Cyber Statecraft Initiative

Mythical Beasts: Diving into the depths of the global spyware market The second edition of the Mythical Beasts project assess how the global spyware market has developed and changed over the past year.

The US is the largest investor in this sample of the spyware market 💰 The implications for both national security and human rights policy are profound. The report contextualizes this trend: www.atlanticcouncil.org/in-depth-res...

The impact of corruption on cybersecurity: Rethinking national strategies across the Global South As the Global South prepares for the next stage in ICT development, governments must prioritize policies that reduce corruption in critical network software procurement to protect those countries'…

In his issue brief, fellow Robert Peacock highlights the oft-overlooked dimension of cybersecurity development - corruption in software acquisition practices. Read more here: www.atlanticcouncil.org/in-depth-res...

With support from @BlackHatEvents.bsky.social for #Cyber912 winners, together, we’ve been providing conference passes and empowering students with access to cutting-edge cybersecurity insights and networking opportunities on a global scale.

Black Hat Europe 2025 Black Hat Europe 2025

Take your next steps in cybersecurity at Black Hat Europe 2025! From specialized Trainings to insightful Briefings, ExCeL London is the place to be from Dec. 8-11 for all things cybersecurity! To learn more and register, visit www.blackhat.com/eu-25/

What do we know about cyber operations during militarized crises? Policymakers must critically examine assumptions and claims that cyber operations can serve as de-escalatory crisis offramps.

“Absent direct experience, all one can rely on is academic research”—cyber operations have never been used during a military crisis between two nuclear-armed states. What happens if this Rubicon is crossed? See this piece from Michael Fischerkeller:

www.atlanticcouncil.org/in-depth-res...

Tackling the Spyware Crisis Domestic investment in spyware is undermining national security at all levels of society.

Despite bans and sanctions, spyware companies keep thriving—with US dollars. US firms are investing in tools that harm US interests. The Trump administration can counter this problem set. Learn how in: nationalinterest.org/blog/techlan...

This year at the 10th annual #Cyber912 in New York, we were joined by 20 teams representing 16 universities and colleges from across USA.

This year, teams tackled a high-stakes scenario where South China Sea tensions escalated into a global cyber crisis.

And that’s a wrap!
Our final standings for the 2025 New York #Cyber912 are:

🥇Husky Hackers of @Northeasternu.bsky.social
🥈 Black Knights of USMA West Point
🥉Golden Mules of USMA West Point

Congratulations to all our teams and thank you to @ColumbiaSIPA.bsky.social

⏳ Don’t miss your chance! Be part of the first-ever #Cyber912 Monterey Challenge happening on Nov 7–8, 2025, at MIIS. Step into a fast-paced cyber crisis simulation, and sharpen your strategy skills.
📝 Register by October 13, by 11:59PM ET: form.jotform.com/Cyber_Statec...

For the 10th annual New York City #Cyber912 with @SIPAcyber, we were joined by 21 teams from 10 states...but only 11 can advance to the semifinal round.

Check out which teams made the cut and good luck to all our semifinalists! ⬇️

The story gets even more complicated when you look at scorecard subchecks, where most funders see a strong correlation with better scores. Read more in the full report ⬇️ www.atlanticcouncil.org/content-seri...

According to our O$$ report, funding with statistically significant increases in average Scorecard scores by ecosystem: 1️⃣ Python: GitHub Organizational, GitHub Individual, Tidelift, and Open Collective 2️⃣ npm: GitHub Organizational and Open Collective.

Are improvements in the security posture of open source software projects different among sources of general funding? Our initial analysis of about 2000 open-source software packages suggests the answer might be vary across software ecosystems. 🚨🔐

The 5x5—The XZ backdoor: Trust and open source software Open source software security experts share their insights into the XZ backdoor, and what it means for open source software security.

Wondering what could prevent another incident like the XZ backdoor? Aeva Black suggests “A healthy dose of caution–particularly for maintainers of low-level system libraries in widespread use–is needed.” Check out the 5x5 to read more:

The politics of internet security: Private industry and the future of the web The private sector plays a crucial role in defining the changing shape of the Internet, especially its security. This report examines two protocols as examples of private sector influence over…

@jshermcyber.bsky.social report "The Politics of Internet Security" dives into the geopolitics of the Internet, examines how governments exert influence to warp its shape, and argues why the US needs to be more active in building a safer, more secure Internet.

How to ‘harden’ open-source software - Binding Hook Much of today's critical infrastructure and military systems rely on open-source software

And for some OSS funding and security history, check out this article from CSI nonresident senior fellow John Speed Meyers and his coauthor, Jacqueline Kazil, in @bindinghook.bsky.social: bindinghook.com/articles-bin...

Does more money for open source software lead to better OSS security? Causality is always hard to show, but correlation is easy! Check out our issue brief here: www.atlanticcouncil.org/content-seri...

a man speaking into a microphone with the words " this is your moment " above him ALT: a man speaking into a microphone with the words " this is your moment " above him

The deadline to sign up your team for the inaugural Monterey #Cyber912 Strategy Challenge has been extended to Monday, October 13 at 11:59PM ET.

If you were thinking about organizing your dream team... consider this your sign! 🔮✨
 
Register here: form.jotform.com/Cyber_Statec...

Securing AI means securing all of its data supply chain. This new framework helps policymakers & technologists see the full picture. Read the issue brief here: www.atlanticcouncil.org/in-depth-res...

Design questions in the software liability debate Software liability—resurgent in the policy debate since its mention in the 2023 US National Cybersecurity Strategy—describes varied potential structures to create legal accountability for vendors of…

Our report, Design Questions in the Software Liability Debate, asks, "what do we agree about in software liability?" and "what do we still have left to figure out?" (Sneak peek: not much, and a lot!)

The 5×5—Strengthening the cyber workforce Experts provide insights into ways for the United States and its allies to bolster the cyber workforce.

“There's still a disconnect in recognizing that cybersecurity is a foundational business risk and not a one-time, niche issue,” says Ayan Islam.

When it comes to workforce development, it takes investment at all levels!

See what other experts thought:

Mythical Beasts: Diving into the depths of the global spyware market The second edition of the Mythical Beasts project assess how the global spyware market has developed and changed over the past year.

The global spyware market is evolving 🌎 The second edition of the Mythical Beasts project details a resilient and expanding ecosystem of surveillance actors. Read more in: www.atlanticcouncil.org/in-depth-res...

Avoiding the success trap: Toward policy for open-source software as infrastructure Open-source software (OSS) sits at the center of almost every digital technology moving the world since the early 1980s—laptops, cellphones, widespread internet connectivity, cloud computing, social…

Shoring up open source software security is essential for advancing a more secure software ecosystem--it's open source all the way down!

Check out our report on policy to advance open source software security to see what policy can do ⬇️
www.atlanticcouncil.org/in-depth-res...

Countering cyber proliferation: Zeroing in on Access-as-a-Service It is imperative that governments reevaluate their approach to countering the proliferation of offensive cyber capabilities.

Access-as-a-Service firms bypass arms control agreements like the Wassenaar Arrangement by hiring foreign nationals. Policymakers must understand this industry to shape and limit the spread of offensive cyber capabilities. More here: www.atlanticcouncil.org/in-depth-res...

Tackling the Spyware Crisis Domestic investment in spyware is undermining national security at all levels of society.

US investment not only funds these companies—it legitimizes them. More money. More talent. More risk to Americans. Overview of this issue set and how to combat it in:

Makings of the Market: Seven perspectives on offensive cyber capability proliferation The marketplace for offensive cyber capabilities continues to grow globally. Their proliferation poses an expanding set of risks to national security and human rights, these capabilities also have…

For the offensive cyber capabilities market there is a "lack of transparency, insight, and monitorability of this global ecosystem when compared to physical equivalents such as small arms, chemical and radiological weapons etc." writes Ollie Whitehouse in

Four myths about the cloud: The geopolitics of cloud computing In competition and cooperation, cloud computing is the canvas on which states conduct significant political, security, and economic activity.

Cloud myth #4: Cloud providers do not influence the shape of the internet.

Fact: the availability of cloud computing has fundamentally reshapes where and how data is processed and thus how it flows across the internet.

More here:

This job post will get you kidnapped: A deadly cycle of crime, cyberscams, and civil war in Myanmar In Myanmar, cybercrime has become an effective vehicle through which nonstate actors can fund and perpetuate conflict.

Cyberscam operations emanating from Myanmar create symbiotic benefit for criminal and armed groups, the operations themselves are intensely parasitic to the global cyber domain, the broader Southeast Asian region, and the population of Myanmar. 🔗

Cyber Security as Counter-Terrorism: Seeking a Better Debate - War on the Rocks Earlier this month, a senior Justice Department official referred to ransomware as a potential “cyber weapon of mass destruction.” When hackers

There's no doubt non-state actors play a big role in cybersecurity. But how should policy reflect that? Hear from Simon Handler, Emma Schroeder, and Trey Herr on lessons for cyber policy from counterterrorism .

Homogeneity and concentration in the browser Web browsers are the gateway to the internet. As browser developers replicate design features and concentrate around shared underlying technologies, they create cybersecurity risks with the potential…

Market centralization is a cybersecurity issue! Having every internet user dependent on certain shared browser technologies creates risk. Learn more in “Homogeneity and Concentration in the Browser.”