The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
Forty years ago, an interdisciplinary group of Harvard scholars – professors, researchers and practitioners – came together to tackle the greatest threat of the Cold War: the fear of a nuclear exchange between the Soviet Union and the United States. Today, we seek to recreate that interdisciplinary approach to tackle a new threat: the risk of conflict in cyberspace.
The problems that confront today’s leaders are substantial and diverse: how to protect a nation’s most critical infrastructure from cyber attack; how to organize, train, and equip a military force to prevail in the event of future conflict in cyberspace; how to deter nation-state and terrorist adversaries from conducting attacks in cyberspace; how to control escalation in the event of a conflict in cyberspace; and how to leverage legal and policy instruments to reduce the national attack surface without stifling innovation. These are just a sample of the motivating questions that drive our work.
The aim of the Belfer Center's Cyber Project is to become the premier home for rigorous and policy-relevant study of these and related questions.
China’s capabilities and intentions in cyberspace have, and will increasingly have, a significant impact on the various interests in the international community. However, the study of the intersection between China policy scholarship and cyber policy scholarship is relatively recent, and rapidly evolving. There is limited understanding and analysis of what has happened, what is happening, and what China’s capabilities and intentions may be now and in decades to come.
The China Cyber Policy Initiative, which was active from 2019 to 2020, sought to tackle those questions and offer thoughtful, in-depth, evidence-based analysis to inform public discourse on Chinese cyber issues and assess and communicate both the positive and more challenging consequences for the international community.
The aim of this initiative was to be a leading resource for, and convener of, international policy practitioners, academia, business, technologists, and civil society on China's cyber policy and the broader question of cyber power and global politics.
We pursued our research through:
- the creation of new frameworks for considering and measuring cyber power in the form of Belfer's National Cyber Power Index.
- the promotion of U.S.-China Track II dialogue on cyber-related issues.
The CCPI team endeavored to communicate our perspective in national and international fora to ensure that evidence-based analysis and nuanced perspectives inform thinking around one of today’s most important, sometimes misunderstood, and complex issues.
Belfer’s National Cyber Power Index
The Belfer National Cyber Power Index (NCPI) measures 30 countries' cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data.
In contrast to existing cyber-related indices, we believe there is no single measure of cyber power. Cyber power is made up of multiple components and should be considered in the context of a country’s national objectives. We take an all-of-country approach to measuring cyber power. By considering “all-of-country” we include all aspects under the control of a government where possible. Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation. Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively.
The overall NCPI assessment measures the “comprehensiveness” of a country as a cyber actor. Comprehensiveness, in the context of NCPI, refers to a country’s use of cyber to achieve multiple objectives as opposed to a few. The most comprehensive cyber power is the country that has (1) the intent to pursue multiple national objectives using cyber means and (2) the capabilities to achieve those objective(s).
We present three different indices: the NCPI, the Cyber Intent Index (CII), and the Cyber Capability Index (CCI). Both the CII and CCI are stand-alone measures. The NCPI is a combination of CII and CCI.
Researchers and practitioners should use the NCPI to gain a more comprehensive understanding of the components that comprise cyber power and how cyber means can be employed to achieve a range of objectives. Users who are interested in a specific national objective can analyze the NCPI by both intent and capabilities by objective to better understand their country of interest.
Track II U.S.-China Cyber Security
The Belfer Center for Science and International Affairs has established a Track II Dialogue with the China Institute for International Strategic Studies (CIISS), to facilitate discussions between the U.S. and China, as well as representatives from both countries’ tech sectors, on the risks of cyber conflict. The Track II will explore existing and new tools for mitigating these risks and possible areas for collaboration.
This Track II Dialogue is made possible through a grant from the Harvard Global Institute (HGI) and the Harvard President’s Office.
Learning from Cyber Incidents
The Belfer Center's Cyber Project is pursuing work on how lessons can be learned from cyber incidents to better inform defense measures. The focus of this work is on expanding the concept of a “Cyber NTSB” and creating a “Near Misses” reporting system, both modeled on how safety improvements are made following an aviation incident. With support from the National Science Foundation and the Hewlett Foundation, the Belfer Center is hosting a series of workshops in 2021.
The page for this initiative and all related research, including the final report, is linked here: https://www.belfercenter.org/learning-cyber-incidents
The Path to Reaching Consensus for Federal Data Security and Privacy Legislation
The Belfer Center's Cyber Project and the R Street Institute's Cybersecurity and Emerging Threats Team have been working together to identify roadblocks to a federal data security and privacy law, drawing upon research and engagement with stakeholders to identify and recommend appropriate courses of action to find compromise on federal legislation. Ongoing research also includes topics like civil rights in privacy, arbitration and covered entities and data.
INTRO - The Path to Reaching Consensus for Federal Data Security and Privacy Legislation
PART 1 - Preemption in Federal Data Security and Privacy Legislation
PART 2 - The Role of the Federal Trade Commission in Federal Data Security and Privacy Legislation
PART 3 - Limiting a Private Right of Action in Federal Data Security and Privacy Legislation
EXPLAINER - Answer to Tough Questions: The Framework of a Federal Data Security and Privacy Law
Data privacy is one of the nation’s most pressing issues. The current lack of federal privacy legislation affects the economy, national security and consumer safety and is—at its most basic level—not a controversial issue for most Americans. Multiple leaders of top-tier tech companies have, in recent weeks, called for privacy legislation. The major bills on the table are mostly aligned. Where they differ, however, and where Congress must find consensus, is on the most contentious issues: preemption, private right of action (PRA) and the role of the Federal Trade Commission (FTC). Our goal in developing this series is to offer recommendations on the best way to find agreement on these key issues.
The United States is one of the industrialized countries that lacks a single, national data privacy law, which affects our global competitiveness. In the vacuum left by the lack of federal government progress, state laws are passing quickly. But this isn’t the best path forward. Studies have shown that a patchwork of state privacy laws could cost the United States over $1 trillion in out-of-state costs over 10 years. In addition, this patchy landscape would be difficult for businesses to navigate, especially small and medium companies.
Moreover, many countries want to take our data and weaponize it. For example, China—the most significant of these threats—is working to overtake the United States in the technology sector and is actively using our weak cybersecurity and data privacy protections to gather our data and use it against us. This can have many consequences, from blackmailing U.S.-based critics to identifying intelligence agents. Thus, the United States stands to gain significant competitive and national security advantages if our companies keep data private and secure.
The majority of Americans want data privacy regulation. Without a federal standard, consumers are left with unequal protections, or none at all.
Lauren Zabierek, Executive Director, Cyber Project, Belfer Center
Tatyana Bolton, Policy Director, Cybersecurity and Emerging Threats, R Street
Brandon Pugh, Policy Counsel, Cybersecurity and Emerging Threats, R Street
Sofia Lesmes, Senior Research Associate, Cybersecurity & Emerging Threats, R Street
Cory Simpson, Senior Advisor, Cyberspace Solarium Commission
The R Street Institute's Cyber Team, led by Tatyana Bolton, the Belfer Center’s Cyber Project, led by Lauren Zabierek, and Cory Simpson, a senior advisor on the Cyberspace Solarium Commission, have drafted three articles, each of which focuses on one of the main areas of federal privacy law debate, identifies a variety of options for consensus and offers initial recommendations for compromise.
Our articles on preemption, PRA and the role of the FTC are intentionally framed differently than standard academic and think tank products. Our goal is to provide key members who are debating privacy legislation with a guide to the most challenging issues national legislation has faced, offering succinct options for bipartisan consensus. Although we present these topics separately, we recognize that these issues overlap, and progress toward consensus on one may mean a tradeoff on another.
Our work, which is the result of over 130 engagements across a full range of stakeholders, including Congress, the private sector, consumer groups and privacy advocates, builds off of the efforts of other experts, such as the Brookings Institution, Privacy for America and Duke University. Varied perspectives—even if conflicting—were crucial to understanding what an effective, passable bill could look like.
A federal data security and privacy law has never been more necessary, and we are closer to realizing that goal than ever before. For the sake of our economy, national security and consumer rights, the United States must act now rather than continue to hold out for the perfect law.
These papers and projects are examples of research conducted by Harvard Kennedy School students working with the Cyber Project and supported, in part, by the Belfer Center.
Buying What Works: An Acquisitions Strategy for the Reality of Dual-Use Technologies
Coen Williams, October 2022
The Department of Defense should implement an “effects-driven” acquisitions system rather than “capabilities-based.” System requirements should be based on the effects required to wage and win conflicts across a continuum, rather than on specific, domain- and platform-centric capabilities. An effects-driven acquisitions system will increase the diversity of solutions, and by appropriating money to effects-driven portfolios, Congress can still maintain control of the purse while the Department of Defense can more effectively allocate its appropriated funds.
Continuous Compliance: Enhancing Cybersecurity for Critical Infrastructure by Strengthening Regulation, Oversight, and Monitoring
Julian Baker, August 2022
A transition from a point-in-time framework to a method of continuous compliance would raise the level of cybersecurity for critical infrastructure, making these essential services more reliable for the people relying on them. Continuous compliance represents a security posture and set of operational practices where an organization can persistently monitor, identify, and rectify current or potential lapses in their cybersecurity to ensure adherence to legal standards and industry best practices. The transition to continuous compliance requires a shift in an organization’s mindset to embrace monitoring, evaluation, learning, and adapting in an ongoing manner. It also requires enabling technologies, such as artificial intelligence and a compliance engine, which is software and a service that monitors specified inputs to measure compliance, track progress, and identify noncompliant systems and behaviors.
Never Breaking the Chain: The Economics and Politics of Creating an Effective National Supply Chain Strategy
Hannah Scott, August 2022
Beyond recent events, one of the longer-term geopolitical trends that has shone a spotlight on supply chains as a strategic issue is the emergence of technological development as a competitive domain. This is especially a result of the ascendancy of China and its shifting relations with the US, which identified China as its principal competitor for the first time in the Department of Defense’s 2022 National Defense Strategy. As countries vie for dominance in specific strategic sectors of the international economy, countries are beginning to maneuver for control over the supply chains that enable manufacturing and trade within these sectors. This increased politicization of supply chains means that now more than ever, businesses have to be aware of the political context from which they operate. Especially in advanced sectors such as energy, health, information communications or advanced manufacturing where governments see a strategic benefit in asserting their dominance in the international trade system, businesses are vulnerable to a swathe of illegal activity conducted by both state and non-state actors, including cyberattacks, IP theft and, ultimately, permanent technology transfer. In their current configuration, the supply chain structures of many firms operating in the US in strategic sectors are set up in such a way that it is all too feasible for hostile actors to exploit their vulnerabilities. This not only poses a threat to the long-term viability of American businesses’ competitiveness, but it also affects national security and prosperity overall.