top of page


December 01, 2017

Cyber Insecurity Book Review

Harvard Law Journal | Editorial Board

After decades of innovation in computing and the web, cybersecurity regulation remains a new and mysterious frontier. With careful cultivation, Richard M. Harrison and Trey Herr present a comprehensive manual for policymakers concerned about the growing barrage of cyberattacks but unsure how to address them. Part primer, part briefing, and part policy agenda, Harrison and Herr’s compilation is best described as a series of field reports from the Wild West of cybersecurity law. In addition to bringing together the diverse perspectives of military leaders, legal practitioners, and academics, Harrison and Herr outline four categories for discussing and prioritizing avenues of reform...

May 25, 2017

Cyber Insecurity Book Review

Military Review | By Lt. Col. George Hodge, U.S. Army, Retired

Cyber Insecurity provides a comprehensive understanding to the basic complexities of the cyber world. Its purpose is threefold: first, to the layperson, explaining the critical features of cyberspace and simplifying its essential components that include many key policy issues; second, to the initiated generalist, providing relevant details and references with respect to some of the more technical and policy details; and third, to policy makers and staffers, to serve as a resource for informed work in crafting public policy. It is a great introduction to understanding the challenges confronting us in the cyber domain... 

May 19, 2017

To Disclose or Not to Disclose | By Dave Weinstein

In recent days the ransomware campaign known as WannaCry has captivated the attention of information security practitioners, policymakers, and ordinary users around the world. The blame game has predictably ensued, citing multiple parties as responsible. Some have criticized Microsoft, the manufacturer of the vulnerable systems, while others have blamed the National Security Agency, which reportedly knew for years of the vulnerability that WannaCry exploited. There are also those who blame the Shadow Brokers, the hacking group that publicized the stolen tools, thereby subjecting vulnerable computers to what could very well be the largest-scale cyberattack in history...

May 17, 2017

PATCH: Debating Codification of the VEP

Lawfare | By Mailyn Fidler and Trey Herr

Today a bipartisan group of lawmakers introduced in both the House and Senate a billthat would formalize the Vulnerability Equities Process (VEP) into law. The proposed legislation, the Protecting our Ability To Counter Hacking (PATCH) Act, is sponsored by Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) (all members of the Senate Committee on Commerce, Science, and Transportation) and Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas)...

April 15, 2017

The Mother of All Lawfare Podcasts: Cyber Insecurity

Lawfare | By Quinta Jurecic

As our dependence on cyberspace increases, so too will the urgency of crafting good cybersecurity policy—but the combination of knotty problems in the realms of both technology and law often makes these issues particularly difficult to iron out. In this episode of the podcast, Susan Hennessey sits down with Trey Herr, Fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School; Jane Chong, Deputy Managing Editor of Lawfare and National Security and Law Associate at the Hoover Institution; and Robert M. Lee, nonresident national cybersecurity fellow at New America, to chat about a new book on the subject: Cyber Insecurity: Navigating the Perils of the Next Information Age...

March 09, 2017

Expect More Incidents Like WikiLeaks’ Dump of CIA Hacking Tools | By Trey Herr

Is this going to be a thing now? Political rivals spy on one another all the time, but they seem increasingly willing to track down opponents’ espionage tools and leak them on the web. Last year, it was an older collection of malware likely built by, or for, the National Security Agency. This year, it’s the turn of the newly reorganized Central Intelligence Agency...

March 01, 2017

Cyber Insecurity Book Review

Journal of Strategic Security | By Jeffrey A. James

Cyber-attacks have become commonplace in the last decade. This reviewer’s first familiarity with it began after Richard Clarke, then advisor to President George W. Bush and immediately prior to 9/11 was said to be running around the White House with his hair on fire over the possibilities of attack on the homeland. That metaphor caught the attention of many, and it became an early alert to the importance of cyber security... 

November 03, 2016

The Internet of Things Is a Cyberwar Nightmare

Foreign Policy | By James Stavridis & Dave Weinstein

The world got a glimpse of the future last month when a large-scale cyberattack prevented access to hundreds of key websites, including Twitter, the online New York Times, and Amazon. The “distributed denial of service” attack against the New Hampshire-based DNS provider Dyn, which blocked access to major online services for users as far away as Europe, fulfilled the direst predictions of technologists and security researchers alike...

October 27, 2016


POLITICO | By Tim Starks

Your MC host recently spoke with Trey Herr and Rich Harrison, editors of the forthcoming book “Cyber Insecurity,” a policy anthology set for release Friday at an event hosted by New America. Below are excerpts of the conversation, edited for length and clarity...

October 27, 2016

Cyber Insecurity: Navigating the Perils of the Next Information Age

Lawfare | By Jane Chong

This is a plug for a new cyber policy book out this month: Cyber Insecurity: Navigating the Perils of the Next Information Age, edited by Richard Harrison, Director of Operations and Defense Technology Programs at the American Foreign Policy Council, and Trey Herr, Fellow with the Belfer Center's Cyber Security Project at the Harvard Kennedy School...

October 21, 2016

Sneak peek at a new cybersecurity policy tome

POLITICO | By Tim Starks

SNEAK PREVIEW: NEW BOOK’S EXPERT RECOMMENDATIONS: A forthcoming tome penned by academics and industry will tackle a whole host of cybersecurity policy questions looking out over the next decade. Set for official rollout next week, the book, “Cyber Insecurity,” includes chapters from leading experts. In one, Jane Chong, a national security and law associate with the Hoover Institution, argues that proprietary software vendors should endure “modest” regulation, be subject to public reporting requirements on security measures and receive tax incentives. In another, Herb Lin of the Center for International Cooperation and Taylor Grossman of Clark Street Associates call attention to the problem of “rife” overclassification within cybersecurity...

September 29, 2016

A Better Plan for Internet Governance

U.S. News and World Report | By Richard M. Harrison & Liam Bobyak

The problem with high technology is that it can be difficult to understand, leading to what are often confused policy prescriptions. A perfect example is the proposed upcoming transition of the internet-naming function from U.S. to private control – an event that's scheduled to take place just a few days from now, on Sept. 30. While the transition itself isn't necessarily a bad idea, the Obama administration's current plan has definite flaws.

September 13, 2016

A Response to “The Tech”: Continuing the Vulnerability Equities Process Debate

Just Security | By Mailyn Fidler

In my recent Just Security piece, I argued that Aitel and Tait’s suggestions in Lawfare to focus the Vulnerability Equities Process (VEP) more narrowly on strategic intelligence concerns would neuter other important purposes the VEP serves. Aitel and Tait disagreed with me on Twitter and in a post Aitel independently authored.

September 02, 2016

The Vulnerability Equities Process Should Consider More than Intelligence Community Needs

Just Security | By Mailyn Fidler

Dave Aitel and Matt Tait’s recent post in Lawfare argued that the U.S. government’s procedure for deciding whether to withhold unknown or little-known vulnerabilities in software and hardware for use by the national security and law enforcement communities or to publicly disclose them for the benefit of broader cybersecurity – a procedure known as the Vulnerability Equities Process, or VEP – is inherently harmful to American intelligence operations.

Please reload

bottom of page