The Cyber Statecraft Initiative works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology. This work extends through the competition of state and non-state actors, the security of the internet and computing systems, the safety of operational technology and physical systems, and the communities of cyberspace. The Initiative convenes a diverse network of passionate and knowledgeable contributors, bridging the gap among technical, policy, and user communities.

We’re Hiring!

Assistant Director, Trainings & Competitions, Digital Forensic Research Lab

Associate Director, Capacity Building, Digital Forensic Research Lab

Congressional program

Homogeneity and Concentration in the Browser

01 12 2024

Congressional Cyber and Digital Policy Program

By DFRLab

Our Work

Our Team

Cyber Statecraft Fellows

Events

CSI is dedicated to convening a diverse network of passionate and knowledgeable contributors, bridging the gap among technical, policy, and user communities. Check out our past events here and make sure to keep an eye out for our future events by following us on Twitter and LinkedIn.

CSI Events

Recent Publications

May 2024

The 5×5—The XZ Backdoor: Trust and Open Source Software

by Nitansha Bansal, Stewart Scott

Open source software security experts share their insights into the XZ backdoor, and what it means for open source software security.
Read More
April 2024

Markets Matter: A Glance into the Spyware Industry

by Jen Roberts, Trey Herr, Emma Taylor, Nitansha Bansal

The Intellexa Consortium is a complex web of holding companies and vendors for spyware and related services. The Consortium represents a compelling example of spyware vendors in the context of the market in which they operate—one which helps facilitate the commercial sale of software driving both human rights and national security risk.
Read More
April 2024

O$$ Security: Does More Money for Open Source Software Mean Better Security? A Proof of Concept

by Sara Ann Brackett, John Speed Meyers, Stewart Scott

A proof-of-concept study looking for correlation between open source software project funding and security practices at scale.
Read More
February 2024

The 5×5—Alumni perspectives on Cyber 9/12 Strategy Challenge

by Nitansha Bansal, Isabella Wright

Alumni of Cyber 9/12 Strategy Challenge share their experiences, and discuss the impact of such simulated exercises to prepare for real life cyber attacks.
Read More
February 2024

Hacking with AI

by Maia Hamin, Stewart Scott

Can generative AI help hackers? By deconstructing the question into attack phases and actor profiles, this report analyzes the risks, the realities, and their implications for policy.
Read More
February 2024

Future-Proofing the Cyber Safety Review Board

by Maia Hamin, Alphaeus Hanson, Trey Herr, Stewart Scott

The Cyber Safety Review Board seeks to examine and learn from complex failures in cyberspace. As Congress considers how to design its next iteration, there are ways to make it more effective and adaptable for the increasing challenges to come.
Read More
January 2024

The Great Despiser: The BSA, Memory Safety, and How to Make a Good Argument Badly

by Stewart Scott

Memory-safe programming languages are in the cyber policy mainstream, but some hesitation remains. Looking at the arguments around memory safety is informative for larger cyber policy debates too.
Read More
January 2024

The 5×5—Forewarned is forearmed: Cybersecurity policy in 2024

by Nitansha Bansal, Trey Herr

Members of the Cyber Statecraft Initiative team discuss the regulatory requirements and emerging technology they are closely following in 2024, and forewarn of the year ahead.
Read More
January 2024

Design Questions in the Software Liability Debate

by Maia Hamin, Sara Ann Brackett, and Trey Herr, with Andy Kotz

Software liability—resurgent in the policy debate since its mention in the 2023 US National Cybersecurity Strategy—describes varied potential structures to create legal accountability for vendors of insecure software. This report identifies key design questions for such regimes and tracks their discussion through the decades-long history of the debate.
Read More
November 2023

This Job Post Will Get You Kidnapped: A Deadly Cycle of Crime, Cyberscams, and Civil War in Myanmar

by Emily Ferguson and Emma Schroeder

In Myanmar, cybercrime has become an effective vehicle through which nonstate actors can fund and perpetuate conflict.
Read More

Cyber Statecraft Initiative

An image of browser icons for Edge, Firefox, Chrome, Opera, and Brave browsers

Mon, Oct 30, 2023

Homogeneity and Concentration in the Browser

Web browsers are the gateway to the internet. As browser developers replicate design features and concentrate around shared underlying technologies, they create cybersecurity risks with the potential to impact many internet users at once.

by Justin Sherman and Jessica Edelson

Cybersecurity Telecomms and the Internet

Fri, Oct 27, 2023

The 5×5—The Cybersecurity Implications of Artificial Intelligence

A group of experts with diverse perspectives discusses the intersection of cybersecurity and artificial intelligence.

by Maia Hamin and Simon Handler

Artificial Intelligence Series and Response

Thu, Oct 12, 2023

Driving Software Recalls: Manufacturing Supply Chain Best Practices for Open Source Consumption

Product recalls require practices that can help software vendors move toward better component selection and tracking and better relationships with customers, all while making software vendors responsible for OSS security instead of maintainers.

by Jeff Wayman, Brian Fox

Cybersecurity Open Source Software

Wed, Sep 27, 2023

Kink in the Chain: Eight Perspectives on Software Supply Chain Risk Management

Software supply chain attacks are popular, impactful, and are used to great effect by malicious actors. To dive deeper on this topic, we asked eight experts about these threats and how policymakers can help protect against them.

by Cyber Statecraft Initiative

Cybersecurity Software Supply Chains

Wed, Sep 27, 2023

Software Supply Chain Security: The Dataset

Want to dive deeper into the Breaking Trust database? You have come to the right place.

by Will Loomis, Stewart Scott, Trey Herr, Sara Ann Brackett, Nancy Messieh, and June Lee

Cybersecurity Software Supply Chains

Wed, Jul 19, 2023

Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things

SBOMs are an important step forward for software supply chain security, so despite pushback and opposition, industry and government should take a page out of Taylor Swift’s book and just keep cruisin’, don’t let SBOM haters get in the way. 

by John Speed Meyers, Sara Ann Brackett, and Trey Herr

Cybersecurity Software Liability

Tue, Jul 18, 2023

The National Cybersecurity Strategy Implementation Plan: A CSI Markup

On July 13, the White House released the Implementation Plan for the 2023 US National Cybersecurity Strategy. Read along with CSI staff, fellows, and experts for commentary and what the NCSIP means for the Strategy.

by Trey Herr, Stewart Scott, Maia Hamin, Will Loomis, Sara Ann Brackett, Jennifer Lin

Cyber Strategy Cybersecurity

Mon, Jul 10, 2023

Critical Infrastructure and the Cloud: Policy for Emerging Risk

Critical infrastructure increasingly depends upon cloud computing. Policy must adapt its approach to risk management accordingly.

by Tianjiu Zuo, Justin Sherman, Maia Hamin, and Stewart Scott

Cloud Computing Cybersecurity

Wed, Jun 28, 2023

Shaping the global spyware market: Opportunities for transatlantic cooperation

The United States and its allies can do more to improve their position on spyware. Further policy action should, through greater collaboration with marketplace operators and allies and partners, work on furthering the development of norms and common understanding of what spyware can and cannot be used for.

by Jen Roberts and Emmeline Nettles

Cyber Strategy Cybersecurity

Wed, Jun 14, 2023

Who’s Afraid of the SEC?

The SEC wants to require fast, public disclosure of cybersecurity incidents. These rules could benefit investors—and the cyber ecosystem.

by Maia Hamin

Cybersecurity Incidents, Vulnerabilities, and Information Sharing

Mon, May 15, 2023

What is driving the adoption of Chinese surveillance technology in Africa?

When examining the proliferation of Chinese surveillance systems and cyber capabilities in Africa, research disproportionately focuses on the motivations and ambitions of the supplier. This perspective, while it highlights Chinese diplomatic ambitions and corporate opportunities, ignores local features that drive the adoption of Chinese surveillance tools.

by Bulelani Jili

Africa China

Mon, Feb 27, 2023

A Parallel Terrain: Public-Private Defense of the Ukrainian Information Environment

The information environment is a key domain through which the war in Ukraine is being contested. By better understanding the key role that private tech companies play in this domain, the USs and Ukraine can better prepare for future threats.

by Emma Schroeder and Sean Dack

Conflict Conflict in and through the Cyber Domain