278 Items

Eric Rosenbach testifying in front of the United States Senate Committee on Homeland Security and Governmental Affairs in Washington. April 24, 2018 (Credit: Senate Committee on Homeland Security and Governmental Affairs website).

Senate Committee on Homeland Security and Governmental Affairs

Testimony - Belfer Center for Science and International Affairs, Harvard Kennedy School

America, Democracy and Cyber Risk: Time to Act

| Apr. 24, 2018

Eric Rosenbach, Co-Director of the Belfer Center for Science and International Affairs at Harvard Kennedy School, and former Chief of Staff to the Secretary of Defense and Assistant Secretary of Defense for Homeland Defense and Global Security, testified before the United States Senate Committee on Homeland Security and Governmental Affairs on April 24, 2018, on "Mitigating America's Cybersecurity Risk."

 

teaser image

Analysis & Opinions - Cipher Brief

How to Run a Cyber War…Game

| Apr. 22, 2018

The Cipher Brief hosted its second annual threat conference at beautiful Cloister Resort on Sea Island, Ga., this month. While there, Dmitri Alperovitch and I ran cyber exercises that pushed participants, many of whom are former senior government leaders, to step into the shoes of U.S. national security decision-makers to resolve international crisis situations. Because the sessions were entirely off-the-record, I won’t discuss how specific participants reacted and what they recommended, but rather I will reflect on what lessons can be learned from these types of exercises and how The Cipher Brief’s can be a model for others.

A view of the National Cybersecurity and Communications Integration Center before remarks by President Barack Obama, on Tuesday, Jan. 13, 2015, in Arlington, Va.

AP Photo/Evan Vucci

Paper - Cyber Security Project, Belfer Center

Understanding Federal Cybersecurity

    Author:
  • Kate Charlet
| April 2018

There are no silver bullets for federal cybersecurity. The system will retain its inherent complexity, necessitating close coordination and partnership. Federal cybersecurity will be an enduring mission, always evolving and changing to stay ahead of the threat. In other words, there is no “finish line”—only continual improvement, adaptation, and cooperation to secure the federal government and those it serves.

Atlanta Cyber Attack

John Spink / Atlanta Journal-Constitution

Analysis & Opinions - San Francisco Chronicle

To defend cities from cyberattack, think like a hacker

| Apr. 06, 2018

Our cities are under attack. In the past two months, two major cyberattacks have targeted urban critical infrastructure and services. In February, Colorado’s Department of Transportation had to shut down 2,000 employee workstations after an attack. The department website reported issues for more than a week after the attack. In late March, 8,000 city employees in Atlanta resorted to using pen and paper for work after a cyberattack compromised their computers. Both attacks caused havoc.

teaser image

Journal Article - IEEE Internet of Things

IIoT Cybersecurity Risk Modeling for SCADA Systems

| Apr. 06, 2018

Abstract:

Urban critical infrastructure such as electric grids, water networks and transportation systems are prime targets for cyberattacks. These systems are composed of connected devices which we call the Industrial Internet of Things (IIoT). An attack on urban critical infrastructure IIoT would cause considerable disruption to society. Supervisory Control and Data Acquisition (SCADA) systems are typically used to control IIoT for urban critical infrastructure. Despite the clear need to understand the cyber risk to urban critical infrastructure, there is no data-driven model for evaluating SCADA software risk for IIoT devices. In this paper, we compare non-SCADA and SCADA systems and establish, using cosine similarity tests, that SCADA as a software subclass holds unique risk attributes for IIoT. We then disprove the commonly accepted notion that the Common Vulnerability Scoring System (CVSS) risk metrics of Exploitability and Impact are not correlated with attack for the SCADA subclass of software. A series of statistical models are developed to identify SCADA risk metrics that can be used to evaluate the risk that a SCADA-related vulnerability is exploited. Based on our findings, we build a customizable SCADA risk prioritization schema that can be used by the security community to better understand SCADA-specific risk. Considering the distinct properties of SCADA systems, a data-driven prioritization schema will help researchers identify security gaps specific to this software subclass that is essential to our society’s operations.

Photo of state and local election officials at D3P conference.

Benn Craig/Belfer Center

News - Belfer Center for Science and International Affairs, Harvard Kennedy School

Election Officials from 38 States Learn to Fortify Elections Against Attacks

| Mar. 29, 2018

More than 120 election officials from 38 states gathered in Cambridge, Massachusetts, this week to participate in role-playing exercises that provided them with tips, tools, and training to fortify their election systems against cyber attacks and information operations. Organized by the Defending Digital Democracy Project (D3P) at Harvard Kennedy School’s Belfer Center for Science and International Affairs, the two-day event featured a tabletop exercise (TTX) scenario for officials that simulated attacks on election systems ranging from hacks and social media misinformation to  manipulation of voter information and trust. The state and local election officials learned how to better prepare, defend, and respond to a range of attacks on the integrity of American elections and how to empower their colleagues back home with this knowledge as they prepare for the 2018 and 2020 elections.   

teaser image

Video - Center for Strategic & International Studies

"Star Wars" and Cyber: Can history help us build today's defenses?

| Mar. 23, 2018

Building effective cyber defenses is a major challenge for defense planners, just as missile defense has been since the original Strategic Defense Initiative. In both realms the offense has the advantage, making effective defense difficult. Missile defense, however, now has several decades of experience producing and fielding new technologies. The Project on Military and Diplomatic History hosted a panel discussion of CSIS experts and Michael Sulmeyer of the Belfer Center on the history of missile defense, its experience in developing new technologies, and what these tell us about the prospects for building effective cyber defenses.

teaser image

Analysis & Opinions - Foreign Affairs

How the U.S. Can Play Cyber-Offense

| Mar. 22, 2018

The focus on cyber-deterrence is understandable but misplaced. Deterrence aims to change the calculations of adversaries by persuading them that the risks of an attack outweigh the rewards or that they will be denied the benefits they seek. But in seeking merely to deter enemies, the United States finds itself constantly on the back foot. Instead, the United States should be pursuing a more active cyberpolicy, one aimed not at deterring enemies but at disrupting their capabilities. In cyberwarfare, Washington should recognize that the best defense is a good offense.