Reports & Papers

On June 12-13, 2018, digital HKS welcomed public sector digital services teams from around the world to share stories of success, talk about lessons learned, and discuss the challenges they face in transforming government. The teams convened all agreed on North Star goals of building platform services and putting users at the center; what remains much more difficult is identifying how teams in very different political and technology contexts should think about how to reach that end-state. In this report, digital HKS shares best practices we gleaned from this group, to start a broader conversation for digital services groups around the world about what comes next.

Where does malicious software - the code designed to exploit the vulnerabilities of computers and computer systems - come from?

This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported.

Malicious software is adapted, stolen, bought, and used everyday on a global scale. There are better ways to counter this proliferation than export controls. Policymakers should strengthen incentives for researchers and the private sector to rapidly identify software vulnerabilities, disclose them to developers, patch those vulnerabilities, and adopt those patches. Building on previous debates, this paper makes specific recommendations to shorten the lifecycle of vulnerabilities and improve the short term health of the software security ecosystem.

Few areas of national policymaking will remain untouched by artificial intelligence. Though the challenges it poses are complex, the opportunities it offers are tremendous. Simply put, machine learning is too important to ignore.

This paper argues that threats to core internet infrastructure and services can, in fact, rise to the level of a serious national security threat to the United States and will explore scenarios where this may be the case. The paper will discuss several kinds of core internet services and infrastructure and explore the challenges with understanding interdependencies between the internet and critical infrastructure; review recent attack techniques that can cause systemic risk to the internet; discuss various nation state capabilities, intentions and recent activities in this area; and describe how these attacks could be used against the United States to deter the U.S., control escalation, or potentially degrade U.S. warfighting capabilities in a conflict. Finally, the paper concludes with recommendations for what the United States and other governments can do to build defenses and resiliency against systemic threats to the internet.