Articles

54 Items

Photo of Mark Zuckerberg preparing to resume testimony about user data on Facebook.

(AP Photo/Jacquelyn Martin)

Magazine Article - Belfer Center for Science and International Affairs, Harvard Kennedy School

America Needs to Align Technology with a Public Purpose

| Nov. 25, 2018

The arc of innovative progress has reached an inflection point, writes Ash Carter in The Atlantic. "Recent technological change that has brought immeasurable improvements to billions around the globe now threatens to overwhelm us. Making this disruption positive for all is the chief challenge of our time. We ourselves—not only market forces—should bend the arc of change toward human good. To do so, we must reinvigorate an ethos of public purpose that has become dangerously decoupled from many of today’s leading tech endeavors."

teaser image

Journal Article - IEEE Internet of Things

IIoT Cybersecurity Risk Modeling for SCADA Systems

| Apr. 06, 2018

Abstract:

Urban critical infrastructure such as electric grids, water networks and transportation systems are prime targets for cyberattacks. These systems are composed of connected devices which we call the Industrial Internet of Things (IIoT). An attack on urban critical infrastructure IIoT would cause considerable disruption to society. Supervisory Control and Data Acquisition (SCADA) systems are typically used to control IIoT for urban critical infrastructure. Despite the clear need to understand the cyber risk to urban critical infrastructure, there is no data-driven model for evaluating SCADA software risk for IIoT devices. In this paper, we compare non-SCADA and SCADA systems and establish, using cosine similarity tests, that SCADA as a software subclass holds unique risk attributes for IIoT. We then disprove the commonly accepted notion that the Common Vulnerability Scoring System (CVSS) risk metrics of Exploitability and Impact are not correlated with attack for the SCADA subclass of software. A series of statistical models are developed to identify SCADA risk metrics that can be used to evaluate the risk that a SCADA-related vulnerability is exploited. Based on our findings, we build a customizable SCADA risk prioritization schema that can be used by the security community to better understand SCADA-specific risk. Considering the distinct properties of SCADA systems, a data-driven prioritization schema will help researchers identify security gaps specific to this software subclass that is essential to our society’s operations.

teaser image

Journal Article - Georgetown Journal of International Affairs

Campaign Planning with Cyber Operations

    Author:
  • Michael Sulmeyer
| Dec. 28, 2017

The military not only plans for operations, it also plans to plan. Yet there is no current plan or process in place to integrate cyber initiatives into campaign planning. The US government must determine how to integrate offensive and defensive cybercapabilities into campaign planning in order to leverage these capabilities and pair them with the military’s broad array of tools.

teaser image

Journal Article - Journal of Conflict Resolution

Invisible Digital Front

| Nov. 10, 2017

Recent years have seen growing concern over the use of cyber attacks in wartime, but little evidence that these new tools of coercion can change battlefield events. We present the first quantitative analysis of the relationship between cyber activities and physical violence during war. Using new event data from the armed conflict in Ukraine—and additional data from Syria’s civil war—we analyze the dynamics of cyber attacks and find that such activities have had little or no impact on fighting.

tenth grader attending a class how to investigate a computer network that has been hacked in Beit Shemesh, Israel.

AP

Journal Article - Cyber, Intelligence, and Security

Four Big "Ds" and a Little "r": A New Model for Cyber Defense

| June 2017

This article argues that cyberthreats are not fundamentally different from other asymmetric threats, and it provides a conceptual model for developing a response by drawing on classic principles of military strategy, the "four Ds"— Detection, Deterrence, Defense, and Defeat—as well as resilience (the little "r"). The authors offer a model for how countries can create policies addressing each of these principles that will enhance the security of national cyber systems.