
Cyber Security

Developing practical approaches to cyber risk management with the guidance of advisors from the cyber security and broader risk management communities
Project Info

The Cyber Security Project brings together Stimson’s cross-cutting work on defense, deterrence and cybersecurity from Stimson’s nuclear security, regional security, and global governance experts. The project combines rigorous research with the guidance and experience of diverse stakeholders and advisors drawn from the cyber security and risk management communities.

Our cyber security work is global and diverse, addressing risks to critical infrastructure such as nuclear power plants; implications of domestic cybersecurity for regional and international security; and issues of international cyber-governance.

Building on our expertise in these and related areas, we plan a new effort focused on deterrence and accountability in the cyber domain, with the goal of developing practical models for a governance framework to manage international cybersecurity risks. By applying lessons from other domestic and international efforts to manage new global risks, the project will provide policymakers with both legal and technical expertise on accountability in the cyber domain, as well as perspectives from both government and industry on potential paths for better addressing cyber security threats.


Join the Washington Foreign Law Society and the Stimson Center in this second in a series of discussions dissecting cyber issues as they relate to current and potential legal accountability: Cyber Accountability – Who did it? Is it wrong? Can they be stopped?

The 2017 NotPetya cyberattack cost businesses hundreds of millions of dollars, and the attack is still roiling through insurance markets and some courts. A key issue is under what circumstances state-backed hacks are covered by various kinds of insurance policies or are excluded for being “hostile or warlike acts.” Lloyd’s Market Association is still reviewing alternative industry approaches that can satisfy market needs. Meanwhile, what can/should businesses do in terms of insurance coverage, especially given the difficulties in the classic NMA 464 exclusions, to make sure they have appropriate coverage? How might thresholds be set so that the insurance market itself is sustainable? And might any of these solutions lead to holding threat actors more accountable?

The internet, computers and related technologies are all fabulous. Except when they are not. Cyber intrusions continue to cost us untold hours of grief and trillions of dollars in losses. The issue is not only cyber criminals stealing our data or locking our info with ransomware; we have been deluged with fake news, tricked into cyber addictions, and – in some countries – had our lights turned off. This series of discussions – Cyber Accountability – Who did it? Is it wrong? Can they be stopped? – seeks to dissect cyber issues as they relate to current and potential legal accountability.

For decades, the United Nations has been trying to establish agreement around norms for cyberspace. The year 2015 brought some victory when the report of the UN Governmental Group of Experts on information and communication technologies, consisting of 20 states, won support in the UN General Assembly. Discussions then stumbled over the inclusion of humanitarian and human rights law. In 2019, with the Russian Government and others pushing for broader stakeholder engagement in cyber discussions, the UN established two tracks of work that are now underway. What is the hope for any real progress and state accountability to come out of these efforts, and how might progress be found in a new framework that France, Egypt and others propose?
