On March 2, the Office of the National Cyber Director released the public version of the long-awaited National Cybersecurity Strategy. This document is intended to provide strategic guidance for how the United States should protect its digital ecosystem against malicious criminal and nation-state actors. The document is a welcome and sharp break from a few past practices and principles. If fully implemented, it has the potential to change the U.S. cybersecurity posture significantly for the better.

The scope of the document is limited to cybersecurity, as its title is “National Cybersecurity Strategy” rather than “National Cyber Strategy.” Many press reports (e.g., here and here) on the strategy’s release have conflated the two, but they are not identical in scope. The U.S. government generally operates from a definition of “cybersecurity” promulgated in 2008 under NSPD-54 and HSPD-23:

"cybersecurity'' means prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.  

Two omissions from this definition are noteworthy—the lack of reference to information or influence operations and to the use of offensive operations in cyberspace to advance any national goals other than the one explicitly noted. Both of these topics would naturally be included in a National Cyber Strategy, but that is not what this document is—and it should not be criticized for those omissions. The strategy document is also silent on cybersecurity for national security systems, such as those operated by the Department of Defense and the intelligence community.

Although the strategy builds on cybersecurity efforts from the previous three administrations, its most important characteristic is its departure from past perspectives and practices.

Continue reading at lawfareblog.com

The vulnerability of critical infrastructure and financial systems to cyber operations remains a primary concern for national security. Protecting the state from cyber operations requires active deterrent measures through intelligence gathering, monitoring, and public-private cooperation in defense. However, when deterrence fails and malicious cyber activity occurs, questions arise about the ‘approprate’ response that balances escalation and deterrence (Borghard and Lonergan 2019). In seeking to understand how states choose to respond to cyber attacks,1 one important consideration is the significant public debate surrounding them.

Scholars have suggested public support for conflict may encourage governments to engage, while public opposition to conflict can restrain government behavior (Haesebrouck 2019; Kertzer and Brutger 2016; Kertzer et al. 2020; Levendusky and Horowitz 2012; Tomz and Weeks 2020). Currently, there is only a nascent literature on how the public reacts to cyber attacks. Survey work has found the public is less likely to support retaliation against cyber operations than against kinetic operations that produce the same effects (Kreps and Schneider 2019). It is not particularly clear why this is: psychological responses to cyber and conventional terrorism are similar (Gross et al. 2016), and individual concern about cybersecurity issues is low and resistant to change (Kostyuk and Wayne 2020). At least the scale of the cyber attack does seem to matter: scholars have found support for retaliation against cyber attacks with casualties (Kreps and Das 2017; Shandler et al. 2021) but a preference for restraint in response to electoral interference (Tomz et al. 2020). Existing experimental surveys provide an important foundation, but they leave many questions unanswered. While some existing research has found attitudes about cyber and kinetic conflicts differ, many existing surveys do not address the mechanisms by which these differences arise. One exception is Snider et al. 2021 which finds threat perception to be an important moderator for retaliation support.

Continue reading at the Journal of Conflict Resolution.

There are a number of ways to run a legitimate election. But the U.S. has learned in recent years, and Brazil learned in recent weeks, that it’s not always simple.

There are technical mechanics and processes of how votes are cast, collected and counted. But those are ultimately less important than the agreement – among opposing parties, and across a society – to abide by the results of those processes.

In 2020, President Donald Trump alleged, without evidence, that election fraud in several states had caused him to lose. A number of audits in various states found no evidence that irregularities in voting or vote counting processes had any effect on the outcome of balloting in those states.

Some of these results were later challenged in lawsuits seeking to alter the results of the election, and in every case, the election’s outcome was determined to be accurate.

Continue reading at theconversation.com

Mass atrocities—genocide, ethnic cleansing, war crimes and crimes against humanity—constitute a particularly unacceptable assault on ‘the moral conscience of mankind’. Such acts are certainly not unique to the twenty-first century, but what is unique now is the pervasiveness and sophistication of cyberspace. Cyberspace has had an unprecedented effect on how society functions, especially as a tool for fomenting division and organizing violence. The increasing focus on the politics and ethics of cyber operations has occurred alongside recognition of the need to protect vulnerable populations from mass atrocity crimes. In an effort to move away from the ‘right’ to intervene militarily, at the United Nations' 2005 World Summit states unanimously agreed to the Responsibility to Protect (R2P) norm. According to R2P, states have duties to safeguard their populations from genocide, war crimes, ethnic cleansing and crimes against humanity (Pillar I). The international community has a duty to aid states in fulfilling these duties (Pillar II) and has a responsibility to act in a ‘timely and decisive manner’ in cases where a state is ‘manifestly failing’ to protect its population—including, if necessary, via armed humanitarian interventions, subject to UN Security Council (UNSC) authorization (Pillar III).

Continue reading at academic.oup.com with free access available until April 9th. 

Russia’s invasion of Ukraine has been a watershed moment for the world of intelligence. For weeks before the shelling began, Washington publicly released a relentless stream of remarkably detailed findings about everything from Russian troop movements to false-flag attacks the Kremlin would use to justify the invasion. 

This disclosure strategy was new: spy agencies are accustomed to concealing intelligence, not revealing it. But it was very effective. By getting the truth out before Russian lies took hold, the United States was able to rally allies and quickly coordinate hard-hitting sanctions. Intelligence disclosures set Russian President Vladimir Putin on his back foot, wondering who and what in his government had been penetrated so deeply by U.S. agencies, and made it more difficult for other countries to hide behind Putin’s lies and side with Russia.

Continue reading at foreignaffairs.com

The standoff between China and Taiwan (and the U.S.) has heightened tensions to their highest level in decades but — so far at least — economic observers haven’t seen a worst-case scenario.

The island’s crucial semiconductor industry has dodged a direct hit and, while China currently has Taiwan effectively blockaded, that is expected to end this weekend.

But White House officials and other observers say that doesn’t mean Taiwan’s economy and world markets are getting off scot free. There are three key economic ripples — from global shipping to cyber attacks to trade wars — that may be felt across world markets in the weeks and months to come, even if tensions don’t get any worse.

“We will not seek, nor do we want, a crisis,” NSC Coordinator for Strategic Communications John Kirby told reporters Thursday, but he was clear that China’s actions “erode the Cross-Strait status quo” on both economic and military issues.

Here are some of the immediate economic effects likely to be felt even if China stops short of full scale economic (or actual) warfare following House Speaker Nancy Pelosi’s trip to the island.

Continue reading at finance.yahoo.com.

When the Department of Homeland Security’s Advisory Council announces it plan next week for overhauling how the agency combats the spread of disinformation online, its focus will be on “how to achieve greater transparency across our disinformation related work” and how to “increase trust with the public,” according to council meeting minutes released Monday.

Read more at Cyberscoop.com

In late June, Iran’s state-owned Khuzestan Steel Co. and two other steel companies were forced to halt production after suffering a cyberattack. A hacking group claimed responsibility on social media, saying it targeted Iran’s three biggest steel companies in response to the “aggression of the Islamic Republic.”

Read more at The Washington Post.

‘[We’re] less vulnerable against the threats of five years ago. But I see no evidence that the threat has stood still, and in fact, it is likely that it has grown at a faster rate than our defenses,” said Herb Lin, senior research scholar for cyber policy and security at Stanford University.

Read the rest at The Washington Post