The Latest from A Multi-stakeholder Approach to Cybersecurity Risk Management

Oct 20, 2017 | Nilsu Goren, Theresa Hitchens

Cybersecurity transcends national boundaries in many ways: The internet’s technical infrastructure is global in scope; threat actors based in one country can disguise their identities by taking control of computers in other countries; global businesses sell software, hardware, and security services that may introduce or combat vulnerabilities; and the consequences from a disruptive attack can spread far beyond the initial victim. Even the most cyber-savvy country cannot protect itself completely unless it wants to disconnect from the global internet and...

Aug 10, 2017 | Charles Harry

The Mirai botnet attack on the DYN network in October 2016 highlighted to many policymakers the potential problems associated with IoT devices. The compromise and concerted use of thousands of webcams and DVRs to disrupt key Internet services focused attention on the poor implementation of security controls on millions of devices newly connected to the Internet.

The introduction of the IoT Cybersecurity Improvement Act of 2017 by a bipartisan group of US senators seeks to address the inherent threat IoT...

Jul 3, 2017 | David Mussington

Bill C-59 – the National Security Act 2017 – outlines a new vision for Canadian national security. Reading between the lines of this “anti-terror” bill, there is a clear attempt here to comprehensively rework decision-making mechanisms to enhance oversight and ministerial control over counter terrorism, surveillance and cyberspace operations.

While its new measures demonstrate a clarity of vision as to where this administration would like its counter-terror efforts to go, the document reveals something else that is much more interesting....

Apr 11, 2017 | Nancy Gallagher, Charles Harry

Faced with a rapidly growing volume and range of cyber attacks, policymakers and organizational leaders have had difficulty setting priorities, allocating resources, and responding effectively without a standard way to categorize cyber events and estimate their consequences. Presidential Policy Directive 41 laid out the Obama administration’s principles for executive branch responses to significant cyber incidents in the public or private sector. But it neither drew important distinctions between different types of cyber incidents, nor gave a standard way to determine...

Jan 10, 2017 | David Mussington

January is typically the month of new beginnings. However, the first portion of 2017 has offered everything but a break from the tumultuous wreckage seen in the past year. This past week the U.S. intelligence community released its first public assessment of Russian interference in the US elections.

The results of this assessment leave the United States and Western nations with a choice on how they will respond to Russian actions designed to disrupt and undermine the integrity of democratic...

Aug 4, 2015 | Charles Harry

While significant media attention has been given to the volume and range of cyber attacks, the inability to measure and categorize disruptive events has complicated efforts of policy makers to push comprehensive responses that address the range of cyber activity. While organizations and public officials have spent significant time and resources attempting to grapple with the complex nature of these threats, a systematic and comprehensive approach to categorize and measure disruptive attacks remains elusive. This paper addresses this issue by...

Mar 31, 2011 |

This paper evaluates the prospects for protecting critical social functions from “cyber” attacks carried out over electronic information networks. In particular, it focuses on the feasibility of devising international laws, conventions or agreements to deter and/or punish perpetrators of such attacks. First, it briefly summarizes existing conventions and laws, and explains to which technological issues they can apply. The paper then turns to a technical discussion of the threats faced by critical infrastructure. By distinguishing between the different types of attacks...

Dec 9, 2010 |

The global proliferation of networked computer systems within the public and private sectors presents an increased opportunity for malicious cyber attacks to disrupt the daily functions of governments, national emergency systems, the global economy, and our modern way of life. The potentially pandemic nature of network failures presents opportunities for states to work together to identify key infrastructure sectors of shared interest and formulate international norms and strategies to protect them from cyber attacks and prevent cascading failures within modern...

Dec 1, 2011 | John Steinbruner

The Obama administration has issued four documents dealing with issues of cybersecurity. Two are concerned with protecting the United States against the many real and imagined forms of cyberattack, one announces an effort to establish protective norms of behavior among “like-minded” countries, and one accuses China and Russia of stealing economic information by cyberintrusion, making it evident that they are not included among the like-minded countries.

The documents feature basic principles and generally worded aspirations with very little...

Apr 23, 2013 |

Threats to cyberspace and to information security are emerging as central elements of Russian-U.S. security relations. As much as U.S. officials have expressed concerns about Russian-sponsored cyber-activities, Russia is equally concerned about U.S. military intentions in the cyber domain. Differing definitions of what activities pose a threat complicate relations on this issue. While the United States is concerned primarily with threats to technology and economic well-being, Russia is also concerned about activities that threaten interference in Russian sovereign affairs. Russian...