Reports & Papers

Russian cyber operations against the United States aim to both collect information and develop offensive capabilities against future targets. Washington must strengthen its defenses in response.

This paper addresses a growing concern to one of the most fundamental components of our democracy: how cybersecurity risks can influence the integrity of our elections.

While the issue of cyber operations beyond NATO’s own networks is a politically difficult one given the complex mosaic of national, transnational (EU), and international law; the role of national intelligence efforts in certain types of operations; and ever-present disputes over burden-sharing, the Alliance already has invaluable experience in developing policies and procedures for contentious and sensitive tools in the form of the Nuclear Planning Group (NPG). This article begins with a brief overview of actions NATO has already taken to address cyberthreats. It will then explore why these, while important, are insufficient for the present and any imaginable future geopolitical threat environment. Next, it will address the history of the NPG, highlighting some parallels with the present situation regarding cyber and drawing out the challenges faced by, and activities and mechanisms of, the NPG. Finally, it will make the case that a group modeled on the NPG can not only significantly enhance the Alliance’s posture in cyberspace, but can serve as an invaluable space for fostering entente and reconciling differences on key aspects of cyber policy. It concludes that the Alliance needs to consider offensive cyber capabilities and planning, and it needs a Cyber Planning Group to do it.

Internet penetration and the wider adoption of information communications technologies (ICTs) are reshaping many aspects of the world's economies, governments, and societies. Everything from the way goods and services are produced, distributed, and consumed, to how governments deliver services and disseminate information, to how businesses, and citizens interact and participate in the social contract are affected. The opportunities associated with becoming connected and participating in the Internet economy and the potential economic impact cannot be ignored.

"Building on CRI 1.0, Cyber Readiness Index 2.0 examines one hundred twenty-five countries that have embraced, or are starting to embrace, ICT and the Internet and then applies an objective methodology to evaluate each country's maturity and commitment to cyber security across seven essential elements."

The case is designed to support a discussion of the costs and benefits associated with competing models of vulnerability disclosure. The trade in zero-days is a growing area of policy concern. The case can be used in courses on cyber policy, science and technology policy, or national security. It can be used to explore the concepts of public goods, dual-use technologies, and externalities.

In 1992, there were only a million users on the Internet; today, there are nearly three billion, and the Internet has become a substrate of modern economic, social and political life. And the volatility continues. Analysts are now trying to understand the implications of ubiquitous mobility, the "Internet of everything" and analysis of "big data." Over the past 15 years, the advances in technology have far outstripped the ability of institutions of governance to respond, as well as our thinking about governance.

"Cybersecurity is a major concern at companies of all sizes and has a measureable impact on many facets of operations, and certainly profitability. Yet the scale of that impact is often obscured or lost in translation. Unless directors can cut through the technical jargon in what are often massive amounts of information they receive, the size of the risk and the steps to mitigate it may not be clear. Instead, Hathaway says, the risks need to be translated into a language most directors know well: dollars and cents."

The Cyber Readiness Index (CRI) examines thirty-five countries that have embraced ICT and the Internet and compares their maturity and commitment to protecting those investments using an initial objective assessment of where countries stand in cyber security in five areas.