Cybersecurity poses new questions for old alliances. These questions emerge with special force in the case of the North Atlantic Treaty Organization (NATO). The Russian Federation wields substantial cyber capabilities, but NATO members have been ambivalent about stating what sorts of attacks would trigger the North Atlantic Treaty's Article 5 collective self-defense provisions. Nevertheless, NATO officials state that there are some attacks that would trigger Article 5. This leads to a puzzle: why would an explicit alliance guarantee designed to ensure collective defense against certain forms of attack be informally extended to include others? Because the policy of the United States toward such questions will likely be of great significance in determining NATO policy, we use a series of survey experiments to test American public opinion regarding support for defending allies and friendly countries against cyber operations. Respondents are likelier to support a response to an attack that causes fatalities and when the victim has a treaty alliance with the United States. In contrast, support falls if US participation is likely to provoke further retaliation or the target attacked is civilian rather than military. © 2022 The Author(s) (2022). Published by Oxford University Press on behalf of the International Studies Association.
The failure of the government to provide adequate protection has led many cybersecurity analysts, scholars, and policymakers to suggest that there is a need for private-sector self-help. If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense. In other words, the private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks. Taking into consideration U.S., foreign, and international law, the U.S. should expressly allow active defenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses. More aggressive active defenses that could be considered counterattacks should be taken only by law enforcement or in close collaboration with them.
The spectrum of current threat vectors is far more complex now than ever before. The current threat vectors are kinetic, asymmetric, dual-use, and hybrid, which renders them difficult to assess and even to distinguish from a routine event. The threats not only jeopardize the security posture but also cyber defense capabilities, the very line of defense that is designed to protect against such threats. Countering threat vectors in multiple domains, viz., social, physical, and informational, is a major challenge and requires technology augmentation to assess, act and thwart such persistent and pervasive threats.
This report aims at providing policy makers with evidence to assess the effectiveness of the existing EU cybersecurity framework specifically through data on how the NIS Directive has influenced cybersecurity investments and overall maturity of organisations in scope. As 2024 is the year of the transposition of NIS 2, this report also intends to capture a pre-implementation snapshot of the relevant metrics for new sectors and entities in scope of NIS 2 to help future assessments of the impact of NIS 2.
The addition of the Prepare step is one of the key updates to the Risk Management Framework (NIST Special Publication 800-37, Revision 2 [SP 800-37r2]). The Prepare step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Tasks in the Prepare step directly support subsequent RMF steps and are largely derived from guidance in other NIST publications or are required by Office of Management and Budget (OMB) policy (or both). Thus, organizations may have already implemented many of the tasks in the Prepare step as part of organizationwide risk management. The Prepare step intends to reduce complexity as organizations implement the Risk Management Framework, promote IT modernization objectives, conserve security and privacy resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals. The organization- and system-level risk management activities conducted in the Prepare step are critical for preparing the organization to execute the remaining RMF steps. Without adequate risk management preparation at the organizational and system levels, security and privacy.
Security and privacy controls are the safeguards and countermeasures employed within an organizational system to protect the confidentiality, integrity, and availability of the system and its information, as well as the privacy of individuals. Selecting and implementing the appropriate controls for a system are important tasks that can have major implications on the operations and assets of an organization, as well as the welfare of individuals and the Nation.
Most research in defence centres on big NATO nations, while much less focus has been given to smaller NATO nations. The paper explores this issue. First, the author redefines the term 'small NATO nations' and introduces a new idea: 'no-capability NATO nation'. Then, the author conducts a systematic literature review on defence acquisition (DA). From 122 records, only five are found to relate to small NATO nations. Moreover, the identified literature is US-dominated and EU concerns prevail over NATO concerns.
This article analyzes the attempts to construct global cybersecurity norms. It differs from much of the existing literature on norm-construction since it moves beyond the interstate level to examine subnational groups and private sector actors that function as norm entrepreneurs in this policy area.
Many of these potential uses raise important social and ethical questions which demand the attention of all those involved in the research, administration, management and regulation of neuroscience research and related technological developments, including those in information and communication technologies (ICT) and robotics. In this Opinion, we suggest that we can increase our ability to identify which programmes and projects of research, development and innovation are ‘of concern’ by applying the principles of Responsible Research and Innovation (RRI) to the concept of ‘dual use’ and distinguishing between ‘responsible’ and ‘irresponsible’ systems of research and technological development. We therefore use the term ‘dual use research of concern’ (DURC) to refer to neuroscience research and technological innovations, and brain inspired developments in information and communication technologies, for use in the political, security, intelligence and military domains, which are either directly of concern because of their potential for use in ways that threaten the peace, health, safety, security and well-being of citizens, or are undertaken without responsible regard to such potential uses.
This article explains the origins and institutionalisation of cyber security in Australia—particularly ‘civilian cyber security’. The authors trace the origin of Australia’s first computer emergency response team and explain how this organisational form spread from the USA. Through it, Australia helped enable international cooperation. Domestically, however, the authors argue that the Australian government has struggled with the delegation, orchestration and abdication of responsibility for civilian cyber security, underinvesting in civilian organisations while overrelying on military and intelligence agencies. The history of this organisational field provides valuable insight into how to improve national policy and operations for cyber security.