary Code of Practice, which aligns with ETSI EN 303 645, should provide a strong foundation that will have prepared Australian businesses for more stringent enforcement.
If pursuing a minimum security standard, align its approach with the PSTI Bill’s planned enforcement measures. At a minimum, these measures should include the “top three,” banning universal default passwords and mandating vulnerability reporting contacts and transparency on security updates. Preferably, it would also include additional provisions on securing personal data, encrypted communications, and minimum acceptable support periods for security updates. Currently, Australian Consumer Law does not require firms to adhere to any principles meant to reduce cyber risk, “only that they cannot make misleading or deceptive representations about the cyber security of their products.”¹³⁶ This baseline could be achieved either through a new law, modeled on the UK’s PSTI Bill, or an expansion of Australia’s existing Consumer Law to incorporate protections against the most basic flaws in cybersecurity in its definition of “acceptable quality” and “fit for purpose.”¹³⁷
If pursuing a multi-level labeling approach, follow a strategy of gradual mandates by product category. Given that it seems most drawn to a multi-tier label mirroring CLS, the clearest path for Australia is to follow Singapore’s strategy and gradually mandate a tier 1 label by product type, beginning with high-priority items like internet routers. The labeling scheme should include a broad definition of in-scope products, drawing from ETSI’s definition of smart devices. In addition to expanding mandates by product category, DHA can also raise the baseline over time by advancing along the other “axis” of incorporating more security provisions from higher security levels into its base tier.

Tier 2. Incentivize Above the Baseline:

The approach for incentivizing action to instill even greater security measures in its smart device market is highly related to Australia’s method for enforcing its baseline. As DHA notes, these measures need not be mutually exclusive. To promote a higher tier of security, it should:

Select a cybersecurity labeling approach. A study conducted by the Behavioral Economics Team of the Australian Government compared the effects of multiple label options on consumers, finding that “participants were more likely to choose a device with a cyber security label than one without a label, by 13–19 percentage points.”¹³⁸ While the graded shield was most impactful, it found that “expiry labels were still effective” and “a high security level or long expiry date increased the likelihood of choosing a device.”¹³⁹ Each of these options appears likely to have its own benefits and drawbacks, but it is time to choose one and move forward with it.
If pursuing an expiry date-label, study its effect and publish the findings. If it follows through on this proposal, Australia would be the first to introduce a label that indicates the length of time manufacturers will provide security updates to the product. Studying this approach can help answer several questions about the impact of cybersecurity labels, particularly around the sunsetting phase. For example, are consumers incentivized to purchase devices at a discount that are about to go “off warranty”? As stated earlier, there is nothing wrong with national-level experimentation, as it can be beneficial in formulating new approaches that may be suitable for broader adoption.
If pursuing a “graded shield” label, agree to mutual recognition with Singapore and other participating countries. The four-level labeling scheme that Australia appears likely to pursue bears many similarities with Singapore’s CLS. In this case, the two countries should aim to bring their programs into close harmony, including the definitions of in-scope devices, the security provisions included in each tier, and the processes for self-attestation and third-party testing. Over time, the DHA should work with the CSA to ensure that the programs evolve together with consistency. Australia should then join the bilateral agreement with Finland for mutual label recognition, as well as a proposed agreement with Germany.

United States

Tier 1. Set the Baseline of Minimally Acceptable Security:

In comparison to other jurisdictions, the United States has preferred a less interventionist approach. There are two main exceptions: the two states that have enacted legislation to impose minimum security standards on IoT products, as well as the IoT Cybersecurity Improvement Act of 2020 which requires federal agencies to only procure devices that meet NIST security guidelines. In this context, the team recommends:

States should pass and enforce their own IoT security laws. California and Oregon led the way but should expand their laws to focus on more specific guidance for organizations and manufacturers less versed in cybersecurity, rather than just focusing on concepts like “reasonable security.” Ideally, they will do so in a way that does not lock in specific security measures into legal text but instead points toward another regulatory mechanism that more easily updates standards, such as the UK’s approach of empowering an agency to maintain these standards, or points them to guidelines set for federal government agencies by NIST. More states should follow in their footsteps, putting forth IoT security laws that incorporate the standards outlined by the US government, as well as considering standards established by others around the world. The states that have implemented these laws should also study their impact. It is not apparent that any enforcement actions have yet occurred, which indicates one of two possible scenarios: all devices sold in their markets are now compliant, or enforcement has been insufficient. The latter seems more likely than the former.
The federal government should adopt the binary labeling approach proposed by NIST. In NIST’s February 2022 publication “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products,” the organization recommends pursuing a binary labeling approach.¹⁴⁰ In this scenario, there would exist a single label stating that a product has met baseline security standards. Implementing the binary label would be a first step towards goals such as defining minimum security standards, creating and implementing a labeling program, and starting to broadcast to consumers what they should be looking for when purchasing IoT products. Among other details, this will require identifying an owner for the program, and the FTC would be the strongest candidate.

Tier 2. Incentivize Above the Baseline:

President Biden’s 2021 Executive Order 14028 (Improving the Nation’s Cybersecurity) directed NIST to design a labeling program for IoT devices, which should also serve as a mechanism to encourage the adoption of security measures that exceed the minimum baseline. The program’s ultimate owner should:

Provide incentives for industry to obtain labels. The US may look to Singapore and other countries that have adopted labeling programs to see how companies have been encouraged to participate in a labeling program and reach for higher tiers. Fee waivers for label applications may be a good way of incentivizing participation during the first few years of the program. Industry would likely react positively to some form of compensation for the third-party testing required to earn a higher label.
Provide liability protection for firms that pursue the higher, tier 2 security standards. Experts have indicated that many players in industry would be incentivized to pick up higher security standards in exchange for liability protections. There are various types of liability protections that may be considered here, and this report leaves such determination up to the regulatory body. The implementation of such liability protection may take the form of a law passed by Congress outlining these protections, or conversely may come in the shape of a publicly articulated approach by the FTC.

Authors and acknowledgements

Patrick Mitchell is a consultant with the Atlantic Council’s Cyber Statecraft Initiative. He recently graduated from the Master in Public Policy program at Harvard University’s John F. Kennedy School of Government, where he studied issues at the intersection of emerging technology and global affairs, including a second-year thesis on international efforts to improve IoT security. Prior to this, he interned with the UN Secretary-General’s Office and worked for several years as a consultant with Accenture, where he supported federal, state, and local government agencies on projects related to technology strategy and digital transformation. He also holds a B.S. in Management from Boston College.

Justin Sherman is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative, where his work focuses on the geopolitics, governance, and security of the global Internet. He is also a senior fellow at Duke University’s Sanford School of Public Policy and a contributor at WIRED Magazine.

Liv Rowley is a former assistant director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). Prior to joining the Atlantic Council, Liv worked as a threat intelligence analyst in both the US and Europe. Much of her research has focused on threats originating from the cybercriminal underground as well as the Latin American cybercriminal space. Liv holds a BA in International Relations from Tufts University. She is based in Barcelona, Spain.

Acknowledgments: The authors thank Kat Megas, James Deacon, and Rob Spiger for their comments on earlier drafts of this document and Trey Herr and Bruce Schneier for support. Thanks to Nancy Messieh for her support with data visualization. The authors also thank all the participants, who shall remain anonymous, in multiple Chatham House Rule discussions about the issues.