Reports & Papers

Where does malicious software - the code designed to exploit the vulnerabilities of computers and computer systems - come from?

This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported.

Malicious software is adapted, stolen, bought, and used everyday on a global scale. There are better ways to counter this proliferation than export controls. Policymakers should strengthen incentives for researchers and the private sector to rapidly identify software vulnerabilities, disclose them to developers, patch those vulnerabilities, and adopt those patches. Building on previous debates, this paper makes specific recommendations to shorten the lifecycle of vulnerabilities and improve the short term health of the software security ecosystem.

Few areas of national policymaking will remain untouched by artificial intelligence. Though the challenges it poses are complex, the opportunities it offers are tremendous. Simply put, machine learning is too important to ignore.

This paper argues that threats to core internet infrastructure and services can, in fact, rise to the level of a serious national security threat to the United States and will explore scenarios where this may be the case. The paper will discuss several kinds of core internet services and infrastructure and explore the challenges with understanding interdependencies between the internet and critical infrastructure; review recent attack techniques that can cause systemic risk to the internet; discuss various nation state capabilities, intentions and recent activities in this area; and describe how these attacks could be used against the United States to deter the U.S., control escalation, or potentially degrade U.S. warfighting capabilities in a conflict. Finally, the paper concludes with recommendations for what the United States and other governments can do to build defenses and resiliency against systemic threats to the internet.

This paper offers five standards of care that can be used to test individual states' true commitment to the international norms of behaviour. Only with a concerted and coordinated effort across the global community will it be possible to change the new normal of "anything goes" and move forward to ensure the future safety and security of the Internet and Internet-based infrastructures.

Russian cyber operations against the United States aim to both collect information and develop offensive capabilities against future targets. Washington must strengthen its defenses in response.

This paper addresses a growing concern to one of the most fundamental components of our democracy: how cybersecurity risks can influence the integrity of our elections.