Reports & Papers

Establishing norms for state behavior in cyberspace is critical to building a more stable, secure, and safe cyberspace. Norms are defined as “a collective expectation for the proper behavior of actors with a given identity,” and declare what behavior is considered appropriate and when lines have been crossed. Cyberspace is in dire need of such collective expectations. However, despite efforts by the international community and individual states to set boundaries and craft agreements, clear and established cyber norms for state behavior remain elusive. As early as 2005, the UN Group of Governmental Experts (GGE) and UN Open-Ended Working Group (OEWG) both aimed to create shared “rules of the road,” but fundamental disagreements between states and a lack of accountability and enforcement mechanisms have prevented these initiatives from substantively implementing cyber norms. As a result, the international community and individual states are left with no accountability mechanisms or safeguards to protect civilians and critical infrastructure from bad actors in cyberspace.

In this student research paper, Harvard Kennedy School student Coen Williams finds that  The Department of Defense should implement an “effects-driven” acquisitions system rather than “capabilities-based” to effectively acquire and utilize commercially developed capabilities. An effects-driven acquisitions system will increase the diversity of solutions, and by appropriating money to effects-driven portfolios, Congress can still maintain control of the purse while the Department of Defense can more effectively allocate its appropriated funds.

In his Note to Readers of the 2022 National Cyber Power Index, Eric Rosenbach, Belfer Center Co-Director and former Chief of Staff and Assistant Secretary for the U.S. Department of Defense, writes: “With the challenges in the cyber domain only increasing, it is critical for analytical tools to also be available, presenting the full range of cyber power, and informing critical public debates today. The framework that the NCPI provides is one that allows policymakers to consider a fuller range of challenges and threats from other state actors. The incorporation of both qualitative and quantitative models, with more than 1000 existing sources of data and with 29 indicators to measure a state’s capability, is more comprehensive than any other current measure of cyber power.”

The creation of a national supply chain strategy is crucial to responding to the challenge and merits specific attention from both policy and business leaders. This paper proposes specific government and business policy steps that would progress the US’s position on a more unified, strategic supply chain approach.

In this student research paper, Harvard Kennedy School student Julian Baker finds that transition from a point-in-time framework to a method of continuous compliance would raise the level of cybersecurity for critical infrastructure, making these essential services more reliable for the people relying on them. 

This guide will help independent organizations and state and local governments develop a sustainable mechanism for investigating and drawing lessons from cyber Incidents - both in the immediate aftermath and long-term.

This brief outlines what digital standards are and how the United States, European Union, and China approach standards development. It examines the implications of China’s efforts to advance a new model of cyber sovereignty through its “New IP” proposal to illustrate that overhauls of existing infrastructure-level standards are unlikely, but foreshadow the changing nature of standards from a historically apolitical domain to one of geopolitical importance. Finally, it offers considerations for the development of a long-term strategy that focuses on technology areas of strategic interest to the U.S. at the application layer through targeted regulations that promote a free, open, and democratic internet while maintaining a clear and technically informed understanding of what is likely to change (and what is not) at the infrastructure level.

Spanish translation (2022) of original English version of "Sovereignty and Data Localization" paper by Emily Wu.  

Las políticas sobre localización de datos les imponen a las empresas la obligación de almacenar y procesar los datos de manera local, en lugar de utilizar servidores ubicados fuera del país. La adopción de leyes sobre localización de datos ha venido aumentando, impulsada por el temor a que la soberanía de los países se vea amenazada debido a su incapacidad para ejercer pleno control sobre la información que almacenan fuera de sus fronteras. Este es un tema particularmente relevante para los Estados Unidos, si tenemos en cuenta su dominio en múltiples áreas del ecosistema digital, entre otras, la inteligencia artificial (IA) y la computación en la nube.

The U.S. is grappling with increasingly challenging transnational technology, policy, and security issues, which are complicated further by the economic and supply chain relationships with China. As the Biden administration and Congress look at developing policy solutions that will both reduce dependence on China and strengthen the United States’ resilience, it is important that these policies form a larger, holistic strategy that articulates the national security narrative clearly. 

A report on the interdisciplinary workshop on the development of a national capacity for the investigation of cyber Incidents.