Category Archives: Internet Security
Cyber crime and hacking law to be formally reviewed, Priti Patel announces – iNews
The law designed to prevent malicious hackers from accessing personal information and other types of cyber crimes will be formally reviewed to ensure it is fit for purpose, Home Secretary Priti Patel has announced.
The Computer Misuse Act was first introduced in 1990 to prohibit unauthorised access to computer material and has been revised several times to account for technological developments, including making it illegal to supply or own hacking tools and outlawing acts that could aid cyber warfare.
Academics, law enforcement agencies and cyber industry experts will be called to provide information to ensure the Act is fit for purpose and up to date, Ms Patel said in a speech made at the annual CyberUK conference.
"It is critical that government has all the right levers available to it to ensure that those who commit criminal acts in the cyberspace are effectively investigated by law enforcement and prosecuted by our criminal justice system, including those perpetrating the most heinous and appalling crimes against children and those committing serious fraud," she said.
"As part of ensuring that we have the right tools and mechanisms to detect, disrupt, and deter our adversaries, I believe now is the right time to undertake a formal review of the Computer Misuse Act."
Cyber security experts have long criticised the Act as being out of touch, arguing that it was created when internet use was restricted to less than one per cent of the UK population and before the modern concept of cyber security existed.
CyberUp, a campaign group formed to push for reform of the Act, has called it in its current form hopelessly outdated and legally ambiguous, claiming it prevents security professionals from researching cyber threats for fear of prosecution.
Ollie Whitehouse, chief technical officer of IT security firm NCC Group and spokesperson for the CyberUp Campaign, said the group hoped the review would highlight the Act's current shortcomings and lead to sensible reforms that will keep protecting the UK from an evolving landscape of cyber threats.
"This law written in 1990 didn't foresee the birth of the cyber security profession, and therefore leaves ethical cyber security researchers unclear as to whether or not they will be prosecuted simply for doing their jobs. The result is a chilling effect on the cyber security industry, leaving the UK less safe from cyber criminals," he said.
"This is a long overdue step for a piece of legislation that simply hasn't kept pace with changes in technology."
The National Cyber Security Centre took down 700,595 malicious online campaigns during 2020, 15 times more than in 2019, as criminals sought to take advantage of people during the pandemic.
The Centre also observed an increase in hacking and phishing attempts across the world, it announced in its fourth annual report.
How To Choose And Set Up A VPN – Forbes
A VPN, or virtual private network, allows you to safely browse the web by encrypting your data and hiding your IP address, making it seem as though you are browsing from another location entirely.
There are numerous reasons to use a VPN, including data privacy, security when working remotely and the ability to access geographically restricted content. Don't let their reputation intimidate you. With a little know-how, you can choose and set up a VPN painlessly.
Not all VPNs are created equally. Here's how to pick one that's a good fit for you.
You want a VPN that accommodates the types of devices you want covered (your phone, laptop and smart TV) as well as the number of devices you want covered. Most premium services offer about five simultaneously connected devices under a single plan. You should attempt to connect all devices within your network to a VPN, in particular those you plan on using on public Wi-Fi networks.
Ideally the VPN you choose will offer fast speeds, multi-level encryption and access to VPN servers in multiple locations. Your VPN provider shouldn't log or collect your data, either. The point of a VPN is privacy.
A full-coverage, pay-as-you-go plan with the features outlined above will cost approximately 5 to 10 a month. If you buy a full year or more in advance, those prices will go down. However, we suggest trying out a VPN before buying a full year plan, checking to make sure that the speeds and features of that particular service work for you.
While you may be tempted to use a free VPN service, you unfortunately get what you pay for. Free VPN services need to recoup their operating costs and often do so by selling user data, thereby removing privacy benefits. There are a few legitimate free services, but most are trial versions of paid VPNs with fewer features or time-limited service. If you want to get serious about your internet security, a paid model is best.
While you may know your feature and pricing needs, you can still get lost in the numerous VPN offerings online. To figure out what each VPN offers and which services are recommended by security experts, lean on trusted advice. We offer a guide, The Best VPNs in 2021, that breaks down costs and features of different VPN apps and the pros and cons of each service. You can use guides like these to do the tough brand research for you, so you can start browsing securely quicker.
We've compiled a list of what we think are the best VPNs for 2021
If you're setting up a VPN to browse the internet while at home (a good step for protecting your data from your internet service provider), you can set it up through your Wi-Fi router and protect all devices that are on your home network at once. However, if you're hoping to get a VPN to protect your data during public browsing and on-the-go usage of your laptop or smartphone, you'll need VPN software.
The simplest way to set up a VPN is to download an app of your choice via your internet browser or smart device's app store, then let it set itself up. Most VPN apps will automatically configure on your devices after downloading, making setup quick and easy for anyone.
However, we've also outlined the steps for manual setup for your MacOS, Windows, Android and iOS devices below.
Once youve chosen and installed your VPN, you may wonder when to use it. Ideally, you should try and connect to your VPN whenever possible.
On home networks, a VPN will protect your IP address and internet browsing activity by hiding your identity from your ISP; from the apps and sites you visit; and from the companies that your ISP is selling your data to. Your online activity won't be fully obscured but your identity (via your IP address) will be. A VPN at home isn't a foolproof measure for full anonymity, but it will provide a base level of data security.
On external Wi-Fi networks, a VPN will protect you from internet strangers, encrypting your data and your identity. Whether connecting to Wi-Fi at Starbucks or your airport, a VPN can help keep your data safe. This VPN usage is more critical than at home, as public Wi-Fi is less secure and can easily enable data theft and criminal activity.
That said, sometimes slow operating speeds and app connectivity issues make browsing on your VPN difficult. In cases such as these, it's OK to continue browsing. However, you should recognize that your data and activities are less protected than they would be under a VPN.
In public, this means it would be best not to do any particularly sensitive online activities such as banking or dealing with confidential documents. At home, this means recognizing that your ISP can connect your online activity with your real IP address.
VPNs provide data security, obscuring your data and identity from ISPs, internet snoops, companies and government agencies alike. In a world where many activities are done online such as shopping or banking, a VPN provides peace of mind.
While you may be tempted to use a free service, few offer the full data-privacy and malware-protection of paid services. Many free services sell their user data thereby diminishing the greatest value of VPNs: security.
Not always. Most VPN apps offer easy installation processes that automatically add themselves to your phone or computer. Manual installation is easy, but automatic installation is even easier.
Yes, like any software, VPNs are susceptible to hacking. They aren't foolproof security measures. VPN companies themselves have been the target of massive hacks. The more information the VPN company stores on you, the more susceptible you are to data breaches.
Zenlayer Raises $50MM in Series C Financing to Boost Its Lead in Edge Cloud Services – Business Wire
LOS ANGELES--(BUSINESS WIRE)--Zenlayer, a leading global edge cloud service provider, announced the closing of its $50 million Series C financing today. The round was led by a group including Anatole Investment and Prospect Avenue Capital, and included existing investor Volcanics Venture. These investors join F&G Venture, NSFOCUS, and Forebright Capital to bring Zenlayer's total financing to $90 million since inception.
Zenlayer will allocate the new financing toward enhancing its edge cloud technology and expanding global network coverage.
"I am excited to announce that we have successfully raised $50 million in Series C," said Joe Zhu, Zenlayer's Founder & CEO. "We'll accelerate the development and adoption of our PaaS solutions, and continue to focus on emerging markets, helping our customers to capture the explosive growth of regions like Southeast Asia and South America. This capital will bring us one step closer to realizing our mission of improving digital experiences for every organization and person, anywhere in the world."
With its unique edge cloud offerings, Zenlayer enables organizations to instantly deploy compute closer to end users and accelerate their networks to deliver the best digital experience possible. Today, Zenlayer can help organizations reach over 85% of the world's internet population in just 25 milliseconds or less. By using Zenlayer's PaaS solutions, organizations can achieve this without deploying any infrastructure.
Zenlayer Highlights include:
George Yang, Chief Investment Officer, Anatole Investment: Zenlayer is an edge cloud technologies leader uniquely positioned to accelerate digital transformation across the world. IT Infrastructure is a critical need for digital enterprises and Zenlayer has demonstrated the immense value companies gain by improving their users' digital experience. We're excited to help Zenlayer accelerate their rapid growth and expansion, and continue to innovate edge cloud computing to new heights.
Ming Liao, Founding Partner, Prospect Avenue Capital: Zenlayer has a remarkable competitive edge. Its exponential growth has made Zenlayer an ideal investment target for Prospect Avenue Capital. Zenlayer is positioned to meet the demands of emerging markets in Southeast Asia, South America, and Northern Africa with its global coverage, low latency edge cloud solutions, and strong infrastructure.
Suyang Zhang, Managing Partner, Volcanics Venture: We began our relationship with Zenlayer in 2019 and have observed the strength and contributions of their team and growth potential first-hand. We are excited to participate in this latest round of financing to continue Zenlayer's mission of improving digital experiences for everyone in the world through edge cloud services, instantly.
For more information about Zenlayer, please visit http://www.zenlayer.com.
About Zenlayer
Zenlayer (www.zenlayer.com) offers on-demand edge cloud services in over 180 PoPs around the world, with expertise in fast-growing emerging markets like Southeast Asia, India, China, and South America. Businesses utilize Zenlayer's global edge cloud platform to instantly improve digital experiences for their users with ultra-low latency and worldwide connectivity on demand.
About Anatole Investment
Anatole Investment Management Limited is an international investment management firm that manages long-term capital for highly sophisticated professional investors and clients globally.
About Prospect Avenue Capital
Prospect Avenue Capital is a growth equity firm with a focus on IT, financial services, technology, and AI-related sectors.
About Volcanics Venture
Volcanics Venture (www.volcanics.com) is committed to identifying, investing in, and serving the most promising companies and outstanding entrepreneurs in internet innovation, intelligent technology, and healthcare industries. Volcanics Venture brings a powerful combination of global perspective and local experience to investment management, striving to provide sustainable value-added services to portfolio companies.
About F&G Venture
F&G Venture (www.fgventure.com/en/index.jsp) is a venture capital fund focused on companies with exponential growth in IT industries, such as IT infrastructure, cloud computing, IoT, SaaS, big data, etc. It also targets high-end manufacturing businesses, including intelligence devices, robots, and drones.
About Forebright Capital
Forebright Capital (www.forebrightcapital.com) is a differentiated institutional-quality multi-stage growth equity fund manager investing in selected sectors including advanced manufacturing, healthcare, and business services. It is committed to partnering with visionary business leaders, providing value added services, and contributing to the long-term growth of outstanding enterprises.
About NSFOCUS
NSFOCUS (www.nsfocus.com) is a network and cyber security provider for telecom carriers, BFSI, enterprises, healthcare, retail, as well as government agencies. It has a proven track record of protecting over 20% of the Fortune 500 companies, including four of the five largest banks, and six of the world's top ten telecommunications companies.
AV-Comparatives Announces Internet Security Comparison Test for Real-World and Malware Protection for Q1 2021 – PRNewswire
The Real-World Protection Test results released by AV-Comparatives are based on 354 live test cases including working exploits and URLs pointing directly to malware. The test-cases used cover a wide range of current malicious sites, highlighting the quality of protection offered by various products. This AV-test by AV-Comparatives provides detailed insights into the actual capabilities of as many as 17 popular anti-virus products. The results of the false-positives test are also available in the factsheet. The full results, covering four months of on-going testing, will be published in June.
As per the test results published by AV-Comparatives, the tested products were Avast Free Antivirus, AVG Free Antivirus, Avira Antivirus Pro, Bitdefender Internet Security, ESET Internet Security, G Data Total Security, K7 Total Security, Kaspersky Internet Security, Malwarebytes Premium, McAfee Total Protection, Microsoft Defender Antivirus, NortonLifeLock Norton 360, Panda Free Antivirus, Total AV Total Security, Total Defense Essential Antivirus, Trend Micro Internet Security and VIPRE Advanced Security.
"Our Real-World Protection Test is currently one of the most comprehensive and complex tests available, using a relatively large number of test cases. Currently, we are running this test under updated Microsoft Windows 10 Pro 64 Bit with up-to-date third-party software," said Peter Stelzhammer, co-founder of AV-Comparatives. "Every few months, we update the charts on our website showing the protection rates of the various tested products over the past months. The interactive charts for February and March 2021 are now available on our website."
AV-Comparatives has also released the results of its Malware Protection Test for consumer security solutions. 17 popular anti-malware apps were evaluated to assess their ability to protect a system against infection by malicious files before, during or after execution. In addition to detection rates, the test also examines a product's ability to prevent a malicious program from making any changes to the system. The test set used for this test consisted of 10,013 malware samples. To ensure that the tested programs do not protect the system at the expense of high false-alarm rates, a false-positives test is also run.
To access the just-published test results from AV-Comparatives, please visit https://www.av-comparatives.org.
Real-World Protection Tests: https://www.av-comparatives.org/consumer/testmethod/real-world-protection-tests/
Malware Protection Tests: https://www.av-comparatives.org/consumer/testmethod/malware-protection-tests/
About AV-Comparatives: AV-Comparatives is an independent organisation offering systematic testing to examine the efficacy of security software products and mobile security solutions. Using one of the largest sample collection systems worldwide, it has created a real-world environment for truly accurate testing. AV-Comparatives offers freely accessible results to individuals, news organisations and scientific institutions. Certification by AV-Comparatives provides a globally recognised official seal of approval for software performance.
Contact: Peter Stelzhammer, +43 720115542
SOURCE AV-Comparatives
Cyber Security Begins Abroad – War on the Rocks
The Russian Foreign Intelligence Service's compromise of U.S. company SolarWinds and a variety of other information technology infrastructures has been described as the greatest cyber intrusion, perhaps, in the history of the world. According to the Biden administration, the hack gave the Russians the ability to compromise or disrupt potentially 16,000 computer systems worldwide, enabling collection of vast amounts of information from federal departments and agencies, private companies, and other victims.
On April 15, the Biden administration outlined its response. The White House formally attributed the campaign to the Russian Foreign Intelligence Service, expelled Russian diplomats from the United States, imposed sanctions on six Russian technology companies that support the intelligence services' cyber operations, and issued a new directive imposing sovereign debt sanctions on Russia. The administration's actions were impressive in terms of their scope, drawing on many U.S. response options simultaneously.
While the most newsworthy aspects of Washington's response to Russia were featured in the first two-thirds of the April 15 statement, the last section outlined important steps that will guide America's international cyber policy for years to come. The Biden administration explained that it would be supporting a global cybersecurity approach through international capacity-building projects focused on enhancing understanding of the policy and technical aspects of publicly attributing cyber incidents and the provision of training to foreign partners on the applicability of international law in cyberspace. This effort highlights an often overlooked element of U.S. national security and cyberspace policy: Improved cyber security around the world and improved capacity to identify and hold accountable malign actors in cyberspace make the Internet safe for American users and everyone else. When the United States helps its international partners improve their own cyber security, the benefits reverberate across cyberspace.
For the United States, working with foreign governments to make the internet a more secure place is not just a diplomatic opportunity. It should be a key national security priority. International capacity building is particularly critical in cyberspace because threats from hackers, cyber criminals, and hostile intelligence services originate from all over the world. In addition, ensuring the resiliency of cyberspace on a global scale is imperative in countering China's growing digital footprint and influence.
As staff of the Cyberspace Solarium Commission, we were tasked with examining all tools of statecraft that contribute to defending the United States from cyber attacks. Not only is capacity building often (unwisely) passed over as a security priority, but current capacity-building infrastructure is inadequate, largely due to outdated legal authorities and processes that insufficiently meet the demands of modern diplomacy and security issues. International cyber security capacity building has a clear and direct benefit for U.S. national security. Congress is currently poised to make major changes to cyberspace policy at the State Department. As it does so, legislators would be wise to ensure that the department has sufficient funding, flexibility, and agility to build cyber capacity around the globe by creating a fund specifically for cyber capacity building and corresponding authorities to provide emergency assistance.
Capacity Building as a National Security Priority
Capacity-building programs are vehicles for investing strategically in the international community. With respect to cyber security, such programs generally focus on improving national capacity to effectively deliver cyber security (referred to as cyber maturity) and equipping foreign governments with the resources and expertise essential to prevent, detect, withstand, and recover from cyber attacks. In particular, capacity building can help countries build national strategies for enhanced cyber security, collaborate and share information with the private sector on cyber risk management, revise criminal laws and procedures to mitigate cyber crime, bolster incident response and recovery capabilities, advance national cyber security awareness, and grow national cyber security workforces.
Multilateral efforts in the capacity-building arena are well established and supported by U.N. groups and other organizations alike. In particular, the Global Forum on Cyber Expertise has emerged as a leader via its role as a resource clearinghouse. Apart from these multilateral efforts, several states have pursued bilateral or regional cyber capacity-building initiatives. For example, the Australian government has specifically focused on the Indo-Pacific region in its efforts and works with partners across sectors to strengthen cyber security among its neighbors.
Cyber security capacity building serves U.S. national security interests in three ways. First, enabling foreign governments to undertake actions like responding rapidly and effectively to cyber security incidents or tamping down cyber crime makes all of cyberspace a safer place. The United States is not unique in recognizing this. For example, the Canadian government has clearly articulated the linkages between national security and international capacity: "The security of Canada is linked to that of other states. When foreign states lack these resources, it can put the security of Canadians and Canadian interests at risk, both at home and abroad." In this sense, cyber security capacity building is a straightforward example of a rising tide lifting all boats.
Second, stronger partners make better partners in countering malign behavior in cyberspace. For example, the United States and Ukraine have worked together for years on cyber security issues, including promoting legal and regulatory reform, cyber workforce development, and private sector engagement. Given the countries' longstanding tradition of partnership on law enforcement investigations, not to mention Ukraine's unique local cyber security environment, the United States directly strengthens its own security by ensuring that Ukraine is a highly capable cyber security partner. Equipping partner and allied nations with resources for cyber capacity building ensures that beneficiaries are protected from the coercive influence of cyber attacks and enabled to respond effectively. The strength of U.S. partners also helps expand the capacity for enforcing rules of responsible state behavior in cyberspace, promoting collaboration among states that share the U.S. vision for an open, interoperable, reliable, and secure internet. For example, foreign governments must have the independent capability to identify and analyze a cyber attack rapidly in order to engage in the growing trend of issuing a joint attribution and response. This joint enforcement minimizes the burdens any single state faces in holding accountable those who violate rules of responsible state behavior and encourages stability in cyberspace by reinforcing cyber security norms. Projects focused on enhancing joint enforcement and reinforcing cyber norms were precisely those that the Biden administration pledged to support in response to Russian malicious cyber activity, which focused on expanding attribution capacity and providing training regarding the applicability of international law in cyberspace.
Efforts to bolster foreign cyber capacity are distinct from military support for foreign partners in furtherance of hunt forward operations. In hunt forward operations, the U.S. military deploys to other countries to counter threats on foreign networks in partnership with those countries' militaries. Capacity-building efforts that strengthen the overall cyber maturity of partner nations can pick up where these efforts leave off, promoting resilience and civilian cyber security without direct engagement of U.S. military personnel. Moreover, these military programs are distinct from incident response teams, whose primary role is to assist victims in the immediate aftermath of a cyber attack. The United States needs different tools for different problems. Capacity-building programs are broader in scope and go even further than existing military programs in strengthening the ability of partners to prevent, withstand, and respond to cyber attacks.
Finally, the national security value of capacity building also implicates efforts to counter China's growing investment and influence in the digital infrastructure of countries in the Global South. As countries scramble to keep pace with the digital age, some governments may not have the economic resources to be picky about a source of technical assistance, and the cheapest technology is not always the best suited for promoting open societies. A report from the German Marshall Fund cites as an example, "After installing Huawei 4G equipment, video surveillance software, and facial recognition technology, Kenya, Tanzania, Vietnam, and Zimbabwe have to varying degrees seen the adoption of draconian cybercrime laws restricting Internet freedom and clamping down on speech against the government."
Through projects like the Belt and Road Initiative and the Digital Silk Road, leaders in Beijing have found opportunities to both tap into a global customer base for their goods and spur the uptake of technology that aligns with state policy objectives. To give a sense of scale, in 2018, for the second year in a row, investment in African information and communications technology development projects from China alone eclipsed funding from the Infrastructure Consortium for Africa, the organization that combines the efforts of G8 countries and other governments with multilateral efforts like those of the World Bank and the African Development Bank.
U.S. capacity building and cyber diplomacy generally can and should counter growing influence from the Chinese government in the countries that have been dubbed the digital deciders (e.g., Brazil, India, Mexico, and Indonesia). The choices of these actors will have a critical impact on global technology governance and the balance of states that favor an open, global digital infrastructure that protects rights like privacy versus those that favor a closed, sovereign version that enables human rights abuses. U.S. national security reaps very tangible benefits from ensuring that the United States, alongside its partners and allies, is the first and trusted source for cybersecurity expertise, particularly as authoritarian adversaries like the Chinese government compete to influence the future of the internet. Bolstering cyber security capacity enables the United States to advance a free, open, and interoperable Internet and insulates beneficiary nations from Beijing's efforts to project power abroad through infrastructure projects.
What Congress Can Do
Congress should create a new capacity-building fund dedicated to cyber security with the authority to provide assistance to countries of all income levels, in all parts of the world, especially during times of crisis. Despite the importance of capacity building as a national security priority, the legal authorities that enable U.S. cyber capacity building are inflexible and slow, often cobbled together from programs that were designed for Cold War-era diplomacy. These tools are insufficient to enable the United States, led by the State Department, to support foreign partners working to mature their cyber security systems, much less to meet the needs of partner and allied nations during times of crisis. Without specifically dedicated funds, cyber security is forced to compete with a variety of other foreign assistance priorities.
Existing frameworks for distributing aid make it difficult for the United States to support the cyber priorities of certain countries. These difficulties relate to the way foreign governments structure oversight of their cyber security policy and strategy, and to foreign assistance eligibility criteria that are tied to country income level or geographic location.
In the first case, the difficulty stems from otherwise practical limitations like those in the legislation authorizing the Economic Support Fund, one of the primary vehicles through which the State Department can fund foreign assistance projects. The law stipulates that the Economic Support Fund may not be used for military or paramilitary purposes. While this is important for ensuring the United States does not fund the development of offensive cyber operations programs in foreign countries, it hamstrings America's ability to help countries bolster their civilian cyber security when such programs are overseen by military organizations. Colombia, for example, runs its national computer emergency response team through its Ministry of Defense, as does Latvia, and in Spain, the function sits under the national intelligence agency.
In the second case, the difficulty stems from the eligibility requirements associated with the use of certain foreign assistance funds. Congress should consider expanding criteria for cyber security capacity-building programs to allow for the provision of aid to middle-income countries, irrespective of geography. Some funds, like those earmarked for the Assistance to Europe, Eurasia, and Central Asia Fund, are limited to a particular geographic region. Other funds are generally aimed at providing assistance to low- and lower middle-income countries, which is an important means of ensuring that foreign aid is channeled to those countries in greatest need of support. When it comes to cyber security, however, some strategically important countries do not meet these criteria. Singapore, Taiwan, Indonesia, and Thailand, for example, are all considered upper-middle-income economies or high-income economies by the World Bank, but both private companies and government entities have been the target of economically and geopolitically motivated attacks, some of which have been attributed to Chinese groups. As currently structured, existing authorities can make it slow and bureaucratic to get funding to countries such as these, but given the region's strategic importance, there are occasions when doing so may be both critical and time-sensitive.
A specific account dedicated to cyber security could allow Congress to ensure that all foreign assistance priorities, including cyber security, receive sufficient funding and resources. The March 2020 report of the U.S. Cyberspace Solarium Commission, a congressionally mandated body examining cyberspace policy, specifically recommended legislative action to untangle this issue. Both of the problems highlighted above speak to the short-term priority for strengthening U.S. abilities to build cyber security capacity: building flexible, consolidated funds for cyber security to overcome competing priorities for foreign assistance. Though funds can be cobbled together from the alphabet soup of foreign assistance funds, the absence of a designated fund means that cyber security competes with priorities like bolstering democracy and the rule of law, encouraging the development of free markets, or building peace in conflict-ridden regions. Additionally, a distinct fund would allow for the development of flexible eligibility criteria that are specifically tailored to strategic cyber-related objectives.
Anticipating Challenges
Existing U.S. capacity-building programs also face challenges related to agility and are inadequately positioned within broader efforts to counter Beijing's growing influence abroad. Foreign assistance moves slowly. Capacity-building programs are aimed at boosting the cyber maturity of partner and allied nations, a process that can take years, if not decades. And even countries with the most mature cyber capabilities are not immune to crisis. When such crises arrive, it may be critical for the United States to move money immediately to aid with incident response and remediation. Congress should ask the State Department to review, in consultation with other federal departments and agencies, the process of delivering foreign aid in times of crisis and how the process for cyber security capacity building can be streamlined or expedited during exigent circumstances so that the State Department can support foreign partners when they need it most. Such assistance would be similar to the rapid humanitarian and disaster relief aid that the State Department and USAID distribute during times of crisis.
Additionally, departments and agencies with responsibility for allocating foreign assistance and implementing capacity-building projects should think about how these projects and programs fit into broader U.S. efforts to counter Beijing's influence and investment in the Global South. In the face of such a concerted effort, the United States needs a careful, thoughtful strategy, connecting capacity-building efforts with diplomacy, law enforcement, private sector engagement, and more. The Cyber Diplomacy Act's proposed Bureau of International Cyberspace Policy would be an ideal place for some of this coordination to take place.
Beyond the geopolitical issue of China, the Bureau of International Cyberspace Policy is an important place to align capacity-building efforts with broader cyber diplomacy goals addressing competing models of internet governance. Similarly, improved coordination at the White House level via the new office of the national cyber director can help align international capacity-building efforts across U.S. government agencies. In addition to the State Department's work, the Department of Homeland Security is planning an international cyber security capacity-building sprint. Meanwhile, the Cybersecurity and Infrastructure Security Agency launched an international strategy, CISA Global, which aims also to support the State Department's work with international partners on capacity building.
When it comes to international capability in cyberspace, U.S. civilian agencies should take the lead. While the Defense Department has a huge role to play in keeping the country safe in cyberspace, U.S. diplomats are better positioned to advance U.S. cyber security interests in foreign capitals. Ensuring that all tools of international engagement, including military, diplomatic, and foreign assistance, are aligned is imperative to strengthening the credibility of America's actions in cyberspace, and the Bureau of International Cyberspace Policy is a good focal point for that coordination within the State Department.
Looking Ahead
The Biden administration's emphasis on capacity building in response to Russian malicious cyber activity is an important reminder that, in cyberspace, America's safety is wound up with that of the rest of the world. As Congress works to improve the government's structure for engaging internationally on cyber security, it should ensure that the State Department has the authority to provide aid in a timely and concerted fashion. By doing its part to help partners and allies, the United States can take a crucial step in building a resilient cyberspace and protecting vital U.S. interests.
Natalie Thompson is a research analyst with the U.S. Cyberspace Solarium Commission. Previously, she was a research assistant and James C. Gaither Junior Fellow at the Carnegie Endowment for International Peace, working with the Technology and International Affairs Program on projects related to disinformation and cybersecurity. She tweets at @natalierthom.
Zoe Peach-Riley is a research intern with the U.S. Cyberspace Solarium Commission. She is a current student at the University of Southern California, where she is pursuing a major in intelligence & cyber-operations.
Laura Bate is a senior director with the U.S. Cyberspace Solarium Commission and a 2021 Next Generation National Security Fellow with the Center for a New American Security. Previously, she was a policy analyst with New America's Cybersecurity Initiative and remains an International Security Program Fellow. She tweets at @Laura_K_Bate.
The Security Issues Holding Back the Rollout of the Industrial Internet of Things – CMSWire
Many of the discussions about the Internet of Things, or IoT, focus on the positives of having a connected home or a connected workplace. But there's also been a focus on the weaknesses and flaws in the IoT. High on that list is security and concerns about the safety and integrity of all those devices that we're connecting together.
If security problems can cause serious problems for consumers, compromised security for the Industrial IoT (IIoT) can be devastating for organizations involved and result in a significant reputational hit when devices are hacked, and even a shutdown if the attack is serious enough. As the world has become more connected over the past year, that has pushed IIoT security to the top of security professionals' agenda.
The bad news is that many of those responding to a recent survey say they are not prepared to protect their organization's infrastructure. In March 2021, Tripwire, a Portland, Ore.-based provider of security and compliance solutions for enterprises, surveyed 312 security professionals who manage IoT and IIoT devices across their organization.
According to the survey, 99% of security professionals report challenges with the security of their IoT and IIoT devices, and 95% are concerned about risks associated with these connected devices. More than three quarters of those surveyed said that connected devices do not easily fit into their existing security approach, and 88% required (or still require) additional resources to meet their IoT and IIoT security needs.
This is of particular concern for those in the industrial space, as more than half (53%) said they are unable to fully monitor connected systems entering their controlled environment, and 61% have limited visibility into changes in security vendors within their supply chain.
One of the most significant technologies of the 21st century, IoT has the power to revolutionize our daily functions and how we interact with our homes and each other. The mass usage of IIoT is a massive opportunity but it comes with many problems that manufacturers have yet to answer, said Ondrej Krehel, CEO of LIFARS, a New York City-based cybersecurity firm. The biggest potential downside is that they are not safe from cybercriminals.
"In 2021, there is no device in the world that is 100% safe from all outside threats," he said. "Any Internet-connected device anywhere is vulnerable to some type of attack. However, considering the interconnectivity of IoT devices, a simple breach could be catastrophic and expose problems to an entire network of devices [across the enterprise], instead of just one." Those threats include:
The security of IIoT devices is easily its biggest problem. Manufacturers and service providers should prioritize the security and privacy of their products and should also provide encryption and authorization by default to protect users as much as possible.
Tom Winter, HR tech recruitment advisor and co-founder of New York City-based DevSkiller, pointed out that while IoT has been a great factor in the proliferation of smart homes, smart offices have yet to take flight in the same way. The fact that companies and organizations have significant security issues is one of the reasons why industrial IoT implementation has not caught on in the workplace.
There is a clear disconnect between organizational IoT systems and their users. Yet, the importance of these systems is inevitable and organizations must educate their users to build knowledge and awareness. There is one more factor: the maturity of the commercial products in the market today.
"Perhaps they are not yet ready for all types of offices just yet," Winter said. "There may need to be some time for the market to adjust to the needs of various organizations."
The proliferation of 5G networks will vastly improve both the security and performance of these IoT systems. Because not all regions globally have access to this technology yet, there needs to be patience on the part of companies before IoT workspaces become a full-fledged phenomenon.
Organizations and chief information security officers are right to be concerned by IIoT security, but the benefits and market potential are such that companies cannot sit idly by either, said Hatem Oueslati, co-founder and CEO of France-based IoTerop. One positive is that Europe, the UK, and the US all recently introduced cybersecurity regulations highlighting the importance of security, but even these suggestions can be problematic. Take firmware updates, for example. Poorly implemented FOTA mechanisms can create vulnerabilities.
Security should be an integral pillar of product strategy. No one buys thousands of smart meters without looking closely at security. Security is one reason original equipment manufacturers are attracted to the lightweight M2M standard (LwM2M). Initially, they want to reduce time to market and improve solution quality. However, standardized device management services like zero-touch device commissioning and PKI provisioning, monitoring, authentication and encryption are crucial to operating secure, cost-effective IoT solutions.
"Soon, billions of devices will deliver the goods and services we need to live, like healthcare, electricity and more," Oueslati said. "From the device to the cloud, everything must be secure and standardized so the risks are not hidden."
There are other issues, too. The hype around IoT years ago was off the charts, said Ron Exler, director and principal analyst at the Stamford, Conn.-based Information Services Group. The excessive predictions about its spread explain why there are questions over why it has not spread as fast as might have been expected.
It also explains the lack of scale in enterprise deployments. Many IoT pilots launched amidst the hype but many did not scale because they could not show adequate ROI, and many enterprises are still concerned about security.
The result, Exler said, is that service providers will not do pilots. Instead, they show the ROI for full deployments, get executive buy-in and then go. What is left in the enterprises are the closed systems, such as factories. In these environments, even small improvements in productivity are important and can be more easily measured. These environments are also more conducive to 5G deployment.
The lack of standards and interoperability is also a problem for enterprise IoT. Enterprises seek to lower risk and one way to do that is to rely on multiple vendors. Plus, multi-vendor solutions can be more robust. The IT systems connecting to the operational systems are critical, too. Without adequate standards for data exchange and security, the idea of the IoT will not reach its full potential, Exler said.
Underlying all this is the fact that security is an afterthought. Every device is a potential entry point for hackers yet it is an open secret in the industry that the IoT ecosystem of vendors is more concerned with getting new products to market than securing them. Most consumers do not pay attention but many enterprise buyers do. The security risks simply are not worth it for them, especially when the ROI is unpredictable or fleeting.
Exler argued that while AI can help IoT, especially at the edge to collect and process the right data, it could also help with security. But it is not a panacea. 5G will help for some applications where speed and network latency are critical.
ISC urges updates of DNS servers to wipe out new BIND vulnerabilities – ZDNet
The Internet Systems Consortium (ISC) has released an advisory outlining a trio of vulnerabilities that could impact the safety of DNS systems.
This week, the organization said the vulnerabilities impact ISC Berkeley Internet Name Domain (BIND) 9, widely used as a DNS system and maintained as an open source project.
The first vulnerability is tracked as CVE-2021-25216 and has been issued a CVSS severity score of 8.1 (32-bit) or 7.4 (64-bit). Threat actors can remotely trigger the flaw by performing a buffer overflow attack against BIND's GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol, potentially leading to wider exploits including crashes and remote code execution.
However, under configurations using default BIND settings, vulnerable code paths are not exposed -- unless a server's values (tkey-gssapi-keytab/tkey-gssapi-credential) are set otherwise.
"Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers," the advisory reads. "For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built."
The second security flaw, CVE-2021-25215, has earned a CVSS score of 7.5. CVE-2021-25215 is a remotely-exploitable flaw found in the way DNAME records are processed and may cause process crashes due to failed assertions.
The least dangerous bug, tracked as CVE-2021-25214, has been issued a CVSS score of 6.5. This issue was found in incremental zone transfers (IXFR) and if a named server receives a malformed IXFR, this causes the named process to crash due to a failed assertion.
The ISC is not aware of any active exploits for any of the bugs.
Vulnerabilities in BIND are treated seriously as it can take just one bug, successfully exploited, to cause widespread disruption to services.
"Most of the vulnerabilities discovered in BIND 9 are ways to trigger INSIST or ASSERT failures, which cause BIND to exit," the ISC says. "When an external user can reliably cause the BIND process to exit, that is a very effective denial of service (DoS) attack. Nanny scripts can restart BIND 9, but in some cases, it may take hours to reload, and the server is vulnerable to being shut down again."
Subscribers are notified of security flaws ahead of public disclosure, and if patches have not been applied for the latest trio of vulnerabilities, fixes should be issued as quickly as possible.
BIND 9.11.31, 9.16.15, and 9.17.12 all contain patches and the appropriate update should be applied.
CISA has also issued an alert on the security issues.
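The triage the article describes can be scripted: compare the running version against the three fixed releases and check whether either GSS-TSIG option is active in the configuration. This is an added example, not ISC or ZDNet code; the sample banner and `named.conf` text are constructed, and the function names are hypothetical.

```python
import re

# Releases the article names as containing the fixes, keyed by release branch.
FIXED_PATCH = {(9, 11): 31, (9, 16): 15, (9, 17): 12}

# Options the article names as the ones that expose the GSS-TSIG code path.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Constructed sample input (not taken from any real server).
SAMPLE_BANNER = "BIND 9.16.1 (Stable Release)"
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // tkey-gssapi-keytab "/etc/old.keytab";   (disabled during migration)
    /* tkey-gssapi-credential "DNS/old.example.test@EXAMPLE.TEST"; */
    tkey-gssapi-keytab "/etc/named.keytab";  # active
    recursion no;
};
'''


def strip_comments(conf):
    """Drop /* */, // and # comments so disabled options are not counted.

    Simplification: a '//' or '#' inside a quoted string would also be cut.
    """
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def active_gss_options(conf):
    """Return the GSS-TSIG options that are set outside comments."""
    body = strip_comments(conf)
    found = []
    for opt in GSS_OPTIONS:
        pattern = r"(?<![\w-])" + re.escape(opt) + r'\s+("[^"]*"|[^\s;]+)\s*;'
        if re.search(pattern, body):
            found.append(opt)
    return found


def parse_version(banner):
    """Extract (major, minor, patch) from a version banner string."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no x.y.z version found in: %r" % banner)
    return tuple(int(part) for part in match.groups())


def patch_status(banner):
    """Classify a version against the fixed releases listed in the article.

    Branches the article does not mention are reported as unknown rather than
    guessed. Distribution packages may backport fixes without changing the
    upstream version number, so 'needs-update' means 'verify with the vendor'.
    """
    major, minor, patch = parse_version(banner)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if patch >= fixed else "needs-update"


def assess(banner, conf):
    """Combine version and configuration into a triage result."""
    status = patch_status(banner)
    options = active_gss_options(conf)
    if status == "patched":
        action = "none"
    elif status == "unknown-branch":
        action = "check-advisory"
    elif options:
        # CVE-2021-25216 code path is reachable: highest priority.
        action = "update-urgently"
    else:
        # GSS-TSIG not configured, but the DNAME and IXFR fixes are missing.
        action = "update"
    return {"status": status, "gss_options": options, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```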
In other security news this week, Microsoft has disclosed bad memory allocation operations in code used in Internet of Things (IoT) and industrial technologies, with a range of vulnerabilities classified under the name "BadAlloc". Microsoft is working with the US Department of Homeland Security (DHS) to alert impacted vendors.
Dedicated core network is the cornerstone of secure IoT – Ericsson
A proprietary network created specifically for IoT use can not only facilitate the management of a plethora of connected devices, but also provide a sound basis for protecting traffic.
The number of IoT (Internet of Things) connections will rise to 5.9 billion by 2026, representing a growth of about three and a half times from 1.7 billion counted last year. Protecting this enormous pool of online devices is already extremely important, but as it grows, it will become increasingly critical. With the IoT Accelerator solution, abbreviated as IoTA, Ericsson paves the way for a brisk and safe offer on the IoT landscape. For large enterprise customers and telecommunications companies, the solution offers a dedicated IoT network as a service, i.e., as part of the "as-a-service" business model, which includes a number of additional services and functions that are available on demand, from telematics and subscription management to the management of vehicles with online connectivity.
IoTA also offers extensive eSIM support to manage IoT fleets as flexibly as possible. There are currently a total of about 80 million traditional SIMs and eSIMs connected to the IoTA network worldwide, covering more than seven thousand large enterprise customers and more than 35 telecommunications providers - in more than 100 countries.
The reliability of the protection is already well illustrated by the user base; IoTA also supports public customers, and in their case the platform is considered a Critical National Infrastructure (CNI), so it is subject to extremely strict regulations. In addition to GDPR compliance that is a fundamental requirement in the EU, such regulations include, for example, the NCSC (National Cyber Security Center) guidelines in the UK and a series of country-specific, detailed specifications that are regularly checked by customers through random audits.
This is understandable, as there are many IoT projects that handle extremely sensitive data; it is enough to think about the fleet management of vehicles with online connectivity or even information from health sensors. In developing and operating IoTA, Ericsson therefore pays special attention to security - the system eliminates, among other things, the top ten security risks identified by the global Open Web Application Security Project (OWASP), which specializes in software security.
Ericsson's customers who actively use IoTA include Sony, specifically its Sony Network Communications Europe division, which uses it to lay the foundations for various mobile IoT platforms such as Visilion or mSafety. Visilion is an advanced tracking solution used in the logistics and healthcare segments that provides real-time location data based on a variety of sensors in applications covering shipped goods, various values, or even people. mSafety is an eSIM-enabled, wearable device-based platform with a cloud-based backend. The latter can be connected to devices either on an LTE or on an NB-IoT network to transmit various measured health data. The two systems can be used to implement services such as SafeTrx, which monitors the location of people doing sports in the open, such as surfers, and notifies the appropriate authorities in an emergency.
For similar applications, both adequate network protection and reliable, stable operation are essential, which Ericsson is willing to provide to its partners who can connect to the company's core network and use all the modular services available on it. These include subscription management or user administration, but they can also take advantage of APIs provided through Ericsson's developer portal to develop applications for the platform themselves, which is also protected by a multi-layered authentication solution with role-based access control.
In addition, the integration of Ericsson Security Manager is already in progress on the IoTA platform; the company's well-proven bastion will also offer extensive security features, with real-time, automated network protection supported by risk-based security policies and artificial intelligence.
The artificial intelligence-based protection builds on behavioral analytics: it monitors homogeneous groups of devices, learns the usual characteristics of the group, and alerts you when a device exhibits behavior that is significantly different from its group. For example, if the system detects more unidirectional traffic than is usual in your environment, it can alert operators to a potential DoS attack. The development of such and similar services is now possible in Hungary as well, as Ericsson's Budapest team has also been participating in the international cooperation since the end of last year. The local team is constantly expanding, and is set to play an increasingly strategic role in the IoTA organization in the coming years.
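A minimal sketch of group-relative behavioral alerting as described above, added here as an illustration and not Ericsson's implementation: each device's share of uplink traffic is compared with its own group's median using a modified z-score (median and MAD), a stand-in technique chosen for this example. Device names, groups, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (device_id, group, uplink_bytes, downlink_bytes).
SAMPLE = [
    ("meter-01", "meter", 500, 500), ("meter-02", "meter", 520, 480),
    ("meter-03", "meter", 480, 520), ("meter-04", "meter", 510, 490),
    ("meter-05", "meter", 490, 510), ("meter-06", "meter", 500, 500),
    ("meter-07", "meter", 530, 470), ("meter-08", "meter", 970, 30),
    # Trackers are uplink-heavy by design; 97% uplink is normal for them.
    ("tracker-01", "tracker", 950, 50), ("tracker-02", "tracker", 960, 40),
    ("tracker-03", "tracker", 970, 30), ("tracker-04", "tracker", 940, 60),
    ("tracker-05", "tracker", 960, 40),
]

MIN_GROUP = 5      # assumed: too few peers means no usable baseline
THRESHOLD = 3.5    # assumed cut-off for the modified z-score
MIN_SCALE = 0.01   # floor so a group of near-identical devices cannot divide by zero


def uplink_fraction(up, down):
    """Share of a device's traffic that is uplink (0.0 for an idle device)."""
    total = up + down
    return up / total if total else 0.0


def find_outliers(records, threshold=THRESHOLD):
    """Return (device_id, group, score) for devices that deviate from their group."""
    groups = defaultdict(list)
    for device, group, up, down in records:
        groups[group].append((device, uplink_fraction(up, down)))

    alerts = []
    for group, members in groups.items():
        if len(members) < MIN_GROUP:
            continue
        values = [value for _, value in members]
        center = median(values)
        mad = median([abs(value - center) for value in values])
        scale = max(mad, MIN_SCALE)
        for device, value in members:
            # 0.6745 scales the MAD so the score is comparable to a z-score.
            score = 0.6745 * (value - center) / scale
            if abs(score) > threshold:
                alerts.append((device, group, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for alert in find_outliers(SAMPLE):
        print(alert)
```

The same 97% uplink share that flags `meter-08` is unremarkable for the tracker group, which is the point of baselining per homogeneous group rather than across the whole fleet.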
The U.S. Should Make Leverage the Foundation of Its Cyber Strategy – Council on Foreign Relations
Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council's Cyber Statecraft Initiative. Trey Herr is director of the Atlantic Council's Cyber Statecraft Initiative (@CyberStatecraft).
The SolarWinds incident spurred a flurry of debates about whether the U.S. Department of Defense's 2018 defend forward strategy should, or could, have prevented the calamity. Putting aside that the Russian operation was cyber espionage (stealing data rather than denying, disrupting, degrading, or destroying systems), some of these arguments reflected an idea that the United States should defend forward or persistently engage everywhere, all the time.
However, this idea is not only unrealistic, with resource constraints (in personnel, target information, access to adversary networks, organizational capacity, etc.) limiting the collective reach of U.S. cyber operations at any given time; it also ignores the concept of points of leverage in the broader internet ecosystem.
Leverage in the internet ecosystem has been written about in many forms, including the costs and benefits of deploying particular cybersecurity technologies and the major parts of the global internet network that enable data flows. Yet discourse on persistent engagement that seems to suggest a constant engagement on all parts of the network ignores the very idea of leverage that should be the foundation for the conversation itself: understanding how defensive and offensive actions can shift points of leverage on the internet.
The New York Cyber Task Force's 2017 report discusses the idea of leverage, for instance, in a somewhat productized sense vis-à-vis software and internet security. Cybersecurity's most successful innovations, they wrote, have provided leverage in that they operate on an internet-wide scale and impose the highest costs (roughly measured in both dollars and effort) on attackers with the least cost to defenders. Encryption, automatic software updates, and secure-by-design software were just three examples provided by the task force. The cost-benefit of their deployment favors the defender.
A new report from the Atlantic Council on lessons from the Sunburst campaign likewise argues that government and industry should embrace an idea of persistent flow in cybersecurity, emphasizing that effective cybersecurity is more about speed, agility, and concentrated action than trying to do everything, everywhere, all at once. This concentration is necessary because just as there are cybersecurity technologies that give leverage to a defender, some vectors of compromise give disproportionate leverage to attackers.
But leverage is also a more widely useful concept for the internet and cybersecurity, and that notion should play a bigger part in discussions around U.S. cyber strategy. Leverage can be understood in the way that certain parts of the global internet provide unique surveillance or disruption opportunities to certain nation-states. Henry Farrell and Abraham Newman write in their 2019 article Weaponized Interdependence about panopticons in networks, which states can use to gather strategically valuable information, and chokepoints in networks, which provide opportunities to deny network access to adversaries. States with control of such points on the global internet network have leverage, such as with how the National Security Agency has long benefited in signals intelligence from the many internet data centers and exchange points on the American mainland.
Similarly, points in the global internet architecture can serve as places of leverage for nation-states looking to secure them or exploit their vulnerabilities. Data routing security is one such example. The Domain Name System, the internet's phone book for addressing traffic, and the Border Gateway Protocol, the internet's GPS for routing traffic, were both designed with a preference for speed and reliability over security. Both systems are crucial to the global internet's very function and yet remain fundamentally insecure, vulnerable to outright manipulation. They are also both areas where small changes would yield massive gains in cybersecurity, underscoring that, as we previously argued, one of the best ways to approach a U.S. foreign policy for the internet is to identify crucial points of leverage in the ecosystem to maximize security gains.
This raises the distinction between chokepoints and leverage, however, where leverage provides highly scalable effects on cybersecurity (i.e., small inputs yielding outsized change across a system or ecosystem) and imposes significant costs for comparatively small input. Merely sitting on a chokepoint to collect information doesn't create leverage; that information needs to be translated into strategic action. Information sharing about threats, absent a strong model for interagency collaboration and a specific desired end state, is not enough. Points of leverage on the internet can shift at varying speeds, whether from defensive and offensive cyber actions or physical alterations to the internet's topology. U.S. cyber strategy should therefore emphasize that steps within the cyber domain to exploit or protect those points of leverage do more than alter the position of each actor involved; they also alter the cyber environment itself.
The Sunburst campaign provides myriad reasons for the U.S. government and industry to reassess their policies and practices on the likes of both cloud and supply chain security. Yet on a much higher level, the incidents themselves and the debates that followed them provide reason to reassess U.S. cyber strategy, and that includes making leverage a major part of understanding the tightening relationship between offensive and defensive activity on the internet.
New Georgia Bills Will Affect Public’s Access to Cybersecurity Details – University of Georgia
Georgia House Bill 156, signed by Gov. Brian Kemp in late March, increases data sharing between different parts of government about data breaches and cyber-attacks, according to Sarah Brewerton-Palmer, chair of the Georgia First Amendment Foundation's Legislative Committee.
However, Brewerton-Palmer is concerned the bill could exempt an entire report about cybersecurity breaches from the Open Records Act depending on the interpretation of the law.
Georgia House Bill 156 went into effect March 25. It allows government agencies to conduct proceedings related to cybersecurity to be held in executive session, and provide for certain information, data, and reports related to cybersecurity and cyber attacks to be exempt from public disclosure and inspection, according to the bill's summary.
Another bill, House Bill 134, which has passed both chambers in the Georgia General Assembly, says that if you're discussing anything related to cyber attacks or cyber security, that could all be done in executive sessions, according to Brewerton-Palmer. That doesn't include contracts and payment for services; those would still be made public.
Brewerton-Palmer is concerned, though, that these bills will affect the public's access to information regarding cybersecurity.
"They're sort of a one-two punch," said Brewerton-Palmer. While House Bill 156 is a reporting requirement, House Bill 134's main function is to amend the Open Records Act and Open Meetings Act. House Bill 134 would allow government agencies to go into executive sessions, which are portions of open meetings closed to the public.
Georgia House Rep. Todd Jones (R-South Forsyth) is a sponsor for House Bill 134. He said, "The open records and open meetings law have measures that exempt certain information that would affect public safety."
Jones said the issue of cyber security warrants the use of executive sessions and the exemption of information regarding cyber security plans from the Open Records and Open Meetings acts in order to ensure the protection of the public's private data.
"I think our citizens would say that the security of their personal information is tantamount," said Jones.
However, Brewerton-Palmer said the language of the bill is too broad and could potentially allow government agencies to interpret the law in which any discussion regarding cyber security could be held in executive session.
"Information like the existence of a data breach or attack or more generic information like what kind of information was disclosed, that information the public might want to know that would probably not compromise security efforts going forward," said Brewerton-Palmer.
"We're not asking for the code to the software to be posted; we're not asking for the details for how hackers got into the system to be made public. What should be made public is how much the government is spending on internet security, how much the system has been compromised," said Richard Griffiths, media ethicist and member of the board of directors for the Georgia First Amendment Foundation.
Georgia Sunshine Laws were updated in 2012. They allow the public to more easily use open records and open meetings laws. Georgia's open records laws already do have exemptions for information regarding public safety.
While journalists often make use of open records laws, the public is most affected by legislation that limits the public's right to information, according to Griffiths.
"If the public doesn't know what's going on in government, they can't hold the people they elect to account for the good decisions and the not-so-good decisions they make," Griffiths said.
According to Jones, if exemptions to the open records and open meeting laws are to take place, the use of executive sessions should be made transparent.
"Government and sunshine is one of the key ways that we ensure that the government is working for the people. They should know if we're going to give any exceptions to that rule it should be done through statute, and it should be done in the sunshine," said Jones.
"Government transparency is good not just for journalists; it's good for every person in this country. Government transparency allows the public to keep the government accountable for rational decisions to be made on the best possible information," said Griffiths.
Micheal Prochaska, editor for the Oconee Enterprise, said he believes citizens have a right to know what their government is working on and how they are using taxpayer dollars.
"It's important that people know what their taxpayer dollars are going toward. Keep in mind, all these government entities levy taxes on citizens and citizens have a right to know where their tax money is going," said Prochaska.
Information regarding cybersecurity details warrants exemptions from open records and open meetings laws, according to Jones.
"The bill was crafted in such a way that the actual detail planning could be done in work session so in that way, it was not public information so potential hackers, potential ransomware perpetrators, they wouldn't have the key to determine how you would break through on any of the cyber security plans," said Jones.
According to Prochaska, local journalism depends on the transparency of government in order to disseminate information to the public.
"A lot of what we write about is government meetings, things that we cover are city council meetings for the municipalities in Oconee County," said Prochaska.
According to Pew Research Center, trust in government has been on a decline for several years. Open government allows for greater transparency and gives the public the opportunity to hold government officials accountable, according to Griffiths.
"As our society increasingly goes online, the public will need to know how their data is being protected," said Griffiths. Holding government officials accountable is vital to democracy.
As of now, Georgia House Bill 134 has passed both the Georgia House and Senate. The bill has been sent by the House to be signed by Gov. Kemp. Unless vetoed, the bill will become law.
The Georgia General Assembly legislative session has concluded this spring. Brewerton-Palmer hopes concerns regarding these bills can be addressed during future Georgia legislative sessions.
Fabian Munive is a senior majoring in journalism at the Grady College of Journalism and Mass Communication.
More here:
New Georgia Bills Will Affect Public's Access to Cybersecurity Details - University of Georgia