Search

Begin New Search Topic Defense Policy Publishing Institution Third Way Publication Year within 10 Years

1. The Militarization of Cyberspace? Cyber-Related Provisions in the National Defense Authorization Act

Author:
Michael Garcia
Publication Date:
04-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
With Congress struggling to pass stand-alone cybersecurity legislation, the National Defense Authorization Act (NDAA) is now the primary vehicle to pass all matters of cybersecurity legislation. Because the annual defense bill typically requires provisions to have a tie to national security, other cyber issues, like those pertaining to criminal justice, tend to be excluded. As a result, the authorities and resources awarded to Department of Defense (DoD) cyber mission far outpace those provided to civilian agencies responsible for partnering with state, local, private, and international partners. With ransomware and cyber incidents at an all-time high, Congress should either include a new title in future Defense bills to bolster US cyber enforcement and civilian agencies’ capabilities or pass a cyber-omnibus bill to fix policy gaps and provide commensurate funds to federal and local agencies to combat malicious cyber activity. In this paper, we analyzed the last five NDAAs (2017-2021) to chronicle Washington’s reliance on the NDAA to shepherd through a wide swath of cybersecurity legislation. We found that: Members of Congress included 290 cyber-related provisions in the past five NDAAs, with the past two NDAAs accounting for 60% of those provisions. In fact, the FY 2021 NDAA contained 380% more cyber-related provisions than the FY 2017 NDAA. The 179 cyber-provisions included in the past two NDAAs far outpace the 14 cybersecurity bills that the 116th Congress passed (two of which were those NDAAs). Across 13 categories, three of the top four were aimed at the DOD core cyber missions, such as changing organizational processes and structures, protecting DoD assets, and engaging with foreign partners while deterring nation-state adversaries. In FY 2020, the number of non-DoD-related cyber provisions began increasing, such as supply-chain security and industrial policy, critical infrastructure protection, and election security. The provisions in these NDAAs helped improve US offensive cyber capabilities, implement measures to deter cyber adversaries, and shore up our cybersecurity defenses, all of which are needed. But because cybersecurity is a multifaceted issue that expands beyond national security and touches on criminal justice, workforce development, private-sector collaboration, and privacy issues, Congress must ensure it takes a holistic approach when creating cybersecurity laws.
Topic:
Defense Policy, Science and Technology, Military Strategy, Legislation, and Cyberspace
Political Geography:
North America and United States of America

2. To Patch or Not to Patch: Improving the US Vulnerabilities Equities Process

Author:
Josh Kenway and Michael Garcia
Publication Date:
06-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
The process that determines when and how the US government discloses unknown cybersecurity vulnerabilities to relevant companies or withholds them for government purposes lacks sufficient accountability, transparency, and public trust. Malicious actors do not hesitate to exploit “zero-day vulnerabilities,” or vulnerabilities that a company has had zero days to patch, with Chinese-based hackers most recently using a zero-day in Microsoft Exchange Servers to infect hundreds of thousands of systems.1 Yet, the government also uses zero-days to carry out activities that are in the nation’s interest and, as a result, does not tell the impacted software or hardware vendor about the vulnerability. In this case, the government determines that the benefit of not disclosing the vulnerability outweighs the consequence of a bad actor potentially exploiting the vulnerability for nefarious purposes. In 2010, the US government created the Vulnerabilities Equities Process (VEP) to convene federal agencies that represent a range of national interests—including security, intelligence, foreign policy, commerce, and civil rights and liberties protection—to weigh distinct perspectives on how vulnerabilities should be patched or briefly kept open for law enforcement, intelligence gathering, or military purposes. However, the VEP is not codified in law and has failed to deliver greater transparency around government retention of vulnerabilities nor ensures accountability for the government’s decisions. Congress and the Biden administration should address deficiencies with the VEP to increase transparency, strengthen accountability, build public and industry trust, and establish a world-leading model for decision-making around what to do about high-value vulnerabilities. This paper details seven steps for the Biden administration to enhance transparency and accountability in the VEP while preserving government priorities, as well as flexibility for the defense of democratic values and institutions.
Topic:
Security, Defense Policy, Science and Technology, Governance, Cybersecurity, and Transparency
Political Geography:
North America and United States of America

3. 2021 Reader’s Guide to Understanding the Proposed US Cyber Enforcement Budget

Author:
Aaron Clarke
Publication Date:
09-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
Cyber attacks in the United States continue to devastate and disrupt day-to-day operations in the private and public sectors. Marked by events like the ransomware attack on Colonial Pipeline that created gas shortages and increased prices, cybercrime impacts everyday citizens, even if they are not directly targeted by an attack. The Department of Homeland Security (DHS) reported that in 2020 there were “over $4 billion in cybercrime losses reported to the U.S. government.”1 This growing cybersecurity threat has only been exacerbated by the rise of cryptocurrencies like Bitcoin and exposed network vulnerabilities from those working from home during the pandemic.2 In response to this influx of cyber attacks, the Biden Administration has taken steps to both bolster the federal government’s ability to detect and respond to cyber attacks as well as protect its own systems.3 The Department of Energy (DOE) and DHS have both made cybersecurity a top priority in their latest initiatives. President Biden called on DOE to launch a 100 day plan aimed at preventing disrupted services for electric utilities, and DHS announced a series of 60-day “sprints” to support private and public partners against ransomware.4 The FY2021 National Defense Authorization Act also created the first U.S. National Cyber Director, tasked to lead the implementation of U.S. cyber policy and strategy, and rapidly improve cybersecurity defense capabilities. Although ransomware attacks have spiked, the federal government has made inroads on combatting cyber criminals. The Cyber Enforcement Budget for FY2022 should continue funding and seek to build on the key improvements and actions taken by the Biden administration. In this guide, we will look at the budget implications for cyber enforcement, recommendations for Congress, and provide a detailed breakdown of the proposed budget’s funding allocations. Specifically, we recommend that Congress should: Restore the $15 million of funding cut from the State Homeland Security Program. The program provides critical grants to states that require recipients spend at least 10% of their grants on cybersecurity needs. Require an alignment of cybercrime goals and outcomes across law enforcement agencies within the Departments of Homeland Security, Justice, and Treasury. Ensure that federal agencies are prepared to implement President Biden’s cybersecurity executive order.
Topic:
Defense Policy, Science and Technology, Law Enforcement, Budget, and Cybersecurity
Political Geography:
North America and United States of America

4. Talking Points for the Top National Security Issues of 2020

Author:
Mieke Eoyang
Publication Date:
05-2020
Content Type:
Working Paper
Institution:
Third Way
Abstract:
In 2020, candidates and elected officials will face questions on national security and foreign policy issues. In this memo, we provide short talking points on these issues that acknowledge the concerns of Americans, critique current approaches and policies, and present a vision for the future: 1. Global Health Security, 2. China & COVID-19, 3. China Trade War, 4. Russia, 5. Terrorism, 6. Domestic Extremism, 7. Iran, 8. Election Security, 9. Saudi Arabia & Yemen, 10. Syria, 11. Alliances, 12. North Korea, 13. Cyberthreats, 14. Venezuela, 15. Afghanistan, 16. Forever War, 17. Border Security, 18. Defense Spending, 19. Impeachment, 20. Climate Change, 21. Corruption
Topic:
Security, Defense Policy, Military Strategy, and Elections
Political Geography:
United States, North America, and Global Focus

5. Where Are We Now? Examining the Trump Administration’s Efforts to Combat Cybercrime

Author:
Michael Garcia and Anisha Hindocha
Publication Date:
06-2020
Content Type:
Special Report
Institution:
Third Way
Abstract:
Amid the COVID-19 pandemic, the United States has seen an acceleration of an already massive cybercrime wave. Daily reports of cybercrime to the FBI’s Internet Crime Complaint Center have nearly quadrupled since the pandemic began, to roughly 4,000 reports per day. Unfortunately, even before this crisis began, the enforcement rates for these crimes are low – for every 1,000 reported cyber incidents, only three arrests of the perpetrators occur. In the fall of 2018, the White House released the “National Cyber Strategy of the United States,” which detailed how the Administration would create or update policies for combating cybercrime. While no implementation plan for this Strategy was ever published, Third Way conducted an analysis of publicly available information of the Administration’s actions and budgetary allocations since the strategy’s release to examine their cybercrime enforcement efforts.
Topic:
Security, Defense Policy, Science and Technology, Cybersecurity, Pandemic, COVID-19, and Digitalization
Political Geography:
North America and United States of America

6. US Global Cybercrime Cooperation: A Brief Explainer

Author:
Allison Peters and Anisha Hindocha
Publication Date:
06-2020
Content Type:
Policy Brief
Institution:
Third Way
Abstract:
Cybercrime is a persistent and transnational threat with the rates in the United States estimated to have up to quadrupled during the COVID-19 pandemic. Unfortunately, law enforcement in the United States and globally has struggled to keep up with this crime, resulting in a considerable enforcement gap that allows cybercriminals to operate with near impunity. In the United States, only 3 in 1,000 malicious cyber incidents will ever see an arrest and the global enforcement gap is likely to be similar.1 The investigation of one cybercrime case often involves criminal justice systems in many different countries, requiring intense international cooperation to bring the perpetrators to justice. The United States is a member of a number of formal and informal mechanisms that help facilitate this cooperation. This includes being a party to a number of binding treaties—particularly the only global cybercrime treaty known as the Budapest Convention—as well as a member of key networks and in multilateral forums. The United States is also a member of a number of entities aimed at developing norms to guide the behavior of nation-states in cyberspace where cooperation in cybercrime investigations is encouraged.
Topic:
Defense Policy, Crime, Cybersecurity, Pandemic, and COVID-19
Political Geography:
North America and United States of America

7. 2020 Thematic Brief: US Cybersecurity Efforts

Author:
Third Way
Publication Date:
09-2020
Content Type:
Policy Brief
Institution:
Third Way
Abstract:
Cybercrime is exploding. Malicious cyber actions by America’s adversaries are becoming more sophisticated. And cybersecurity remains a top national security issue for the United States. But while we are spending huge amounts of effort to secure our systems, our ability to go after attackers is woefully outdated. As COVID-19 continues to ravage the globe, malicious actors are exploiting the pandemic and committing cyberattacks for a variety of motives. Nation-states, terrorists, criminal groups, and lone actors have launched cyberattacks and committed cybercrime against large businesses and private citizens, causing devastating impacts to US national and economic security. While federal, state, and local agencies have taken steps to reduce cyber threats, the Trump Administration has not provided nearly enough resources, does not coordinate efforts, and denies risks posed to election infrastructure. Here’s what Congress must do: Go after the bad actors. We must improve the US government’s capabilities to identify, stop, and punish human cyber attackers in order to close the yawning cyber enforcement gap: the number of cyberattacks launched per year in the United States versus the number of arrests of malicious cyber actors; Secure America’s election infrastructure and combat foreign interference and disinformation efforts; and Re-establish the United States as a global leader in setting policy around how different actors should behave in cyberspace and boost international cooperation and capacity around these issues.
Topic:
Security, Defense Policy, Science and Technology, Cybersecurity, and COVID-19
Political Geography:
North America and United States of America

8. 2020 Thematic Brief: Preventing and Countering Terrorism

Author:
Third Way
Publication Date:
09-2020
Content Type:
Policy Brief
Institution:
Third Way
Abstract:
The Trump Administration’s stated strategies to prevent and counter terrorism have largely continued the approach of the Obama Administration. However, this approach is at odds with the president’s own rhetoric and actions, which make us less safe in the long term. President Trump has verbally attacked and abandoned key allies and partners in the fight against terrorism, including the Kurds in Syria, while embracing counterproductive policies that will make it easier for terrorists to rebuild. At the same time, President Trump has largely ignored the far-right extremism that has spiked under his presidency. Even worse, he has retweeted statements that come from people associated with hate groups. Right-wing extremists, and in particular white supremacists, have caused more deaths than international terrorists in recent years.1They feel they have an ally in President Trump because he has largely refused to condemn them. During the recent protests for racial justice, he completely ignored the threat of right-wing extremists accused of killing Americans and plotting attacks against the military, while at the same time he was inflating other extremist threats.23And he blamed both sides in Charlottesville. To be clear, one side was neo-Nazis and other white supremacists. The United States needs a smart and tough approach to terrorism and extremism that includes: Prioritizing the threat of domestic extremism and dedicating resources to prevent and counter it, including by providing support to organizations working on these issues, cutting off financial flows, evaluating whether further designations of foreign right-wing organizations are warranted, and addressing extremism in the US military;4 Preventing the spread of all forms of violent extremism by addressing the root causes globally and reducing the effectiveness of recruitment efforts; Protecting the American homeland by preventing terrorist attacks and disrupting terrorist networks in the United States; and Eliminating terrorist safe havens abroad and building up the capacity of partner nations to fight terrorism on their own turf.
Topic:
Security, Defense Policy, Terrorism, Military Strategy, and Counter-terrorism
Political Geography:
North America and United States of America

9. A Roadmap to Strengthen US Cyber Enforcement: Where Do We Go From Here?

Author:
Allison Peters and Michael Garcia
Publication Date:
11-2020
Content Type:
Special Report
Institution:
Third Way
Abstract:
The following report is the result of a multiyear effort to define concrete steps to improve the US government’s ability to tackle the scourge of cybercrime by better identifying perpetrators and imposing meaningful consequences on them and those behind their actions
Topic:
Security, Defense Policy, Science and Technology, Governance, and Cybersecurity
Political Geography:
North America and United States of America