Anthony D. Glosson | Aug 10, 2015
This paper seeks to synthesize the available legal resources on active defense. It confronts the intertwined definitional, legal, and policy questions implicated in the active defense debate. The paper then proposes a legal framework to authorize active defenses subject to liability for third-party damages, an approach grounded in the technical and economic realities of the network security market.
Eli Dourado, Andrea Castillo | Jun 22, 2015
This paper will review the laws and standards governing federal cybersecurity policy and will highlight how overlapping responsibilities and unclear lines of authority have accompanied increasing rates of federal information security failures. The paper will then describe how these systemic cybersecurity weaknesses demonstrate the federal government to be an especially poor candidate for managing national systems, and it will explain the shortcomings of a top-down, technocratic approach.
Eli Dourado, Andrea Castillo | Jun 22, 2015
After briefly outlining the current cybersecurity information sharing proposals, we will examine the performance of the many similar programs that the federal government has operated for years. The government’s inability to properly implement previous information sharing systems even internally, along with its ongoing failures to secure its own information systems, casts doubt on the viability of proposed government-led information sharing initiatives to improve the nation’s cybersecurity. We will then examine the flawed assumptions that underlie information sharing advocacy before exploring solutions that can comprehensively address the nation’s cybersecurity vulnerabilities.
Eli Dourado, Andrea Castillo | Apr 17, 2014
This paper will describe the current dynamic provision of cybersecurity and explain how a technocratic solution like the Cybersecurity Framework could weaken this process and ultimately undermine cybersecurity.
Adam Thierer | Jan 25, 2013
This paper will consider the structure of fear appeal arguments in technology policy debates and then outline how those arguments can be deconstructed and refuted in both cultural and economic contexts. Several examples of fear appeal arguments will be offered with a particular focus on online child safety, digital privacy, and cybersecurity. The various factors contributing to “fear cycles” in these policy areas will be documented.
Sean Lawson | Dec 19, 2012
Cybersecurity proponents often rely upon cyber-doom scenarios as a key tactic for calling attention to prospective cyber-threats. This essay critically examines cyber-doom scenarios by placing them into a larger historical context, assessing how realistic they are, and drawing out the policy implications of relying upon such tales. It draws from relevant research in the history of technology, military history, and disaster sociology to examine some of the key assertions and assumptions of cyber-doom scenarios. It argues that cyber-doom scenarios are the latest manifestation of fears about “technology-out-of-control” in Western societies, that they are unrealistic, and that they encourage the adoption of counter-productive, even dangerous policies. The paper concludes by offering alternative principles for the formulation of cybersecurity policy.

Testimony & Comments

Research Summaries & Toolkits

Expert Commentary

Nov 09, 2015

As Congress moves to reconcile each chamber’s version of the Cybersecurity Information Sharing Act (CISA), civil liberties organizations and technology companies alike continue to pan the bill for threatening consumer privacy and covertly expanding government surveillance programs. Critics argue that strong cybersecurity should not come at the expense of diminished privacy — but this is a false dichotomy. CISA is unlikely to meaningfully improve cybersecurity because the bill addresses the wrong issues.
Oct 19, 2015

October is National Cyber Security Awareness Month. It's a good time to remember that America's formidable cybersecurity challenges require smart, targeted policy reforms that will strengthen our network security by encouraging proactive research and robust defenses. Unfortunately, some in Congress instead choose to prop up the Cybersecurity Information Sharing Act of 2015, an unsuitable bill that could ultimately weaken security while promoting government data extraction.
Aug 11, 2015

Last week, the information security industry temporarily dodged a bureaucratic blunder that could have inadvertently criminalized basic software bug testing. Heeding the near-unanimous dissent from cybersecurity professionals, the U.S. Commerce Department wisely rescinded its proposal to impose export controls limiting the selling or sharing of "zero-day exploits," software vulnerabilities that only the discoverer knows about.
Jul 28, 2015

As the threat of cyberwar looms more saliently on the horizon, many countries have turned to controlling the sale of "cyberweapons." But the U.S. government's proposed cyberweapon crackdown, part of a multinational arms-export control agreement called the Wassenaar Arrangement, could be used to criminalize basic bug-testing of software and ultimately weaken Internet security.
Jul 04, 2015

For years, cybersecurity hawks have painted grim pictures of a "cyber Pearl Harbor," when sophisticated hackers will be able to infiltrate and commandeer critical U.S. networks to wreak whatever havoc they choose. Yet for some reason, when the most advanced cyber-espionage malware known was discovered on American systems, the usually indefatigable "tough on cyberterror" crowd was quiet.
May 10, 2015

CISA actually bucks the usual liberty/security trade-off, because it threatens our civil liberties without meaningfully improving cybersecurity—and could potentially even weaken it. We should dump this Trojan and focus on developing bottom-up, collaborative security practices that will actually work.


This week’s charts use data from three sources: a July 8 Government Accountability Office (GAO) report entitled “Information Security: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies,” the Office of Management and Budget’s Federal Information Security Management Act (FISMA) Report to Congress for FY 2014, and the White House’s “Cybersecurity Sprint Results” report from July 2015. The charts display reported federal material information security weakness and degree of compliance with prevailing federal cybersecurity standards in fiscal year (FY) 2014.



Eli Dourado | August 04, 2015
The Cybersecurity Information Sharing Act (CISA) is up for a vote in the Senate this week. Eli Dourado talks about the implications of this cyber threat information sharing legislation on Marketplace.

Recent Events

Join Adam Thierer, senior research fellow at the Mercatus Center, for a Regulation University to discuss the best course of action for dealing with network technologies, without derailing innovation.

Media Clippings

Adam Thierer | Jun 24, 2013
"High technology companies are among the fastest growing lobbying shops in Washington," said Adam Thierer.
Jerry Brito | Jul 12, 2012
Jerry Brito cited discussing current cybersecurity concerns.
Eli Dourado | Jul 06, 2012
Eli Dourado explains how the United States can combat new threats to a free and open web.
Adam Thierer | Jun 28, 2012
Adam Thierer comments on Federal Communications Commission (FCC) Commissioner Robert McDowell's recent speech.
Jerry Brito | Jun 27, 2012
Jerry Brito cited discussing the possible effects of revisions to the UN's global telecommunications treaty.