Since January 20th, the Biden administration has been focused above all else on tackling Covid-19 and passing a landmark economic relief bill. This is unsurprising. In the context of a global pandemic, with an urgent vaccine rollout taking place, the US government must prioritise tackling Covid-19 and its economic consequences. However, President Biden has a raft of additional problems waiting at his doorstep. In particular, the US faces a two-pronged cybersecurity crisis: the impact of a vast cybersecurity breach known as the SolarWinds attack that was likely perpetrated by Russian intelligence, coupled with the fallout from Trump’s ‘legacy of cyber confusion’.   This leaves Biden with three tasks. First, he must deal with the immediate consequences of SolarWinds: identifying what data has been compromised and doing everything possible to patch exploited systems. Next, he must hold Russia accountable …

As expected, the recent NATO Summit was dominated by President Trump’s blunt criticisms of allies. He accused European member states of taking advantage of the United States, of failing to follow through on the 2014 agreement to raise defence spending to a minimum of 2% of GDP, and cozied up to Russia, perhaps most shockingly given the accusations levelled at his own campaign, of colluding with Russia. The basis for these accusations should be taken seriously, even if the latent threat of the United States withdrawing from NATO and the capricious means of delivery seem designed more to appeal to American domestic political interests than to truly illicit reform of the organisation. Cutting through the hyperbole, we see that there …

Cybersecurity has become a major concern for governments, companies and citizens, as some of their most sensitive information is routinely stored and communicated online. Rogue attackers can steal confidential information or corrupt their databases, potentially leading to critical security incidents ranging from reputational damages and economic losses to national security risks. The threat, however, works in two ways. While companies and governments are concerned about being targets of digital infiltration, they have used these technologies to obtain extensive information from common citizens for crime and terrorism prevention or commercial purposes. Collecting geolocationdata and screening social networks are now common practices, relatively easy to carry out due to the embedded features of modern devices. For years, many surveillance practices were conducted …

Can a non-state actor take down critical infrastructure with a cyberattack? If it is not possible today, will it be possible in the future? Experts disagree about the capabilities of non-state actors in cyberspace, let alone agree on their future capability. There is debate within cybersecurity community and academia whether cyber weapons are getting cheaper and thus within the reach of the self-proclaimed Islamic State or other non-state groups. Although there is some general consensus that offensive cyber operations will be less expensive in the future, there is very little understanding of what influences the costs of a cyber weapon. Making sense of the inputs and defensive environment that drive the cost of a cyber weapon is essential to understanding what actors—whether state, non-state, or criminal—will …

Privateering in information security is back in fashion. This is not the first time: In 2006, Michael Tanji diagnosed parallels between cyberspace and the loosely governed sea in the 17th century and explored privateering as a policy solution. In 2013, Halvar Flake gave a keynote, analogizing the development of the hacking community in the 1990s and 2000s with the development of navies in the 16th and 17th century. His focus was mainly on identifying similarities, not advocating policy.  And earlier this year, Dave Aitel brought up the issue here on Lawfare and advocated for resurrecting privateering in cyberspace. Although I agree that the analogies are striking, the risks of adopting 17th century policy in today’s environment are underappreciated. There are many risks, but the following three stand out: an …

Cybersecurity firms, despite their increasing prominence in light of greater media attention at Russian and Chinese cyber operations, are often criticized for their biases when identifying advanced persistent threat actors (APT). Two critiques are most-often heard. Security researcher Jeffrey Carr accurately put his finger on one of the sore spots: How is it that our largest infosec companies fail to discover APT threat groups from Western nations (w/ @kaspersky as the exception)? — Jeffrey Carr (@jeffreycarr) 4 August 2016 A second issue frequently mentioned is that threat intelligence firms have an incentive to exaggerate the cyber threat. If a firm is able to discover a highly advanced threat, it must mean that it has advanced detection capabilities and you should …