This is the 2nd installment of the Unlocking Economic Development in Latin America and the Caribbean report, which explores five vital opportunities for the private sector to drive socioeconomic progress in LAC, with sixteen corresponding recommendations private firms can consider as they take steps to support the region.

How does the private sector perceive Latin America and the Caribbean (LAC)? What opportunities do firms find most exciting? And what precisely can companies do to seize on these opportunities and support the region’s journey toward recovery and sustainable development? To answer these questions, the Atlantic Council collaborated with the Inter-American Development Bank (IDB) to glean insights from its robust network of private-sector partners. Through surveys and in-depth interviews, this report identified five vital opportunities for the private sector to drive socioeconomic progress in LAC, with sixteen corresponding recommendations private firms can consider as they take steps to support the region.

Accelerating digitalization and innovation

When asked about areas where they see themselves making an important social impact, 47 percent of surveyed services firms selected “digital transformation,” making it the second most impactful area only after “economic growth and job creation” (as shown below in Figure 7). Indeed, the private sector can unlock the three enablers (infrastructure, skills, and adoption), thus helping the region materialize its digital friendliness into better digital outcomes. In particular, firms in the services industries (financial, telecommunications, and information technology) consider digital transformation a vital part of their responsibility and contribution to society.

Recommendations for the private sector

The private sector is well positioned to help LAC economies, governments, and citizens make the most of its digital-innovation potential. As employers, service providers, consumers, partners, and investors, companies can leverage an ecosystem approach to enhance digital infrastructure, skills, and adoption within and across countries, delivering better digital outcomes conducive to economic inclusion and competitiveness.

1. Improving digital infrastructure: Firms can help strengthen digital connectivity in LAC, both operationally (as information and communication technology (ICT) product and service providers and investors can help strengthen digital connectivity in LAC operationally and financially.
2. Fostering skills: Employers and employees should stay innovative and competitive in an increasingly digitized economy through upskilling, reskilling, and workforce-development programs.
3. Promoting adoption: Multinational corporations (MNCs) can accelerate digital development by undertaking internal digital transformation and spurring adoption among suppliers and other businesses within their entrepreneurial ecosystems.

About the author

Staff

Pepe Zhang

Senior Fellow

Adrienne Arsht Latin America Center

China Coronavirus

Related content

Report Jun 5, 2023

Enhancing market size, scalability, and regional integration in Latin America and the Caribbean

By Pepe Zhang

To sustain the ongoing recovery against short-term headwinds and boost inclusive, productive, and sustainable development in the long term, governments cannot, and should not, act alone. The private sector can strengthen the hard and soft infrastructure supporting Latin America and the Caribbean’s economies, while drawing them closer together through trade, regulatory, and other integration.

Americas Economy & Business

Report Jun 20, 2023

Improving state governance, institutional capacity, and transparency

By Pepe Zhang

To sustain the ongoing recovery against short-term headwinds and boost inclusive, productive, and sustainable development in the long term, governments cannot, and should not, act alone. Technological, governance, and other cooperation between the public and private sectors can enhance institutional capacity, integrity, government service delivery, and regulatory quality in LAC.

Americas Inclusive Growth

Report Jun 22, 2023

Addressing multidimensional inequality

By Pepe Zhang

To sustain the ongoing recovery against short-term headwinds and boost inclusive, productive, and sustainable development in the long term, governments cannot, and should not, act alone. Private-sector actions to reduce gender inequality, like level the playing field between SMEs and large firms and narrow the urban-rural divide, can enable a more inclusive economy for LAC.

Americas Inclusive Growth

Report Jun 26, 2023

Meaningfully advancing the green agenda

By Pepe Zhang

To sustain the ongoing recovery against short-term headwinds and boost inclusive, productive, and sustainable development in the long term, governments cannot, and should not, act alone. Private firms can help advance the green agenda by working to create green jobs, taking measures to promote a transition to a circular-economy model, and partaking in green finance.

Americas Climate Change & Climate Action

Online Event Thu, February 17, 2022 • 9:00 am ET

#ProactiveLAC: A digital future for regional prosperity

A virtual conversation on the role of public-private partnerships and policy actions in increasing digital connectivity across Latin America and the Caribbean.

Coronavirus Digital Policy Inclusive Growth Latin America

The Adrienne Arsht Latin America Center broadens understanding of regional transformations and delivers constructive, results-oriented solutions to inform how the public and private sectors can advance hemispheric prosperity.

Explore more

The post Accelerating digitalization and innovation in Latin America and the Caribbean appeared first on Atlantic Council.

The connection of mundane household gadgets, industrial machinery, lifesaving healthcare technologies, vehicles, and more to the Internet has probably helped modern society to be more convenient and efficient. IoT devices worldwide number over 13 billion, a number that is estimated to balloon to over 29 billion by 2030. For all its benefits, the resultant web of connected devices, collectively known as the Internet of Things (IoT), has exposed everyday users, as well as entire economic sectors, to cybersecurity threats. For example, criminal groups have exploited IoT product insecurities to infect hundreds of thousands of devices around the world with malware in order to enlist them in distributed denial-of-service attacks against targets. 

Inadequate cybersecurity across the IoT ecosystem is inherently a US national security issue due to IoT’s ubiquity, integration across all areas of life, and potential to put an incredible number of individuals’ data and physical safety at risk. We brought together five experts from various backgrounds to assess the national security challenges posed by IoT and discuss potential solutions.

#1 What isn’t the Internet of Things (IoT)?

Irina Brass, associate professor in regulation, innovation, and public policy, Department of Science, Technology, Engineering, and Public Policy (STEaPP), University College London:

“IoT is not just our everyday physical devices embedded with sensing (data capture) or actuation capabilities, like a smart lightbulb or a thermostat. ‘Smart’ devices are just the endpoint of a much more complex ‘infrastructure of interconnected entities, people, systems and information resources together with services, which processes and reacts to information from the physical world and virtual world’ (ISO/IEC 20924: 2021). This consensus-based definition, agreed in an international standard, is particularly telling of the highly dynamic and pervasive nature of IoT ecosystems which capture, transfer, analyze data, and take actions on our behalf. While IoT ecosystems are functional, poor device security specifications and practices in these highly dynamic environments create infrastructures that are not always secure, transparent, or trustworthy.”

Katerina Megas, program manager, Cybersecurity for the Internet of Things (IoT) Program, National Institute of Standards and Technology (NIST):

“Likely very little, which would explain why the US National Cyber Director, Chris Inglis, at a NIST public workshop [on August 17, 2022] referred to the ‘Internet of Everything.’ IoT is the product of the worlds of information technology (IT) and operational technology (OT) converging. The IoT is a system of interconnected components including devices that sense, actuate, collect/analyze/process data, and are connected to the Internet either directly or through some intermediary system. While a shrinking number of systems still fall outside of this definition, what we used to think of as traditional OT systems based on PLC architectures with no connectivity to the Internet are, in fact, more and more connected to the Internet and meet the above definition of IoT systems.”

Bruce Schneier, fellow, Berkman-Klein Center for Internet and Society, Harvard University; adjunct lecturer in public policy, Harvard Kennedy School:

“Ha! A salami sandwich is not the Internet of Things. A sense of comradeship towards your friends is not the Internet of Things. I am not the Internet of Things. Neither are you. The Internet of Things is the connected totality of computers that are not generally interacted with using traditional keyboards and screens. They’re ‘things’ first and computers second: cars, refrigerators, drones, thermostats, pacemakers.”

Justin Sherman, nonresident fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab):

“There is no single definition of IoT, and how to scope IoT is a key policy and technical question. Regardless, basically every definition of IoT rightfully excludes the core underpinnings of the global Internet itself—internet service provider (ISP) networks that bring online connectivity to people’s homes and offices, submarine cables that haul internet traffic between continents, and so on.”

Sarah Zatko, chief scientist, Cyber ITL:

“IoT is not modern or state of the art. The hardware on the outside may look sleek and shiny, but under the hood there is old software built with out-of-date compilers running on old chip architectures. MIPS, a reduced instruction set computer (RISC) architecture, was used in the largest portion of the IoT products that we have tested.”

#2 Why should national security policymakers care about the cybersecurity of IoT products?

Brass: “Many IoT devices currently on the market have known security vulnerabilities, such as default passwords and unclear software update policies. Users are typically unaware of these vulnerabilities, purchase IoT devices, set and forget them. These practices do not occur just at the consumer level, although there are many examples of how insecure and unsafe our ‘smart homes’ have become. They take place in critical sectors of strategic national importance such as our healthcare system. For instance, the Internet of Medical Things (IoMT) is known to be especially vulnerable to cyberattacks, data leaks, and ransomware because a lot of IoMT devices, such as IV pumps, have known security vulnerabilities but continue to be purchased and remain in constant use for a long time, with limited user awareness of their potential exposure to serious compromise.”

Megas: “I think the combination of the nature and ubiquity of IoT technology are the perfect storm. IoT has taken existing concerns and put them on steroids by increasing both the attack surface and also impacts, if you think of risk as the product of likelihood (IoT is everywhere) and impact (automated interactions with the physical world). In traditional IT systems, a compromised system could produce faulty data to the end user, however, typically there was always a human in the loop that would take (or prevent) action on the physical world based on this data. With the actuating capabilities we are seeing in most IoT and the associated level of automation (which will only increase as IoT systems incorporate AI), the impact of a compromised IoT system is likely going to be higher. As more computing devices are put on the Internet, they become available for botnets to be installed, which can result in significant national economic damage as in the case of Mirai. Lastly, because this technology is so ubiquitous, the vast amount of data collected—from proprietary information from a factory to video footage from a recreational drone to sound sensors collected from around a smart city—can both be accessed through a breach, shared, and used by other nations without anyone’s knowledge, even without a cybersecurity failure.”

Schneier: “Because the security of the IoT affects the security of the nation. It’s all one big network, and everything is connected.”

Sherman: “IoT products are used in a number of critical sectors, ranging from healthcare to energy, and hacks of those products could be financially costly and disrupt those sectors’ operations. There are even IoT devices that can produce physical effects, like small internet-linked machines hooked into manufacturing lines, and hackers could exploit vulnerabilities in those devices to cause real-world damage. In general, securing IoT products is also part of securing the overall internet ecosystem: IoT devices plug into many other internet systems and increasingly constitute a greater percentage of all internet devices used in the world.”

Zatko: “IoT is ubiquitous. Even when a ‘smart’ device is not necessary, at this point it is often difficult or impossible to find a ‘dumb’ one. Their presence often punches holes in network environment security, so they are common access points for attacks.”

#3 What kinds of threats are there to the cybersecurity of IoT devices that differ from information technology (IT) or other forms of operational technology (OT)?

Brass: “The kinds of vulnerabilities per se might not differ—ultimately, you still have devices running software that can be exploited by malicious actors. What differs is the scale and, in some cases, the severity of the outcome. IoT ecosystems are highly interconnected. Compromising a single device is often sufficient to gain the foothold necessary to exploit other devices in the system and even the entire system. The transnational dimension of IoT cybersecurity should also not be neglected. The 2016 Mirai attack showed how compromised IoT devices with poor security specifications (default passwords), located around the world, can be very easily exploited to target internet infrastructure in different jurisdictions.”

Megas: “I am not sure whether there are different threats for IoT, OT, and IT systems. They are converging more and more, so it is not meaningful to try to create artificial lines of distinction. This might be one of those instances where I say the dreaded phrase ‘it depends.’  It is possible that there are some loosely coupled IoT systems in which the components that are IoT devices do not sit behind more security capable components, but are more directly accessing the Internet (and therefore more directly accessible by threat actors). This could mean that vulnerabilities in these IoT systems are more easily exploitable and thus easier targets. Also, the nature of IoT systems that can interact with the physical world could affect the motivations of threat actors. The focus on many risks to traditional IT systems is around the data and its potential theft, but attacks on IoT can impact the real world. For instance, modifying the sensors at a water treatment plant can throw off readings and lead the system to incorrectly adjust how much fluoride is added to the water.”

Schneier: “The IoT is where security meets safety. Insecure spreadsheets can compromise your data. Insecure IoT devices can compromise your life.”

Sherman: “Typically, IoT devices use less energy, have less memory, and have much less computing power than traditional IT devices such as laptops, or even smartphones. This can make it more difficult to integrate traditional IT cybersecurity features and processes into IoT devices. To boot, manufactures often produce IoT devices and products with terrible security—installing default, universal passwords and other bad features on the manufacturing line that end up undermining their cybersecurity once deployed. In part, this happens because smaller manufacturers are essentially pumping IoT devices off the manufacturing line.”

Zatko: “Users often forget to consider IoT devices when they think about their computing environment’s safety, but even if they did, IoT devices are not always able to be patched. Sometimes software bugs in IoT operating systems are hard-coded or otherwise inaccessible, as opposed to purely software products, where changes are much easier to affect. This makes getting the software as safe as possible from the get go particularly important.”

More from the Cyber Statecraft Initiative:

The reverse cascade: Enforcing security on the global IoT supply chain

Raising the colors: Signaling for cooperation on maritime cybersecurity

The 5×5—Reflections on trusting trust: Securing software supply chains

#4 What is the greatest challenge to improving the security of the IoT ecosystem?

Brass: “These days, we very often focus on behavioral change—what can individual users or organizations do to improve their cyber hygiene and general cybersecurity practices? While this is an important step in securing the IoT, it is not sufficient because it places the burden on a large, non-homogenous, distributed set of users. Let us turn the problem around to its origin. Then, the greatest challenge becomes how to ensure that IoT devices and systems produced and sold all over the world have baseline security specifications, that manufacturers have responsible lifecycle care for their products, and that distributors and retailers do not compromise on device security in favor of lower priced items. This is not an easy challenge, but it is not impossible either.”

Megas: “There is a role for everyone in the IoT ecosystem. Setting aside the few organizations developing their own IoT systems for their own use, the majority of IoT technologies are purchased or acquired. One of the challenges that I see is educating everyone that there are two critical roles in supporting cybersecurity of the IoT ecosystem: those of the producers of the IoT products and those of the customers, both enterprise and consumers. While this dynamic is not new between producer and buyers, the relationships in IoT lack maturity. While producers need to build securable products that meet the needs and expectations of their customers, the customers are responsible for securing the product that operates in the customer environment. Identifying cybersecurity baselines for IoT products is a start in defining the cybersecurity capabilities producers should build into a product to meet the needs and expectations of their customers. However, one size does not fit all. A baseline is a good start for minimal cybersecurity, but we want to encourage tailoring baselines commensurate to the risk for those products whose use carries greater higher risk. 

Beyond the IoT product manufacturer’s role, there are network-based approaches that can contribute to better cybersecurity (such as using device intent signaling), that might be implemented by other ecosystem members. Vendors of IoT can ensure that their customers recognize the importance of cybersecurity. Enterprises should consider using risk management frameworks, such as the NIST Cybersecurity Framework, to manage their risks that arise out of the use of IoT technology. Formalizing and promoting recognition of the role in product organizations for a Chief Product Security Officer (CPSO) is also critical. Given that most C-suites and boards are starting to recognize the importance of the CISO towards securing their organizations’ operations, we need to also promote the visibility of the CPSO responsible for ensuring that the products that companies sell have the appropriate cybersecurity features that meet the companies’ strategic brand positioning and other factors.”

Schneier: “Economics. The buyers and sellers of the products don’t care, and no one wants to regulate the industry.”

Sherman: “As with many cybersecurity issues, the greatest challenge is getting companies that have been grossly underinvesting in security to do more, while also producing government regulations and guidance that are technically sound, roughly compatible with regulations and guidance in other countries, and that do not raise the barrier too much so as to cut out small players—though, if we want better security, some barrier-raising is necessary. It is a very boring answer, but there has been a lot of great work done already on IoT security by the National Institute of Standards and Technology, other governments, various industry groups, etc. The central challenge is better coordinating those efforts, fixing bad market incentives, and appropriately filling in the gaps.”

Zatko: “There are so many vendors, and many of them are not capable of producing secure products from scratch. It is currently too hard for even a well-meaning vendor to do the ‘right’ thing.”

#5 How can the United States and its allies promote security across the IoT ecosystem when a large portion of devices are manufactured outside their jurisdictions?

Brass: “Achieving an international baseline of responsible IoT security requires political and diplomatic will to adopt and align legislation that promotes the security of internet-connected devices and infrastructures. The good news is that we are seeing policy change in this direction in several jurisdictions, such as the IoT Cybersecurity Improvement Act in the United States, the Product Security and Telecommunications Infrastructure Bill in the United Kingdom, and several cybersecurity certification and labelling schemes such as CLS in Singapore. As IoT cybersecurity becomes a priority for several governments, the United States and its allies can be the driving force behind international cooperation and convergence towards an agreed set of responsible IoT security practices that underpin legislative initiatives around the world.”

Megas: “Continuing to share lessons learned with others. Educating customers, both consumers as well as enterprise customers, on the importance of seeking out products that support minimum cybersecurity.”

Schneier: “Regulation. It is the same that way we handle security and safety with any other product. You are not allowed to sell poisoned baby food or pajamas that catch on fire, even if those products are manufactured outside of the United States.”

Sherman: “US allies and partners are already doing important work on IoT cybersecurity—from security efforts led by the UK government to an emerging IoT labeling scheme in Singapore. The United States can work and collaborate with these other countries to help drive security progress on devices made and sold all around the world. Others have argued that the United States should exert regulatory leverage over whichever US-based companies it can to push progress internationally, too, such as with Nathaniel Kim, Trey Herr, and Bruce Schneier’s “reversing the cascade” idea.”

Zatko: “By open sourcing security-forward tools and secure operating systems for common architectures like MIPS and ARM, the United States could make it easier for vendors to make secure products. Vendors do not intentionally make bad, insecure products—they do it because making secure products is currently too difficult and thus too expensive. However, they often use open-source operating systems, tool kits, and libraries for the base of their products, and securing those resources will do a great deal to improve the whole security stance.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—The Internet of Things and national security appeared first on Atlantic Council.

Download PDF

Two Pager

Executive summary

The explosion of Internet of Things (IoT) devices and services worldwide has contributed to an explosion in data processing and interconnectivity. Simultaneously, this interconnection and resulting interdependence have amplified a range of cybersecurity risks to individuals’ data, company networks, critical infrastructure, and the internet ecosystem writ large. Governments, companies, and civil society have proposed and implemented a range of IoT cybersecurity initiatives to meet this challenge, ranging from introducing voluntary standards and best practices to mandating the use of cybersecurity certifications and labels. However, issues like fragmentation among and between approaches, complex certification schemes, and placing the burden on buyers have left much to be desired in bolstering IoT cybersecurity. Ugly knock-on effects to states, the private sector, and users bring risks to individual privacy, physical safety, other parts of the internet ecosystem, and broader economic and national security.

In light of this systemic risk, this report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs—one that focuses on the entire IoT product lifecycle, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy. Principally, it analyzes and uses as case studies the United States, United Kingdom (UK), Australia, and Singapore, due to combinations of their IoT security maturity, overall cybersecurity capacity, and general influence on the global IoT and internet security conversation. It additionally examines three industry verticals, smart homes, networking and telecommunications, and consumer healthcare, which cover different products and serve as a useful proxy for understanding the broader IoT market because of their market size, their consumer reach, and their varying levels of security maturity.

This report looks to existing security initiatives as much as possible—both to leverage existing work and to avoid counterproductively suggesting an entirely new approach to IoT security—while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity. It walks through the current state of risk in the ecosystem, analyzes challenges with the current policy model, and describes a synthesized IoT security framework. The report then lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting a baseline of minimally acceptable security (or “Tier 1”), incentivizing above the baseline (or “Tier 2” and above), and pursuing international alignment on standards and implementation across the entire IoT product lifecycle (from design to sunsetting). It also includes implementation guidance for the United States, Australia, UK, and Singapore, providing a clearer roadmap for countries to operationalize the recommendations in their specific jurisdictions—and push towards a stronger, more cohesive multinational approach to securing the IoT worldwide.

Implementation plans by country

Introduction

The billions of Internet of Things (IoT) products used worldwide have contributed to an explosion in data processing and the connection of individuals, buildings, vehicles, and physical machines to the global internet. Work-from-home policies and the need for contact tracing during the COVID-19 pandemic have furthered societal dependence on IoT products. All this interconnection and interdependence have amplified a range of cybersecurity risks to individuals’ data, company networks, critical infrastructure, and the internet ecosystem writ large.

Securing IoT products is inherently critical because IoT products increasingly touch all facets of modern life. Citizens have IoT wearables on their bodies and IoT products in their cars, gathering data on their heartbeats, footsteps, and Global Positioning System (GPS) locations. People also have IoT smart products in their homes—speakers awake to every private conversation, internet-connected door locks, devices that control atmospheric systems, and cameras to monitor young children and pets. Hospitals even use IoT products to control medicine dosages to patients. The ever-growing reliance on IoT products increasingly and inescapably ties users to network and telecommunications systems, including the cloud. IoT insecurity, given this degree of interconnection, poses risks to individual privacy, individual safety, and national security.

The IoT explosion is also poised to impact the security of the internet ecosystem writ large. More IoT products deploy each year, meaning IoT products constitute a significant percentage of devices linked to the global internet. For example, IoT Analytics, a market research firm, estimates that IoT products surpassed traditional internet-connected devices in 2019 and projects that the ratio will be around three to one by 2025.¹ At that scale, poorly secured products (for instance, those with easy-to-guess passwords or with known and unfixed security flaws) can enable attackers to gain footholds in corporate or otherwise sensitive environments and steal data or cause disruption. For instance, hackers could exploit security problems in IoT cameras to break into a building—digitally or physically.² Hackers can break into IoT devices at scale to launch distributed denial of service (DDoS) attacks that bring down internet services for hundreds of thousands or even millions of consumers.

In response to these cybersecurity risks, governments, private companies, industry organizations, and civil society groups have developed a myriad of national and industry frameworks to improve IoT security, each addressing considerations in the product design, development, sale and setup, maintenance, and sunsetting phases. These numerous controls sets and frameworks, however, are a hodgepodge across and within jurisdictions. Within jurisdictions, some governments are charging ahead with detailed IoT security guidance while others have made little substantive headway or have ambiguous policy goals that confuse and impede industry progress. Between jurisdictions, fragmented requirements have chilled efforts by even some of the most security-concerned vendors to act. Consumers, meanwhile, must grapple with IoT product insecurity, bad security outcomes, and ugly knock-on effects to others in their communities and networks—exacerbated by a lack of security information from vendors. Poor outcomes for users, a lack of cross-national harmonization, and gaps between government and industry efforts impede better security in the IoT ecosystem.

Yet, progress is possible. The number of countries and industry actors who have acknowledged one standard alone—European Norm (EN) 303 645, from the European Telecommunication Standards Institute (ETSI)—as a consensus approach alone demonstrates how some baseline security guidance can help drive real, coordinated change.

This report presents a consolidated approach to IoT cybersecurity to reconcile existing national approaches, balance the interest of public and private sectors, and ensure that a product recognized as secure in one jurisdiction will be recognized as secure in others. The framework is not prescriptive to the level of individual controls; rather, it seeks to address the structural priorities of approaches taken by industry coalitions and governments in the United States, United Kingdom (UK), Singapore, and Australia. We focus on these countries because of the maturity of their IoT cybersecurity approaches, their mature cyber policy processes, their historical influence on cybersecurity policy in other countries, and the strong precedent for cooperation across all four.

In considering the effects of this consolidated approach, the report also focuses on three verticals: smart homes, networking and telecommunications, and consumer healthcare. These three provide ready critical IoT product use cases, differentiate in the kinds of technology and products available, and serve as useful proxies for understanding the broader IoT market because of their market size, consumer reach, and varying levels of security maturity.

This report draws on research of IoT security best practices, standards, laws, and regulations; conversations with industry stakeholders and policymakers; and convenings with members of the IoT security community. In principle and wherever possible in practice, the report relies on existing approaches, seeking to create as little new information or guidance as practicable to ease implementation. The first section below describes the state of risk in the IoT ecosystem, including challenges with the current model, insecurity across three IoT industry segments, and a brief history of IoT security efforts and control sets across the United States, UK, Australia, and Singapore as well as industry-led efforts. The second section synthesizes these disparate control sets, mapped against every phase of the IoT product lifecycle. The third (and final section) presents a consolidated approach to IoT security across these four countries and the relevant industry partners—with nine recommendations to address gaps in existing IoT security approaches, disincentivize further fragmentation in standard setting or enforcement, and rationalize the balance between public and private sector security interests. These recommendations come with implementation guidance specific to each of the four countries.

While this report describes some key components of an IoT labeling approach, it deliberately does not prescribe a particular label design. The report leaves open many questions that require more work, including “who” sets label design, “how” companies should pair physical and digital labels, and to “what” extent companies and/or governments should harmonize labels across jurisdictions.

There is an overriding public interest in secure IoT products, and industry players—including source manufacturers, integrators/vendors, and retailers—must be responsive to this interest. The highly disharmonized state of IoT security regulations, however, pulls against that public interest. Moreover, a further doubling down on the current national approaches threatens to worsen the problem. What little compromise in national autonomy this or another consolidated approach might require must be weighed against a more coherent and enforceable scheme where such a scheme produces meaningful security gains for users. To comprehend this need, one should begin by understanding the state of affairs.

The current state of IoT risk

The current IoT ecosystem is rife with insecurity. Companies routinely design and develop IoT products with poor cybersecurity practices, including weak default passwords,³ weak encryption,⁴ limited security update mechanisms,⁵ and minimal data security processes on devices themselves. Governments, consumers, and other companies then purchase these products and deploy them, often without adequately evaluating or understanding the cybersecurity risk they are assuming. For example, while the US government has worked to develop IoT security considerations for products purchased for federal use, private companies routinely buy and deploy insecure IoT products because there is no mandatory IoT security baseline in the United States.⁶

Compromising IoT products is often remarkably easy. IoT products have less computing power, smaller batteries, and smaller amounts of memory than traditional information technology devices like laptops or even smartphones. This makes traditional security software (and its computing and power demands) often impractical in—or less immediately transferrable to—IoT systems. Many IoT botnets (networks of devices infected by malware), such as Mirai and Bashlite, capitalize on this insecurity by seeking to weaponize known vulnerabilities or brute-force access to an IoT product using predefined lists of common passwords. Such passwords may include “123456” or even just “password”.⁷

While these errors seem trivial, they quickly lead to material harm. In late 2016, for example, Mirai infected almost 65,000 IoT devices around the world in its first 20 hours, peaking at 600,000 compromised devices.⁸ The operators of the Mirai botnet subsequently launched a series of DDoS attacks, including against Dyn, a US-based Domain Name System (DNS) provider and registrar.⁹ By taking advantage of security problems in IoT devices, the individuals behind the botnet rendered major websites like PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, and Spotify entirely unavailable to parts of the United States.¹⁰

Criminals infect IoT products with malware that may use the compromised device to execute DDoS attacks, mine for cryptocurrencies on behalf of the attacker, or hold the device hostage pending a ransom paid to the attackers. In 2018, cybercriminals compromised over 200,000 routers in a cryptojacking campaign. They used the computing power of the compromised routers to mine cryptocurrency.¹¹ States also turn to compromising IoT products to create covert infrastructure. A May 2022 report by security firm Nisos revealed that the Russian Federal Security Service (FSB) employed a botnet made up of compromised IoT products to fuel social media manipulation operations.¹²

On top of using IoT devices for larger malware operations, hackers can break into IoT products to spy on people’s everyday lives. They could see adjustments made to a smart thermostat, questions asked to a smart speaker, and workouts logged on fitness wearables. This kind of spying can be a threat to individuals’ privacy and physical safety. In the context of intimate partner violence, abusive individuals may control access to or illicitly access IoT products to spy on and exert control over people, raising serious stalking and physical safety risks.¹³ There are also threats that come from strangers. Trend Micro, in a 2019 report, noted that hackers with access to compromised internet-connected cameras sold subscriptions that allowed others to view the illicitly accessed video streams online. The price of the stream depended on what the camera was looking at, with bedrooms, massage parlors, warehouses, and payments desks at retail shops among the priciest and most sought-after.¹⁴ These products can also be launch points from which attackers conduct further malicious activities. Brazilian fraudsters, for instance, are known to use access to compromised routers to change the compromised devices’ DNS settings to redirect victims to phishing pages for major websites, such as banks and retailers.¹⁵

IoT products, industry segments, and their insecurity

The IoT, on its face, may appear to be a simple concept, but scoping it and understanding the number of systems the IoT touches is more complex. For example, some devices like routers could be “part of” or “separate from” the IoT. There are also questions on the “if, and how” the IoT includes the networks, devices, and products touching it—like IoT sensors linked to outside cloud services to process data, connect to a company’s network to enable administrative oversight and control, and connect to the public internet to communicate with application programming interfaces (APIs). For government and industry policies to be effective, scopes must clearly define the products and services they do and do not include. 

For instance, EN 303 645 guidance—ETSI’s key standard document for IoT security—defines a “consumer IoT device” as a “network-connected (and network-connectable) device that has relationships to associated services and are used by the consumer typically in the home or as electronic wearables.”¹⁶ The US National Institute of Standards and Technology (NIST), meanwhile, defines the IoT in NIST SP 1800-16C as “user or industrial devices that are connected to the internet” including “sensors, controllers, and household appliances.”¹⁷ This report focuses primarily on the IoT products themselves, and in part the services directly dependent on IoT products or on which IoT products directly depend (e.g., a cloud software program for managing an IoT device network). 

The IoT constitutes a massive technology ecosystem with clusters of IoT product design and deployment models, each of which present differentiated cybersecurity risks. Several key examples of industry IoT product segments and some of their security challenges are detailed here, based on their wide deployment, impact on consumers, and touchpoints into other parts of the digital world, whether home Wi-Fi networks or hospital medical systems. 

• Smart Homes: Numerous companies sell IoT products to serve as thermostats, doorbell cameras, window locks, speakers, and other components of so-called smart homes. Apple offers HomeKit integration, a software framework for configuring, communicating with, and controlling smart home appliances.¹⁸ Resideo offers a number of smart home-style products, for both consumer environments—such as thermostats, humidifiers, security systems, and programmable light switch timers—as well as professional environments—such as UV treatment systems and fire and burglary alarms.¹⁹ Philips sells smart lighting products, and Wink sells smart doorbells.²⁰ On the software side, companies like Tuya offer IoT management services to automatically control robotic vacuums, smart cameras, smart locks, and other IoT products in the home.²¹ Google and Amazon both manufacture and sell smart home IoT products, from home security products to smart speakers.²² The cybersecurity risks here include spying on individuals in their homes, using IoT products in the home and workplace to break into other systems (e.g., someone’s work laptop on their home Wi-Fi), and harnessing numerous compromised smart products to create a botnet and launch DDoS attacks.²³
• Networking and Telecommunications Gear: Traditional internet and telecommunications companies, which supply the devices and some of the infrastructure that fundamentally underpins the internet, are moving more into IoT services and devices. Cisco offers Industrial Wireless solutions that include wireless backhaul, private cellular connectivity, and embedded networking for industrial IoT products.²⁴ Extreme Networks offers a Defender Adapter service to provide in-line security for vulnerable wired devices.²⁵ Arista offers a Cognitive Campus service that includes IoT edge connectivity, real-time telemetry, and Spline platforms for connection reliability.²⁶ The cybersecurity risks here include spying on traffic going across networks, using networking and telecommunications entry points to break into other systems, and degrading or disrupting the flow of network data altogether. 
• Consumer Health Products: Companies are offering IoT products and services to support the provision of healthcare and medicine. Philips sells fetal and maternal monitors, MR compatible monitors, patient-worn monitors, and other IoT products to monitor vitals.²⁷ Medtronic sells glucose monitoring and heart monitoring products.²⁸ Honeywell Life Sciences offers embedded products and safety solutions for hospitals.²⁹ Dexcom offers a glucose monitoring smart wearable, and ResMed offers a phone-connected product for sleep apnea.³⁰ The cybersecurity risks here include stealing highly sensitive medical data and manipulating device data or disrupting product operations in ways that physically threaten human life. 

Numerous companies, from telecommunications gear manufacturers to medical equipment suppliers, have a stake in security debates about IoT products. Many industries do as well, from home security to industrial manufacturing, and many of their products and services overlap and integrate. Yet, similarities between sector products and their cybersecurity risks do not change the fact that widespread IoT insecurity merits meaningful improvement.

Policy challenges to addressing IoT risk

The UK, Singapore, United States, and Australia provide a set of case studies for government approaches to IoT security—due to the maturity of their IoT cybersecurity approaches, the maturity of their overall cyber policy processes, their historical influence on cybersecurity policy in other countries, and the strong precedent for cooperation across all four. There is also fragmentation within the countries’ frameworks, where different parts of a country or different government agencies pursue different IoT security policies and processes. The US, for instance, has the Federal Communications Commission (FCC) focused on communications standards for IoT products and the Federal Trade Commission (FTC) focused on the marketing practices of IoT vendors, but has no agency in charge of enforcing IoT security requirements in design. 

At least three key themes stand out across these countries. First, state approaches to IoT security have generally moved from voluntary best practices towards direct intervention. Second, state approaches have predominantly manifested in consumer labeling programs and minimum baseline security legislation. And third, states have made the need for international, agreed-upon standards a key design principle of their IoT security efforts though as yet without sufficient uptake or success.³¹

UK: Mandatory minimum security standards 

The UK was an early innovator in holistic responses to IoT insecurity. Its Department for Digital, Culture, Media & Sport (DCMS)—which works on digital economy and some broadband and Internet issues—published a Secure by Design report in March 2018, setting out how it aims to “work with industry to address the challenges of insecure consumer IoT.”³² As a result of its report, in October 2018, DCMS, along with the UK National Cyber Security Centre (NCSC) and industry partners, published the “Code of Practice for Consumer Internet of Things (IoT) Security,” consisting of “thirteen outcomes-focused guidelines that are considered good practice in IoT security.”³³ It aims, as one NCSC official described it, to identify impactful, updatable measures to which a broad coalition could agree³⁴—captured in the below principles

Figure 1: Thirteen Principles of Consumer IoT Security

The UK was not alone in this endeavor, working in tandem as a member of ETSI to launch ETSI Technical Specification 303 645, the first “globally-applicable industry standard on internet-connected consumer devices.”³⁵ In June 2020, this Technical Specification became formalized as a European standard (EN 303 645), and now serves as a common underlying source for many countries’ initiatives. 

Despite the initial promise of the Code of Practice, the DCMS found low industry uptake for the guidance and decided to pursue a legislative route. After multiple consultation rounds, the resulting Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced in November 2021, empowering the Secretary of State for DCMS “to specify by regulations security requirements.”³⁶ The new law would require “manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.”³⁷ Noncompliant firms could face fines up to £10 million or 4 percent of worldwide revenue, and a new regulator—to be delegated following the law’s enactment—would also have the ability to enforce recalls or outright product bans.³⁸ The bill is currently in the Report stage with the House of Lords and would require compliance within twelve months of enactment. 

By empowering the DCMS minister to specify security requirements instead of codifying them, the PSTI Bill allows the mandatory baseline requirements to respond to changing circumstances. The current principles outlined by DCMS focus on the “top three” elements of the UK Code of Practice/ETSI EN 303 645: banning default passwords, requiring a vulnerability disclosure process for products, and transparency for consumers on the duration that products will receive security updates. The UK’s NCSC views these three measures as having outsize importance, and “will make the most fundamental difference to the vulnerability of consumer connectable products in the UK, are proportionate given the threats, and universally applicable to devices within scope.”³⁹ Cognizant that good security must require organizational action, not just device-level changes at the point of design and manufacture, a DCMS official has highlighted the additional appeal of the framework in allowing requirements placed on economic actors, not just devices. Indeed, two of the three requirements involve organizational changes or activity. The UK’s framework allows for the introduction of secondary legislation to build on this baseline over time. 

Singapore: IoT product labeling 

In October 2020, Singapore’s Cyber Security Agency (CSA) launched the Cybersecurity Labelling Scheme (CLS), a labeling program for internet-connected devices that describe the level of security included in their design. The CLS aims to help consumers “easily assess the level of security offered and make informed choices in purchasing a device.”⁴⁰ It also aims to let product manufacturers signal the cybersecurity features of their products—as a senior CSA official put it, “to create the demand” and then “to provide a natural incentive to provide more secure and trusted devices.” 

The CLS has four levels of additive and progressively demanding security provision tiers (Figure 2). In the first two levels, developers self-certify, and the CSA can audit compliance. In the third and fourth levels, independent laboratories certified by the nongovernmental International Organization for Standardization (ISO) validate products. At the bottom end, products must have security updates and no universal default passwords, while manufacturers must adhere to secure-by-design principles, such as processes and policies for protecting personal data, securely storing security parameters, and conducting threat risk assessments. At the higher end, authorized labs conduct penetration tests against the product and its communications. Labels are valid as long as developers support the product with security updates, for up to a three-year period.

Figure 2: Singapore’s CLS Four Security Provisions Tiers

While the program’s terminology slightly differs, the CLS embraces the same principles as ETSI EN 303 645, doing so in a manner that “groups the clauses and spreads them out across four ranked levels.”⁴¹ And while the program’s higher-tier labels incentivize the adoption of stronger security measures, the Singapore Standards Council concedes that the first-tier labeling requirements “will suffice in staving off [sic] large percentage of attacks encountered on the internet today.”⁴² Finally, Singapore’s CLS shows how a voluntary labeling scheme can work to gradually dial up requirements for products as the market matures. For example, while the CLS is voluntary for most products, new internet routers sold in Singapore must meet the security requirements for the Level 1 label. This “voluntary-mandatory” split can keep evolving over time, both for different product categories as well as specific security measures. 

Interviewees at CSA said vendors have reacted positively to the labeling program (e.g., citing the onboarding of major vendors like Google and Asus). As of July 2022, there were 174 certified products, a total that has more than tripled since the start of 2022, and includes diverse items such as smart lights, video doorbells, locks, appliances, routers, and home hubs.⁴³ Despite these positive signs, it is too soon to tell if the CLS program will be a success, and Singapore must continue to monitor the label’s appeal for consumers and firms as well as its broader security impact. 

US: State initiatives & government procurement 

In the United States, initial action on consumer IoT insecurity began at the state level. The nation’s first IoT security law went into effect in January 2020 with California’s requirement that manufacturers of smart products sold in the state “equip the device with a reasonable security feature or features.” The law explicitly takes aim at universal default passwords, stating that a reasonable security feature could mean “the preprogrammed password is unique to each device manufactured,” or “the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”⁴⁴California’s law—enforced by state attorneys—does not include a private right of action, nor does it put any duties on retailers to ensure that products they sell meet the law’s requirements. 

Oregon joined California with its House Bill (HB) 2395, which has much of the same text (e.g., the same definition of “reasonable security feature” the same enforcement mechanisms) but limits its scope to only consumer IoT products (“used primarily for personal, family or household purposes”).⁴⁵ While the two laws may compel companies to adopt better security in all states, it appears that no cases have been brought forward under the law, even though insecure products are doubtlessly still sold in these states. 

The United States passed the IoT Cybersecurity Improvement Act into law in December 2020.⁴⁶ It requires NIST to develop cybersecurity standards and guidelines for federally owned IoT products, consistent with NIST’s understanding of “examples of possible security vulnerabilities” and management of those vulnerabilities.^{47 48} Thus, the law seeks to strengthen the security of IoT products procured by the government and intends to influence the private sector’s IoT cybersecurity practices through the federal government’s procurement power.⁴⁹ The 2020 act also shifts the burden of compliance from product vendors to federal agencies,⁵⁰ prohibiting them “[from] procuring or obtain[ing] IoT devices” that an agency’s chief information officer deems out of compliance with NIST’s standards.⁵¹ Finally, the act requires NIST to review and revise its standards at least every five years to ensure that recommendations are current, allowing for technical flexibility.⁵² NIST is empowered to suggest whatever finding it wants, with only vague guidance to consider “secure development” and other high-level cybersecurity items. Figure 3 offers an overview of the act’s recommendations. 

Figure 3: Overview of the IoT Cybersecurity Improvement Act of 2020

On May 12, 2021, the Biden administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The executive order directed NIST, in consultation with the FTC, to develop cybersecurity criteria for an IoT product labeling program aimed at educating consumers about IoT products’ security capabilities.⁵³ It also tasked NIST with examining how to incentivize IoT manufacturers to get on board with such a program. On February 4, 2022, NIST released its recommended criteria for a consumer IoT labeling scheme.⁵⁴ However, NIST has been clear that its aim is to describe the ideal components of a labeling scheme, rather than implement this scheme itself.⁵⁵ While EO 14028 may feel a little toothless at the moment, it effectively outlines specific federal cybersecurity goals. Moreover, it demonstrates a will to move beyond federal procurement power as the sole method for influencing the private sector. 

Australia: Starting with voluntary best practices 

In August 2020, the Australian Department of Home Affairs (DHA) released a voluntary “Code of Practice: Securing the Internet of Things for Consumers” as part of its 2020 cybersecurity strategy. This code of practice highlighted the thirteen principles outlined in ETSI EN 303 645. 

Australia’s voluntary code of practice did not prove to be a panacea. In March 2021, the Australian government published six months of research on the results of its Code of Practice, saying firms “found it difficult to implement voluntary, principles-based guidance,” and many had still not implemented basic security guidelines like a vulnerability disclosure reporting process.⁵⁶ As such, the Australian government appears intent on conducting more direct regulation of its consumer IoT market. In a request for comments that concluded in fall 2021, the DHA solicited public opinion on both a proposed consumer labeling program and a minimum security standards regime.⁵⁷

For the minimum security standards approach, the government proposes to base its requirements on ETSI EN 303 645 and is considering either mandating all 13 guidelines or choosing to focus on just the top three (no default passwords, the existence of vulnerability disclosure programs, and the provision of security updates). The potential regulator within the Australian government is yet to be determined, but it would be empowered to issue fines and other penalties for those who fail to comply. 

The potential labeling approaches consider two scenarios. A voluntary “star rating label,” such as Singapore’s CLS program, basing it on an existing international standard, such as ETSI EN 303 645, and involve some component of self-certification and testing within the framework of Australian consumer law’s protection against fraudulent claims. Alternatively, a mandatory “expiry date label” would indicate the period over which the product will receive critical security updates. This second option received a higher recommendation from the government. Minimum security standards could complement either of these approaches. 

Industry: Certification models and security standards 

Companies have also advanced numerous security approaches. Common industry approaches to IoT security include secure endpoints and stringent encryption requirements for third-party applications, hardware-based security, and the formalization of vulnerability and software communications protocols. The industry verticals for smart homes, networking and telecommunications, and consumer healthcare (recognizing there is overlap and integration between these verticals) see varying implementations of these measures. 

For example, the ioXt Alliance, which is composed of dozens of product manufacturers and vendors as well as major software companies, offers self-certified and third-party-validated certification for IoT products. Its five compliance tests cover everything from Android to smart speaker device profiles, measured against eight principles: no universal default passwords, secured interfaces, proven cryptography, security by default, verified software, automatic security updates, vulnerability reporting program, and security expiration date.⁵⁸ The overall certification process has five steps: 

1. Join the ioXt Alliance and register for certification; 
2. Select one of the five base profiles for testing, and then opt to self-certify or use one of the ioXt’s approved laboratories (currently, Bureau Veritas, SGS Brightsight, DEKRA, NCC Group, NowSecure, Onward Security, or Bishop Fox⁵⁹); 
3. Upload production information and test results to the ioXt portal; 
4. ioXt reviews the submissions and approves or rejects certification—with approved submitters receiving “the ioXt SmartCert” for their product; and 
5. “Stay certified with ongoing verification and insights,” like IoT regulatory updates through the Alliance.⁶⁰

The Alliance’s membership includes companies like IBM, Google, Facebook, Silicon Labs, Logitech, Honeywell, Avast, Asus, Motorola, and Lenovo; other associations like the Consumer Technology Association (CTA) and the Internet Infrastructure Coalition; and non-industry organizations like Consumer Reports. Even the UK’s DCMS is an Alliance member.⁶¹ While the membership roster certainly does not cover every IoT product manufacturer or vendor in the United States (where many of its members are based), it does have global representation. It also certified 245 percent more products and membership increased 63 percent in 2021 compared to 2020.⁶² 

The IoT Security Foundation, a global nonprofit representing many appliance manufacturers, recommends a framework composed of a few hundred security standards for organizations—spanning management governance, engineering, secure networks and applications, and supply chain.⁶³ Its members include smaller product manufacturers as well as larger companies like Honeywell, Huawei, and Arm, plus many more nongovernmental organizations, like academic institutions, than the ioXt Alliance.⁶⁴ The framework has three different audiences: (1) managers, (2) developers and engineers, and logistics and manufacturing staff, and (3) supply chain managers.⁶⁵ While its membership is not as large as that of the ioXt Alliance, the IoT Security Foundation does have global representation as well, such as the University of Southampton, Huawei, the University of Oxford Department of Computer Science, and Eurofins Digital Testing in France.⁶⁶

The Open Web Application Security Project^® (OWASP) is an open-source community effort that provides IoT security standards tailored to three threat models—attacks only against software, attacks only against hardware, and situations where compromise must be avoided at all costs (e.g., medical products, connected vehicles, due to highly sensitive data, etc.).⁶⁷ OWASP then specifies several dozen security standards based on these threat models, such as standards for bootloader vs. OS configurations vs. Linux.⁶⁸ OWASP is a nonprofit foundation with over 250 local chapters worldwide and tens of thousands of members, and it runs training conferences and other events to bring together experts from industry, academia, and civil society focused on software development and security.⁶⁹ Its capacity to drive change on IoT security is considerably different from the previous two coalitions—for instance, the OWASP community cannot marshal the marketing and lobbying power held by members of the ioXt Alliance or the IoT Security Foundation. However, OWASP draws on its tens of thousands of members around the world and leverages different forms of engagement than the other coalitions. The IoT Security Foundation, for instance, does not run events at the same scale as OWASP. 

The GSM Association, an industry group for mobile network operators, has hundreds of industry members—from Amazon to Coinbase to Audi—and has numerous guidance documents for IoT security.⁷⁰ For example, it has security considerations ranging from having password policies protect against hard-coded or default passwords (CLP12_6.11.1.5) to having a process for decommissioning endpoint devices (CLP13_8.10.1).⁷¹

The CTA, a standards and trade organization with over 1,000 company members, runs an IoT Working Group that supports consumer IoT development. Included in those efforts is educating consumers about IoT security best practices and improving the security of IoT products.⁷² The CTA has multiple labeling schemes under development around IoT products, focused on consumer-facing product security descriptions managed through an accreditation system.⁷³ The CTA, in fact, submitted a position paper to NIST in 2021 that described its vision for a cybersecurity labeling system for software and IoT devices—noting that labels should reflect the consensus industry standards, avoid marketplace fragmentation, and look to risk assessment as much as specific security capabilities, among others.⁷⁴ It also has global reach, with Cisco, Google, Panasonic, Samsung, Walmart, Alibaba, Nvidia, and ADT among its members.⁷⁵

The Connectivity Standards Alliance (CSA), which develops and certifies IoT technology standards, has a number of documents and efforts focused on security. For example, the CSA website contains numerous developer resources on IoT security, from security and privacy guidance on the CSA-developed IP-based protocol Matter to documentation around Zigbee, the low-latency communication specification.⁷⁶ The CSA’s product security working group is underway, developing security standards for IoT devices and exploring security options around labeling and it has a recently started IoT privacy effort, as well. Both of these endeavors focus on consumer-facing security considerations (meanwhile, other CTA efforts focus on less consumer-facing aspects of IoT product security). The CSA has nearly 300 participant companies and dozens of sponsors around the world, and it also has hundreds of corporate adopters—ranging from large retailers like Amazon to device and component developers like Arm, Silicon Labs, Schneider Electric, LG, Huawei, and Google.⁷⁷

Individual companies have also provided their own guidance, such as Google’s Cloud IoT Core “device security” guidelines,“⁷⁸ Microsoft’s Edge Secured-core criteria,⁷⁹ and Arm’s Platform Security Architecture for the IoT.⁸⁰ Each emphasizes different threat models and targets different stakeholders in the IoT process, from product engineers to those in management at product manufacturers. 

While beneficial, these approaches in the aggregate present a fragmented industry approach to IoT security. Governments looking to industry standards as a reference point find numerous, very different options; for instance, while the ioXt Alliance’s security approach emphasizes testing against specific device profiles, the OWASP approach emphasizes different kinds of threat models that could, hypothetically, apply across device profiles. There are also implementation differences: the ioXt Alliance points to independent, third-party testing and evaluation, whereas OWASP offers a list of standards that organizations can pair to a particular threat model. Some yet (like the ioXt Alliance) create new, IoT security-specific approaches, and others (like Arm) offer rough replicas of their overall cybersecurity guidance, with some tailoring to IoT.

Summarizing challenges 

The current government approaches towards IoT security present many challenges—and have many gaps and shortfalls. This matters across the United States, Singapore, Australia, the UK, and many other governments, because industry has failed to appropriately invest in IoT security, leaving governments to step in. Simultaneously, some states are leading aggressively on securing IoT while others appear willing, on a structural level, to cede that leadership to industry (or to not act at all). Australia, for example, has put forward an IoT security framework but has long delayed the publication of specific guidance. 

Industry organizations have pursued a range of IoT security approaches across labeling, certification, minimum standards, and best practices. This guidance also varies across industry verticals—for instance, given embedded IoT healthcare devices face many more regulatory security requirements than smart speakers. All these initiatives represent a substantial effort and reflect years of work from individuals in the security community—yet challenges (Table 1) around enforcement and implementation leave room for greater cohesion to tie security actions to particular parts of the product lifecycle. 

On the private sector side, ambiguous requirements and policy goals,⁸¹ diverging processes and regulatory requirements across jurisdictions, and duplicative certification schemes all hinder private-sector efforts to boost IoT security. And on the user side, individuals are grappling with little to no information to select more secure products, bad security outcomes and insecurity, and harmful knock-on effects from IoT insecurity that harm others in society and using the internet. 

Table 1: Challenges with Current IoT Security Models

State IoT security challenges 

State IoT security policies are fragmented across jurisdictions. While the United States, UK, Singapore, and Australia (as well as the EU bloc) have generally moved from a voluntary best practices approach toward a mandatory approach, the states’ policies do not necessarily integrate well with one another. Each country has different specific cybersecurity best practices and places different levels of regulatory requirements on companies. This state-to-state fragmentation makes it more difficult for governments to agree on IoT security goals and operationalize IoT security cooperation—impeding a multinational approach to systemic risk. 

Further, when states work to increase cooperation, there is a question of selectivity and exclusion: the ten countries with the most infected devices in the 2016 Mirai botnet were primarily in South America and Southeast Asia. Meanwhile, most high-resourced countries principally focus on IoT security collaboration with one another (e.g., UK-Singapore IoT security collaboration), not on building IoT security capacity in lower-resourced countries.⁸² The latter does happen—for example, Singapore and the Netherlands have engaged the nonprofit, multistakeholder Global Forum on Cyber Expertise on global IoT security issues. Nevertheless, collaboration remains primarily among higher-resourced and higher-capacity states.⁸³

Thus, one set of countries debate solutions while excluding a bevy of impacted stakeholders from the discussion. In doing so, higher-resourced countries may miss important points about their IoT frameworks’ applicability. Notably, cultural contexts greatly matter alongside technical considerations when weighing country adoption, and IoT product reliability may be just as important if not more so than cybersecurity per se in a development context.⁸⁴ In fact, for many countries, increased reliance on information and communication technologies without proper reliability can very well yield suboptimal development outcomes.⁸⁵ For example, while other governments (e.g., Singapore, Australia) reference the UK’s IoT security recommendations, some of the UK standards may require too much investment for lower-resourced states and focus less on reliability per se than security. 

Furthermore, regulatory approaches within countries may still be fragmented and leave gaps. For example, in the United States the FCC regulates IoT products’ network connectivity, and the FTC regulates the marketing practices of IoT products.⁸⁶ The FCC has broad authority to regulate product manufacturers and sellers. On the flip side, the FTC’s authority mainly concerns consumer protection to ensure IoT product sellers are not being deceptive.⁸⁷ However, this still leaves gaps, such as not incentivizing security requirements at the device manufacturing stage and leaving national laws to govern IoT cybersecurity for federal agencies, while mostly standards and voluntary guidelines guide the private sector.⁸⁸ In Australia, to give another example, the state’s “privacy, consumer, and corporations laws were not originally intended to address cybersecurity,” leaving the national government trying to make do with a patchwork of laws to address cybersecurity.⁸⁹ Country-internal fragmentation, in total, leaves policy and regulatory gaps in promoting IoT security, forces the government to grapple with an ill-formed patchwork of authorities and procedures, and raises costs and increases confusion for businesses and users—especially when different labels are in play. 

Private sector IoT security challenges 

Many IoT security approaches in practice have ambiguous requirements and policy goals that make it difficult for the private sector to both understand and implement the government’s vision—and difficult for the state to require or incentivize the private sector to change. Take government procurement requirements, whose aim can be unclear. One aim could be the use of procurement to directly secure specific products, such as by requiring the military to only buy IoT products with a higher cybersecurity bar. Another possibility is using procurement to signal best practices to industry, such as requiring compliance with NIST’s cybersecurity framework—mandatory for US federal agencies and which more than 30 percent of US organizations have voluntarily adopted.⁹⁰ And another possibility is not just signaling best practices but incentivizing companies broadly, even those not doing federal contracting, to increase their own product security. As one standards body expert put it, “if the government only buys products meeting certain standards, that sets a bar for the private sector.”⁹¹

While the security approach may be similar or identical in each case, there are different policy goals in play that may not be articulated (even if they are not mutually exclusive). If most IoT vendors are not government contractors, the use of federal procurement requirements to secure the broader ecosystem may fail.⁵⁸ Danielle Kriz, the senior director of global policy at Palo Alto Networks, argues that government procurement on its own is “not enough to result in full-scale IoT security.”⁹² Using procurement to signal to the broader market could also produce product fragmentation: “If you make the standards too robust,” argues David Hoffman, a Duke University professor of cybersecurity policy, “then you create a situation where there is a profit incentive for contractors to sell two different products: one for government and one for the private sector.”⁹³ Further, if introducing a procurement requirement is meant to signal a coming wave of incentives around that set of security requirements, governments should note that—so industry can begin to get on board. 

Differences in cybersecurity and IoT security processes, levels of maturity, and regulatory requirements across jurisdictions likewise complicate the private sector’s implementation of IoT security approaches. When a country’s internal approach to IoT security is fragmented, it becomes harder to coordinate with the private sector as well as other countries—because there is no clear and cohesive national approach. Companies, for their part, often find themselves caught between multiple competing, if not contradictory, IoT cybersecurity regimes. This increases industry confusion about IoT security best practices (particularly for businesses with less institutionalized cybersecurity capacity) and may force IoT manufacturers and vendors to tailor-make products to meet specific, varied regulatory requirements (discussed in the next section). Disjointed IoT security standards also raise the costs of government interaction for companies, especially for smaller players with less budget and in-house governmental relations capacity. Vendors and manufacturers that have more money and resources could therefore have an even more outsized ability to influence the security conversation. 

For industry, certification schemes also introduce many challenges. The current IoT security certification approach emphasizes independent, third-party product certification—time-consuming and costly (sometimes in the tens of thousands of dollars)—which may be outright prohibitive for smaller manufacturers and vendors. This approach often excludes lower-cost approaches that could work simultaneously, like self-certification to a lower bar of standards. Certification schemes are also binary, tiered, and descriptive; there is no unified approach for companies to implement and understand. For example, Singapore’s CLS has four progressively demanding security level provision tiers (see Figure 2): security baseline requirements (Tier 1), lifecycle requirements (Tier 2), software binary analysis (Tier 3), and penetration testing (Tier 4).⁹⁴ Others, however, such as many industry certification schemes, are binary, either certifying a product as “secure” under their definition or not doing so at all.

User IoT security challenges 

The current approach also presents challenges for users. An Ipsos MORI survey in Australia, Canada, France, Japan, the UK, and the United States found that consumers overwhelmingly think that “connected device manufacturers should comply with legal privacy and security standards” (88 percent), “manufacturers should only produce connected devices that protect privacy and security” (81 percent), and “retailers should ensure the connected devices they sell have good privacy and security standards” (80 percent).⁹⁵ A majority of those that own connected devices (63 percent) “think they are creepy.”⁹⁶ Despite these findings, by and large, users continue to purchase insecure IoT products. 

Currently, manufacturers and vendors provide users with little to no information to select more secure products. Where labeling and/or certification schemes do exist, they expect that buyers have a fair knowledge of IoT security and will make purchasing decisions based off that knowledge. This user knowledge assumption is faulty, as all countries surveyed in this report are far from sufficiently educating the public on cybersecurity issues. And in the context of a corporate buyer of IoT products, there is no guarantee many organizations purchasing IoT products have deep, in-house capacity around IoT cybersecurity practices, either. 

The current approach also leaves users, and the IoT ecosystem in general, with bad security outcomes and insecurity. Many manufacturers and vendors underinvest in cybersecurity and might not even have any kind of robust cybersecurity processes in place in their organization. This manifests itself in IoT products riddled with bad security practices, like default passwords and weak encryption, which leave products, users, and connected systems vulnerable to data theft and much worse. Merely encouraging organizations to adopt voluntary standards (that some organizations may not even know about) does not widely improve IoT security outcomes, either. Further, the labeling and certification schemes that do exist in some jurisdictions are often expensive—and if manufacturers and vendors choose not to absorb the costs themselves, then they will charge consumers higher prices for IoT products. 

Even if companies wanted to invest and buyers had all this knowledge, the current approach would still negatively impact users, the broader internet ecosystem, and other involved individuals. Given the “paradox of choice,” where increasing the number of options available to someone can make it harder to reach a decision, providing users with many different labels and certifications may do the same. The lack of a unified labeling scheme also makes it difficult for consumers to compare labels (binary versus tiered versus descriptive), and the lack of a single global IoT cybersecurity certification means buyers may not even be able to compare IoT security attestations at all. Moreover, there is little indication that introducing labeling and/or certification would necessarily cause a buyer to look anywhere beyond the price tag. And in the narrow cases where manufacturers or vendors provide labels and certification information to buyers, many users only see that information when the product is already unpacked and undergoing setup in their home or work environment. Overall, current IoT security approaches still place a heavy security burden on individuals, rather than systematically mandating and incentivizing product manufacturers and vendors to consider and build in security from the outset. As one DCMS official described it, labels may be attractive because they can avoid the bureaucracy of legislation—yet they still expect consumers to move the security needle. 

Addressing these challenges should not devolve into championing one national approach over another. The need for harmonization in specific controls is real, and this need extends to control philosophies and enforcement schemes. The section below synthesizes these previous approaches into a single framework based on the general lifecycle of IoT products as a basis for a path forward. 

Creating a synthesized framework 

There is no shortage of IoT security frameworks. As noted in the last section, government agencies, private companies, industry organizations, and civil society groups around the world have developed and published a range of IoT security policy frameworks, design best practices, and security certification schemes. This represents a substantial body of work on IoT security, yet there is more to be done—and its range creates complexity heedless of industry cries for coherence and presents a meaningful obstacle to international coordination. 

Rather than address each of the four jurisdictions of interest (US, UK, Australia, Singapore) in isolation, this section presents a consolidated framework with existing security regulations, standards, and guidance from all four countries. 

The framework’s first goal is to reduce fragmentation between policy approaches by highlighting their contributions and limitations. Operating in multiple jurisdictions with different IoT security regimes can drive up product development and legal compliance costs, disincentivize companies from investing in security or widely selling their products, and even create scenarios where companies must tailor-make IoT products to sell in different countries. Reducing fragmentation addresses these cost issues. It also empowers IoT product users, by giving companies and individuals a clearer set of tradeoffs and information rather than numerous, different stamps of security approval from different places. Lastly, reducing fragmentation helps policymakers forge cooperation internationally and cover the entire IoT security landscape at home. 

The framework’s second goal is to better situate technical and process guidance into cybersecurity policy. As previously discussed, some government requirements and guidance on IoT security lack detail and have ambiguous policy goals, which impede the private sector’s progress on better implementing IoT product security. Integrating technical and process details into government policy can help the private sector, especially companies with limited cybersecurity knowledge and capacity, operationalize higher-level IoT security objectives. It would also help governments identify flaws in their own IoT security approaches; for example, an overemphasis on certifications’ policy value has come at the expense of looking at the certification process—which for many organizations is a time-consuming, costly endeavor. 

Table 2 presents a synthesized IoT cybersecurity framework—mapping at what stages of the IoT lifecycle various IoT security actions and policies could be applied. This leads to a discussion in this section of how existing government IoT security approaches have enforced, incentivized, or guided these measures. It then leads to the recommendations section, which discusses ways in which governments can better select from these security action options and appropriately enforce, incentivize, or guide them to achieve better cybersecurity across the IoT ecosystem. 

Overwhelmingly, this framework highlights that the IoT security approaches in the countries studied focus on the design, development, and sale, and setup phases of the IoT lifecycle, with significant gaps in security actions and policies for the maintenance and sunsetting phases of an IoT product’s lifespan. 

Table 2: Synthesized IoT Security Framework

Cybersecurity decisions at each lifecycle phase help determine a product’s ultimate security (Figure 4). 

Design decisions frame how IoT products are ultimately architected, and they can include or exclude certain cybersecurity considerations from the outset. Security action and policy options at this level include following voluntary and/or mandatory technical standards, following voluntary and/or mandatory best practices, and employing best practice security design principles. 

Development decisions begin to put those design ideas into practice, and they impact how higher-level ideas and principles are operationally employed into the creation of products. They also present an opportunity for IoT product manufacturers to tailor additional security requirements based on their product’s risk profile—for instance, adding in extra controls on top of voluntary, minimum best practices for products used in safety-sensitive or critical infrastructure settings. 

Sale and setup decisions focus on IoT products going on the shelf and getting configured in their use environment, and they impact the cybersecurity of those products when first activated. Security action and policy options at this level include implementing vulnerability disclosure policies and processes, implementing mechanisms for regularly updating software, employing labeling schemes, and getting products security-certified. 

Maintenance decisions focus on IoT products that have already been configured and deployed, and they impact the security of those products for the rest of their lifetime. The security action and policy options at this level include maintaining vulnerability disclosure policies and processes, issuing regular security updates, updating labeling schemes in line with software security updates and disclosed vulnerabilities, and updating certifications in line with software updates and disclosed vulnerabilities. 

And finally, sunsetting decisions pertain to the end of a product lifecycle—such as when a vendor stops providing security updates—and how product vendors and users should communicate about, prepare for, and navigate the process of retiring an IoT product.⁹⁷ 

Figure 4: Overview of Government and Industry Frameworks

SOURCE: Liv Rowley and Justin Sherman for the Atlantic Council.

When applied to the United States, the UK, Australia, and Singapore, the framework shows that most country IoT security approaches concentrate on the earlier parts of the IoT product lifecycle. The design, development, and sale and setup phases are heavily covered. In the United States, existing NIST publications that provide guidance on security-by-design (like NIST SP 800-160) are applicable to IoT.⁹⁸ The UK’s PSTI Bill, introduced in November 2021 and not yet passed, would require “manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.”⁹⁹ The provisions leverage recommendations in the UK Code of Practice/ETSI EN 303 645: banning default passwords, requiring vulnerability disclosure processes for products, and providing transparency for consumers on the duration that products will receive security updates.¹⁰⁰ Nonetheless, there are still gaps; the UK PSTI Bill focuses more on design, development, and sale and setup.¹⁰¹

Design and development guidance often overlap in the four countries. The Australian government’s Code of Practice on securing the IoT for consumers uses the 13 principles laid out by the UK and ETSI, including not using default passwords, implementing a vulnerability disclosure policy, and keeping software updated and secure.¹⁰² The provisions around not using default passwords, validating input data, and securely storing credentials are primarily useful in the abstract at the design phase and implemented during the development phase. 

The United States, the UK, Australia, and Singapore also have significant guidance and/or requirements at the product sale and setup phase. For the ETSI guidance—which underpins guidelines in the UK, Australia, and Singapore—the implementation of a vulnerability disclosure policy comes into play during sale and setup. Singapore’s CLS has four levels against which companies can certify products, from baseline requirements, certified based on developer self-declaration, to comprehensive penetration testing conducted by ISO-accredited independent laboratories.¹⁰³ And in the United States, the IoT Cybersecurity Improvement Act of 2020 requires NIST to publish “standards and guidance” around IoT product purchasing and shifts the compliance burden from vendors onto federal purchasers.¹⁰⁴ Moreover, federal agencies must consider such factors as secure development, identity management, and patching when looking at buying an IoT product and then prove that said product satisfies NIST’s guidance.¹⁰⁵ E.O. 14028 directs federal agencies to implement secure software verification processes and directs NIST, the FTC, and other agencies to identify “IoT cybersecurity criteria for a consumer labeling program.”¹⁰⁶

Regulations enforced by the FTC and FCC likewise focus on IoT product labeling when consumers look to purchase and deploy products (in the FTC’s case) and IoT network design (in the FCC’s case). This is not to say the US security approach entirely neglects the maintenance and sunsetting phases; NIST’s first IoT publication (NISTIR 8259)¹⁰⁷ includes a category for “post-market” security considerations as well as general recommendations for establishing communication channels for product updates and customer feedback. A subsequent update to the document (NISTIR 8259A) contains recommendations for security update features.¹⁰⁸  

All four government approaches focus less on the maintenance phase of the IoT product lifecycle. The UK’s IoT security approach has gaps in providing manufacturers, vendors, and users with maintenance guidance (e.g., once the security update plan is in place and communicated, how will it be continuously followed?) and sunsetting guidance (e.g., if the company stops providing security updates, how should they inform users and what options might users have for replacing devices?). While there is some minimal guidance here—for instance, the UK DCMS Code of Practice includes a provision to make the installation and maintenance of products easy—it hardly provides anything substantively useful for manufacturers, vendors, or buyers. The same therefore goes for Australia, which follows the UK’s guidance. Singapore does provide detailed guidance on the maintenance phase at Tier 2, 3, and 4 of the certification scheme. 

Each approach has significant gaps at the sunsetting phase. The United States lacks sunsetting guidance in its IoT security approaches, and regulatory enforcement does not focus on sunsetting (e.g., the FTC focuses on how products are marketed to consumers, not how products are retired). Singapore’s labeling scheme program provides little guidance in the way of notifying users about terminated security updates when products are at their “life’s end” and then, as a result, posing new and greater security risks. The UK’s IoT security approach also lacks sunsetting guidance, such as what happens if a company stops providing security updates as recommended by the DCMS. This means users, and society writ large, may have some protections against IoT insecurity at the earlier phases of the IoT product lifecycle, such as when companies are designing IoT products sold to the government and used in relation to critical infrastructure, or when vendors are advertising their products on the shelf and regulated. Yet, for all the businesses, individuals, and other entities using IoT products that are long past their lifespan, they are exposing themselves to insecurity possibly without even knowing it—and without government policies and security approaches that protect users against the termination of security updates, outdated labels, and other security problems. 

It is also important to note that requirements may, in the future, speak to areas outside the device lifecycle as well, concentrating more on an IoT manufacturer’s organizational structure or developer training. NIST notes this in their June 2022 NISTIR 8425 initial public draft, titled “Profile of the IoT Core Baseline for Consumer IoT Products.”¹⁰⁹ Developer activities, as outlined in NISTIR 8425, may include Documentation, Information & Query Reception, Information Dissemination, and Education & Awareness.¹¹⁰ Some industry IoT security frameworks include non-device requirements as well. For instance, the IoT Security Foundation’s framework mandates the existence of certain roles at a company (for example, 2.4.3.1 mandates “There is a person or role, accountable to the Board, who takes ownership of and is responsible for product, service and business level security, and mandates and monitors the security policy”); or specific actions to be included in a company’s security policy (for example, “As part of the Security Policy, provide a dedicated security email address and/or secure online page for Vulnerability Disclosure communications”).¹¹¹ Such standards that apply to elements outside of the scope of the device lifecycle itself are critical to fostering a stronger security environment overall and should be remembered and considered as IoT security becomes stronger. 

Toward a consolidated approach

The framework above underscores how some governments and industry actors are making progress in pushing for greater IoT security—but there is a long road ahead to improving cybersecurity in the IoT ecosystem. There are still some governments and many industry actors underinvesting in IoT security. Despite their stated concerns, consumers continue to purchase insecure products. As a result, product manufacturers and vendors need to deliver meaningful transparency and improvements in user security outcomes. Without the predictability of common security standards that impose pressure on all manufacturers and vendors, proactive firms have little incentive to produce secure products, and there are few penalties for laggards. 

Overcoming widespread risks 

Promisingly, the past few years have seen a flurry of activity on IoT security from governments, industry groups, and consumer advocates. The attitude among those interviewed for this report generally was optimism about the direction of travel, with concern over the pace of the trip. Singapore is nearly two years into a voluntary, four-level labeling scheme that will be gradually expanded as mandatory by product type, as it currently is for internet routers. Australia appears poised to pursue a labeling approach that mirrors Singapore’s four levels (“graded shield”) or a simpler indicator showing the timeframe that security updates will be provided (“icon expiry”). The UK has rejected the concept of labels and is instead on the cusp of passing legislation that empowers regulators to set basic cybersecurity requirements for all smart devices, a baseline that can be ratcheted up over time. In the United States, two states have implemented their own minimum security requirements, federal agencies must purchase products with more robust security, and NIST recently recommended a binary label akin to approaches in Germany and Finland. Consensus standards, enforcement measures, and international cooperation across these four jurisdictions are feasible but not yet close. Nevertheless, there still are threats to progress: 

• Risk #1: Regulations, standards, and norms diverge between jurisdictions. Despite today’s promising signs, as more jurisdictions take on the problem of IoT insecurity, there is a risk that regulatory divergence worsens with an ‘every-market-for-themselves’ approach where duplicative requirements and confusing enforcement schemes burden IoT vendors who must work to support multiple sets of standards or elect to focus on a small set of jurisdictions. 
• Risk #2: Cybersecurity labels fail to demonstrate value to both manufacturers and consumers. One interviewee summed up the attitude toward cybersecurity labels with an analogy to Churchill’s famous quote about democracy: “the worst option, except for all the others.” Labels are an increasingly popular approach in national IoT security efforts. Despite a clearly articulated demand for greater security by consumers, some observers are doubtful that consumers can or will make informed cybersecurity decisions even with the benefit of an indicator on the box or the webpage. Others question whether it is correct to task consumers with making such security decisions for themselves, comparing insecure IoT products to an unsafe lightbulb: you do not compare lightbulb brands to see which one is least likely to explode. Like other market signals, cybersecurity labels can suffer from a collective action problem, only arising if both sides of a transaction value them. 
• Risk #3: Product security requirements become watered down as they approach broader adoption. Particularly in the United States, legislation often becomes less potent as it approaches the federal level. Industry resistance was sufficient to kill prior versions of the IoT Cybersecurity Improvement Act and cut some of the provisions that were finally passed in its 2020 version.¹¹² Given federal law’s preemptive power, consumer IoT security legislation could counteract more ambitious measures at the state level. This dynamic may also occur internationally if jurisdictions are driven to the lowest common denominator in pursuit of consensus. 
• Risk #4: Guidelines become too rigid, locking in outdated security practices. As Brian Russell and Drew van Duren describe, “The greatest challenge in the security industry is finding methods today of defending against tomorrow’s attacks given that many products and systems are expected to operate years or decades into the future.”¹¹³ Legislation must define processes and outcomes rather than codifying specific security measures that might soon become irrelevant. 
• Risk #5: The drive for improved consumer IoT security fails to have an impact on product manufacturers in jurisdictions without strong IoT security laws. The national initiatives surveyed in this report focus primarily on efforts to effect change by imposing requirements on products sold in each one’s jurisdiction, as opposed to trying to impact what happens where products tend to be manufactured, citing the challenge of extraterritorial enforcement. Interventions must consider the full range of actors who can put pressure further up the supply chain, with retailers, in particular, having the potential to play an influential role. 

The shape of a consolidated approach 

What might a better IoT future look like? One description is: “a world in which every IoT ecosystem stakeholder[’s] choices and actions contribute to overall security of IoT where consumers and benefactors are simply secured by default.”¹¹⁴ It could be raising the tolerable level of insecurity to the point where consumers trust IoT products and services as something more than a roll of the dice.

Crucially, this world must reflect different economic incentives for manufacturers, consumers, and attackers. Policy change is necessary to help shape and channel these incentives. When assessing any proposal, one should consider its ability to advance the following outcomes: 

• Eliminate the most glaring insecurities in consumer IoT products, thus increasing the level of effort and sophistication required for attackers to compromise them. 
• Promote harmonization across jurisdictions, avoiding needless divergence and duplication, thereby reducing friction for manufacturer uptake. 
• Sharpen incentives for manufacturers to exceed the minimum baseline of security practices. 
• Increase consumer awareness of the risks from insecure products and increase interest in security as a feasible and accessible buying criterion. 
• Provide real impact on user security outcomes in the near term while maintaining flexibility to incorporate new controls through consensus measures as technology evolves. 

To drive the above outcomes and closer alignment in policy across these four states, the team proposes a multi-tiered IoT product labeling and certification scheme with basic, easily understandable labels for consumers (Figure 5). This multi-tiered scheme would ensure that minimum security standards are met, give consumers easily digestible ways of understanding the security of a product, and allow manufacturers that invest in higher security to advertise it understandably.

Figure 5: Overview of IoT Security Tiers

Tier 1: Minimum Baseline Features. The first tier should be a set of mandatory, baseline, self-attested IoT security standards created by governments in consultation with industry. For each country, the government agency leading this effort should ideally be the organization already in charge of cybersecurity standards, and if there is not one, governments should select an organization with a high degree of transparency, technical competence and capacity, and a track record of working with industry and civil society. The recommended baseline security standards should be rooted in widely agreed upon desirable security outcomes, for instance, the core principles outlined in ETSI EN 303 645—such as eliminating default passwords, mandating a vulnerability reporting contact, and facilitating secure updates for software. Once governments set this tier, manufacturers should apply with the agency administering the program and self-attest that they meet these standards. The agency should then provide qualifying products with a label indicating that they have met these baseline requirements, and the manufacturer and product vendor (if different than the manufacturer) should include this label and information about it in the product description. Random audits can assess compliance without the need for a time-consuming and expensive certification process. Examples of national programs in this tier include the UK’s PSTI Bill, Singapore’s CLS Tier 1 requirement for routers, and California and Oregon’s IoT security laws. 

Tier 2: Enhanced Security Features. Building off the first tier of mandatory, baseline, self-attested IoT security standards, governments should then work with industry to set a second tier of security standards—higher, voluntary, and independently tested. The standards to qualify for this second tier should likewise look to the Tier 1 baseline as a starting point, with a particular focus on ensuring products communicate securely and protect consumers’ personal data, inspired by security outcomes that may be drawn from ETSI EN 303 645. Qualifying products will receive a label indicating that they have both met the Tier 1 baseline requirements and the Tier 2 requirements, and the product description should include information about this label. To encourage the uptake of the second tier, securing a label should be a relatively cheap and quick process. Given that some jurisdictions may see more value in a scheme with more than two tiers, national regulators should be able to subdivide this tier into different levels of security. Examples of existing programs that would fall within this tier include Levels 3 and 4 of Singapore’s CLS, Finland’s Cybersecurity Label, Germany’s BSI IT Security Label, and the binary label recommended by NIST in the United States. 

Special Standards for Safety Critical Products. Industry-specific regulators should remain in charge of setting the highest bar of security standards for IoT products that present an imminent threat to human life if compromised. For most smart devices, consumers do not bear the brunt of the consequences if their device is vulnerable to an attacker. This dynamic shifts dramatically when the connected device is an automobile or pacemaker and the consequences become potentially lethal. In these instances, however, consumers still lack the expertise to assess risk. These industries tend to already have specific regulators focused on product safety: for example, the FDA certifies medical devices, and the National Highway Traffic Safety Administration (NHTSA) is charged with enforcing motor vehicle safety standards. In this context, an internet connection is merely another feature that introduces new risks to product safety. These regulators should look to standards bodies such as ETSI and NIST as a starting point for guidance on cybersecurity, but the ultimate requirements for these safety-critical applications must extend to the particular security needs of the industry—which are likely even more stringent than the second tier discussed above. Products that fall into this category need not be certified with a label. Instead, if they fail to meet the regulator’s minimum standards, they should not be approved (or should be recalled if they are already on the market). 

What does the label look like? 

A label for IoT security should consist of a standardized table or graphical description of security features, attached physically to a product box and digitally affixed to product descriptions online. The digital description of an IoT product’s security features is especially important, and—given the constantly changing security landscape—keeping digital labels up-to-date is often easier than doing so for physical labels. Ideally, the standardized-format description of product security features should be mapped to a set of standard IoT security criteria—such as a checklist of product compliance with some NIST security best practices, or a checklist of product compliance with ETSI requirements for IoT security (e.g., does this product use universal default passwords, does it have a security update function in place). Labels, intended for audiences ranging from consumers to enterprise purchasers, should use clear, easily understandable language to describe product security features, rather than referencing specific standards numbers or using highly technical verbiage (such as describing a specific encryption algorithm). 

Related to the label, governments should consider cooperating and coordinating with industry to ensure data on labels is easily accessible—to regulators, researchers, and the public generally. One idea is creating a central repository of manufacturer and vendor label information, perhaps maintained by a country’s cybersecurity standards organization or a standards development organization (SDO), into which vendors and manufacturers can upload independently tested and/or self-certified label information about IoT product security. It may be advantageous to develop a single form containing information of interest to multiple major jurisdictions, inspired by the “Common App” form which allows individuals to fill out one form to apply to multiple US-based universities. This would allow regulators and others to access information on company compliance and broader IoT product security trends in a single place and in a single, accessible format; it also potentially streamlines compliance efforts by IoT vendors, allowing them to file security information about their products in one place that is applicable in multiple jurisdictions. Another idea is having companies make this information available from their systems through a standard API—such that all the information is not stored in one single place, and the government does not have to maintain a central repository of IoT security label data, but that individuals can query manufacturer and vendor APIs to get label information. 

A note on ambitions 

At their simplest, today’s approaches reflect two different philosophies about where governments should focus their efforts: (1) targeting the “low hanging fruit” of higher impact/lower effort measures with mandatory requirements, or (2) setting an optional higher bar and trying to get consumers and industry to care about it. The former arguably views security improvements as a rising tide that fills in the lowest lying areas first, while the latter arguably views it as a distant target that focuses our gaze, even if not everything hits the bullseye. While both strategies have their merits, they need not be mutually exclusive. We cannot content ourselves with merely getting rid of the worst shortcomings. Similarly, the choice for consumers should not be between one class of products that have poor security and another with world-class security. 

It would be counterproductive to suggest that these countries should scrap their national approaches in favor of a new consensus program. Given how recent these efforts are—if they have even yet been implemented—it is still too soon to tell how each country’s approach will fare. A degree of national-level experimentation can help determine what does and does not work. Further, as one interviewee noted, while standards may harmonize internationally, enforcement occurs locally. Many jurisdictions have lined up behind the same set of guidelines in ETSI EN 303 645, with some others pursuing slightly differing approaches that nonetheless seek the same outcomes that the ETSI documentation aims to achieve. But the measures chosen to encourage (or compel) industry to generate products with better security must reflect the jurisdiction’s regulatory and consumer cultures. The silver bullet is not necessarily a new global label, new methods of enforcement, or new standards for IoT products. Instead, the world needs a better way of bringing together these efforts and ensuring they continue to avoid contradiction and duplication. 

Recommendations

This section lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting the baseline of minimally acceptable security, incentivizing above the baseline, and pursuing international alignment on standards and implementation across the entire IoT product lifecycle. While many of these recommendations apply generally to those interested in promoting a more secure IoT ecosystem, the report also aims to identify specific actors and the steps they can take to bring about this multi-tier structure for IoT security (Figure 6). Moreover, these recommendations also aim to address the risks and uncertainties described in the prior section. 

Importantly, this report deliberately does not prescribe a particular label design, such as a table or graph. Moreover, it does not prescribe “how” companies should pair physical and digital labels nor to “what” extent companies and/or governments should harmonize specific label designs and digital characteristics across jurisdictions. These areas deserve more work, and the optimal approaches remain unclear at this stage. 

Figure 6: Overview of Actors and Actions to Improve IoT Security

Recommendation Set: Establish the Baseline of Minimally Acceptable Security (Tier 1): Currently, many governments lack baseline security standards for IoT products, and for some of those that do have such standards enacted, companies must go through a time- and cost-intensive process of independent testing and certification. This substantially raises the barrier to adopting what should be easily achievable and cybersecurity-bolstering baseline standards. By setting this minimum baseline, making it low-cost for companies to comply with, selecting criteria that greatly increase cybersecurity (like no universal default passwords¹¹⁵ and having security updates), and making it mandatory, governments can ensure IoT products within a country have the most basic and critical security measures in place. In some jurisdictions, enforcement might look like a law that requires every IoT manufacturer to implement the government-set IoT security baseline standards; in other countries, enforcement might look like a consumer regulatory agency creating a new rule within its existing authorities. 

IoT products are currently so insecure that hacking them is relatively trivial. The insecurities these products have are so glaring and egregious that even relatively unskilled hackers can get into the game and claim their slice of the pie. Implementing mandatory minimum security standards would have an impact on the state of IoT security by plugging those widely known and easy-to-find holes, which raises the cost of knowledge, time, and resources required to compromise IoT products. In other words, this would help push small fry hackers out of the scene, and the more sophisticated hackers would have to invest energy into developing ways to target more secure products. 

To illustrate this point, the Global Cyber Alliance’s October 2021 report “IoT Policy and Attack Report” provides a glimpse into just how effective some of these minimum security measures can be.¹¹⁶ Using a “honeyfarm” (a large network of IoT device honeypots), the Global Cyber Alliance was able to measure the number of attacks against different classes of IoT products and determine whether the number of successful attacks against the target changed, given the implementation of different security standards. For instance, the report found that of over 7,000 malicious login attempts, attackers were only able to login and thereby compromise a device in 79 instances. Those 79 instances all involved devices that used default passwords 

This section describes two recommendations that aim to influence two critical groups of actors in implementing this baseline: product manufacturers and retailers. 

Recommendation 1: Governments should implement regulatory measures to enforce a mandatory baseline on manufacturers selling in their markets (Figure 7). Initially, governments should conduct outreach to encourage compliance and spread awareness among manufacturers about the security requirements. Inevitably, some companies will not implement the Tier 1 security baseline within the required window or in the required way. This could be the result of many factors, including a lack of awareness about the rule (e.g., for smaller IoT manufacturers), feet-dragging, and limited capacity to quickly implement the self-attested label and certification, among others. Governments should therefore develop mechanisms to publicize the new, required security baseline at Tier 1 and encourage companies to implement it within the specified window. Beyond general public education campaigns, for example, this could include such processes as a country’s key standards agency holding sessions with industry to explain new requirements and answer any questions that may arise—well before the requirements go into effect. 

Next, governments should set up random audit mechanisms to ensure firms’ claims are accurate and issue penalties as needed. Some companies may self-attest to a security baseline and then take action that deviates from that attestation (e.g., implementing security updates and then ceasing security updates). Other companies may falsely self-attest to the security baseline altogether. If a product has been falsely attested to and does not meet the minimum security standards, the government should begin by issuing a compliance notice to its manufacturer. The compliance notice (or prompt for change) should outline all corrective actions and set a clear deadline for when these actions must be complete. Should a manufacturer continue to produce a noncompliant product with a falsely advertised security label, the government’s relevant enforcement agency should issue a stop notice that orders the manufacturer to cease selling the product until made compliant. The agency’s stop notice (sent to the company and published publicly) should also demand the recall of the noncompliant product. The agency should also consider additional actions depending on its authorities and typical enforcement processes against other companies domestically, such as fines. In line with other contexts in which companies may hold liability, governments carrying out enforcement should weigh whether a reasonable effort was made to attest in good faith, among other factors. 

Figure 7: Setting the Baseline of Minimally Acceptable Security (Recommendation 1)

Recommendation 2: Governments should follow the “reversing the cascade” philosophy, where instead of trying to influence manufacturers based abroad, governments put pressure on domestic suppliers and retailers—who may, in turn, put their own pressure on manufacturers to improve security (Figure 8). It is not just governments that make policy decisions that impact product manufacturers. There is considerable power in the terms and conditions for selling through major marketplaces and retailers like Amazon, Walmart, and Target. Many IoT security efforts encounter issues when they try to levy penalties on manufacturers, as many of them are based outside their jurisdiction and may not have incentives to comply with security requirements. Vendors, however, fall within a government’s jurisdiction, making actions more feasible. There are also fewer major IoT vendors than there are IoT product manufacturers, allowing efforts to be more concentrated. In the US, political leaders and regulatory agencies, such as cybersecurity officials in the Department of Commerce and regulators at the FTC, should call upon major retailers to more proactively police the sale of consumer IoT products that lack basic security features. This is because these retailers currently sell products like smart thermostats, smart speakers, and baby monitors that have poor security practices and use default passwords. If engagement does not bring about change, retailers could be held accountable through new laws that penalize them for the sale of noncompliant products. Though, targeting noncompliant smart products that have been sitting for a long time on the shelf may achieve higher security across products more quickly, without creating barriers to entry for small manufacturers. It is also possible that the FTC could pursue action against specific retailers under its “unfair or deceptive acts or practices.^{99, 117}

As the world’s largest online retailer, Amazon, for example, could have an outsized impact with an expansion of its “Restricted Products Policy” to bar unsafe smart devices. When contacted by security researchers about a particularly vulnerable wireless camera (promoted as “Amazon’s Choice”) the firm removed the preferred listing and responded, “We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed in our stores.”¹¹⁸ In this vein, in its Examples of Prohibited Listings in the Electronics category, Amazon should explicitly prohibit smart home products that fail to meet the Tier 1 requirements. The US government has the ability to apply pressure on online retailers (not just Amazon) to do that, such as through public messaging campaigns and convenings with company executives through organizations like NIST. If this fails to stem the presence of insecure products on the site, another measure could include requiring firms to receive approval before listing consumer IoT products—as they must for categories including jewelry, DVDs, and “Made in Italy” items—or just a subset of high priority items like children’s connected toys. This approval could be as simple as submitting a form that attests that the firm does not use universal default passwords and lists a vulnerability reporting point of contact. Amazon’s application form for selling streaming media players could serve as a template. Even without specific laws that force its hand, this policy would be in line with Amazon’s stated goal of allowing customers to buy with confidence on its platform. 

Figure 8: Setting the Baseline of Minimally Acceptable Security (Recommendation 2)

Recommendation Set: Incentivize Above the Baseline (Tier 2): Ensuring that all smart devices meet basic security requirements is valuable, but insufficient relative to the present risk in the IoT ecosystem. Some buyers may wish to achieve security at a higher level, and even more likely, some governments may wish to require manufacturers to adopt security standards above the first-tier baseline. Some manufacturers may also pursue a higher level of security as a differentiator. This section outlines four recommendations that will strengthen the development of this higher tier: setting the higher tier, mandating a more stringent degree of security for government-procured smart devices, expanding label recognition between states, and moving towards a consensus certification and labeling program. These actions will grow demand for secure products, increase consumer awareness, and decrease friction for firms that must otherwise navigate multiple certification regimes. 

Recommendation 3: Governments should support the creation of a voluntary, higher tier of security requirements, indicated via labeling programs in their markets (Figure 9). The objective of this tier is to encourage firms to adopt more advanced security features and design practices in their products. As with the first tier, the specific security provisions that governments select for this tier should consider outcomes-based approaches, perhaps looking to ETSI EN 303 645 for inspiration. Other provisions, such as those from OWASP and ioXt, can supplement such approaches. Unlike the first tier in which companies self-attest to meeting standards, in this tier, companies should have their products evaluated and their status certified by a third-party testing lab. These approved labs should be certified under ISO/IEC 17025, an internationally accepted standard for Testing and Calibration Laboratories, to ensure consistent application of device security testing procedures. Since product certification at this tier is on a voluntary basis, manufacturers will likely wish to advertise their products’ enhanced security features. Any device that passes the test and therefore shown to meet the Tier 2 requirements will receive an accompanying Tier 2 label. These labeling schemes can be “binary,” indicating the presence or lack of desired security features (e.g., Finland and Germany’s programs), or multi-level, allowing manufacturers to pursue the certification that meets the desired “grade” of security for their product (e.g., Singapore’s CLS). After issuance, random audits should ensure that devices continue to remain in compliance with the provisions of their label. If a product has received a label but no longer meets its requirements, the government should decertify the product. Depending on the jurisdiction, the government may also pursue legal action against those who willfully make false claims about their product’s security features. 

The existence of the second tier will aid in raising the security of IoT products above the minimum standards set in tier one. As the multi-tier model evolves over time, governments can also migrate effective standards from the second tier over to the first tier. Further, using outcomes-based approaches such as ETSI EN 303 645 as inspiration for these security requirements will ensure continued momentum around many agreed-upon basic security principles, while the employment of public-private cooperation ensures that standards are actionable. To drive the uptake of labeling programs, governments should engage with industry and the public to spread awareness of the programs’ benefits, and they may also consider defraying start-up costs, such as waiving registration fees and subsidizing testing expenses. 

Much like ETSI could serve as a guiding foundation for establishing a set of baseline security requirements for Tier 1, the industry security efforts underway by the CTA and the CSA, among others, could become a foundation for establishing a higher bar of IoT product security paired with a consumer-facing IoT labeling scheme. 

Figure 9: Incentivizing Above the Baseline (Recommendation 3)

Recommendation 4: Governments should include Tier 2 requirements as part of government procurement contracts (Figure 10). Technology manufacturers and vendors strongly benefit from government contracts, and the inclusion of cybersecurity standards in government procurement requirements can be one mechanism to incentivize large and small manufacturers to adopt them. The cost-benefit is simple for those companies: if they do not meet the specified cybersecurity requirements, they do not qualify for government contracts. Governments should therefore include Tier 2 (or higher) security standards in their procurement requirements such that any IoT manufacturer or vendor who wishes to do business with them must invest in a higher level of security beyond the Tier 1 baseline. 

The United States provides a recent case study in this approach with its IoT Cybersecurity Improvement Act of 2020, which requires federal agencies to abide by NIST cybersecurity guidelines when procuring IoT products. Thus, companies will not be able to sell their IoT products and services to the US federal government without complying with NIST cybersecurity guidelines. Procurement requirements in the UK, Singapore, and Australia, especially in the defense apparatuses, can similarly provide a mechanism by which the government can incentivize the adoption of a higher tier of cybersecurity practices. Since it tends to be too unwieldy for companies to produce multiple lines of the same product—one suitable for the government’s requirements and a separate less secure model—the entire market would benefit. This measure would not only incentivize companies to act but would also mean that IoT products used by governments will themselves have a higher bar of security. In turn, procurement is a mechanism by which to better protect government systems and, likely, citizen data against cyber risks as well. 

Figure 10: Incentivizing Above the Baseline (Recommendation 4)

Recommendation 5: In the short term, governments should reach agreements to mutually recognize each other’s labels. As different national IoT labeling schemes proliferate around the world, it will be important to reduce the burden on manufacturers from duplicative testing and certification requirements. In October 2021, Singapore and Finland agreed to mutually recognize each other’s labels for IoT products, hoping that this agreement will also spur more international collaboration. Through this agreement, companies that receive Finland’s Cybersecurity Label for a product are immediately eligible for Singapore’s Level 3 label, and vice versa. Even though not a country focused on in this report, Germany’s voluntary cybersecurity labeling program went live in January 2022, and it is reportedly in discussions with other countries to further expand mutual recognition. Given ETSI EN 303 645’s role as the backbone of multiple national frameworks, these agreements would likely be relatively simple to establish, recognizing that some agreements might focus on recognizing specific requirements while others might focus on recognizing equivalency—when similar outcomes are achieved with slightly different requirements. Major technology firms that care about improving the security of smart devices can apply for certification, even if it does not immediately benefit them, thus adding to the credibility of labeling programs. Countries with labeling programs already underway should study their impact, consider stakeholder feedback, adjust their schemes as needed, and share lessons learned with other countries interested in adopting this approach. It would be helpful for some of the analysis to focus on how to balance the need for maintaining high standards with reducing the administrative burden on firms going through the certification process. Major IoT vendors have noted how onerous it is to submit their products to multiple IoT security certification processes; for smaller firms, it can only be more difficult. Solutions like a “Common Application form”—inspired by the innovation that allows individuals to apply to multiple US-based universities by filling out one document—could help address this problem, as can regularly reviewing program-specific requirements and dropping ones that do not add value. 

Recommendation 6: Over the longer term, governments should compare results of their national labeling programs and move towards a single global model for communicating security characteristics of an IoT product. As regulators in each of the four countries gather performance data on the impact of their approaches, they should work to adopt the attributes of the certification scheme(s) that show the most promise. Labels are already moving well past static data forms with the inclusion of commonly accepted machine-readable formats and more dynamic data sources like SBOMs might be contemplated. Most fundamentally, any future consensus model to communicate the security characteristics of an IoT product (not its packaging) should include basic, easily understandable information affixed to the product, as well as more detailed and dynamic information found online. 

Oftentimes, companies’ currently issued IoT security labels and certifications fail to articulate exactly what certification means and how users should understand security. Further, by the time many consumers read an IoT product label, it is already unboxed and undergoing set-up in their home. These shortcomings impede buyers’ ability to understand IoT product labels and certifications—thus undermining their effectiveness. As part of this multi-tier framework, government and industry should ensure that at their respective tiers, labels issued for IoT products have basic, easily understandable information affixed to the product itself. They should also ensure the same information is available online, supplemented with other details that manufacturers and vendors can more easily update over time. Instead of communicating in the highly technical language used by experts, governments and industry should look to their relevant communicators for help employing the clearest language possible: for instance, saying, for Tier 1, “No default passwords” on a box and then include a check mark next to it. Doing so will empower buyers to easily make decisions about the security and privacy of a product through easy-to-understand labels. 

Recommendation Set: Pursue international alignment on standards and implementation that cover entire IoT product lifecycle: Coherence between jurisdictions on enforcement mechanisms is important, but consistency in the principles of good security practice that form their foundation is even more critical. Given that security is a moving target, regulators must also be able to adapt as capabilities and threats shift. This section describes three recommendations that are key to these objectives: maintaining consensus on standards and scope, introducing regular reviews to keep IoT security programs up-to-date with technological change, and ensuring that all phases of the IoT lifecycle are appropriately addressed. 

Recommendation 7: Governments should pursue outcomes-based approaches to consumer IoT security rooted in agreed-upon basic security principles and maintain similar definitions for products considered “in-scope.” Efforts to secure consumer IoT should be rooted in widely recognized desirable security outcomes, though countries may find benefits in slightly different standards to achieve those outcomes. This focus on outcomes is already evident in the approaches taken by leading standards bodies: NIST notes that its “baseline product criteria for consumer IoT products are expressed as outcomes rather than as specific statements as to how they would be achieved,”¹¹⁹ while ETSI says that its “provisions are primarily outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products.”¹²⁰ ETSI EN 303 645 already underpins national efforts in the United Kingdom, Singapore, Australia, Finland, Germany, India, Vietnam, and elsewhere, which goes a long way to ensuring a degree of uniformity in this space. As these countries have implemented national programs, they have supplemented the main ETSI EN 303 645 provisions with additional principles from other bodies, such as Singapore’s Infocomm Media Development Authority (IMDA) and Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI). While some variation among requirements is perhaps inevitable, it can risk becoming onerous for IoT vendors as additional provisions proliferate across jurisdictions. This highlights the importance of encouraging countries to strive for similar outcomes and not just standards. Other IoT security frameworks may be referenced to bolster specific aspects of IoT security that are outside the scope of guidance found in standards such as ETSI EN 303 645, particularly those that extend beyond the device hardware and into the product’s related software and apps. For instance, the App Defense Alliance has a framework that may be useful to reference while developing apps that are partnered with physical IoT products. 

Similarly, governments must remain aligned on the products they consider “in-scope” for their IoT security efforts. ETSI EN 303 645, for example, covers “consumer IoT products that are connected to network infrastructure (such as the Internet or home network) and their interactions with associated services,” and provides a non-exhaustive list of examples that includes: 

Connected children’s toys and baby monitors; connected smoke detectors, door locks and window sensors; IoT gateways, base stations and hubs to which multiple products connect; smart cameras, TVs and speakers; wearable health trackers; connected home automation and alarm systems, especially their gateways and hubs; connected appliances, such as washing machines and fridges; and smart home assistants.”¹²¹ 

Governments should consider how far to draw the line on systems, devices, and services with which IoT products connect—thinking about IoT cloud applications and other services that might fall under the scope of security baseline enforcement. For instance, the language in the UK’s PSTI Bill—as written—excludes many IoT products from the scope of an IoT device, thus limiting the potential benefits of a mandated security baseline. As a starting point, governments should consider enforcing the baseline on all IoT products as well as on the systems and services on which IoT products depend to function. For example, if an IoT cloud application breaking would stop an IoT product from functioning, governments should consider including that in the scope of a default password mandate. Governments should delegate this task to the relevant cybersecurity standards agency and then embed the recommended definitional scope in legislation, regulation, and other requirements. 

Recommendation 8: Governments and industry should review and, if necessary, update their respective tiers of standards every two years. Technology changes quickly, and future efforts must ensure that guidance for security keeps up with the evolving security landscape. Further, there is a question of “moving goalposts”—once a government, for example, has success in requiring industry to meet the Tier 1 baselines, it should aim to raise the baseline even further through additional updates. Nonetheless, while standards can provide more specific guidance for organizations, governments should also consider mapping those evolving standards to a set of broader, desired security outcomes. Then, governments and industry should revisit and, if necessary, update their respective tiers of standards every two years, initiating update processes ahead of that two-year timeline such that the final updated guidance is ready for release at, or ahead of, the end of the two-year interval. Updating requirements each year with appropriate government, industry, and civil society consultation may require too much time and too many resources needed elsewhere, but without regular updates (e.g., every two years), IoT cybersecurity standards will become quickly outdated. On the international stage, standards bodies, including the ETSI and ISO, should continue to adapt guidelines as technological circumstances change and new information becomes available. This process should discard outdated and ineffective standards (or even contradict or undermine new security guidance), modify existing standards based on new technologies and risks, and consider adding new standards to each tier given the current rate of progress. To implement these changes into regulation, the UK’s approach of empowering the DCMS secretary to define baseline security requirements—rather than “hard coding” them into legal text—provides an excellent model for replication. Law is extremely slow to change. However, if the appropriate agency or agencies receive the power to produce regulations and modify enforcement mechanisms within a stated scope of authority—and with appropriate government, industry, and civil society consultation—this would result in more regularly updated and thus more relevant and useful IoT security requirements. 

Recommendation 9: Governments should develop additional guidance around the sunsetting phase of the IoT product lifecycle. As illustrated in this report, many existing IoT security frameworks heavily skew towards the design, development, sale and setup, and maintenance phases of the lifecycle. Across best practice guidance, technical standards, and labeling and certification schemes, there is comparatively little IoT security focus on what happens when products are no longer receiving software security updates or must otherwise reach their end of life—and what manufacturers, vendors, and/or buyers should do to prepare for and handle that eventuality. This is a considerable oversight in the existing IoT security approaches. It also risks replicating a problem seen before with more conventional parts of the internet ecosystem, such as organizations needing to use old products and systems long after it is reasonably secure to do so (e.g., those running Windows 95). Governments should therefore develop additional guidance around the sunsetting phase, through their respective organizations designated with technical standard-setting. Producing this sunsetting guidance will take time and should not necessarily hold up the development and deployment of the minimum baseline tier of IoT security certification, but it is essential for addressing all parts of the IoT product lifecycle in a security approach. 

These recommendations provide a sensible starting point to address the economic incentive issues that sustain consumer IoT’s insecurity while promoting the core policy objectives of eliminating the most glaring vulnerabilities, harmonizing requirements across jurisdictions, encouraging greater prioritization of security by manufacturers, increasing consumer awareness, and making an overdue impact without further delay. Implemented and updated continuously, this would help drive towards a world in which IoT product manufacturers build in better security from the start—referencing many of the same sets of baseline security standards, roughly consensus and harmonized across jurisdictions—and every other actor in the supply chain follows, with manufacturers and vendors displaying understandable cybersecurity labels on products, retailers enforcing security requirements on those manufacturers and vendors, buyers looking to labels and other security guidance, and regulators ensuring that IoT security is better implemented across the entire device lifecycle.

Measuring success

As with many cybersecurity issues, simple quantification of the problem is challenging. The discovery of a single vulnerability—whether in the product itself or in commonly used software packages—can mean that millions of IoT products are suddenly at risk. But methods to better understand and quantify IoT security risk are needed, both to better understand the nature of the problem and to measure the success of policy interventions and security standards. Several data points may prove helpful in enhancing understanding of the overall threat ecosystem presented to IoT products. 

• Information on the number of in-scope products: One widely cited study from Transforma Insights, a market research firm, estimates that the number of active IoT products will grow to 24.1 billion by 2030, up from 7.6 billion in 2019, expanding on average 11 percent per year.¹²²
• Information on attacks: After coming online, on average, an IoT product is probed within five minutes by tools that scan the web for vulnerable products, and many are targeted by exploits within 24 hours. Attacks on a simulated smart home, constructed by the UK consumer group called “Which?”, reached 12,000 in a single week.¹²³ Kaspersky, a cybersecurity firm, maintains a network of “honeypot” devices to learn more about attacks, and measured 1.5 billion IoT attacks over the first half of 2021, up from 640 million over the same period a year prior.¹²⁴ Defining an “attack” can be another tricky question, with some definitions including activities that range from a relatively benign probe by a popular scanner tool to an all-out compromise of the device. It would perhaps be most fruitful to focus efforts on activities that hint at active malicious activity, such as brute-forcing attempts or attempts to employ remote code execution exploits. 
• Information on product insecurities: Unit 42, a team of threat intelligence researchers at Palo Alto Networks, estimates that 57 percent of smart devices are susceptible to medium- or high-severity attacks, while 98 percent lack encryption in their communications, putting confidential personal information at risk.¹²⁵ Default manufacturer passwords, often the same for thousands of devices, provide some of the simplest entry points in the compromise of a device. In 2017, researchers at Positive Technologies found that five login/password combinations—support/support, admin/admin, admin/0000, user/user and root/12345—granted access to 10 percent of internet-connected devices.¹²⁶

Measuring the impact of labels, standards, and legislation is harder still. In the UK, DCMS published cost-benefit analysis in parallel with the filing of the PSTI Bill. This report represents one of the more admirable efforts to quantify this risk and the potential benefits of intervention. But as the NCSC notes, analyzing the cost of intrusions specific to connected consumer products is very difficult today, as the user does not necessarily notice the attack, and the line between what is and is not an attack may be blurry from an outside observer’s perspective.¹²⁷ Better methods to measure the impacts of policy interventions must continue to be the subject of research. An initial—and non-exhaustive—list of these metrics may include: 

• Percent/number of products that meet various levels of security (as defined by ETSI/NIST/other frameworks). 
• Percent of products using default passwords. 
• Number of products infected with Mirai and other IoT malware. 
• Percent of products sold whose company has a vulnerability reporting contact. 
• Average response time / patch release time for critical vulnerabilities by product. 
• Percent/number of unpatchable products in operation. 
• Percent/number of products no longer receiving security updates in operation. 
• Percent of customers who say they use product security as a key buying criterion. 
• Percent of customers who say they trust the security of their IoT products. 
• Number of IoT product vulnerabilities with high CVSS scores publicly disclosed (the assumption being at first a deluge of reporting as researchers start to focus on these products, and with time the number of found vulnerabilities decreasing). 

What’s next for labeling 

Throughout the conversations with government and industry players, one point of worldwide consensus shines through: there is a solid appetite to adopt some sort of labeling scheme for consumer IoT devices. The benefits of such a scheme are plentiful. The ability to collect information on product security and having that information public offers exciting possibilities. Access to such information empowers purchasers and supports researchers and auditors in doing their work. IoT vendors have also recognized the benefits of labels from a marketing perspective, allowing them to use product security as a clearly articulated, understandable differentiator.   

While the interest in labeling is there, the logistics are still lacking. There is a slew of details that need ironing out down the road. Getting them right is important for the IoT, and, as such, labeling merits future dedicated study. Plenty of questions exist around label design: How should it look? What information should it communicate? Beyond that are the bigger questions of how the system itself should work: Who could issue labels? What information would be needed to award a label? Where would that information be kept and stored, and how could it be accessed? Many details need workable answers—and there are lots of proposed ideas to sort through—before a labeling scheme can roll out on a global scale.  

Conclusion

Inadequate security for consumer IoT products is just one of many difficult emerging technology issues that require global coordination among public and private sector actors. A range of parallel efforts exist to address wide-ranging digital challenges, such as protecting the privacy of personal data, addressing anti-competitive behavior by tech giants, and countering online misinformation. The steady march of technology means that poorly designed interventions risk irrelevance. Moreover, they leave the IoT more vulnerable to harm from the unintended consequences they should prevent. 

Despite the perennially crowded global to-do list, reducing the threats from insecure consumer IoT products is overdue, attainable, and worthy of the world’s attention. This report likely gives short shrift to the many benefits of consumer IoT, but fully realizing its potential requires addressing its worst failings. These deficiencies—rooted not merely in technology but, more so, in economic incentives—means that the IoT demands better policy intervention. A litany of proposals has at last turned into momentum behind some reasonable, consensus measures. As one interviewee said, “we cannot let the perfect become the enemy of the good.” 

From botnets that menace internet infrastructure to universal default passwords that allow hackers to invade user privacy, the impact on consumers is real, with risks that multiply in tandem with the number of connected devices. As Nathaniel Kim, Bruce Schneier, and Trey Herr contend, “these attacks are all the byproducts of connecting computing tech to everything, and then connecting everything to the Internet.”¹²⁸ Unlike traditional appliances, which tend to degrade over predictable timescales and stop working individually, “computers fail differently.”¹²⁹ They all work fine, until one day, the discovery of a vulnerability means finding a fix for all products of that particular model. As more and more things continue to become computers, they will increasingly fail like computers. The world needs processes, norms, and global standards that fit for this new reality. 

Appendix I

Country-specific implementation plans 

This section discusses tangible, high-impact next steps that the UK, Singapore, Australia, and the United States can each take to bring about the global multi-tier system for IoT security detailed in our recommendations. 

As noted earlier, this research seeks to capitalize on existing momentum, whether international or intranational. There are multiple viable paths for governments that are consistent with our vision to (1) rid the world of IoT’s most glaring vulnerabilities and (2) harmonize international efforts to make it easier for firms to manufacture and sell products with even stronger security features. This implementation plan aims to nudge their approaches towards greater consistency, as opposed to calling for dramatic about-faces. 

UK 

Tier 1. Set the Baseline of Minimally Acceptable Security: 

Of the four countries examined in this report, the UK is closest to creating a mandatory baseline for a broad range of IoT products sold in its market. The PSTI Bill, currently advancing in the House of Lords, will set minimum security requirements for manufacturers and couple them with potent enforcement mechanisms. By empowering the DCMS secretary to set these guidelines, this baseline can keep pace with technological change without the need to constantly rewrite legislation. The UK government should take the following actions: 

• Pass the legislation. The most obvious and immediate next step is for parliament to enact the PSTI Bill. Thus far, the proposed law has made its way through the legislative process with its core provisions intact. While it does not address everything on the wish list of security advocates, it is an ambitious effort that lawmakers should approve. The House of Lords has recommended a sensible amendment that will also protect security researchers conducting legitimate vulnerability research from intimidation and lawsuits by manufacturers.¹³⁰ Given that the countdown for firms to comply with the new law begins one year after the bill receives Royal Assent—and that it has already been nearly nine months since its filing—consideration of further amendments should take into account the additional time they will add to the process. 
• Identify a regulator. While the DCMS will define the cybersecurity provisions that manufacturers must abide by, it will not be the agency that enforces them. At the time of publication, the UK government had not publicly named the regulator responsible for enforcing the baseline product requirements. In its 2021 consultation, the DCMS sought recommendations on agencies well-positioned to serve in this role. Multiple respondents highlighted Trading Standards as a natural fit given its consumer protection role under Schedule 5 of the Consumer Rights Act 2015. Another was Ofcom, the UK’s communications regulator.¹³¹ The DCMS has also consulted with the Office for Product Safety and Standards in the Department for Business, Energy, and Industrial Strategy, another consumer product safety regulator.¹³² This report does not have a specific recommendation as to the best-positioned agency to assume this role, but the government should announce this decision and begin to build out the key elements of its enforcement capacity. 

Tier 2. Incentivize Above the Baseline: 

Unlike the other three countries profiled in this report, the UK government has for now explicitly rejected the approach of device labeling, choosing to initially focus the bulk of its efforts on setting the first tier of a mandatory baseline. Despite the challenges with cybersecurity labels, the team views them as the best option for encouraging manufacturers to invest in greater security as well as providing consumers with accessible information. In partnership with NCSC, the DCMS should: 

• Provide “forward guidance” on provisions that it aims to mandate next. Like a good central bank, the DCMS should provide predictability in its intended future actions while remaining flexible to change in the face of new information. While the UK plans to begin with the so-called “top three” measures in its initial list of mandatory requirements, one of the key design principles of its approach is the ability to gradually ratchet up the baseline with new provisions. Through public announcements and meetings with industry, DCMS can telegraph where regulation is headed and allow security-minded firms to bring their products into compliance before the measures become mandatory. For starters, the DCMS should look to the World Economic Forum (WEF) statement that highlights two additional ETSI principles as the logical next steps: ensure that products communicate securely and safeguard personal data.¹³³ Other impactful measures could include a guideline requiring manufacturers to provide security updates for a minimum period consistent with the average length of time consumers use a product, which can vary by product category. The DCMS could go even further by publishing the planned effective dates of new security requirements years in advance. These provisions can change as cybersecurity threats and commercial considerations change. 
• Study the impact of cybersecurity labels in other markets and be prepared to reevaluate if they achieve results. Thus far, research on cybersecurity labeling for smart devices remains largely limited to surveys about consumers’ hypothetical willingness to pay more for products that have an indicator of greater security. Now that several countries have introduced labeling programs, users should begin to see “real world” data on their performance, both as it relates to changing consumer behavior and in addressing the downstream ills of insecure devices. If it becomes apparent that one or more of these labeling approaches are achieving success—or gaining traction as an international standard—the UK government should remain open to adopting it in its market. 

Singapore 

Tier 1. Set the Baseline of Minimally Acceptable Security:  

While Singapore’s CLS for consumer IoT is largely voluntary, it provides the regulatory infrastructure for a program that gradually expands to establish a baseline level of security for all devices. Internet routers sold in its market already must meet the provisions of the CLS Tier 1 label, which map directly to the UK’s “top three” requirements that will be enforced with its proposed PSTI Bill. In consultation with IMDA and other partners, the CSA should: 

• Make the Tier 1 label mandatory for more product categories. Internet routers have been a wise starting point: they have an outsize presence in today’s botnets and can have security knock-on effects that threaten consumers’ other smart home devices. Perhaps unsurprisingly, routers now account for over half of the CLS labels issued.¹³⁴ The CSA should consider the next highest priority product categories that will need to meet these minimum security measures, incorporating criteria like the (lack of) maturity in the category’s cybersecurity features and the privacy risk to individuals if compromised. IP cameras, connected baby toys, and smart locks are strong candidates. 
• Add to the security provisions required as part of the Tier 1 label, especially those related to secure development practices. CLS includes 76 security provisions, with roughly half required by one or more of its tiers, while the others are merely recommended. The first tier currently has 13 required provisions. Tier 2, which primarily concerns product lifecycle and secure development practices, has 17 required provisions—eight drawn from ETSI EN 303 645 and nine from the IMDA’s IoT Cyber Security Guide. Over time, the CSA should aim to collapse the most impactful Level 2 requirements into Level 1, while removing those not seen as value-added. Alternatively, the CSA could keep the same provisions in each CLS level and gradually require that devices meet the second level. Since both CLS Levels 1 and 2 rely on manufacturer self-attestation, these changes should not require any operational changes in administering the program. 

Tier 2. Incentivize Above the Baseline: 

CLS has seen dramatic growth since the beginning of 2022, with the number of labels issued tripling during that timeframe. But the gains are not evenly distributed: of the 176 labels issued by CSA as of July 2022, 148 are at the Level 1 designation, an additional 16 are at Level 2, and 10 are for Level 4.¹³⁵ As mentioned earlier, many of the recipients of labels are internet routers, where the Level 1 label is mandatory. A key selling point of its multi-tier system is the ability to provide manufacturers with a reason to go above and beyond the bare minimum. To this end, CSA should: 

• Conduct a review of the program’s effectiveness in addressing the core problems associated with IoT insecurity and publish the findings. As the country with the most mature cybersecurity labeling program, Singapore is in a unique position to gather information on the successes and challenges of this regulatory approach. How have consumers adapted their purchasing behavior since its launch? Has the number of insecure devices sold in Singapore decreased? What have been the challenges for firms? Have there been impacts beyond Singapore’s borders? This review could also help improve the structure of the program. For example, it might review the fitness of the CLS tier structure. The inclusion of more levels makes sense if it adds to the range of choice for consumers and manufacturers to select the appropriate certification level that meets their needs. If no one selects it—currently the case for CLS Level 3—it is possible to simplify the scheme. The report’s “Measuring Success” section includes some example metrics that could help gauge a topic that is notoriously difficult to quantify. The results will be helpful for Singapore, but just as critically, for the large number of countries and industry bodies that are experimenting with cybersecurity labels for IoT products. 
• Pursue an agreement with Germany for mutual recognition of cybersecurity labels. Finland and Singapore’s agreement shows that binary and multi-tier labeling approaches need not conflict. Germany, which recently launched its own binary label in January 2022, should also join the bilateral agreement between Singapore and Finland for mutual recognition. All three countries draw largely from the same list of ETSI EN 303 645 security provisions. Partnering with a market of Germany’s size will add significant momentum for Singapore’s approach to securing IoT, while reducing the burden of duplicate testing and certification for firms. This approach should be pursued for any country that adopts an IoT labeling program found to be largely compatible with the existing Singaporean program.  
• Consider measures to encourage broader adoption of the labeling scheme. Anecdotal evidence suggests that many security-minded firms have been eager to participate in the program, but the CSA should continue to search for ways to increase its attractiveness. While the program will eventually need to generate revenue to cover its costs, CSA could extend the moratorium on application fees for an extended period, or even subsidize testing for devices at higher levels of security. 

Australia 

Tier 1. Set the Baseline of Minimally Acceptable Security: 

Since the conclusion of its Call for Views in August 2021, Australia’s DHA has been relatively quiet in public on its path forward for the regulation of consumer IoT. Whatever its ultimate action, it is evident that Australia aims to take a more hands-on approach than its past voluntary measures. To establish this minimum baseline, the DHA should: 

• Select a regulatory approach for mandating basic security requirements for devices sold in its market. Australia has multiple approaches at its disposal and should continue to study the benefits and drawbacks of programs in the UK, Singapore, and elsewhere. The options it is most seriously considering are either a mirror image of the UK’s minimum security standards or a four-level “graded shield” that appears very similar to Singapore’s CLS. Australia’s voluntary Code of Practice, which aligns with ETSI EN 303 645, should provide a strong foundation that will have prepared Australian businesses for more stringent enforcement. 
• If pursuing a minimum security standard, align its approach with the PSTI Bill’s planned enforcement measures. At a minimum, these measures should include the “top three,” banning universal default passwords and mandating vulnerability reporting contacts and transparency on security updates. Preferably, it would also include additional provisions on securing personal data, encrypted communications, and minimum acceptable support periods for security updates. Currently, Australian Consumer Law does not require firms to adhere to any principles meant to reduce cyber risk, “only that they cannot make misleading or deceptive representations about the cyber security of their products.”¹³⁶ This baseline could be achieved either through a new law, modeled on the UK’s PSTI Bill, or an expansion of Australia’s existing Consumer Law to incorporate protections against the most basic flaws in cybersecurity in its definition of “acceptable quality” and “fit for purpose.”¹³⁷
• If pursuing a multi-level labeling approach, follow a strategy of gradual mandates by product category. Given that it seems most drawn to a multi-tier label mirroring CLS, the clearest path for Australia is to follow Singapore’s strategy and gradually mandate a tier 1 label by product type, beginning with high-priority items like internet routers. The labeling scheme should include a broad definition of in-scope products, drawing from ETSI’s definition of smart devices. In addition to expanding mandates by product category, DHA can also raise the baseline over time by advancing along the other “axis” of incorporating more security provisions from higher security levels into its base tier. 

Tier 2. Incentivize Above the Baseline: 

The approach for incentivizing action to instill even greater security measures in its smart device market is highly related to Australia’s method for enforcing its baseline. As DHA notes, these measures need not be mutually exclusive. To promote a higher tier of security, it should: 

• Select a cybersecurity labeling approach. A study conducted by the Behavioral Economics Team of the Australian Government compared the effects of multiple label options on consumers, finding that “participants were more likely to choose a device with a cyber security label than one without a label, by 13–19 percentage points.”¹³⁸ While the graded shield was most impactful, it found that “expiry labels were still effective” and “a high security level or long expiry date increased the likelihood of choosing a device.”¹³⁹ Each of these options appears likely to have its own benefits and drawbacks, but it is time to choose one and move forward with it. 
• If pursuing an expiry date-label, study its effect and publish the findings. If it follows through on this proposal, Australia would be the first to introduce a label that indicates the length of time manufacturers will provide security updates to the product. Studying this approach can help answer several questions about the impact of cybersecurity labels, particularly around the sunsetting phase. For example, are consumers incentivized to purchase devices at a discount that are about to go “off warranty”? As stated earlier, there is nothing wrong with national-level experimentation, as it can be beneficial in formulating new approaches that may be suitable for broader adoption. 
• If pursuing a “graded shield” label, agree to mutual recognition with Singapore and other participating countries. The four-level labeling scheme that Australia appears likely to pursue bears many similarities with Singapore’s CLS. In this case, the two countries should aim to bring their programs into close harmony, including the definitions of in-scope devices, the security provisions included in each tier, and the processes for self-attestation and third-party testing. Over time, the DHA should work with the CSA to ensure that the programs evolve together with consistency. Australia should then join the bilateral agreement with Finland for mutual label recognition, as well as a proposed agreement with Germany. 

United States 

Tier 1. Set the Baseline of Minimally Acceptable Security: 

In comparison to other jurisdictions, the United States has preferred a less interventionist approach. There are two main exceptions: the two states that have enacted legislation to impose minimum security standards on IoT products, as well as the IoT Cybersecurity Improvement Act of 2020 which requires federal agencies to only procure devices that meet NIST security guidelines. In this context, the team recommends: 

• States should pass and enforce their own IoT security laws. California and Oregon led the way but should expand their laws to focus on more specific guidance for organizations and manufacturers less versed in cybersecurity, rather than just focusing on concepts like “reasonable security.” Ideally, they will do so in a way that does not lock in specific security measures into legal text but instead points toward another regulatory mechanism that more easily updates standards, such as the UK’s approach of empowering an agency to maintain these standards, or points them to guidelines set for federal government agencies by NIST. More states should follow in their footsteps, putting forth IoT security laws that incorporate the standards outlined by the US government, as well as considering standards established by others around the world. The states that have implemented these laws should also study their impact. It is not apparent that any enforcement actions have yet occurred, which indicates one of two possible scenarios: all devices sold in their markets are now compliant, or enforcement has been insufficient. The latter seems more likely than the former. 
• The federal government should adopt the binary labeling approach proposed by NIST. In NIST’s February 2022 publication “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products,” the organization recommends pursuing a binary labeling approach.¹⁴⁰ In this scenario, there would exist a single label stating that a product has met baseline security standards. Implementing the binary label would be a first step towards goals such as defining minimum security standards, creating and implementing a labeling program, and starting to broadcast to consumers what they should be looking for when purchasing IoT products. Among other details, this will require identifying an owner for the program, and the FTC would be the strongest candidate. 

Tier 2. Incentivize Above the Baseline: 

President Biden’s 2021 Executive Order 14028 (Improving the Nation’s Cybersecurity) directed NIST to design a labeling program for IoT devices, which should also serve as a mechanism to encourage the adoption of security measures that exceed the minimum baseline. The program’s ultimate owner should: 

• Provide incentives for industry to obtain labels. The US may look to Singapore and other countries that have adopted labeling programs to see how companies have been encouraged to participate in a labeling program and reach for higher tiers. Fee waivers for label applications may be a good way of incentivizing participation during the first few years of the program. Industry would likely react positively to some form of compensation for the third-party testing required to earn a higher label.  
• Provide liability protection for firms that pursue the higher, tier 2 security standards. Experts have indicated that many players in industry would be incentivized to pick up higher security standards in exchange for liability protections. There are various types of liability protections that may be considered here, and this report leaves such determination up to the regulatory body. The implementation of such liability protection may take the form of a law passed by Congress outlining these protections, or conversely may come in the shape of a publicly articulated approach by the FTC. 

Authors and acknowledgements

Patrick Mitchell is a consultant with the Atlantic Council’s Cyber Statecraft Initiative. He recently graduated from the Master in Public Policy program at Harvard University’s John F. Kennedy School of Government, where he studied issues at the intersection of emerging technology and global affairs, including a second-year thesis on international efforts to improve IoT security. Prior to this, he interned with the UN Secretary-General’s Office and worked for several years as a consultant with Accenture, where he supported federal, state, and local government agencies on projects related to technology strategy and digital transformation. He also holds a B.S. in Management from Boston College.

Justin Sherman is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative, where his work focuses on the geopolitics, governance, and security of the global Internet. He is also a senior fellow at Duke University’s Sanford School of Public Policy and a contributor at WIRED Magazine.

Liv Rowley is a former assistant director with the Atlantic Council’s Cyber Statecraft Initiative under the Digital Forensic Research Lab (DFRLab). Prior to joining the Atlantic Council, Liv worked as a threat intelligence analyst in both the US and Europe. Much of her research has focused on threats originating from the cybercriminal underground as well as the Latin American cybercriminal space. Liv holds a BA in International Relations from Tufts University. She is based in Barcelona, Spain.

Acknowledgments: The authors thank Kat Megas, James Deacon, and Rob Spiger for their comments on earlier drafts of this document and Trey Herr and Bruce Schneier for support. Thanks to Nancy Messieh for her support with data visualization. The authors also thank all the participants, who shall remain anonymous, in multiple Chatham House Rule discussions about the issues.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem appeared first on Atlantic Council.

Nearly every bit of technology and infrastructure that enables modern society to function runs on software. Lines of code—in some cases millions of them—underpin systems ranging from smart electronic kettles to fifth-generation fighter jets. A significant portion of software is cobbled together with and dependent on many pieces of open-source, non-proprietary code that, by and large, is built and maintained by volunteer software engineers for whom security may not be a top priority. As such, vulnerabilities abound in widely used systems, and securing the entirety of the increasingly complex software supply chain is no easy feat. 

Notable examples like the Sunburst/SolarWinds cyber-espionage campaign shed light on how adversaries are increasingly exploiting vulnerabilities in the software supply chain to compromise critically important public- and private-sector systems, and yet software supply chain security remains an underdeveloped aspect of public policy with meaningful gains starting to be made only more recently. On May 12, 2021, US President Joe Biden signed Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, a portion of which addressed the need to enhance software supply chain security. On May 5, 2022, in accordance with the EO, the National Institute of Standards and Technology (NIST) released its updated Cybersecurity Guidance for Supply Chain Risk Management.  

Between 2010 and 2021, according to the Atlantic Council’s Breaking Trust dataset, at least forty-two attacks or vulnerability disclosures involved open-source projects and repositories. Public policy still has significant room to address how both government and software developers improve the security of software supply chains, especially the wider health of the open-source ecosystem. 

We brought together five experts with a range of perspectives to discuss the implications of insecure software supply chains and realistic paths to securing them. 

#1 How does the security of software supply chains impact national security? 

Jennifer Fernick SVP & global head of research, NCC Group; member of the Governing Board, Open Source Security Foundation (OpenSSF): 

“Software is the core infrastructure of almost every aspect of contemporary life, and a security vulnerability in any aspect of a system or network. Its effect on government, intelligence, defense operations, financial transaction networks, energy companies, telecommunications, food and pharmaceutical supply chains, and other public- or private-sector critical infrastructure can have devastating consequences in the physical world. The now-popular notion of securing the ‘software supply chain’ ultimately reflects a growing apprehension that the security risks of computing systems are many layers deeper, more invisible, and more interdependent and impactful than they initially seemed.” 

Amélie Koran, senior fellow, Cyber Statecraft Initiative; director of external technology partnerships, Electronic Arts, Inc.: 

“Security does not always mean reliability. It is an outcome in most cases, such as resiliency is, but for most, the typical CIA triad of confidentiality, integrity, and availability drives most assessments of basic system and software security. While we can develop a very secure national security system—from defense to utility and other infrastructure—the additional security components sometimes hurt reliability or resiliency, as they must perform a set of steps or lack inclusion of typical convenience features that non-critical or national security systems tend to avoid, as they may just be bad security choices. 

In this case, often the selection of components for ensuring a secure system, including the construction, building and testing, as well as operation of those utilized for national security purposes become very oblique and even harder to manage. For many years those building these systems eschewed open-source software due to the fear of unexpected or unpredictable inclusion in the code base would make systems less secure. Over time, however, they have realized that, in most cases, the transparency of such software sources results in more rapid fixes, and thus it closes the windows of opportunity for potential attackers versus closed-source or even more bespoke systems that do not go under as much scrutiny. In other words, some of the most trusted national security solutions may actually be the most insecure from iterative tests and test of rigor by others. A test is only as good as the test developer, and once you cut those creators and testers down, less issues tend to get caught and resolved.” 

John Speed Meyers, security data scientist, Chainguard: 

“It is not too much of a stretch to say that the functioning of most digital systems—including those of western militaries, governments, and societies—have become deeply reliant on a hard-to-understand and hard-to-secure software supply chain. It is like we built a digital Manhattan on a foundation of quicksand and swamps.” 

Wendy Nather, senior fellow, Cyber Statecraft Initiative; head of advisory CISOs, Cisco: 

“No matter how they are compromised or by whom, software supply chains have an outsized network effect on the security and stability of everything from utilities to emergency response, transportation, healthcare, aviation, and public safety. As everything digitally transforms, the attack surface grows in subtle, remotely accessible ways, and it potentially affects even those populations without access to technology.” 

Stewart Scott, assistant director, Cyber Statecraft Initiative: 

“Software is eating the world, or so I am told, so securing any system or application relevant to national security is critical—everything from computer systems on fighter jets to government-adjacent email accounts. Securing one’s own systems is challenging enough, but modern software services are a patchwork of in-house programs, purchased products, imported libraries, cloud applications, open-source components, and even copy-and-pasted code. Security for software supply chains extends the challenge to using others’ code securely, identifying what products are developed and maintained securely, and even figuring out what dependencies exist. It is incredibly complicated and difficult for security everywhere, and national security especially, as incidents like the Sunburst campaign and log4j illustrate.” 

#2 What are the challenges to building more secure software supply chains? Do developers, intermediaries, consumers know what they need to do? 

Fernick: “Vulnerabilities are cheap to create but expensive to find—even the best programmers in the world regularly write code with security vulnerabilities, and even the best security tools on earth will fail to find all of these vulnerabilities without the time-intensive intervention of human experts. Yet, even theoretically perfectly secure code would more likely than not depend on another piece of software that is full of exploitable vulnerabilities, will run on an insecure operating system on top of flawed hardware, and be deployed through a build pipeline that can be compromised by attackers. Security is very hard, and yet I feel like as an industry we push too much of this responsibility downstream to other developers and users who are not equipped to face it. Instead, we need to ‘shift left’ and assume that vulnerabilities are present, but find ways of reducing them at scale or detecting and remediating them early, through improved programming languages and frameworks, scalable vulnerability-finding tools, and other systematic investments in improving the ecosystem as a whole.” 

Koran: “Complexity is by far one of the greatest challenges to securing software and digital supply chains. Most tools and systems that are available to organizations provide a patchwork of awareness of the overall risk, and require a high level of competence in the minutia of the software or system in order to generate a plan of action, short of a basic “update this code with something deemed more secure.” One of the major issues in all of this also is consumer based. In most cases, it takes extra effort to track back the health of code or source components that may be utilized to build systems. These may be stitched together, but could be, once together, increasing the insecurity or risk of operations in certain configurations.  

Put it this way, while the suggestion of a software bill of materials (SBOM) may tell you what is in the box, it does not tell you if the ingredients are good for you. It is only one portion of a chain of decision-support processes that are necessary to build safer and more secure software supply chains. Imagine standing in the cereal aisle at a grocery store, and while you can look at the ingredients between a toasted whole wheat cereal and “sugar bombs,” what appetite are you satisfying chasing one over the other? Technically, the base components of the grains and such within in them may be very close to one another, but if there is more of one bad item (e.g., preservatives or sugar), while it solves the same task of giving you a breakfast, the satisfaction on consumption may be different. The same goes for software development. Pick a quick and dirty “all-in-one” suite that solves problems quickly, but may be opaque as to what is in it and how it was built, or make an artisan selection of bespoke code—you will have a lot of potential work ahead from choosing a turn-key opportunity provided by the former over the latter.” 

Meyers: “There are many. If you are reading this article on a computer of some sort, ask yourself why you trust the chain of software that allows you to read this article. If you have no answer, try to find a little solace in the knowledge that most experts do not have a great answer either. And nobody really knows what they need to do, although software supply chain integrity frameworks like SLSA (Supply chain Levels for Software Artifacts, pronounced “salsa”) are a good start.” 

Nather: “Software is organic and dynamic; it changes faster than humans can follow, as it is the result of human contributions on a worldwide scale. Software challenges cannot be compared directly to a hardware supply chain or a manufacturing line because of these additional complexities. Only with specific expertise can developers and intermediaries know what they need to do, and many developers do not come from the traditional educational pipelines any more. The answer is NOT to rely on consumers to have this expertise to make their own market-driven choices; it is to ensure that security is baked into the software standards, protocols, tools, and automation at scale.” 

Scott: “Writ large, the challenge is identifying and managing an incredible number of rapidly changing relationships that range everywhere from import lines to massive government acquisition contracts. There is a huge range of understanding about and capability to address software supply chain security. If developers, maintainers, vendors, CIOs, and consumers aren’t all on the same page about how to improve supply chain security—let alone provided with sufficient resources to get things moving—there’s going to be progress in some places and awkward lapses elsewhere. For example, GitHub is moving towards universal multi-factor authentication, which will help secure massive amounts of open-source components, but many entities will not even know the degree to which they are relying on and/or contributing to that code, especially at higher organizational levels.” 

#3 How would you describe the state of public-private sector collaboration on securing software supply chains? Compared to where it could be? 

Fernick: “I am optimistic and encouraged by the proactive and collaborative engagement between senior US government officials and the Open-Source Security Foundation (OpenSSF), a cross-industry effort to improve the security of the open-source ecosystem, which I helped to establish with colleagues across the industry in early 2020. The January 2022 White House meeting on Software Security brought together a powerful alliance of public- and private-sector organizations, including OpenSSF, to discuss initiatives to: (1) prevent open-source software security vulnerabilities, (2) improve coordinated vulnerability disclosure, and (3) reduce vulnerability remediation times. In mid-May, we will be returning to Washington, DC with a bold mobilization plan for exactly that; several carefully-defined initiatives that will together help radically improve the security of the world’s most critical open-source software.” 

Koran: “As much as somebody would want to rehash “I’m from the government, I’m here to help” as an opening line, developers and other technicians tend not to like bureaucracy meddling in their creations and orbits, especially if it means more under-resourced work for them to perform. While compliance is also not the best carrot to achieve results either, a hybrid model of standards that can be modeled and accepted as a method to align, much like NIST’s Special Publication series, which both public and private sectors use to get to a reasonable level of assurance. Possibly a similar Commerce Department/NIST-driven guidance that understands scale and complexity, but also operating methods, such as making recommendations support DevOps that can be better integrated. Ensuring that input for this guidance incorporates not only broad industry input and support, but also addresses needs from small- and medium-sized businesses, as well as enterprises. Most regulations and guidance are selectively chosen due to the lack of timely, affordable and manageable actions to comply. In short, “keep it simple, stupid” (KISS) should be the name of the game to have better than average uptake, and note that all of this should also be iterated upon.” 

Meyers: “Nascent, especially when it comes to the security of the open-source software supply chain. Anecdotally, when I worked at In-Q-Tel, a strategic investor for the US intelligence community, many intelligence community staff used to look at me cross-eyed when my colleagues and I would suggest that they should devote their time and resources to open-source software supply chain security. Log4j and the recent White House meeting on open-source software security suggests, however, that the times are changing.” 

Nather: “There have been excellent ad hoc responses to specific events, but we need to create a more repeatable process that includes not just the ‘biggest and loudest’ private sector companies, but also the ones below the Security Poverty Line, which are equally likely to be victimized by software supply chain attacks. For example, the Blackbaud ransomware incident at last count affected over a thousand organizations, many of them nonprofits who provide critical services. Beyond response, we need to create a way for every organization to understand its supply chain risk. SBOMs are a start in this direction, but it is an after-the-fact report at this point, not a demonstration of secure software development practices. Make no mistake: this is not a chain; it is a vast web in which we are all somewhere in the middle.” 

Scott: “There is building momentum in the federal government around software supply chains, and fora like the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative are a good start at bringing industry to the table. Parts of the private sector, too, have recently started pouring a lot of resources into the issue, especially open source, but it is patchwork. Some companies are piling millions of dollars on to the issue, and some are not ready to take seriously how much it affects their security. It is also unfortunate that a lot of that momentum seems a response to recent incidents—I would love to see more proactive security collaboration capitalize on a well-intentioned reaction to compromise. In that vein, expanding the scope of existing public-private partnerships to include industry consumers outside of the usual IT vendors and, regarding open source, the nonprofits, maintainers, repositories, and package managers responsible for a lot of the actual code in question. Continued formalization of those ventures would be great too—supply chain and open-source security need to be ongoing discussions within among all stakeholders in the cyber policy world.” 

More from the Cyber Statecraft Initiative:

Broken trust: Lessons from Sunburst

MARKUP: Our experts annotate Biden’s new executive order on cybersecurity

Buying down risk: Open source software

#4 How can the United States and European Union most effectively contribute to the security of open-source software?  

Fernick: “Coordination among major stakeholders is key, as open-source software is a vast, complex global ecosystem. Our success at securing the supply chain hinges upon having a singular place where representatives from government, the private sector, and open-source software projects alike come together to work on and make impact-prioritized, coordinated investments in things like security audits of critical software, improving vulnerability disclosure and remediation, and coordinating vendor-neutral emergency response teams to support open-source software maintainers in times of security crisis. Piecemeal initiatives and investments cannot comprehensively solve a lifecycle problem like securing the software supply chain—attackers will simply exploit the weakest remaining link.” 

Koran: “Coordinate. There is a number of international organizations that have attempted to bite off various pieces of the open-source security, and software and digital product security, pie. Organizations may be looking at anything from vulnerability disclosure treatments to secure coding practices, but many of them attempt to reinvent their own wheel for their influence areas. Because of that, there is no single or coordinated voice or guidance as to what to do. The community, private sector, and individuals either choose to strike out on their own or pick and choose those pieces of guidance, frameworks, or regulations that may be best suited to them, or, in the worst case, may be the minimum bar in order for their work to comply. While asked how to “contribute”, it does not always mean having to directly provide technical contributions, like code, infrastructure or other bits and bobs; it can mean doing what governments do best, which is to get the right people talking to one another to share information at various levels. That is where they need to start—get on the same page and the right heads sharing knowledge and experiences.” 

Meyers: “While I welcome transatlantic cooperation on open-source software security, each government probably needs to examine its own software supply chain security practices before there can be an open-source software Atlantic Charter.” 

Nather: “Ensure alignment in the standards, practices, regulations, etc. that are being generated. Like everything else in cyber, open-source software development is cross-border, and world-wide coordination is required to ensure security is effective and aligned with the motivations of the open-source project contributors and maintainers. Tracking the dependencies in open-source software and identifying those ‘linchpin’ components that cross a certain threshold of impact would be a good start, as would a coordinated effort to fill resource gaps for software projects that are under-resourced or abandoned.” 

Scott: “Governments can start by recognizing open source as infrastructure—it is everywhere, comprising 70 to 90 percent of many codebases, and it supports a huge part of the innovation and functionality in the digital economy. Ideally, that kind of framing will lead to regular, proactive investment from government alongside industry and help keep a transatlantic approach from getting bogged down by different approaches towards licensing and privacy. Open-source security is much more about how responsibly consumers are using (and tracking their use of) components, contributing to them, and supporting the ecosystem. An infrastructure approach should also help move away from the simple narrative that its maintainers are not getting paid enough—sometimes that is true, and sometimes maintainers have immense corporate support or even work for premiere IT companies. Usage, tooling, and self-knowledge are all hugely important and point to a much broader solution set than throwing money towards developers and hoping they can ‘fix everything.’ 

#5 What single proposal or idea to better secure software supply chains would you like to see Congress pass in the next year? 

Fernick: “In the legislation that it passes, I would like to see Congress work to incentivize companies to work collaboratively with good-faith security researchers who choose to responsibly report security vulnerabilities that they find in software products to the affected vendors, without fear of retribution or legal risk on behalf of the researcher. Many companies still lack the maturity to see good-faith security vulnerability reports for what they are—a free gift, and an actionable opportunity to improve their own products to help protect their customers, and the world, from threat actors.” 

Koran: “There needs to be focus. Most of the directives that have come since the recent change in administration have been merely addressing the federal government rather than the larger sphere. While that is an admirable focus, it is very top down and scoped very small. If Congress is to engage, it needs to be a wider and more comprehensive action where, possibly driven by some federal stewardship, the onus really lives within the community—among developers, private organizations, and individuals. This also should not be a “thou shalt” type of direction, but a way to structure guidance, oversight and engagement. This could possibly be either addressing which government agency or commission has the lead for certain areas, or by establishing something new to subsume a number of critical roles. This is not going to just to address a technical compliance issue, but also governance and sustainment by possibly providing grant-making capabilities, interfaces to the private sector, academia, and international partners. It will also need to be funded. Good ideas without a budget are just good ideas, not actions that can be relied upon for an outcome.” 

Meyers: “The creation of an open-source software security center within the federal government, perhaps within the Department of Homeland Security, seems like a promising first step. This center could help assess and improve the security of the open-source software that the federal government and critical infrastructure relies upon and even contribute to the security of the overall open-source software ecosystem.” 

Nather: “Securing the software supply chain goes beyond just creating secure software, as the Executive Order points out in calling for basic controls such as multi-factor authentication, monitoring and alerting to secure the development, distribution and production environments as well. The underlying problem is still assessing risk and impact, and prompting those conversations among suppliers and consumers. As this is all currently being piloted by the Biden administration, the next logical step would be for Congress to put it in a statutory framework to ensure effective oversight.” 

Scott: “I would love to see Congress stand up offices in government dedicated to open-source security and sustainability. An official office in CISA, even a small one, would provide a clear place for industry and maintainers to turn to and interface with, and the Critical Technology Security Centers would be great outputs to channel grantmaking. Having that formal infrastructure in place would make it much easier to involve developers and maintainers in open-source policy discussions in which they have not been included much yet. It would also help put to rest any lingering misconceptions that open source is inherently less secure than proprietary code or that open source is something that should—or even could—be avoided. Digital infrastructure everywhere depends in large part on open source, so the challenge is not securing or fixing that community or ecosystem—it is figuring out proactive, leveraged investments that government and industry can regularly make in its security.” 

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—Reflections on trusting trust: Securing software supply chains appeared first on Atlantic Council.

The post Nia quoted in Bloomberg on the implications of Elon Musk’s overtaking of Twitter for activists and companies appeared first on Atlantic Council.

The post Nia quoted in the Washington Post on long-term implications of Elon Musk’s control over Twitter appeared first on Atlantic Council.

The post Dagres quoted in Voice of America Persian News Network on human rights and internet freedom in Iran appeared first on Atlantic Council.

On a recent joint Georgetown and Atlantic Council masters’ class, GeoTech Director Dr. David Bray shared his insights on the seminar’s question: “Cybersecurity of Space-Based Assets and Why This Is Important.” This masters’ class also featured GeoTech Fellows and experts Dr. William Jeffrey, Chuck Brooks, and Dr. Divya Chander.

We invite you to watch the informative recording below:

Read more about our expert:

Former fellow

David Bray

Former Distinguished Fellow

GeoTech Center

Economy & Business Technology & Innovation

Former fellow

William Jeffrey

Action Council Member

GeoTech Center

Cybersecurity Defense Industry

Former fellow

Divya Chander

Former Nonresident Senior Fellow

GeoTech Center

Cybersecurity Digital Policy

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Cybersecurity of Space-Based Assets and Why this is Important appeared first on Atlantic Council.

WASHINGTON, DC – MAY 26, 2021 – The Atlantic Council’s bipartisan Commission on the Geopolitical Impacts of New Technologies and Data today released a landmark report proposing recommendations for the US government and like-minded allies on global technology and data development policy.

The report’s recommendations are designed to maintain US and allied leadership in science and technology; ensure the trustworthiness and resilience of physical and IT supply chains, infrastructures, and the digital economy at large; improve global health protection; assure commercial space operations for public benefit; and create a digitally fluent and resilient workforce.

The report was developed over months of intensive study and debate by an esteemed panel of commissioners comprised of senior representatives from Congress, academia, industry, and former officials from recent administrations. Sens. Mark Warner (D-VA) and Rob Portman (R-OH) and Reps. Suzan DelBene (D-WA) and Michael McCaul (R-TX) served as honorary co-chairs of the commission. John Goodman, Chief Executive Officer of Accenture Federal Services, and Teresa Carlson, President and Chief Growth Officer of Splunk, served as co-chairs. The commission was housed within the Atlantic Council’s GeoTech Center, which was launched in 2020 to champion positive paths forward to ensure new technologies and data empower people, prosperity, and peace.

Today’s report comes amid the “GeoTech Decade,” in which new technologies and data capabilities will have an outsized impact on geopolitics, economics, and global governance. However, no nation or international organization has created the appropriate governance structures needed to grapple with the complex and destabilizing dynamics of emerging technologies. As a result, new approaches are required for developing and deploying critical technologies, cultivating human capital, rebuilding trust in domestic and global governance, and establishing norms for international cooperation.

Key recommendations from the report include:

• Global science and technology leadership: Develop a National & Economic Security Technology Strategy
• Secure data and communications: Strengthen the National Cyber Strategy Implementation Plan and accelerate quantum information science technologies operationalization
• Enhanced Trust and Confidence in the Digital Economy: Demonstrate AI improvements to delivery of public- and private-services
• Assured Supply Chains and System Resiliency: Broaden federal oversight of supply chain assurance
• Continuous Global Health Protection and Global Wellness: Launch a global pandemic surveillance and warning system
• Assured Space Operations for Public Benefit: Harden security of commercial space industry facilities and space assets
• Future of Work: Create the workforce for the GeoTech Decade and equitable access to opportunity

“The work of the bipartisan GeoTech Commission was 14 months in the making, representing the consensus of public and private sector leaders on practical steps forward for Congress, the White House, private industry, academia, and like-minded nations,” said Dr. David Bray, director of the Atlantic Council’s GeoTech Center. “The sophisticated, but potentially fragile, data and tech systems that now connect people and nations mean we must incorporate resiliency as a necessary foundational pillar of modern life. It is imperative that we promote strategic initiatives that employ data and tech to amplify the ingenuity of people, diversity of talent, strength of democratic values, innovation of companies, and reach of global partnerships.”

“The U.S. stands at a crossroads. New technologies and ready access to data offer exciting opportunities to tackle the world’s greatest challenges. Yet there are also risks that threaten to undermine peace and prosperity in unanticipated ways,” said John Goodman, CEO of Accenture Federal Services. “For the US and its partners to remain economically competitive and protect national security, we must work together to build trust in the digital fabric of the GeoTech decade. We must act now to invest in these new technologies, to develop and expand our skilled workforce, and to establish norms to ensure that technology emerges as a powerful force for good.”

“The GeoTech Decade impacts all countries, people, communities, and businesses from global safety to security and more,” said Teresa Carlson, President, and Chief Growth Officer at Splunk. “The recommendations in this independent report are necessary for innovation in the years to come. With bi-partisan buy-in from U.S. Congress and top industry leaders, executing on these seven areas will help us combine the data and technologies required for success in this new age.”

“We’re in the midst of a titanic technological shift, from IT modernization to artificial intelligence, as organizations from all industries look to harness the power of data to solve complex challenges,” said Max Peterson, Vice President, Worldwide Public Sector, Amazon Web Services. “Advanced computing systems, faster and higher-bandwidth communications networks, and increasingly sophisticated technologies are digitizing the information around us and transforming the way we live, learn, and do business. Together, government and the private sector should work to ensure we grasp the innovative opportunities before us in ways that promote security, trust, and inclusion.”

Commission on the Geopolitical Impacts of New Technologies and Data

Co-Chairs:
John Goodman, Chief Executive Officer, Accenture Federal Services
Teresa Carlson, President and Chief Growth Officer, Splunk

Honorary Co-Chairs:
Sen. Mark R. Warner (D-VA)
Sen. Rob Portman (R-OH)
Rep. Suzan DelBene (D-WA)
Rep. Michael T. McCaul (R-TX)

Commissioners:
Max R. Peterson II, Vice President, Worldwide Public Sector, Amazon Web Services
Paul Daugherty, Chief Executive – Technology & Chief Technology Officer, Accenture
Maurice Sonnenberg, Guggenheim Securities
Michael Chertoff, Former U.S. Secretary of Homeland Security
Michael J. Rogers, Former Chairman of the U.S. House Permanent Select Committee on Intelligence
Pascal Marmier, Head, Economy of Trust Foundation, SICPA
Ramayya Krishnan, PhD, Director, Block Center for Technology and Society, Carnegie Mellon University
Dr. Shirley Ann Jackson, President, Rensselaer Polytechnic Institute
Susan M. Gordon, Former Principal Deputy Director of National Intelligence
Vint Cerf, Internet Pioneer & “Father of the Internet”
Zia Khan, PhD, Vice President for Innovation, The Rockefeller Foundation
Anthony Scriffignano, PhD, Senior Vice President, Chief Data Scientist at Dun & Bradstreet Corporation
Frances F. Townsend, Executive Vice President, Activision Blizzard
Admiral James Stavridis, USN, Ret.

Executive Director:
David Bray, PhD, Director, GeoTech Center, The Atlantic Council

The Commission on the Geopolitical Impacts of New Technologies and Data was made possible by support from Accenture Federal Services and Amazon Web Services. The report’s full findings and recommendations can be found here.

For media inquiries, please contact press@atlanticcouncil.org.

The post Atlantic Council releases landmark recommendations on the geopolitical impacts of new technologies appeared first on Atlantic Council.

Conclusion

The increasing capabilities and availability of data and new technologies change how nations remain competitive and secure. In the coming GeoTech Decade, data and technology will have a disproportionate impact on geopolitics, global competition, and global opportunities for collaboration as new capabilities may eliminate a technical advantage or may enable new processes superior to current methods. The United States and like-minded nations must be able to adapt and demonstrate effective governance, at faster speeds, in employing data and new technologies to promote a more secure, free, and prosperous world.

In 1945, Vannevar Bush, director of the Office of Scientific Research and Development, transmitted a report, Science – the Endless Frontier, with the goal of answering a few key questions asked by then-President Franklin D. Roosevelt in November 1944. In the report, Bush elaborated:

• “With particular reference to the war of science against disease, what can be done now to organize a program for continuing in the future the work which has been done in medicine and related sciences?
• “What can the Government do now and in the future to aid research activities by public and private organizations?
• “Can an effective program be proposed for discovering and developing scientific talent in American youth so that the continuing future of scientific research in this country may be assured on a level comparable to what has been done during the war?”

Among its recommendations, the 1945 report called for the creation of the National Research Foundation. Bush concluded, noting the importance of action by Congress:

• “Legislation is necessary. It should be drafted with great care. Early action is imperative, however, if this nation is to meet the challenge of science and fully utilize the potentialities of science. On the wisdom with which we bring science to bear against the problems of the coming years depends in large measure our future as a nation.”

Now, almost seventy-six years later, the GeoTech Commission similarly seeks to promote freedom and security through initiatives that employ data and new technologies to amplify the ingenuity of people, diversity of talent, strength of democratic values, innovation of companies, and the reach of global partnerships.

There are several areas where data and technology can help, or hinder, the achievement of these goals:

• Communications and networking, data science, cloud computing
• Artificial intelligence, distributed sensors, edge computing, the Internet of Things
• Biotechnologies, precision medicine, genomic technologies
• Space technologies, undersea technologies
• Autonomous systems, robotics, decentralized energy methods
• Quantum information science, nanotechnology, new materials for extreme environments, advanced microelectronics

To maintain national and economic security and competitiveness in the global economy, the United States and its allies must continue to be preeminent in these key areas, and must achieve trustworthy and assured performance of the digital economy and its infrastructure. The GeoTech Commission provided recommendations in the following seven areas where the United States and like-minded nations must succeed:

• Global science and technology leadership
• Secure data and communications
• Enhanced trust and confidence in the digital economy
• Assured supply chains and system resiliency
• Continuous global health protection and global wellness
• Assured space operations for public benefit
• Future of work

The report’s recommendations embody several ideals. First, work to ensure the benefits of new technologies reach all sectors of society. Second, define protocols and standards for permissible ways to develop and use technologies and data, consistent with the norms of the United States and like-minded nations. Third, guide technology cooperation and sharing with nondemocratic nations based on respecting democratic values.

Just as Vannevar Bush urged in 1945, the United States must create new ways to develop and employ future critical and emerging technologies at speed, cultivate the needed human capital, and establish norms for international cooperation with nations. Such creation requires important action by Congress and the new administration to ensure that the United States has the wisdom with which to apply science to the challenges and opportunities of the coming years. If enacted, the report’s recommendations will enable the United States and like-minded nations to employ data capabilities and new technologies intentionally to promote a freer, more secure, and more prosperous world.

Appendices

Appendix A. Additional readings on identifying and countering online misinformation

Appendix B. Improving the software supply chains and system resiliency for the US government

Appendix C. Advancing a data fabric for achieving continuous global health protection

Appendix D. Additional readings on the history and future of global space governance

Appendix E. Informational GeoTech Center synopses

Appendix F. Additional readings and acronyms

Biographies of the GeoTech Commission co-chairs and commissioners

Co-chairs

John Goodman, Chief Executive Officer, Accenture Federal Services

John Goodman is the Chief Executive of Accenture Federal Services (AFS), which serves clients across all sectors of the US federal government – defense, intelligence, public safety, health, and civilian. Since joining Accenture in 1998, he has held a variety of leadership roles – including managing director of Accenture’s Defense & Intelligence portfolio, head of Management Consulting for the global Public Service Operating Group, and most recently Chief Operating Officer of AFS. John began his career at Accenture as a Member of the Communications & High Technology practice.

Prior to joining Accenture, John served for five years in the federal government as Deputy Under Secretary of Defense (Industrial Affairs & Installations), Deputy Assistant Secretary of Defense (Industrial Affairs), and a member of the staff of the National Economic Council, the White House office responsible for coordination of economic policy. He previously served on the Harvard Business School faculty.

John is co-chair of the Atlantic Council’s GeoTech Commission and member of the boards of both the Atlantic Council and the Northern Virginia Technology Council, as well as a member of the Council on Foreign Relations. He is a member, and the immediate past chair, of the Executive Committee of the Professional Services Council, a former member of the Executive Committee of AFCEA, and the former chairman of the Defense Business Board. John was named Executive of the Year by the Greater Washington Government Contractors in 2018; a Wash100 inductee in 2018, 2019, 2020 and 2021; and a Fed100 Award winner in 2015. He has been awarded the Office of the Secretary of Defense Medal for Exceptional Public Service, the Department of Defense Medal for Distinguished Public Service, and the Department of Defense Medal for Outstanding Public Service.

John received his Bachelor of Arts, summa cum laude, from Middlebury College and his Master of Arts and Ph.D. from Harvard University.

Teresa Carlson, President and Chief Growth Officer, Splunk

As President and Chief Growth Officer at Splunk, Teresa Carlson leads our efforts to align and drive our ongoing business transformations across Splunk’s go-to-market segments. Most recently, Carlson served as Vice President, Worldwide Public Sector and Industries, for Amazon Web Services (AWS). After she founded AWS’s Worldwide Public Sector in 2010, Carlson’s role eventually expanded to include financial services, energy services, telecommunications, and aerospace and services industry business units.

Carlson has also been a strong advocate for empowering women in the technology field. That passion led to the creation of “We Power Tech,” AWS’s diversity and inclusion initiative, which aims to ensure underrepresented groups – including women – are reflected throughout all AWS outreach efforts. Carlson dedicates time to philanthropic and leadership roles in support of the global community. Prior to joining AWS in 2010, Carlson led sales, marketing and business development organizations at Microsoft, Keyfile/Lexign and NovaCare. Carlson holds a B.A. and M.S. from Western Kentucky University.

Honorary co-chairs

Mark R. Warner U.S. Senator from Virginia

Senator Warner was elected to the U.S. Senate in November 2008 and reelected to a third term in November 2020. He serves on the Senate Finance, Banking, Budget, and Rules Committees as well as the Select Committee on Intelligence, where he is the Chairman. During his time in the Senate, Senator Warner has established himself as a bipartisan leader who has worked with Republicans and Democrats alike to cut red tape, increase government performance and accountability, and promote private sector innovation and job creation. Senator Warner has been recognized as a national leader in fighting for our military men and women and veterans, and in working to find bipartisan, balanced solutions to address our country’s debt and deficit.

From 2002 to 2006, he served as Governor of Virginia. When he left office in 2006, Virginia was ranked as the best state for business, the best managed state, and the best state in which to receive a public education.

The first in his family to graduate from college, Mark Warner spent 20 years as a successful technology and business leader in Virginia before entering public office. An early investor in the cellular telephone business, he co-founded the company that became Nextel and invested in hundreds of start-up technology companies that created tens of thousands of jobs.

Senator Warner and his wife Lisa Collis live in Alexandria, Virginia. They have three daughters.

Rob Portman U.S. Senator for Ohio

Rob Portman is a United States Senator from the state of Ohio, a position he has held since he was first elected in 2010. Portman previously served as a U.S. Representative, the 14th United States Trade Representative, and the 35th Director of the Office of Management and Budget (OMB). In 1993, Portman won a special election to represent Ohio’s 2nd congressional district in the U.S. House of Representatives and served six terms before President George W. Bush appointed him as U.S. Trade Representative in May 2005. Portman currently serves as the Ranking Member on the Senate Homeland Security and Governmental Affairs Committee, as well as on the Senate Finance and Foreign Relations Committees. He was born and raised in Cincinnati, where he still lives today with his wife Jane. Together they have three children: Jed, Will, and Sally.

Suzan DelBene. U.S. Congresswoman Representing Washington’s 1st District

Congresswoman Suzan DelBene represents Washington’s 1st Congressional District, which spans from northeast King County to the Canadian border and includes parts of King, Snohomish, Skagit, and Whatcom counties. First sworn into the House of Representatives in November 2012, Suzan brings a unique voice to the nation’s capital with more than two decades of experience as a successful technology entrepreneur and business leader. Suzan takes on a wide range of challenges both in Congress and in the 1st District and is a leader on issues of technology, health care, trade, taxes, environmental conservation, and agriculture.

Suzan currently serves as the Vice Chair on the House Ways and Means Committee, which is at the forefront of debate on a fairer tax code, health care reform, trade deals, and lasting retirement security. She serves on the Select Revenue Measures and Trade Subcommittees. Suzan also serves as Chair of the forward-thinking New Democrat Coalition, which is one of the largest ideological coalitions in the House, and is co-chair of the Women’s High Tech Caucus, Internet of Things Caucus, and Dairy Caucus. She is also a member of the Pro-Choice Caucus.

Over more than two decades as an executive and entrepreneur, she helped to start drugstore.com as Vice President of Marketing and Store Development, and served as CEO and President of Nimble Technology, a business software company based on technology developed at the University of Washington. Suzan also spent 12 years at Microsoft, most recently as corporate vice president of the company’s mobile communications business.

Before being elected to Congress, Suzan served as Director of the Washington State Department of Revenue. During her tenure, she proposed reforms to cut red tape for small businesses. She also enacted an innovative tax amnesty program that generated $345 million to help close the state’s budget gap while easing the burden on small businesses.
Suzan and her husband, Kurt DelBene, have two children, Becca and Zach, and a dog named Reily.

Michael T. McCaul, U.S. Congressman Representing Texas’ 10th District

Congressman Michael T. McCaul is currently serving his ninth term representing Texas’ 10th District in the United States Congress. The 10th Congressional District of Texas stretches from the city of Austin to the Houston suburbs and includes Austin, Bastrop, Colorado, Fayette, Harris, Lee, Travis, Washington and Waller Counties.

At the start of the 116th Congress, Congressman McCaul became the Republican Leader of the Foreign Affairs Committee. This committee considers legislation that impacts the diplomatic community, which includes the Department of State, the Agency for International Development (USAID), the Peace Corps, the United Nations, and the enforcement of the Arms Export Control Act. In his capacity as the committee’s Republican Leader, McCaul is committed to ensuring we promote America’s leadership on the global stage. In his view, it is essential the United States bolsters international engagement with our allies, counters the aggressive policies of our adversaries, and advances the common interests of nations in defense of stability and democracy around the globe. He will continue to use his national security expertise to work to counter threats facing the United States, especially the increasing threat we face from nation state actors such as China, Iran, Russia, North Korea, among others.

Prior to Congress, Michael McCaul served as Chief of Counter Terrorism and National Security in the U.S. Attorney’s office, Western District of Texas, and led the Joint Terrorism Task Force charged with detecting, deterring, and preventing terrorist activity. McCaul also served as Texas Deputy Attorney General under current U.S. Senator John Cornyn, and served as a federal prosecutor in the Department of Justice’s Public Integrity Section in Washington, DC.
A fourth generation Texan, Congressman McCaul earned a B.A. in Business and History from Trinity University and holds a J.D. from St. Mary’s University School of Law. In 2009 Congressman McCaul was honored with St. Mary’s Distinguished Graduate award. He is also a graduate of the Senior Executive Fellows Program of the School of Government, Harvard University. Congressman McCaul is married to his wife, Linda. They are proud parents of five children: Caroline, Jewell, and the triplets Lauren, Michael, and Avery.

Commissioners

Max R. Peterson II, Vice President, Worldwide Public Sector, Amazon Web Services

Max Peterson is Vice President for Amazon Web Services’ (AWS) Worldwide Public Sector. In this role, Max supports public sector organizations as they leverage the unique advantages of commercial cloud to drive innovation among government, educational institutions, health care institutions, and nonprofits around the world.

A public sector industry veteran with thirty years of experience, he has an extensive background in developing relationships with public sector customers. He has previously worked with Dell Inc. as Vice President and General Manager for Dell Federal Civilian and Intelligence Agencies, as well as CDWG and Commerce One.

Max earned both a Bachelor’s Degree in Finance and Master’s of Business Administration in Management Information Systems from the University of Maryland.

Paul Daugherty, Accenture Chief Executive – Technology and Chief Technology Officer

Paul Daugherty is Accenture’s Group Chief Executive – Technology & Chief Technology Officer. He leads all aspects of Accenture’s technology business. Paul is also responsible for Accenture’s technology strategy, driving innovation through R&D in Accenture Labs and leveraging emerging technologies to bring the newest innovations to clients globally. He recently launched Accenture’s Cloud First initiative to further scale the company’s market-leading cloud business and is responsible for incubating new businesses such as blockchain, extended reality and quantum computing. He founded and oversees Accenture Ventures, which is focused on strategic equity investments and open innovation to accelerate growth. Paul is responsible for managing Accenture’s alliances, partnerships and senior-level relationships with leading and emerging technology companies, and he leads Accenture’s Global CIO Council and annual CIO and Innovation Forum. He is a member of Accenture’s Global Management Committee.

Maurice Sonnenberg, Guggenheim Securities

Maurice Sonnenberg has served as an outside advisor to five Presidential Administrations in the areas of international trade, finance, international relations, intelligence, and foreign election monitoring. In 1994 and 1995, he served as a member of the US Commission on Protecting and Reducing Government Secrecy, and from 1996 as the Senior Advisor to the US Commission on the Roles and Capabilities of the US Intelligence Community. He was a member of the President’s Foreign Intelligence Advisory Board under President Bill Clinton for 8 years. In 2002, he was a member of the Task Force of Terrorist Financing for the Council on Foreign Relations. From 2007-2010, he served on the Department of Homeland Security Advisory Council and the Panel Advisory Board for the Secretary of the Navy from 2008-2015. In 2012-14, he served as co-Chairman of the National Commission for the Review of the Research and Development Programs for the Intelligence Community. He has also served as an Official US Observer at elections in Latin America. This includes multiple elections in El Salvador, Guatemala, Nicaragua and Mexico. Sonnenberg has worked at the investment banking firms Donaldson Lufkin and Jenrette, Bear Stearns, and J.P. Morgan, and at the law firms Hunton & Williams, Manatt, Phelps & Phillips. Currently, he is with Guggenheim Securities as Senior International Advisor. He is also a Senior Advisor to the Advanced Metallurgical Group, N.V.

Michael Chertoff, Former U.S. Secretary of Homeland Security

Michael Chertoff is the Executive Chairman and Co-Founder of The Chertoff Group. From 2005 to 2009, he served as Secretary of the U.S. Department of Homeland Security. Earlier in his career, Mr. Chertoff served as a federal judge on the U.S. Court of Appeals for the Third Circuit and head of the U.S. Department of Justice’s Criminal Division. He is the Chairman of the Board of Directors of BAE Systems, Inc., the U.S.-based subsidiary of BAE Systems plc. In 2018, he was named the chairman of the Board of Trustees for Freedom House. He currently serves on the board of directors of Noblis and Edgewood Networks. In the last five years, Mr. Chertoff co-chaired the Global Commission in Stability of Cyberspace and also co-chairs the Transatlantic Commission on Election Integrity. Chertoff is magna cum laude graduate of Harvard College and Harvard Law School.

Michael J. Rogers, Former Chairman of the U.S. House Permanent Select Committee on Intelligence

Mike Rogers is a former member of Congress, where he represented Michigan’s Eighth Congressional District for seven terms. While in the U.S. House of Representatives, he chaired the powerful House Permanent Select Committee on Intelligence (HPSCI), authorizing and overseeing a budget of $70 billion that funded the nation’s seventeen intelligence agencies. Mr. Rogers built a legacy as a bipartisan leader on cybersecurity, counterterrorism, intelligence, and national security policy. Mr. Rogers worked with two presidents, congressional leadership, and countless foreign leaders, diplomats, and intelligence professionals. Before joining Congress, he served as an officer in the US Army and as a Special Agent with the FBI. He is currently investing in and helping build companies that are developing solutions for healthcare, energy efficiency, and communications challenges. He also serves as a regular national security commentator on CNN and hosted the channel’s documentary-style original series Declassified. Mr. Rogers is a regular public speaker on global affairs, cybersecurity, and leadership. He is married to Kristi Rogers and has two children.

Pascal Marmier, Head, Economy of Trust Foundation, SICPA

Pascal Marmier is head of SICPA’s Economy of Trust Foundation. Most recently, Marmier held several positions in the United States within Swiss Re, a global reinsurer, focusing on digital strategy and innovation management. Previously, he spent twenty years as a Swiss diplomat as one of the early leaders of the Swissnex network, a private–public partnership dedicated to facilitating collaboration with Swiss universities, startups, and corporations in all fields related to science, technology, and innovation. After spending a decade establishing key partnerships and activities in Boston, Marmier moved to China to establish the Swissnex platform in the region. He holds law degrees from the University of Lausanne and Boston University, as well as an MBA from the MIT Sloan School of Management.

Ramayya Krishnan, PhD, Director, Block Center for Technology and Society, Carnegie Mellon University

Ramayya Krishnan is the W. W. Cooper and Ruth F. Cooper Professor of Management Science and Information Systems at Carnegie Mellon University. He is Dean of the H. John Heinz III College of Information Systems and Public Policy and directs the Block Center for Technology and Society at the university. His scholarly contributions have focused on mathematical modeling of organizational decision making, the design of data driven decision support systems and statistical models of consumer behavior in digital environments. He advises governments, businesses and development banks on digital transformation technology and its consequences.

Dr. Shirley Ann Jackson, President, Rensselaer Polytechnic Institute

The Honorable Shirley Ann Jackson, Ph.D., has served as the 18th president of Rensselaer Polytechnic Institute since 1999. A theoretical physicist described by Time Magazine as “perhaps the ultimate role model for women in science,” Dr. Jackson has held senior leadership positions in academia, government, industry, and research. She is the recipient of many national and international awards, including the National Medal of Science, the United States’ highest honor for achievement in science and engineering. Dr. Jackson served as Co-Chair of the United States President’s Intelligence Advisory Board from 2014 to 2017 and as a member of the President’s Council of Advisors on Science and Technology from 2009 to 2014. Before taking the helm at Rensselaer, she was Chairman of the U.S. Nuclear Regulatory Commission from 1995 to 1999. She serves on the boards of major corporations that include FedEx and PSEG, where she is Lead Director.

Dr. Jackson holds an S.B. in Physics, and a Ph.D. in Theoretical Elementary Particle Physics, both from MIT.

Susan M. Gordon, Former Principal Deputy Director of National Intelligence

The Honorable Susan (Sue) M. Gordon served as Principal Deputy Director of National Intelligence from August 2017 until August 2019. In her more than three decades of experience in the IC, Ms. Gordon served in a variety of leadership roles spanning numerous intelligence organizations and disciplines, including serving as the Deputy Director of the National Geospatial-Intelligence Agency (NGA) from 2015 to 2017. In this role, she drove NGA’s transformation to meet the challenges of a 21st century intelligence agency. Since leaving government service, Ms. Gordon serves on a variety of public and private boards, is a fellow at Duke and Harvard Universities, and consults with a variety of companies on technology—including cyber and space—strategy, and leadership, focusing on shared responsibility for national and global security.

Vint Cerf

Vinton G. Cerf is vice president and Chief Internet Evangelist for Google. Cerf is the codesigner of the TCP/IP protocols and the architecture of the Internet. He has served in executive positions at the Internet Corporation for Assigned Names and Numbers, the Internet Society, MCI, the Corporation for National Research Initiatives, and the Defense Advanced Research Projects Agency. A former Stanford Professor and member of the National Science Board, he is also the past president of the Association for Computing Machinery and serves in advisory capacities at the National Institute of Standards and Technology, the Department of Energy, and the National Aeronautics and Space Administration. Cerf is a recipient of numerous awards for his work, including the US Presidential Medal of Freedom, US National Medal of Technology, the Queen Elizabeth Prize for Engineering, the Prince of Asturias Award, the Tunisian National Medal of Science, the Japan Prize, the Charles Stark Draper Prize, the ACM Turing Award, the Legion d’Honneur, the Franklin Medal, Foreign Member of the British Royal Society and Swedish Academy of Engineering, and twenty-nine honorary degrees. He is a member of the Worshipful Company of Information Technologists and the Worshipful Company of Stationers.

Zia Khan, PhD, Vice President for Innovation, The Rockefeller Foundation

As Senior Vice President for Innovation, Zia Khan oversees the Rockefeller Foundation’s approach to developing solutions that can have a transformative impact on people’s lives through the use of convenings, data and technology, and strategic partnerships. He writes and speaks frequently on leadership, strategy, and innovation. Khan has served on the World Economic Forum Advisory Council for Social Innovation and the US National Advisory Board for Impact Investing. He leads a range of the Rockefeller Foundation’s work in applying data science for social impact and ensuring artificial intelligence contributes to an inclusive and equitable future.

Prior to joining the Rockefeller Foundation, Khan was a management consultant advising leaders in technology, mobility, and private equity sectors. He worked with Jon Katzenbach on research related to leadership, strategy, and organizational performance, leading to their book, Leading Outside the Lines.

Zia holds a BS from Cornell University and MS and PhD from Stanford University.

Anthony Scriffignano, PhD, is Senior Vice President, Chief Data Scientist at Dun & Bradstreet Corporation

Anthony Scriffignano, PhD is Senior Vice President, Chief Data Scientist at Dun & Bradstreet Corporation. He is an internationally recognized data scientist with experience spanning over forty years in multiple industries and enterprise domains. Scriffignano has extensive background in advanced anomaly detection, computational linguistics and advanced inferential algorithms, leveraging that background as primary inventor on multiple patents worldwide. Scriffignano was recognized as the U.S. Chief Data Officer of the Year 2018 by the CDO Club, the world’s largest community of C-suite digital and data leaders. He is also a member of the OECD Network of Experts on AI working group on implementing Trustworthy AI, focused on benefiting people and the planet. He has briefed the US National Security Telecommunications Advisory Committee and contributed to three separate reports to the president, on Big Data Analytics, Emerging Technologies Strategic Vision, and Internet and Communications Resilience. Additionally, Scriffignano provided expert advice on private sector data officers to a group of state Chief Data Officers and the White House Office of Science and Technology Policy. Scriffignano serves on various advisory committees in government, private sector, and academia. Most recently, he has been called upon to provide insight on data science implications in the context of a highly disrupted datasphere and the implications of the global pandemic. He is considered an expert on emerging trends in advanced analytics, the “Big Data” explosion, artificial intelligence, multilingual challenges in business identity and malfeasance in commercial and public-sector contexts.

Frances F. Townsend, Executive Vice President, Activision Blizzard

Frances Fragos Townsend is the Executive Vice President of Corporate Affairs, Chief Compliance Officer and Corporate Secretary at Activision Blizzard. Prior to that, she was Vice Chairman, General Counsel and Chief Administration Officer at MacAndrews & Forbes, Inc. In her 10 years there, she focused internally on financial, legal and personnel issues, as well as international, compliance and business development across MacAndrews’ portfolio companies. Prior to that, she was a corporate partner with the law firm of Baker Botts, LLP. From 2004 to 2008, Ms. Townsend served as Assistant to President George W. Bush for Homeland Security and Counterterrorism and chaired the Homeland Security Council. She also served as Deputy National Security Advisor for Combatting Terrorism from 2003 to 2004. Ms. Townsend spent 13 years at the US Department of Justice under the administrations of President George H. W. Bush, President Bill Clinton and President George W. Bush. She has received numerous awards for her public service accomplishments. Ms. Townsend is a Director on the Board of two public companies: Chubb and Freeport McMoRan. She previously served on the Boards at Scientific Games, SciPlay, SIGA and Western Union. She is an on-air senior national security analyst for CBS News. Ms. Townsend previously served on the Director of National Intelligence’s Senior Advisory Group, the Central Intelligence Agency’s (CIA) External Advisory Board and the US President’s Intelligence Advisory Board. Ms. Townsend is a trustee on the Board of the New York City Police Foundation, the Intrepid Sea, Air & Space Museum, the McCain Institute, the Center for Strategic and International Studies (CSIS) and the Atlantic Council. She also serves on the Board at the Council on Foreign Relations, on the Executive Committee of the Trilateral Commission and the Board of the International Republican Institute. She is a member of the Aspen Strategy Group.

Admiral James Stavridis, USN, Ret.

Admiral James Stavridis is an Operating Executive of The Carlyle Group and Chair of the Board of Counselors of McLarty Global Associates, following five years as the 12th Dean of The Fletcher School of Law and Diplomacy at Tufts University. He also serves as the Chairman of the Board of the Rockefeller Foundation. A retired four-star officer in the U.S. Navy, he led the North Atlantic Treaty Organization (NATO) Alliance in global operations from 2009 to 2013 as Supreme Allied Commander with responsibility for Afghanistan, Libya, the Balkans, Syria, counter piracy and cyber security. He also served as Commander of U.S. Southern Command, with responsibility for all military operations in Latin America from 2006 to 2009. He earned more than 50 medals, including 28 from foreign nations in his 37-year military career. Admiral Stavridis earned a PhD in international relations and has published 10 books and hundreds of articles in leading journals around the world, including the recent novel “2034: A Novel of the Next World War,” which was a New York Times bestseller. His 2012 TED Talk on global security has close to one million views. Admiral Stavridis is a monthly columnist for TIME Magazine and Chief International Security Analyst for NBC News.

Biographies of supporting Atlantic Council staff

Dr. David A. Bray, Director, GeoTech Center, Atlantic Council

Dr. David A. Bray has served in a variety of leadership roles in turbulent environments, including bioterrorism preparedness and response from 2000 to 2005, time on the ground in Afghanistan in 2009, serving as a non-partisan Senior National Intelligence Service Executive directing a bipartisan National Commission for the Review of the Research and Development Programs of the US Intelligence Community, and providing leadership as a non-partisan federal agency Senior Executive where he led a team that received the global CIO 100 Award twice in 2015 and 2017. He is an Eisenhower Fellow, Marshall Memorial Fellow, and Senior Fellow with the Institute for Human & Machine Cognition. Business Insider named him one of the top “24 Americans Who Are Changing the World” and the World Economic Forum named him a Young Global Leader. Over his career, he has advised six different start-ups, led an interagency team spanning sixteen different agencies that received the National Intelligence Meritorious Unit Citation, and received the Joint Civilian Service Commendation Award, the National Intelligence Exceptional Achievement Medal, Arthur S. Flemming Award, as well as the Roger W. Jones Award for Executive Leadership. He is the author of more than forty academic publications, was invited to give the AI World Society Distinguished Lecture to the United Nations in 2019, and was named by HMG Strategy as one of the Global “Executives Who Matter” in 2020.

Dr. Peter Brooks, Consultant, GeoTech Center, Atlantic Council

Peter Brooks is a senior researcher and national security analyst at the Institute for Defense Analyses, a federally funded research and development center. For more than three decades, he has contributed to the understanding of critical national security issues for a wide range of government agencies. His broad expertise includes intelligence analysis, advanced technologies and applications, and joint force analyses, experimentation, strategy, and cost assessments.

Stephanie Wander, Deputy Director, GeoTech Center, Atlantic Council

Stephanie Wander is a technology and innovation strategist with a successful track record of launching large-scale projects to solve global grand challenges. Ms. Wander’s approaches integrate innovation best practices and mindsets, including design thinking, behavior change strategies, foresight techniques, and expert and public crowdsourcing.

Previously, Ms. Wander was a lecturer at the University of Southern California Suzanne Dworak-Peck School of Social Work where she taught graduate social work professionals in design, innovation, and disruptive technology.

Rose Butchart, Senior Adviser, National Security Initiatives, GeoTech Center, Atlantic Council

Rose Butchart is the senior adviser for National Security Initiatives at the Atlantic Council’s GeoTech Center.

As a program manager for the Department of Defense’s National Security Innovation Network, she managed, designed, and scaled a variety of programs, including a technology, transfer, and transition (T3) program designed to bring breakthrough Department of Defense lab technology to market— and to the warfighter. She also managed a workshop series to tackle some of the military’s intractable problems and a fellowship which placed active duty military and Department of Defense civilians at technology start-ups.

Claudia Vaughn Zittle, Program Assistant, Atlantic Council GeoTech Center

Claudia Vaughn Zittle was a program assistant with the Atlantic Council’s GeoTech Center. In this role, she managed a wide range of projects at the intersection of emerging technologies and dynamic geopolitical landscapes. She also conducted research and provided written analysis for publication on Atlantic Council platforms.

Originally from the Washington, DC, area, she received her BA in International Relations from Cornell College. She is continuing her education at American University’s School of International Service, where she studies International Relations with a concentration in US Foreign Policy and National Security.

Claire Branley, Program Assistant, Atlantic Council GeoTech Center

Claire Branley joined the Atlantic Council’s Geotech Center after graduating from the University of Washington with a BS in Public Health and Global Health. She was a research assistant in the Moussavi-Harami Lab, uncovering gene therapies for inherited heart disease. She is deeply passionate about the prevention of disease and has assisted several maternal and child health research projects and volunteered in farm-to-food pantry initiatives to decrease food insecurity in the Seattle area. Her interests include chronic disease burden, global food security, and promoting interdisciplinary solutions.

Biographies of the key contributors to the GeoTech Commission Report

Research and writing on misinformation

Dr. Pablo Breuer, Nonresident Senior Fellow, GeoTech Center, Atlantic Council

Dr. Pablo Breuer is an information/cyber warfare expert and a twenty-two-year veteran of the US Navy with tours including the National Security Agency, US Cyber Command, and United States Special Operations Command. He is a cofounder of the Cognitive Security Collaborative and coauthor of the Adversarial Misinformation and Influence Tactics and Techniques (AMITT) framework.

Dr. Robert Leonhard, National Security Analysis, Johns Hopkins University Applied Physics Laboratory

Robert Leonhard is on the principal professional staff as an analyst in the National Security Analysis Department of Johns Hopkins University’s Applied Physics Laboratory (JHU/APL). His main areas of focus are irregular warfare, nuclear deterrence, and game design. Prior to joining JHU/APL, he earned a PhD in American History from West Virginia University, a Master of Military Arts and Sciences from the US Army, an MS in International Relations from Troy State University, and a BS in European History from Columbus University. He is a retired Army infantry officer and planner. He is the author of The Art of Maneuver (Presidio Press, 1991), Fighting by Minutes: Time and the Art of War (Praeger, 1994), The Principles of War for the Information Age (Presidio Press, 1998), Little Green Men: a primer in Russian Unconventional Warfare, Ukraine 2013-2014 (JHUAPL, 2016), and The Defense of Battle Position Duffer: Cyber-Enabled Maneuver in Multi-Domain Battle (JHUAPL, 2016). He may be contacted at Robert.Leonhard@jhuapl.edu.

John Renda, Program Manager, Army Special Operations, Johns Hopkins University Applied Physics Laboratory

Col. John Renda, USA (Ret), is a program manager for Army Special Operations at the Johns Hopkins University’s Applied Physics Laboratory. He graduated from Tulane University with a degree in Political Science and International Relations, and earned a MS in National Security from the US Naval War College. He served as a career Psychological Operations officer in US Army Special Operations. His key assignments included 75th Ranger Regiment Information Operations Officer, 1st Psychological Operations Battalion Commander, United States Special Operations Command (USSOCOM) Director J39 National Capital Region, and National Security Council Staff, Director for Strategic Communication. He may be contacted at john.renda@jhuapl.edu.

Dr. Sara-Jayne Terp, Nonresident Senior Fellow, GeoTech Center, Atlantic Council

Sara-Jayne Terp builds frameworks to improve how autonomous systems, algorithms, and human communities work together. At Threet Consulting, she creates processes and technologies to support community-led disinformation defence. She is an Atlantic Council Senior Fellow, CogSecCollab lead, and chair at CAMLIS and Defcon AI Village. Her background includes intelligence systems, crowdsourced data gathering, autonomous systems (e.g., human-machine teaming), data strategy, data ethics, policy, nation state development, and crisis response.

Appendix B

Stewart Scott, Assistant Director, GeoTech Center, Atlantic Council

Stewart Scott is an assistant director with the Atlantic Council’s GeoTech Center, where he conducts research and provides written analysis for publication on Atlantic Council platforms and works on joint projects with other centers in the Atlantic Council. He earned his AB, along with a minor in Computer Science, at the School of Public and International Affairs at Princeton University.

We would also like to thank the following members of the Atlantic Council’s Cyber Statecraft Initiative for their contributions to Appendix B: Trey Herr, Simon Handler, Madison Lockett, Will Loomis, Emma Schroeder, and Tianjiu Zuo.

Appendix C and writings on global health

Dr. Divya Chander, Nonresident Senior Fellow, GeoTech Center, Atlantic Council

Dr. Chander is a physician and neuroscientist who trained at Harvard, University of California San Diego, University of California San Francisco, and the Salk Institute. She has been on the Anesthesiology Faculty at Stanford University since 2008 and Neuromedicine Faculty at Singularity University since 2010. Her postdoctoral training in optogenetic technology was conducted in the laboratories of Karl Deisseroth and Luis de Lecea at Stanford University, where she used light-activated ion channels inserted in DNA to study sleep and consciousness switches in brains. She is currently working on applications of neural wearable devices to crossover consumer and medical markets.

Appendix D

Inkoo Kang, Research Consultant, GeoTech Center, Atlantic Council

US Air Force 2nd Lt. Inkoo Kang is a research consultant for the Atlantic Council’s GeoTech Center. At the Atlantic Council, he conducts research and provides written analyses on the increasingly important role of outer space for social, economic, and military operations. His main interest focuses on how emerging technologies are merging military, diplomatic, humanitarian, and economic challenges and how the military must learn to adapt to such threats.

Appendix E

Borja Prado, Research Assistant, GeoTech Center Atlantic Council

Borja Prado holds an MS in Foreign Service (MSFS) from Georgetown University, where he concentrated in Global Politics and Security, focusing on the impact of disruptive technologies on governments, businesses, and societies.

He aims to apply his research experience, language skills, and strong background in technology and global affairs to help governments, businesses, and societies succeed in this increasingly uncertain era.

Acknowledgements

We would like to thank the following members of the Commission Co-Chair teams for their assistance, expertise, and technical review of the report:

• Stoney Burke, Head of Federal Affairs and Public Policy, Amazon Web Services
• Ira Entis, Managing Director, Growth and Strategy Lead, Accenture Federal Services
• Geoffrey Kahn, Managing Director, Government Relations, Accenture
• Pamela Merritt, Managing Director, Federal Marketing and Communications, Accenture Federal Services
• Davis Pace, Professional Staff Member, House Foreign Affairs Committee
• Sean Sweeney, Manager, Government Relations, Accenture
• Clayton Swope, Senior Manager, National Security Public Policy, Amazon Web Services
• Carolyn Vigil, Senior Customer Engagement Manager, Amazon Web Services

We would like to acknowledge the following individuals for their review and commentary on relevant sections of the report: Laura Bate, Natalie Barrett, Pablo Breuer, Mark Brunner, Mung Chiang, Kevin Clark, Donald Codling, Carol Dumaine, Ryan G. Faith, Melissa Flagg, James F. Geurts, Jasper Gilardi, Bob Gourley, Bob Greenberg, Simon Handler, Henry Hertzfeld, Robert Hoffman, Erich James Hösli, Diane M. Janosek, William Jeffrey, Charles Jennings, Declan Kirrane, John J. Klein, Sandra J. Laney, John Logsdon, Robert Lucas, Lauren Maffeo, Jerry Mechling, Ivan Medynskyi, Ben King, Ben Murphy and the team at Reaching the Future Faster LLC, James Olds, Nikhil Raghuveera, Matthew Rose, Benjamin Schatz, Emma Schroeder, Jeremy Spaulding, Keith Strier, Daniella Taveau, Trent Teyema, Bill Valdez, and Tiffany Vora.

We also would like to express sincere appreciation to individuals both internal and external to the Atlantic Council for help in preparing this report for final publication. Their professional and dedicated efforts were essential to this work.

Lastly, we want to thank all the GeoTech Fellows and GeoTech Action Council members, each of whom embodies the spirit of the new Center as we look to the future ahead: Be bold. Be Brave. Be Benevolent.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Conclusion, appendices, and acknowledgements appeared first on Atlantic Council.

While this report has focused on the technological changes that will impact geopolitics over the next decade, the recommendations contained within will be meaningless if the United States and allied nations ignore the most important ingredient in the success or failure of all endeavors: people. Developing a digitally fluent and resilient workforce that can meet the challenges of the GeoTech Decade will require private and public sectors to pursue several approaches. These include a broadened view of technical competencies and how they are acquired, improved alignment of skills and job requirements, incentives for employer-based training, and data collection to help assess the effectiveness of these investments and their effects on workers. Ensuring that people, especially people from underrepresented communities, are not left behind by the advance of technology—and that societies have the skilled workforces they need to innovate and prosper—will determine whether the GeoTech Decade lives up to its ambition.

From artificial intelligence (AI) to quantum computing, and for applications ranging from augmented reality to smart cities and communities,¹ the technologies that will shape the GeoTech Decade require specialized investments in the US workforce.² Shifting from the “findings and recommendations” format of the previous chapters, this closing chapter discusses key areas needing greater focus and investment from businesses, governments, educational institutions, and stakeholder organizations, as follows.

Create the workforce for the GeoTech Decade

Recognize the diverse competencies that characterize skilled technical workers

Diverse competencies include academic credentials, technical competencies in an industry, and technical competencies in a specific occupation, plus “soft skills” that make for reliable and collegial employees.³ Job descriptions should consider the value of all sources of relevant experience and ability.

Communicate the breadth of pathways for gaining skilled technical work 

Given the current focus on a college degree being a prerequisite to desirable, skilled technical jobs, the workforce should be better informed about the variety of skilled technical occupations, the different ways of acquiring credentials, e.g., college certificates, professional certifications, professional licenses, and digital badges and how such credentials allow more points of entry into desired occupations.

Strengthen skilled technical training and education

Secondary school: Career and technical education (CTE) programs⁴ enable the acquisition of STEM education combined with work experience that teaches technical skills relevant to specific professions. CTE programs can be enhanced through active participation and guidance provided by representatives from local businesses. This could help ensure that the skills training is better matched with employer needs and requirements. The P-TECH program, now operating schools in eleven US states, Australia, Morocco, and Taiwan, is another model for building regional workforces with the needed technical skills and for providing underserved youths with opportunities for gaining relevant technical skills.⁵

Post-secondary school: There are 936 public community colleges in the United States,⁶ representing a nationwide resource for improving the technical skills of the current and future workforce. According to a Community College Resource Center analysis, “6.7 million students were enrolled at community colleges in fall 2017, and nearly 10 million students enrolled at a community college at some point during the 2017-18 academic year. Yet, the overall percent of community college enrollees in 2014 that completed a college degree at a four-year institution within six years is 17 percent.”⁷ Increasing this completion rate through financial incentives and investments could increase the number and qualifications of the technically skilled workforce in the United States.

Non-college credentials: The value to the worker and the employer of non-college degree certification programs—apprenticeships, certifications, certificate programs—could be improved by better linking them to established, defined technical workforce competencies. Improved standards and data on the effectiveness of these credentials will help workers and employers determine the value of these credentials and enable more informed choices for skills training.

Alternative sources of skilled workers: A recent study⁸examined the prevailing practice of a four-year college degree being a prerequisite for skilled jobs. The analysis identified large populations of workers with suitable skills but who did not have a college degree. Of these, the analysis showed that twenty-nine million have skills that would enable them to transition to an occupation with a significantly higher wage. These results suggest that job descriptions should be carefully specified so as to reach the largest qualified talent pool.

Better align employer-based training with needs

Business incentives: Incentives for employers to invest in improving workforce technical skills should help a company remain competitive. The investments would align the employer’s needs for technically skilled workers and the training and education that is offered. One approach could be based on tax incentives for increasing investment in workforce skill development to increase productivity.”⁹

Technology development and training: Workforce organizations can play a role in effectively communicating, between employers and the workforce, issues concerning needed technical skills and the mechanisms and policies being used to manage these requirements. To accelerate identifying and acquiring future technical skills needed by the workforce, technology development programs could also create a training program for the skills associated with using the new technology in a product. This can shorten the link between technology development and the training of workers.

Acquire and analyze human capital development and management data

Human capital development and management data should address projections of the supply and demand for workers according to categories of technical skills, results of the search and hiring process, and how well the employer’s needs were satisfied. The data also should inform how well the training policies provided equitable access to skills training across the workforce.

These data should enable analyses of the expected value of different options for skills education and training for workers, the return on the investment of workforce training for businesses, and options for adjusting workforce training policies.

Foster lifelong learning

The pace at which advanced technology is changing the workplace and the skills needed to maintain a competitive economy makes lifelong learning imperative. Individuals should be able to guide their training and education throughout their working years.

To accomplish this on a national scale will require effort to craft incentives that motivate individuals to embrace this approach. Important elements may involve information on the value of continuing educational programs and the job opportunities that are enabled, funding mechanisms to lower the cost to the individual, and strategies developed with businesses that specify how continuing learning enhances an individual’s work prospects.

To guide individual choices, new tools can facilitate gathering and synthesizing the complex array of information on skills, occupations, training opportunities, and assessments of their value. The tools can also help the individual identify and secure funding from available sources, and help government funding sources be applied efficiently to this long-term challenge.

Equitable access to opportunity

The United States needs to ensure equitable access to opportunity during the GeoTech Decade. From access to affordable broadband to digital literacy, governments and the private sector need to make significant investments and work together to reduce barriers to full participation in the economy.

Access to affordable, high-speed Internet and devices to use it

Ensuring that all people can participate in the GeoTech Decade requires a commitment to equitable access to affordable, high-speed Internet. Millions do not have high-speed broadband, particularly in rural areas.¹⁰ What is more, many with access to high-speed broadband are still unable to afford the high cost of Internet and the devices needed to access it.¹¹ Lack of access and affordability perpetuates systemic inequities. 

While Congress has made significant investments in broadband since the onset of the COVID-19 pandemic, more remains to be done. The Emergency Broadband Benefit Program has helped low-income households afford broadband during the pandemic.

Acquiring digital literacy

Digital literacy, the ability to find, evaluate, utilize, and create information using digital technology, is becoming an essential skill for every individual. Digital literacy is an important element in eliminating a digital divide among nations and within a society. It complements affordable, high-speed Internet access by enabling people to develop and communicate local content, to communicate their issues and concerns, and to help others understand the context in which these issues occur.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Future of work appeared first on Atlantic Council.

The growing commercial space industry enables ready access to advanced space capabilities for a broader group of actors. To maintain trusted, secure, and technically superior space operations, the United States must ensure it is a leading provider of needed space services and innovation in launch, on-board servicing, remote sensing, communications, and ground infrastructures. A robust commercial space industry not only enhances the resilience of the US national security space system by increasing space industrial base capacity, workforce, and responsiveness, but also further advances a dynamic innovative environment that can bolster US competitiveness across existing industries, while facilitating the development of new ones.

As smaller satellites become more capable, large constellations of government and commercial platforms could increase space mission assurance and deterrence by “eliminating mission critical, single-node vulnerabilities and distributing space operations across hosts, orbits, spectrum, and geography.”¹ Advances in commercial space also enable exploring our planet’s oceans, monitoring for climate change-related risks, and mapping of other parts of our solar system.

The fast-growing critical dependence on space for national security, the global economy, and public-benefit interests makes assured space operations essential for ensuring a more free, secure, and prosperous world.

Finding 6: The US commercial space industry can increase its role in supporting national security.

The National Space Strategy² includes four areas of emphasis: resilience, deterrence, foundational capabilities, and more conducive domestic and international environments. It envisions improved leverage of, and support for, the US commercial industry. The Defense Space Strategy Summary³ highlights that the rapidly growing commercial space industry is introducing new capabilities as well as new threats to US space operations. A main effort in this strategy is to cooperate with industry and other actors to leverage their capabilities.

“Space Policy Directive-2—Streamlining Regulations on Commercial Use of Space,” provides support for the US commercial space industry.⁴ In support of the overall policy of the executive branch to promote economic growth, protect national security, and encourage US leadership in space commerce, the directive requires reviews of the launch and reentry licensing for commercial space flight, the Land Remote Sensing Policy Act of 1992, the Department of Commerce’s organization of its regulation of commercial space flight activities, radio frequency spectrum, and export licensing regulations.⁵

The Government Accountability Office’s (GAO’s) report on the Department of Defense’s (DoD’s) use of commercial satellites⁶ describes several potential benefits of including more responsive delivery of capabilities to space and increasing deterrence and resilience due to the larger number and distribution of commercial constellations of satellites.

Finding 6.1: Large constellations of small satellites are being developed.

The development of small satellites enables the proliferation of very large constellations of satellites. For example, several companies are currently planning constellations of communications satellites comprising an aggregate deployment of several thousand satellites in low Earth orbit (LEO). In total, the communications capacities could exceed tens of terabytes. This enables low-latency, high-bandwidth communications to any region, bringing valuable educational opportunities to underserved populations, and supporting new data-intensive communications in advanced countries.⁷ Small Earth observation satellites are being deployed in constellations of hundreds of platforms by several companies. These can produce global coverage with revisit intervals ranging from minutes to hours. Several types of sensors are being deployed including electro-optical, synthetic aperture radar, and radio signal collection.⁸ Companies in the United States, Europe, Russia, and China are actively pursuing these new capabilities.⁹

The ability to image any area, and to communicate with any area, will become commercially available to any individual, group, or government. Coupled with access to cloud computing and big data analytics, innovations will occur in many fields, e.g., precise, real-time weather and soil condition data for farmers to increase yield, ship tracking to aid logistics, indicators of disease spread to inform a pandemic observation network, and the like.

Large constellations may also contribute to deterrence. The larger number of platforms operating in conjunction with major military satellites may make the entire constellation more resilient.

The commercial space industry is developing satellite servicing capabilities. This helps extend the operating life of each satellite, though the ability to operate near another satellite is viewed negatively by adversaries.

Finding 6.2: There is increasing focus on cybersecurity for commercial space systems.

The “Space Policy Directive 5”¹⁰ specifies the US policy for managing risks¹¹ to the growth and prosperity of its commercial space economy is to rely on “executive departments and agencies to foster practices within Government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats and ensure continuity of operations.” Several cybersecurity principles provide the foundation for these efforts, though the directive expects space system owners and operators to be responsible for implementing cybersecurity practices and does not address enforcement actions. No timeline for the development of regulations is provided.

Finding 6.3: The UN Outer Space Treaty (OST) requires interpretation to determine when emerging commercial space platforms become targets.

The growth in the commercial satellite industry will lead to lower-cost satellites with advanced sensors, communications, on-board computation, and security capability. Over time, each small satellite, when operated in large constellations, could be more useful for military purposes.

A key determinant in the application of the UN OST to the question of whether the military can use commercial satellites is “whether the commercial satellite is actively making a contribution to military action.”¹² For example, if the military is using a commercial communications satellite to relay its messages, the UN OST does not view the communications satellite as a military target. Full consideration of the treatment of dual-use commercial satellites is not settled and will evolve as more nations participate in the commercial space industry.¹³ Yet, because nations like China and Russia already target (terrestrial) commercial networks as part of their computer network exploitation campaigns, it stands to reason that they will not necessarily recognize a distinction between commercial and military satellite targets.

Finding 6.4: The development of constellations of small satellites beneficial to the military may require government support.

Commercially viable capabilities in small satellites are advancing, but may not be sufficient for some military needs at this time.  For example, the resolution of an electro-optical sensor for surveilling traffic is not useful for target identification, though it may be useful for tracking troop movements. A balanced policy would require the government to focus on the more exquisite capabilities that only it can provide, while relying on the commercial sector to meet other requirements.  The government can also do more to send a signal to the markets that it supports these constellations and their capabilities by purchasing commercial data and services, thereby helping to ensure a strong commercial industrial base.

Finding 6.5: Government support for commercial space activities can be strengthened.

The growth of the commercial space industry occurring in several major countries¹⁴ requires a review of US commercial space policy¹⁵ as the roles of government and commercial industry change in key areas. The National Aeronautics and Space Administration (NASA) is establishing a wholly commercial capability to land humans on the moon (from lunar orbit), in contrast with the prior approach of government control of human spaceflight.¹⁶ There are efforts to consolidate and streamline the regulatory framework and organizations for US commercial space capabilities.¹⁷ To support greater innovation and bolster US commercial space industries, recently proposed legislation identified ways to make the commercial space licensing process simpler, more timely, and more transparent.¹⁸ These efforts attempt to balance commercial interests against the government’s need to ensure the commercial space capabilities meet national security and foreign policy requirements. Such balancing may be less important as sensitive imagery becomes more available from foreign companies. To address urgent new requirements—e.g., on-orbit servicing of a space force, or continuous global observation in support of climate study, agriculture, and ocean systems—the government may require new policies to support increasing reliance on commercial space industries and new commercial space capabilities.

Approach 6: Accelerate the development and deployment of dual-use commercial satellites, including applications to Earth and space exploration.

The United States should use the emerging commercial space industry, and large constellations of small satellites, to enhance the resilience of national security space missions. This will require a deliberate strategy to guide commercial system developments, and this must be balanced with benefits that accrue to the public. The United States should, with its allies, examine how to interpret current treaties when considering the new commercial space capabilities. The United States, its allies, and private industry should implement global Earth and space observation capabilities.

Recommendation 6: Foster the development of commercial space technologies and develop a cross-agency strategy and approach to space that can enhance national security space operations and improve agriculture, ocean exploration, and climate change activities; align both civilian and military operations, and international treaties to support these uses.

Recommendation 6.1: Ensure federal investments in the commercial space industry deliver public benefits.

Congress should pass legislation that directs the Office of Science and Technology Policy (OSTP) to lead an interagency initiative that develops an economic impact assessment of existing and future government investments in the US commercial space industry, as well as a public-private investment strategy for technology innovations and operating efficiencies that will ensure subsequent benefit to the public interest. Such benefits should contribute to global access to open data sets—via a space-based Internet, space-based cloud storage and computing—of Earth observation, global health, humanitarian applications, and other areas; it should also include suitable sharing of government-funded data collections among other government programs. A cross-agency group including the National Aeronautics and Space Administration (NASA), the National Geospatial-Intelligence Agency (NGA), the Defense Advanced Research Projects Agency (DARPA), relevant federal departments, private industry, and allied nations should develop the plans and partnerships for global Earth and space observation in support of environmental security.

Recommendation 6.2: Foster commercial space technologies of strategic importance and protect these from foreign acquisition.

Congress should direct a cross-agency group including NASA and the Department of Defense to conduct a joint review¹⁹ This does not address foreign acquisition of commercial space technologies of strategic importance of dual-use commercial space technologies and capabilities that are of strategic importance to national security space missions. The scope includes communications, on-orbit storage and computing, large constellations of small platforms, sensing, space situational awareness, satellite protection, launch, and on-orbit servicing. Congress should direct a streamlined licensing process and simplify regulations where appropriate. Such dual-use technologies should be reviewed for protection from foreign acquisition by the expanded authorities of the Committee on Foreign Investment in the United States (CFIUS)²⁰ and by the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence. The broadened role delineated by the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) enables CFIUS to review noncontrolling foreign investments in critical technologies and critical infrastructure in the US space industrial base. Congress should direct an assessment of how the FIRRMA reforms have been applied and the resulting effect.

Recommendation 6.3: Harden the security of commercial space industry facilities and space assets.

The administration should designate the commercial space industry as a critical infrastructure sector and develop a sector-specific plan for its protection. The Department of Commerce should be assigned as the Sector-Specific Agency and should work with international standards-setting groups to harden select commercial space capabilities, e.g., protect communications against cyber threats.

The cybersecurity of both military and commercial spacecraft is a growing concern. Threat actors are devoting more attention to attacking both the software/IT supply chain as well as vulnerabilities in the cyber defenses on spacecraft. Large commercial mega-constellations of small satellites are performing an increasing range of business and communications functions, yet do not necessarily conform to high cybersecurity standards. The US government does not have standards for the design of cyber-secure commercial satellites, though it is introducing self-certification programs for commercial satellite providers.

The administration should extend the National Institute of Standards and Technology (NIST) cybersecurity maturity standards, guidelines, and best practices to the space domain, covering the space, link, ground, and user segments. The cyber-resilient design principles should consider the following: “Intrusion detection and prevention leveraging signatures and machine learning to detect and block cyber intrusions onboard spacecraft; a supply chain risk management (SCRM) program to protect against malware inserted in parts and modules; software assurance methods within the software supply chain to reduce the likelihood of cyber weaknesses in flight software and firmware; logging onboard the spacecraft to verify legitimate operations and aid in forensic investigations after anomalies; root-of-trust to protect software and firmware integrity; a tamper-proof means to restore the spacecraft to a known good cyber-safe mode; and lightweight cryptographic solutions for use in small satellites.”²¹

Recommendation 6.4: Establish the conformance of emerging commercial space constellations to multinational agreements.

The United States should lead a conference to assess future developments in the commercial space industry with respect to the UN OST, the Artemis Accords,²² and other international agreements that may be constructed. The objective is to clarify the acceptable use of commercial space assets as these become of greater use in supporting militaries.

Commercial capabilities may, over time, provide essential portions of space-based surveillance, reconnaissance, communications, refueling, data storage and processing, and maintenance. As new military space capabilities become possible, there is an increased risk that these will be interpreted as “making an effective contribution to military action” and thereby become legitimate targets. These capabilities may include imaging satellites, communications satellites, space networks, satellite maintenance vehicles, launch vehicles, and so forth. A key area to clarify is the legal and technical assessment of what qualifies as “making an effective contribution to military action” involving space technology.²³

Recommendation 6.5: Develop space technologies for mega-constellations of satellites that support monitoring the entire planet pervasively and persistently, at high resolution and communicate the information in near-real time.

The administration should develop autonomous space operations technologies for large-scale constellations. This program, led by the DoD, NASA, and other elements of the national security space enterprise, would use AI technologies to minimize or eliminate human requirements for satellite control, information collection, and information analysis; and increase the speed of the information-to-decision loop.

The administration should encourage commercial space companies to develop cost-effective technologies that increase the survivability of commercial satellites as the operating regions become more crowded or contested. This may enable commercial satellites to operate in a greater variety of conditions, thereby providing expanded value to the United States.

The administration should develop and conduct Challenge Prizes funding opportunities for autonomous satellite operations on single platforms, i.e., for applications where highly capable satellites autonomously manage their own complex taskings, and also work as part of a large collection of similarly autonomous satellites.

The administration should use the model of the NASA Tipping Point solicitation to develop the capability to continuously monitor the world’s oceans—in particular, using space-based sensors—for the impact of climate change and other issues of global importance. This program would be jointly managed by NASA, NSF, and DARPA with collaborations from the European Union (EU) and other participants. This multiyear initiative would help establish a global, real-time Earth oceans observation network and the supporting autonomous control, communications, and data analytics capabilities. In addition to space technologies, this program could also support the development of surface and underwater vehicles to perform this function. The Department of State should address the treaty implications of large numbers of remotely-piloted and autonomous surface and underwater vehicles and develop new international agreements where needed.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Assured space operations for public benefit appeared first on Atlantic Council.

The COVID-19 pandemic has disrupted health and economic security, both directly and indirectly, for most of the planet. Inherent to this disruption are three systemic problems: (i) global and national leaders acted slowly to detect and contain the spread of the virus, (ii) global health organizations reacted slowly to contain the spread of the virus, and (iii) a mixture of factors caused the delayed response including late recognition of the threat and where it was circulating, slow incorporation of science and data into decision making, poor political will, and inconsistent messaging to citizens regarding the nature of the threat and precautions to take. The origin and spread of the coronavirus that causes COVID-19 also depended on a number of codependent factors—human encroachment on animal habitats, globalization and an interconnected world, and a global economy that ignored insufficient sanitation and public health standards. But, most importantly, it depended on a failure of adequate monitoring, data sharing, and early warning and mitigation systems.

Viruses and other pathogens know no borders, nor do they discriminate by race or class. Though nations may adopt their own strategies to enhance resilience and future planning, a more global approach to this interconnected system will be essential to keep all humans safe. Continuous global health protection builds upon a foundation of secure data and communications, rapid sharing of biological threat data across the globe, enhanced trust and confidence in the digital economy, and assured supply chains.

Finding 5: There is a need for a continuous biological surveillance, detection, and prevention capability.

The design of a pandemic surveillance, detection, and prevention system would require a multipronged approach, comprising global monitoring, early detection, rapid warning, and capable mitigation and prevention strategies. The system would perform the following main functions: biothreat agent recognition, mobilization of defenses, containing the spread of the biothreat agent, administration of therapeutic treatment, and the ability to recognize new pathogens and form specific neutralizing responses.

Much of the integrative assessments performed by the system would need to rely on a network capable of receiving data from multiple, decentralized information sources, and converting that information into indicators that can be aggregated and evaluated to support decision making at the individual, local community, and population level.¹ A global detection and response system could enable greater resilience and prevention, and decrease the potential that new outbreaks of pathogens lead to global pandemics.²

Finding 5.1: An early detection and warning system³ requires global data collection of pathogen-related indicators, sometimes requiring novel sources to address information gaps.

Early detection would require the funding of a global, interconnected system that relies on partnerships among national governments and regional partners. Where there are gaps in collecting and sharing preferred data, e.g., when a nation or region does not participate, alternative indicators would need to be developed.⁴

The development of novel, authenticated data sources is a key risk factor for pandemic warning systems. As seen at the start of the COVID-19 pandemic, relying on government-provided information led to a delay in identifying the unusual pneumonia-like illness in Wuhan, China, and ultimately in releasing the genetic sequence of the virus.⁵ It cost lives, delayed warnings and the ability for others to detect the circulating virus, delayed containment and mitigation strategies (e.g., vaccine and therapeutic development), and enabled the virus to spread globally via human vectors.⁶

Authenticated data sources from different decentralized sources and edge devices could include both traditional (e.g., positive viral tests, hospitalization rates, excess death rates) and nontraditional sources of health information (e.g., passive monitoring of environment, wastewater, satellite data, human migration trends, market signals) that can be overlaid, combined, and aggregated to understand current public health conditions and to have predictive value.

Finding 5.2: An elevated capacity on the global stage is required.

The components of global capacity in a pandemic include the ability to quickly identify and sequence novel pathogens; to quickly share that information with the world; to rapidly ramp-up testing; to develop and approve targeted vaccines and therapeutics; to have medical supply chain, manufacturing, and distribution capabilities in place; to have sufficient capital health equipment, medical consumables, and healthcare personnel in place; and to provide access to healthcare and reliable health information to all those in need.

These specific functions for creating a comprehensive global alert and response system and coordinating actions, as well as supporting localized capacity strengthening,⁷ were made part of the World Health Organization’s (WHO’s) updated 2005 International Health Regulations (IHR)⁸ and its pandemic preparedness plan.⁹ “To help countries review and, if necessary, strengthen their ability to detect, assess, and respond to public health events, WHO develops guidelines, technical materials, and training and fosters networks for sharing expertise and best practices. WHO’s help supports countries in meeting their commitments under the IHR to build capacity for all kinds of public health events.”¹⁰

To achieve the fullest potential of these approaches, there need to be investments on a global scale to support expanded detection, mitigation, and capacity-building strategies. These efforts should be conducted through public, private, and government partnerships based on mutual agreements to share data and report issues early. These should be multinational collaborations that would be able to overcome the limiting factors discussed in the next section. In developing these approaches, a priority is to strengthen transparency and accountability within the United Nations (UN) system, including at the WHO.¹¹

Finding 5.3: There are several limiting factors.

There often is a lack of trust among groups, institutions, and governments. Governments do not always trust other governments; countries do not always trust global health bodies; nationally, states do not always trust each other or the federal government; and individuals do not always trust governments or health entities or officials. This lack of trust is well-documented. According to the 2020 Edelman Trust Barometer,¹² “no institution is seen as both competent and ethical,” an opinion that includes government, business, nongovernmental organizations (NGOs), and the media. In the statistical model Edelman provides, government is widely seen as the most unethical, and the least competent, institution of the four. According to the International Development Association of the World Bank Group, half of the global population does not trust government institutions.¹³ Similarly, both individual citizens and countries may lack trust in national and global health bodies.

Health institutions are concerned about sharing data on health outbreaks too early, as this could make them look underinformed, or to be “crying wolf” before the true measure of an outbreak is known.¹⁴ Governments may be incentivized to withhold information on outbreaks to maintain appearances of strength and ultimately to control medical supplies to keep their own people safe. Withholding immediate access to information can severely affect outcomes, such as the spread of the virus, allowing it to gain a foothold in other countries unaware. It also prevents the type of global and interdisciplinary cross-collaboration that has been so effective at advancing science, research and development (R&D), and progress toward solutions.

The cost of developing and operating a global pandemic surveillance, detection, and warning and response system must be borne by all nations in an equitable manner. A recent study¹⁵ estimates “[t]his cost includes the cumulative cost of failed vaccine candidates through the research and development process. … [P]rogressing at least one vaccine through to the end of phase 2a for each of the 11 epidemic infectious diseases would cost a minimum of $2.8–3.7 billion ($1.2 billion–$8.4 billion range).” According to a 2002 study, the cost of developing a vaccine—from research and discovery to product registration—is estimated to be between $200 million and $500 million per vaccine.¹⁶ Due to the high costs of developing vaccines and current therapeutics, developing an equitable funding model will rely on new research to make vaccines less expensive to develop, new technologies to conduct wide-area detection of signatures of biological activity, and new techniques for inexpensive diagnostic testing worldwide. The supply chains, manufacturing capabilities, vaccines, and therapeutics must be developed in such a manner that all nations are protected by such a global pandemic prevention system. The concern extends beyond vaccines which have been developed. Some diseases, like Zika, for which no vaccines exist, continue to be studied; and parasites, such as those that cause malaria, may become more widespread due to global climate change.

There are many types and sources of data that need to be identified in order to effectively predict or fight an epidemic. One is vector tracking. It is difficult to track zoonotic vectors that lead to viral spread. It is estimated that wild animals, in particular mammals, harbor an estimated forty thousand unknown viruses, a quarter of which could potentially jump to humans;¹⁷ it is also estimated that 75 percent of all emerging pathogens in the last decade have come from a zoonotic event.¹⁸ Further, it is complicated to surveil and track pathogen genesis, evolution, and global spread. Understanding of the science of viruses, other pathogens, and their mutation and evolution is incomplete, and research continues on new ways to monitor and spot outbreaks.

Insufficient public health infrastructures. A 2017 study conducted by the World Bank and the WHO points out that half of the global population does not have access¹⁹ to necessary health services, and one hundred million people live in extreme poverty.²⁰

Approach 5: Develop a global pandemic surveillance, detection, and response system based on data sensing and integration via trusted networks.

Three important elements of this global system are the early detection and warning system, the rapid response and recovery system, and the elevated capacity building system.

Recommendation 5: Field and test new approaches that enable the world to accelerate the detection of biothreat agents, to universalize treatment methods, and to engage in mass remediation through multiple global means.

Recommendation 5.1: Develop a global early warning system comprised of pandemic surveillance systems coupled with an early warning strategy.

Congress should request the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), United States Agency for International Development (USAID), United States Department of Agriculture (USDA), and other associated agencies to jointly develop an initial demonstration of this system in collaboration with the WHO, private institutions, and partner nations. The foundation is a surveillance system comprised of both active and passive monitoring of multiple environments and biomes—space, atmosphere, water, soil, animal reservoirs. Fundamental to the pandemic surveillance strategy is (i) training locals to conduct routine testing and genomic surveillance where spillovers occur and to regularly report incidences of novel illnesses, and (ii) increased genetic testing to track pathogens and to delineate what is coming from the natural environment versus being weaponized. Funding contributions and expert participation from other nations should be obtained.

Early detection would be enhanced by increasing the ability to identify and aggregate known data signals, identifying novel data signals, and enabling the combination of these signals into meaningful public health insights. This requires data to be labeled in such a way that it is globally recognized, named, and usable. Detection and monitoring also depend on developing distributed networks upon which those secured signals can arrive, inform local testing and response activities, and eventually be aggregated, while protecting personal data privacy, so that insights can be extracted. Finally, after preliminary flags or warning indicators are observed, a threshold is crossed and the warning or alarm could be sent throughout the distributed network, rather than relying upon a single entity or body to release the relevant information.

Key development principles include:

1. First determine a sufficient and obtainable set of data that the surveillance system should collect, and develop the local and regional capabilities to collect these data;
2. Support a global, decentralized network that can authenticate data sources, and enable validated data-sharing amongst validated data producers;
3. Enable cybersecure data aggregation and analysis capabilities while preserving personal data based on the terms specified in Recommendation 3.1 in this report;
4. Empower a surveillance strategy commensurate with civil liberties and privacy protections;
5. Facilitate a surveillance strategy comprised of both active and passive monitoring of multiple environments and biomes (space, atmosphere, water, soil);
6. Facilitate a surveillance strategy comprised of monitoring of traditional health and nontraditional data sources [e.g., excess death rates, viral genome sequences, Internet searches, geographic information systems (GIS), market trends]; and
7. Form distributed networks for global early warning system alerts.

Recommendation 5.2: Reestablish and realign existing pandemic monitoring programs.

The administration should provide R&D funding to current pandemic monitoring and response networks as part of the effort to build a system for continuous global health protection. The primary actions to consider include: reinstate the USAID PREDICT program²¹ for tracking global zoonotic disease, provide additional funding to the EcoHealth Alliance²², and utilize networks to combine data being accumulated through parallel observation networks—e.g., the Strategic Advisory Group of Experts on Immunization (SAGE),²³ the National Ecological Observatory Network (NEON),²⁴ Collective and Augmented Intelligence Against COVID-19 (CAIAC),²⁵ and the Epidemic Intelligence from Open Sources (EIOS).²⁶

Recommendation 5.3: Emphasize privacy protections in pandemic surveillance systems.

The administration should support initiatives that emphasize privacy protections in pandemic surveillance systems. These initiatives should be managed by NIST and NSF in collaboration with the Department of Health and Human Service’s Office of the National Coordinator for Health Information Technology and the lead science institutions in partner nations. The mitigation strategies will (i) identify infected individuals early through robust and frequent testing with a globally-recommended strategy; (ii) deploy contact-tracing strategies (commensurate with civil liberties); (iii) deliver consistent health messaging for disease prevention, spread, and treatment by coordinating centralized information and data reporting with local, on-the-ground, trusted community leaders; and (iv) provide consistent public health guidance for gatherings like air travel, cruises, sporting events, schools, restaurants, stores, and so forth.

Recommendation 5.4: Increase resilience in medical supply chains.

The administration should fund R&D of cellular- and molecular-based manufacturing technologies²⁷ that enhance supply chain assurance.²⁸ Both cellular and molecular manufacturing are specific instances of synthetic biology. In some cases, they can be rapidly deployed by setting up the conditions for production, and then substituting in the genetic sequences of interest to go into high-gear production. This simplifies supply chain and production lead time, can increase capacity, and creates flexible supply chains by producing candidates that are thermostable.

Some of the more forward-looking technologies for bio-sensing, vaccine development, and therapeutics are amenable to this kind of manufacturing and stockpiling. The goal is to develop redundancy at a regional level (components/ingredients; manufacturing), adopt more rigorous methods for validation of authenticity, and support multiregional distribution chains.

Recommendation 5.5: Develop capacity building for vaccine and therapeutics discovery, development, and distribution.

The administration should establish PPPs to improve pandemic protection capacity building. There are three efforts: (i) biomanufacturing and synthetic biology innovations will create therapeutic discovery systems and speed vaccine discovery; (ii) vaccine discovery, development, and distribution coalitions like the Coalition for Epidemic Preparedness Innovations (CEPI) will enable equitable distribution; and (iii) information monitoring and distribution regarding consumables, capital equipment supplies, hospital resources, and healthcare workers will support public and organizational activities during a crisis.

Recommendation 5.6: Develop rapid responses to unknown pathogens, and supporting data collection networks.

NIH should develop and lead a program for the automated development of treatments for unknown pathogens. The goal is to universalize treatment methods; for example, by employing automated methods to massively select bacteriophages as a countermeasure to bacteria—or employ antibody-producing E. coli or cell-free synthetic biology as a countermeasure to viruses. Advanced computational methods such as computational modeling of the 3D molecules of novel pathogens, and AI-based selection of potential treatments, can help automate and speed up this process. New technologies that can change the time for the regulatory approval process, i.e., the time required for human clinical trials, should be researched—for example, in silico testing or artificial organ testing.²⁹

NIH should create a consortium of universities and biotechnology companies to develop rapid, wide-area distribution of vaccines. This program should consider approaches that distribute vaccines through conventional supply channels, and methods to make vaccines that are survivable and transportable in any environment. Treatments in addition to vaccines should be incorporated in this effort.

NSF should create a digital infrastructure that can connect diverse, independent observation networks, databases, and computers—including emerging biosensors and autonomous sequencers deployed in water systems, air filtration systems, and other public infrastructure—to integrate their diverse data for analysis and modeling with protocols for activating rapid analysis of new pathogens, including new strains of extant pathogens to evaluate ongoing vaccine efficacy.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Continuous global health protection and global wellness appeared first on Atlantic Council.

Both physical and digital supply chain vulnerabilities can have cascading effects on the global economy and national security. Two critical examples include:

• US dependence on foreign production of the main components used in generic drugs. Trade disputes and economic crises can stop the flow of medicines and affect the health and economic welfare of tens of millions of individuals in the United States and other countries.¹
• US dependence on foreign-produced semiconductors for military and commercial products. As the manufacturing and assembly of key components shifts to markets in East Asia, particularly China,² the United States is susceptible to sudden interruptions in supplies and deliberate efforts to degrade the integrity of the products.

The interconnected global networks of manufacturing, transportation,³ and distribution contain many instances where supply chain problems can have magnified effects. To protect against these diverse risks requires understanding which types of goods and sectors of the economy are critical. It also requires assessing the state and characteristics of supplies, trade networks and policies, inventory reserves, and the ability to substitute products or processing facilities. Assuring the performance of physical and software/IT supply chains is essential for a functioning, prosperous society and for national and economic security.

Finding 4: Resilient, trusted supply chains require defense, diversification, and reinvention.

One of the goals of the United States’ National Strategy for Global Supply Chain Security⁴ is to “foster a resilient supply chain.” As part of its strategic approach, the national strategy works to prepare for, withstand, and recover from threats and disruptions. “Executive Order 13806 of July 21, 2017: Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States“⁵ states that “a healthy manufacturing and defense industrial base and resilient supply chains are essential to the economic strength and national security of the United States” and requires a report detailing the current state of supply chains that are essential for national security. The Interagency Task Force report⁶ in response to the executive order recommends decreasing the fragility and single points of failure of supply chains and diversifying away from dependencies on politically unstable countries.

It is difficult to know the full range of potential threats and disruptions for a given supply chain. For multitiered supply chains, the primary suppliers may not have information on each of the suppliers at the third or fourth tier and will not have accurate or up-to-date information on the trustworthiness of the sources of components, e.g., circuit board component suppliers. The multiplying, dynamic effects of supply chain disturbances are often not deterministic. In cases of deliberate sabotage of a resource, there may not be observable indicators, as with the insertion of hidden back doors in software. Resilient supply chains address a portion of these uncertainties through risk-reduction strategies and greater supply chain transparency.

For some supply chains, resilience may be attained by increasing defenses through greater trade enforcement and strengthening key segments. For some supply chains, diversifying the sources and manufacturing locations, in partnership with allies, is an effective strategy. Adversaries are creating strategic vulnerabilities and weaknesses in US supply chains; a key area is the design and manufacture of advanced electronics. To address this growing risk, the strategy exemplified in the Defense Advanced Research Projects Agency’s (DARPA’s) Electronics Resurgence Initiative⁷ involves developing new technologies for alternative materials, designs, and production processes.

Finding 4.1: Critical supply chains are pervasive and challenging to defend.

Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience,” defines critical infrastructure to be those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”⁸ There are eighteen critical infrastructure sectors. The Sector-Specific Plans discuss critical infrastructure resilience and include the supply chains in the risk management or risk mitigation section of some sector plans.

Supply chain attacks can be hard to detect and defend against. The Department of Defense’s (DoD’s) report, Department of Defense Strategy for Operating in Cyberspace,⁹ highlights the critical issue of supply chain vulnerabilities and the risks of US reliance on foreign suppliers. The range of supply chain attack opportunities is large—including design, manufacturing, servicing, distribution, and disposal segments of the supply chain—and challenging to detect.

Appendix B discusses the cyberattack of FireEye, involving the theft of its penetration testing toolkit, and the breadth of a comprehensive cyber espionage campaign centered on SolarWinds’ Orion network monitoring software. More than eighteen thousand commercial and government targets, including Intel, Microsoft, California state hospitals,¹⁰ the National Nuclear Security Administration,¹¹ and dozens¹² of federal, state, and local government agencies, downloaded compromised updates, all with the goal of extracting valuable intelligence while remaining undetected.

Finding 4.2: A broadened view of stockpiles increases resiliency.

Creating additional supplies or increasing production capacity contribute to creating stockpiles in a supply network. Adding more production capacity in the United States, or encouraging allies to undertake similar actions, is the focus of recent legislative efforts.

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act; P.L. 116-136) strengthened reporting requirements to delineate the domestic versus foreign production of finished drug products and active pharmaceutical ingredients. While the CARES Act requires the National Academies of Sciences, Engineering, and Medicine to evaluate the US medical product supply chain, options for increasing the security and resilience of this supply chain are still under consideration.¹³

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021¹⁴ includes provisions to enhance the security of the semiconductor supply chain. It incentivizes investment in facilities and equipment in the United States for semiconductor fabrication, assembly, testing, advanced packaging, or R&D. It strengthens the United States’ capacity to develop and produce cutting-edge semiconductors domestically through federal funding, promotes greater global transparency around subsidies to identify unfair or opaque forms of support that distort global supply chains, and provides funding support to “foreign government partners to participate in a consortium in order to promote consistency in policies related to microelectronics, greater transparency in microelectronic supply chains, and greater alignment in policies toward non-market economies.¹⁵

“Executive Order 13817 of December 20, 2017: A Federal Strategy to Ensure Secure and Reliable Supplies of Critical Minerals” defines “critical mineral” to be “(i) a non-fuel mineral or mineral material essential to the economic and national security of the United States, (ii) the supply chain of which is vulnerable to disruption, and (iii) that serves an essential function in the manufacturing of a product, the absence of which would have significant consequences for our economy or our national security.”¹⁶ Based on country production and import reliance, thirty-five minerals were deemed critical minerals. For some of these critical minerals,¹⁷ increased domestic production is possible,¹⁸ through the policies in the executive order intended to decrease the time to obtain mining permits.

The DoD is working to ensure reliable supplies of rare earth minerals by increasing domestic production and processing capabilities.¹⁹ The department has taken steps to increase stockpiles, reduce reliance on Chinese sources, partner with private industry to increase production of rare earth magnets, and accelerate the development of new rare earth mineral processing technologies, and is seeking to increase funding for domestic production of rare earth minerals for munitions and missiles. To increase domestic production of rare earth minerals, mining-reform legislation is needed. The current mine-permitting process takes approximately ten years, when timelines of two to three years may be possible. Cooperative agreements with like-minded countries may also increase the supply available to the United States. South Africa, Canada, Australia, Brazil, India, Malaysia, and Malawi have rare earth minerals; China, Russia, and the United States hold 82.6 percent of the world’s production and reserves.²⁰

Finding 4.3: By creating new materials and new design and manufacturing technologies, the United States can eliminate critical dependencies on foreign sources.

The DARPA Electronics Resurgence Initiative²¹ is in the fourth year of a long-term, $1.5 billion effort to reinvent defense electronics both to improve performance and to respond to foreign efforts to shift innovation in electronics away from the United States. The program currently includes applications of the new materials, chip designs, chip manufacturing technologies, and new methods for increasing security in a variety of defense systems. At present, the United States imports 80 percent of its rare earth elements directly from China.

The DARPA Electronics Resurgence Initiative supports the goals of the “Executive Order 13953 of September 30, 2020: Addressing the Threat to the Domestic Supply Chain From Reliance on Critical Minerals From Foreign Adversaries and Supporting the Domestic Mining and Processing Industries.” The transformation of microelectronics is DoD’s top modernization priority. A critical, fundamental risk is the US dependence on foreign semiconductor chip manufacturing, dominated by microelectronics fabrication plants in vulnerable Taiwan and South Korea.

Approach 4: Develop supply chain resilience strategies for a broadened set of critical resources, conduct assessments with allies.

The United States must establish criteria for determining which supply chains are critical and develop supply chain assurance strategies based on knowledge of the current supply network and the creation of alternative pathways, processes, and materials.

Such strategies must incorporate:

1. A supplier nation’s trade and export policies and the effects of sudden changes,
2. A nation’s near-monopoly of a key resource,
3. Alternate supply lines available to the United States,
4. Baseline capacities and resources, and
5. The ability to reestablish commercial operations in locations having lower risk.²²

For information systems and networks, the United States should develop and test cybersecurity resilience strategies and performance standards for increased cybersecurity in systems that support supply chains for critical resources.

Recommendation 4: Conduct regularized assessments in the United States and in allied countries to determine critical supply chain resilience and trust, implement risk-based assurance measures. Establish coordinated cybersecurity acquisition across government networks and create more experts.

Recommendation 4.1: Implement a framework that identifies and establishes global data collection on critical resources.

“Executive Order 14017 of February 24, 2021: America’s Supply Chains,” will conduct a review of critical supply chain vulnerabilities affecting both government procurement and also that of the private sector. This review will address the changing nature of critical supply chains as “manufacturing and other needed capacities of the United States modernize to meet future needs.”²³ It will examine dependence on foreign suppliers, measures of resilience, and a range of sectors including energy, semiconductors, key electronics and related technologies, telecommunications infrastructure, and key raw materials. Strategies to increase critical supply chain resilience include “a combination of increased domestic production, strategic stockpiles sized to meet our needs, cracking down on anti-competitive practices that threaten supply chains, implementing smart plans to surge capacity in a time of crisis, and working closely with allies.”²⁴ After this initial review, the administration plans to ask Congress to enact a mandatory quadrennial critical supply chain review to institute this process permanently.

To conduct this critical supply chain review, the administration should develop a set of criteria for determining resources that are critical to the nation with respect to public health, national security, economic security, and technological competitiveness. These criteria should encompass critical resources beyond high-technology products, to include IT and computer systems and infrastructures, and lower technology products that are important for high-technology competitiveness, e.g., steel, auto parts, and other portions of US manufacturing industries. These criteria should be developed by the White House Office of Science and Technology Policy (OSTP) in coordination with relevant executive branch agencies and departments and with the active participation of private industry. Because critical resources are dynamic in nature and are constantly evolving, this should be a recurring, ongoing initiative.

The administration should use existing fora for international outreach to foster data collection and information sharing for assessments of critical resources and critical supply chains. It should also identify where US funding will strengthen supply chain assurance in partner countries, particularly those with a strong rule of law and a commitment to intellectual property protection. The assessments must address where key resources (e.g., pharmaceuticals,²⁵ agricultural products²⁶) are manufactured and sourced, and how this impacts the robustness of US supply chains, the ability to manufacture the key resources in the United States, and other issues concerning supply chain threats and vulnerabilities. The United States-Mexico-Canada Agreement (USMCA) in its “Rules of Origin” chapter provides a model for agreements with like-minded countries.²⁷ The United States Trade Representative would develop trade agreements that help strengthen supply chains.

Recommendation 4.2: Fund and broaden federal oversight of supply chain assurance to include all critical resources.

Congress should establish an annual reporting requirement that assesses the supply chain assurance for all critical resources, to be assigned to the Department of Homeland Security (DHS) with support from the Office of Management and Budget (OMB). The Cybersecurity and Infrastructure Security Agency (CISA) will contribute assessments of the cybersecurity of the supply chains included in the annual report. This report should determine priorities for supply chains deemed critical to US national and economic security and national health. Congress should require that federal budget requests affecting critical supply chains are based on these priorities.

The administration should develop an approach to address risk management for supply chains beyond those already associated with information technology and computer systems. The administration should extend the work by NIST to model critical assets and components for information systems,²⁸ to critical resources as described here. This effort will delineate the data—for both physical supply chains and software/IT supply chains—required to perform supply chain assurance assessments.

Recommendation 4.3: For the United States, the administration must develop a geopolitical deterrence strategy that addresses critical digital resources and digital supply chain assurance.

State-based cyber-enabled threats to the integrity of global supply chains—impacting both physical (as seen in disruption to global logistics and manufacturing activity in the wake of the NotPetya ransomware attack²⁹) and digital (as illustrated in the wake of the SolarWinds compromise) supply chains—increasingly represent costly and high-impact challenges. The national cyber director, as part of the National Cyber Strategy, should develop a geopolitical deterrence strategy that enables the US government to leverage all tools of US power—from diplomacy, to sanctions, cyber, and military activity—to exercise deterrence. The administration should evaluate the potential for (i) continuous evaluation of digital supply chains to enable prompt detection of malicious activity targeting these supply chains, and (ii) prompt detection, combined with improved supply chain resilience and timely actions in response to the detected activity, to decrease the likelihood of cyberattacks. Continuous evaluation of supply chains for critical digital resources³⁰ would be coordinated and managed by CISA as part of its role in managing federal cybersecurity risk.

Recommendation 4.4: Conduct regular physical and software/IT supply chain assessments in the United States and with allies, focused on intersecting vulnerabilities with cascading consequences.

The administration should establish with allies and partner nations a test program for supply chains and reporting on supply chains’ status and test results. This reporting would address the readiness status of both public and private sector supply chains, and the results of exercises that test the preparedness, adequacy, and resiliency of supply chains against a range of conditions and scenarios, much like stress tests for the financial sector.

• Because most of the supply chain data are held by private companies, a key issue is whether the private sector will provide enough data about its supply chains, or can be incentivized to do so. Questions to address include: what is the minimal information that is needed to calculate these performance measures, and will the resultant tests provide useful results across the situations of interest? will the private sector give these data, given its competitive positions? what is the best estimate of the metrics subject to the data availability constraints? Thus, the tests must show these estimates can be developed using acceptable access to the private data, or must determine a narrower set of criteria to test against.

Due to the many factors bearing on cybersecurity resilience, including the growing threat of sophisticated cyberattacks by major adversaries, the administration should develop software/IT supply chain resilience risk assessments that incorporate the effects of new standards and tools to measure cyber vulnerabilities, improved information sharing (including intelligence information on nation state-supported cyberattacks and ransomware denial of service attacks), designs for improvements that protect against systemic vulnerabilities, and new technologies such as cloud-based services.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Assured supply chains and system resiliency appeared first on Atlantic Council.

Enhanced trust and confidence in the digital economy is founded upon personal privacy, data security, accountability for performance and adherence to standards, transparency of the internal decision-making algorithms, and regulations and governance for digital products and services. Trust and confidence in the digital economy is diminished by practices that do not protect privacy or secure data, and by a lack of legal and organizational governance to advance and enforce accountability.¹ Data breaches, malware embedded in downloaded apps, unfiltered mis- and disinformation, and the lack of governance models to effectively address these harms all contribute to the degradation of social and civic trust. This degradation undermines economic and civic confidence, is costly,² constrains the growth of the digital economy,³ and has destabilizing effects on society, governments, and markets. Trust and confidence in the digital economy is essential for open societies to function, and for resilience against cascading effects of local, regional, or national economic, security, or health instabilities.

Finding 3: To enhance trust and confidence in artificial intelligence and other digital capabilities, technologies must objectively meet the public’s needs for privacy, security, transparency, and accountability.

The growth of digital economies is changing how trust is valued by institutions, businesses, and the public.⁴ The traditional view of trust is expressed in terms of the security of a business transaction. The increase in cyberattacks, identity theft, social media disinformation campaigns, and the use of autonomous decision-making software, introduces new factors that affect trust. Trust in a firm’s reputation and ethical practices, privacy protection, and how personal data are used depend on technology, business practices, and the public’s perception of how well these components of trust are protected.

Not everyone has the same perception of what is trustworthy. However, reaping the benefits of the digital economy requires a high level of trust among users. Therefore, government and industry should work to enhance the transparency and accountability of digital systems to improve trustworthiness. Challenges include the following: (i) views on personal privacy protection are context-dependent, vary by culture or location, and may be formalized in different terms across nations, regions, and states; and (ii) as automated decision-making algorithms proliferate, new applications reveal trust weaknesses regarding implicit bias, unethical use of personal data, and lack of identity protection.

Trustworthiness needs to be prioritized and empirically demonstrated in the evolving market. Building trust involves educating all participants on the fundamental value of trust in the digital economy and ensuring digital systems reflect individual and societal conceptions of trust. There must be national and international standards for judging how well technologies and systems protect trust. Professional organizations that audit for trust in the digital economy will strengthen accountability.

Finding 3.1: The European Union’s General Data Protection Regulation uses data protection rules as a trust-enabler.⁵

As European Union (EU) member nations work to conform national rules and laws to the General Data Protection Regulation (GDPR), the European Commission notes that these steps may strengthen trust relationships. Other nations propose that a global framework for cross-border Internet policies may be able to protect data security and privacy while still allowing national laws and regulations as a part of the approach if certain trust relationships are maintained. For both approaches, a set of rules or principles provides the foundation for trust.

The GDPR⁶ establishes regulations for data security and privacy that apply to any organization that collects or uses data related to people in the EU. The entire data chain is covered by the GDPR, including data collection, processing, storing, and managing.

The GDPR comprises principles that govern data protection and accountability for those who process data. There are technical measures for data security, and organizational design principles for data protection. Data privacy is expressed in terms of privacy rights, including the right: to be informed, to rectification, to erasure, to restrict processing, to data portability, and to object, and the right of access. There are also rights in relation to automated decision-making and profiling. The governance mechanism centers on Data Protection Authorities that work to align each EU member nation’s approach to data security and privacy to conform with the GDPR. These Data Protection Authorities have enforcement powers and the ability to levy fines when a GDPR rule is violated.

Finding 3.2: Current approaches to machine learning and big data analytics risk weakening data protection rules.⁷

Data privacy protection is vulnerable to advanced data analytics that can infer personal identifiable information by joining loosely related data sources. As a result, the growing use of current machine learning methods applied to large, multi-source data sets highlights potential limitations in the GDPR where such computational methods can infer data originally made private. The development of new data science capabilities may require research on new privacy-preserving technologies for nations to remain compliant with the GDPR. With increasing amounts of personal medical and genetic information being held in data repositories, this need is urgent.

Finding 3.3: Evolving US data privacy approaches consider outcome-based methods, versus prescriptive methods.

The development of data privacy laws in the United States is an evolving patchwork, with more than one hundred and fifty state data privacy laws proposed in 2019.⁸ There is no overall federal data privacy law.

One instance of federal legislation for data privacy proposed in the 117^th Congress⁹ includes the following key privacy features, which are viewed as outcome-based.¹⁰

• Transparent communication of the privacy and data use policy
• Affirmative opt-in and opt-out consent
• Preemption, in which the proposed statute would preempt most state laws with limited exceptions for data breaches, and other limited situations
• A right to action, enforced at the federal or state level, to address alleged violations
• Independent audit of the effectiveness and appropriateness of the privacy policy for each entity providing data services

Several bills¹¹ introduced in the 116^th Congress addressed a subset of the above features or are focused on COVID-19 contact tracing, health status, and identifiers. In addition, several bills introduced in the 116^th Congress addressed disclosing how data are used or monetized by social media companies that enhance the accessibility and portability of a user’s data across devices.¹²

The National Institute of Standards and Technology (NIST) Privacy Framework describes a risk- and outcomes-based approach to establishing privacy protection practices in an organization. Organizations can vary the technologies and design of the privacy protection aimed at satisfying performance outcomes. This may be advantageous when the technologies and applications are changing at a fast pace, e.g., artificial intelligence (AI) and the Internet of Things (IoT).¹³

While there are several federal data privacy laws specific to certain industries or groups, e.g., the Health Insurance Portability and Accountability Act (HIPAA),¹⁴ the eventual form and scope of US data protection laws will depend on policy and legal considerations. A key decision concerns the model for data protection laws. The EU GDPR model is prescriptive; GDPR compliance involves demonstrating that the procedural rules were followed. An alternate model for data protection laws is outcome-based, which allows flexibility in how to achieve data protection.¹⁵

A choice between prescriptive versus outcome-based approaches must assess their relative costs and benefits and how the two approaches can work together. The proposed bills in the 116^th Congress identify a robust set of data privacy features while promoting flexibility and innovation in their implementation; the GDPR model has greater worldwide traction, creating opportunities for harmonized regulatory treatment.

Finding 3.4: New information technologies compel automated compliance testing.

New information technologies and advanced data capabilities challenge current methods of compliance and enforcement. The variety of new ways to collect, process, and analyze data is increasing at a fast rate, while compliance often is determined on a case-by-case basis by regulatory and legal experts. To keep pace, automated testing for compliance with data privacy regulations is necessary.

Table 2 portrays some of the challenges and solutions for achieving automated compliance testing. This research agenda identifies the following key developments: standards, new privacy-preserving technologies, and automated methods to establish compliance.

Table 3. Big Data Value Association Strategic Research and Innovation Agenda

Source: Timan and Mann 2019¹⁶

Privacy-preserving technologies are an active research area, and include the following:¹⁷secure multiparty computation, (fully) homomorphic encryption, trusted execution environments, differential privacy, and zero-knowledge proofs.

The value of privacy-preserving technologies involves trade-offs between privacy and utility—how useful is the resulting data—both of which are context dependent.¹⁸ Affecting these trade-offs are the technical methods, the technical definitions of privacy, and the specifications of the privacy laws. The technical methods (e.g., anonymization, sanitization, and encryption) operate on data in different ways. The technical definition of privacy varies by application and the user’s perceptions of risk versus the benefit of making personal data available. Privacy laws vary across nations, challenging the uniform application of technical methods. For both professionals and members of the public, making trade-offs between privacy and utility remains challenging. This is partially due to the absence of definitions of and standards for measuring privacy and the social benefits obtained from making data available for use by others.

Finding 3.5: Trust and confidence in digital capabilities requires businesses and governments to focus on the responsible use of technology.

Increasing trust and confidence in emerging technologies, such as AI, requires a recognition by both businesses and governments that they have an obligation to use technology responsibly, ensuring that technology has a positive impact on society, especially with regards to equality and inclusion.¹⁹ Developing and innovating responsibly means ensuring that (i) ethical frameworks and policies exist to guide organizations during all aspects of a product’s development and deployment, (ii) fairness in design is emphasized from the outset, and that (iii) questions around the manner in which technologies will be used are given the same rigorous examination as technical issues. As technological capabilities evolve and become more deeply intertwined in all aspects of society, businesses and governments must put ethics at the center of everything they do.

Approach 3: Build in trust-enabling technologies, measure performance against standards, conduct independent compliance audits.

The digital economy relies on achieving a high level of trust and confidence on a continuing basis as technologies evolve. Trust and confidence-enabling technologies must be developed and built into the components of the digital economy infrastructure; a detailed understanding of the trade-offs between privacy versus utility is an essential foundation. Such technologies must be paired with similar civic norms, practices, and rules designed to enhance confidence in the digital economy. To assure businesses that they remain compliant with data protection regulations as they modernize their practices, automated compliance testing, accompanied by standards of performance, is needed. To establish transparency for automated decision-making algorithms, standards for the measurable performance, i.e., the output results, are necessary. Independent assessments of the compliance testing and algorithmic transparency by professional auditing organizations could enhance trust among all participants in the digital economy and aid accountability and governance; such methods should be explored. However, mechanisms for compliance testing and auditing by regulators are also necessary.²⁰

Recommendation 3: Develop international standards and best practices for a trusted digital economy that accommodate national rules and regulations, streamline the process of independently assessing adherence to these standards.

Recommendation 3.1: Develop a US data privacy standard.

Congress should create a national data privacy standard that embodies the following principles: (i) appropriate use of data: this defines the intended purpose for the collected data, the scope of what can be collected, the needed security, and the entities that are covered by the principle; (ii) nondiscriminatory use: the collected data cannot be used to discriminate against protected classes; (iii) informed participation: the individuals must receive the privacy policies in a transparent manner before data are collected, and provide affirmative express consent, including the ability to revoke consent and require destruction of the data or the movement of the data as directed by the individual (i.e., portability); (iv) public reporting: covered entities must periodically report on the data collected, retained, and destroyed, and the groups of individuals from whom the data were collected; (v) independent audit: the performance of covered entities with respect to the data privacy standard must be annually audited by an independent auditing organization, with parallel mechanisms to accommodate auditing and review by regulatory agencies; (vi) enforcement: federal and state enforcement organizations are given the authority to pursue violations of the laws for data privacy protection; (vii) preemption: this would preempt state privacy laws that are inconsistent with the proposed national standard; and (viii) consumer protection laws: the privacy standard would not interfere with consumer protection laws on issues apart from data privacy.

The data privacy standard should recognize gradations in the sensitivity of personal data—some personal data are treated more strictly than others. Affirmative express consent should be structured based on the types of data and how they will be used.

Congress should work to develop a national data privacy standard that can achieve global interoperability and should request an analysis of emerging privacy standards and issues that limit this achievement. Congress also should use the proposed national data privacy standard to inform the development of transparent national consumer data privacy laws that preserve individuals’ control of their personal data and facilitate the development of trusted networks and applications.

The results should establish federal data privacy standards for personal data, establish standards for content moderation by information providers, and should regulate platform providers’ ability to conduct experiments or surveys with users and user data without prior consent.

Recommendation 3.2: Develop privacy-preserving technologies for the digital economy and demonstrate in a full-scale test their conformance with the General Data Protection Regulation.

The administration should direct NIST to establish and test privacy-preserving technologies that enable a risk- and outcomes-based approach to trust in the digital economy. The test should evaluate, at scale, conformance with relevant GDPR rules, conformance with existing US laws governing data privacy, and robustness with respect to innovations and advances in information technologies and data capabilities, especially those based on AI, machine learning, and the IoT. This work should include the development of technical definitions of privacy and application-specific measures of the utility of analyses that are based on privacy-protected data. The tests should include end user evaluations.

The administration should establish a near-term program that demonstrates privacy-preserving technologies to aid the trusted collection and sharing of data for the purpose of improving individuals’ access to healthcare during large-scale biological events. This program should be jointly managed by NIST, the Department of Health and Human Services (HHS), the National Institutes of Health (NIH), and the National Science Foundation (NSF). This program will monitor system performance to inform the development of standards for the ethical use of the shared data and how data governance will be formulated.

Recommendation 3.3: Create measurement methods and standards for evaluating trust in the digital economy.

The administration should direct the National Institute of Standards and Technology (NIST) to establish methods for evaluating users’ trust in the digital economy given the increasing use of AI, big data analytics, and automated decision-making algorithms. This work builds on the Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy²¹ and the National Strategy for Trusted Identities in Cyberspace.²² One assessment framework example²³ describes measures of: “(i) user trust in the digital environment, e.g., data privacy, security, private sector efforts to control the spread of misinformation, and private sector adherence to cybersecurity best practices; (ii) the user experience, i.e., the effort needed to interact with the digital environment; (iii) user attitudes, e.g., how trusted are government and business leaders; and (iv) user behavior, i.e., how much do users interact with the digital environment.”²⁴

The administration should create a coalition to develop international standards for achieving trust in the digital economy. The coalition should include representatives from NIST, the Federal Trade Commission (FTC), private industry, Federally Funded Research and Development Centers (FFRDCs), University Affiliated Research Centers (UARCs), and international standards organizations. The United States and like-minded nations and partners should develop national assessments of trust in the digital economy using these standards.

Recommendation 3.4: Empower an organization to audit trust in the digital economy.

Congress should establish or empower an organization to audit the efficacy of measures designed to ensure trust in the digital economy and assess conformance to current and future standards designed to enhance and maintain such trust. Independent third parties or the Government Accountability Office (GAO) are examples of where such auditing organizations could be housed. 

As part of this process, the auditing organization could provide recommendations to Congress on legislation that would enhance existing trust measures, develop new trust measures, and create trust performance standards. The auditing organization should also provide a mechanism through which the public and industry can raise topics and concerns for attention and, for cases where assessments or audits were done, include an ombudsman function for assessment appeals, identification of new information, or adjudication of concerns in a manner distinct from political influence.

The administration should work to establish a similar auditing program with EU members of the International Organization of Supreme Audit Institutions.

Recommendation 3.5: Assess standards relating to the trustworthiness of digital infrastructure.

Congress should direct an assessment by the National Academies of Sciences, Engineering, and Medicine of the current national and international standards relating to the trustworthiness of digital infrastructure to support the digital economy. “Trustworthiness of an information system is defined as the degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats.”²⁵

Due to the increasing complexity of the digital infrastructure, the assessment should also review design standards for complex systems-of-systems from the perspective of trustworthiness. The overall assessment focuses on systems that support the digital economy. The study should assess the sufficiency of existing standards to guide improvements in trustworthiness, identify where new standards are needed, and recommend the data collection and testing methods that would enable ongoing assessments.

Recommendation 3.6: Educate the public on trustworthy digital information.

Congress should establish a grant program led by NSF for the purpose of developing a curriculum on trustworthiness of information—distinct from the trustworthiness of information systems—in the digital age. This curriculum should be created by a consortium headed by a university or coalition of universities. The program should be administered by select universities, with the participation of US information providers. The goal should be to educate the public on how to assess the trustworthiness of information—its credibility, truthfulness, and authenticity, and to develop tools that students and members of the public can use and benefit from on a regular basis.

Recommendation 3.7: Conduct demonstration projects involving artificial intelligence to improve delivery of public- and private-sector services at local, state, and federal levels.

Congress should authorize and appropriate funds for AI demonstration projects that improve the delivery of public services.²⁶ The overall program would be managed by one of the National Laboratories or by a newly created FFRDC with the mission to leverage technology to improve the delivery of public services. These testbed projects would be supported by local and state grants, cross-cutting federal government efforts, and public-private partnerships (PPPs) to employ AI to improve healthcare, workforce training, food production and distribution, and other areas. The overarching goals are to increase public trust in, understanding of, and confidence in AI; to learn how to use AI in ways that reduce inequality and enhance, rather than replace, human work; and to improve access, affordability, and availability of such services. At local, state, and federal levels, individual government agencies will gain long-term benefits by acquiring the necessary data infrastructure to employ AI to improve the delivery of public services.

Recommendation 3.8: Produce a framework for assessing ethical, social, trust, and governance considerations associated with specific current and future use cases for AI.

The administration should request the National Academy of Sciences to produce a framework for assessing ethical, social, trust, and governance considerations associated with specific current and future use cases for AI solutions. The framework should identify where new federal standards and rules are needed. This guidance should be developed with the participation of relevant executive branch departments and agencies, and in consultation with private industry, academia, members of the public, and government and industry representatives from foreign partners.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Enhanced trust and confidence in the digital economy appeared first on Atlantic Council.

This chapter addresses secure data and communications in two timeframes. Part A discusses current cybersecurity concerns and includes recommendations for improving US cybersecurity against an expanding range of vulnerabilities. Part B focuses on quantum information science (QIS) and recommends steps for ensuring the United States, along with its allies and partners, remains a leader in the development and operationalization of QIS technologies.

Part A: Current cybersecurity concerns

Secure data and communications are fundamental to the United States’ digital infrastructure and to attaining the full benefits of the global digital economy. Through the use of standards, risk assessments, monitoring, and technologies, the US government enables the public and private sectors to secure systems, data, and communications.

As the digital economy connects more public and private sector processes, effective cybersecurity for the US government faces several challenges: (i) the US government, through regulations, can affect though not assure the cybersecurity preparedness of the private sector; (ii) the ultimate size of the needed cybersecurity workforce to secure US government and private sector networks requires the private sector to fulfill the larger share, though some small- and medium-sized companies cannot afford a dedicated cybersecurity workforce; and (iii) US government agencies and laws for ensuring cybersecurity are not fully adapted to the evolving characteristics of cyberattacks. The effects of these limitations will lead to more attack vectors, missed early warning indicators, and lower cybersecurity preparedness. To maintain secure data and communications, the United States must overcome these limitations and must also stay ahead of adversaries’ exploitation of US network and endpoint vulnerabilities.

Finding 2A: Expanding cybersecurity vulnerabilities require partnerships between the public and private sectors.

Cybersecurity vulnerabilities are increasing in scope and effect: greater connectivity yields more vectors for attacks, interdependent networks produce cascading effects, data breaches and records exposed are increasing,¹ and disjointed governance limits awareness and speed of action.

Cyberattackers leverage the interdependent parts of digital infrastructure to create complex attacks for the purposes of “coercion, sabotage, espionage, or extortion.”² The greater number of connected devices can give attackers new, less defended points of access to systems and networks; for example, attackers could access the network controller devices in an electrical power network.³ Software supply chains also present new cyberattack vulnerabilities when companies fail to employ industry-best security practices.

• In the recent SolarWinds Orion software supply chain attack, malware was inserted into a trusted software update, which led to significant breaches of government and private networks as the update was downloaded by as many as eighteen thousand SolarWinds customers (including other software and IT vendors). Such exploits of software/IT supply chains require knowledge of software configurations and dependencies. If a software vendor in the supply chain is vulnerable, then its software updates become vectors for diffusing malware.⁴

Interdependencies among networks, including between digital infrastructures and physical systems or people, are a growing type of vulnerability. Three cases illustrate such interdependencies.  In a cyber risk assessment of the election infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) found that “Disinformation campaigns conducted in concert with cyberattacks on election infrastructure can amplify disruptions of electoral processes and public distrust of election results.”⁵ Ransomware attacks cost institutions money, caused inconvenience, and disrupted the healthcare at some hospitals.⁶ An adversary could hold hostage one of the US critical infrastructure sectors⁷ to preempt US military or diplomatic responses.

Data are as important as the networks, and are the foundation for new capabilities to monitor the climate, global health, agriculture, and cyberspace. Large data collections are essential for new applications of AI and innovations in medicine and education. The data infrastructure, including where the data are stored, analyzed, and the networks that communicate the results, are targets for cyberattacks.

Advanced cyberattacks take advantage of the limited information sharing between government cybersecurity experts and private industry, and the limited collection of cyberattack indicator information on private systems. Cyberattackers can spend weeks or months carefully probing the target systems, unnoticed.

Federal and private sector organizations lack sufficient insight into system operations, acquired software dependencies, and vendor practices. Also lacking is an effective system of liability and incentives to promote software supply chain security.

Finding 2A.1: Private sector infrastructure critical for economic or national security needs strengthened cybersecurity.

Private sector enterprises and small businesses can be a vector for significant attacks on critical infrastructure, yet cannot readily access or benefit from US government cybersecurity expertise. According to Securing Cyber Assets, Addressing Urgent Cyber Threats to Critical Infrastructure:⁸

“[M]any outstanding federal capabilities play crucial roles in cyber defense and resilience today. However, their effectiveness is constrained in the following ways:

• Private sector knowledge of these [federal cybersecurity] capabilities and incentives to use them is limited.
• Access [to federal cybersecurity capabilities] is hindered by multiple legal and administrative constraints.
• Government capabilities are scattered across a wide swath of agencies, departments, and their sub-units—a complicated labyrinth comparatively few can effectively navigate.
• Classification of essential threat information can delay and hinder coordinated response.”

The following sources of cyber information and resources, along with improved coordination with the federal government, can address these needs: (i) Government sharing of critical information about cyberthreats, capabilities, and early attack indicators. This information can help private companies focus their cyberdefense resources and be more agile in doing so. (ii) A national cyber strategy that incorporates the private sector as an integral participant. This requires clarifying the laws governing the ability of the US government to direct the cybersecurity actions of private sector entities, including obligatory information sharing from certain private sector entities. (iii) For software/IT supply chains that support critical economic or national security infrastructure, US government provided risk information on vendors and components flowing into the software/IT supply chain, based on comprehensive and up-to-date collection of supply chain data and analysis of supply chain risks. Private industry can use this information to inform their risk assessments. (iv) US government incentives that assist private industry to grow the cybersecurity workforce needed to make the private sector more secure.

Finding 2A.2: Obtaining the needed cybersecurity workforce and expertise requires participation by the public and the private sector.

“Executive Order 13870 of May 2, 2019: America’s Cybersecurity Workforce,”⁹ establishes national requirements to expand both the federal cybersecurity workforce and the cybersecurity workforce for state, territorial, local, and tribal governments, academia, private sector stakeholders, and others. There are five hundred and twenty-one thousand unfilled cybersecurity jobs in the United States, of which thirty-seven thousand are in the federal government.¹⁰

The EO supports workforce mobility between the public and private sector for cybersecurity workers, and directs departments to share recruitment strategies and tools across these sectors. A starting point, for both sectors, is the Workforce Framework for Cybersecurity [National Initiative for Cybersecurity Education (NICE) Framework].¹¹ This defines categories and specialty areas, knowledge, tasks, skills, abilities, and work roles. It can be used by public and private sector employers to better match candidates with sets of needed skills.

To close the workforce gap in nonfederal positions, a flexible approach, consistent with the NICE Framework, may be effective.¹² The strategy is to develop new career models that are better matched to the pool of candidates, aligned with the NICE Framework where possible, and using employee development programs and financial incentives to grow workforce skills.

Finding 2A.3: Cybersecurity governance, which must enable timely protective actions, has not matched the speed of the cyber threat environment.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework comprises five functions: Identify, Protect, Detect, Respond, and Recover.¹³ In each function, timely action is essential for effective cybersecurity. Yet, defensive cybersecurity posture is systemically outpaced by offensive actors.

• Patching quickly is imperative. A FireEye study¹⁴ reports the average time disclosure and patch availability was approximately nine days. Other reports¹⁵ have found longer times to patch though—up to thirty-eight days on average—and some of the most notorious cyber incidents exploited vulnerabilities patched months before their compromise.¹⁶
• Organizational adjustments and implementation of best practices must be rapid to keep up with developing threats. Yet, at the federal level, many agencies have been unable to adopt NIST-recommended best practices for ICT supply chain risk management for years.¹⁷
• Timely and rapid detection and response is necessary to forestall damage and the risk of cascading effects. This capability relies on a system of indicators and warnings, and, at times, comprehensive situational awareness that allows one to monitor cyber events closely and deploy defensive tools with precision. Still, the most sophisticated incursions can remain undetected for months.¹⁸
• Timely recovery depends on having built resilience into the digital infrastructure, and in having efficient decision making. Long-running attacks, however, can take more than a year to fully recover from.¹⁹
• All core cybersecurity functions depend on efficient information sharing between and within the public and private sectors. Yet, industry still complains about their incident response being hampered by liability concerns²⁰ and information sharing challenges.²¹

Approach 2A: Establish comprehensive situational awareness of cybersecurity risks in systems that are critical for national and economic security.

The foundation of an effective cybersecurity strategy is comprehensive situational awareness of the state of the critical infrastructure for economic and national security. This is built upon the continuous collection of key indicators, prioritization of risk, the ability to assess key points in the software/IT supply chain, standards to inform best practices, and assessments of the actual levels of cyberdefense and resilience.

To achieve such comprehensive situational awareness requires that the public and private sectors must develop a partnership that ensures sufficient information is monitored and exchanged; that the authorities for taking action, when needed, are established in law; and that sufficient cybersecurity training and knowledge is available across the private sector to help strengthen the cybersecurity of this sector.

Recommendation 2A: The United States should update and renew the National Cyber Strategy’s Implementation Plan with a focus on streamlining how public and private sector entities monitor their digital environments.

Recommendation 2A.1: Review, update, and reestablish the Implementation Plan for the National Cyber Strategy.

The administration should establish a process to incorporate both regular and ad hoc updates into the National Cyber Strategy so that the strategy remains current and evolves to meet future cybersecurity threats and challenges.²² The strategy should retain focus on streamlining how public and private sector entities continuously monitor their digital environments to include outlining the appropriate roles, responsibilities, and governance. In addition to a single national cyber coordinator²³ that was established in the FY 2021 National Defense Authorization Act (NDAA), the strategy should consider the following components: uniform rules and increased compliance with standards for cybersecurity practices across all government activities (with exceptions for national security activities); skilled cybersecurity officers either in, or embedded in, organizations; and a national educational program to improve individuals’ cybersecurity habits.

Recommendation 2A.2: Establish effective and coordinated continuous monitoring for software and hardware used by the federal government.

As part of COVID-19 pandemic relief, the America Rescue Plan Act of 2021 (Public Law No: 117-2, March 11, 2021)²⁴ includes $1.65 billion for cybersecurity capabilities, readiness, and resilience. This increases the Technology Modernization Fund and helps CISA and the General Services Administration (GSA) complete modernization projects at federal agencies. Additional funds for CISA could bolster cybersecurity across federal civilian agency networks and support pilot programs for shared security and cloud computing services.

The acquisition strategies to achieve cybersecurity resilience should reflect the unique cybersecurity requirements and the need for specialized expertise in operations and networks supporting Title 5 (Government Organization and Employees), Title 10 (Armed Forces), Title 34 (Crime Control and Law Enforcement), and Title 50 (War and National Defense) of the US Code. The acquisition strategies should strengthen compliance with standards for continuous monitoring of cybersecurity performance.

The federal government should seek to achieve continuous cybersecurity monitoring of the hardware and software systems that support US government functions, including critical supply chains and network infrastructure. The approach should ensure coordination across all relevant elements of the federal government. Attributes to monitor include external network traffic, internal network behavior, vulnerability exposure, asset tracking, security posture, vendor compliance, product compliance, and product updates. There are four contributing activities to fully realize a cybersecurity posture informed by continuous monitoring: (i) assess the trustworthiness of software and hardware employed by the US government based on inherent vulnerabilities and risks due to the network position, permissions, and supply chain considerations; (ii) further empower the Department of Homeland Security (DHS) to perform these assessments by strengthening the ties among US government agency chief information officers (CIOs) and DHS for the various government networks; (iii) make these hardware and software risk assessments available to local and state governments to inform their endeavors; and (iv) leverage these assessments to support the private sector, especially small- to mid-sized businesses that do not have the capacity to fully assess their own supply chains yet would benefit from knowing what software is trustworthy. The risk assessments developed by the US government could also be shared with like-minded partners that are seeking to do the same regarding the hardware and software they employ to achieve assured supply chains and trusted digital environments.

There are several lines of effort, described further in Appendix B.

Recommendation 2A.3: Increase compliance with continuous monitoring that is part of the National Institute of Standards and Technology security control guidance.

The administration should require GAO to review the efficacy of agency-specific practices regarding the continuous monitoring portion of its security control guidance. NIST controls dedicated to continuous monitoring for agencies²⁵ are required for all three priority levels of the federal agency information systems.²⁶ OMB memoranda as far back as 2011²⁷ discuss continuous monitoring superseding periodic reviews. While NIST has long recommended the practice, agencies have failed to implement it: in 2019, only about three-quarters had done so,²⁸ marking little improvement over several years. The most recent GAO report²⁹ indicates that general compliance with fundamental risk management practices has turned worse.

To achieve increased compliance, CISA should be empowered to assist lagging agencies in conforming with NIST guidelines and best practices mandated by the Federal Information Security Modernization Act (FISMA).³⁰ This would support a more responsive and uniform implementation of security methods—monitoring, security updates, approaches such as stress tests, assessing vendor security maturity, and certificate transparency. New data disclosure policies must be developed to enable the mapping, visualization, and testing of the software/IT supply chain networks.³¹

More specific understanding of the continuous monitoring practices is needed to guide implementation. There is overlap in the types of continuous monitoring discussed most often. First is the continuous monitoring of vendor compliance with certification regimes— the Federal Risk and Authorization Management Program (FedRAMP), the Department of Defense (DoD) information networks approved product list (DoDIN APL), the new Cybersecurity Maturity Model Certification (CMMC), etc. Each describes and aspires toward continuous assessment of compliance, but they are still organized around monthly, yearly, or three-year review periods. Truly continuous monitoring would bring more rigor and regularity to reviewing changes made to deployed software, a potentially devastating attack vector for adversaries, and changes in vendor security practices and context.

NIST guidelines refer to continuous monitoring of security control efficacy, asset exposure, threat vulnerability, configuration compliance, and other quasi-technical metrics. Between 79 percent and 83 percent of Chief Financial Officers Act of 1990 (CFO Act) federal agencies,³² and between 58 percent and 63 percent of non-CFO Act agencies, fulfill these requirements. This type of continuous monitoring is determined by agency policy, leading to varying standards for how often to perform checks, what to check, and what satisfactory levels are.³³ A program at CISA, the Continuous Diagnostics and Mitigation (CDM) program, is supposed to integrate these activities. It has met systemic implementation difficulties, however,³⁴ and Homeland Security Secretary Alejandro Mayorkas has sought a review of the CDM program, along with CISA’s EINSTEIN program, which monitors inbound and outbound traffic on federal networks.³⁵ It also must overcome great variation among the networks and products that would be checked. There is little agreement and the quality of implementation is not well-known.

Finally, there is the continuous monitoring of actual network behavior. This would include mandating the maintenance of standardized access logs, auditing of those logs, monitoring inbound and outbound traffic, and all the related detailed measurements. More transparency is needed in how much such monitoring occurs within government networks, though CISA’s EINSTEIN program does the work of monitoring traffic in and out of federal civilian agencies.

Recommendation 2A.4: Ensure cybersecurity best practices, expertise, and assurance testing are widely available to industry and government entities.

The administration should provide the private sector technical information on threats on a regular basis, to bolster cybersecurity. The private sector outreach would be linked to the existing Information Sharing and Analysis Centers (ISACs) for US critical infrastructure entities and the Information Sharing and Analysis Organizations (ISAOs) to ensure monitoring of both supply chain risks and cybersecurity performance for vital US private sector companies of all sizes.

The US national security domain requires independent certification of adherence to a set of multinational standards.³⁶ One approach could be to expand CMMC to all of government instead of just DoD. While the program is still facing implementation challenges,³⁷ it could provide useful information on general cybersecurity maturity to industry and government alike, with benefits beyond the specific vendor products. Because DoD is only just beginning to implement CMMC, as a first step the administration should conduct a feasibility assessment for an across-government approach. To improve and streamline cybersecurity requirements, the administration should assess how a government-wide implementation of CMMC would overlap with FedRAMP or any other cybersecurity requirements, and how the broadened implementation of CMMC could improve general industry cyber hygiene.

To implement cybersecurity capabilities and practices, private sector companies must acquire cleared personnel, spaces, and IT equipment. The administration should consider accelerating any necessary prerequisite steps.

Part B: Quantum information sciences

The United States, the European Union (EU), China, Russia, the United Kingdom, Canada, and other nations are expanding their investments in QIS, with national and regional QIS strategies and programs.³⁸ Recent demonstrations of quantum computers increase concerns that aspects of the technical foundation of the United States’ digital security may be vulnerable in the foreseeable future.³⁹ Quantum communication and quantum key distribution (QKD) methods,⁴⁰ though, can enhance the security of the digital infrastructure. These methods may contribute to data and communications security against untrusted and corrupted hardware and also protect against the ability to make inferences about sensitive data based on access to multiple data sources containing nonsensitive data.⁴¹

Finding 2B: Long-term quantum information science priorities include international collaboration, which is limited by national and regional funding and data-sharing policies.

A primary element of leadership in QIS is the ability to set key standards for QIS applications. This relies on developing and deploying devices that operationalize QIS, and in working in collaboration with many nations and partners. While collaboration is identified as a national priority in the US national strategy for QIS, it should be extended beyond basic S&T activities.

Finding 2B.1: The US strategy for quantum information science emphasizes US efforts and benefits.

The National Strategic Overview for Quantum Information Science⁴² provides a strategic approach for achieving US leadership in QIS and its applications to national and economic security. The six policy areas are as follows:

• Choosing a science-first approach to QIS: Strengthen the research foundation and the collaboration across disciplines. Use Grand Challenge problems as a strategic mechanism to coordinate and focus efforts.
• Creating a future quantum-smart workforce: Foster a QIS-skilled workforce through investments in industry, academia, and government laboratories that increase the scope of QIS research, development, and education.
• Deepening engagement with the quantum industry: Increase coordination among the federal government, industry, and academia to enhance awareness of needs, issues, and opportunities.
• Providing critical infrastructure: Encourage necessary investments, create and provide access to QIS infrastructure, and establish testbeds.
• Maintaining national security and economic growth: Maintain awareness of the security benefits and risks of QIS capabilities.
• Advancing international cooperation: Seek opportunities for international cooperation to benefit the US talent pool and raise awareness about other QIS developments.

The US strategy for QIS recognizes the sensitivities of this research, which can both enable new scientific and economic applications, and create new methods for attacking sensitive data and communications. This strategy supports international collaboration in QIS both to advance the basic research and its applications, and to ensure the United States maintains its leadership and competitiveness in QIS.⁴³

In addition to the US strategy for QIS, the National Quantum Initiative Act “authorized $1.2 billion in federal research and development (R&D) spending over five years, established the National Quantum Coordination Office, and called for the creation of new QIS research institutes and consortia around the country.”⁴⁴ Also, the National Science Foundation (NSF) recently established three quantum research centers⁴⁵ and added the opportunity for limited supplemental funding requests to support international collaboration on basic research topics.⁴⁶

Congressional hearings on “Industries of the Future” discussed the importance of QIS and establishing US leadership in QIS.⁴⁷ One effort by the United States to establish international cooperation in QIS is the agreement between the United States and Japan to cooperate on quantum research through activities including “collaborating in venues such as workshops, seminars, and conferences to discuss and recognize the progress of research in QIST, which in turn will lead to the identification of overlapping interests and opportunities for future scientific cooperation.”⁴⁸

Finding 2B.2: China is pursuing quantum information science as a strategic technology.

Quantum communications and computing are among the strategic technologies highlighted in China’s 14^th Five-Year Plan (2021-2025). China aims to be a global leader in innovation, using large demonstration projects to advance its science and technology (S&T), and to build human capital for strategic technology areas. This includes major initiatives in quantum research and development (R&D), demonstrations of QKD and quantum computing, and a major new National Laboratory for Quantum Information Sciences.⁴⁹ China is able to advance in quantum R&D in part due to the close coordination among the government, universities, and industry, which aids both the advancement of the science and the building of a skilled workforce.⁵⁰

Finding 2B.3: EU’s science and technology strategy focuses on EU participation.

The EU’s S&T program includes three components that address QIS and other technology areas: (i) Horizon Europe, which has a seven-year budget of €95.5 billion for 2021-2027, within which the Digital, Industry and Space area is funded at €15.5 billion;⁵¹ (ii) Digital Europe Programme, funded at €7.5 billion;⁵² and (iii) Space Programme, with proposed funding of €13.2 billion.⁵³ The European Commission is soliciting proposals for quantum communications infrastructure, which will be funded by these initiatives. The objective is to enable the EU to be an independent provider of quantum technologies needed to build a quantum communications infrastructure.⁵⁴

Horizon 2020, the predecessor to Horizon Europe, involved US researchers in only 1.5 percent of the Horizon 2020 projects.⁵⁵ In comparison, EU researchers participate at a much greater level considering all National Science Foundation (NSF) and National Institutes of Health (NIH) active grants.⁵⁶ This asymmetry in participation is due to EU rules that require participants in Horizon 2020 projects to sign grant agreements. For US institutions, this raises issues concerning “governing law and jurisdiction, intellectual property treatment, joint and several liability⁵⁷ and indemnification, access to data and implications for export control, and auditing requirements.⁵⁸

Finding 2B.4: Funding policies constrain collaboration.

One issue of concern in the Horizon Europe initiative rules governing participation is the determination of financial contribution by the United States and “third countries” as defined in Article 12 of Horizon Europe—the Framework Programme for Research and Innovation.⁵⁹ The calculated cost of association with the Horizon Europe initiative is based on the relative size of a country’s gross domestic product (GDP) compared with EU GDP. For example, the European Commission has proposed making the UK pay a proportion of the 2021-2027 research budget based on its share of EU GDP, which currently stands at 18 percent. For the United States, this corresponding value is 137 percent, yielding a required contribution of $131.4 billion.

The regulations establishing Horizon Europe contain other potential issues for US participation. These include Article 36, which gives the European Commission rights regarding transfer and licensing, and Article 49, which gives certain EU entities the right to carry out investigations and inspections.

Approach 2B: Coordinate with allies and partners to build human capital for quantum information science and overcome limitations imposed by national and regional funding and data-sharing polices.

In the ongoing competitive R&D of QIS, key determinants of success are the size, skill, and collaboration of the technology workforce spanning a number of disciplines, including those in the fields of science, technology, engineering, mathematics (STEM), and manufacturing. The United States recognizes that it “must work with international partners, even while advancing domestic investments and research strategies.”⁶⁰

Recommendation 2B: With allies and partners, the United States should develop priority global initiatives that employ transformative quantum information science and catalyze the development of human capital and infrastructure for these and other next-generation quantum information science applications.

Recommendation 2B.1: Establish, with other nations, a common set of demonstration milestones for quantum data and communications security.

The administration should extend the technological development portfolio of national investments in QIS to incorporate a common set of milestones with allies. The members of the National Science and Technology Council (NSTC) Subcommittee on Quantum Information Science should develop such milestones in coordination with representatives from collaborating nations. These are to be consonant with plans by the United States and like-minded nations to develop testbeds, demonstrations, standards, and a quantum-skilled workforce. The milestones will inform the practical applications for use with near-, mid-, and long-term levels of quantum information capabilities. The EU’s Horizon Europe initiative is a potential opportunity for such collaboration. The United States should also establish data sharing agreements with other nations for QIS results pertaining to shared economic and national security interests.

Recommendation 2B.2: Create a program of quantum information science research and development focused on emerging issues for digital economies.

The administration should continuously evaluate QIS progress and technologies through the White House Office of Science and Technology Policy (OSTP) and the National Academies of Sciences, Engineering, and Medicine; this could be accomplished by the creation of a standing committee such as they have done for other areas that will be long-lived. This will identify new technology directions, review QIS policies, and revisit priorities and partnerships. The evaluations should focus on entirely new quantum capabilities that can benefit digital economies, e.g., privacy and advances in biotechnology and data capabilities, open sharing of data while maintaining data privacy, principles for systems to be quantum-secure by design, digital supply chain security for both hardware and software, evolution of Internet protocols, network modernization, and other topics.

Recommendation 2B.3: Establish a program to accelerate the operationalization of quantum information science technologies.

Recognizing the need for broad and significant investment in quantum applications to focus and accelerate progress, Congress and the administration should establish a program, led by the Defense Advanced Research Projects Agency (DARPA), to accelerate the operationalization of continually evolving hybrid (classical and quantum) computing architectures. This program will mature prototype demonstrations of quantum computing, communication, sensing, and metrology technologies to yield fieldable capabilities. The program also should include elements that seek to develop a quantum-skilled workforce in the private and public sectors. Several models for such a program are seen in DARPA’s long history of rapidly growing and maturing advanced technology fields, e.g., Grand Challenges for autonomous vehicles, Have Blue for stealth technologies, and AI Next for artificial intelligence.

Recommendation 2B.4: Establish leading roles for the United States in setting international standards for data and communications security as quantum information science evolves.

Building on the results obtained from NDAA FY 2021, SEC. 9414, Study on Chinese Policies and Influence in the Development of International Standards for Emerging Technologies,⁶¹ the administration should take steps to bolster the development of standards for QIS technology development and applications.⁶² This will drive toward a strategy for achieving a leadership role in international quantum standards setting, sharing sensitive security-related advances with allies, responding to China’s efforts to influence international standards,⁶³ and catalyzing private sector investments in quantum technologies. NIST is currently developing quantum resilient encryption standards for the United States.⁶⁴ The administration should direct NIST to broaden the scope of its work to develop standards for QIS technology development and applications.⁶⁵

The administration should develop DoD and Intelligence Community policy guidance to govern the sharing of QIS findings and capabilities with allies and partners. This guidance should be developed with representation from the Department of Commerce’s National Telecommunications and Information Administration (NTIA) and NSF to balance security concerns with the benefits of collaboration; address government and private industry information, both classified and proprietary; and also should include categories of information that the United States is interested in receiving from allies and partners.

Recommendation 2B.5: Establish a national QIS research, development, and testing infrastructure; fund quantum demonstration programs.

The administration should establish a national QIS research, development, and testing infrastructure. This will comprise research centers focused on quantum computing, quantum communications, quantum sensing, and evaluation of QIS (including QIS-secure) applications; a national computational infrastructure to support this initiative; engineering testbeds; programs to build a skilled QIS workforce; and participation by private industry (for example, the Quantum Economic Development Consortium⁶⁶) to advance the development of a national QIS infrastructure and create fielded capabilities. In support of the National Quantum Coordinating Office, an interagency group led by the Department of Energy, NIST, and DARPA should oversee this infrastructure initiative, coordinating federal programs and guiding private industry’s participation.

The administration should develop demonstration programs that show, in operational settings, national security implications of near-term quantum platforms. Some examples include the following:

• Quantum communications: There are two areas of interest: (i) understanding vulnerabilities of various public key cryptographic systems to future quantum computing systems, an effort currently underway at NIST in the development of quantum resilient encryption standards, and (ii) use of QKD in large-scale demonstrations relevant to commercial and security applications, including space communications. QKD provides an approach to post-quantum communications security that is based on quantum phenomena, not algorithmic complexity.
• Quantum computing: Using small quantum computers in networked clusters or in hybrid architectures with classical computers.
• Quantum networks: The use of quantum networks for long-range quantum communications.
• Quantum sensing: Using quantum mechanics phenomena and devices for high-sensitivity and precision applications in sensing and communication, life sciences, and other fields.

The administration, through the National Quantum Coordinating Office, should establish funded competitions to improve the exchange of intellectual property and foster a common understanding across the government, industry, academic communities, and foreign institutions working on QIS.J.⁶⁷

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Secure data and communications appeared first on Atlantic Council.

The United States and like-minded nations, as well as private sector organizations, must continue to invest in and develop the multilateral mechanisms and academic and industrial capabilities, and the human capital needed for continued leadership in key science and technology (S&T) areas. Such leadership is essential for national and economic security and for ensuring that technology is developed and deployed with democratic values and standards in mind. The global development of advanced technologies requires the United States to pursue, as strategic goals and in collaboration with allies and partners, leadership in select areas.¹

Six broad areas of S&T are critical to national and economic security, as follows:²

• Communications and networking, data science, and cloud computing: collectively provide the foundation for secure transmission of data for both the public and private sector and enable robust economies of ideas, resources, and talent. This critical area supports all aspects of a healthy digital economy domestically and internationally.
• Artificial intelligence (AI), distributed sensors, edge computing, and the Internet of Things (IoT): add new capabilities for understanding changes in the world for both physical and digital environments and enhance human governance in key, defined areas.
• Biotechnologies, precision medicine, and genomic technologies: collectively provide the foundation to heal and promote healthy individuals and communities, as well as to improve the performance of agricultural systems with regard to the reduction of atmospheric greenhouse gases, and to develop a system for early warning of emerging natural and human-produced risks such as outbreaks, bioterrorism, and environmental shocks.
• Space technologies, undersea technologies, and new materials for extreme environments: collectively provide for commercial companies and nations around the world to deploy mega-constellations of satellites, or fleets of autonomous ocean platforms, with advanced, persistent surveillance and communications capabilities to monitor the planet, including its oceans and environment, for emerging risks.³
• Autonomous systems, robotics, and decentralized energy methods: collectively provide the foundation to do work in dangerous or hazardous environments without risk to human lives, while at the same time augmenting human teams, potentially prompting long-term dislocations in national workforces, and requiring additional workforce talent for new technology areas.
• Quantum information science (QIS), nanotechnology, and advanced microelectronics: collectively provide the foundation for solving classes of computational problems, next-generation manufacturing, new ways to monitor the trustworthiness of digital and physical supply chains, as well as potentially presenting new challenges to communications security that underpin effective governance and robust economies.

Participation by industry, academia, government labs, and US allies and partners will help ensure a fast pace of discovery and innovation. Achieving global S&T leadership also requires protecting intellectual property and proprietary information, and guiding technology sharing with other nations based on their adherence to shared standards and values for security and privacy.

Technology sharing with non-allied nations poses strategic risks. For example, sharing advanced findings and applications of AI may benefit one nation at the expense of the other—AI-based image understanding algorithms could enhance remote sensing of military activities by commercial satellites. In other cases, new capabilities may benefit all nations, for example, a better disease testing technology.

Finding 1: The US National Strategy for Critical and Emerging Technologies requires an implementation plan to guide both domestic and international coordination to achieve global science and technology leadership.

The National Strategy for Critical and Emerging Technologies supports US national and economic security by promoting the National Security Innovation Base and by protecting the United States’ technological advantage. Priority actions include developing the S&T workforce, establishing technology norms and standards that reflect democratic values and interests, ensuring research and development (R&D) funding of priorities, building strong partnerships with the private sector and with like-minded nations, and protecting the security of the technologies, their development, and how they are shared.⁴ A detailed implementation plan, coordinated across the US government, is needed.⁵

Finding 1.1: Achieving and sustaining technology leadership must be a long-term national priority.

To achieve the long-term goals of technology leadership in key areas, a close and continuing interaction between S&T development and national security policy is essential.

The National Strategy for Critical and Emerging Technologies must be accompanied by long-term S&T goals resulting in demonstrations of significant import, and detailed programmatic plans for achieving these goals. The breadth of these technologies and their interdependencies require that progress should be shared with allies and partners and involve public-private partnerships (PPPs) among government research centers, private industry, and academia. This approach can catalyze human capital development and accelerate innovation.

Finding 1.2: Private sector research and development exceeds that of the government in some areas that are important for national and economic security, underscoring the need for greater coordination.

The annual growth rate of domestic R&D government spending for 2000-2017 places the United States sixth, at 4.3 percent, behind the European Union (EU), Germany, India, South Korea, and China (17.3 percent).⁶ The US government funds the largest share of basic research, while US industry funds the largest share of both applied research and development.⁷

Among the more important critical and emerging technologies are AI, quantum, cyber, digital infrastructure, and health/medical technologies, all areas in which private industry is growing. To strengthen US technology leadership, the United States must increase government R&D funding in critical areas and coordinate government and private industry R&D strategies.

Finding 1.3: Recent proposed legislation addresses policies for guiding permissible technology development and use.

Several countries are developing legislation to strengthen ethical practices underpinning data collection for AI algorithms, protect data privacy, and govern data rights.⁸

“Executive Order 13960 of December 3, 2020: Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government” establishes a set of principles governing the development and use of AI.⁹

A small sampling from recent, proposed US legislation includes the following ideas:

• Require assessments of the impacts of automated decision-making systems, including AI systems. These assessments would evaluate their accuracy, bias, discrimination, privacy, and security.¹⁰
• Recommend approaches that promote the development and use of AI “while protecting civil liberties, civil rights, and economic and national security.¹¹
• Reinforce government regulations for protecting the privacy rights of individuals in terms of how data are collected, protected, used, and shared.
• Establish standards governing the responsible use of data and emerging technologies that include prohibitions on the use of personal data and emerging technologies in a manner that discriminates based on protected classes.

The European Commission established a High-Level Expert Group on Artificial Intelligence that published Ethics Guidelines for Trustworthy AI in April 2019. These guidelines address human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity, nondiscrimination and fairness, societal and environmental well-being, and accountability.¹²

The newness of the technologies and their continuing evolution challenges the creation of internationally accepted, harmonized, and tested rules. In areas such as data privacy, harmonization of standards will require a heightening of US standards. In other areas of Internet and technology governance, the United States must have a leadership role in determining international standards and rules.

Finding 1.4: Models for gaining technological leadership encourage innovation, focus on challenges concerning security or economic growth, organize governance, and draw from the global talent pool.

A recent analysis, Innovation Policies in the United States,¹³ discusses how these policies have changed over time, citing five models: “(i) Connected, challenge model, driven by societal challenges during World War II, where innovations are rapidly turned into capabilities, (ii) Basic science-focused, disconnected, decentralized model—the linear model during the Cold War, (iii) ‘Right-left’ translation model wherein the desired technologies motivate the basic science, (iv) Spanning the ‘valley of death’ model in which government initiatives helped bridge from basic research to the use of the innovations by industry, (v) Connected model in which societal needs connect innovation with the production of desired products.” The analysis concludes that “basic research must be complemented with additional institutional elements that reach much further down the innovation pipeline to development and later innovation stages.”

Proposed legislation introduced in the 116^th Congress concerning AI research focused on convening “technical experts across academia, government, and industry to develop a detailed plan for how the United States can build, deploy, govern, and sustain a national AI research cloud.”¹⁴ Another model for research collaboration was included in proposed legislation which would “organize a coordinated national strategy for developing AI, establish and support collaborative ventures or consortia with public or private sector entities, and accelerate the responsible delivery of AI applications from government agencies, academia, and the private sector.”¹⁵ Both of these bills became law in Division E of the National Defense Authorization Act (NDAA): the Artificial Intelligence Initiative Act (Sections 5101-5105 of P.L.116-283) and the National AI Research Resource Task Force Act (Section 5106 of P.L.116-283).

The United States is a founding member of the Global Partnership on Artificial Intelligence (GPAI). “In collaboration with partners and international organizations, GPAI will bring together leading experts from industry, civil society, governments, and academia to collaborate across four Working Group themes: 1) Responsible AI; 2) Data Governance; 3) The Future of Work; and 4) Innovation & Commercialization,” according to a joint statement from the GPAI’s founding members.¹⁶

While the US model for funding R&D allows for multiple, independent lines of inquiry, in QIS, for example,¹⁷ some coordination in international collaboration could help ensure a diversity of approaches is fostered.

Approach 1: Focus the innovative work and talent on long-term capability demonstrations, while emphasizing democratic values.

The United States and like-minded nations must be successful in each of the critical technology areas, or risk a vulnerability affecting national security. Success includes investing in innovative work and talent linked to long-term capability demonstrations. A focused approach sets concrete capability goals, constructs and funds fast-paced programs, and undergoes regular review. Talent from many nations and groups will make essential contributions. In contrast with nondemocratic nations, the United States and its allies and partners possess democratic values that can empower this work.

Recommendation 1: Establish priorities, investments, standards, and rules for technology dissemination; develop across government, private industry, academia, and with allies and partners

Recommendation 1.1: Develop a National and Economic Security Technology Strategy.

To ensure the United States and its allies remain at the forefront of strategic S&T areas, the administration should develop a National and Economic Security Technology Strategy. The administration should create long-term S&T goals informed by assessments of foreign capabilities and plans. The National and Economic Security Technology Strategy should complement the National Security Strategy and draw upon the National Strategy for Critical and Emerging Technologies and other sources. The strategy should establish a long-term plan to direct government activities, incentivize private sector investments, enhance human capital, and develop capabilities in S&T that protect US national and economic security. The US Congress should conduct annual reviews of the milestone progress and budgets for these strategic S&T areas.

The strategy should also articulate a plan to establish a strategic technology ecosystem, including public-private partnerships, academia, industry, nonprofits, and others to accelerate technological development, support experimentation and pilot projects, and facilitate the application of new technologies to national and global challenges. Possible models include the Enduring Security Framework established by the National Security Agency (NSA), sector-specific consortia that include industry and academia, innovation labs that mature technology targeted at specific sectors, national laboratories developing large-scale test and evaluation infrastructure for advanced technology development, and focusing the National Science Foundation to address S&T.¹⁸ The strategy should articulate ways to leverage not just the US workforce, but also the global talent base, while seeking to grow and retain existing highly skilled technical talent in the United States. The strategy should outline an approach that ensures the results of the strategic technology ecosystem provide the greatest public benefit possible from government investments.

The strategy should specifically address the following technology areas, with the strategic S&T goal for each area in italics:

1. Communications and networking, data science, and cloud computing: provide the foundation for trustworthy digital infrastructures.
2. Artificial intelligence (AI), distributed sensors, edge computing, and the Internet of Things (IoT): testable, tunable, and trusted AI algorithms that are robust to limited, sparse, or corrupted data and require significantly less data, power, and time compared with today.
3. Biotechnologies, precision medicine, and genomic technologies: field a global system for fast, automated detection, diagnoses, and discovery of treatments for emerging pathogens, bioterrorism, and other environmental shocks to the planet.
4. Space technologies, undersea technologies, and new materials for extreme environments: monitor the entire planet pervasively and persistently, at high resolution and communicate the information in near-real time.
5. Autonomous systems, robotics, and decentralized energy methods: develop coordinated protocols for testing modular systems and methods and for evaluating emergent behaviors.
6. Quantum information science (QIS), nanotechnology, and advanced microelectronics: establish a national QIS infrastructure comprising research, development, computational, and testing programs, facilities, and skilled personnel; accelerate the operationalization of QIS technologies.

Recommendation 1.2: Establish a Global GeoTech Alliance and Executive Council.

To ensure coordination between the US government and private sector on key S&T issues, the administration should create a Global GeoTech Alliance and Executive Council comprised of US private sector representatives and government representatives from the National Security Council, the Intelligence Community, the Department of Defense (DoD), the Department of State, the Treasury Department, the Department of Commerce, and the Office of the United States Trade Representative. This group—the Global GeoTech Alliance and Executive Council—would advise on issues arising from emerging technologies and data capabilities, technology cooperation, and technology standard-setting efforts, such as those raised in this report, and could provide the existing President’s Intelligence Advisory Board with augmented membership and a honed focus on GeoTech issues of concern across sectors globally.

Recommendation 1.3: Strengthen international collaboration on science and technology.

The administration should develop a strategy and a new multilateral mechanism among like-minded and democratic countries to coordinate technology policy, standards, and development. This strategy should seek to coordinate strategic S&T goals and milestones for collaborations with US allies and partner nations and develop agreements for sharing information, data, and research results. The strategy should also establish a framework for facilitating technical and programmatic information exchanges, with the goal of identifying opportunities for collaboration on specific S&T projects.

The administration should also increase participation by the United States in the GPAI.¹⁹ The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 directs the United States to establish several national AI programs and organizations to “ensure continued US leadership in artificial intelligence and to lead the world in the development and use of trustworthy artificial intelligence systems in the public and private sectors.”²⁰ This requires the United States to take a more active role in the GPAI—in GPAI leadership activities, AI strategy development multi-stakeholder experts group, and in the formulation and execution of the research agenda that supports the work of the multi-stakeholder experts group. Interfacing with the EU in support of the new seven-year Horizon Europe S&T initiative is another potential type of collaboration.

Recommendation 1.4: Conduct annual reviews on how nations use technology—with a focus on privacy, civil liberties, and human rights; use the findings to guide international cooperation.

The administration should conduct an annual review that assesses the extent to which other nations use or develop S&T in ways that infringe upon the privacy, civil liberties, and human rights of their citizens, and undermine global peace and security. The results of the reviews should be used to help the United States prioritize cooperative efforts and facilitate coordination on S&T activities with other nations whose application of technology promotes peace, protects human rights, upholds the rule of law, and benefits global society. There is a recent proposal, for example, by the European Commission for a joint US-EU trade council.²¹ This could be one of the focal points of this approach.

Recommendation 1.5: Develop risk assessments of the ability of technology applications to violate civil rights, human rights, or undermine security.

The administration should develop risk assessments²² for technology applications to determine the potential of a technology application to violate human rights and civil liberties or to undermine security. The assessments also should identify ways to lessen the identified risks. The administration should develop an interagency process, involving the Department of Commerce, the DoD, the Department of State, the Office of the Director of National Intelligence, the Office of Science and Technology Policy, the National Institute of Standards and Technology, and the attorney general,²³ to carry out these risk assessments. The processes, criteria, and metrics should be open, transparent, and consistent with relevant US trade and export and import control laws.

Recommendation 1.6: Establish national-scale training and education programs to foster continuing technological leadership.

The administration should establish national-scale training and education programs to foster continuing technological leadership and to gain the strategic competitive advantage of being able to put advanced technologies to work quickly. The Department of Labor should establish a program that speeds up the matching of people to needed skills and rapidly trains individuals and companies in how to employ advanced technology capabilities. Current training methods cannot handle the fast-changing needs and numbers of students, and new mixtures of methods will evolve.²⁴ To help society participate in deciding how new technologies are developed and used, the administration should establish a national-scale educational program to inform the public about the benefits, risks, and brittleness of critical and emerging technologies.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Global science and technology leadership appeared first on Atlantic Council.

Executive summary

The advancing speed, scale, and sophistication of new technologies and data capabilities that aid or disrupt our interconnected world are unprecedented. While generations have relied consistently on technologies and tools to improve societies, we now are in an era where new technologies and data reshape societies and geopolitics in novel and even unanticipated ways. As a result, governments, industries, and other stakeholders must work together to remain economically competitive, sustain social welfare and public safety, protect human rights and democratic processes, and preserve global peace and stability.

Emerging technologies also promise new abilities to make our increasingly fragile global society more resilient. To sustain this progress, nations must invest in research, expand their digital infrastructures, and increase digital literacy so that their people can compete and flourish in this new era. Yet, at the same time, no nation or international organization is able to keep pace with the appropriate governance structures needed to grapple with the complex and destabilizing dynamics of these emerging technologies. Governments, especially democratic governments, must work to build and sustain the trust in the algorithms, infrastructures, and systems that could underpin society. The world must now start to understand how technology and data interact with society and how to implement solutions that address these challenges and grasp these opportunities. Maintaining both economic and national security and resiliency requires new ways to develop and deploy critical and emerging technologies, cultivate the needed human capital, build trust in the digital fabric with which our world will be woven, and establish norms for international cooperation.

The Commission on the Geopolitical Impacts of New Technologies and Data (GeoTech Commission) was established by the Atlantic Council in response to these challenges and seeks to develop recommendations to achieve these strategic goals. Specifically, the GeoTech Commission examined how the United States, along with other nations and global stakeholders, can maintain science and technology (S&T) leadership, ensure the trustworthiness and resiliency of physical and software/informational technology (IT) supply chains and infrastructures, and improve global health protection and wellness. The GeoTech Commission identified key recommendations and practical steps forward for the US Congress, the presidential administration, executive branch agencies, private industry, academia, and like-minded nations.

The GeoTech Decade

Data capabilities and new technologies increasingly exacerbate social inequality and impact geopolitics, global competition, and global opportunities for collaboration. The coming decade—the “GeoTech Decade”—must address the sophisticated but potentially fragile systems that now connect people and nations, and incorporate resiliency as a necessary foundational pillar of modern life. Additionally, the rapidity of machines to make sense of large datasets and the speed of worldwide communications networks means that any event can escalate and cascade quickly across regions and borders—with the potential to further entrench economic inequities, widen disparities in access to adequate healthcare, as well as to hasten increased exploitation of the natural environment. The coming years also will present new avenues for criminals and terrorists to do harm; authoritarian nations to monitor, control, and oppress their people; and diplomatic disputes to escalate to armed conflict not just on land, sea, and in the air, but also in space and cyberspace.

Domestically and internationally, the United States must promote strategic initiatives that employ data and new technologies to amplify the ingenuity of people, diversity of talent, strength of democratic values, innovation of companies, and the reach of global partnerships.

Geopolitical impacts of new technologies and data collections

Critical technologies that will shape the GeoTech Decade—and in which the United States and its allies must maintain global S&T leadership—can be grouped into six areas. All technologies in these categories will have broad—and interdependent—effects on people and the way they live and work, on global safety and security, and on the health of people and our planet.

• Technologies that enable a digital economy: communications and networking, data science, and cloud computing: collectively provide the foundation for secure transmission of data for both the public and private sector and establish robust economies of ideas, resources, and talent.
• Technologies for intelligent systems: artificial intelligence, distributed sensors, edge computing, and the Internet of Things: add new capabilities for understanding changes in the world in both physical and digital environments. The resulting data may supplement human intelligence, social engagements, and other sources of insight and analysis. In select, defined areas, intelligent systems may enhance human governance of complex systems or decisions.
• Technologies for global health and wellness: biotechnologies, precision medicine, and genomic technologies: help create new fields of research, development, and practical solutions that promote healthy individuals and communities. Nations and health care organizations can use advances in genomics, or more broadly omics,¹ to provide sentinel surveillance capabilities with respect to natural or weaponized pathogens. Sentinel surveillance² can provide early detection, data about how a new element is appearing and growing, and information to guide our response.
• Technologies that enlarge where people, enterprises, and governments operate: space technologies, undersea technologies: commercial companies and nations around the world are deploying mega-constellations of satellites, or fleets of autonomous ocean platforms, with advanced, persistent surveillance and communications capabilities. 
  Large-scale Earth observation data is important for monitoring the world’s atmosphere, oceans, and climate as a foundation for understanding evolving health and environmental risks and increasing the economic efficiencies in transportation, agriculture, and supply chain robustness.
• Technologies that augment human work: autonomous systems, robotics, and decentralized energy methods: collectively provide the foundation to do work in dangerous or hazardous environments without risk to human lives, while at the same time augmenting human teams, potentially prompting long-term dislocations in national workforces, and requiring additional workforce talent for new technology areas.
• Foundational technologies: quantum information science (QIS), nanotechnology, new materials for extreme environments, and advanced microelectronics: collectively provide the foundation for solving classes of computational problems, catalyzing next-generation manufacturing, setting standards, creating new ways to monitor the trustworthiness of digital and physical supply chains, as well as potentially presenting new challenges and opportunities to communications security that underpin effective governance and robust economies.

In addition to the technology itself, countries and organizations must learn to harness and protect the human element—by recruiting and upskilling workers with the needed skill sets for today and training the next generation with the right knowledge for tomorrow. There is great competition globally for digitally-skilled workers, and some countries or companies invest large amounts to develop or recruit this talent. When like-minded nations collaborate in S&T areas, the talent resources can produce greater benefits than possible otherwise. This requires governments to ensure their entire populations gain the needed digital literacy skills and have the means and opportunities to participate in the global digital economy. Making the whole greater than the sum of the parts represents the important global need for international collaboration.

The broad range of important S&T areas requires several forms of collaboration. In multiple key areas, such as QIS and advanced microelectronics, several nations already have significant government investments underway, and current results span a growing number of application areas. Collaborating on research and coordinating national investments among like-minded nations could benefit all participants. Fast-evolving technical capabilities, such as commercial space or autonomous systems, are supporting global industries that are developing and fielding new products. Effective collaboration relies on a broad ecosystem of domestic and foreign partners, including private sector entities. Collaboration will be limited in certain areas, for example, areas where, due to security considerations, the United States will develop capabilities in a self-reliant manner.

Summary of recommendations

To maintain national and economic security and competitiveness in the global economy, the United States and its allies must

• Continue to be preeminent in key technology areas,
• Take measures to ensure the trustworthiness and sustainability of the digital economy, the analog economy, and their infrastructures.

The GeoTech Commission provides recommendations in the following six areas for achieving these strategic objectives. A seventh area, the Future of Work, discusses ways to ensure the workforce acquires the skills needed for the digital economy, and that there is equitable access to opportunity.

Global science and technology leadership

To ensure that the United States and its allies remain the world leaders in S&T, the federal government, working with industry and stakeholders, should establish a set of prioritized strategic S&T objectives and align those objectives with specific timeframes. Additionally, the United States should establish a technology partnership among like-minded and democratic countries to coordinate actions around those objectives. The president and the US Congress should increase annual federal funding for research and development activities to secure US global leadership in critical new industries and technologies, with priorities determined for the largest impact challenges and gaps. To help people across the United States adapt to the realities of the future, the US government should establish programs to fund reskilling activities for workers displaced by changes brought about by the GeoTech Decade, seek new technologies and increase funding in support of efforts to close the broadband gap, and develop programs to improve the digital literacy of all Americans.

Secure data and communications

To strengthen cybersecurity, the administration should update the implementation plan for the National Cyber Strategy. The strategy should streamline how public and private sector entities monitor the security of their digital environments; encourage new networking, computing, and software designs that strengthen cyber defense; and raise priorities and activities for the cybersecurity of operational technology—the hardware and software that keeps equipment running—to match those of information technology.

Enhanced trust and confidence in the global digital economy

In order to maintain the credibility of government and private industry, as well as to ensure prosperity, security, and stability in the coming data-driven epoch, the US government should establish new frameworks for data that incorporate security, accountability, auditability, transparency, and ethics. This means enacting measures that strengthen data privacy and security, establish transparency and ethics principles in how the government and private sector use data about people, and provide guidance on auditing how such data may be used.

Assured supply chains and system resiliency

To ensure that the United States remains attuned to threats and weaknesses in supply chains and critical systems that power its future, the US government should develop a federal mechanism to assess and prioritize the importance of specific supply chains and systems to the nation, considering physical as well as software/IT supply chains and systems. The government should develop procedures and allocate resources to achieve sufficient resiliency, based on these priorities, for supply chains and critical systems to ensure the economic and national security of the United States.

Continuous global health protection and global wellness

In order to protect the American people and environment from future threats, the US government should develop a global early warning system comprised of pandemic surveillance systems coupled with an early warning strategy, as well as a similar system aimed at providing early indicators of global environmental threats which could significantly impact the safety, security, and wellness of the nation.

Assured space operations for public benefit

The US government should foster the growth of the commercial US space industrial base and leverage the increasing capabilities of large commercial satellite constellations. This could increase space mission assurance and deterrence by eliminating mission critical, single-node vulnerabilities and distributing space operations across hosts, orbits, spectrum, and geography.

Table: Priority recommendations

Note: This table contains a subset of the full collection of recommendations.
Numbers refer to the recommendation sequence as discussed in the main chapters of the report.

Table of contents

Chapter 1: Global science and technology leadership

The United States and like-minded nations, as well as private sector organizations, must continue to invest in and develop the multilateral mechanisms and academic and industrial capabilities, and the human capital needed for continued leadership in key science and technology (S&T) areas.

Chapter 2: Secure data and communications

Secure data and communications are fundamental to the United States’ digital infrastructure and to attaining the full benefits of the global digital economy. Through the use of standards, risk assessments, monitoring, and technologies, the US government enables the public and private sectors to secure systems, data, and communications.

Chapter 3: Enhanced trust and confidence in the digital economy

Enhanced trust and confidence in the digital economy is founded upon personal privacy, data security, accountability for performance and adherence to standards, transparency of the internal decision-making algorithms, and regulations and governance for digital products and services.

Chapter 4: Assured supply chains and system resilience

This report is premised on the arrival of the “GeoTech Decade”, in which new technologies and data capabilities will have an outsized impact on geopolitics, economics and global governance.

Chapter 5: Continuous global health protection and global wellness

Continuous global health protection builds upon a foundation of secure data and communications, rapid sharing of biological threat data across the globe, enhanced trust and confidence in the digital economy, and assured supply chains.

Chapter 6: Assured space operations for public benefit

To maintain trusted and superior space operations, the United States must ensure it is a leading provider of needed space services.

Chapter 7: Future of work

This report is premised on the arrival of the “GeoTech Decade”, in which new technologies and data capabilities will have an outsized impact on geopolitics, economics and global governance.

Conclusion, appendices, and acknowledgements

Conclusion of the Report of the Commission on the Geopolitical Impacts of New Technologies and Data — An in depth report produced by the Commission on the Geopolitical Impacts of New Technologies, making recommendations to maintain economic and national security and new approaches to develop and deploy critical technologies.

Overview: Inflection points

Accelerating global connectedness—of people, supply chains, networks, economies, the environment, and other foundations of society—is changing how nations work together and compete. For example, the global spread of scientific and technology (S&T) knowledge has lessened the United States’ strategic advantage based on advanced technology. The global movement of people allows biological threats to spread worldwide, outpacing the world’s ability to respond. In the digital economy, the economic, governmental, and political parts of society are interconnected, with the potential for cybersecurity threats experienced in one context to reverberate in others.

This interconnectedness can lead to inflection points wherein current assumptions and practices are no longer valid or effective. Sources of strength or advantage can diminish. New vulnerabilities can be discovered, e.g., in global supply chains for hardware and software, and exploited. New approaches to protecting national interests in this globally connected world will rely, in many situations, on the cooperation and collaboration of like-minded nations to increase mutual knowledge and awareness. Without this focus, the detrimental aspects of globally connected systems and infrastructures will grow larger and become more urgent.

Each of the following areas is experiencing rapid change and each is critical for ensuring a secure and peaceful world. This overview discusses, for each chapter, the key issues, the opportunities and risks, and a characterization of what must be solved.

Chapter 1: Global science and technology leadership

The United States, with like-minded nations and partners, must collectively maintain continued leadership in key S&T areas to ensure national and economic security, and that technology is developed and deployed with democratic values and standards in mind. The United States must pursue, as strategic goals, establishing priorities, investments, standards, and rules for technology dissemination, developed across government, private industry, academia, and in collaboration with allies and partners. Collaboration among like-minded nations and partners is essential to the attainment of global S&T leadership.

Chapter 2: Secure data and communications

Sophisticated attacks on the software/information technology (IT) supply chains have led to significant breaches in the security of government and private networks, requiring a new strategy for cybersecurity. This centers on updating and renewing the National Cyber Strategy Implementation Plan with a focus on streamlining how public and private sector entities monitor their digital environments and exchange information about current threats. Beyond these current challenges, advances in quantum information science (QIS) lay the foundation for future approaches to securing data and communications, to include new ways to monitor the trustworthiness of digital and physical supply chains. With allies and partners, the United States should develop priority global initiatives that employ transformative QIS.

Chapter 3: Enhanced trust and confidence in the global digital economy

Diminished trust and confidence in the global digital economy can constrain growth;³ have destabilizing effects on society, governments, and markets; and lessen resilience against cascading effects of local, regional, or national economic, security, or health instabilities. Trust and confidence are diminished by practices that do not protect privacy or secure data, and by a lack of legal and organizational governance to advance and enforce accountability.⁴ Automation and artificial intelligence (AI), essential for digital economies, pose challenges to how we organize and amplify the strength of both while minimizing their weakness or vulnerabilities in open societies. The United States should develop international standards and best practices for a trusted digital economy and should promote adherence to these standards.

Chapter 4: Assured supply chains and system resiliency

Both physical and digital supply chain vulnerabilities can have amplifying effects on the global economy and national security. To protect against these diverse risks requires understanding which types of goods and sectors of the economy are critical, and how to construct supply chains that are inherently more adaptable, resilient, and automated. This requires assessing the state and characteristics of supplies, trade networks and policies, inventory reserves, and the ability to substitute products or processing facilities. The United States should conduct regular assessments in the United States and in allied countries to determine critical supply chain resilience and trust, implement risk-based assurance measures, establish coordinated cybersecurity acquisition across government networks, and create more experts. A critical resource is semiconductor chip manufacturing, for which the vulnerability of foreign suppliers and the long lead time and cost of new production facilities requires the United States to invest in assured supply of semiconductor chips.

Chapter 5: Continuous global health protection and global wellness

Inherent to the disruption caused by the COVID-19 pandemic are three systemic problems: (i) global leaders acted slowly to contain the spread of the virus, (ii) global health organizations reacted slowly to contain the spread of the virus, and (iii) a mixture of factors caused the delayed response, including late recognition of the threat, slow incorporation of science and data into decision making, poor political will, and inconsistent messaging to citizens regarding the nature of the threat and what precautions to take. Though nations may adopt their own strategies to enhance resilience and future planning, a more global approach to this interconnected system will be essential. The United States and its allies should lead the effort to field and test new approaches that enable the world to accelerate the detection of biothreat agents, universalize treatment methods, and deploy mass remediation, through multiple global means. This is needed not only for recovering from the COVID-19 pandemic and future outbreaks, but also for human-developed pathogens.

Chapter 6: Assured space operations for public benefit

The world is transforming from space assets being dominated almost entirely by government to being largely dominated by the private sector.⁵ To maintain trusted, secure, and technically superior space operations, the United States must ensure it is a leading provider of needed space services and innovation in launch, on-board servicing, remote sensing, communications, and ground infrastructures. A robust commercial space industry not only enhances the resilience of the US national security space system by increasing space industrial base capacity, workforce, and responsiveness, but also advances a dynamic innovative environment that can bolster US competitiveness across existing industries, while facilitating the development of new ones. The United States should foster the development of commercial space technologies that can enhance national security space operations and improve agriculture, ocean exploration, and climate change activities, as well as align civilian and military operations and international treaties to support these uses.

Chapter 7: Future of work

People will power the GeoTech Decade, even as technology and data capabilities transform how people live, work, and operate as societies around the world. Successful societies will be those that found ways to augment human strengths with approaches to technology and data that were uplifting, while also working to minimize biases and other shortcomings of both humans and machines. Developing a digitally resilient workforce that can meet these challenges will require private and public sectors to take an all-of-the-above approach, embracing everything from traditional educational pathways to nontraditional avenues that include employer-led apprenticeships and mid-career upskilling. Ensuring that people are not left behind by the advance of technology—and that societies have the workforces they need to innovate and prosper—will determine whether the GeoTech Decade achieves its full promise of improving security and peace.

Appendices

The remainder of the report includes the following appendices that discuss the technical foundations and potential solutions for several important challenges:

• Appendix A. Additional readings on identifying and countering online misinformation
• Appendix B. Improving the software supply chains and system resiliency for the US government
• Appendix C. Advancing a data fabric for achieving continuous global health protection
• Appendix D. Additional readings on the history and future of global space governance
• Appendix E. Informational GeoTech Center synopses

Table: Summary of the GeoTech Commission’s findings and recommendations

This interactive website features the ability to navigate to any of the recommendations via the hyperlinks in any of the tables contained in this Executive summary & overview.

Table: List of all recommendations of the Commission in abridged form

Click the sections under the table above to explore each chapter and their recommendations.

The post Report of the Commission on the Geopolitical Impacts of New Technologies and Data appeared first on Atlantic Council.

On the early morning of 26 May 2021, the Report of the Commission on the Geopolitical Impacts of New Technologies and Data will launch both its interactive report website and downloadable report. Above are two links to our planned events that day.

Transcript Jun 23, 2021

Brian Deese on Biden’s vision for ‘a twenty-first-century American industrial strategy’

By Atlantic Council

National Economic Council Director Brian Deese spoke about how the Biden administration can strengthen US economic recovery by working with the private sector and global allies.

Economy & Business Future of Work

GeoTech Cues Aug 10, 2021

Contextualizing COVID-19 and its implications for the future of work

By Matthew Gavieta

As workers around the world adapted to a new normal amid a public health crisis, remote work took on a new meaning. However, questions about how to structure long-term telework arrangements remain. The current landscape of data reveals a tenuous relationship between well-being and telework. To secure a brighter future for our labor force, we must continue developing worker-centered technology policy and doing research on how to improve life at work.

Digital Policy Future of Work

Blog Post Jul 27, 2021

The time for US immigration reform is now

By Jeff Goldstein

The US is currently grappling with a multi-decade long trend of declining population rates leading to fewer and fewer workers. To meet the challenges of the future, US policymakers must manage declining population growth – and one of the best arrows in their economic policy quiver is comprehensive immigration reform.

Future of Work Macroeconomics

The post Launching 26 May 2021: Report of the Commission on the Geopolitical Impacts of New Technologies and Data appeared first on Atlantic Council.

Yet early signs point to a blind spot—a lack of understanding, measurement, and planning. It comes in the form of “compute divides” that throttle innovation across academia, startups, and industry. Policymakers must make AI compute a core component of their strategic planning in order to fully realize the anticipated economic windfall.

What is AI compute?

AI compute refers to a specialized stack of hardware and software optimized for AI applications or workloads. This “computer” can be located and accessed in different ways (public clouds, private data centers, individual workstations, etc.) and leveraged to solve complex problems across domains from astrophysics to e-commerce and to autonomous vehicles.

Conventional information technology (IT) infrastructure is now widely available as a utility through public cloud service providers. This idea of “infrastructure as a service” includes computing for AI, so the public cloud is duly credited with democratizing access. At the same time, it has created a state of complacency that AI compute will be there when we need it. AI, however, is not the same as IT.

Today, when nations plan for AI, they gloss over AI compute, with policies focused almost exclusively on data and algorithms. No government leader can answer three fundamental questions: How much domestic AI compute capacity do we have? How does this compare to other nations? And do we have enough capacity to support our national AI ambitions? This lack of uniform data, definitions, and benchmarks leaves government leaders (and their scientific advisors) unequipped to formulate a comprehensive plan for AI compute investments.

Recognizing this blind spot, the Organisation for Economic Cooperation and Development (OECD) recently established a new task force to tackle the issue. “There’s nothing that helps our member countries assess what [AI compute] they need and what they have, and so some of them are making large but not necessarily well-informed investments” in AI compute, Karine Perset, head of the OECD AI Policy Observatory, told VentureBeat in January.

Measuring domestic AI compute capacity is a complex task compounded by a paucity of good data. While there are widely accepted standards for measuring the performance of individual AI systems, they use highly technical metrics and don’t apply well to nations as a whole. There is also the nagging question of capacity versus effective use. What if a nation acquires sufficient AI compute capacity but lacks the skills and ecosystem to effectively use it? In this case, more public investment may not lead to more public benefit.

Nonetheless, more than sixty national AI strategies were formulated and published from June 2017 to December 2020. These plans average sixty-five pages and coalesce around a common set of topics including transforming legacy industries, expanding opportunities for AI education, advancing public-sector AI adoption, and promoting responsible or trustworthy AI principles. Many national plans are aspirational and not detailed enough to be operational.

In conducting a survey of forty national AI plans, and analyzing the scope and depth of content around AI compute, we found that on average national AI plans had 23,202 words while sections on AI compute averaged only 269 words. Put simply, 98.8 percent of the content of national AI strategies focuses on vision, and only 1.2 percent covers the infrastructure needed to execute this vision.

Engine for economic growth

This would be the equivalent of a national transportation strategy that devotes less than 2 percent of its recommendations to roads, bridges, and highways. Just like transportation investments, AI compute capacity will be a crucial driver of the future wealth of nations. And yet, national AI plans generally exclude detailed recommendations on this topic. There are exceptions, of course. France, Norway, India, and Singapore had particularly comprehensive sections on AI infrastructure, some with detailed recommendations for AI compute requirements, performance, and system size.

Exponential growth in computational power has led to astonishing improvements in AI capabilities, but it also raises questions of inequality in compute distribution. Fairness, inclusion, and ethics are now center stage in AI policy discussions—and these apply to compute, even though it is often ignored or relegated to side workshops at major conferences. Unequal access to computational power as well as the environmental cost of training computationally complex models require greater attention.

Some of the more popular AI models are large neural networks that run on state-of-the-art machines. For example, AlphaGo Zero and GPT-3 require millions of dollars in AI compute. This has led to AI research being dominated and shaped by a few actors mostly affiliated with big tech companies or elite universities. Governments may have to step up and reduce the compute divide by developing “national research clouds.” Initiatives in Europe and China are underway to develop indigenous high-performance computing (HPC) technologies and related computing supply chains that reduce their dependence on foreign sources and promote technology sovereignty.

Governments in the United States, Europe, China, and Japan have been making substantial investments in the “exascale race,” a contest to develop supercomputers capable of one billion billion (10¹⁸) calculations per second. The rationale behind investments in HPC is that the benefits are now going beyond scientific publications and prestige, as computing capabilities become a necessary instrument for scientific discovery and innovation. The machines are the engine for economic prosperity.

What can policymakers do?

Understanding compute requirements is a non-trivial measurement challenge. At a micro level, it is important to scientifically understand the relative contribution of AI compute to driving AI progress on, for example, natural-language understanding, computer vision, and drug discovery. At a macro level, nations and companies need to assess compute requirements using a data-driven approach that accounts for future industrial pathways. Wouldn’t it be eye-opening to benchmark how much compute power is being used at the company or national level and to help evaluate future compute needs?

In 2019, Stanford University organized a workshop with over one hundred interdisciplinary experts to better understand opportunities and challenges related to measurement in AI policy. The participants unanimously agreed that “growth in computational power is leading to measurable improvements in AI capabilities, while also raising issues of the efficiency of AI models and the inherent inequality of compute distribution.” Getting measurement right will be a stepping stone to addressing this blind spot in national AI policymaking. Going forward, we recommend that governments pivot to develop a national AI compute plan with detailed sections on capacity, effectiveness, and resilience.

• Capacity for AI compute exists along a continuum. This includes public cloud, sovereign cloud (government-owned or controlled), private cloud, enterprise data centers, AI labs/Centers of Excellence, workstations, and “edge clusters” (small AI supercomputers situated outside a data center). Understanding the current state of AI compute capacity across this continuum will inform public priorities and investments. Partnerships with public cloud service providers expand access to AI compute and should be viewed as complementary (not in competition) with investments in domestic AI compute capacity. This hybrid approach will help close compute divides. Over the longer term, capacity planning should consider the shift from data center to edge computing. For example, self-driving trucks will be powered by on-board AI supercomputers, and it may be possible to run AI workloads on fleets of self-driving trucks, leveraging them as a “virtual” AI supercomputer when they are parked and garaged overnight.

• Effectiveness is achieved through a multitude of initiatives, from STEM education to open data policies. Examples include National Youth AI Challenges, industry or government hackathons, mid-career re-training programs, boot camps, and professional certification courses. Diversity across all these programs is key to promoting inclusiveness and creating a foundation for trustworthy AI.
  
• Resilience means nations should have an AI compute continuity plan, and possibly a strategic reserve, to ensure that mission-critical public AI research and governance functions can persist. It’s also important to focus on the carbon impact of national AI infrastructure, given that large-scale computing exacts an increasingly heavy toll on the environment and hence the broader economy. An optimal strategy would be a hybrid, multi-cloud model that blends public, private, and government-owned or controlled (sovereign) infrastructure, with accountability to encourage “Green AI.”

The completeness of a national AI strategy forecasts that nation’s ability to compete in the digital global economy. Few national AI strategies, however, reflect a robust understanding of domestic AI compute capacity, how to use it effectively, and how to structure it in a resilient manner. Nations need to take action by measuring and planning for the computational infrastructure needed to advance their AI ambitions. The future of their economies is at stake.

Saurabh Mishra is an economist and former researcher at Stanford University’s Institute for Human-Centered Artificial Intelligence.

Keith Strier is the chair of the AI Compute Taskforce at the Organization for Economic Cooperation and Development, and vice president for Worldwide AI Initiatives at the NVIDIA corporation.

Further reading

New Atlanticist Mar 24, 2021

How to reverse three decades of escalating cyber conflict

By Jason Healey and Robert Jervis

Cyber conflict has not yet escalated from a fight inside cyberspace to a more traditional armed attack because of cyberspace. In part, this is because countries understand there are some tacit upper limits to escalation above which the response from the offended country will be war. Unfortunately, this happy state may not last.

Cybersecurity Technology & Innovation

New Atlanticist Mar 16, 2021

A mom’s guide to coercion and deterrence

By Emma Ashford, Erica Borghard

There’s a silver lining to parenting in a pandemic: It’s an education in the core concepts of international relations, as well as a useful reminder that we’re all operating in a condition of anarchy. Here’s a mom’s primer on deterrence, coercion, credibility, and reassurance.

Conflict Crisis Management

New Atlanticist Feb 11, 2021

The 5×5—Looking ahead for the Biden administration after a busy year in cybersecurity

By Simon Handler

It’s been a wild twelve months in the world of cybersecurity since the Atlantic Council’s Cyber Statecraft Initiative launched the 5×5 series. In celebration of the series’ one-year anniversary, experts plotted the year ahead.

Cybersecurity Technology & Innovation

The post Computing to win: Addressing the policy blind spot that threatens national AI ambitions appeared first on Atlantic Council.

Find the full GeoTech Hour series here.

Event description

On this episode of the weekly GeoTech Hour, the GeoTech Center is returning to the fourth episode of the Data Salon Series, hosted in partnership with Accenture. This episode focuses on the challenges and opportunities of employing data for social good, and how entrepreneurship can fill a unique gap to ensure sound business practices and ethics concerning how data is used.

Around the world, scores of individuals and organizations work to create a better reality for their communities, their nations, and the world. Yet, with so many players in the field, it is often difficult to coordinate between different streams of public, private, and nongovernmental data seeking to combat overlapping problems. During this episode, panelists discuss their efforts and outlined methods to connect data with the organizations who need it without exposing personal information of anyone involved.

Featuring

Valeria Budinich
Scholar-in-Residence, Legatum Center
MIT’s Sloan School of Management

Derry Goberdhansingh
CEO
Harper Paige

Bevon Moore
CEO
Elevate U

Hosted by

David Bray, PhD
Director, GeoTech Center
Atlantic Council

Related Experts

Former fellow

David Bray

Former Distinguished Fellow

GeoTech Center

Economy & Business Technology & Innovation

Previous episode

Event Recap

Mar 17, 2021

Event recap | Coordinating data privacy and the public interest

By the GeoTech Center

Data usage and the employment of data trusts has maximized individual privacy and private sector benefits. Both the government and the private sector are working towards developing strategies that emphasize individual privacy more than ever before, as the public continues to express greater interest in protecting their data. However, few institutions have landed upon successful solutions in practice that can protect user privacy while allowing for the high levels of analysis they have come to expect. As our digital landscape continues to evolve, panelists in this episode of the GeoTech Hour discuss intentional policy and design choices that could allow for greater data ownership within people-centered structures.

Digital Policy International Norms

The post Event recap | Data science and social entrepreneurship appeared first on Atlantic Council.

Find the full GeoTech Hour series here.

Event description

On this episode of the weekly GeoTech Hour, the GeoTech Center is returning to the third episode of the Data Salon Series, hosted in partnership with Accenture. This episode focuses on data usage and employing data trusts to maximize individual privacy and private sector benefits.

The panelists discuss how governments and the private sector alike are working to develop strategies that emphasize individual privacy more than ever before, as the public continues to express greater interest in protecting their data. However, few institutions have landed upon successful solutions in practice that can protect user privacy while allowing for the high levels of analysis (including machine or AI-enabled learning) they have come to expect. As our digital landscape continues to evolve, it is time to consider what intentional policy and design choices could allow for greater data ownership within people-centered structures.

This recording will be available here, on the Atlantic Council’s YouTube channel, or on the GeoTech Center’s Twitter.

Featuring

Dr. Divya Chander, MD, PhD
Nonresident Senior Fellow, GeoTech Center
Atlantic Council

Krista Pawley
Nonresident Senior Fellow, GeoTech Center
Atlantic Council

Hosted by

David Bray, PhD
Director, GeoTech Center
Atlantic Council

Related Experts

Former fellow

David Bray

Former Distinguished Fellow

GeoTech Center

Economy & Business Technology & Innovation

Previous episode

Event Recap

Mar 17, 2021

Event recap | Coordinating data privacy and the public interest

By the GeoTech Center

Data usage and the employment of data trusts has maximized individual privacy and private sector benefits. Both the government and the private sector are working towards developing strategies that emphasize individual privacy more than ever before, as the public continues to express greater interest in protecting their data. However, few institutions have landed upon successful solutions in practice that can protect user privacy while allowing for the high levels of analysis they have come to expect. As our digital landscape continues to evolve, panelists in this episode of the GeoTech Hour discuss intentional policy and design choices that could allow for greater data ownership within people-centered structures.

Digital Policy International Norms

The post Event recap | Coordinating data privacy and the public interest appeared first on Atlantic Council.

Find the full GeoTech Hour Series here.

Event description

This special edition of the GeoTech Hour pulls from a keynote address originally provided as an AI World Society Distinguished Lecture at the United Nations Headquarters on United Nations Charter Day June 26th, 2019 by Dr. David Bray, the current inaugural director for the GeoTech Center.

The address looks towards 2045: rapid technological change, global questions of governance, and the future of human co-existence. Made relevant even more by the events of 2020, this video will set the stage for a second special GeoTech Hour segment celebrating our first anniversary on March 11, 12:00 – 1:00 p.m.

Featuring

David Bray, PhD
Director, GeoTech Center
Atlantic Council

Related Experts

Former fellow

David Bray

Former Distinguished Fellow

GeoTech Center

Economy & Business Technology & Innovation

Previous episode

Event Recap

Mar 17, 2021

Event recap | Coordinating data privacy and the public interest

By the GeoTech Center

Data usage and the employment of data trusts has maximized individual privacy and private sector benefits. Both the government and the private sector are working towards developing strategies that emphasize individual privacy more than ever before, as the public continues to express greater interest in protecting their data. However, few institutions have landed upon successful solutions in practice that can protect user privacy while allowing for the high levels of analysis they have come to expect. As our digital landscape continues to evolve, panelists in this episode of the GeoTech Hour discuss intentional policy and design choices that could allow for greater data ownership within people-centered structures.

Digital Policy International Norms

The post Event recap | Artificial intelligence, the internet, and the future of data: Where will we be in 2045? appeared first on Atlantic Council.

Find the full GeoTech Hour series here.

Event description

Over the last decade, the business of data has disrupted nearly every business category with its promise of technological, industrial, and human advancement. Data continues to captivate our interest as entrepreneurs, executives, and policymakers for its potential to democratize the next wave of productivity with artificial intelligence and machine-to-machine advancements. To advance this wave of productivity, new models of data have been invented: Synthetic Data 

As it suggests, synthetic data is completely artificial and offers the promise of both usefulness and privacy.  Artificial intelligence that is trained on real-life information often contains a baked-in bias: algorithmic decision-making in fields such as criminal justice and credit scoring shows evidence of racial discrimination. The promise of synthetic data allows organizations and governments to overcome geographical, resource, and political barriers. It can be applied to solving some of the world’s biggest problems, from international medical research, fairness in lending, to reducing fraud and money laundering.  By 2022, Gartner estimates over 25% of training data for AI will be synthetically generated.  It is already being used in healthcare, banking, crime detection, manufacturing, telecom, retail, and several other fast-moving industries to accelerate learning. 

However, its usefulness hinges on privacy: that anybody utilizing synthetic data could make the same statistical decisions as they would from the true data — without being able to identify individual contributions.

On this episode of the GeoTech Hour that took place on Wednesday, February 24, at 12:00 p.m. ET, experts discussed how if the privacy thresholds can be legally and ethically addressed, synthetic data can be the best way to safely unlock the potential of the data economy.

Featuring

Jacqueline Musiitwa
Research Associate, China, Law & Development Project
University of Oxford

Krista Pawley
Nonresident Senior Fellow, GeoTech Center
Atlantic Council

Michael Capps
CEO
Diveplane

Steven Tiell
Nonresident Senior Fellow, GeoTech Center
Atlantic Council

Stuart Brotman
Howard Distinguished Endowed Professor of Media Management and Law, University of Tennessee, Knoxville; International Advisory Council member, APCO Worldwide

Hosted by

David Bray, PhD
Director, GeoTech Center
Atlantic Council

Related experts

Former fellow

David Bray

Former Distinguished Fellow

GeoTech Center

Economy & Business Technology & Innovation

Fellow

Steven Tiell

Nonresident Senior Fellow

GeoTech Center

Cybersecurity Digital Policy

Former fellow

Krista Pawley

Former Nonresident Senior Fellow

GeoTech Center

Digital Policy Economy & Business

Previous episode

Event Recap

Feb 17, 2021

Event recap | Data-informed nutrition policy and practices

By the GeoTech Center

An episode of the GeoTech Hour where panelists discuss challenges and opportunities for data-informed nutrition solutions, and how a multisectoral approach can improve global health.

Climate Change & Climate Action Inclusive Growth

The post Event recap | Synthetic data, privacy, and the future of trust appeared first on Atlantic Council.

Find the full GeoTech Hour Series here.

Event description

Corporations and governments alike continue to struggle with technology policy, especially under the strain of a global pandemic that struck at a moment when the internet was mature enough to alleviate many of COVID’s harms despite facing novel geopolitical challenges to its design and use at the same time. These turbulences have not just tested every facet of the digital world and its ability to handle crises but also altered international relations significantly. Many countries are at a crossroad when it comes to emerging technologies and security during a global pandemic.

On this episode of the GeoTech Hour on Wednesday, February 10, experts shared insights on lessons learned, ongoing challenges, and requisite next steps that can be taken when considering the intersection of geopolitics, modern technologies, and COVID-19 pandemic.

To take a closer look at previous work on transatlantic tech relationships, check out the recap of the partially public, partially private virtual event  held by the Embassy of Finland and the Atlantic Council GeoTech Center in December.

Featuring

Divya Chander, PhD MD
Nonresident Senior Fellow, GeoTech Center
Atlantic Council

Charina Chou, PhD
Global Policy Lead for Emerging Technologies
Google

Andrea Little Limbago, PhD
Vice President, Research and Analysis 
Interos Inc.  

Antti Niemela
Head of Section for Sustainable Growth and Commerce
Embassy of Finland in Washington, D.C.  

Hosted by

David Bray, PhD
Director, GeoTech Center
Atlantic Council

Related experts

Former fellow

David Bray

Former Distinguished Fellow

GeoTech Center

Economy & Business Technology & Innovation

Fellow

Steven Tiell

Nonresident Senior Fellow

GeoTech Center

Cybersecurity Digital Policy

Former fellow

Krista Pawley

Former Nonresident Senior Fellow

GeoTech Center

Digital Policy Economy & Business

Previous episode

Event Recap

Feb 17, 2021

Event recap | Data-informed nutrition policy and practices

By the GeoTech Center

An episode of the GeoTech Hour where panelists discuss challenges and opportunities for data-informed nutrition solutions, and how a multisectoral approach can improve global health.

Climate Change & Climate Action Inclusive Growth

The post Event recap | The geopolitics of emerging tech during the pandemic appeared first on Atlantic Council.

Fellow

August Cole

Nonresident Senior Fellow

Forward Defense Scowcroft Center for Strategy and Security

Defense Industry Defense Policy

Forward Defense, housed within the Scowcroft Center for Strategy and Security, generates ideas and connects stakeholders in the defense ecosystem to promote an enduring military advantage for the United States, its allies, and partners. Our work identifies the defense strategies, capabilities, and resources the United States needs to deter and, if necessary, prevail in future conflict.

Learn more

The post Cole’s “Burn In” named to best sci-fi of 2020 list by Polyon appeared first on Atlantic Council.

The Kremlin has long espoused fears of Western technology, encapsulated by Russian President Vladimir Putin’s 2014 comment that the internet was a “CIA project.” This public skepticism is borne from both economic and security factors, including the Kremlin’s desire to boost Russian domestic technology firms and crack down on internet use by domestic political opposition.

But even if most analysts only discuss the Kremlin’s worries as pretext for domestic censorship, Moscow evinces legitimate concern over the risks of using technology from abroad, especially the United States and the European Union. These foreign governments could conduct espionage and cyber operations through the technological infrastructure sold to Russians. These concerns have garnered serious responses. The Russian government has pushed a domestic operating system replacement in place of Microsoft Windows; Putin signed a law mandating state approval for software on computers sold domestically; and the Russian parliament passed a so-called domestic internet law, which aims to have Russian firms uproot some foreign internet infrastructure to replace it with domestic technology. These and other moves to bring the Russian technology sector under tighter government control are driven in large part by desires to block foreign technology.

With Moscow yearning for an alternative to Western technology and the United States on a campaign to throw Huawei out of Europe and East Asia, the Chinese telecom giant sensed opportunity in Russia. In June 2019, The Moscow Times reported that MTS, Russia’s largest mobile network operator, had signed a deal with Huawei on 5G technology. The agreement was finalized after Chinese President Xi Jinping and Putin met in Moscow that month; it also took place a month after the US Department of Commerce added Huawei to the Entity List, imposing significant restrictions on US firms’ interactions with the company (from selling products to engaging in the same technical standards bodies). Just after MTS and Huawei inked their agreement, Putin stated, “There are unceremonious attempts at pushing Huawei away from the global markets.” Always eager to frame the world in Cold War-esque terms, he then added, “some call it the first technological war of the new digital era.”

Subscribe to Fast Thinking email alerts

Sign up to receive rapid insight in your inbox from Atlantic Council experts on global events as they unfold.

• Email*
• Email
  This field is for validation purposes and should be left unchanged.

Following those remarks, in September 2019, the Russian government supported Huawei competing in a series of commercial 5G trials with Swedish telecom vendor Ericsson. In March 2020, Nikkei reported that Huawei had announced a partnership with Russia’s largest (and US-sanctioned) bank, Sberbank, which is also now moving into cloud computing. Huawei’s inroads in Russia deepened from there: in late August, Russian Foreign Minister Sergei Lavrov said Russia was ready to cooperate with China and Huawei on 5G technology. Later that month, Ren Zhengfei, Huawei’s founder, allegedly said in address, “After the United States included us in the Entity List, we transferred our investment in the United States to Russia, increased Russian investment, expanded the Russian scientist team, and increased the salary of Russian scientists.”

Even more recently, on November 10, the Russian daily paper Vedomosti reported that Huawei participated in an event with numerous Russian technology companies and government agencies, an event which included discussion of Huawei’s ability to support Russia’s digital economy. Huawei also promoted a strategy for the Eurasian region to encourage technological development—again, a clear play to Kremlin visions of a pan-Eurasian digital platform and a means to capitalize on Russian fears of digital dependence on the United States and the EU.

Of course, Russia risks creating a similar dependence on Huawei to the one it fears with Western technology. Russia’s relationship with China is quite different than Beijing’s with the United States, but presumably the espionage and network interference that worry analysts in the United States could also apply to Russian adoption of 5G technology from Huawei; it’s possible that the Chinese government could leverage Huawei’s infrastructural influence to spy on Russia. One analyst at the Russian International Affairs Council in Moscow has in fact argued this very point: he wrote (in addition to suggesting that Chinese technology is “no different” than Western options) that Russian overdependence on Huawei technology could itself pose security and economic risks for the country. It is also quite possible, though, that Russian decisionmakers are making a “lesser of two evils” calculus.

The situation offers clear implications for the United States and the EU: as the Kremlin reduces its digital dependence on the West, opportunities to seize market share will emerge for firms incorporated elsewhere, including those in China. These firms could, in turn, leverage the Russian market to support expansion elsewhere, an opportunity that may exist in other countries with similar fears of Western technology. The Trump administration tried to convince other countries to ban Huawei’s 5G technology with mixed success, but on balance, ever more governments are sidelining Huawei 5G technology—not official bans, but pushing against its use—as a result of myriad political factors (not just American diplomacy).

This will undoubtedly hurt Huawei’s global market share as the firm’s representatives find it much more difficult, if not effectively impossible, to market their 5G equipment to certain countries. Huawei’s ability to expand into the Russian market—a lucrative one if Huawei executives deepen relationships with Russian state officials and power brokers that control said industry—is an important factor in evaluating the company’s global 5G competitiveness. It will also help determine what kinds of data the company might be able to collect from 5G networks outside of China’s borders, because Huawei having equipment in other countries’ telecommunications infrastructure presents an opportunity to at the very least collect metadata.

While Huawei is making gains in Russia, this does not necessarily correlate to broad Russia-China technology cooperation across the board; the countries’ technological engagements in coming years must be assessed in the context of broader political and economic dynamics. But at least on this issue, the verdict is clear: Huawei’s newfound success in selling its 5G technology in Russia is inextricably linked with the Kremlin’s fears of that same technology coming from other parts of the world. US and EU policymakers should thus continue to monitor how anti-Western technology sentiment is impacting 5G adoption worldwide, while also recognizing that these dynamics of distrust might play out elsewhere. In an era of great uncertainty around supply chain security, with many countries instituting checks or raising barriers to protect against perceived security threats, limit domestic political mobilization, and/or preference domestic firms, this is hardly the last time a Chinese technology company may turn to markets outside the United States and the EU to prop up its aspirations elsewhere—and capitalize on distrustful narratives and beliefs to do so.

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.

Further reading:

New Atlanticist Nov 5, 2020

China’s fourteenth five-year plan: The technologies that shall not be named

By Jeremy Mark

Amid the CCP Central Committee’s paeans to General Secretary Xi Jinping and a laundry list of expected reforms and goals to be reached by 2025, the plan contains a note of uncertainty about an era that looks to be dominated by competition with the United States over advanced technology.

China International Markets

New Atlanticist Oct 15, 2020

Why Pakistan’s TikTok ban is a bad sign for investors

By Kalsoom Lakhani

Banning content is different from banning platforms. In a conservative country like Pakistan, clear delineations around content standards not only guides players navigating this landscape, it also helps ease the risk of investors looking to operate in the country.

Digital Policy Inclusive Growth

New Atlanticist Sep 11, 2020

India’s growing hostility towards Chinese technology shifts landscape of US-China data and cloud competition

By Justin Sherman and Lily Liu

US and Chinese tech companies, including in the cloud computing space, are competing for users within India. As the Indian government’s relations with Beijing change, so too does the landscape of this technological battleground.

China Cybersecurity

The post Huawei’s push in Russia exploits Kremlin fears of Western technology appeared first on Atlantic Council.

When former Vice President Joe Biden is sworn into office in January 2021, he will face a world in a state of fear and uncertainty, plagued by a deep lack of trust in society. For both the good of the United States and the world, it will be his duty to ensure the United States emerges from the challenges of the COVID-19 pandemic, the deep economic recession, and its polarized society, renewed, revitalized, and rebuilt. Leveraging new technologies will be an integral part of that mission.

Data and new technologies are changing societies around the world. Companies and individuals have gained access to both technological and advanced data capabilities that previously were only available to the national security apparatuses of large nation states thirty to forty years ago. This access is super-empowering private sector entities and some individuals with unprecedented reach and ability.

Not everyone is being empowered equally. Some parts of society lack the needed infrastructure (e.g., broadband internet) or needed new digital literacy skills (e.g., education) or opportunities (e.g., startup ecosystems and ties to venture capital) to flourish in this new era. We call this new decade the “GeoTech Decade”—where data and tech will have disproportionate impacts on geopolitics, global competition, as well as global opportunities for collaboration.

Amid the GeoTech Decade, governments cannot continue to operate as they have in the past, as they no longer have a monopoly on exquisite technologies relative to the private sector. Often it is the private sector that is developing better technologies and government now must play “catch-up”—which means new ways of working and performing the business of civil society must be implemented. Newly empowered citizens want more from their government and governments need to find ways to involve such citizens in the participatory business of government. Without this participation, citizens in open societies will feel disempowered, disenchanted, and dismayed at what appear to be crucial decisions involving data and tech that impact communities, made with little to no public involvement.

Policymakers must be able to adapt and demonstrate effective governance at a speed faster than any time before in the history of the world. We must do this in an era where the private sector and members of the public will increasingly need to use emerging technologies such as artificial intelligence, commercial space satellites, next-generation biosensors, and more—and achieve outcomes heretofore provided solely by governments. We also must find ways to recognize that questions of data and technology are not solely about privacy and intellectual property protections, but also are key questions of individual and community identities, personhood, inclusion, diversity, and tolerance among open societies. Advances in tech and data have produced a world where traditional government activities no longer need to be performed by governments alone; where private sector entities must think beyond just their own individual profits, to include community responsibilities and obligations; and where a public remains mistrustful of both the government and the private sector.

To complicate things further, some transnational entities now have outsized influence, especially when it comes to digital capabilities, datasets, and influence. This represents a new era for both doing the business of civil societies as well as the global business of diplomacy. Such transnational private sector entities need to recognize that functions that previously were done solely by government now require their partnership to successfully continue—such responsibilities cannot be ignored lest the functions of societies fall apart or attempts at regulation take the place of stewardship on both the national and global stage.

From a foreign policy perspective, in the midst of the growing tensions, success for the United States will depend on cooperation with allies and partners—to include both nation-states and transnational private sector entities—on issues like artificial intelligence, the future of space, and data trusts. This includes embracing the largest global democracy India, as well as other nations around the world seeking a future where data and technology empower open societies. To such end, the United States must work to assemble a coalition of “digital democracies and more,” who seek not surveillance states, nor surveillance capitalism. Such a coalition would work across borders and sectors to build a world where we employ data and tech for greater digital empathy, diversity, and shared humanity across nations and economic sectors.

Lastly, the people of the United States must work to empower everyone, including those who have not yet seen the benefits of new technologies or data as visibly as others. We must first identify and define what “Tech for Good” means in relation to the ideals of what the United States can and must be. Then, the United States must fund and support pragmatic initiatives that demonstrate how tech can unite instead of divide.

As we work towards that future, the Atlantic Council GeoTech Center will continue to promote the non-partisan ideas of “tech, data, people, prosperity, and peace,” and lead a path to find consensus, across communities and like-minded nations, on what we mean when we say #GoodTechChoices.

David Bray is director of the Atlantic Council’s GeoTech Center and director of the GeoTech Commission.

Further reading:

GeoTech Cues Jul 23, 2020

#GoodTechChoices: Addressing unjust uses of data against marginalized communities

By Nikhil Raghuveera and Tom Koch (Guest Author)

Data has been weaponized against marginalized communities. Now, it must be transformed to be a force for good.

Civil Society Economy & Business

GeoTech Cues Sep 6, 2020

#GoodTechChoices: Addressing past and current racism in tech and data

By Sara-Jayne Terp

This article examines what the data and tech communities can do about racism, specifically instances where tech products and services provide different treatment based on how people present, specifically their skin color, names, and other markers of not being what ‘white’ which is a term loaded with both non-inclusive and unjust connotations.

Civil Society Economy & Business

GeoTech Cues Sep 15, 2020

Open societies must create a grand strategy framework for data, sensemaking, and trust

By James Schmeling (Guest Author) and David Bray, PhD

Open societies are at a series of crossroads requiring intentional choices for the decade ahead. These choices are forced by new technologies, improvements in data capabilities, and changes in geopolitics globally. While human nature has not changed, the number of people on Earth has changed–up from 1.6 billion people on the planet in 1900, to 2.5 billion in the 1950s, to 7.8 billion in 2020.

Cybersecurity Digital Policy

The post A presidential agenda for the GeoTech Decade that uplifts people, prosperity, and peace appeared first on Atlantic Council.

The post Manning in Foreign Policy: The US finally has a Sputnik moment with China appeared first on Atlantic Council.

With greater than 90 percent of all global trade tonnage transported by sea and vital global energy networks, maritime infrastructure has never been more essential and yet also more at risk. In just the last two weeks, there have been several high-profile attacks on the maritime industry, with both the fourth largest global shopping company and the International Maritime Organization (IMO) targeted.  

To dive deeper on this topic, we asked seven experts—including several who spoke at a recent Scowcroft Center for Strategy and Security event on maritime cybersecurity—about these threats and how policymakers can help protect against them:

What are the most vulnerable aspects of our maritime infrastructure? What makes them such attractive targets?

“When compared to commercial IT, the technologies used within the maritime sector illustrate the difficulties new sectors have to adapt to the Internet of Everything (IoE). Like many other sectors, the maritime sectors used to develop stand-alone software and hardware, inherently “limiting” the risks to internal threats. The new IoE paradigm, however, proves that it is challenging to securely design, develop, and operate a fully connected environment. Current GPS, ECDIS, and AIS systems have demonstrated various vulnerabilities in the last couple of years. So in order for the maritime environment to develop and operate in a secure fashion, it will be essential to have an overall view of the supply chain, from third party manufacturer to the people operating and maintaining the equipment. This view should further evolve over the lifetime of the equipment, with updates, upgrades, and training. 

“In its current state, the maritime industry is a prime target due the many moving parts of ports and vessels, the increasing attack surface (e.g. adding connectivity to devices that had never been thought to be connected), the current lack of security and privacy by design, as well as the inadequacy of cyber-security training. Furthermore, with the industry quickly bridging the gap between IT and Operational Technology (OT), we may soon see wide-spread vulnerabilities impacting the maritime sector as a whole.”

Dr. Xavier Bellekens, Lecturer and Chancellor’s Fellow, Institute for Signals, Sensors, and Communications,University of Strathclyde

From a government standpoint, what can the US government do to incentivize the maritime industry to invest more in cybersecurity?

“I believe that the most impactful things the US government can do to incentivize maritime industry investments in cybersecurity are:

• Promote robust, real-time, maritime-specific cyber threat and incident information sharing between maritime industry stakeholders, and between those stakeholders and the US government (and vice versa), when appropriate.
• Share cybersecurity threat intelligence with cleared maritime industry stakeholders.

I believe that these two measures are critically important as, currently, maritime industry executives have limited information about cybersecurity threats that other companies have experienced. Only by sharing cybersecurity threat and incident information widely with and between maritime companies can their senior executives gain a clear appreciation of the collective threats and potential financial and national security impacts of failing to adequately invest in IT and OT infrastructure improvements and other cybersecurity enhancement measures. Having this complete cybersecurity threat picture is key to making corporate cost-benefit decisions on increased investments in cybersecurity, and to ensuring that those investments achieve the best possible cybersecurity protections.”

Cameron Naron, Director, Office of Maritime Security, Maritime Administration, US Department of Transportation

What kind of players exist in the maritime industry and what role should they play in driving improved cybersecurity outcomes?

“The challenges in driving improvement in cybersecurity programs within the global maritime industry result from the many links in the marine transportation system and the personnel at each of these links. With enhanced technology, the interconnectivity—while improving the efficiency of the system itself—also presents multiple nodes which provide opportunities for cyberattacks. Looking at the system as a whole and starting at the most basic level, the vessel and its systems, interconnected within the ship and interfaced with shore management, is the basic building block. Key links to and from the vessel include shore management (ship owner, operator, or charterer), government agencies requiring electronic reporting of vessel information, third-party contractors including classification societies, vendors, technical service providers, and port and terminal authorities. Simply put, in an ideal world, the entire logistics chain is interconnected and provides stakeholders real-time information essential to scheduling and decision making. Integrating cybersecurity programs at each interface is critical as is also the education of personnel at each interface. In such an integrated system, the cybersecurity programs are only as good as the weakest link, making it critical that all links in the logistics chain collaborate in establishing robust programs, properly training personnel and maintaining the operational efficiency necessary for all parts to work as one.”

Ms. Kathy Metcalf, President and Chief Executive Officer, Chamber of Shipping of America

Cyber-attacks on maritime infrastructure can be especially alarming because of potential compounding effects. What lessons can be taken from other sectors to help better protect maritime infrastructure from systemic threats?

“Three opportunities for maritime to build on the cybersecurity lessons learned by others jump out. First, from the energy sector, how to monitor and alert on malicious system behaviors in technology without a great deal of computing head room left for big commercial IT security applications. Second, from the US financial sector, the importance of regular and realistic joint exercises to build confidence in the collaborative links between stakeholders and raise awareness of channels for cascade failure between them. Third, from the telecommunications sector, how some companies have approached repeated adversarial events as an issue of resilience—building flexibility, capacity to adapt, and deep system expertise as a means of operating through failure rather than endlessly seeking to prevent it.”

Trey Herr, Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council

What was your biggest takeaway from the Atlantic Council panel conversation? How does it align with what you see as the biggest threat to maritime cybersecurity that needs to be tackled?

“Sustaining a safe, secure, and resilient marine transportation system is foundational to our economic and national security. When we consider evolving risks in the cyber domain, the maritime sector is on par with other more widely recognized sectors, like finance and energy, in terms of the potential for significant consequences. As we have seen from recent incidents, the maritime industry’s growing dependence on continuous network connectivity and converging layers of information and operational technology make it inherently vulnerable to cyber threats. 

“The first step for the maritime industry is to recognize that cyber risk management is not an administrative function that can be left solely to company IT professionals, but rather a strategic and operational imperative that must be managed at the C-suite level. We also need to recognize that cyber security is a team sport; no single public or private entity has the capabilities, authorities, resources, and partnerships to do it alone, so information sharing and collaboration are essential to managing this risk.”

Captain Jason P. Tama, Commander, Sector New York; Captain of the Port of New York and New Jersey, United States Coast Guard

How does cyber insecurity in civilian maritime infrastructure impact military readiness and capabilities? Why should the cybersecurity of our commercial fleets be a priority for the US government and the Department of Defense (DoD)?

“While cyber insecurity in civilian maritime infrastructure has not yet been a hindrance to force projection, it could be in the future, given the right set of circumstances. In the past, we have operated under the assumption of an uncontested homeland and uncontested passage. However, exploring the asymmetric level of effort required for successful cyber-attacks juxtaposed against the damage they may cause, has forced a re-evaluation of whether our infrastructure and routes will remain uncontested in the future. Because the Army relies on the civilian maritime industry to move equipment, when US forces need to be sent overseas quickly, minor delays throughout our civilian critical infrastructure could have a ripple effect on the deployment timeline. The cybersecurity of commercial fleets should be a priority for the US government and DoD because disruptions or delays to military deployments could jeopardize our ability to maintain stability and to support our allies and partners.”

Dr. Erica Mitchell, Critical Infrastructure/Key Resources Research Group Leader, Army Cyber Institute, West Point; Assistant Professor in the Electrical Engineering and Computer Science Department, West Point

How can we help better enable and operationalize the Maritime industry to ensure that cybersecurity is not only understood, but also prioritized? 

“First, to understand and prioritize cybersecurity, persistent visibility into organizations’ own networks, assets, and critical third-party integration must be achieved. This is the spectrum of attack surfaces that requires the same continual monitoring and awareness that we have practiced for centuries at sea: inspections of cargo holds and machinery spaces, watertight enclosures and hatches, and material conditions throughout the vessel to ensure seaworthiness. An understanding of network architecture, what is connected, when it connects, and who may be required to connect is an imperative. Real-time knowledge of business, vessel, and marine terminal networks and technologies presents the greatest power of information to empower stakeholders because what belongs and what doesn’t belong is discoverable and tangible in the present, allowing actions to be taken early, instead of after a breach.  Observable behaviors of how systems react to detectable adversarial activities and breach attempts is convincing and defensible evidence from which to understand then prioritize the risk through informed decisions. This is largely missing—inconsistent at best—across the maritime industry, with some exceptions. Without persistent monitoring in a rapidly advancing digital ecosystem, decisions will be farther behind the curve and based on scanty information.       

“Second, cybersecurity leadership is necessary in the board room to ensure leadership is informed, that all the appropriate considerations are included in strategic planning and governance, and that cybersecurity actions taken are translated to a business language for all leadership and stakeholders to understand. In operating ships and marine terminals where cyber-physical systems integrate with IT, leaders must create and implement unified strategies for how the fleet or facilities will be protected; to support the vessel masters, crews, and employees through the creation of sensible plans to respond and recover, and to maintain safe operations. This is no different from how responsible maritime companies develop strategies to understand and manage other forms of somewhat tangible risk, such as geopolitical, climate change, ballast water, and even obsolescent technology replacement. As an example, many operational and safety checks are required to be performed and logged for a vessel preparing to sail or arrive in port. Very little in the form of pre-departure or arrival cybersecurity checks are provided to the vessel as tested and validated from ashore. This type of assurance and safety due diligence can be organized and led by a maritime Chief Information Security Officer (CISO). At the present, very few maritime companies are staffed with a CISO, with some exceptions. So how can we sail into the digital future without the dedicated leadership and the processes to trust-but-verify?   

“Third, industry would benefit from discreet information sharing exchanges from which stakeholders may meet in private to discuss not only cybersecurity threat information, but also strategy and best practices, and to meet with government representatives as needed. As the deployment of OT monitoring software solutions by vendors increases, we must understand industry’s experiences with the performance of these technologies, the value of the output data, and new unintended security vulnerabilities. These lessons learned should be shared so industry can advance through digitalization together, vice operate in a vacuum. Lastly, as businesses interface with shareholder and government entities in the sharing of cybersecurity information, organizations need the right blend of industry and cyber leadership expertise to represent their equities ahead of regulation.

“We are always thinking ahead in maritime—monitoring through watchkeeping, anticipating, scanning, plotting navigation fixes, inspecting, analyzing trends, and preparing—because the sea is unforgiving, and the duty of care is neither optional nor negotiable. Until now, cyber has run counter to every best practice we have learned and practiced—react, wait for the bad news, then scramble (with some exceptions). Instead, turn the constraints of limited resources, talent, and low priority into advantages and strategy by simplifying the cybersecurity problem through continuous monitoring, dedicated cybersecurity leadership, and discreet collaboration.

Captain Alex Soukhanov, Managing Director & Master Mariner, Moran Cyber

Further reading:

New Atlanticist Oct 7, 2020

The 5×5—Cybersecurity and the 117th Congress

By Simon Handler

Approximately eighty congressional committees and subcommittees claim jurisdiction over at least some dimension of cybersecurity policy. As the agenda for the coming years is only getting more crowded, Congress must improve its agility in order to pass meaningful cybersecurity legislation effectively.

Cybersecurity Disinformation

Report Oct 5, 2020

The politics of internet security: Private industry and the future of the web

By Justin Sherman

The private sector plays a crucial role in defining the changing shape of the Internet, especially its security. This report examines two protocols as examples of private sector influence over presently vulnerable systems key to the Internet’s function: the Border Gateway Protocol (BGP), used to route Internet traffic, and the Domain Name System (DNS), used to address Internet traffic.

Cybersecurity Internet

Report Sep 28, 2020

Dude, where’s my cloud? A guide for wonks and users

By Simon Handler, Lily Liu, and Trey Herr

Cloud computing is transforming society, from interactions between people to the ways by which companies do business, and even how militaries operate. If you have ever been curious about what exactly “the cloud” meant; if you are a policy wonk not a technologist, a user not an admin, then this report is for you.

Cybersecurity Internet

The post Trouble underway: Seven perspectives on maritime cybersecurity appeared first on Atlantic Council.

How many Congressional committees does it take to oversee cybersecurity? Apparently, dozens.

Approximately eighty congressional committees and subcommittees claim jurisdiction over at least some dimension of cybersecurity policy. The topics range from privacy rights to Internet of Things (IoT) safety to defense technologies and everything in between. With many committees and subcommittees overseeing these dimensions of cybersecurity, and Congress’s quickly filling agenda, bills that could protect Americans from cyberattacks may face long waits before being passed. Congress has its hands full and as the agenda for the coming years is only getting more crowded, it must improve its agility in order to pass meaningful cybersecurity legislation.

Cyber Statecraft Initiative experts go 5×5 to assess how Congress should govern over cybersecurity.

#1 What has been the Congress’s greatest legislative win on cybersecurity in the past decade?

David Bray, director, GeoTech Center:

“Congress’s 2018 National Defense Authorization Act which included authorization to conduct background investigations for up to 80 percent of Department of Defense personnel. This was finalized in 2019 with a presidential executive order starting the transfer from what had been the Office of Personnel Management/National Background Investigations Bureau to the new Defense Counterintelligence and Security Agency (DCSA) out of what had been the Defense Security Service. In addition to overseeing 95 percent of all government clearances, DCSA provides oversight to approximately ten thousand cleared companies under the National Industrial Security Program, ensuring that the US government information they are entrusted with and the critical technologies they develop are properly protected.”

Ryan Ellis, assistant professor, Department of Communication Studies, Northeastern University:

“That’s a tough one. There have been bright spots here and there, but the biggest win is possibly a story of inaction. Despite cycles of attention and real political pressure, Congress has not (yet!) passed legislation that seriously undermines the deployment of strong encryption. Legislation mandating backdoors has not come to pass. This is good news. Mandating backdoors would be a disaster for security and privacy.”

Meg King, strategic and national security advisor to the CEO & President; Director of the Science and Technology Innovation Program, The Wilson Center:

“I have to pick two. First, authorizing the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security made the organization a household name. Too few understood the role of CISA’s predecessor (the National Protection and Programs Directorate or NPPD), and the rebrand focused energy and resources on clearer missions. Congress also significantly increased its funding. Second is the United States-Mexico-Canada Agreement (USMCA). Most would be surprised to learn that ratification of the USMCA by Congress earlier this year was a legislative win for cybersecurity. With its adoption, USMCA became one of the first trade agreements in the world to include commitments on cybersecurity policy through its new Digital Trade chapter in which the Parties agreed to principles for cybersecurity policy consistent with America’s NIST Cybersecurity Framework––a widely adopted benchmark for effective management of cyber risks.”

Ronald A. Marks III, president, ZPN National Security and Cyber Strategies; former Central Intelligence Agency and Capitol Hill official:

“Establishing CISA. For the first time you have a non-intelligence, non-military, non-judicial/legal organization that can be an equal with other players in the US government and represent a straight-forward US government ‘buttonhole’ to the private sector.”

Heather West, former head of public policy for the Americas, Mozilla:

“One win is the application of sanctions on countries that have been involved in targeted cybersecurity offensives, especially when it comes to election interference. While cybersecurity in general is an incredibly broad issue to attempt to address, the use of cyberattacks by nation-states and directed towards the United States is much more clear-cut. And while there was potential for partisan infighting over these sanctions, the successful passage of sanctions was a demonstration that Congress is prioritizing protecting Americans and American infrastructure from these actors.”

#2 Where are lawmakers most glaringly falling short on cybersecurity?

Bray: “Very few have done it, or have staffers who have done it, themselves. It has become a partisan issue and one in which there is more theater versus discussion about how to change this from being a series of band-aids after band-aids on the issues to a holistic rethink of new strategies to get at the real root of the issues––for example, a significant number of services on the Internet were not designed for an era of scarce computation cycle or memory storage compared to today’s technologies, and thus, in some cases, were not built with security or attribution as the paramount goal. While not the model for what the United States should do, recently China has proposed New IP demonstrating their interest in technologies that would protect against digital abuse, yet also would take away privacy and free speech. Ideally in 2021, the United States would work with like-minded nations to offer a counter proposal to New IP that embodies the values that open societies have while also striving to find better ways to permit openness, improving security, and protecting against digital abuse.”

Ellis: “It is, I am afraid, hard to pick on just one! But, as many others have pointed out, thinking specifically here of Jason Healey’s piece in Lawfare earlier this summer, one of the biggest failures is the continued comparative lack of funding and attention for ‘defense.’ While the Department of Defense continues to invest in its ‘offensive’ cyber capabilities, spending on defense—meaning support for creating and maintaining secure and resilient software, networks, and devices—lags. Defending forward is all well and good (and maybe even a necessity), but failing to pair these investments with a comparatively serious efforts to fund the Department of Homeland Security (and others) to fulfill their cybersecurity mission is a failure.”

King: “Because of the nature of the threat, cybersecurity committee jurisdiction is extremely broad. At the same time, many possible solutions require governing in a non-traditional way: like co-locating public with private sectors to analyze and respond to threats faster together, relying on tools and information shared by both. That’s a legal mess that isn’t easily fixed by any legislature. Meanwhile, it is extremely difficult to write laws that won’t be quickly overtaken by rapid technology advances. Where most lawmakers tend to fall short on cybersecurity is finding time to keep current on the evolving threat landscape and understanding what technical and policy solutions might evolve to bridge gaps. In the absence of any consistent technology research or training resources, the Wilson Center operates the Congressional Tech Labs to help.”

Marks: “I would say two areas: 1) Cyber Budget/program consolidation through a National Cyber Director for the Executive (working on it) and the same consolidation on interests in the Legislative budget and oversight process; and 2) not getting the right/enough staff talent on the Hill to support the legislators with cutting edge understanding and ideas.”

West: “Despite Congress increasingly understanding the importance of strengthening our cybersecurity stance as a nation, it seems that we’re mostly looking to the products directly used by the government or sold by the largest companies—and open source projects and consumer products are not seeing the same progress. I hope that lawmakers take the time to learn about the huge swaths of internet infrastructure that are open source—and that usually don’t have the same resources as larger companies. Indeed, many bedrock technologies and standards of the internet are not adequately resourced or secured, despite relying on this underlying infrastructure. Incentivizing companies to secure their products should be done in parallel with work to provide resources to secure widely used open source projects and creating secure open standards.”

#3 Has cybersecurity become a partisan issue in Congress? Should it?

Bray: “Things digital and IT have become partisan issues in Congress with regards to how government operates, yes. When a private sector major event happens there also seems to be a lot of visible concern, even if little changes happen as a result. This politicization probably has origins back to the initial stumbles associated with the launch of Healthcare.gov and the subsequent political division over not just the associate policy but also the digital platform. That said I’m not sure the right lessons were learned from Healthcare.gov or other situations; the right lesson was that the government should not require all intended features to be available by a specific date or else they’re going to preclude agile development and force waterfall development which is risky. The private sector does prolonged periods of open betas and phased launches for any major endeavor. I’m not sure if the budgetary cycles of the US government align with doing agile efforts with cybersecurity baked-in to every part of the development process either within government or with industrial base partners.”

Ellis: “Yes and yes. Cybersecurity is partisan for a good reason: decisions about cybersecurity necessarily require difficult trade-offs between often competing goals. There are fundamental and real differences about how best to balance, for example, security, freedom of speech, privacy, and economic efficiency. At a basic level, decisions about security necessarily prioritize certain values (and users and uses) over others. These are fundamentally political questions—they can’t help but be partisan.”

King: “Compared to other policy challenges, cybersecurity largely enjoys bipartisan collaboration. But there’s still a disconnect, especially when it comes to securing elections. According to Pew Research Center, 87 percent of Democrats believe a hostile power will tamper with US elections compared with 66 percent of Republicans. Although political campaigns are by definition partisan, protecting them from foreign influence on the cyber front should not be. As CISA Director Chris Krebs said at a recent Wilson Center event, the United States must fully integrate ‘the Zero Trust concept, where you just assume the network front to back is adversary territory.”

Marks: “Yes, it has to be. Civil liberties questions abound with information control and information use by public and private sector entities. Oversight and debate are crucial. And it’s Congress’s job to debate/control the ‘power of the purse’ guiding spending.”

West: “There are very few issues that benefit from a partisan approach in Congress—so I am very happy to see largely bipartisan efforts around cybersecurity. I hope that cybersecurity doesn’t become more polarized, despite the current state of politics. Recent intelligence reports have made it clear that major efforts are targeting both parties, so this should remain a bipartisan issue.”

More from the Cyber Statecraft Initiative:

The reverse cascade: Enforcing security on the global IoT supply chain

Raising the colors: Signaling for cooperation on maritime cybersecurity

The 5×5—Reflections on trusting trust: Securing software supply chains

#4 Is a consolidated umbrella committee appropriate for managing cybersecurity or should responsibility for cybersecurity’s many topics be layered onto existing authorities?

Bray: “Before consolidating at the committee level, perhaps we should first consider that it doesn’t make sense for the executive branch to have each agency and department doing their own cybersecurity—this wouldn’t happen across different divisions in the private sector. Instead perhaps we need three specific executive branch designees responsible for cybersecurity: 1) one sole designee for cybersecurity elements associated with national security activities, 2) one sole designee for cybersecurity elements associated with justice, law enforcement, critical infrastructure, and public safety activities, and 3) one sole designee for cybersecurity elements associated with all other civilian activities. If we combine these designees into these three groups to be responsible for executive branch actions relating to cloud services, privacy protections, and cybersecurity combined, we’ll get economies of scale. Then we can consider potential Congressional committee-level mergers to match these executive branch designees.”

Ellis: “In terms of Congress, the existing structure of committees should or least could work—the issue here is a lack of political will, not structural or bureaucratic impediments. Prioritizing the CISA—beefing up their budget and capacity—can and should be a priority. Inside the executive branch, we don’t have to reinvent the wheel. Restoring the cybersecurity coordinator within the National Security Council should be a priority. These changes would provide significant upside without having to create a new consolidated committee.”

King: “It is unlikely—for both political and logistical reasons—that cybersecurity issues will ever be contained in single umbrella committees in each chamber. But jurisdiction could be streamlined and the number of committees reduced, which would make oversight more efficient and effective.”

Marks: “The Cyberspace Solarium Commission wants designated oversight committees, but it’s unlikely to happen. Leadership designating the House and Senate Budget Committees with special ‘cyber interest’ might be the next best centralizing alternative––setting limits/guidance on budget and program support issues related to cyber.”

West: “A hybrid approach would be best suited, giving each committee a space to address relevant cybersecurity issues—which is not to say that there aren’t potential ‘umbrella’ bills that should be considered. Cybersecurity provisions can be added to any number of existing laws and authorities, and every government agency should be continually working on their cybersecurity stance and the cybersecurity stance of the companies and entities that they oversee or regulate. That means that there should be somewhere in each committee—potentially a subcommittee—that looks at cybersecurity issues, whether that’s in health, military, or internal administration. We can’t ‘win’ cybersecurity in a single push, but we can make concrete and incremental changes that improve cybersecurity for everyone across sectors and committee jurisdictions.”

#5 What hasn’t Congress tried, or what is it doing that it could do better, to attract more cybersecurity expertise?

Bray: “Launch a Cybersecurity Reserves force that could work full-time jobs in the private sector and spend a specific number of days a month in support of the activities of the US government. Also recognize that cybersecurity is not just about ensuring software, hardware, and networking technologies do what they are intended to do and are not exploited or abused; it is also about social engineering, misinformation and disinformation, and other human element attacks where, even if the machines operate as intended, the humans find novel ways of using machines to trick other humans to do unhelpful or harmful behaviors. This includes bots that spread misinformation, steal digital identities, or polarize the US public in ways that divide us as a nation. Our information environments, which support commercial and essential services, have become both digital and data banks to be robbed and battlegrounds for conflicts.”

Ellis: “A first step—which would have positive impacts beyond cybersecurity—would be to restore and reinvigorate the Office of Technology Assessment (OTA). Long-since defunded and left to rot, OTA provided expert advice to Members of Congress. Deciding how to balance competing aims, as noted above, are political questions. But in order to reasonably assess and weight these competing aims, technical insight and expertise is a necessity. A revitalized OTA would be an important first step (but only a first step) in making sure that political debates are informed by sound science.”

King: “We expect a lot from our legislators: to win elections in a hyper-partisan environment and then not only fix systemic problems that no one person can change alone, but have the expertise to do so. And even if Congress had all the cybersecurity talent in the world at its fingertips, it simply is not possible to address all priorities equally. Especially during overlapping crises like a pandemic and a crumbling economy.

“Non-profit organizations including my own provide a variety of training programs and fellowships to offer Congress trusted access to cybersecurity expertise when needed. The most successful ones put technology directly into the hands of legislators and their staffs—including the upcoming Hack the Capitol—so that they gain experience actually using these tools and understand how the laws they write might be implemented.  

“Perhaps the COVID-19 experience and its impact on the future of work might just be the disruption Congress needed to think differently about how it hires and attracts cybersecurity talent. In many cases, Congress (like many other institutions) relies on an outdated system that prioritizes experience in a professional setting, with an advanced degree. Some of the best software engineers don’t fit into neat molds—and you probably don’t want them to. Looking beyond the usual path and recruiting experts with deep technical expertise who are intrigued by the prospect of public service—even on a remote basis—will be critical.”

Marks: “This is a war of attrition as the Hill rarely moves fast on issues not demanding—in their minds—immediate attention. The older staff and Members of Congress will age out and the newer ones coming in will have greater understanding. As for a program, Congress needs to reinforce its own cyber oversight with talent and commensurate pay the same way they advocate for STEM in the private sector. In the meantime, perhaps a boost in contracting expertise through the Government Accountability Office and Congressional Research Service might ameliorate some of the problem.”

West: “It’s a well-known problem that Congress and cybersecurity experts often speak different languages, have different contexts, and thrive in different cultures. Staff and Members of Congress understand the urgency of cybersecurity issues––even if they’re still working to figure out how to address it. I hope to see Congress continue to bring expertise into all levels of staff and to work in partnership with external experts to understand how to concretely and positively impact the way that we approach securing American infrastructure, from consumer products to sensitive government systems. Congress and staff need to understand that security experts really do work within a different context than Congress—and working to bridge that divide from both sides.

Simon Handler is the assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler. 

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

The post The 5×5—Cybersecurity and the 117th Congress appeared first on Atlantic Council.

The piece below originally appeared in the Netherlands Atlantic Association’s magazine Atlantisch Perspectief.

Over the past decades, our reliance on the internet and everything that passes over it has grown exponentially to a point where living without it is hardly imaginable. Even those people who are not active online are indirectly dependent on many goods and services that could no longer be rendered without the government or private sector relying on Information and Communications Technology (ICT). We experience this as progress and have recognized the enormous opportunities and increase in quality of life that have come with it. The discourse that evolved with the emergence of the internet held a promise of increased business opportunities, transparency, and fundamental freedoms (of speech, assembly, etc.) that could now be exercised in an unfettered way like never before.

Waves of democratization, like the Arab Spring, were spurred or amplified by social media. However, with those opportunities and increased interconnectedness came threats and vulnerabilities. And online interdependence has increasingly exposed us to malicious actors with bad intentions. This has sparked an intense international debate and necessitated efforts to fight these evils. Every single part of our government deals with the threats and opportunities that come with the use of ICT, ranging from the Dutch Defense Ministry adding cyber capabilities to its inventory, to the Dutch Ministry of Home Affairs making sure our elections are conducted securely and without foreign interference, to the Dutch Justice Ministry protecting our critical infrastructure and fighting cybercrime. It is now integral to everything the government undertakes, and responses to all these challenges and opportunities must be aligned in a whole-of-government approach, which requires regular updates.

For the Dutch government, cyber diplomacy is a necessity, not a luxury. For an open service-oriented economy, a safe and secure internet is key. Many of the transatlantic internet cables land in the Netherlands, making Amsterdam one of the largest hubs for internet traffic in the world. But most importantly, the Netherlands is one of the few countries in the world that has promotion of the international rules-based order enshrined in our constitution (article ninety). Extending this mission into cyberspace is therefore regarded as a core task of the Ministry of Foreign Affairs (MFA).

The MFA is involved in many of these efforts, particularly where the work of other departments has an international dimension. But it also has defined its own mission, which is derived from the overall foreign and security policy. Obviously, the work of the development-cooperation side and the international-trade side of the house also has a digital dimension, but for the sake of this article, I will focus on cyber diplomacy in the security context of our work. We have a three-pronged approach to promoting a safe, free, and open internet globally.

1. Develop and consolidate the rules of the road in cyberspace

Although to some the internet may seem a lawless place where state actors and their proxies, criminals, and terrorists can perform harmful acts and go unpunished, that is not the case. Our laws, and in particular international law, apply in full in cyberspace. In the opinion of the Netherlands and a growing group of like-minded countries, the notions contained in the United Nations (UN) Charter and Human Rights Conventions are applicable equally online and offline. Your privacy, rights of assembly, and free speech, all are protected by the same laws and treaties. However, discussion amongst experts is still ongoing as to how some international rules exactly apply. For example: what constitutes an armed attack in cyberspace, and when is self-defense warranted? Over the past decades, such discussions have taken place under the aegis of the UN. The most recent set of eleven norms for state behavior was agreed in 2015. Of course, this is a domain that is still very much under development, both in terms of technology and in terms of policy. So, it is only natural that the discussion continues.

Norms of state behavior are currently being further elaborated along two separate UN tracks. And with the development of new technologies, we need to keep developing and strengthening those rules of the road in cyberspace to make sure that use of ICTs and other technologies is safe and secure, and that the fundamental rights of each individual are respected. Also, a number of Confidence Building Measures like transparency and responsible behavior in case of cross-border cyberattacks have been developed within the OSCE. The construct of rules, norms, and principles for state behavior is being elaborated and strengthened all the time. Nevertheless, we see an increase in irresponsible and malicious behavior by many, ranging from theft of intellectual property to benefit national industries, to crippling attacks on critical infrastructure, to interfering in electoral processes. The Global Commission on the Stability of Cyber Space (GCSC), an independent non-governmental organization that the Netherlands MFA initiated, issued an authoritative report on these matters in November 2019.

It stated unequivocally that the public core of the internet as well as critical infrastructure should be off-limits to any tampering and that the latest developments concerning electoral infrastructure and medical infrastructure in the face of the COVID-19 crisis gave particular reason for concern and grounds for their protection. The suggestions from the GCSC have been referenced by many nations during the negotiations at the UN in New York. The GCSC had an important attribute which is vital to the entire debate on shaping the rules of the road in cyberspace: a multi-stakeholder composition. Government representatives, scientists, practitioners, politicians, civil society, tech companies, think-tankers, even hackers: Every single part of our society should be involved in shaping this space for the future. The internet is not like a public road that is owned by the government, which can decide on its own what the maximum speed should be. The internet is owned by us all, and it is still growing as we speak. Every owner should feel responsibility, and every owner should take part in shaping its future. This should remain the organizing principle of future exchanges on our digital future, and I was delighted to see that UN Secretary-General António Guterres has embraced this principle in his recent Roadmap for Digital Cooperation.

2. Hold those who break the rules accountable

Although we all seem to broadly agree on the norms and rules of the road in cyberspace, and on what is and is not acceptable, malicious behavior is on the rise. A recent example is the abuse of the COVID-19 crisis for cyber operations. There is thus a clear need to get better at catching those who break the rules. And this is not easy; actions on the internet are easily disguised, and it is increasingly difficult to ascertain who may be behind an action. So it is of critical importance that we work together with EU partners and like-minded nations across the world, first of all, on the forensic details of cyberattacks. We share information between allies and partners, just as with information on common crime. And then we coordinate on calling out malign practices. Whereas the decision to attribute a cyber operation to another state will always be a sovereign decision by any government, the way to communicate such a move, and the option to impose consequences, will gain meaning and impact when coordinated between nations.

Many individual nations have an attribution framework for these purposes, but on Dutch initiative, the European Union (EU) has also developed a cyber-diplomacy toolbox. The most recent addition to that is an EU cyber-sanctions regime, which allows the EU at twenty-seven to impose sanctions on individuals and entities that are found guilty of malicious cyber operations. In order to be able to agree on such a sanction by unanimity within the EU, we need to able to convince each member state of the facts. For this purpose we draw up evidence packs, which have to be unclassified, because the person or entity targeted by a sanction should have recourse to the European Court of Justice. To facilitate the assembly of such evidence packs, we need to build alliances between the public and private sectors, with the involvement of other stakeholders. We have increasingly realized that many different players hold one or more pieces of the incredibly complex puzzle that is called cyber: police, national cyber-security centers, security services, Computer Emergency Readiness Teams (CERTs), but also private security firms, social media platforms, universities, Interpol/Europol, and so on. We have to get much better at forging alliances between these players to be able to see the full extent of what goes on on the dark side of the internet. And this could help us with getting better at exposing different kinds of interference, including disinformation campaigns.

The Dutch are engaged in diverse diplomatic efforts to promote adherence to international rules and norms. For example, the Netherlands Ministry of Foreign Affairs has initiated the Freedom Online Coalition (FOC). The FOC is a partnership of now thirty-two governments, working to advance and secure internet freedom. Coalition members work closely together to coordinate their diplomatic efforts and engage with civil society and the private sector to support Internet freedom—free expression, association, assembly, and privacy online—worldwide. Similarly, the Dutch MFA supports non-governmental organizations in this field like the Digital Defenders Partnership and Access Now. We seek to serve, guide, and influence decision-makers across sectors through human-rights-focused thought leadership and innovative, evidence-based policy analysis, as well as through events like RightsCon, an annual meeting and a movement that connects and empowers civil society and mobilizes a global community to collaborate on the most pressing issues at the intersection of human rights and technology.

3. Enable all nations to protect themselves

Defense against cyber operations starts with resilience. Resilience means not only being able to withstand an attack, but also being able to continue functioning through an attack. This is vital as today the functioning of our society is increasingly dependent on a functioning internet. Full protection of a country’s critical infrastructure is therefore key. Definitions of critical infrastructure vary from country to country and keep changing and growing all the time. Banks, electrical grids, telecoms, etc. are regarded as critical in every country. But for the Netherlands for instance, where about 35 percent of its territory lies below sea level, the waterworks that keep the sea out are computer operated and are without a doubt critical infrastructure. However, until recently, our medical infrastructure was not regarded as critical in the same way other sectors were. With the COVID-19-related attacks and the realization that hospitals were critical to the continuity of our society, that definition is now under review.

It is very important that countries that are less well-equipped get assistance to achieve the same level of protection. This should not be seen as charity; it is in everyone’s interest. Some major cyber incidents of the past few years have shown that most damage done is actually collateral damage well beyond the initial target, or intentionally random and global in its effect. Think of the Wannacry cyberattack that affected up to 300,000 computers in 150 countries, or NonPetya, the most devastating cyberattack in history that crippled ports, paralyzed entire corporations, and froze government agencies around the world. In that sense we could compare the internet to the earth’s atmosphere; damaging effects from a cyberattack do not stop at our borders, just as climate change knows no boundaries. This capacity building is first of all a matter of building technical resilience, for example by setting up Cyber Emergency Response Teams.

But it could also entail assistance with drafting legislation that ensures internet safety and security, and at the same time respect for human rights. The overall aim should be to make sure that everyone can reap the benefits of new technologies and enjoy a free, safe, and secure internet. And just as important: empower all states to take part in the global debate about our common digital future as equal partners, including the private sector and civil society in these countries. To support this effort, the Netherlands Ministry of Foreign Affairs initiated the Global Forum for Cyber Expertise (GFCE) in 2015. The GFCE is a multi-stakeholder community of more than 115 members and partners from all regions of the world, aimed at strengthening cyber capacity and expertise globally. As a global platform comprising governments, international organizations, non-governmental organizations, civil society, private companies, the technical community, and academia, the GFCE builds global cyber capacity. This Dutch government initiative has now matured into the world’s strongest independent Capacity Building platform.

4. Conclusion

The Dutch government has climbed a steep learning curve over the past years and is still learning every day. Cyber-security reports show that threats are getting worse, not decreasing. International cooperation is vital to consolidate the rules of the road in cyberspace, further their implementation by increasing the chance of exposing and stopping those who break the rules, and assist other countries in upgrading their resilience. With new technological developments like the Internet of Things, the attack surface will increase, and with it, the responsibilities of all involved to protect us from malicious actors. The Dutch Ministry of Foreign Affairs aims to continue to play a leading role in cyber diplomacy both from The Hague and through our dedicated cyber diplomats in selected embassies across the world.

Timo S. Koster was, until September 1, 2020, Ambassador-at-Large for Security Policy and Cyber at the Dutch Ministry of Foreign Affairs. From 2012 to 2018, he was Director for Defense Policy and Capabilities at NATO Headquarters in Brussels.

Further reading:

Elections 2020 Sep 24, 2020

Five big questions as America votes: Cybersecurity

By Cyber Statecraft Initiative

With the next US presidential election looming, the next administration will face no shortage of substantive cyber policy issues. US adversaries such as China and Russia continue to undermine and fracture the free and open internet, while the technology ecosystem has been altered by the rapid adoption of cloud computing, placing immense power and responsibility in the hands of few technology giants, such as Amazon and Microsoft.

Cybersecurity Elections

New Atlanticist Aug 14, 2020

Beyond 5G, Central Europe will be key to countering Chinese technological influence

By Frances Burwell, Jörn Fleck, and Eileen Kannengeiser

In seeking to further roll back China’s influence, the US has targeted Huawei during its CEE visit as the Shenzhen-based telecoms-equipment manufacturer competes for a prominent role in the region’s cellular network infrastructure and 5G expansion.

Central Europe Eastern Europe

In-Depth Research & Reports Aug 4, 2020

Alliance power for cybersecurity

By Kenneth Geers

There is only one internet, and cybersecurity is therefore an inherently international challenge that countries cannot tackle alone. Alliances like NATO and the EU give democratic countries a cyber edge over their authoritarian challengers.

Cybersecurity Europe & Eurasia

The Transatlantic Security Initiative, in the Scowcroft Center for Strategy and Security, shapes and influences the debate on the greatest security challenges facing the North Atlantic Alliance and its key partners.

Explore the Initiative

The post How to counter worsening cyber-security threats: The international strategy of the Dutch government appeared first on Atlantic Council.

As part of the Atlantic Council’s Elections 2020 programming, the New Atlanticist will feature a series of pieces looking at the major questions facing the United States around the world as Americans head to the polls.

With the next US presidential election in less than two months, the next administration will face no shortage of substantive cyber policy issues. US adversaries such as China and Russia continue to undermine and fracture the free and open internet. The technology ecosystem has been altered by the rapid adoption of cloud computing, placing immense power and responsibility in the hands of few technology giants, such as Amazon and Microsoft. The effects of the coronavirus pandemic have forced millions of Americans to rely on remote technologies to work and study from home. These trends and an increasing number of Internet of Things (IoT) connected devices are raising new concerns over privacy and security at the forefront of policy discussions.

Below are the five major questions facing the United States on cybersecurity as the US elections approach, answered by five Atlantic Council experts:

Since the last Bush administration, US attention in cyberspace has largely focused on four adversaries—Russia, China, North Korea (DPRK), and Iran. Who will be the biggest challenge for the United States in the next decade?

“Proliferation of offensive cyber capabilities. Where states like Russia or DPRK develop and share capabilities or intelligence on US and allied targets with non-state groups, either direct proxies, independents, or criminal groups, the threat environment facing the United States becomes decidedly more complex.” – Trey Herr, director, Cyber Statecraft Initiative

 “Russia. At this point, it is more difficult to point out a geopolitical conflict involving Russia that doesn’t have a cyber component instead of one that does. We also need to watch out for China’s advancements in artificial intelligence research and military applications. The real challenge, however, is that the current cyber landscape is such that both the United States and its adversaries are stuck in a prisoner’s dilemma where the individual incentives for surprise attack, preemption, and exploitation of vulnerabilities leave cyberspace collectively insecure for everyone. Challenges from adversaries, old and new, will continue as long as this dynamic persists and as the attack surface increases.” – Jenny Jun, fellow, Cyber Statecraft Initiative; PhD candidate, Columbia University’s Department of Political Science

 “China will be the largest challenge to not just to the United States, but to all of the ‘rule of law’ countries over the next decade. Aggressive intellectual property theft and the influence of their market power combined with the exportation of an authoritarian governance model as a viable alternative to the Western system will be the defining issue of the decade.” – Jeff Moss, nonresident senior fellow, Cyber Statecraft Initiative; founder, Black Hat and DEF CON security conferences

 “Size is not as crucial as a concern; we need to be worried the most about how criminal groups and similar actors working with nation-states to disrupt the West politically. Particularly concerning is the ability of these groups to use nation-state grade cyber capabilities in operations, with the support of nation-states.” – Gregory Rattray, senior fellow, Cyber Statecraft Initiative; partner/co-founder, Next Peak LLC

“These four states will all continue to pose different kinds of threat, in addition to many new players who have obtained or built offensive cyber capabilities in recent years. The biggest challenge for the United States in the next decade will be China; but the challenge is not to prevent China from assuming a more influential role in cyberspace—that cat is out of the bag—but for the United States to find cybersecurity solutions that work in a multipolar and interdependent world. The alternatives of withdrawal from or overmatching in cyberspace do not appear sustainable.” – James Shires, fellow, Cyber Statecraft Initiative; Assistant professor, Cybersecurity Governance, Institute of Security and Global Affairs, University of Leiden

The Cybersecurity and Infrastructure Security Agency (CISA) was established in 2018 to improve cybersecurity across government. What other organizational changes at the federal and/or state levels should be made to best protect Americans from damaging cyberattacks?

Herr: “The United States must revamp its cloud adoption and security regulatory processes. The incumbents, programs like FedRAMP and the DoD Cloud Computing Security Requirements Guide, are slow, emphasize manual processes over automation, and skew towards prescribing design choices instead of security outcomes and performance. Change at the Federal level would be a boon for more secure adoption of cloud computing by states and allies, many of whom are searching for a more flexible and cloud-friendly model.”

Jun: “At this time, instead of making more organizational changes, I think it’s more important to empower existing positions and strengthen regulations for specific policy goals. For example, if the goal is to make businesses exercise more due diligence when manufacturing various products in the supply chain, making acquisition choices, and handling customer data, this can be achieved through congressional legislation and empowering regulatory agencies such as the Securities and Exchange Commission (SEC) for its enforcement by sector. If the goal is to make individuals and enterprises less susceptible to ransomware attacks, federal insurances can be established to pay for victim recovery, and baking in backup and resiliency best practices to insurance premium prices, instead of leaving insurances to pay the ransom itself or simply asking victims to not pay.”

Moss: “Our future will depend on reliable, safe, and secure technology gluing society together. A clearly articulated industrial policy for technology that prioritizes resiliency and security would provide intention and direction to future decisions. The creation of a National Supply Chain Safety and Transparency Agency could act as a coordinator for industry and government risk evaluation, best practices, and policy advice. This would help governments understand the risks before procuring a technology, and companies would be able to address their concerns.”

Rattray: “Beyond CISA, the government needs to establish joint operating capabilities and collaboration with the private sector, through analysis and resilience centers like the FS-ISAC. These should very definitely include enabling state governments through the increase of response capabilities, following the federal level in working directly with the providers of critical national functions.”

Shires: “Greater privacy and data protection will be crucial. Although it would not directly prevent cyberattacks, good privacy and data protection design and regulation would prevent some of the most serious consequences of intrusions and breaches for the general public. Of course, finding a good solution to information sharing on cyberattacks is also key, whether incentive-based or regulatory, and at state and federal levels. Finally, keeping to a single and clear definition of critical infrastructure, enabling states and federal government to focus resources effectively, would definitely help.”

What will be the most influential force on the shape of the internet that the next administration will face?

Herr: “Apathy. The internet’s continued universality and technical integrity are in question, as much because of deliberate Chinese and Russian efforts to drive fragmentation as benign neglect from the United States and key allies. The internet’s original design features which pushed intelligence (and thus much of decision-making power) to the edge of the networks has been eroded in favor of ever more capable intermediaries. The arguments against a single internetwork are being made far more frequently than those in favor.”

Jun: “Increased attack surface from 5G adoption coupled with IoT devices. More dependencies and integration can make it easier to create cascading effects where exploitation of one feature could affect the entire network. As a political scientist, one hope is that perhaps the vulnerabilities will be so great and intertwined such that it will create mutual hostage situations and ironically contribute to stability.”

Moss: “Great power competition and decoupling economies will fundamentally change the nature of the internet over the next decade, and the next four to eight years will be critical. There has been a lot of speculation about the use of cyber retaliation and how infrastructure provider would alter their networks to limit the impacts, and now we are witnessing the emergence of what I call ‘App Diplomacy’ with India banning popular Chinese social media apps such as TikTok. A new capability in the diplomatic toolbelt.”

Rattray: “The internet and cyberspace generally continue to evolve extremely rapidly. I would have the next administration focus particularly on artificial intelligence, the protection of data used to form algorithms, and the reliance of government, economic, and social functions on the use of artificial intelligence.”

Shires: “There are two. The first influence is its own current trajectory. If current ‘clean’ measures are taken to their extremes, the United States itself will reshape the internet into at least two halves (and, maybe, depending on which way Europe goes, three). The second influence will be the continuing surge in internet access worldwide, especially in the Global South.”

How will the novel coronavirus pandemic impact the next administration’s approach to digital privacy?

Herr: “Unclear. Contact tracing through smartphone and wearable apps has not featured in the United States as prominently in other countries and the EU remains a patchwork of different designs and applications. The move to work from home has forced users to more frequently consider where their data lives and how it can be accessed which may improve support for a private authority or more coherent federal privacy protections.”

Jun: “This is a classic commitment problem, for both governments and big tech. Whoever is collecting vast amounts of personal data to a centralized system has a hard time credibly promising that it will use insights from that data or the capacity to collect it for one purpose but not the other. But this problem is not unlike other promises that governments had to make in the past, such as a promise to use military power only against foreign adversaries but not against its own citizens or domestic rivals. While no silver bullet, mechanisms such as tying hands, allowing oneself to be sued, delegating authority, and embedding these mechanisms in institutions so that they are hard to change—stuff democratic governments have known for centuries—can partially mitigate this commitment problem. But voluntarily giving up this power will take an extraordinary event, probably not without a bottom-up demand from consumers.”

Moss: “COVID-19 has forced everyone to embrace online everything, and with that comes a growing awareness that their expectation of privacy is being violated or traded away with only illusory consent. In the absence of a constitutional right to privacy, the next administration could address this by creating legislation that would create a minimum for privacy expectations to provide clarity to both people and to the market, ultimately enabling competition instead of privacy law arbitrage. I know. I’m an optimist.”

Rattray: “The pandemic requires the next administration to both enhance digital privacy and deal with the increased sharing of private information. New, ever more relevant medical information must be shared digitally and must be protected. Simultaneously, remote work increases the necessity of the digital environment, and the amount of private information handled digitally. Finding the right approach to privacy is going to become a fundamental enabler.”

Shires: “It will create some contradictory pressures. For example, the pandemic has forced many personal and professional lives online for the foreseeable future, suggesting investment in digital privacy for online connective services should be a priority; but also generating more of a market for these services and greater opportunities for data-based advertising, threatening privacy. Another example is healthcare data: protecting the privacy of healthcare data should be more important, but finding a balance that also enables the sharing of data when necessary for contact tracing, and avoiding a shadow surveillance economy for doing so, will be difficult.”

The IoT is growing by the day, increasingly morphing the digital and physical worlds and in turn broadening the cyberattack surface. What immediate steps can the next administration take that can result in quick wins for creating a more secure IoT ecosystem?

Herr: “Empower the Federal Trade Commission to enforce a baseline standard of secure design and manufacture for IoT devices. There are numerous proposals of what such a standard might look like and various labeling schemes to support their enforcement but the root of impact is a clear and minimally ambiguous enforcement scheme.”

Jun: “Change incentives of manufacturers and distributors to sell more secure products, like we have done for areas such as food safety and financial products. Don’t rely on the consumers to make security choices, and don’t regard this as a purely technical problem beyond the policy realm. Leverage existing recommendations for manufacturers like NISTIR 8259, create certification mechanisms, and ensure compliance. Coordinate such efforts with like-minded countries to gradually establish global market standards.”

Moss: “While I don’t believe there are any quick wins to be had in IoT, there are some steps that are long overdue, like requiring an update mechanism to fix critical bugs, imposing manufacturer liability for defective products, and requiring transparency on what is inside the device, possibly a Software Bill of Materials (SBOM). Finally legislating clear product labeling laws like we have for food would provide transparency to important questions like how many years will the product be supported? Does the product require you to reveal personal information to activate it after purchase? Will this product be used to track my movements or spy on me?”

Rattray: “In general, I am a skeptic of the notion regarding quick wins, especially when it comes to fundamental changes in the digital ecosystem, like the rise of IoT. The next administration should focus on providing support to those who provide IoT products and services to make sure that they are easily secured and robust, while also increasing the general capacity of individual organizations in the nation to respond to digital disruption.”

Shires: “First, develop consistent standards for IoT security (although this isn’t quick, it should be started immediately). Second, find a way to effectively leverage the cybersecurity community to publicize and patch bugs in IoT systems. Third, for consumer IoT it is privacy and data protection. There will always be successful IoT attacks, and the harder it is to for example exploit access to smart speakers, or pivot from a dumb device to something juicier, the more we can use them with confidence.”

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

See more from CSI’s 5X5 series:

New Atlanticist Jul 29, 2020

The 5×5—Fighting COVID-19 with surveillance: Perspectives from across the globe

By Simon Handler and Lily Liu

As more countries rely on digital tools to contain the spread of COVID-19, how will enhanced surveillance challenge privacy norms in the future? According to the World Health Organization, public health surveillance is critical to containing the pandemic. However, can enhanced surveillance during a public health crisis set precedents for digital surveillance in the future?

Africa Coronavirus

New Atlanticist Jun 22, 2020

The 5×5—Baseball and cybersecurity: Stealing insights from America’s pastime

By Simon Handler

Whether you have played, watched, hated, or never heard of baseball, lessons from the sport can be applied to many things in life—including cybersecurity. Cyber Statecraft Initiative experts go 5×5 to draw parallels between America’s pastime and today’s cybersecurity issues.

Cybersecurity Technology & Innovation

New Atlanticist May 26, 2020

The 5×5—Is it a game or is it real? Simulations and wargaming in cyber

By Simon Handler

Greater insight into risk and response allow public and private sector organizations to better prepare for crisis before it happens and rerun history to stave off defeat in future. Wargames can be complex live events or low-cost simulations. They can even be the basis for major reforms to policy and doctrine, giving us much to understand about them. Shall we play a game?

Cybersecurity

The post Five big questions as America votes: Cybersecurity appeared first on Atlantic Council.

Trade Flows in the Age of Automation

Innovative digital technologies are poised to change the nature of services trade within global value chains in the decade following COVID-19. With trade in services growing 60 percent faster than that of goods, the impact of new digital technologies will be widespread.

This report analyzes four digital innovations that have the potential to disrupt global value chains: the Internet of Things (IoT); blockchain; artificial intelligence (AI); and advanced manufacturing. While advances in information and communication technology have largely worked in concert in the past to support the expansion and fragmentation of global value chains the impact of these innovative digital technologies are unlikely to be uniform. The report evaluates these new technologies in the context of financial, pharmaceutical, and automotive industries to arrive at three key takeaways. First, the private sector’s competitiveness will increasingly depend on an ability to collect, store, organize, and analyze data. Second, regional value chains will emerge as global trade orients more around regional poles. And third, big tech firms could disrupt global value chains, although it appears as likely that they will collaborate with existing firms in established markets. 

As global value chains become more knowledge- and services-intensive, advanced economies should be prime beneficiaries overall. The UK and the United States should be the leaders in adopting digital technologies and establishing global rules and standards to maximize their benefit. The report calls for strong multilateral cooperation to fully realize the potential of these digital technologies within global value chains.

Related experts

Former fellow

Bart Oosterveld

Former Nonresident Senior Fellow

GeoEconomics Center

China Dutch

Fellow

Ole Moehr

Nonresident Fellow

Economic Statecraft Initiative GeoEconomics Center

Economic Sanctions

The post Trade flows in the age of automation appeared first on Atlantic Council.

View the full series here.

Event description

On Thursday, September 17, 2020, the GeoTech Center hosted the fourth episode of the Data Salon Series in partnership with Accenture. The panel featured Ms. Valeria Budinich, Scholar-in-Residence at the Legatum Center in MIT’s Sloan School of Management; Mr. Derry Goberdhansingh, CEO of Harper Paige, and Mr. Bevon Moore, CEO of Elevate U. GeoTech Center Director Dr. David Bray moderated the panel, incorporating questions from a wide range of voices in the data science community.

Around the world, scores of individuals and organizations work to create a better reality for their communities, their nations, and the world . Yet, with so many players in the field, it is often difficult to coordinate between different streams of public, private, and nongovernmental data seeking to combat overlapping problems. The panelists discussed their efforts and outlined methods to connect data with the organizations who need it without exposing personal information of anyone involved. The speakers touched on personal experiences in the field of social entrepreneurship, including both their successes and challenges to learn from.

Watch the whole video above to hear more about how data is revolutionizing the social entrepreneurship space.

Previous episode

Event Recap

Aug 19, 2020

Event recap | Data salon episode 3: Coordinating data privacy and the public interest

By Henry Westerman

On Wednesday, July 30, the GeoTech Center hosted the third episode of the Data Salon series in partnership with Accenture. The virtual event hosted by Dr. Divya Chander, Chair of Neuroscience at Singularity University, and Ms. Krista Pawley, Principal and Culture and Reputation Architect at Imperative Impact, in conversation with audience members from across the data and innovation space.

Cybersecurity Digital Policy

The post Event recap | Data salon episode 4: Data science and social entrepreneurship appeared first on Atlantic Council.

Megatrends that shape the current century point to a future in which our security and environment are inextricably linked. Population changes, exponential technological growth, climate change, and scarcity of resources, both natural and financial, set against rising global insecurity create a situation in which our international institutions must innovate or risk becoming irrelevant and financially unsustainable.

NATO is positioned to lead in this era of risk and innovation. By capitalizing on opportunities such as the ‘Digital Ocean’ NATO can help provide solutions to the megatrends that will define this century, while fulfilling its core mission of providing security to its nearly one billion citizens.

The perfect storm of challenges

The asymmetric demographic change we are already witnessing will shrink the Western working age population remarkably. By mid-century every fourth person in Europe will be over sixty-five years old and by 2080 there will be less than two working age persons per each elderly person in Europe. We know now, decades in advance, that there will be fewer taxpayers. Falling working age population brings shrinking budgets, while the need for resources and workers in numerous sectors are increasing.  

Climate change will impact virtually every aspect of society. More frequent severe weather events will bring high economic costs—heat waves, forest fires, storms, and floods that will test the health of all species. Food and water shortages will accelerate tensions in already fragile regions. Currently, we’re in a hunger crisis with 260 million people predicted to be without enough food by the end of the year. Rising temperatures and extreme events will further harm livestock and diminish crop yields, driving starvation. Around 1.5 billion people live in river basins where the demand of fresh water exceeds the natural recharge level and by 2030 the global water demand will exceed current sustainable supplies by 40 percent. Although 70 percent of the earth is covered with water, only 2.5% of it is freshwater. Ironically, while our freshwater reserves are falling, our oceans are rising as icebergs melt into the sea and eat away at our coastlines, displacing millions of people. Water scarcity, extreme weather events, rising water levels, food shortages, and other climate change calamities will make parts of our world simply unlivable, causing migration pressure and increasing the risk of further cultural tensions and conflicts.

Rapidly developing technologies have already changed the ways people communicate and do business, governments serve their citizens, and societies protect their interests. Exponential growth in technology, computing power, and artificial intelligence has and will be felt by every state and every sector.   

These megatrends have emerged amid an increasingly more complex security environment in which a resurgent Russia aggressively promotes misinformation and engages provocative behavior to create instability around the globe. Further, China is in a race to become the global leader in technology, trade, and both digital and physical infrastructure. This security situation is of course further exacerbated by the global pandemic currently ravaging our health care systems and economies.

Granted the challenges are many, but so too are the opportunities to launch a new era of institutional and technological innovation unrivaled in history.

How NATO can harness the ‘Digital Ocean’ revolution

NATO is well-positioned to lead this new era of innovation. With its thirty Allies and over one trillion dollars in annual defense expenditures dedicated to the collective defense of their nearly one billion citizens, NATO is the largest and most powerful military alliance on the planet. The Alliance is uniquely situated at this nexus of security and environment. 

Perhaps the best illustration of this nexus is NATO’s maritime domain. The seas remain essential for global trade, with 90 percent of the world’s trade conducted by sea. And additional trade routes are opening in the Artic due to climate change and exposing NATO’s northern flank to Russian and Chinese fleets. Furthermore, the global digital economy runs on cables on the ocean’s floor.  It is the sea that connects us all, powers the global economy, and is primed for innovation. 

NATO could lead this innovation, by bringing together key stakeholders across government, academia, and industry to create a ‘digital ocean’ and exploit enormous swaths of data with artificial intelligence-enhanced tools to predict weather patterns, get early warning of appearing changes and risks, ensure the free flow of trade, and keep a close eye on migration patterns and a potential adversary’s ships and submarines. And it could be done in a sustainable carbon-neutral manner by leveraging the “Blue Tech” revolution currently underway. Innovators across Europe and North America continue to design and build a diverse array of maritime surface and subsurface drones. Many of these maritime drones are propelled by wind, wave, and solar energy and carry sensors that can collect data critical to unlocking the yet untapped potential of the ocean.  

If NATO Allies could stich these drones together in a secure digital network, it could essentially create an ‘Internet of Things’ for the ocean, a ‘digital ocean’ spanning from seafloor to satellite that stretches across millions of square miles.  It is clear no single nation could undertake such an effort on their own, nor would they achieve the synergistic network effects an alliance like NATO offers, when such an effort is undertaken in a coherent manner. There are significant fiscal benefits as well, as maritime drones greatly enhance the capabilities of ships, submarines, and other platforms at a fraction of the cost. These savings would be magnified by the fact that the digital ocean would be powered by free and sustainable energy sources like wind, wave, and solar. The digital ocean will drive the ocean economy which is now $2.5 trillion a year. It has the potential to bring in new solutions and to use the tech change megatrend for the benefit of all—to create a more sustainable planet as well as robust economic driver through applications such as offshore wind, sustainable aquaculture, and carbon sequestration through growing food crops like seaweed.

Charting a new course

This type of sustainable innovation needs to occur across all domains and in all our international institutions if we are to meet the challenges of the coming decades. Population trends, technology shifts, climate change, and scarcity of resources make an already complex security situation that much more daunting. But we are not powerless in this face of the ‘Perfect Storm’ when megatrends collide; we have the ability to invent our own future.

Why act now? Because the technological shift is making it is possible to get the data from every specific part of the ocean and use the gathered data to interpolate. We must take bold innovative action now and chart the new course, to ensure the health of our planet and the security of our citizens for generations to come.

Keit Pentus-Rosimannus is a Member of the Estonian Parliament, vice-chairwoman of the biggest parliament party Reform Party. She was the Minister of Foreign Affairs for Estonia from 2014 to 2015 having previously been the Minister of the Environment from 2011 to 2014.

Michael D. Brasseur is the co-founder and first Director of NATO’s Maritime Unmanned Systems Innovation and Coordination Cell (MUSIC^2).  He is a former captain of two US Navy warships and has sailed the world’s oceans partnering with friends and Allies. The views presented here are his own, and not that of NATO or the US Navy.

Further reading:

Blog Post Aug 13, 2020

NATO’s progress on burden sharing remains strong

By Bradley Hazen

While movement towards the two percent may seem slow, it is clear that NATO allies are making significant changes to their defense spending.

Europe & Eurasia NATO

In-Depth Research & Reports Aug 4, 2020

Alliance power for cybersecurity

By Kenneth Geers

There is only one internet, and cybersecurity is therefore an inherently international challenge that countries cannot tackle alone. Alliances like NATO and the EU give democratic countries a cyber edge over their authoritarian challengers.

Cybersecurity Europe & Eurasia

New Atlanticist Jun 5, 2020

Increase NATO’s operational reach: Expanding the NATO SOF network

By Thang Q. Tran

NATO cannot safeguard the coalition’s interests unilaterally. Strategic investments in NATO Special Operations Forces (SOF) to expand the NATO SOF Network will provide political and military leaders the full range of options in response to emerging threats—both hybrid and conventional—through strong partnerships within the Alliance and with partners.

Defense Policy NATO

The post The ‘Digital Ocean’ as a model for innovation in the perfect storm appeared first on Atlantic Council.

At the moment, few around the world can imagine a more disruptive event to our world than the COVID-19 pandemic. After all, the pandemic has shaken up societies on all parts of the planet, calling into question the very nature of our interconnected 21st century society. However, at the GeoTech Center, we recognize that COVID-19 will only be the beginning of a wave of revolutionary change that will be brought on by the next stage of technological innovation. If we as a society fail to properly prepare for what is coming, we stand to suffer even worse consequences than what COVID-19 continues to bring.

Dr. David Bray, the GeoTech Center’s director, envisions a different future, where proper preparedness and a people-centered perspective will allow humanity to harness the incredible innovations anticipated in the coming years for good. On an episode of the “Futurized” podcast with Trond Undheim, PhD, David discussed this vision, and how we at the GeoTech Center are working to make it a reality.

“The takeaway is that the world now needs to ensure that new technologies not only contribute to innovation but also simultaneously empower people, increase prosperity and secure peace. One way we talked about is to develop data trusts to secure that exchanges of data are mutually beneficial and provide ethical and governance support.”

Listen to the entire podcast on the “Futurized” to hear more of Dr. Bray and Dr. Undheim’s analysis of the post-pandemic world to come.

The post Preparing for the post-pandemic tech environment: Dr. David Bray appeared first on Atlantic Council.