Cyber Statecraft Initiative

Homogeneity and concentration in the browser Web browsers are the gateway to the internet. As browser developers replicate design features and concentrate around shared underlying technologies, they create cybersecurity risks with the potential…

Competition is a cybersecurity issue, but @Jshermcyber.bsky.social says policymakers must “acknowledge how questions of market concentration may not address other questions around the security and resilience of underlying foundational technologies”

The impact of corruption on cybersecurity: Rethinking national strategies across the Global South As the Global South prepares for the next stage in ICT development, governments must prioritize policies that reduce corruption in critical network software procurement to protect those countries'…

In his piece, CSI fellow Robert Peacock highlights the dangers facing countries with outdated and corrupt software acquisition practices - and offers recommendations for how governments should address these challenges. www.atlanticcouncil.org/in-depth-res...

Putin's MAX app could snoop on Russians - ABC listen With almost 100 million users, WhatsApp is Russia's most popular messaging service. But that's about to change. The service - which is owned by Facebook's parent company Meta is widely expected to be...

Russia is pushing a “super app” messenger for all citizens — including so it can ban WhatsApp and reduce reliance on Telegram. What could possibly go wrong?

My 5-minute breakdown on Australian Broadcasting Corporation:

www.abc.net.au/listen/progr...

What the Israel-Iran conflict revealed about wartime cyber operations The cyber operations on display during the recent twelve-day conflict appear to have offered an incremental edge in warfare, rather than a revolutionary one.

What can we learn about the cyber dimension of the Israel-Iran war?
It can be easy to conflate volume of cyber activity with decisive impact, says Nikita Shah, but in truth, it was largely a shaping, augmenting, and enabling function.
🔗

Markets matter: A glance into the spyware industry The Intellexa Consortium is a complex web of holding companies and vendors for spyware and related services. The Consortium represents a compelling example of spyware vendors in the context of the…

What does the spyware market look like in 2024? Dive into our report “Markets Matter: A Glance into the Spyware Industry” to learn more about all the actors in this space: www.atlanticcouncil.org/in-depth-res...

OT cyber policy: The Titanic or the iceberg Current policy does not address the issue of cyber-physical security with a systemic approach, instead focusing with tunnel vision on specific events. This analysis uses the iceberg model for systems…

Current critical infrastructure cybersecurity policy does not address cyber-physical security in a systemic way, failing to reflect the interconnected and interdependent nature of critical infrastructure. Find out why here: www.atlanticcouncil.org/in-depth-res...

Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.

China is building offensive cyber capability from the ground up—through student competitions, regional research labs, and private researchers aiding state operations. For the US, says DeSombre Bernsen, supporting homegrown talent is a strategic imperative.

🔗 www.atlanticcouncil.org/in-depth-res...

Thinking about applying to the Congressional Cyber & Digital Policy Program? Join our happy hour with alumni & CSI staff on Thursday, Aug. 7 at Barrel D.C. to learn more!

🍸 Register here:

What the Israel-Iran conflict revealed about wartime cyber operations The cyber operations on display during the recent twelve-day conflict appear to have offered an incremental edge in warfare, rather than a revolutionary one.

In a new publication, CSI senior fellow Nikita Shah discusses four types of cyber activity seen in the ongoing Israel-Iran war—and what it says about the role of cyber in contemporary conflict.
Read the piece here:

O$$ security: Does more money for open source software mean better security? A proof of concept A proof-of-concept study looking for correlation between open source software project funding and security practices at scale.

Sneak Peek: In both the Python and npm ecosystems, funding is correlated with improved scores for both the ⚠️Dangerous Workflows⚠️ and 🗝️Token Permissions🗝️ subchecks, as well as others! Want to know more? Read the full report here report ⬇️ www.atlanticcouncil.org/content-seri...

CSI's recent O$$ report investigates whether open source software projects with general funding have better security practices on average than similar unfunded projects with Open SSF Scorecards. We dove into the subchecks to figure out which ones increased with funding 📈💰🔐

The journey of reprogrammable semiconductors through their supply chain This interactive offers a concise overview of the nuances that make the FPGA supply chain uniquely challenging.

🗺️ For more, check out the full report and explore the supply chain interactive
www.atlanticcouncil.org/in-depth-res...

Four recommendations:
1️⃣   Use existing infrastructure as a data-sharing and analytics hub.
2️⃣    Invest in long-term efforts to improve technical security.
3️⃣    Build a stockpile of critical FPGAs 
4️⃣   Launch cross-sector planning efforts f to accelerate recovery.

Reprogramming the future: The specialized semiconductors reshaping the global supply chain Within three years, Chinese investments in a critical and specialized type of semiconductor—field-programmable gate arrays (FPGAs)—are likely to drive many US firms out of the market.

Given increased PRC involvement in the FPGA supply chain, US government intervention is required to build resilience against availability risks and develop technical measures that mitigate security risks and protect American firms.

🔗: www.atlanticcouncil.org/in-depth-res...

To secure reprogrammable chips, the US must address supply chain risks This policy brief analyzes the FPGA supply chain for US firms and the trade-offs these companies make among risks to cost, availability, and security.

Following the release of the American AI Action Plan, a new report from Andrew Kidd, Celine Lee, and Bruce Schneier explores the importance of the field-programmable gate array (FPGA) supply chain to US national security.

🔗 Read the full report: www.atlanticcouncil.org/in-depth-res...

a spider-man is flying through the air in a city ALT: a spider-man is flying through the air in a city

🗽The cyber world needs heroes — and no, not just the ones in capes.

The New York City #Cyber912 returns virtually on October 10-11, 2025, in partnership with @ColumbiaSIPA. Assemble your team and register now form.jotform.com/251977349018...

Did you know @BlackHatEvents has gifted passes to their conferences in Asia, the US, and Europe for winning teams of the 2024-25 #Cyber912 competition season? 

Through this gift, students from around the world will access timely infosec debates and networking opportunities.

Next week our #Cyber912 competition winners from New York, Austin, and DC will be heading to the Mandalay Bay Convention Center for Black Hat USA 2025! Comment below if we’ll see you there! www.blackhat.com/us-25/

The 5×5—Alumni perspectives on Cyber 9/12 Strategy Challenge Alumni of Cyber 9/12 Strategy Challenge share their experiences, and discuss the impact of such simulated exercises to prepare for real life cyber attacks.

We invited Frances Schroeder, Grant Versfeld, Nitansha Bansal, Gabriel Cajiga, and Tionge Mughogho to give a piece of advice to prospective #Cyber912 competitors in this 5x5. What advice would you give? www.atlanticcouncil.org/content-seri...

Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.

The US risks losing its edge in offensive cybersecurity—not due to lack of talent, but lack of support. In her report, Winnona DeSombre Bernsen highlights a gap: US investment currently leaves offensive researchers stuck in a “training valley of death.”
www.atlanticcouncil.org/in-depth-res...

The 5×5—Strengthening the cyber workforce Experts provide insights into ways for the United States and its allies to bolster the cyber workforce.

What is one assumption holding back the cyber workforce? Richard Harris thinks “one problematic assumption is that the market, academia, or government alone can solve the problem of cyber workforce shortages.”

Read the full 5x5 on the cyber workforce here:
www.atlanticcouncil.org/content-seri...

Markets matter: A glance into the spyware industry The Intellexa Consortium is a complex web of holding companies and vendors for spyware and related services. The Consortium represents a compelling example of spyware vendors in the context of the…

Consortium? Group? Alliance? What do all these terms mean for Intellexa and why is it so important to understand the distinction between them all? More in: www.atlanticcouncil.org/in-depth-res...

Avoiding the success trap: Toward policy for open-source software as infrastructure Open-source software (OSS) sits at the center of almost every digital technology moving the world since the early 1980s—laptops, cellphones, widespread internet connectivity, cloud computing, social…

Open source software is the backbone of most digital technology, just like interstates, highways, and other transportation infrastructure.
Boring maintenance now beats catastrophic clean up later!

Read more in:

The 5x5—The XZ backdoor: Trust and open source software Open source software security experts share their insights into the XZ backdoor, and what it means for open source software security.

What role can investments play in supporting open source software? We asked Tobie Langel, Aeva Black, Christopher Robinson, Stewart Scott, and Fiona Karkenburger just that in this edition of 5x5 series.

www.atlanticcouncil.org/content-seri...

Tackling the Spyware Crisis Domestic investment in spyware is undermining national security at all levels of society.

US venture capital is fueling the spyware industry. Companies backed by American dollars have enabled surveillance on US officials and allies. More about how the Trump administration can combat this issue in:

Four myths about the cloud: The geopolitics of cloud computing In competition and cooperation, cloud computing is the canvas on which states conduct significant political, security, and economic activity.

Cloud myth #2: Cloud computing is not a supply chain risk.

Fact: Cloud computing, like telecommunications and other software, has its own complex hardware and software supply chains, which face (and create) their own risks.

Learn more here: www.atlanticcouncil.org/in-depth-res...

Congressional Cyber and Digital Policy Program Open to full time Congressional staffers, this program covers key cybersecurity and digital policy issues.

🚨 Applications are OPEN for our Fall 2025 Congressional Cyber and Digital Policy Program! 🚨 For full-time Congressional staffers ready to build knowledge on cyber and digital issues. Fridays, Sept 26 – Oct 31. 🔗 Learn more here:

Russia’s digital tech isolationism: Domestic innovation, digital fragmentation, and the Kremlin’s push to replace Western digital technology Russia’s technological isolation is both a reality and a desired goal for Moscow. This piece explores the impacts of this phenomenon and offers recommendations for how to deal with that evolving…

Digital isolationism is now a reality in Russia. Western sanctions & 100k+ tech professionals leaving the country fuel the Kremlin’s push for domestic tech solutions and the implications for global tech engagement are vast. Read more here: www.atlanticcouncil.org/in-depth-res...

What do we know about cyber operations during militarized crises? Policymakers must critically examine assumptions and claims that cyber operations can serve as de-escalatory crisis offramps.

When used during times of military crisis, are cyber operations truly de-escalatory crisis offramps, or have they the potential to exacerbate an already accelerated decision making process?

Michael Fischerkeller looks at the implications in this piece:

“Cyber is becoming a business imperative.”

At the launch of the National #CyberWorkforce and Education Strategy, Rob Duhart spoke on how the private sector can support workforce development.

Watch the full event here: www.atlanticcouncil.org/event/unleas...