Search

Begin New Search Publication Year within 5 Years Publication Year within 3 Years

9821. Unpacking US Cyber Sanctions

Author:
Allison Peters and Pierce MacConaghy
Publication Date:
01-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
Malicious cyber activity poses one of the greatest threats to America’s national, economic, and personal security. Yet, the perpetrators of these crimes largely operate with pure impunity and face little consequences for their actions. This is particularly the case for cybercriminals who cost the US economy anywhere from $57 billion to $109 billion in 2016 alone.1 Since 2015, the United States has imposed targeted sanctions (e.g., asset freezes, travel bans) on over 300 individuals and entities in response to malicious cyber activity.2 Many of these sanctions were issued under the cyber-related sanctions program administered by the Department of Treasury and established by a series of Executive Orders under Presidents Obama and Trump and bills passed by Congress.3 Sanctions have largely been imposed on individuals with ties to Iran, Russia, and North Korea, and, in about half of these cases, sanctions have followed indictments. An overwhelming majority of these sanctions have targeted individuals with suspected links to government entities and, only recently, have cyber sanctions targeted cybercriminals.4 As targeted sanctions increasingly become a tool deployed by the US government to punish malicious cyber actors, it remains unclear whether they are having an impact in changing behavior. Research on the impact of sanctions more broadly indicates that sanctions can be an effective tool to impose consequences on bad actors and change their actions when employed multilaterally, as part of a coherent strategy, and effectively messaged.5 However, imposing sanctions on malicious cyber actors without continuously reassessing their impact and the expected reciprocal actions by the target(s), risks a number of potentially negative outcomes. While Congress introduced legislation in the 116th Congress to impose new or codify existing cyber-related sanctions into law,6 it has not exercised the necessary oversight over the Executive Branch’s strategy in issuing cyber-related sanctions and determining their efficacy. With other countries now following America’s lead in issuing these sanctions, the time is ripe for the new Congress to push for an inter-agency, holistic assessment of the impact of US cyber-related sanctions.7 And with cybercrime increasingly threatening all sectors of the US economy, Congress must call for an evaluation as to whether sanctions on non-state cybercriminals should increasingly be used.
Topic:
Science and Technology, Sanctions, Cyberspace, and Digitalization
Political Geography:
North America and United States of America

9822. Taking Action on Cyber Enforcement: Assessing US Legislative Progress in the 116th Congress

Author:
Michael Garcia and Pat Shilo
Publication Date:
02-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
The 116th Congress experienced events like no other in American history, including unprecedented levels of malicious cyber activity. Global estimates say that ransomware attacks have increased by 148% since February 2020, with many US hospitals and schools falling victim and having their operations suspended.1 Leading up to and during the pandemic, Members of the 116th Congress responded and drafted cybersecurity legislation, introducing 316 bills to tackle the issue—a 40% increase from the previous Congress. This memo presents a comprehensive analysis of the cybersecurity legislation introduced in the 116th Congress and is a successor to our memo assessing the cybersecurity legislation in the previous Congress. Unlike the 115th Congress, the two chambers of the 116th were each under the control of a different party. Still, more than half of the introduced bills were bipartisan, including 85% of the bills signed into law. However, only 11% of the introduced bills focused on imposing consequences for the human actors behind cyberattacks, such as imposing sanctions or strengthening laws to prosecute criminals to hold them accountable for their actions. Following the trend of past congresses, most of the bills focused on protecting data and securing critical infrastructure. But while defending data and infrastructure is important, the lack of legislation to address the challenges of imposing consequences on the human actor suggests that Congress should prioritize introducing and passing bipartisan legislation that reduces the impunity with which malicious cyber actors, particularly cybercriminals, act. Here are the main takeaways from the bills introduced last Congress: Cybersecurity-related legislation increased by 40% since the 115th Congress. Of the 316 bills introduced, 14 became law, with nine related to appropriations or agency authorizations legislation. However, only 36 of the 316 bills introduced in the 116th Congress, and just three of the 14 provisions signed into law, focused on imposing consequences on the human actors behind cyberattacks. Cybersecurity remains a largely bipartisan issue. Over 50% of all legislation and 85% of all bills signed into law had a bipartisan co-sponsor.
Topic:
Security, Science and Technology, Cybersecurity, Legislation, and Cyberspace
Political Geography:
North America and United States of America

9823. Follow the Money: Few Federal Grants are Used to Fight Cybercrime

Author:
Michael Garcia
Publication Date:
02-2021
Content Type:
Special Report
Institution:
Third Way
Abstract:
Like traditional crime, not all cybercrime rises to the level that requires a federal response. And like other crimes, victims will call upon state and local law enforcement to respond.1 They are unprepared. The 18,000 law enforcement agencies in the United States lack the tools, personnel, and resources to respond to cybercrime effectively. State and locals have turned to federal funding to fill these gaps, but federal government grants do not prioritize combatting cybercrime. The Justice Department (DOJ) has never identified cybercrime as an “Area of Emphasis” for their main criminal justice grant that awards state and local criminal justice agencies $400-$550 million annually.2 And while DOJ and the Department of Homeland Security (DHS) provided nearly $2 billion that state and local officials could use for cyber enforcement purposes in Fiscal Year (FY) 2019, data from DHS implies that very little is used for cybercrime. Only 2% of all DHS preparedness grant programs were used for all cybersecurity needs in FY 2019.3 Moreover, just three grants in FY 2019 were solely dedicated to cybercrime with a total budget of $12.7 million.4 As a result, only 45% of local law enforcement agencies have access to adequate digital evidence resources, according to one survey. This leads to a backlog of un-analyzed evidence needed to investigate cybercrime and a sense of futility about law enforcement’s ability to close cases.5 While Members of Congress have introduced several bills to create dedicated cybersecurity grant programs for state and local entities, these proposals tend to not include cyber enforcement needs as an eligible expense.6 Moving forward, Congress should: Call on DOJ and DHS to prioritize combatting cybercrime as a main law enforcement issue within their grants. Require prioritization of cyber enforcement needs in grant programs administered by DOJ and DHS in annual appropriations bills; and List cyber enforcement spending as an eligible expense in any bills creating new cybersecurity grant programs for state and local governments.
Topic:
Crime, Law Enforcement, Cybersecurity, Police, Justice, and Cyberspace
Political Geography:
North America and United States of America

9824. President Biden Has Five Options for Future Negotiations with Iran

Author:
Pat Shilo and Todd Rosenblum
Publication Date:
03-2021
Content Type:
Working Paper
Institution:
Third Way
Abstract:
President Biden has announced plans to re-engage with Iran on the Joint Comprehensive Plan of Action (JCPOA), also known as the Iran Nuclear Deal. In this paper, we briefly outline the five most likely pathways ahead, each of which has strengths and challenges: Return to the JCPOA as it was. Return to the JCPOA plus new commitments that address other security concerns with Iran. Restore the JCPOA as it was plus a set of confidence-building measures to address other security concerns. Formally link a requirement for Iran to address our other concerns as a pre-condition for further talks. Return to the pre-JCPOA Middle East, where US and allies work to rollback Iran’s nuclear program and actively deter its regional actions by confrontation, punishment, and isolating measures. Each path carries risk and opportunity for restoring American leadership in the world, and congressional Democrats should remember the perfect deal does not exist. Members of Congress would be wise to measure the next deal against the status quo ante: an unconstrained, belligerent Iran again racing to a bomb.
Topic:
Arms Control and Proliferation, Diplomacy, Nuclear Weapons, Treaties and Agreements, Military Strategy, Denuclearization, and JCPOA
Political Geography:
Iran, Middle East, North America, and United States of America

9825. The Militarization of Cyberspace? Cyber-Related Provisions in the National Defense Authorization Act

Author:
Michael Garcia
Publication Date:
04-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
With Congress struggling to pass stand-alone cybersecurity legislation, the National Defense Authorization Act (NDAA) is now the primary vehicle to pass all matters of cybersecurity legislation. Because the annual defense bill typically requires provisions to have a tie to national security, other cyber issues, like those pertaining to criminal justice, tend to be excluded. As a result, the authorities and resources awarded to Department of Defense (DoD) cyber mission far outpace those provided to civilian agencies responsible for partnering with state, local, private, and international partners. With ransomware and cyber incidents at an all-time high, Congress should either include a new title in future Defense bills to bolster US cyber enforcement and civilian agencies’ capabilities or pass a cyber-omnibus bill to fix policy gaps and provide commensurate funds to federal and local agencies to combat malicious cyber activity. In this paper, we analyzed the last five NDAAs (2017-2021) to chronicle Washington’s reliance on the NDAA to shepherd through a wide swath of cybersecurity legislation. We found that: Members of Congress included 290 cyber-related provisions in the past five NDAAs, with the past two NDAAs accounting for 60% of those provisions. In fact, the FY 2021 NDAA contained 380% more cyber-related provisions than the FY 2017 NDAA. The 179 cyber-provisions included in the past two NDAAs far outpace the 14 cybersecurity bills that the 116th Congress passed (two of which were those NDAAs). Across 13 categories, three of the top four were aimed at the DOD core cyber missions, such as changing organizational processes and structures, protecting DoD assets, and engaging with foreign partners while deterring nation-state adversaries. In FY 2020, the number of non-DoD-related cyber provisions began increasing, such as supply-chain security and industrial policy, critical infrastructure protection, and election security. The provisions in these NDAAs helped improve US offensive cyber capabilities, implement measures to deter cyber adversaries, and shore up our cybersecurity defenses, all of which are needed. But because cybersecurity is a multifaceted issue that expands beyond national security and touches on criminal justice, workforce development, private-sector collaboration, and privacy issues, Congress must ensure it takes a holistic approach when creating cybersecurity laws.
Topic:
Defense Policy, Science and Technology, Military Strategy, Legislation, and Cyberspace
Political Geography:
North America and United States of America

9826. Digital Currencies' Role in Facilitating Ransomware Attacks: A Brief Explainer

Author:
Kristine Johnson and Michael Garcia
Publication Date:
05-2021
Content Type:
Policy Brief
Institution:
Third Way
Abstract:
This paper details how Bitcoin—the most popular digital currency—is used to facilitate ransomware attacks and how criminals try—and sometimes fail—to cover their tracks. Understanding how criminals use digital currencies for ransomware attacks can lead policymakers to solutions in thwarting and enforcing cybercrimes.
Topic:
Cybersecurity, Digital Economy, Bitcoin, Digitalization, and Digital Currency
Political Geography:
North America and United States of America

9827. Border Regulation Begins with Stronger Capacity at Official Points of Entry

Author:
Todd Rosenblum
Publication Date:
05-2021
Content Type:
Policy Brief
Institution:
Third Way
Abstract:
After the Trump Administration cutbacks, Congress should invest in the U.S. southern border to benefit trade, stop bad actors, and humanely process people with real asylum claims. Managing vehicular, rail, and people throughput at border crossings is an enormous challenge, but one not being met. U.S. inspectors do not properly screen more than a small percentage of incoming commercial and personal vehicles making this the primary means for narco-trafficking into the United States. Investing more in screening capacity at the official land Points of Entry with Mexico will reduce crime, illegal drug importation, guns going southbound, strengthen regulation and order essential for safe trade and opportunity, and make for a safer environment for those seeking legal entry into the United States. Congress has steadily appropriated new funds for more border screening capacity, but additional investment in screening capacity is still needed to make up for Trump Administration cutbacks. President Biden’s U.S. Citizens Act of 2021 has a range of helpful proposals to make us safer and keep commerce moving. Congress should mandate better measures to evaluate actual screening effectiveness. Congress also should conduct stronger oversight to address shortcomings in the US Department of Homeland Security (DHS) and Customs and Border Protection Agency (CBP) acquisition plans to make sure border inspectors spend the money more effectively and field the right capability in a timely fashion. There is a range of reforms we must make across immigration and border regulation to better serve our nation and those seeking to come here. Immigration and border enforcement have strayed from our values as a country and urgently need reform. Our legal immigration system both in asylum and visa-based needs clear modernization. Millions who have known no home but America deserve citizenship. Enforcement alone also will not solve our problems, but we must improve all aspects of American immigration and our border.
Topic:
Migration, Immigration, Law Enforcement, Borders, Illegal Trade, and Commercialization
Political Geography:
North America and United States of America

9828. To Patch or Not to Patch: Improving the US Vulnerabilities Equities Process

Author:
Josh Kenway and Michael Garcia
Publication Date:
06-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
The process that determines when and how the US government discloses unknown cybersecurity vulnerabilities to relevant companies or withholds them for government purposes lacks sufficient accountability, transparency, and public trust. Malicious actors do not hesitate to exploit “zero-day vulnerabilities,” or vulnerabilities that a company has had zero days to patch, with Chinese-based hackers most recently using a zero-day in Microsoft Exchange Servers to infect hundreds of thousands of systems.1 Yet, the government also uses zero-days to carry out activities that are in the nation’s interest and, as a result, does not tell the impacted software or hardware vendor about the vulnerability. In this case, the government determines that the benefit of not disclosing the vulnerability outweighs the consequence of a bad actor potentially exploiting the vulnerability for nefarious purposes. In 2010, the US government created the Vulnerabilities Equities Process (VEP) to convene federal agencies that represent a range of national interests—including security, intelligence, foreign policy, commerce, and civil rights and liberties protection—to weigh distinct perspectives on how vulnerabilities should be patched or briefly kept open for law enforcement, intelligence gathering, or military purposes. However, the VEP is not codified in law and has failed to deliver greater transparency around government retention of vulnerabilities nor ensures accountability for the government’s decisions. Congress and the Biden administration should address deficiencies with the VEP to increase transparency, strengthen accountability, build public and industry trust, and establish a world-leading model for decision-making around what to do about high-value vulnerabilities. This paper details seven steps for the Biden administration to enhance transparency and accountability in the VEP while preserving government priorities, as well as flexibility for the defense of democratic values and institutions.
Topic:
Security, Defense Policy, Science and Technology, Governance, Cybersecurity, and Transparency
Political Geography:
North America and United States of America

9829. 2021 Reader’s Guide to Understanding the Proposed US Cyber Enforcement Budget

Author:
Aaron Clarke
Publication Date:
09-2021
Content Type:
Commentary and Analysis
Institution:
Third Way
Abstract:
Cyber attacks in the United States continue to devastate and disrupt day-to-day operations in the private and public sectors. Marked by events like the ransomware attack on Colonial Pipeline that created gas shortages and increased prices, cybercrime impacts everyday citizens, even if they are not directly targeted by an attack. The Department of Homeland Security (DHS) reported that in 2020 there were “over $4 billion in cybercrime losses reported to the U.S. government.”1 This growing cybersecurity threat has only been exacerbated by the rise of cryptocurrencies like Bitcoin and exposed network vulnerabilities from those working from home during the pandemic.2 In response to this influx of cyber attacks, the Biden Administration has taken steps to both bolster the federal government’s ability to detect and respond to cyber attacks as well as protect its own systems.3 The Department of Energy (DOE) and DHS have both made cybersecurity a top priority in their latest initiatives. President Biden called on DOE to launch a 100 day plan aimed at preventing disrupted services for electric utilities, and DHS announced a series of 60-day “sprints” to support private and public partners against ransomware.4 The FY2021 National Defense Authorization Act also created the first U.S. National Cyber Director, tasked to lead the implementation of U.S. cyber policy and strategy, and rapidly improve cybersecurity defense capabilities. Although ransomware attacks have spiked, the federal government has made inroads on combatting cyber criminals. The Cyber Enforcement Budget for FY2022 should continue funding and seek to build on the key improvements and actions taken by the Biden administration. In this guide, we will look at the budget implications for cyber enforcement, recommendations for Congress, and provide a detailed breakdown of the proposed budget’s funding allocations. Specifically, we recommend that Congress should: Restore the $15 million of funding cut from the State Homeland Security Program. The program provides critical grants to states that require recipients spend at least 10% of their grants on cybersecurity needs. Require an alignment of cybercrime goals and outcomes across law enforcement agencies within the Departments of Homeland Security, Justice, and Treasury. Ensure that federal agencies are prepared to implement President Biden’s cybersecurity executive order.
Topic:
Defense Policy, Science and Technology, Law Enforcement, Budget, and Cybersecurity
Political Geography:
North America and United States of America

9830. The Challenges of Redressing Violations of Economic and Social Rights in the Aftermath of the Eurozone Sovereign Debt Crisis

Author:
Giulia Ciliberto
Publication Date:
06-2021
Content Type:
Journal Article
Journal:
The Goettingen Journal of International Law
Institution:
The Goettingen Journal of International Law
Abstract:
The Eurozone sovereign debt crisis represented an occasion to assess whether the international, European Union, and national systems provide adequate remedies for violation of socio-economic rights caused by austerity measures. Victims of these violations tried to obtain a remedy by lodging complaints before national judicial organs, the Court of Justice of the European Union, international human rights bodies (such the UN Committee on Economic, Social and Cultural Rights, the ILO Committee on Freedom of Association and the European Committee on Social Rights), and the European Court of Human Rights. This article addresses whether one (or more) of these venues indicted adequate remedies of violations of socio-economic rights and whether these mechanisms could have adopted a different (and more human rights- oriented) adjudicative approach with the view of enhancing the effectiveness of socio-economic rights enshrined in international treaties. The paper assumes that the adequacy of the relief depends on two elements. The first is the collective nature of socio-economic rights, which requires structural or systemic remedies rather than individual ones. The second is the need to preserve States’ economic soundness in order to allow Countries to satisfy their international obligations, namely securing a minimum essential level of socio- economic rights and their progressive realization. Against these assumptions, remedies should benefit the victimized class as a whole, alongside avoiding major distributional or unintended consequences to the detriment of public finances. The investigation focuses on the case law and pronouncements concerning Greece, Portugal, and Spain. The paper reaches the conclusion that constitutional review of austerity measures is the most adequate and effective venue to address such sensitive matters. This is especially true where constitutional courts rely on international conventions protecting socio-economic rights as per se parameters of constitutionality or through consistent interpretation – viz. by construing the national bill of rights in line with treaty-based socio-economic rights.
Topic:
Debt, European Union, Economic Cooperation, Socioeconomics, and Economic Rights
Political Geography:
Greece, Spain, and Portugal