Reports & Papers

Since its founding in 1948, Israel has been engaged in a series of forever wars. After each war, the IDF, Mossad, Shin Bet, and others in the intelligence and security community analyze what happened and summarize their findings in after-action, or “lessons learned,” reports. Former leaders from these institutions, many of whom retain close relations with their successors, also produce reports on what happened and identify takeaways for the future. Thus, in trying to make sense of what’s happening now, lessons these experts have distilled from their experiences provide a sound starting point.

Establishing norms for state behavior in cyberspace is critical to building a more stable, secure, and safe cyberspace. Norms are defined as “a collective expectation for the proper behavior of actors with a given identity,” and declare what behavior is considered appropriate and when lines have been crossed. Cyberspace is in dire need of such collective expectations. However, despite efforts by the international community and individual states to set boundaries and craft agreements, clear and established cyber norms for state behavior remain elusive. As early as 2005, the UN Group of Governmental Experts (GGE) and UN Open-Ended Working Group (OEWG) both aimed to create shared “rules of the road,” but fundamental disagreements between states and a lack of accountability and enforcement mechanisms have prevented these initiatives from substantively implementing cyber norms. As a result, the international community and individual states are left with no accountability mechanisms or safeguards to protect civilians and critical infrastructure from bad actors in cyberspace.

In this student research paper, Harvard Kennedy School student Coen Williams finds that  The Department of Defense should implement an “effects-driven” acquisitions system rather than “capabilities-based” to effectively acquire and utilize commercially developed capabilities. An effects-driven acquisitions system will increase the diversity of solutions, and by appropriating money to effects-driven portfolios, Congress can still maintain control of the purse while the Department of Defense can more effectively allocate its appropriated funds.

In his Note to Readers of the 2022 National Cyber Power Index, Eric Rosenbach, Belfer Center Co-Director and former Chief of Staff and Assistant Secretary for the U.S. Department of Defense, writes: “With the challenges in the cyber domain only increasing, it is critical for analytical tools to also be available, presenting the full range of cyber power, and informing critical public debates today. The framework that the NCPI provides is one that allows policymakers to consider a fuller range of challenges and threats from other state actors. The incorporation of both qualitative and quantitative models, with more than 1000 existing sources of data and with 29 indicators to measure a state’s capability, is more comprehensive than any other current measure of cyber power.”

The creation of a national supply chain strategy is crucial to responding to the challenge and merits specific attention from both policy and business leaders. This paper proposes specific government and business policy steps that would progress the US’s position on a more unified, strategic supply chain approach.

In this student research paper, Harvard Kennedy School student Julian Baker finds that transition from a point-in-time framework to a method of continuous compliance would raise the level of cybersecurity for critical infrastructure, making these essential services more reliable for the people relying on them. 

The Intelligence and Applied History Projects hosted a National Security Act Essay Contest in 2022 entitled: “Imagining a New National Security Act for the 21st Century.” The contest sought to generate new ideas for improving the intelligence and national security community in the US based on the dynamic security environment we face in the 21st century. The essay prompt offered a variety of hypothetical scenarios where intelligence failure contributed to catastrophic failure and posed the question: what you would change now to improve the intelligence and national security posture of the US?

The winning essays, from a field of approximately 75 applicants, were authored by (1) Russell Travers, (2) Sophie Faaborg-Andersen, and (3) Marie Couture and Laurie LaPorte. The authors' winning essays appear in this report.

This guide will help independent organizations and state and local governments develop a sustainable mechanism for investigating and drawing lessons from cyber Incidents - both in the immediate aftermath and long-term.

This brief outlines what digital standards are and how the United States, European Union, and China approach standards development. It examines the implications of China’s efforts to advance a new model of cyber sovereignty through its “New IP” proposal to illustrate that overhauls of existing infrastructure-level standards are unlikely, but foreshadow the changing nature of standards from a historically apolitical domain to one of geopolitical importance. Finally, it offers considerations for the development of a long-term strategy that focuses on technology areas of strategic interest to the U.S. at the application layer through targeted regulations that promote a free, open, and democratic internet while maintaining a clear and technically informed understanding of what is likely to change (and what is not) at the infrastructure level.

Spanish translation (2022) of original English version of "Sovereignty and Data Localization" paper by Emily Wu.  

Las políticas sobre localización de datos les imponen a las empresas la obligación de almacenar y procesar los datos de manera local, en lugar de utilizar servidores ubicados fuera del país. La adopción de leyes sobre localización de datos ha venido aumentando, impulsada por el temor a que la soberanía de los países se vea amenazada debido a su incapacidad para ejercer pleno control sobre la información que almacenan fuera de sus fronteras. Este es un tema particularmente relevante para los Estados Unidos, si tenemos en cuenta su dominio en múltiples áreas del ecosistema digital, entre otras, la inteligencia artificial (IA) y la computación en la nube.