Earlier this year, the Belfer Center’s Cyber Project embarked on an ambitious project, but one we believe is achievable: to get a federal data privacy and security law passed. Such a law will have enormous benefits for consumers, businesses, and national security. In the absence of a federal law,  organizations are still free to collect, hold, process, use, and sell data however they wish.

In collaboration with the R Street Institute’s Cybersecurity and Emerging Threats Team, led by Tatyana Bolton, and Cyberspace Solarium Commission’s Senior Advisor Cory Simpson, the Cyber Project is taking a focused approach to the problem. 

Intelligence agencies have struggled to define how open source intelligence fits into its broader work, but the wide breadth of publicly available information about the Ukraine conflict, combined with proactive disclosures of classified information, are providing some clarity about OSINT’s role. Lauren Zabierek and Maria Robson Morrow spoke with the Federal News Network on how the public and private sectors are leveraging open source intelligence, including challenges and opportunities.

This explainer is part of a series considering roadblocks to a federal data security and privacy law, drawing upon research and engagement with stakeholders to identify and recommend appropriate courses of action to find compromise on federal legislation. Ongoing research also includes topics like civil rights in privacy, arbitration and covered entities and data. We offer the following initial recommendations:

With the looming threat of increased conflict in Ukraine, businesses around the world should be preparing now, write Paul R. Kolbe, Maria Robson Morrow, and Lauren Zabierek. Corporate security and intelligence teams have said they’re seeing an increase in cyber probes, and the U.S. Cybersecurity and Infrastructure Security Agency and the European Central Bank have both issued warnings about potential Russian cyberattacks. At this point, companies should be taking the following steps: 1) Review business continuity plans; 2) Closely examine supply chains; 3) Actively engage peer networks, vendors, and law enforcement around cyber intrusions; 4) Instill a security mindset in employees; and 5) Make sure corporate intelligence and IT teams are working closely together on solutions.

Amid a heightened threat environment in which U.S. water infrastructure is increasingly vulnerable to cyberattacks, the time to set cybersecurity regulations--and provide funding for state, local, and private organizations to meet them--is now. 

The increasing tempo of offensive cyber operations by Iran and its adversaries, including the U.S. and Israel, has led many commentators to label them as “tit-for-tat”: a cyclical action-reaction dynamic where each side seeks to respond appropriately to an earlier violation by the other. However, this interpretation has significant theoretical and empirical deficiencies. Why, then, does a tit-for-tat narrative dominate our understanding of Iranian cyber activity, and what are the consequences? This paper explores that question.

With the swift Taliban takeover of Afghanistan, we asked Belfer Center experts for their insights on what this could mean for the region – and what actions concerned countries, including the U.S., might take now. 

National security structures envisioned in the 20th century are inadequate for the cyber threats that America faces in the 21st century. These structures, created to address strategic, external threats on one end, and homeland security emergencies on the other, cannot protect us from ambient cyber conflict, because they were designed for different times and threats. Our nation—comprising the federal government, private sector companies, critical infrastructure operators, state and local governments, nonprofits and universities, and even private citizens—are constantly under attack by a myriad of cyber actors with ever-increasing capabilities. 

The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”

American troops and their allies have been conducting counter-terror operations and working to uphold the security of Afghanistan from Taliban extremists since shortly after the 9/11 attacks in 2001. A deal negotiated between the Taliban and the Trump administration in February 2020 called on Western nations to withdraw all their forces by May 1 of this year. This week, President Biden announced that U.S. troops will complete their exit from Afghanistan by Sept. 11, 2021. We reached out to several Belfer Center experts for their thoughts.