CISA
United States onair post, https://us.onair.cc/cisa/, Mon, 20 Oct 2025 14:48:30 +0000

The Cybersecurity and Infrastructure Security Agency (CISA) works with partners to defend against today's threats and to build a more secure and resilient infrastructure for the future.

As the National Coordinator for Critical Infrastructure Security and Resilience, CISA works with partners at every level to identify and manage risk to the cyber and physical infrastructure that Americans rely on every hour of every day. Read CISA's Fact Sheet to learn more.

Mission

We lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

Vision

A secure and resilient critical infrastructure for the American people.

Source: CISA website

OnAir Post: CISA

About

Wikipedia

The Cybersecurity and Infrastructure Security Agency (CISA), headquartered in Arlington, Virginia, is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers.[4]

The agency began in 2007 as the National Protection and Programs Directorate (NPPD).[4][5] With the Cybersecurity and Infrastructure Security Agency Act of 2018, CISA’s footprint expanded to include roles protecting the census, managing National Special Security Events, and the U.S. response to the COVID-19 pandemic. It has also been involved in overseeing 5G network security, securing elections, and strengthening the US grid against electromagnetic pulses (EMPs).[6] The Office for Bombing Prevention leads the national counter-IED effort.[7]

History

The National Protection and Programs Directorate (NPPD) was formed in 2007 as a component of the United States Department of Homeland Security.[8] NPPD’s goal was to advance the Department’s national security mission by reducing and eliminating threats to U.S. critical physical and cyber infrastructure.

On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018, which established the Cybersecurity and Infrastructure Security Agency (CISA), a successor agency to the National Protection and Programs Directorate (NPPD).[9] CISA assists other government agencies and private sector organizations in addressing cybersecurity issues.[10] Former NPPD Under-Secretary Christopher Krebs was CISA’s first Director, and former Deputy Under-Secretary Matthew Travis was its first deputy director.[11][12]

On January 22, 2019, CISA issued its first Emergency Directive (19-01: Mitigate DNS Infrastructure Tampering)[13] warning that "an active attacker is targeting government organizations" by tampering with DNS records (A, NS and MX entries changed through compromised registrar or DNS-provider accounts) to redirect traffic through attacker-controlled hosts and perform man-in-the-middle attacks.[14] The directive gave agencies ten business days to audit their public DNS records against the values they intended to publish, change the passwords on accounts that can alter those records, add multi-factor authentication to them, and monitor Certificate Transparency logs for certificates they had not requested. Research group FireEye stated that "initial research suggests the actor or actors responsible have a nexus to Iran."[15]
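The two detective controls ED 19-01 asked for, a DNS record audit against a baseline and a Certificate Transparency check for unrequested certificates, are shown below as an added example. This is not CISA's code or tooling. The domain names, addresses, issuers and the "observed" snapshot are constructed for the example so it runs offline; a real audit would populate `OBSERVED` from queries to the authoritative servers (for instance with dnspython) and `CT_ENTRIES` from a CT log monitor.

```python
"""Baseline audit of public DNS records plus a Certificate Transparency check,
in the spirit of CISA Emergency Directive 19-01. Added example, not CISA code.
All data below is constructed; nothing here talks to the network."""

# Constructed baseline: the records the operator intends to serve.
BASELINE = {
    ("mail.example-agency.gov", "A"): {"203.0.113.10"},
    ("mail.example-agency.gov", "MX"): {"10 mail.example-agency.gov."},
    ("example-agency.gov", "NS"): {"ns1.example-agency.gov.", "ns2.example-agency.gov."},
}

# Constructed snapshot of what the authoritative servers currently return.
# The A record has been repointed and a third NS has appeared: the pattern the
# directive warned about. The MX differs only in case and trailing dot.
OBSERVED = {
    ("mail.example-agency.gov", "A"): {"198.51.100.77"},
    ("mail.example-agency.gov", "MX"): {"10 MAIL.example-agency.gov"},
    ("example-agency.gov", "NS"): {
        "ns1.example-agency.gov.", "ns2.example-agency.gov.", "ns.attacker.example."},
}

# Constructed CT log entries (subject name, issuing CA).
CT_ENTRIES = [
    {"subject": "mail.example-agency.gov", "issuer": "Example Federal CA"},
    {"subject": "*.example-agency.gov", "issuer": "Some Free CA"},
    {"subject": "www.other.example", "issuer": "Some Free CA"},
]


def normalize(rdata):
    """Canonicalise RDATA so case and trailing-dot differences do not raise alarms."""
    return rdata.strip().lower().rstrip(".")


def audit_dns(baseline, observed):
    """Compare observed records with the baseline.

    Returns a list of (name, rtype, kind, detail) findings where kind is one of
    'changed', 'added', 'removed' or 'unexpected_type'. An exact match after
    normalisation produces no finding.
    """
    findings = []
    for (name, rtype), expected in baseline.items():
        exp = {normalize(r) for r in expected}
        got = {normalize(r) for r in observed.get((name, rtype), set())}
        if got == exp:
            continue
        missing, extra = exp - got, got - exp
        if missing and extra:
            kind = "changed"          # value replaced: classic redirection
        elif extra:
            kind = "added"            # e.g. an extra NS or MX slipped in
        else:
            kind = "removed"          # record gone or partially deleted
        findings.append((name, rtype, kind,
                         f"expected {sorted(exp)}, observed {sorted(got)}"))
    # Record types that exist in the zone but were never in the baseline.
    for name, rtype in observed.keys() - baseline.keys():
        findings.append((name, rtype, "unexpected_type",
                         f"observed {sorted(observed[(name, rtype)])}"))
    return findings


def ct_anomalies(entries, monitored_domains, approved_issuers):
    """Flag certificates for monitored domains issued by a CA not on the approved list.

    Wildcard subjects are matched on their base domain. Returns (subject, issuer) pairs.
    """
    anomalies = []
    for entry in entries:
        subject = normalize(entry["subject"])
        base = subject[2:] if subject.startswith("*.") else subject
        monitored = any(base == d or base.endswith("." + d) for d in monitored_domains)
        if monitored and entry["issuer"] not in approved_issuers:
            anomalies.append((entry["subject"], entry["issuer"]))
    return anomalies


if __name__ == "__main__":
    for finding in audit_dns(BASELINE, OBSERVED):
        print("DNS:", *finding)
    for subject, issuer in ct_anomalies(CT_ENTRIES, {"example-agency.gov"},
                                        {"Example Federal CA"}):
        print("CT: unexpected certificate for", subject, "from", issuer)
```

The audit deliberately reports the kind of deviation, because the response differs: a changed A record or an added NS means traffic may already be redirected and the registrar account should be treated as compromised, while an unapproved certificate in CT with unchanged DNS is an early warning that an attacker is preparing the man-in-the-middle position described above.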

In 2020, CISA created a website, titled Rumor Control, to rebut disinformation associated with the 2020 United States presidential election.[16] On November 12, 2020, CISA issued a press release asserting, "There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised."[17] On the same day, Director Krebs indicated that he expected to be dismissed from his post by the Trump administration.[18] Krebs was subsequently fired by President Trump on November 17, 2020,[19] via tweet, for his comments regarding the security of the election.[20]

Reported statistics indicate that the scale and frequency of cyber-attacks have been increasing in recent years. For example, the number of data breaches reported in 2020 alone reached a record high of 3,932, a 48% increase compared to the previous year, with over 37 billion records exposed globally; the average cost of a data breach in 2020 was estimated to be $3.86 million, with an average time to identify and contain a breach of 280 days.[21]

Secretary of Homeland Security Alejandro Mayorkas at CISA’s current headquarters in Arlington, Virginia in 2021

On July 12, 2021, the Senate confirmed Jen Easterly by a voice vote.[22] Easterly's nomination had been reported favorably out of the Senate Committee on Homeland Security and Governmental Affairs on June 16, but a floor vote had reportedly been held up by Senator Rick Scott over broader national security concerns, until the President or Vice President had visited the southern border with Mexico.[23] Easterly hired new staff to monitor online disinformation to enhance what she called the nation's "cognitive infrastructure" and used the existing Rumor Control website during the 2021 elections.[24]

In September 2022, CISA released its 2023–2025 CISA Strategic Plan, the first comprehensive strategy document since the agency’s establishment in 2018.[25]

In 2025, CISA began dismantling parts of its organization at the direction of the Trump administration.[26][27] A lapse in DHS funding in early 2026 forced the agency to scale back further, and by then more than one-third of its staff had been laid off since January 2025.[28][29]

Organization

Real Fake, a 2020 graphic novel from CISA about disinformation and misinformation campaigns

CISA divisions include the:[30]

  • Cybersecurity Division
  • Infrastructure Security Division
    • Bombing Prevention
    • Chemical Security
    • Exercises
    • Infrastructure Assessment & Analysis
    • School Safety
    • Strategy, Performance & Resources
  • Emergency Communications Division
  • National Risk Management Center
  • Integrated Operations Division
    • Regions 1 through 10[31]
  • Stakeholder Engagement Division
    • Council Management
    • International
    • Sector Management
    • Strategic Relations

Programs

The Continuous Diagnostics and Mitigations program provides cybersecurity tools and services to federal agencies.[32][33]

CISA issues “binding operational directives” that require federal government agencies to take action against specific cybersecurity risks.[34]

In March 2021, CISA assumed control of the .gov top-level domain (TLD) from the General Services Administration. CISA manages the approval of domains and operates the TLD Domain Name System nameservers. In April 2021, CISA removed the fee for registering domains.[35] In January 2023, Cloudflare received a $7.2M contract to provide DNS registry and hosting services for the TLD.[36]

CISA provides incident response services to the federal executive branch and US-based entities.

CISA manages the EINSTEIN intrusion detection system to detect malicious activity on federal government agency networks.

The National Defense Authorization Act for Fiscal Year 2021 granted CISA the authority to issue administrative subpoenas in order to identify the owners of internet connected critical infrastructure related devices with specific vulnerabilities. In 2021, CISA issued 47 subpoenas.[37]

In 2021, CISA released guidance on preventing and responding to ransomware incidents, in response to a sharp rise in ransomware attacks.[38]

Committees

Cybersecurity Advisory Committee

In 2021, the Agency created the Cybersecurity Advisory Committee with the following members:[39]

  • Steve Adler, Mayor, City of Austin, Texas
  • Marene Allison, Chief Information Security Officer, Johnson & Johnson
  • Lori Beer, Chief Information Officer, JPMorgan Chase
  • Robert Chesney, James A. Baker III Chair in the Rule of Law and World Affairs, University of Texas School of Law
  • Thomas Fanning, chairman, President and CEO, Southern Company
  • Vijaya Gadde
  • Patrick D. Gallagher, Chancellor, University of Pittsburgh
  • Ronald Green, Executive Vice President and Chief Security Officer, Mastercard
  • Niloofar Razi Howe, board member, Tenable
  • Kevin Mandia, chief executive officer, Mandiant
  • Jeff Moss, President, DEF CON Communications
  • Nuala O’Connor, Senior Vice President & Chief Counsel, Digital Citizenship, Walmart
  • Nicole Perlroth, Cybersecurity journalist
  • Matthew Prince, chief executive officer, Cloudflare
  • Ted Schlein, General Partner, Kleiner Perkins; and Caufield & Byers
  • Stephen Schmidt, Chief Information Security Officer, Amazon Web Services
  • Suzanne Spaulding, Senior Advisor for Homeland Security, CSIS
  • Alex Stamos, Partner, Krebs Stamos Group
  • Kate Starbird, Associate Professor, Human Centered Design & Engineering, University of Washington
  • George Stathakopoulos, Vice President of Corporate Information Security, Apple
  • Alicia Tate-Nadeau (ARNG-Ret.), Director, Illinois Emergency Management Agency
  • Nicole Wong, Principal, NWong Strategies
  • Chris Young, Executive Vice President of Business Development, Strategy, and Ventures, Microsoft

Directors

No.    | Name            | Took office      | Left office      | Term length
1      | Chris C. Krebs  | 16 November 2018 | 17 November 2020 | 2 years, 1 day
2      | Jen M. Easterly | 13 July 2021     | 20 January 2025  | 3 years, 191 days
Acting | Nick Andersen   | 26 February 2026 | incumbent        |

References

  1. ^ “CISA Hiring Hits High Score, and We’re Not Done!!”. August 21, 2023. Retrieved August 24, 2023.
  2. ^ “Leadership”. US Department of Homeland Security. September 7, 2006.
  3. ^ “Madhu Gottumukkala”. Department of Homeland Security. June 4, 2025. Archived from the original on June 4, 2025. Retrieved June 4, 2025.
  4. ^ a b Cimpanu, Catalin (November 16, 2018). “Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency”. ZDNet. Archived from the original on February 19, 2019. Retrieved December 16, 2018.
  5. ^ “About CISA”. Department of Homeland Security. November 19, 2018. Archived from the original on July 6, 2019. Retrieved December 16, 2018. This article incorporates text from this source, which is in the public domain.
  6. ^ “National Risk Management Center”. Cybersecurity and Infrastructure Security Agency. Archived from the original on February 24, 2023. Retrieved August 24, 2023.
  7. ^ “OBP Fact Sheet”. Cybersecurity and Infrastructure Security Agency. June 8, 2023. Retrieved August 24, 2023.
  8. ^ “DHS | About the National Protection and Programs Directorate”. Dhs.gov. August 26, 2011. Archived from the original on September 25, 2011. Retrieved September 27, 2011.
  9. ^ “Cybersecurity and Infrastructure Security Agency”. DHS.gov. Archived from the original on November 23, 2018. Retrieved November 24, 2018.
  10. ^ Ropek, Lucas (July 28, 2020). “Will CISA Be the Savior of State and Local Cybersecurity?”. Government Technology. Retrieved November 18, 2020.
  11. ^ Johnson, Derek B. (March 18, 2018). “NPPD taps vendor for No. 2 role”. Federal Computer Week. Archived from the original on September 30, 2019. Retrieved March 15, 2019.
  12. ^ Rockwell, Mark (December 20, 2018). “Standing up CISA”. Federal Computer Week. Archived from the original on September 30, 2019. Retrieved March 15, 2019.
  13. ^ “Emergency Directive 19-01”. cyber.dhs.gov. Department of Homeland Security. January 22, 2019. Archived from the original on July 3, 2019. Retrieved February 16, 2019.
  14. ^ Krebs, Christopher. “Why CISA issued our first Emergency Directive”. cyber.dhs.gov. Department of Homeland Security. Archived from the original on July 6, 2019. Retrieved February 16, 2019.
  15. ^ Hirani, Muks; Jones, Sarah; Read, Ben. “Global DNS Hijacking Campaign: DNS Record Manipulation at Scale”. FireEye. Archived from the original on June 25, 2019. Retrieved February 16, 2019.
  16. ^ Courtney, Shaun; Sebenius, Alysa; Wadhams, Nick (November 12, 2020). “Turmoil Hits Cyber Agency Engaged in Election as Staff Leave”. Bloomberg News. Retrieved November 18, 2020.
  17. ^ “Federal cybersecurity agency calls election ‘most secure in American history’”. Engadget. November 13, 2020. Retrieved November 17, 2020.
  18. ^ Geller, Eric; Bertrand, Natasha (November 12, 2020). “Top cyber official expecting to be fired as White House frustrations hit agency protecting elections”. Politico. Retrieved November 13, 2020.
  19. ^ “Trump fires head of U.S. election cybersecurity who debunked conspiracy theories”. NBC News. November 18, 2020. Retrieved July 1, 2022.
  20. ^ Kaitlan Collins and Paul LeBlanc (November 18, 2020). “Trump fires director of Homeland Security agency who had rejected President’s election conspiracy theories”. CNN. Retrieved November 18, 2020.
  21. ^ Riskhan, Basheer (2024). “Physical Security to Cybersecurity (Challenges and Implications in the Modern Digital Landscape)”: 692–702. ProQuest 3073676315.
  22. ^ “PN420 – Nomination of Jen Easterly for Department of Homeland Security, 117th Congress (2021-2022)”. www.congress.gov. June 16, 2021. Retrieved July 12, 2021.
  23. ^ Miller, Maggie (June 23, 2021). “Rick Scott blocks Senate vote on top cyber nominee until Harris visits border”. The Hill. Retrieved July 12, 2021.
  24. ^ Miller, Maggie (November 10, 2021). “Cyber agency beefing up disinformation, misinformation team”. The Hill. Retrieved December 18, 2023.
  25. ^ “Strategic Plan | CISA”. cisa.gov. Retrieved September 17, 2022.
  26. ^ David E. Sanger; Nick Corasaniti (April 5, 2025). “Trump Weakens U.S. Cyberdefenses at a Moment of Rising Danger”. The New York Times.
  27. ^ “Client Alert: Government Shutdown Creates a “Perfect Storm” for U.S. Cybersecurity – Shumaker, Loop & Kendrick, LLP”. October 10, 2025. Retrieved February 27, 2026.
  28. ^ “CISA will shutter some missions to prioritize others | Cybersecurity Dive”. www.cybersecuritydive.com. Retrieved February 27, 2026.
  29. ^ “POLITICO Pro: CISA shuts down as Congress fails to approve DHS funding”. subscriber.politicopro.com. Retrieved February 27, 2026.
  30. ^ “Cybersecurity and Infrastructure Security Agency Divisions & Offices”. Retrieved March 26, 2023.
  31. ^ Cybersecurity and Infrastructure Security Agency. “CISA Regions”. Retrieved March 26, 2023.
  32. ^ Miller, Jason (November 7, 2022). “CISA signature federal cyber program warrants more than a passing anniversary nod”. Federal News Network. Retrieved March 26, 2023.
  33. ^ Cybersecurity and Infrastructure Security Agency. “Continuous Diagnostics and Mitigations Program”. Retrieved March 26, 2023.
  34. ^ Cybersecurity and Infrastructure Security Agency (May 18, 2022). “Cybersecurity Directives”. Retrieved March 26, 2023.
  35. ^ Cybersecurity and Infrastructure Security Agency (April 27, 2021). “A new day for .gov”. Retrieved March 26, 2023.
  36. ^ Cloudflare (January 13, 2023). “Cloudflare Wins CISA Contract for Registry and Authoritative Domain Name System (DNS) Services”. Retrieved March 26, 2023.
  37. ^ “CY2021 ADMINISTRATIVE SUBPOENA FOR VULNERABILITY NOTIFICATION YEAR IN REVIEW” (PDF). Retrieved June 16, 2023.
  38. ^ Piper, D L A (July 2021). “Cybersecurity and infrastructure security agency releases guidance regarding ransomware”. Journal of Internet Law. 25 (1): 1–17.
  39. ^ “CISA Names 23 Members to New Cybersecurity Advisory Committee | CISA”. cisa.gov. December 2021. Retrieved January 17, 2023.

NIST
United States onair post, https://us.onair.cc/nist/, Mon, 20 Oct 2025 14:28:26 +0000

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals.

From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.

Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.

OnAir Post: NIST

About

Wikipedia

The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST’s activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency was named the National Bureau of Standards.[4]

The NIST Historic District was listed on the National Register of Historic Places in 2021.[5]

History

Background

The Articles of Confederation, ratified by the colonies in 1781, provided:

The United States in Congress assembled shall also have the sole and exclusive right and power of regulating the alloy and value of coin struck by their own authority, or by that of the respective states—fixing the standards of weights and measures throughout the United States.[6]

Article 1, section 8, of the Constitution of the United States, ratified in 1789, granted these powers to the new Congress: “The Congress shall have power … To coin money, regulate the value thereof, and of foreign coin, and fix the standard of weights and measures”.[7]

In January 1790, President George Washington, in his first annual message to Congress, said, “Uniformity in the currency, weights, and measures of the United States is an object of great importance, and will, I am persuaded, be duly attended to.”[8]

On October 25, 1791, Washington again appealed to Congress:

A uniformity of the weights and measures of the country is among the important objects submitted to you by the Constitution and if it can be derived from a standard at once invariable and universal, must be no less honorable to the public council than conducive to the public convenience.[9]

In 1821, John Quincy Adams, then Secretary of State, declared, “Weights and measures may be ranked among the necessities of life to every individual of human society.”[10] Nevertheless, it was not until 1838 that the United States government adopted a uniform set of standards.[7]

From 1830 until 1901, the role of overseeing weights and measures was carried out by the Office of Standard Weights and Measures, which was part of the Survey of the Coast—renamed the United States Coast Survey in 1836 and the United States Coast and Geodetic Survey in 1878—in the United States Department of the Treasury.[11][12][13]

Bureau of Standards (1901–1988)

In 1901, in response to a bill proposed by Congressman James H. Southard (R, Ohio), the Bureau of Standards was founded with the mandate to provide standard weights and measures, and to serve as the national physical laboratory for the United States. Southard had previously sponsored a bill for metric conversion of the United States.[14]

A chart of Bureau of Standards activities, 1915

President Theodore Roosevelt appointed Samuel W. Stratton as the first director. The budget for the first year of operation was $40,000. The Bureau took custody of the copies of the kilogram and meter bars that were the standards for US measures, and set up a program to provide metrology services for United States scientific and commercial users. A laboratory site was constructed in Washington, DC, and instruments were acquired from the national physical laboratories of Europe. In addition to weights and measures, the Bureau developed instruments for electrical units and for measurement of light. In 1905 a meeting was called that would be the first “National Conference on Weights and Measures”.

Initially conceived as purely a metrology agency, the Bureau of Standards was directed by Herbert Hoover to set up divisions to develop commercial standards for materials and products.[14] Some of these standards were for products intended for government use, but product standards also affected private-sector consumption. Quality standards were developed for products including some types of clothing, automobile brake systems and headlamps, antifreeze, and electrical safety. During World War I, the Bureau worked on multiple problems related to war production, even operating its own facility to produce optical glass when European supplies were cut off.

Between the wars, Harry Diamond of the Bureau developed a blind approach radio aircraft landing system. During World War II, military research and development was carried out, including development of radio propagation forecast methods, the proximity fuze and the standardized airframe used originally for Project Pigeon, and shortly afterwards the autonomously radar-guided Bat anti-ship guided bomb and the Kingfisher family of torpedo-carrying missiles.

A mass spectrometer in use at the NBS in 1948

In 1948, financed by the United States Air Force, the Bureau began design and construction of SEAC, the Standards Eastern Automatic Computer. The computer went into operation in May 1950 using a combination of vacuum tubes and solid-state diode logic. About the same time the Standards Western Automatic Computer, was built at the Los Angeles office of the NBS by Harry Huskey and used for research there. A mobile version, DYSEAC, was built for the Signal Corps in 1954.

The Bureau of Standards headquarters in Gaithersburg, Maryland being constructed in 1964.

National Institute of Standards and Technology (from 1988)

Due to a changing mission, the “National Bureau of Standards” became the “National Institute of Standards and Technology” in 1988.[11] Following the September 11, 2001, attacks, under the National Construction Safety Team Act (NCST), NIST conducted the official investigation into the collapse of the World Trade Center buildings. Following the 2021 Surfside condominium building collapse, NIST sent engineers to the site to investigate the cause of the collapse.[15]

In 2019, NIST launched a program named NIST on a Chip to decrease the size of instruments from lab machines to chip size. Applications include aircraft testing, communication with satellites for navigation purposes, and temperature and pressure.[16]

In 2023, the Biden administration began plans to create a U.S. AI Safety Institute within NIST to coordinate AI safety matters. According to The Washington Post, NIST is considered “notoriously underfunded and understaffed”, which could present an obstacle to these efforts.[17]

Constitution

NIST, known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory, also known as the National Metrological Institute (NMI), which is a non-regulatory agency of the United States Department of Commerce. The institute’s official mission is to:[18]

Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

— NIST

NIST had an operating budget for fiscal year 2007 (October 1, 2006 – September 30, 2007) of about $843.3 million. NIST’s 2009 budget was $992 million, and it also received $610 million as part of the American Recovery and Reinvestment Act.[19] NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. About 1,800 NIST associates (guest researchers and engineers from American companies and foreign countries) complement the staff. NIST partners with 1,400 manufacturing specialists and staff at nearly 350 affiliated centers around the country. NIST publishes the Handbook 44 that provides the “Specifications, tolerances, and other technical requirements for weighing and measuring devices”.

Metric system

The Metric Act of 1866 made it lawful to use the metric system in commerce in the United States.[20] In May 1875, 17 out of 20 countries signed a document known as the Metric Convention or the Treaty of the Meter, which established the International Bureau of Weights and Measures under the control of an international committee elected by the General Conference on Weights and Measures.[21]

Organization

Advanced Measurement Laboratory Complex in Gaithersburg
An aerial view of the Gaithersburg campus in 2019
Boulder Laboratories

NIST is headquartered in Gaithersburg, Maryland, and operates a facility in Boulder, Colorado, which was dedicated by President Eisenhower in 1954.[22][23][24] NIST’s activities are organized into laboratory programs and extramural programs. Effective October 2010, NIST was realigned by reducing the number of NIST laboratory units from ten to six.[25] NIST Laboratories include:[26]

  • Communications Technology Laboratory (CTL)[27]
  • Engineering Laboratory (EL)[28]
  • Information Technology Laboratory (ITL)[29]
  • Center for Neutron Research (NCNR)[30]
  • Material Measurement Laboratory (MML)[31]
  • Physical Measurement Laboratory (PML)[32]

Extramural programs include:

  • Hollings Manufacturing Extension Partnership (MEP),[33] a nationwide network of centers to assist small and mid-sized manufacturers to create and retain jobs, improve efficiencies, and minimize waste through process improvements and to increase market penetration with innovation and growth strategies;
  • Technology Innovation Program (TIP), a grant program where NIST and industry partners cost share the early-stage development of innovative but high-risk technologies;
  • Baldrige Performance Excellence Program, which administers the Malcolm Baldrige National Quality Award, the nation’s highest award for performance and business excellence.

NIST’s Boulder laboratories are known for housing NIST-F1, an atomic clock. NIST-F1 serves as the source of the nation’s official time. From its measurement of the natural resonance frequency of cesium—which defines the second—NIST broadcasts time signals via longwave radio station WWVB near Fort Collins, Colorado, and shortwave radio stations WWV and WWVH, located near Fort Collins and Kekaha, Hawaii, respectively.[34]

NIST also operates a neutron science user facility: the NIST Center for Neutron Research (NCNR). The NCNR provides scientists access to a variety of neutron scattering instruments, which they use in many research fields (materials science, fuel cells, biotechnology, etc.).

The SURF III Synchrotron Ultraviolet Radiation Facility is a source of synchrotron radiation, in continuous operation since 1961. SURF III now serves as the US national standard for source-based radiometry throughout the generalized optical spectrum. All NASA-borne, extreme-ultraviolet observation instruments have been calibrated at SURF since the 1970s, and SURF is used for the measurement and characterization of systems for extreme ultraviolet lithography.

The Center for Nanoscale Science and Technology (CNST) performs research in nanotechnology, both through internal research efforts and by running a user-accessible cleanroom nanomanufacturing facility. This “NanoFab” is equipped with tools for lithographic patterning and imaging (e.g., electron microscopes and atomic force microscopes).

Committees

NIST has seven standing committees:

Projects

A 40 nm wide NIST logo made with cobalt atoms

Measurements and standards

As part of its mission, NIST supplies industry, academia, government, and other users with over 1,300 Standard Reference Materials (SRMs). These artifacts are certified as having specific characteristics or component content, used as calibration standards for measuring equipment and procedures, quality control benchmarks for industrial processes, and experimental control samples.

Handbook 44

NIST publishes the Handbook 44 each year after the annual meeting of the National Conference on Weights and Measures (NCWM). Each edition is developed through cooperation of the Committee on Specifications and Tolerances of the NCWM and the Weights and Measures Division (WMD) of NIST. The purpose of the book is a partial fulfillment of the statutory responsibility for “cooperation with the states in securing uniformity of weights and measures laws and methods of inspection”.

NIST has been publishing various forms of what is now the Handbook 44 since 1918 and began publication under the current name in 1949. The 2010 edition conforms to the concept of the primary use of the SI (metric) measurements recommended by the Omnibus Foreign Trade and Competitiveness Act of 1988.[35][36]

Homeland security

NIST is developing government-wide identity document standards for federal employees and contractors to prevent unauthorized persons from gaining access to government buildings and computer systems.[37]

World Trade Center collapse investigation

In 2002, the National Construction Safety Team Act mandated NIST to conduct an investigation into the collapse of the World Trade Center buildings 1 and 2 and the 47-story 7 World Trade Center. The “World Trade Center Collapse Investigation”, directed by lead investigator Shyam Sunder,[38] covered three aspects, including a technical building and fire safety investigation to study the factors contributing to the probable cause of the collapses of the WTC Towers (WTC 1 and 2) and WTC 7. NIST also established a research and development program to provide the technical basis for improved building and fire codes, standards, and practices, and a dissemination and technical assistance program to engage leaders of the construction and building community in implementing proposed changes to practices, standards, and codes.[39]

NIST also is providing practical guidance and tools to better prepare facility owners, contractors, architects, engineers, emergency responders, and regulatory authorities to respond to future disasters. In November 2008, the investigation portion of the response plan was completed, with the release of the final report on 7 World Trade Center. The final report on the WTC Towers—including 30 recommendations for improving building and occupant safety—was released in October 2005.[39]

Election technology

NIST works in conjunction with the Technical Guidelines Development Committee of the Election Assistance Commission to develop the Voluntary Voting System Guidelines for voting machines and other election technology.

Cybersecurity Framework

In February 2014, NIST published the NIST Cybersecurity Framework, which serves as voluntary guidance for organizations to manage and reduce cybersecurity risk.[40] It was later amended, and Version 1.1 was published in April 2018.[41] Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, made the Framework mandatory for U.S. federal government agencies.[40] An extension of the NIST Cybersecurity Framework is the Cybersecurity Maturity Model Certification (CMMC), introduced in 2019 (though the origin of CMMC traces back to Executive Order 13556).[42] On August 25, 2025, the 48 CFR CMMC rule cleared regulatory review; according to ISI,[43] it was published on September 10, 2025.

It emphasizes the importance of implementing a Zero Trust Architecture (ZTA), which focuses on protecting individual resources rather than the network perimeter. ZTA applies the zero trust principles of “never trust, always verify”, “assume breach” and “least privileged access” to safeguard users, assets, and resources. Because ZTA grants no implicit trust to users inside the network perimeter, authentication and authorization are performed at every stage of a digital transaction, which reduces the risk of unauthorized access to resources.[44]
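As an added illustration of the point above (not code from the article, from NIST or from any ZTA product), the block below puts a perimeter-trust authorizer beside a zero-trust one and runs both over constructed requests; the corporate address range, the signing key, the entitlement table and the device inventory are all assumptions.

```python
# Added example: perimeter trust versus zero trust on the same requests.
# Everything below (address range, key, users, devices, entitlements) is constructed.
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

CORP_NET = ip_network("10.0.0.0/8")       # assumed "inside the perimeter"
SIGNING_KEY = b"constructed-demo-key"       # constructed; a real deployment uses an IdP
NOW = 1_700_000_000                         # fixed clock so every run is deterministic

# Constructed entitlement table (user -> allowed (resource, action)) and device inventory.
ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("payroll-db", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
}
ENROLLED_DEVICES: Dict[str, str] = {"laptop-001": "alice", "laptop-002": "bob"}


@dataclass
class Request:
    src_ip: str
    token: Optional[str]        # signed identity assertion, if the caller has one
    device_id: Optional[str]
    device_compliant: bool      # result of a posture check (patched, disk encrypted, ...)
    resource: str
    action: str


def perimeter_authorize(req: Request) -> bool:
    """Legacy model: whoever is already on the corporate network is trusted."""
    return ip_address(req.src_ip) in CORP_NET


def issue_token(user: str, expires_at: int) -> str:
    """Mint a minimal HMAC-signed identity token (stand-in for an identity provider)."""
    body = f"{user}|{expires_at}".encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def verify_token(token: Optional[str], now: int) -> Optional[str]:
    """Return the user name only if the token is well-formed, authentic and unexpired."""
    if not token or "." not in token:
        return None
    body_hex, mac = token.split(".", 1)
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    user, _, expires = body.decode().partition("|")
    if not expires.isdigit() or now > int(expires):
        return None
    return user


def zero_trust_authorize(req: Request, now: int) -> Tuple[bool, str]:
    """Check identity, device and entitlement on every request; network location is ignored."""
    user = verify_token(req.token, now)
    if user is None:
        return False, "identity not verified"          # never trust, always verify
    if ENROLLED_DEVICES.get(req.device_id) != user:
        return False, "device not enrolled to user"    # a replayed token alone is not enough
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if (req.resource, req.action) not in ENTITLEMENTS.get(user, set()):
        return False, "no entitlement"                 # least privileged access
    return True, "allowed"


def run_scenarios(now: int = NOW) -> Dict[str, Tuple[bool, bool, str]]:
    """Return scenario -> (perimeter decision, zero-trust decision, zero-trust reason)."""
    alice = issue_token("alice", now + 300)
    scenarios = {
        # assume breach: an intruder already inside the network, with no identity at all
        "insider_no_identity": Request("10.1.2.3", None, None, False, "payroll-db", "read"),
        # legitimate employee on a home address, enrolled and healthy laptop
        "remote_employee": Request("203.0.113.7", alice, "laptop-001", True, "payroll-db", "read"),
        # valid token replayed from an unenrolled machine inside the network
        "stolen_token_unenrolled_device": Request("10.1.2.4", alice, "laptop-999", True, "payroll-db", "read"),
        # right user and device, but the device failed its posture check
        "noncompliant_device": Request("10.1.2.5", alice, "laptop-001", False, "payroll-db", "read"),
        # authenticated user asking for something outside their entitlements
        "no_entitlement": Request("10.1.2.6", alice, "laptop-001", True, "wiki", "write"),
    }
    results = {}
    for name, req in scenarios.items():
        allowed, reason = zero_trust_authorize(req, now)
        results[name] = (perimeter_authorize(req), allowed, reason)
    return results


if __name__ == "__main__":
    for name, (perim, zt, reason) in run_scenarios().items():
        print(f"{name:32s} perimeter={perim!s:5s} zero_trust={zt!s:5s} ({reason})")
```

The first scenario is the one the paragraph warns about: the perimeter model admits an intruder purely because of their source address, while the zero-trust path refuses for lack of a verified identity.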

NIST released a draft of the CSF 2.0 for public comment until November 4, 2023. NIST decided to update the framework to make it more applicable to the small and medium-sized enterprises that use it, as well as to accommodate the constantly changing nature of cybersecurity.[45]

In August 2024, NIST released a final set of encryption tools designed to withstand the attack of a quantum computer. These post-quantum encryption standards secure a wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy.[46]

Moonlight Calibration Initiative

In May 2025, NIST announced the Moonlight data project to enhance satellite calibration. By providing precise measurements of the Moon’s brightness, the initiative aims to improve the accuracy of Earth observation satellites, supporting applications such as agriculture, meteorology, and environmental monitoring.[47]

People

Four scientific researchers at NIST have been awarded Nobel Prizes for work in physics: William Daniel Phillips in 1997, Eric Allin Cornell in 2001, John Lewis Hall in 2005 and David Jeffrey Wineland in 2012, which is the largest number for any US government laboratory. All four were recognized for their work related to laser cooling of atoms, which is directly related to the development and advancement of the atomic clock.

In 2011, Dan Shechtman was awarded the Nobel Prize in chemistry for his work on quasicrystals in the Metallurgy Division from 1982 to 1984. John Werner Cahn was awarded the 2011 Kyoto Prize for Materials Science. The National Medal of Science has been awarded to NIST researchers Cahn (1998) and Wineland (2007). Other notable people who have worked at NBS or NIST include:

Directors

Since 1989, the director of NIST has been a Presidential appointee and is confirmed by the United States Senate.[48] Since 1989, the average tenure of NIST directors has fallen from 11 years to 2 years in duration. Since the 2011 reorganization of NIST, the director also holds the title of Under Secretary of Commerce for Standards and Technology. Seventeen individuals have officially held the position, in addition to seven acting directors who have served on a temporary basis.

Patents

NIST holds patents on behalf of the Federal government of the United States,[49] with at least one of them being custodial to protect public domain use, such as one for a Chip-scale atomic clock, developed by a NIST team as part of a DARPA competition.[50]

Controversy regarding NIST standard SP 800-90

In September 2013, both The Guardian and The New York Times reported that NIST had allowed the National Security Agency (NSA) to insert into NIST standard SP 800-90 a cryptographically secure pseudorandom number generator called Dual EC DRBG that contained a kleptographic backdoor; the NSA could use the backdoor to covertly predict the generator’s future outputs and thereby surreptitiously decrypt data.[51] Both papers reported[52][53] that the NSA worked covertly to get its own version of SP 800-90 approved for worldwide use in 2006.

The whistle-blowing document states that “eventually, NSA became the sole editor”. The reports confirm suspicions and technical grounds publicly raised by cryptographers in 2007 that the EC-DRBG could contain a kleptographic backdoor (perhaps placed in the standard by NSA).[54]

NIST responded to the allegations, stating that “NIST works to publish the strongest cryptographic standards possible” and that it uses “a transparent, public process to rigorously vet our recommended standards”.[55] The agency stated that “there has been some confusion about the standards development process and the role of different organizations in it…The National Security Agency (NSA) participates in the NIST cryptography process because of its recognized expertise. NIST is also required by statute to consult with the NSA.”[56]

Recognizing the concerns expressed, the agency reopened the public comment period for the SP 800-90 publications, promising that “if vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible”.[57] Because of public concern about this cryptovirology attack, NIST rescinded the EC-DRBG algorithm from the NIST SP 800-90 standard.[58]

Publications

Guide to NIST in PDF

In addition to these journals, NIST, and the National Bureau of Standards before it, has a robust technical reports publishing arm. NIST technical reports are published in several dozen series covering a wide range of topics, from computer technology to construction to aspects of standardization including weights, measures and reference data.[59] In addition to technical reports, NIST scientists publish many journal and conference papers each year; a database of these, along with more recent technical reports, can be found on the NIST website.[60]

References

  1. ^ “NIST General Information”. NIST. National Institute of Standards and Technology. December 24, 2008. Archived from the original on August 1, 2021. Retrieved July 18, 2021.
  2. ^ “FY 2022: Presidential Budget Request Summary”. NIST. National Institute of Standards and Technology. June 8, 2021. Archived from the original on August 1, 2021. Retrieved July 18, 2021.
  3. ^ “NIST Senior Leadership”. NIST. National Institute of Standards and Technology. April 24, 2009. Retrieved January 22, 2025.
  4. ^ “National Institute of Standards and Technology”. U.S. Department of Commerce. Archived from the original on September 5, 2021. Retrieved September 5, 2021.
  5. ^ “National Register of Historic Places Weekly List of Actions Taken on Properties: 7/30/2021 THROUGH 8/6/2021” (PDF). National Park Service. August 6, 2021. Retrieved January 14, 2026.
  6. ^ Articles of Confederation of 1781, article IX, paragraph 4.
  7. ^ a b NBS special publication 447 Archived October 17, 2011, at the Wayback Machine. Retrieved September 28, 2011.
  8. ^ “Founders Online: From George Washington to the United States Senate and House o …”. founders.archives.gov. Archived from the original on September 17, 2021. Retrieved November 16, 2021.
  9. ^ “History of the standard weights and measures of the United States” (PDF). Archived from the original (PDF) on June 4, 2018.
  10. ^ “Presidential Measurements Timeline”. NIST. February 5, 2014. Archived from the original on October 2, 2021. Retrieved October 2, 2021.
  11. ^ a b Records of the National Institute of Standards and Technology (NIST) Archived October 19, 2017, at the Wayback Machine, National Archives and Records Administration website, (Record Group 167), 1830–1987.
  12. ^ “noaa.gov NOAA History: NOAA Legacy Timeline 1807–1899”. Archived from the original on September 5, 2018. Retrieved December 16, 2020.
  13. ^ Theberge, Captain Albert E., The Coast Survey 1807–1867: Volume I of the History of the Commissioned Corps of the National Oceanic and Atmospheric Administration, “THE HASSLER LEGACY: FERDINAND RUDOLPH HASSLER and the UNITED STATES COAST SURVEY: THE REBIRTH OF THE SURVEY,” no publisher listed, NOAA History, 1998. Archived November 9, 2014, at the Wayback Machine
  14. ^ a b Perry, John (1953). The Story of Standards. Funk and Wagnalls. p. 123. LCCN 55-11094. OL 2132574W.
  15. ^ Leibowitz, Aaron; Blaskey, Sarah; Robertson, Linda; Weaver, Jay (July 6, 2021). “Agency that studied fall of Twin Towers in line to probe collapse of condo near Miami Beach”. Miami Herald. Archived from the original on June 27, 2021. Retrieved July 8, 2021.
  16. ^ sarah.henderson@nist.gov (December 17, 2019). “NIST on a Chip Introduction”. NIST. Archived from the original on February 16, 2022. Retrieved February 16, 2022.
  17. ^ Faiola, Anthony; Zakrzewski, Cat (November 2, 2023). “Governments used to lead innovation. On AI, they’re falling behind”. The Washington Post. Archived from the original on November 3, 2023. Retrieved November 6, 2023.
  18. ^ NIST General Information. Archived August 23, 2016, at the Wayback Machine Retrieved on August 21, 2010.
  19. ^ “NIST Budget, Planning and Economic Studies”. NIST. National Institute of Standards and Technology. October 5, 2010. Archived from the original on September 22, 2010. Retrieved October 6, 2010.
  20. ^ “Weights and Measures Standards of the United States a brief history” (PDF). ts.nist.gov. p. 41. Archived from the original (PDF) on October 26, 2011. Retrieved September 28, 2011.
  21. ^ “Weights and Measures Standards of the United States a brief history” (PDF). ts.nist.gov. p. 22. Archived from the original (PDF) on October 26, 2011. Retrieved September 28, 2011.
  22. ^ “Ike dedicates lab, voices peace hopes”. Deseret News. Salt Lake City, Utah. United Press. September 14, 1954. p. A1. Archived from the original on October 10, 2021. Retrieved March 23, 2021.
  23. ^ “Ike dedicates two labs; ‘New type of frontier’”. Meriden Record. Connecticut. Associated Press. September 15, 1954. p. 22. Archived from the original on October 10, 2021. Retrieved March 23, 2021.
  24. ^ “Significant papers from the first 50 years of the Boulder Labs” (PDF). United States Department of Commerce: Boulder Laboratories. August 2004. p. 4. Archived (PDF) from the original on August 1, 2021. Retrieved July 23, 2021.
  25. ^ “NIST Strengthens Laboratory Mission Focus with New Structure”. NIST. September 28, 2010. Archived from the original on August 28, 2016.
  26. ^ NIST Laboratories Archived August 26, 2016, at the Wayback Machine. National Institute of Standards and Technology. Retrieved on May 10, 2016.
  27. ^ Communications Technology Laboratory Archived October 7, 2017, at the Wayback Machine (CTL)
  28. ^ Engineering Laboratory Archived July 12, 2017, at the Wayback Machine (EL)
  29. ^ Information Technology Laboratory Archived July 12, 2017, at the Wayback Machine (ITL)
  30. ^ NIST Center for Neutron Research Archived July 12, 2017, at the Wayback Machine (NCNR)
  31. ^ Material Measurement Laboratory Archived July 12, 2017, at the Wayback Machine (MML)
  32. ^ Physical Measurement Laboratory Archived July 12, 2017, at the Wayback Machine (PML)
  33. ^ Hollings Manufacturing Extension Partnership Archived July 12, 2017, at the Wayback Machine (MEP)
  34. ^ [1]. NIST. Retrieved on March 18, 2014.[dead link]
  35. ^ Handbook 44 Archived October 20, 2011, at the Wayback Machine– “Forward; page 5” Retrieved: September 28, 2011
  36. ^ Daniel Rostenkowski (June 16, 1988). “H.R. 4848”. Legislation. GovTrack.us. Archived from the original on October 10, 2021. Retrieved September 28, 2011. Omnibus Trade and Competitiveness Act of 1988
  37. ^ “Personal Identity Verification (PIV) of Federal Employees and Contractors” (PDF). National Institute of Standards and Technology. U.S. Department of Commerce. Retrieved July 13, 2024.
  38. ^ Eric Lipton (August 22, 2008). “Fire, Not Explosives, Felled 3rd Tower on 9/11, Report Says”. New York Times. Archived from the original on March 9, 2011.
  39. ^ a b “Final Reports of the Federal Building and Fire Investigation of the World Trade Center Disaster”. National Institute of Standards and Technology. October 2005. Archived from the original on November 24, 2005.
  40. ^ a b “Questions and Answers”. NIST. February 13, 2018. Archived from the original on March 3, 2022. Retrieved March 3, 2022.
  41. ^ “Cybersecurity Framework Documents”. NIST. February 5, 2018.
  42. ^ Sharpe, Waits (October 6, 2022). “The History of CMMC”. CORPORATE INFORMATION TECHNOLOGIES. Retrieved April 8, 2023.
  43. ^ “CMMC 48 CFR Clears Regulatory Review: What Defense Contractors Need to Know”. isidefense.com. August 31, 2025. Retrieved September 11, 2025.
  44. ^ Teerakanok, Songpon; Uehara, Tetsutaro; Inomata, Atsuo; Li, Qi (January 1, 2021). “Migrating to Zero Trust Architecture: Reviews and Challenges”. Security and Communication Networks. 2021: 1–10. doi:10.1155/2021/9947347. ISSN 1939-0114.
  45. ^ “Discussion Draft of the NIST Cybersecurity Framework 2.0 Core with Implementation Examples”. National Institute of Standards and Technology (NIST). August 8, 2023. Retrieved October 19, 2023.
  46. ^ “NIST Releases First 3 Finalized Post-Quantum Encryption Standards”. NIST. August 13, 2024.
  47. ^ “NIST Moonlight Data Will Help Satellites Get a More Accurate Look at Earth”. NIST. May 2025. Retrieved May 24, 2025.
  48. ^ “2012 Plum Book”. Government Printing Office. 2012. Archived from the original on November 30, 2016. Retrieved December 2, 2016.
  49. ^ “Results of Search in US Patent Collection db for: AANM/NIST”. U.S. Patent and Trademark Office. Archived from the original on October 10, 2021. Retrieved December 12, 2020.
  50. ^ Ost, Laura (December 2, 2011). “Success Story: Chip-Scale Atomic Clock”. NIST. National Institute of Standards and Technology. Archived from the original on December 9, 2020. Retrieved December 12, 2020.
  51. ^ Konkel, Frank (September 6, 2013). “What NSA’s influence on NIST standards means for feds”. FCW. 1105 Government Information Group. Archived from the original on September 10, 2013. Retrieved September 10, 2013.
  52. ^ James Borger; Glenn Greenwald (September 6, 2013). “Revealed: how US and UK spy agencies defeat internet privacy and security”. The Guardian. Archived from the original on September 18, 2013. Retrieved September 7, 2013.
  53. ^ Nicole Perlroth (September 5, 2013). “N.S.A. Able to Foil Basic Safeguards of Privacy on Web”. The New York Times. Archived from the original on September 8, 2013. Retrieved September 7, 2013.
  54. ^ Schneier, Bruce (November 15, 2007). “Did NSA Put a Secret Backdoor in New Encryption Standard?”. Wired. Condé Nast. Retrieved September 10, 2013.
  55. ^ Byers, Alex (September 6, 2013). “NSA encryption info could pose new security risk – NIST weighs in”. Politico. Archived from the original on September 27, 2013. Retrieved September 10, 2013.
  56. ^ Perlroth, Nicole (September 10, 2013). “Government Announces Steps to Restore Confidence on Encryption Standards”. The New York Times. Archived from the original on October 29, 2013. Retrieved September 11, 2013.
  57. ^ Office of the Director, NIST (September 10, 2013). “Cryptographic Standards Statement”. NIST. National Institute of Standards and Technology. Archived from the original on September 12, 2013. Retrieved September 11, 2013.
  58. ^ “NIST Removes Cryptography Algorithm from Random Number Generator Recommendations”. National Institute of Standards and Technology. April 21, 2014. Archived from the original on August 29, 2016.
  59. ^ NIST (February 8, 2011). “NIST Series Publications”. NIST Reference Library. Retrieved April 24, 2024.
  60. ^ “Publications”. NIST Publications. April 24, 2024. Archived from the original on April 24, 2024. Retrieved April 24, 2024.


Japan Cyber Challenges https://us.onair.cc/cyber-challenges/ https://us.onair.cc/cyber-challenges/#respond Sat, 11 Oct 2025 07:00:57 +0000 https://us.onair.cc/?p=21179

Cybersecurity or information technology security (IT security) is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

Top cybersecurity challenges include evolving ransomware, AI-powered attacks, advanced social engineering, and securing multi-cloud environments. The increasing use of AI by both attackers and defenders is rapidly shaping the threat landscape, while the expansion of remote work has broadened the attack surface for vulnerabilities in areas like IoT devices and supply chains.

OnAir Post: Cyber Challenges


About

Top Cyber Challenges

Top cybersecurity challenges include the evolving threat landscape, the use of AI for sophisticated attacks, and the continued prevalence of human error. Other major threats involve ransomware, cloud vulnerabilities, supply chain attacks, and the expansion of the attack surface due to the Internet of Things (IoT).

1. AI-powered threats

Attackers are increasingly using artificial intelligence (AI) to enhance the speed, scale, and sophistication of cyberattacks. 
  • Deepfakes: AI is used to create highly realistic fake audio, video, and images to deceive individuals during social engineering attacks.
  • Automated attacks: AI can automate various stages of an attack, from scanning for vulnerabilities to creating convincing phishing campaigns and evolving malware in real time to evade detection. 

2. Phishing

Social engineering exploits human psychology to manipulate individuals into bypassing security procedures. AI has made these attacks, including phishing, more convincing and harder to detect.
  • Targeted phishing: Cybercriminals use AI to craft highly personalized spear-phishing emails that are difficult to distinguish from legitimate communications.
  • Multichannel attacks: Attackers combine emails, text messages (smishing), and voice calls (vishing) to increase their chances of success. 

3. Sophisticated ransomware and extortion

Ransomware attacks continue to be one of the most profitable and disruptive cybercrimes. 
  • Double extortion: Threat actors exfiltrate sensitive data before encrypting a victim’s systems, adding the threat of data leakage to pressure organizations into paying.
  • Evolving models: Ransomware-as-a-Service (RaaS) is prevalent, with new groups emerging as law enforcement takes action against established players. 

4. Cloud environment vulnerabilities

As organizations migrate more resources to the cloud, vulnerabilities in these environments are becoming prime targets for attackers. 
  • Misconfigurations: Errors in the setup of cloud services are one of the most common causes of data breaches. It is easy to inadvertently give an entire group unlimited privileged access.
  • Lack of visibility: The distributed nature of cloud infrastructure makes it difficult for security teams to get full visibility into all assets, including unauthorized “shadow IT”.
  • Insecure APIs: Application Programming Interfaces (APIs) with inadequate security can give attackers direct access to cloud environments, enabling data theft and service disruption. 

5. Supply chain attacks

These attacks compromise an organization by targeting a less secure third-party vendor or software component within its supply chain. 
  • Exploiting trust: Supply chain attacks exploit the trust inherent in relationships between vendors and customers. A single compromised software update, as in the SolarWinds attack, can have a devastating ripple effect across thousands of users.
  • Open-source risk: The widespread use of open-source software and third-party code in modern development introduces vulnerabilities that can affect a far larger number of downstream users than the original component.

6. Expanding IoT attack surface

The proliferation of internet-connected devices has expanded the potential entry points for attackers, both in corporate networks and homes. 
  • Weak authentication: Many IoT devices are shipped with weak or default passwords that users often fail to change.
  • Lack of updates: In their rush to market, many manufacturers neglect to provide robust security updates or patch mechanisms, leaving devices vulnerable to modern exploits.
  • Resource limitations: Many IoT devices have limited computing power, leaving little room for robust security software.

7. Zero-day vulnerabilities

Zero-day vulnerabilities are software flaws unknown to the vendor and for which no patch exists. Attackers can exploit this time gap, or “zero days,” to gain access to a system. 
  • Severe threat: Because no defense or patch is available, zero-day attacks are highly likely to succeed.
  • Targeted attacks: State-sponsored or advanced groups may save zero-day exploits to target high-value entities, such as government agencies or critical infrastructure. 

8. Identity and authentication failures

Poor identity and access management (IAM) is a common security challenge, especially in cloud environments. 
  • Credential theft: Attackers frequently steal or abuse credentials to gain unauthorized access. Multi-factor authentication (MFA) bypasses are an increasing problem, especially through AI-driven phishing.
  • Insider threats: Whether malicious or unintentional, insiders with privileged access can pose a significant risk, particularly if they are not properly off-boarded from cloud services. 

9. Poor cyber hygiene

Basic security negligence remains a common cause of cyberattacks. 
  • Weak passwords: The continued use of weak, reused, or compromised passwords provides attackers with an easy way in.
  • Patching delays: Failure to promptly apply software updates and security patches leaves known vulnerabilities open to exploitation.
  • Endpoint security: With the prevalence of remote work, poorly secured devices and networks offer easy entry points into corporate systems. 

10. Nation-state attacks

State-sponsored groups and hacktivists continue to conduct sophisticated cyberattacks to achieve geopolitical or ideological goals. 
  • Espionage and disruption: These groups often target critical infrastructure, government agencies, and corporations to steal intellectual property, conduct espionage, or disrupt services.
  • Propaganda: State actors increasingly use AI to create sophisticated disinformation campaigns to manipulate public perception.

Source: Gemini AI Overview – 10/20/2025

Implement AI-driven security tools

As AI-powered attacks become more sophisticated, defensive AI will be crucial for effective threat detection and response. 
  • AI-driven malware detection: Integrate AI and machine learning to analyze network traffic and endpoints for new malware variants that can morph and evade traditional, signature-based defenses.
  • Deepfake detection: Combat sophisticated social engineering attacks with AI-driven tools that analyze videos and audio for inconsistencies that betray manipulated content.
  • Security Operations Center (SOC) co-pilot: Deploy AI co-pilots within your SOC to automate mundane tasks and analyze massive data sets from firewalls and other logs. This allows human analysts to focus on complex, high-priority threats.
  • AI incident response: Build an automated, AI-powered incident response system that can react instantly to predefined events like DDoS attacks or malware detection by performing tasks such as blocking IPs or isolating endpoints.

Source: Gemini AI Overview – 10/20/2025


The April 1967 session organized by Willis Ware at the Spring Joint Computer Conference, and the later publication of the Ware Report, were foundational moments in the history of the field of computer security. Ware’s work straddled the intersection of material, cultural, political, and social concerns.

A 1977 NIST publication introduced the “CIA triad” of Confidentiality, Integrity, and Availability as a clear and simple way to describe key security goals. While still relevant, many more elaborate frameworks have since been proposed.

However, the 1970s and 1980s did not see any grave computer threats, because computers and the internet were still developing and security threats were easily identifiable. Most often, threats came from malicious insiders who gained unauthorized access to sensitive documents and files. Although malware and network breaches existed during the early years, attackers did not use them for financial gain. By the second half of the 1970s, however, established computer firms like IBM had started offering commercial access control systems and computer security software products.

Failed offensive strategy

The National Security Agency (NSA) is responsible for both the protection of U.S. information systems and also for collecting foreign intelligence. These two duties are in conflict with each other. Protecting information systems includes evaluating software, identifying security flaws, and taking steps to correct the flaws, which is a defensive action. Collecting intelligence includes exploiting security flaws to extract information, which is an offensive action. Correcting security flaws makes the flaws unavailable for NSA exploitation.

The agency analyzes commonly used software in order to find security flaws, which it reserves for offensive purposes against competitors of the United States. The agency seldom takes defensive action by reporting the flaws to software producers so they can eliminate the security flaws.

The offensive strategy worked for a while, but eventually other nations, including Russia, Iran, North Korea, and China, acquired their own offensive capability and tend to use it against the United States. NSA contractors created and sold “click-and-shoot” attack tools to U.S. agencies and close allies, but eventually the tools made their way to foreign adversaries. In 2016, the NSA’s own hacking tools were hacked and have since been used by Russia and North Korea. NSA employees and contractors have been recruited at high salaries by adversaries anxious to compete in cyberwarfare.

For example, in 2007, the United States and Israel began exploiting security flaws in the Microsoft Windows operating system to attack and damage equipment used in Iran to refine nuclear materials. Iran responded by heavily investing in its own cyberwarfare capability, which it began using against the United States.

Web Links

2025 Cyber Challenges

Source


Strengthen security for expanding digital environments

Modern IT environments stretch across multiple clouds, remote devices, and the Internet of Things (IoT), each presenting a unique set of vulnerabilities.
  • Refine your Zero Trust architecture: Implement continuous verification and robust access controls for every user and device, whether internal or external.
  • Secure your supply chain: Vet third-party vendors and conduct regular risk assessments to mitigate supply chain attacks, which can compromise many downstream organizations through a single breach. A risk simulator can help model different scenarios.
  • Improve cloud security posture: Implement Cloud Security Posture Management (CSPM) tools to automatically detect misconfigurations and vulnerabilities across your multi-cloud environment.
  • Enhance IoT security: Develop stronger authentication measures, unique device credentials, and automated patching for the rapidly growing number of IoT devices on your network.
  • Integrate IT and OT security: As industrial control systems (OT) converge with IT, implement specialized OT security software and micro-segmentation to protect against attackers disrupting production or infrastructure.

Solidify foundational security practices

A layered defense is built on strong fundamentals. Prioritize these projects to raise your overall security baseline.
  • Advanced authentication: Move beyond simple passwords by implementing phishing-resistant and passwordless solutions such as passkeys, biometrics, and multi-factor authentication (MFA) across your organization.
  • Proactive incident response readiness: Create and regularly test detailed incident response playbooks for various threat scenarios, including ransomware and insider attacks. Conduct tabletop exercises to ensure all teams are prepared for a coordinated response.
  • Establish human-centric security awareness: Invest in gamified or interactive training programs that simulate social engineering attacks like phishing, vishing, and pretexting to better educate employees on human-centric threats.
  • Automate patch and vulnerability management: Integrate automated patching into your DevOps pipelines and orchestration frameworks to reduce the manual overhead of keeping all systems and devices updated.
  • Continuous risk assessment: Regularly evaluate your attack surface through continuous vulnerability scans and penetration testing to keep pace with evolving threats.

Top Cyber Market Sectors

Source: Other

The top 10 target cybersecurity markets by sector and growth area:

  1. Financial Services (BFSI): This market, which includes banking, financial services, and insurance, is one of the most targeted sectors for cyberattacks due to the vast amount of sensitive and financial data it holds.
  2. Healthcare: The healthcare industry is a high-growth market for cybersecurity, driven by the increasing digitalization of patient data (electronic health records), telemedicine, and interconnected medical devices. The high value of patient data makes it a prime target for breaches and ransomware.
  3. Government and Defense: Governments are significant investors in cybersecurity to protect national security, critical infrastructure, and citizen data from state-sponsored attacks and cyber warfare.
  4. IT and Telecommunications: The IT and telecom sector is a major consumer of cybersecurity, as it is highly vulnerable to attacks on its expansive networks and critical communication infrastructure. The rollout of 5G networks and the proliferation of IoT devices further increase the attack surface.
  5. Cloud Security: The rapid, global migration to cloud platforms has made cloud security a high-growth market, with an estimated CAGR of over 15% through 2032. Cloud-based solutions are essential for protecting data in hybrid and multi-cloud environments.
  6. Critical Infrastructure: This includes securing essential services such as energy and utilities, transportation, and power grids. The growing interconnectivity of these systems makes them vulnerable to cyber-physical threats.
  7. Industrial Cybersecurity: The convergence of Information Technology (IT) and Operational Technology (OT) in manufacturing and other industrial environments is creating significant demand for industrial cybersecurity to protect automated systems and production lines.
  8. Retail and E-commerce: The rise of online shopping and digital payments exposes retailers to risks like data breaches, credit card fraud, and phishing attacks. The need to protect payment systems and customer data is a key driver for this market.
  9. Small and Medium Enterprises (SMEs): As SMEs undergo digital transformation, they are increasingly targeted by cybercriminals. This market is a high-growth segment, with demand for scalable, cost-effective security solutions.
  10. Managed Security Services (MSSPs): Growing security threats and a shortage of cybersecurity professionals drive demand for Managed Security Service Providers across all sectors. MSSPs offer outsourced services like continuous monitoring, threat detection, and incident response. 

Wikipedia

An example of a physical security measure: a metal lock on the back of a personal computer to prevent hardware tampering.

Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It focuses on protecting computer software, systems, and networks from threats that can lead to unauthorized information disclosure, theft, or damage to hardware, software, or data, as well as to the disruption or misdirection of the services they provide.[1][2]

The growing significance of computer security reflects the increasing dependence on computer systems, the Internet,[3] and evolving wireless network standards. This reliance has expanded with the proliferation of smart devices, including smartphones, televisions, and other components of the Internet of things (IoT).

As digital infrastructure becomes more embedded in everyday life, cybersecurity has emerged as a critical concern. The complexity of modern information systems—and the societal functions they underpin—has introduced new vulnerabilities. Systems that manage essential services, such as power grids, electoral processes, and finance, are particularly sensitive to security breaches.[4][5]

Although many aspects of computer security involve digital security, such as electronic passwords and encryption, physical security measures, such as metal locks, are still used to prevent unauthorized tampering. IT security is not a perfect subset of information security and therefore does not completely align with the security convergence schema.

Vulnerabilities and attacks

A vulnerability refers to a flaw in the structure, execution, functioning, or internal oversight of a computer or system that compromises its security. Most publicly disclosed vulnerabilities are catalogued in the Common Vulnerabilities and Exposures (CVE) list, which assigns each one a stable identifier.[6] An exploitable vulnerability is one for which at least one working attack or exploit exists.[7] Parties that seek out vulnerabilities with malicious intent are known as threat actors. Vulnerabilities can be researched, reverse-engineered, hunted, or exploited using automated tools or customized scripts.[8][9]

Various people or parties are vulnerable to cyber attacks; however, different groups are likely to experience different types of attacks more than others.[10]

In April 2023, the United Kingdom Department for Science, Innovation & Technology released a report on cyber attacks over the previous 12 months.[11] They surveyed 2,263 UK businesses, 1,174 UK registered charities, and 554 education institutions. The research found that “32% of businesses and 24% of charities overall recall any breaches or attacks from the last 12 months.” These figures were much higher for “medium businesses (59%), large businesses (69%), and high-income charities with £500,000 or more in annual income (56%).”[11] Yet, although medium or large businesses are more often the victims, since larger companies have generally improved their security over the last decade, small and midsize businesses (SMBs) have also become increasingly vulnerable as they often “do not have advanced tools to defend the business.”[10] SMBs are most likely to be affected by malware, ransomware, phishing, man-in-the-middle attacks, and denial-of-service (DoS) attacks.[10]

Normal internet users are most likely to be affected by untargeted cyberattacks.[12] These are where attackers indiscriminately target as many devices, services, or users as possible. They do this using techniques that take advantage of the openness of the Internet. These strategies mostly include phishing, ransomware, watering-hole attacks (compromising a website the intended victims are known to visit) and mass scanning for exposed services.[12]

To secure a computer system, it is important to understand the attacks that can be made against it, and these threats can typically be classified into one of the following categories:

Backdoor

A backdoor in a computer system, a cryptosystem or an algorithm, is any secret method of bypassing normal authentication or security controls. These weaknesses may exist for many reasons, including original design or poor configuration.[13] Because of the breadth of access they grant, backdoors are of greater concern to organizations and the databases they operate than to individuals.

Backdoors may be added by an authorized party to allow some legitimate access or by an attacker for malicious reasons. Criminals often use malware to install backdoors, giving them remote administrative access to a system.[14] Once they have access, cybercriminals can “modify files, steal personal information, install unwanted software, and even take control of the entire computer.”[14]

Backdoors can be difficult to detect, as they often remain hidden within source code or system firmware and may require intimate knowledge of the operating system to identify.

Denial-of-service attack

Denial-of-service attacks (DoS) are designed to make a machine or network resource unavailable to its intended users.[15] Attackers can deny service to individual victims, such as by deliberately entering an incorrect password enough consecutive times to cause the victim’s account to be locked, or they may overload the capabilities of a machine or network and block all users at once. While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of distributed denial-of-service (DDoS) attacks are possible, where the attack comes from a large number of points. In this case, defending against these attacks is much more difficult. Such attacks can originate from the zombie computers of a botnet or from a range of other possible techniques, including distributed reflective denial-of-service (DRDoS), where innocent systems are fooled into sending traffic to the victim.[15] With such attacks, the amplification factor makes the attack easier for the attacker because they have to use little bandwidth themselves. To understand why attackers may carry out these attacks, see the ‘attacker motivation’ section.

Physical access attacks

A direct-access attack is when an unauthorized user (an attacker) gains physical access to a computer, typically to copy data from it or steal information.[16] Attackers may also compromise security by making operating system modifications, installing software worms, keyloggers, covert listening devices or using wireless microphones. Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a CD-ROM, USB drive or other bootable media. Full-disk encryption, with the key sealed to a Trusted Platform Module (TPM) so that it is only released to a measured, unmodified boot chain, is designed to prevent these attacks: data on the disk stays unreadable when the machine is booted from foreign media.

Direct-access attacks are related in concept to direct memory access (DMA) attacks, which allow an attacker to read or write a computer’s memory without going through the operating system.[17] The attacks “take advantage of a feature of modern computers that allows certain devices, such as external hard drives, graphics cards, or network cards, to access the computer’s memory directly.”[17] An IOMMU configured to restrict which memory regions a peripheral may reach (often exposed as “kernel DMA protection”) is the standard mitigation.

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private computer conversation (communication), usually between hosts on a network. It typically occurs when a user connects to a network where traffic is not secured or encrypted and sends sensitive business data to a colleague, which, when listened to by an attacker, could be exploited.[18] Data transmitted across an open network can be intercepted by an attacker using various methods.

Unlike malware, direct-access attacks, or other forms of cyber attacks, eavesdropping attacks are unlikely to negatively affect the performance of networks or devices, making them difficult to notice.[18] In fact, “the attacker does not need to have any ongoing connection to the software at all. The attacker can insert the software onto a compromised device, perhaps by direct insertion or perhaps by a virus or other malware, and then come back some time later to retrieve any data that is found or trigger the software to send the data at some determined time.”[19]

Using a virtual private network (VPN), which encrypts data between two points, is one of the most common forms of protection against eavesdropping. Using the best form of encryption possible for wireless networks is best practice, as well as using HTTPS instead of an unencrypted HTTP.[20]

Programs such as Carnivore and NarusInSight have been used by the Federal Bureau of Investigation (FBI) and the NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed system (i.e., with no contact with the outside world) can be eavesdropped upon by monitoring the faint electromagnetic transmissions generated by the hardware. TEMPEST is a specification by the NSA referring to these attacks.

Malware

Malicious software (malware) is any software code or computer program “intentionally written to harm a computer system or its users.”[21] Once present on a computer, it can leak sensitive details such as personal information, business information and passwords, can give control of the system to the attacker, and can corrupt or delete data permanently.[22][23]

Types of malware

  • Viruses are a specific type of malware, and are normally a malicious code that hijacks software with the intention to “do damage and spread copies of itself.” Copies are made with the aim of spreading to other programs on a computer.[21]
  • Worms are similar to viruses, but a virus can only run when a user executes (opens) the compromised program, whereas worms are self-replicating malware that spread between programs, apps and devices without any human interaction.[21]
  • Trojan horses are programs that pretend to be helpful or hide themselves within desired or legitimate software to “trick users into installing them.” Once installed, a RAT (Remote Access Trojan) can create a secret backdoor on the affected device to cause damage.[21]
  • Spyware is a type of malware that secretly gathers information from an infected computer and transmits the sensitive information back to the attacker. One of the most common forms of spyware is keyloggers, which record all of a user’s keyboard inputs/keystrokes, to “allow hackers to harvest usernames, passwords, bank account and credit card numbers.”[21]
  • Scareware, as the name suggests, is a form of malware that uses social engineering (manipulation) to scare, shock, trigger anxiety, or suggest the perception of a threat in order to manipulate users into buying or installing unwanted software. These attacks often begin with a “sudden pop-up with an urgent message, usually warning the user that they’ve broken the law or their device has a virus.”[21]
  • Ransomware is malware that, once on a victim’s machine, encrypts their files and then demands a ransom (usually in cryptocurrency) for the key needed to restore the data.

Man-in-the-middle attacks

Man-in-the-middle attacks (MITM) involve a malicious attacker trying to intercept, surveil or modify communications between two parties by spoofing one or both party’s identities and injecting themselves in-between.[24] Types of MITM attacks include:

  • IP address spoofing is where the attacker hijacks routing protocols to reroute the target’s traffic to a network node under their control for traffic interception or injection.
  • Message spoofing (via email, SMS or OTT messaging) is where the attacker spoofs the identity or carrier service while the target is using messaging protocols like email, SMS or OTT (IP-based) messaging apps. The attacker can then monitor conversations, launch social attacks or trigger zero-day-vulnerabilities to allow for further attacks.
  • WiFi SSID spoofing is where the attacker simulates a Wi-Fi base station SSID to capture and modify internet traffic and transactions. The attacker can also use local network addressing and reduced network defenses to penetrate the target’s firewall by breaching known vulnerabilities. Sometimes known as a Pineapple attack thanks to a popular device. See also Malicious association.
  • DNS spoofing is where attackers hijack domain name assignments to redirect traffic to systems under the attackers control, in order to surveil traffic or launch other attacks.
  • SSL hijacking, typically coupled with another media-level MITM attack, is where the attacker spoofs the SSL authentication and encryption protocol by way of Certificate Authority injection in order to decrypt, surveil and modify traffic. See also TLS interception[24]

Multi-vector, polymorphic attacks

Surfacing in 2017, a new class of multi-vector,[25] polymorphic[26] cyber threats combine several types of attacks and change form to avoid cyber security controls as they spread.

Multi-vector polymorphic attacks, as the name describes, are both multi-vectored and polymorphic.[27] Firstly, they are a singular attack that involves multiple methods of attack. In this sense, they are “multi-vectored” (i.e. the attack can use multiple means of propagation such as via the Web, email and applications). However, they are also multi-staged, meaning that “they can infiltrate networks and move laterally inside the network.”[27] The attacks can be polymorphic, meaning that the cyberattacks used such as viruses, worms or trojans “constantly change (“morph”) making it nearly impossible to detect them using signature-based defences.”[27]

Phishing

An example of a phishing email, disguised as an official email from a (fictional) bank. The sender is attempting to trick the recipient into revealing confidential information by confirming it at the phisher’s website. Note the misspelling of the words received and discrepancy as recieved and discrepency, respectively. Although the URL of the bank’s webpage appears to be legitimate, the hyperlink points at the phisher’s webpage.

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly from users by deceiving the users.[28] Phishing is typically carried out by email spoofing, instant messaging, text message, or on a phone call. They often direct users to enter details at a fake website whose look and feel are almost identical to the legitimate one.[29] The fake website often asks for personal information, such as login details and passwords. This information can then be used to gain access to the individual’s real account on the real website.

Preying on a victim’s trust, phishing can be classified as a form of social engineering. Attackers can use creative ways to gain access to real accounts. A common scam is for attackers to send fake electronic invoices[30] to individuals showing that they recently purchased music, apps, or others, and instructing them to click on a link if the purchases were not authorized. A more strategic type of phishing is spear-phishing which leverages personal or organization-specific details to make the attacker appear like a trusted source. Spear-phishing attacks target specific individuals, rather than the broad net cast by phishing attempts.[31]

Privilege escalation

Privilege escalation describes a situation where an attacker with limited access is able, without authorization, to elevate their privileges or access level.[32] For example, a standard computer user may be able to exploit a vulnerability in the system to gain access to restricted data; or even become root and have full unrestricted access to a system. The consequences range from sending unsolicited email from the compromised account to deploying ransomware across large volumes of data. Privilege escalation usually starts with social engineering techniques, often phishing.[32]

Privilege escalation can be separated into two strategies, horizontal and vertical privilege escalation:

  • Horizontal escalation (or account takeover) is where an attacker gains access to a normal user account that has relatively low-level privileges, for example by stealing the user’s username and password. Once they have this foothold, the attacker moves across the network to other accounts and resources at the same privilege level, gaining access to information of similar sensitivity.[32]
  • Vertical escalation is where the attacker obtains higher privileges than the account they started with, for example moving from a standard user to a local administrator or root. This often involves targeting people higher up in a company who hold administrative power, such as an IT employee with an elevated account; controlling that privileged account then lets the attacker invade other accounts and systems.[32]

Side-channel attack

Any computational system affects its environment in some form. That influence can take the form of electromagnetic radiation, power consumption, the time an operation takes, residual charge in RAM cells (which makes a cold boot attack possible), or hardware implementation faults that allow values which should be inaccessible to be read or guessed. In a side-channel attack the attacker gathers such observations about a system or network to infer its internal state and thereby obtain information the victim assumes is secure. The target signal in a side channel can be hard to extract because of its low amplitude relative to the other signals it is mixed with.[33]
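The timing channel in a secret comparison is the simplest side channel to reproduce. The example below is added here and is not part of the Wikipedia text: it instruments a naive byte-by-byte comparison so that the number of bytes examined (which on real hardware is what an attacker measures as elapsed time) is visible, then recovers a constructed secret one byte at a time from that leak, and shows that the same attack fails against `hmac.compare_digest`. The secret, the alphabet and the oracle are assumptions made for the demonstration.

```python
"""Timing side channel on a secret comparison: added example, not from the page."""
import hmac
import string

# Constructed secret for the demonstration; the attacker never reads it directly.
# It must not contain the 0x00 padding byte used by the attack below.
SECRET = b"s3cr3t-token-2024"
ALPHABET = (string.ascii_lowercase + string.digits + "-").encode()


def naive_equal(secret, guess):
    """Compare byte by byte and stop at the first mismatch.

    Returns (match, steps). `steps` is the number of bytes examined; on real
    hardware it shows up as execution time, which is what the attacker measures.
    """
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equal(secret, guess):
    """Compare with hmac.compare_digest; work is independent of where a mismatch is."""
    if len(secret) != len(guess):
        return False, 0
    return hmac.compare_digest(secret, guess), len(secret)


def make_oracle(compare):
    """Wrap a comparison so the attacker only sees (match, steps) for a guess."""
    return lambda guess: compare(SECRET, guess)


def recover_secret(oracle, length, alphabet=ALPHABET):
    """Recover a secret of known length one byte at a time.

    At each position the candidate byte that makes the oracle do the most work
    is the correct one, because the comparison only advances past a byte that
    matched. With a constant-time comparison every candidate costs the same,
    so the attack degrades to guessing.
    """
    known = bytearray()
    for pos in range(length):
        best_byte, best_steps = None, -1
        for c in alphabet:
            guess = bytes(known) + bytes([c]) + b"\x00" * (length - pos - 1)
            match, steps = oracle(guess)
            if match:
                return bytes(guess)
            if steps > best_steps:
                best_byte, best_steps = c, steps
        known.append(best_byte)
    return bytes(known)


if __name__ == "__main__":
    print("leaky   :", recover_secret(make_oracle(naive_equal), len(SECRET)))
    print("hardened:", recover_secret(make_oracle(constant_time_equal), len(SECRET)))
```

On a live system the `steps` counter is replaced by many timing measurements per candidate to average out noise, but the recovery logic is the same, which is why any comparison of a secret (API token, MAC tag, password hash) must be constant-time.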

Social engineering

Social engineering, in the context of computer security, aims to convince a user to disclose secrets such as passwords, card numbers, etc. or grant physical access by, for example, impersonating a senior executive, bank, a contractor, or a customer.[34] This generally involves exploiting people’s trust, and relying on their cognitive biases. A common scam involves emails sent to accounting and finance department personnel, impersonating their CEO and urgently requesting action. One of the main techniques of social engineering are phishing attacks.

In early 2016, the FBI reported that such business email compromise (BEC) scams had cost US businesses more than $2 billion in about two years.[35]

In May 2016, the Milwaukee Bucks NBA team was the victim of this type of cyber scam with a perpetrator impersonating the team’s president Peter Feigin, resulting in the handover of all the team’s employees’ 2015 W-2 tax forms.[36]

Spoofing

Spoofing is an act of pretending to be a valid entity through the falsification of data (such as an IP address or username), in order to gain access to information or resources that one is otherwise unauthorized to obtain. Spoofing is closely related to phishing.[37][38] There are several types of spoofing, including:

In 2018, researchers at the cyber security firm now known as Trellix (then McAfee) published research on the life-threatening risk of spoofing in the healthcare industry.[40]

Tampering

Tampering describes a malicious modification or alteration of data. It is an intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data. So-called Evil Maid attacks and security services planting of surveillance capability into routers are examples.[41]

HTML smuggling

HTML smuggling is a technique in which an attacker embeds a malicious payload inside an ordinary-looking HTML file or web page.[42] The payload travels as encoded, inert data (typically a Base64 string in a script) rather than as an executable attachment, so content filters and email gateways that inspect downloads see only benign text; the payload is reassembled on the far side of the filter, in the victim’s browser.[43]

When the target opens the HTML, the embedded script runs: the browser decodes the data, wraps it in a file object and triggers a download, placing the malware on the target’s device without any request to an external server.[42]
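Because the decoding happens in the browser, a gateway cannot rely on file-type signatures of the attachment; it has to look for the reconstruction pattern itself. The detector below is an added example, not code from the page: it scores an HTML document on the JavaScript behaviours that together rebuild and drop a file (Base64 decode, `Blob` construction, object URL, forced download, synthetic click) and additionally decodes any long Base64 literal to check what it contains. The three sample pages are constructed for the demonstration and the scoring threshold is an assumption.

```python
"""Static detector for HTML smuggling indicators: added example, not from the page."""
import base64
import re

# JavaScript behaviours that, together, reconstruct and drop a file client-side.
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\("),
    "builds_blob": re.compile(r"new\s+Blob\s*\("),
    "creates_object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "forces_download": re.compile(r"\.download\s*="),
    "auto_clicks": re.compile(r"\.click\s*\(\s*\)"),
}
# A quoted Base64 literal of at least 200 characters.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")
# Magic bytes of embedded file types; images are treated as benign.
MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
    b"\x89PNG": "image",
    b"\xff\xd8\xff": "image",
    b"GIF8": "image",
}


def classify_payload(raw):
    for magic, kind in MAGIC.items():
        if raw.startswith(magic):
            return kind
    return "unknown"


def analyze(html):
    """Return indicator hits, decoded payload summaries, a score and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not valid Base64, ignore
        payloads.append({"bytes": len(raw), "type": classify_payload(raw)})
    # Executables, archives, documents and undecodable (often XOR-encrypted)
    # blobs count towards the score; inline images do not.
    risky = [p for p in payloads if p["type"] != "image"]
    score = len(hits) + (2 if risky else 0)
    return {"indicators": hits, "payloads": payloads, "score": score, "suspicious": score >= 3}


# Constructed samples. The "archive" is just a ZIP local-file header followed by zeros.
_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 300).decode()
_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300).decode()

SMUGGLING_PAGE = (
    "<html><body><script>"
    "var b64 = '" + _ZIP_B64 + "';"
    "var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});"
    "var a = document.createElement('a');"
    "a.href = URL.createObjectURL(blob); a.download = 'invoice.zip'; a.click();"
    "</script></body></html>"
)
INLINE_IMAGE_PAGE = (
    "<html><body><img id='logo'><script>"
    "var png = '" + _PNG_B64 + "';"
    "document.getElementById('logo').src = 'data:image/png;base64,' + png;"
    "</script></body></html>"
)
BENIGN_PAGE = (
    "<html><body><button id='btn'>Go</button><script>"
    "document.getElementById('btn').addEventListener('click', function () { alert('hi'); });"
    "</script></body></html>"
)

if __name__ == "__main__":
    for name, page in [("smuggling", SMUGGLING_PAGE), ("inline image", INLINE_IMAGE_PAGE), ("benign", BENIGN_PAGE)]:
        print(name, analyze(page))
```

The inline-image page shows why a large Base64 literal alone is not enough to alert: legitimate pages embed images that way. Real smugglers also split or obfuscate the literal and XOR the bytes before Base64, which is why undecodable blobs still count and why this kind of check belongs alongside browser policy (blocking downloads from HTML attachments) rather than replacing it.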

Information security practices

Information security (InfoSec) and cybersecurity are closely related but not identical. Cybersecurity concentrates on external, malicious threats that arise from exposure to the internet, whereas information security also covers internal policies, roles, and controls, and applies to information in any form.

Employee behavior can have a big impact on information security in organizations. Cultural concepts can help different segments of the organization work effectively or work against effectiveness toward information security within an organization. Information security culture is the “…totality of patterns of behavior in an organization that contributes to the protection of information of all kinds.”[44]

Andersson and Reimers (2014) found that employees often do not see themselves as part of their organization’s information security effort and often take actions that impede organizational changes.[45] Indeed, the Verizon Data Breach Investigations Report 2020, which examined 3,950 security breaches, discovered 30% of cyber security incidents involved internal actors within a company.[46] Research shows information security culture needs to be improved continuously. In “Information Security Culture from Analysis to Change”, authors commented, “It’s a never-ending process, a cycle of evaluation and change or maintenance.” To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.[47]

  • Pre-evaluation: To identify the awareness of information security within employees and to analyze the current security policies.
  • Strategic planning: To come up with a better awareness program, clear targets need to be set. Assembling a team of skilled professionals is helpful to achieve it.
  • Operative planning: A good security culture can be established based on internal communication, management buy-in, security awareness and a training program.[47]
  • Implementation: Four stages should be used to implement the information security culture. They are:
  1. Commitment of the management
  2. Communication with organizational members
  3. Courses for all organizational members
  4. Commitment of the employees[47]
  • Post-evaluation: To assess the success of the planning and implementation, and to identify unresolved areas of concern.

Computer protection (countermeasures)

In computer security, a countermeasure is an action, device, procedure or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.[48][49][50]

Some common countermeasures are listed in the following sections:

Security by design

Security by design, or alternately secure by design, means that the software has been designed from the ground up to be secure. In this case, security is considered a main feature.

The UK government’s National Cyber Security Centre separates secure cyber design principles into five sections:[51]

  1. Establish the context before designing a system: before a secure system is created or updated, companies should ensure they understand the fundamentals and the context around the system (what it does, who depends on it, what an attacker would want from it) and identify any weaknesses in the system.
  2. Make compromise difficult: companies should design and centre their security around techniques and defences which make attacking their data or systems inherently more challenging for attackers.
  3. Make disruption difficult: companies should ensure that their core services that rely on technology are protected so that the systems stay available, ideally never going down.
  4. Make compromise detection easier: although systems can be created which are safe against a multitude of attacks, that does not mean that attacks will not be attempted. Despite one’s security, all companies’ systems should aim to detect attacks as soon as they occur to ensure the most effective response to them.
  5. Reduce the impact of compromise: companies should create secure systems designed so that any attack that is successful has minimal severity.

These design principles of security by design can include some of the following techniques:

  • The principle of least privilege, where each part of the system has only the privileges that are needed for its function. That way, even if an attacker gains access to that part, they only have limited access to the whole system.
  • Automated theorem proving to prove the correctness of crucial software subsystems.
  • Code reviews and unit testing, approaches to make modules more secure where formal correctness proofs are not possible.
  • Defense in depth, where the design is such that more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds.
  • Default secure settings, and design to fail secure rather than fail insecure (see fail-safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.
  • Audit trails track system activity so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
  • Full disclosure of all vulnerabilities, to ensure that the window of vulnerability is kept as short as possible when bugs are discovered.
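The audit-trail principle above has a concrete shape: an intruder who has taken a host will edit or delete the log entries that record the intrusion, so the log must make such edits detectable and must be held somewhere the intruder cannot write. The example below is added here and is not from the Wikipedia text; it shows a hash-chained, keyed audit log in which every record commits to its predecessor and is authenticated with a key assumed to live only on a remote collector. The events, the key and the collector arrangement are constructed for the demonstration.

```python
"""Hash-chained, keyed audit trail with tamper detection: added example, not from the page."""
import hashlib
import hmac
import json

GENESIS = "00" * 32  # hex of 32 zero bytes, the "previous" value of the first entry


class AuditLog:
    """Append-only log. Each record names its sequence number and the MAC of the
    record before it, and is itself authenticated with a key that is assumed to
    live only on the remote log collector, so a host compromise cannot forge entries."""

    def __init__(self, key):
        self._key = key
        self._entries = []      # list of (record_json, mac_hex)
        self._head = GENESIS    # MAC of the most recent entry

    def append(self, event):
        record = json.dumps(
            {"seq": len(self._entries), "prev": self._head, "event": event},
            sort_keys=True,
        )
        mac = hmac.new(self._key, record.encode(), hashlib.sha256).hexdigest()
        self._entries.append((record, mac))
        self._head = mac
        return mac

    def entries(self):
        return list(self._entries)

    def head(self):
        return self._head


def verify(entries, key, expected_head=None):
    """Walk the chain. Returns (True, -1) if intact, else (False, index of the first
    bad entry). `expected_head` is a checkpoint the verifier stored out of band;
    without it a truncated tail is indistinguishable from a log that is simply short."""
    prev = GENESIS
    for i, (record, mac) in enumerate(entries):
        expected = hmac.new(key, record.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, i  # record altered or MAC forged
        body = json.loads(record)
        if body["seq"] != i or body["prev"] != prev:
            return False, i  # entry removed, reordered or inserted
        prev = mac
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # tail truncated
    return True, -1


# Constructed events and key for the demonstration.
KEY = b"collector-only-key"
EVENTS = [
    {"user": "alice", "action": "login", "src": "10.0.0.5"},
    {"user": "alice", "action": "sudo", "cmd": "systemctl stop auditd"},
    {"user": "bob", "action": "login", "src": "10.0.0.9"},
    {"user": "bob", "action": "read", "path": "/etc/shadow"},
]


def build_sample_log():
    log = AuditLog(KEY)
    for ev in EVENTS:
        log.append(ev)
    return log


def tamper(entries, index, **changes):
    """Return a copy where entry `index` has its event fields changed but its MAC kept."""
    record, mac = entries[index]
    body = json.loads(record)
    body["event"].update(changes)
    copy = list(entries)
    copy[index] = (json.dumps(body, sort_keys=True), mac)
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    entries = log.entries()
    print("intact   :", verify(entries, KEY, log.head()))
    print("edited   :", verify(tamper(entries, 1, user="mallory"), KEY, log.head()))
    print("deleted  :", verify(entries[:2] + entries[3:], KEY, log.head()))
    print("truncated:", verify(entries[:3], KEY, log.head()))
```

The checkpoint argument is the part people forget: chaining alone proves nothing about entries that were cut off the end, so the verifier (or a second collector) must periodically record the current head somewhere the monitored host cannot reach.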

Security architecture

Security architecture can be defined as the “practice of designing computer systems to achieve security goals.”[52] These goals have overlap with the principles of “security by design” explored above, including to “make initial compromise of the system difficult,” and to “limit the impact of any compromise.”[52] In practice, the role of a security architect would be to ensure the structure of a system reinforces the security of the system, and that new changes are safe and meet the security requirements of the organization.[53][54]

Similarly, Techopedia defines security architecture as “a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.” The key attributes of security architecture are:[55]

  • the relationship of different components and how they depend on each other.
  • determination of controls based on risk assessment, good practices, finances, and legal matters.
  • the standardization of controls.

Practicing security architecture provides the right foundation to systematically address business, IT and security concerns in an organization.

Security measures

A state of computer security is the conceptual ideal, attained by the use of three processes: threat prevention, detection, and response. These processes are based on various policies and system components, which include the following:

  • Limiting the access of individuals through user account access controls protects system files and data, and cryptography protects the data itself whether at rest or in transit.
  • Firewalls are by far the most common prevention systems from a network security perspective as they can (if properly configured) shield access to internal network services and block certain kinds of attacks through packet filtering. Firewalls can be both hardware and software-based. Firewalls monitor and control incoming and outgoing traffic of a computer network and establish a barrier between a trusted network and an untrusted network.[56]
  • Intrusion Detection System (IDS) products are designed to detect network attacks in-progress and assist in post-attack forensics, while audit trails and logs serve a similar function for individual systems.
  • Response is necessarily defined by the assessed security requirements of an individual system and may cover the range from simple upgrade of protections to notification of legal authorities, counter-attacks, and the like. In some special cases, the complete destruction of the compromised system is favored, as it may happen that not all the compromised resources are detected.
  • Cyber security awareness training to cope with cyber threats and attacks.[57]
  • Forward web proxy solutions can prevent clients from visiting malicious web pages and can inspect content before it is downloaded to the client machines.

Today, computer security consists mainly of preventive measures, such as firewalls. A firewall can be defined as a way of filtering network data between a host or a network and another network, such as the Internet. It can be implemented as software running on the machine, hooking into the network stack (or, in the case of most UNIX-based operating systems such as Linux, built into the operating system kernel) to provide real-time filtering and blocking.[56] Another implementation is a so-called physical firewall, which consists of a separate machine filtering network traffic. Firewalls are common amongst machines that are permanently connected to the Internet.

Some organizations are turning to big data platforms, such as Apache Hadoop, to extend data accessibility and machine learning to detect advanced persistent threats.[58]

In order to ensure adequate security, the confidentiality, integrity and availability of a network, known as the CIA triad, must be protected and is considered the foundation of information security.[59] To achieve those objectives, administrative, physical and technical security measures should be employed. The amount of security afforded to an asset can only be determined when its value is known.[60]

Vulnerability management

Vulnerability management is the cycle of identifying, fixing or mitigating vulnerabilities,[61] especially in software and firmware. Vulnerability management is integral to computer security and network security.

Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities,[62] such as open ports, insecure software configuration, and susceptibility to malware. For these tools to be effective, their detection content (signatures, plugins and the catalogue of affected software versions) must be kept current with each update the vendor releases, since those updates add checks for the vulnerabilities disclosed most recently.

Beyond vulnerability scanning, many organizations contract outside security auditors to run regular penetration tests against their systems to identify vulnerabilities. In some sectors, this is a contractual requirement.[63]

Reducing vulnerabilities

The act of assessing and reducing vulnerabilities to cyber attacks is commonly referred to as information technology security assessments. They aim to assess systems for risk and to predict and test for their vulnerabilities. While formal verification of the correctness of computer systems is possible,[64][65] it is not yet common. Operating systems formally verified include seL4,[66] and SYSGO's PikeOS[67][68] – but these make up a very small percentage of the market.

It is possible to reduce an attacker’s chances by keeping systems up to date with security patches and updates and by hiring people with expertise in security. Large companies with significant threats can hire Security Operations Centre (SOC) Analysts. These are specialists in cyber defences, with their role ranging from “conducting threat analysis to investigating reports of any new issues and preparing and testing disaster recovery plans.”[69]

Whilst no measures can completely guarantee the prevention of an attack, these measures can help mitigate the damage of possible attacks. The effects of data loss/damage can be also reduced by careful backing up and insurance.

Outside of formal assessments, there are various methods of reducing vulnerabilities, including hardening systems.[70] Two-factor authentication is a method for mitigating unauthorized access to a system or sensitive information.[71] It requires something you know (a password or PIN) and something you have (a card, dongle, cellphone, or another piece of hardware). This increases security because an unauthorized person needs both factors to gain access; a stolen password alone is no longer enough.

Protecting against social engineering and direct computer access (physical) attacks can only happen by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Training is often involved to help mitigate this risk by improving people’s knowledge of how to protect themselves and by increasing people’s awareness of threats.[72] However, even in highly disciplined environments (e.g. military organizations), social engineering attacks can still be difficult to foresee and prevent.

Inoculation, derived from inoculation theory, seeks to prevent social engineering and other fraudulent tricks and traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.[73]

Hardware protection mechanisms

Hardware-based or assisted computer security also offers an alternative to software-only computer security. Using devices and methods such as dongles, trusted platform modules, intrusion-aware cases, drive locks, disabling USB ports, and mobile-enabled access may be considered more secure due to the physical access (or sophisticated backdoor access) required in order to be compromised. Each of these is covered in more detail below.

  • USB dongles are typically used in software licensing schemes to unlock software capabilities,[74] but they can also be seen as a way to prevent unauthorized access to a computer or other device’s software. The dongle, or key, essentially creates a secure encrypted tunnel between the software application and the key. The principle is that an encryption scheme on the dongle, such as Advanced Encryption Standard (AES) provides a stronger measure of security since it is harder to hack and replicate the dongle than to simply copy the native software to another machine and use it. Another security application for dongles is to use them for accessing web-based content such as cloud software or Virtual Private Networks (VPNs).[75] In addition, a USB dongle can be configured to lock or unlock a computer.[76]
  • Trusted platform modules (TPMs) are dedicated security microcontrollers (so-called computers-on-a-chip) that add cryptographic capabilities to a device: they generate and store keys that never leave the chip and record measurements of the boot process. TPMs used in conjunction with server-side software offer a way to detect and authenticate hardware devices, preventing unauthorized network and data access.[77]
  • Computer case intrusion detection refers to a device, typically a push-button switch, which detects when a computer case is opened. The firmware or BIOS is programmed to show an alert to the operator when the computer is booted up the next time.
  • Drive locks are essentially software tools to encrypt hard drives, making them inaccessible to thieves.[78] Tools exist specifically for encrypting external drives as well.[79]
  • Disabling USB ports is a security option for preventing unauthorized and malicious access to an otherwise secure computer. Infected USB dongles connected to a network from a computer inside the firewall are considered by the magazine Network World as the most common hardware threat facing computer networks.
  • Disconnecting or disabling peripheral devices (such as the camera, GPS, or removable storage) that are not in use removes attack surface.[80]
  • Mobile-enabled access devices are growing in popularity due to the ubiquitous nature of cell phones.[81] Built-in capabilities such as Bluetooth, the newer Bluetooth low-energy (LE), near-field communication (NFC) on non-iOS devices and biometric validation such as thumbprint readers, as well as QR code reader software designed for mobile devices, offer new, secure ways for mobile phones to connect to access control systems. These control systems provide computer security and can also be used for controlling access to secure buildings.[82]
  • IOMMUs allow for hardware-based sandboxing of components in mobile and desktop computers by utilizing direct memory access protections.[83][84]
  • Physical Unclonable Functions (PUFs) can be used as a digital fingerprint or a unique identifier to integrated circuits and hardware, providing users the ability to secure the hardware supply chains going into their systems.[85][86]

Secure operating systems

One use of the term computer security refers to technology that is used to implement secure operating systems. Using secure operating systems is a good way of ensuring computer security. These are systems that have achieved certification from an external security-auditing organization; the most widely used evaluation scheme is the Common Criteria (CC).[87]

Secure coding

In software engineering, secure coding aims to guard against the accidental introduction of security vulnerabilities. It is also possible to create software designed from the ground up to be secure; such systems are secure by design. Beyond this, formal verification aims to prove the correctness of the algorithms underlying a system,[88] which is important for cryptographic protocols, for example.

Capabilities and access control lists

Within computer systems, two of the main security models capable of enforcing privilege separation are access control lists (ACLs) and role-based access control (RBAC).

An access-control list (ACL), with respect to a computer file system, is a list of permissions associated with an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Role-based access control is an approach to restricting system access to authorized users,[89][90][91] used by the majority of enterprises with more than 500 employees,[92] and can implement mandatory access control (MAC) or discretionary access control (DAC).

A further approach, capability-based security has been mostly restricted to research operating systems. Capabilities can, however, also be implemented at the language level, leading to a style of programming that is essentially a refinement of standard object-oriented design. An open-source project in the area is the E language.
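
The three models just described differ in where the permission lives: on the object (ACL), on a role between user and object (RBAC), or inside an unforgeable reference that the holder passes around (capability). The following is an added example for this page, not code from the article or from the E language; all objects, users, roles and rights are constructed. The capability class shows the property that distinguishes that model: a holder can derive a weaker capability but can never derive a stronger one.

```python
"""ACL, RBAC and capability checks side by side (added illustration, constructed data)."""
from dataclasses import dataclass, field


# 1. Access-control list: permissions are attached to the object, keyed by principal.
@dataclass
class AclObject:
    name: str
    acl: dict = field(default_factory=dict)      # principal -> set of allowed operations

    def allowed(self, principal: str, op: str) -> bool:
        return op in self.acl.get(principal, set())


# 2. Role-based access control: users get roles, roles get (object, operation) permissions.
class Rbac:
    def __init__(self):
        self.user_roles = {}     # user -> set of roles
        self.role_perms = {}     # role -> set of (object, operation)

    def grant(self, role: str, obj: str, op: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, op))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, obj: str, op: str) -> bool:
        return any((obj, op) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


# 3. Capability: possessing the reference IS the permission. No ambient lookup by name;
#    the check is against rights carried by the reference itself.
class Capability:
    def __init__(self, resource: dict, rights: frozenset):
        self._resource = resource
        self._rights = rights

    def attenuate(self, rights) -> "Capability":
        """Derive a capability with a subset of this one's rights; it can never gain rights."""
        return Capability(self._resource, self._rights & frozenset(rights))

    def read(self):
        if "read" not in self._rights:
            raise PermissionError("capability lacks read")
        return self._resource["data"]

    def write(self, data) -> None:
        if "write" not in self._rights:
            raise PermissionError("capability lacks write")
        self._resource["data"] = data


def demo() -> dict:
    """Exercise all three models on the same constructed document and return the outcomes."""
    doc = AclObject("report", {"alice": {"read", "write"}, "bob": {"read"}})

    rbac = Rbac()
    rbac.grant("editor", "report", "write")
    rbac.grant("viewer", "report", "read")
    rbac.assign("alice", "editor")
    rbac.assign("bob", "viewer")

    full = Capability({"data": "draft"}, frozenset({"read", "write"}))
    read_only = full.attenuate({"read"})
    escalated = read_only.attenuate({"read", "write"})   # intersection: still read-only
    try:
        escalated.write("tampered")
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True

    return {
        "acl_bob_write": doc.allowed("bob", "write"),
        "rbac_alice_write": rbac.allowed("alice", "report", "write"),
        "rbac_bob_write": rbac.allowed("bob", "report", "write"),
        "cap_read_only_reads": read_only.read(),
        "cap_escalation_blocked": escalation_blocked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the capability model removes: there is no global table to consult, so there is also no confused-deputy path where a privileged service is tricked into using its own authority on behalf of a less privileged caller; the caller must hand over a capability, and the service can do no more than that capability allows.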

User security training

The end-user is widely recognized as the weakest link in the security chain[93] and it is estimated that more than 90% of security incidents and breaches involve some kind of human error.[94][95] Among the most commonly recorded forms of errors and misjudgment are poor password management, sending emails containing sensitive data and attachments to the wrong recipient, the inability to recognize misleading URLs and to identify fake websites and dangerous email attachments. A common mistake that users make is saving their user id/password in their browsers to make it easier to log in to banking sites. This is a gift to attackers who have obtained access to a machine by some means. The risk may be mitigated by the use of two-factor authentication.[96]

Because the human component is a large part of the overall cyber risk[97] an organization faces, security awareness training at all levels not only provides formal compliance with regulatory and industry mandates but is considered essential[98] in reducing cyber risk and protecting individuals and companies from the great majority of cyber threats.

The focus on the end-user represents a profound cultural change for many security practitioners, who have traditionally approached cyber security exclusively from a technical perspective, and moves along the lines suggested by major security centers[99] to develop a culture of cyber awareness within the organization, recognizing that a security-aware user provides an important line of defense against cyber attacks.

Digital hygiene

Related to end-user training, digital hygiene or cyber hygiene is a fundamental principle relating to information security and, as the analogy with personal hygiene shows, is the equivalent of establishing simple routine measures to minimize the risks from cyber threats. The assumption is that good cyber hygiene practices can give networked users another layer of protection, reducing the risk that one vulnerable node will be used to either mount attacks or compromise another node or network, especially from common cyberattacks.[100] Cyber hygiene should also not be mistaken for proactive cyber defence, a military term.[101]

The most common acts of digital hygiene can include updating malware protection, cloud back-ups, passwords, and ensuring restricted admin rights and network firewalls.[102] As opposed to a purely technology-based defense against threats, cyber hygiene mostly regards routine measures that are technically simple to implement and mostly dependent on discipline[103] or education.[104] It can be thought of as an abstract list of tips or measures that have been demonstrated as having a positive effect on personal or collective digital security. As such, these measures can be performed by laypeople, not just security experts.

Cyber hygiene relates to personal hygiene as computer viruses relate to biological viruses (or pathogens). However, while the term computer virus was coined almost simultaneously with the creation of the first working computer viruses,[105] the term cyber hygiene is a much later invention, perhaps as late as 2000[106] by Internet pioneer Vint Cerf. It has since been adopted by the Congress[107] and Senate of the United States,[108] the FBI,[109] EU institutions[100] and heads of state.[101]

Difficulty of responding to breaches

Responding to attempted security breaches is often very difficult for a variety of reasons, including:

  • Identifying attackers is difficult, as they may operate through proxies, temporary anonymous dial-up accounts, wireless connections, and other anonymizing procedures which make back-tracing difficult – and are often located in another jurisdiction. If they successfully breach security, they have also often gained enough administrative access to enable them to delete logs to cover their tracks.
  • The sheer number of attempted attacks, often by automated vulnerability scanners and computer worms, is so large that organizations cannot spend time pursuing each.
  • Law enforcement officers often lack the skills, interest or budget to pursue attackers. Furthermore, identifying attackers across a network may necessitate collecting logs from multiple locations within the network and across various countries, a process that can be both difficult and time-consuming.

Where an attack succeeds and a breach occurs, many jurisdictions now have in place mandatory security breach notification laws.

Types of security and privacy

Systems at risk

The growth in the number of computer systems and the increasing reliance upon them by individuals, businesses, industries, and governments means that there are an increasing number of systems at risk.

Financial systems

The computer systems of financial regulators and financial institutions like the U.S. Securities and Exchange Commission, SWIFT, investment banks, and commercial banks are prominent hacking targets for cybercriminals interested in manipulating markets and making illicit gains.[110] Websites and apps that accept or store credit card numbers, brokerage accounts, and bank account information are also prominent hacking targets, because of the potential for immediate financial gain from transferring money, making purchases, or selling the information on the black market.[111] In-store payment systems and ATMs have also been tampered with in order to gather customer account data and PINs.

The UCLA Internet Report: Surveying the Digital Future (2000) found that the privacy of personal data created barriers to online sales and that more than nine out of 10 internet users were somewhat or very concerned about credit card security.[112]

The most common technologies for securing traffic between browsers and websites are SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security); together with identity management and authentication services and the domain name system, they allow companies and consumers to engage in secure communications and commerce. All versions of SSL and the early TLS versions (1.0 and 1.1) are now deprecated; TLS 1.2 and 1.3 are used in applications such as web browsing, e-mail, instant messaging, and VoIP (voice-over-IP). There are various interoperable implementations of these protocols, including several that are open source. Open source allows anyone to view the implementation's source code and to look for and report vulnerabilities.
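
Whether a TLS connection actually provides the protection described depends on how the client is configured: verification of the server certificate, checking of the host name, and a floor on the protocol version. The block below is an added example (not from the article) using Python's standard ssl module: a weak client configuration next to a hardened one, and a small audit function that reports the settings a reviewer would flag. It builds contexts only and opens no network connection.

```python
"""Weak versus hardened TLS client configuration, with an audit (added illustration)."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """CA verification and host-name checking on, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration often found in quick scripts: accepts any certificate and any version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # any certificate, including an attacker's, is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever the library still speaks
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses a reviewer would flag; an empty list means the context passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("host-name check disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("deprecated protocol versions allowed (minimum_version below TLS 1.2)")
    return problems


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_context(weak_client_context()))
```

The weak context still "uses TLS", and the traffic is still encrypted, but with certificate verification off an active attacker can present their own certificate and read everything; that is why the audit treats verify_mode and check_hostname as findings of the same weight as an old protocol version.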

The credit card companies Visa and MasterCard cooperated to develop the secure EMV chip which is embedded in credit cards. Further developments include the Chip Authentication Program where banks give customers hand-held card readers to perform online secure transactions. Other developments in this arena include the development of technology such as Instant Issuance which has enabled shopping mall kiosks acting on behalf of banks to issue on-the-spot credit cards to interested customers.

Utilities and industrial equipment

Computers control functions at many utilities, including coordination of telecommunications, the power grid, nuclear power plants, and valve opening and closing in water and gas networks. The Internet is a potential attack vector for such machines if connected, but the Stuxnet worm demonstrated that even equipment controlled by computers not connected to the Internet can be vulnerable. In 2014, the Computer Emergency Readiness Team, a division of the Department of Homeland Security, investigated 79 hacking incidents at energy companies.[113]

Aviation

The aviation industry is very reliant on a series of complex systems which could be attacked.[114] A simple power outage at one airport can cause repercussions worldwide,[115] much of the system relies on radio transmissions which could be disrupted,[116] and controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175 to 225 miles offshore.[117] There is also potential for attack from within an aircraft.[118]

Implementing fixes in aerospace systems poses a unique challenge because efficient air transportation is heavily affected by weight and volume. Improving security by adding physical devices to airplanes could increase their unloaded weight, and could potentially reduce cargo or passenger capacity.[119]

In Europe, with the Pan-European Network Service (PENS)[120] and NewPENS,[121] and in the US with the NextGen program,[122] air navigation service providers are moving to create their own dedicated networks.

Many modern passports are now biometric passports, containing an embedded microchip that stores a digitized photograph and personal information such as name, gender, and date of birth. In addition, more countries are introducing facial recognition technology to reduce identity-related fraud. The introduction of the ePassport has assisted border officials in verifying the identity of the passport holder, thus allowing for quick passenger processing.[123] Plans are under way in the US, the UK, and Australia to introduce SmartGate kiosks with both retina and fingerprint recognition technology.[124] The airline industry is moving from the use of traditional paper tickets towards the use of electronic tickets (e-tickets). These have been made possible by advances in online credit card transactions in partnership with the airlines. Long-distance bus companies are also switching over to e-ticketing transactions today.

The consequences of a successful attack range from loss of confidentiality to loss of system integrity, air traffic control outages, loss of aircraft, and even loss of life.

Consumer devices

Desktop computers and laptops are commonly targeted to gather passwords or financial account information or to construct a botnet to attack another target. Smartphones, tablet computers, smart watches, and other mobile devices such as quantified self devices like activity trackers have sensors such as cameras, microphones, GPS receivers, compasses, and accelerometers which could be exploited, and may collect personal information, including sensitive health information. WiFi, Bluetooth, and cell phone networks on any of these devices could be used as attack vectors, and sensors might be remotely activated after a successful breach.[125]

The increasing number of home automation devices such as the Nest thermostat are also potential targets.[125]

Healthcare

Today many healthcare providers and health insurance companies use the internet to provide enhanced products and services. Examples are the use of tele-health to potentially offer better quality and access to healthcare, or fitness trackers to lower insurance premiums.[126] Patient records are increasingly being placed on secure in-house networks, alleviating the need for extra storage space.[127]

Large corporations

Large corporations are common targets. In many cases attacks are aimed at financial gain through identity theft and involve data breaches. Examples include the loss of millions of clients’ credit card and financial details by Home Depot,[128] Staples,[129] Target Corporation,[130] and Equifax.[131]

Medical records have been targeted in general identity theft, health insurance fraud, and impersonating patients to obtain prescription drugs for recreational purposes or resale.[132] Although cyber threats continue to increase, 62% of all organizations did not increase security training for their business in 2015.[133]

Not all attacks are financially motivated, however: security firm HBGary Federal had a serious series of attacks in 2011 from hacktivist group Anonymous in retaliation for the firm’s CEO claiming to have infiltrated their group,[134][135] and Sony Pictures was hacked in 2014 with the apparent dual motive of embarrassing the company through data leaks and crippling the company by wiping workstations and servers.[136][137]

Automobiles

Vehicles are increasingly computerized, with engine timing, cruise control, anti-lock brakes, seat belt tensioners, door locks, airbags and advanced driver-assistance systems on many models. Additionally, connected cars may use WiFi and Bluetooth to communicate with onboard consumer devices and the cell phone network.[138] Self-driving cars are expected to be even more complex. All of these systems carry some security risks, and such issues have gained wide attention.[139][140][141]

Simple examples of risk include a malicious compact disc being used as an attack vector,[142] and the car’s onboard microphones being used for eavesdropping. However, if access is gained to a car’s internal controller area network, the danger is much greater[138] – and in a widely publicized 2015 test, hackers remotely carjacked a vehicle from 10 miles away and drove it into a ditch.[143][144]

Manufacturers are reacting in numerous ways, with Tesla in 2016 pushing out some security fixes over the air into its cars’ computer systems.[145] In the area of autonomous vehicles, in September 2016 the United States Department of Transportation announced some initial safety standards, and called for states to come up with uniform policies.[146][147][148]

Additionally, e-Drivers’ licenses are being developed using the same technology. For example, Mexico’s licensing authority (ICV) has used a smart card platform to issue the first e-Drivers’ licenses to the city of Monterrey, in the state of Nuevo León.[149]

Shipping

Shipping companies[150] have adopted RFID (Radio Frequency Identification) technology as an efficient, digitally secure, tracking device. Unlike a barcode, RFID can be read up to 20 feet away. RFID is used by FedEx[151] and UPS.[152]

Government

Government and military computer systems are commonly attacked by activists[153][154][155] and foreign powers.[156][157][158][159] This includes local and regional government infrastructure such as traffic light controls, police and intelligence agency communications, personnel records, as well as student records.[160]

Internet of things and physical vulnerabilities

The Internet of things (IoT) is the network of physical objects such as devices, vehicles, and buildings that are embedded with electronics, software, sensors, and network connectivity that enables them to collect and exchange data.[161] Concerns have been raised that this is being developed without appropriate consideration of the security challenges involved.[162][163]

While the IoT creates opportunities for more direct integration of the physical world into computer-based systems,[164][165] it also provides opportunities for misuse. In particular, as the Internet of Things spreads widely, cyberattacks are likely to become an increasingly physical (rather than simply virtual) threat.[166] If a front door's lock is connected to the Internet, and can be locked/unlocked from a phone, then a criminal could enter the home at the press of a button from a stolen or hacked phone. People could stand to lose much more than their credit card numbers in a world controlled by IoT-enabled devices. Thieves have also used electronic means to circumvent non-Internet-connected hotel door locks.[167]

An attack aimed at physical infrastructure or human lives is often called a cyber-kinetic attack. As IoT devices and appliances become more widespread, the prevalence and potential damage of cyber-kinetic attacks can increase substantially.

Medical systems

Medical devices have either been successfully attacked or had potentially deadly vulnerabilities demonstrated, including both in-hospital diagnostic equipment[168] and implanted devices including pacemakers[169] and insulin pumps.[170] There are many reports of hospitals and hospital organizations getting hacked, including ransomware attacks,[171][172][173][174] Windows XP exploits,[175][176] viruses,[177][178] and data breaches of sensitive data stored on hospital servers.[179][172][180][181] On 28 December 2016 the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of Internet-connected devices – but no structure for enforcement.[182][183]

Energy sector

In distributed generation systems, the risk of a cyber attack is real, according to Daily Energy Insider. An attack could cause a loss of power in a large area for a long period of time, and such an attack could have just as severe consequences as a natural disaster. The District of Columbia is considering creating a Distributed Energy Resources (DER) Authority within the city, with the goal being for customers to have more insight into their own energy use and giving the local electric utility, Pepco, the chance to better estimate energy demand. The D.C. proposal, however, would “allow third-party vendors to create numerous points of energy distribution, which could potentially create more opportunities for cyber attackers to threaten the electric grid.”[184]

Telecommunications

Perhaps the most widely known digitally secure telecommunication device is the SIM (Subscriber Identity Module) card, a device that is embedded in most of the world’s cellular devices before any service can be obtained. The SIM card is just the beginning of this digitally secure environment.

The Smart Card Web Servers draft standard (SCWS) defines the interfaces to an HTTP server in a smart card.[185] Tests are being conducted to secure OTA ("over-the-air") payment and credit card information from and to a mobile phone. Combination SIM/DVD devices are being developed through Smart Video Card technology, which embeds a DVD-compliant optical disc into the card body of a regular SIM card.

Other telecommunication developments involving digital security include mobile signatures, which use the embedded SIM card to generate a legally binding electronic signature.

Cost and impact of security breaches

Serious financial damage has been caused by security breaches, but because there is no standard model for estimating the cost of an incident, the only data available is that which is made public by the organizations involved. “Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks). The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal.”[186]

However, reasonable estimates of the financial cost of security breaches can actually help organizations make rational investment decisions. According to the classic Gordon-Loeb model of the optimal investment level in information security, the amount a firm spends to protect information should generally be only a small fraction of the expected loss (the expected value of the loss resulting from a cyber/information security breach); the model shows that the optimal spend never exceeds 37% (1/e) of that expected loss.[187]

Attacker motivation

As with physical security, the motivations for breaches of computer security vary between attackers. Some are thrill-seekers or vandals, some are activists, others are criminals looking for financial gain. State-sponsored attackers are now common and well resourced but started with amateurs such as Markus Hess who hacked for the KGB, as recounted by Clifford Stoll in The Cuckoo’s Egg.

Attackers' motivations vary across all types of attacks, from pleasure to political goals.[15] For example, hacktivists may target a company or organization that carries out activities they disagree with, aiming to create bad publicity for the company by taking its website down.

High-capability hackers, often with larger backing or state sponsorship, may attack based on the demands of their financial backers, and such attacks are more likely to be serious. An example of a more serious attack was the 2015 Ukraine power grid hack, which reportedly combined spear-phishing, destruction of files, and denial-of-service attacks to carry out the full attack.[188][189]

Additionally, recent attacker motivations can be traced back to extremist organizations seeking to gain political advantage or disrupt social agendas.[190] The growth of the internet, mobile technologies, and inexpensive computing devices has led to a rise in capabilities but also to greater risk to environments that are deemed vital to operations. All critical targeted environments are susceptible to compromise, and this has led to a series of proactive studies on how to mitigate the risk by taking into consideration the motivations of these types of actors. Several stark differences exist between the motivation of individual hackers and that of nation-state actors seeking to attack based on an ideological preference.[191]

A key aspect of threat modeling for any system is identifying the motivations behind potential attacks and the individuals or groups likely to carry them out. The level and detail of security measures will differ based on the specific system being protected. For instance, a home personal computer, a bank, and a classified military network each face distinct threats, despite using similar underlying technologies.[192]

Computer security incident management

Computer security incident management is an organized approach to addressing and managing the aftermath of a computer security incident or compromise with the goal of preventing a breach or thwarting a cyberattack. An incident that is not identified and managed at the time of intrusion typically escalates to a more damaging event such as a data breach or system failure. The intended outcome of a computer security incident response plan is to contain the incident, limit damage and assist recovery to business as usual. Responding to compromises quickly can mitigate exploited vulnerabilities, restore services and processes and minimize losses.[193]

Incident response planning allows an organization to establish a series of best practices to stop an intrusion before it causes damage. Typical incident response plans contain a set of written instructions that outline the organization's response to a cyberattack. Without a documented plan in place, an organization may not successfully detect an intrusion or compromise and stakeholders may not understand their roles, processes and procedures during an escalation, slowing the organization's response and resolution.

There are four key components of a computer security incident response plan:

  1. Preparation: Preparing stakeholders on the procedures for handling computer security incidents or compromises
  2. Detection and analysis: Identifying and investigating suspicious activity to confirm a security incident, prioritizing the response based on impact and coordinating notification of the incident
  3. Containment, eradication and recovery: Isolating affected systems to prevent escalation and limit impact, pinpointing the genesis of the incident, removing malware, affected systems and bad actors from the environment and restoring systems and data when a threat no longer remains
  4. Post incident activity: Post mortem analysis of the incident, its root cause and the organization’s response with the intent of improving the incident response plan and future response efforts.[194]

Notable attacks and breaches

Some illustrative examples of different types of computer security breaches are given below.

Robert Morris and the first computer worm

In 1988, 60,000 computers were connected to the Internet, and most were mainframes, minicomputers and professional workstations. On 2 November 1988, many started to slow down, because they were running malicious code that demanded processor time and spread itself to other computers – the first Internet worm.[195] The software was traced back to 23-year-old Cornell University graduate student Robert Tappan Morris who said "he wanted to count how many machines were connected to the Internet".[195]

Rome Laboratory

In 1994, over a hundred intrusions were made by unidentified crackers into the Rome Laboratory, the US Air Force’s main command and research facility. Using trojan horses, hackers were able to obtain unrestricted access to Rome’s networking systems and remove traces of their activities. The intruders were able to obtain classified files, such as air tasking order systems data and furthermore able to penetrate connected networks of National Aeronautics and Space Administration‘s Goddard Space Flight Center, Wright-Patterson Air Force Base, some Defense contractors, and other private sector organizations, by posing as a trusted Rome center user.[196]

TJX customer credit card details

In early 2007, American apparel and home goods company TJX announced that it was the victim of an unauthorized computer systems intrusion[197] and that the hackers had accessed a system that stored data on credit card, debit card, check, and merchandise return transactions.[198]

Stuxnet attack

In 2010, the computer worm known as Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.[199] It did so by disrupting industrial programmable logic controllers (PLCs) in a targeted attack. This is generally believed to have been launched by Israel and the United States to disrupt Iran’s nuclear program[200][201][202][203] – although neither has publicly admitted this.

Global surveillance disclosures

In early 2013, documents provided by Edward Snowden were published by The Washington Post and The Guardian,[204][205] exposing the massive scale of NSA global surveillance. There were also indications that the NSA may have inserted a backdoor in a NIST standard for encryption.[206] This standard was later withdrawn due to widespread criticism.[207] The NSA was additionally revealed to have tapped the links between Google’s data centers.[208]

Target and Home Depot breaches

A Ukrainian hacker known as Rescator broke into Target Corporation computers in 2013, stealing roughly 40 million credit cards,[209] and then Home Depot computers in 2014, stealing between 53 and 56 million credit card numbers.[210] Warnings were delivered at both corporations, but ignored; physical security breaches using self-checkout machines are believed to have played a large role. “The malware utilized is absolutely unsophisticated and uninteresting,” says Jim Walter, director of threat intelligence operations at security technology company McAfee – meaning that the heists could easily have been stopped by existing antivirus software had administrators responded to the warnings. The size of the thefts has resulted in major attention from state and Federal United States authorities, and the investigation is ongoing.

Office of Personnel Management data breach

In April 2015, the Office of Personnel Management discovered it had been hacked more than a year earlier in a data breach, resulting in the theft of approximately 21.5 million personnel records handled by the office.[211] The Office of Personnel Management hack has been described by federal officials as among the largest breaches of government data in the history of the United States.[212] Data targeted in the breach included personally identifiable information such as Social Security numbers, names, dates and places of birth, addresses, and fingerprints of current and former government employees as well as anyone who had undergone a government background check.[213][214] It is believed the hack was perpetrated by Chinese hackers.[215]

Ashley Madison breach

In July 2015, a hacker group known as The Impact Team successfully breached the extramarital relationship website Ashley Madison, created by Avid Life Media. The group claimed that they had taken not only company data but user data as well. After the breach, The Impact Team dumped emails from the company’s CEO to prove their point, and threatened to dump customer data unless the website was taken down permanently.[216] When Avid Life Media did not take the site offline, the group released two more compressed files, one 9.7 GB and the second 20 GB. After the second data dump, Avid Life Media CEO Noel Biderman resigned, but the website remained in operation.

Colonial Pipeline ransomware attack

In June 2021, a cyber attack took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast.[217]

International legal issues of cyber attacks are complicated in nature. There is no global base of common rules to judge, and eventually punish, cybercrimes and cybercriminals – and where security firms or agencies do locate the cybercriminal behind the creation of a particular piece of malware or form of cyber attack, the local authorities often cannot take action due to a lack of laws under which to prosecute.[218][219] Proving attribution for cybercrimes and cyberattacks is also a major problem for all law enforcement agencies. “Computer viruses switch from one country to another, from one jurisdiction to another – moving around the world, using the fact that we don’t have the capability to globally police operations like this. So the Internet is as if someone [had] given free plane tickets to all the online criminals of the world.”[218] The use of techniques such as dynamic DNS, fast flux and bulletproof servers adds to the difficulty of investigation and enforcement.

Role of government

The role of the government is to make regulations to force companies and organizations to protect their systems, infrastructure and information from any cyberattacks, but also to protect its own national infrastructure such as the national power-grid.[220]

The government’s regulatory role in cyberspace is complicated. For some, cyberspace was seen as a virtual space that was to remain free of government intervention, as can be seen in many of today’s libertarian blockchain and bitcoin discussions.[221]

Many government officials and experts think that the government should do more and that there is a crucial need for improved regulation, mainly due to the failure of the private sector to solve the cyber security problem efficiently. R. Clarke said during a panel discussion at the RSA Security Conference in San Francisco that he believes the “industry only responds when you threaten regulation. If the industry doesn’t respond (to the threat), you have to follow through.”[222] On the other hand, executives from the private sector agree that improvements are necessary, but think that government intervention would affect their ability to innovate efficiently. Daniel R. McCarthy analyzed this public-private partnership in cyber security and reflected on the role of cyber security in the broader constitution of political order.[223]

On 22 May 2020, the UN Security Council held its second ever informal meeting on cyber security to focus on cyber challenges to international peace. According to UN Secretary-General António Guterres, new technologies are too often used to violate rights.[224]

International actions

Many different teams and organizations exist, including:

Europe

On 14 April 2016, the European Parliament and the Council of the European Union adopted the General Data Protection Regulation (GDPR). The GDPR, which came into force on 25 May 2018, grants individuals within the European Union (EU) and the European Economic Area (EEA) the right to the protection of personal data. The regulation requires that any entity that processes personal data incorporate data protection by design and by default. It also requires that certain organizations appoint a Data Protection Officer (DPO).

The IT Security Association TeleTrusT, an international competence network for IT security, has existed in Germany since June 1986.

National actions

Computer emergency response teams

Most countries have their own computer emergency response team to protect network security.

Canada

Since 2010, Canada has had a cyber security strategy.[230][231] This functions as a counterpart document to the National Strategy and Action Plan for Critical Infrastructure.[232] The strategy has three main pillars: securing government systems, securing vital private cyber systems, and helping Canadians to be secure online.[231][232] There is also a Cyber Incident Management Framework to provide a coordinated response in the event of a cyber incident.[233][234]

The Canadian Cyber Incident Response Centre (CCIRC) is responsible for mitigating and responding to threats to Canada’s critical infrastructure and cyber systems. It provides support to mitigate cyber threats, technical support to respond to and recover from targeted cyber attacks, and online tools for members of Canada’s critical infrastructure sectors.[235] It posts regular cyber security bulletins[236] and operates an online reporting tool where individuals and organizations can report a cyber incident.[237]

To inform the general public on how to protect themselves online, Public Safety Canada has partnered with STOP.THINK.CONNECT, a coalition of non-profit, private sector, and government organizations,[238] and launched the Cyber Security Cooperation Program.[239][240] They also run the GetCyberSafe portal for Canadian citizens, and Cyber Security Awareness Month during October.[241]

Public Safety Canada aims to begin an evaluation of Canada’s cyber security strategy in early 2015.[232]

Australia

The Australian federal government announced an $18.2 million investment to fortify the cyber security resilience of small and medium enterprises (SMEs) and enhance their capabilities in responding to cyber threats. This funding is an integral component of the 2023-2030 Australian Cyber Security Strategy. A substantial allocation of $7.2 million is earmarked for the establishment of a voluntary cyber health check program, enabling businesses to conduct a comprehensive and tailored self-assessment of their cyber security.

This health check serves as a diagnostic tool, enabling enterprises to gauge their robustness in relation to Australia’s cyber security regulations. Furthermore, it affords them access to a repository of educational resources and materials, fostering the acquisition of skills necessary for an improved cyber security posture. The initiative was jointly announced by Minister for Cyber Security Clare O’Neil and Minister for Small Business Julie Collins.[242]

Hong Kong

Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Bill (the “Bill”) was passed by the Legislative Council on 19 March 2025, with the purpose of “establish[ing] legal requirements for organisations designated as critical infrastructure operators”.[243] To defend the economy and public safety against cyber threats of severe disruption, Hong Kong’s new Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) (the Ordinance), together with its Code of Practice (CoP) guidelines for gatekeepers at the front line of defence, came into effect on 1 January 2026.[244]

India

Some provisions for cyber security have been incorporated into rules framed under the Information Technology Act 2000.[245]

The National Cyber Security Policy 2013 is a policy framework by the Ministry of Electronics and Information Technology (MeitY) which aims to protect public and private infrastructure from cyberattacks and to safeguard “information, such as personal information (of web users), financial and banking information and sovereign data”. CERT-In is the nodal agency which monitors cyber threats in the country. The post of National Cyber Security Coordinator has also been created in the Prime Minister’s Office (PMO).

The Indian Companies Act 2013 has also introduced cyber law and cyber security obligations on the part of Indian directors. Some provisions for cyber security have been incorporated into rules framed under the Information Technology Act 2000, as updated in 2013.[246]

South Korea

Following cyberattacks in the first half of 2013, when the government, news media, television stations, and bank websites were compromised, the national government committed to the training of 5,000 new cyber security experts by 2017. The South Korean government blamed its northern counterpart for these attacks, as well as incidents that occurred in 2009, 2011,[247] and 2012, but Pyongyang denies the accusations.[248]

United Kingdom

In 2016 the National Cyber Security Centre was formed as the central body overseeing cyber-security in the UK, as part of GCHQ.[249][250] The UK government published a National Cyber Security Strategy in 2022 assigning £2.6bn for industry, skills and national security.[251][252] In addition, the National Cyber Force, launched in 2020, works with GCHQ and the Ministry of Defence and aims to “transform the UK’s ability to contest adversaries in cyber space, to protect the country, its people and our way of life”.[253]

United States

Cyber Plan

The United States has its first fully formed cyber plan in 15 years, following the release of the National Cyber plan.[254] In this policy, the US says it will: protect the country by keeping networks, systems, functions, and data safe; promote American prosperity by building a strong digital economy and encouraging strong domestic innovation; preserve peace and safety by making it easier for the US to deter and punish the malicious use of cyber tools, working with allies and partners to do so; and increase the United States’ impact around the world in support of an open, safe, reliable, and interoperable Internet.[255]

The new U.S. cyber strategy[256] seeks to allay some of those concerns by promoting responsible behavior in cyberspace, urging nations to adhere to a set of norms, both through international law and voluntary standards. It also calls for specific measures to harden U.S. government networks from attacks, like the June 2015 intrusion into the U.S. Office of Personnel Management (OPM), which compromised the records of about 4.2 million current and former government employees. And the strategy calls for the U.S. to continue to name and shame bad cyber actors, calling them out publicly for attacks when possible, along with the use of economic sanctions and diplomatic pressure.[257]

Legislation

The Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030, is the key legislation. It prohibits unauthorized access to, or damage of, protected computers as defined in 18 U.S.C. § 1030(e)(2). Although various other measures have been proposed,[258][259] none have succeeded.

In 2013, executive order 13636 Improving Critical Infrastructure Cybersecurity was signed, which prompted the creation of the NIST Cybersecurity Framework.

In response to the Colonial Pipeline ransomware attack,[260] President Joe Biden signed Executive Order 14028[261] on May 12, 2021, to increase software security standards for sales to the government, tighten detection and security on existing systems, improve information sharing and training, establish a Cyber Safety Review Board, and improve incident response.

Standardized government testing services

The General Services Administration (GSA) has standardized the penetration test service as a pre-vetted support service, to rapidly address potential vulnerabilities and stop adversaries before they impact US federal, state and local governments. These services are commonly referred to as Highly Adaptive Cybersecurity Services (HACS).

Agencies

The Department of Homeland Security has a dedicated division responsible for the response system, risk management program and requirements for cyber security in the United States called the National Cyber Security Division.[262][263] The division is home to US-CERT operations and the National Cyber Alert System.[263] The National Cybersecurity and Communications Integration Center brings together government organizations responsible for protecting computer networks and networked infrastructure.[264]

The third priority of the FBI is to: “Protect the United States against cyber-based attacks and high-technology crimes”,[265] and they, along with the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA) are part of the multi-agency task force, The Internet Crime Complaint Center, also known as IC3.[266]

In addition to its own specific duties, the FBI participates alongside non-profit organizations such as InfraGard.[267][268]

The Computer Crime and Intellectual Property Section (CCIPS) operates in the United States Department of Justice Criminal Division. The CCIPS is in charge of investigating computer crime and intellectual property crime and is specialized in the search and seizure of digital evidence in computers and networks.[269] In 2017, CCIPS published A Framework for a Vulnerability Disclosure Program for Online Systems to help organizations “clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act (18 U.S.C. § 1030).”[270]

The United States Cyber Command, also known as USCYBERCOM, “has the mission to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners.”[271] It has no role in the protection of civilian networks.[272][273]

The U.S. Federal Communications Commission‘s role in cyber security is to strengthen the protection of critical communications infrastructure, to assist in maintaining the reliability of networks during disasters, to aid in swift recovery after, and to ensure that first responders have access to effective communications services.[274]

The Food and Drug Administration has issued guidance for medical devices,[275] and the National Highway Traffic Safety Administration[276] is concerned with automotive cyber security. After being criticized by the Government Accountability Office,[277] and following successful attacks on airports and claimed attacks on airplanes, the Federal Aviation Administration has devoted funding to securing systems on board the planes of private manufacturers, and the Aircraft Communications Addressing and Reporting System.[278] Concerns have also been raised about the future Next Generation Air Transportation System.[279]

The US Department of Defense (DoD) issued DoD Directive 8570 in 2004, supplemented by DoD Directive 8140, requiring all DoD employees and all DoD contract personnel involved in information assurance roles and activities to earn and maintain various industry Information Technology (IT) certifications, in an effort to ensure that all DoD personnel involved in network infrastructure defense have minimum levels of industry-recognized IT knowledge, skills and abilities (KSA). Andersson and Reimers (2019) report that these certifications range from CompTIA’s A+ and Security+ through (ISC)²’s CISSP, etc.[280]

Computer emergency readiness team

Computer emergency response team is a name given to expert groups that handle computer security incidents. In the US, two distinct organizations exist, although they do work closely together.

U.S. NRC, 10 CFR 73.54 Cybersecurity

In the context of U.S. nuclear power plants, the U.S. Nuclear Regulatory Commission (NRC) outlines cyber security requirements under 10 CFR Part 73, specifically in §73.54.[282]

NEI 08-09: Cybersecurity Plan for Nuclear Power Plants

The Nuclear Energy Institute’s NEI 08-09 document, Cyber Security Plan for Nuclear Power Reactors,[283] outlines a comprehensive framework for cybersecurity in the nuclear power industry. Drafted with input from the U.S. NRC, this guideline is instrumental in aiding licensees to comply with the Code of Federal Regulations (CFR), which mandates robust protection of digital computers, equipment and communications systems at nuclear power plants against cyber threats.[284]

Modern warfare

There is growing concern that cyberspace will become the next theater of warfare. As Mark Clayton from The Christian Science Monitor wrote in a 2015 article titled “The New Cyber Arms Race”:

In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops, the path of jet fighters, the command and control of warships.[285]

This has led to new terms such as cyberwarfare and cyberterrorism. The United States Cyber Command was created in 2009[286] and many other countries have similar forces.

There are a few critical voices that question whether cyber security is as significant a threat as it is made out to be.[287][288][289]

Careers

Cyber security is a fast-growing field of IT concerned with reducing organizations’ risk of being hacked or suffering data breaches.[290] According to research from the Enterprise Strategy Group, 46% of organizations said that they had a “problematic shortage” of cyber security skills in 2016, up from 28% in 2015.[291] Commercial, government and non-governmental organizations all employ cyber security professionals. The fastest increases in demand for cyber security workers are in industries managing increasing volumes of consumer data, such as finance, health care, and retail.[292] However, the use of the term cybersecurity is more prevalent in government job descriptions.[293]

Cyber security job titles and descriptions include:[294]

Security analyst
Analyzes and assesses vulnerabilities in the infrastructure (software, hardware, networks), investigates using available tools and countermeasures to remedy the detected vulnerabilities and recommends solutions and best practices. Analyzes and assesses damage to the data/infrastructure as a result of security incidents, examines available recovery tools and processes, and recommends solutions. Tests for compliance with security policies and procedures. May assist in the creation, implementation, or management of security solutions.
Security engineer
Performs security monitoring, security and data/logs analysis, and forensic analysis, to detect security incidents, and mount the incident response. Investigates and utilizes new technologies and processes to enhance security capabilities and implement improvements. May also review code or perform other security engineering methodologies.
Security architect
Designs a security system or major components of a security system, and may head a security design team building a new security system.[295]
Chief Information Security Officer (CISO)
A high-level management position responsible for the entire information security division/staff. The position may include hands-on technical work.[296]
Chief Security Officer (CSO)
A high-level management position responsible for the entire security division/staff. A newer position, now deemed necessary as security risks grow.
Data Protection Officer (DPO)
A DPO is tasked with monitoring compliance with data protection laws (such as GDPR), data protection policies, awareness-raising, training, and audits.[297]
Security consultant/specialist/intelligence
Broad titles that encompass any one or all of the other roles or titles tasked with protecting computers, networks, software, data or information systems against viruses, worms, spyware, malware, intrusion detection, unauthorized access, denial-of-service attacks, and an ever-increasing list of attacks by hackers acting as individuals or as part of organized crime or foreign governments.

Student programs are also available for people interested in beginning a career in cyber security.[298][299] Meanwhile, a flexible and effective option for information security professionals of all experience levels to keep studying is online security training, including webcasts.[300][301] A wide range of certified courses are also available.[302]

In the United Kingdom, a nationwide set of cyber security forums, known as the U.K. Cyber Security Forum, was established, supported by the Government’s cyber security strategy,[303] in order to encourage start-ups and innovation and to address the skills gap[304] identified by the U.K. Government.

In Singapore, the Cyber Security Agency has issued a Singapore Operational Technology (OT) Cybersecurity Competency Framework (OTCCF). The framework defines emerging cyber security roles in Operational Technology. The OTCCF was endorsed by the Infocomm Media Development Authority (IMDA). It outlines the different OT cyber security job positions as well as the technical skills and core competencies necessary. It also depicts the many career paths available, including vertical and lateral advancement opportunities.[305]

Terminology

The following terms used with regards to computer security are explained below:

  • Access authorization restricts access to a computer to a group of users through the use of authentication systems. These systems can protect either the whole computer, such as through an interactive login screen, or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, smart cards, and biometric systems.
  • Anti-virus software consists of computer programs that attempt to identify, thwart, and eliminate computer viruses and other malicious software (malware).
  • Applications are executable code, so general corporate practice is to restrict or deny users the ability to install them; to install them only when there is a demonstrated need (e.g. software needed to perform assignments); to install only those which are known to be reputable (preferably with access to the source code used to build the application); and to reduce the attack surface by installing as few as possible. They are typically run with least privilege, with a robust process in place to identify, test and install any released security patches or updates for them.
    • For example, programs can be installed into an individual user’s account, which limits the program’s potential access, as well as being a means to control which users have specific exceptions to policy. In Linux, FreeBSD, OpenBSD, and other Unix-like operating systems there is an option to further restrict an application using chroot or other means of confining the application to its own ‘sandbox’. For example, Linux provides namespaces and cgroups to further restrict an application’s access to system resources.
    • Generalized security frameworks such as SELinux or AppArmor help administrators control access.
    • Java and other languages which compile to Java byte code and run in the Java virtual machine can have their access to other applications controlled at the virtual machine level.
    • Some software can be run in software containers, which can even provide their own set of system libraries, limiting the access of the software, or of anyone controlling it, to the server’s versions of the libraries.
  • Authentication techniques can be used to ensure that communication end-points are who they say they are.
  • Automated theorem proving and other verification tools can be used to enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.
  • Backups are one or more copies kept of important computer files. Typically, multiple copies will be kept at different locations so that if a copy is stolen or damaged, other copies will still exist.
  • Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. Capabilities vs. ACLs discusses their use.
  • Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system’s designers.
  • Confidentiality is the nondisclosure of information except to another authorized person.[306]
  • Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that the data exchange between systems can be intercepted or modified.
  • Cyber attribution is the attribution of a cybercrime, i.e., finding who perpetrated a cyberattack.
  • Cyberwarfare is an Internet-based conflict that involves politically motivated attacks on information and information systems. Such attacks can, for example, disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems.
  • Data integrity is the accuracy and consistency of stored data, indicated by an absence of any alteration in data between two updates of a data record.[307]
  • Encryption is used to protect the confidentiality of a message. Cryptographic techniques involve transforming information, scrambling it, so it becomes unreadable during transmission; the intended recipient can unscramble the message and, ideally, eavesdroppers cannot. Cryptographically secure ciphers are designed to make any practical attempt at breaking them infeasible. Symmetric-key ciphers are suitable for bulk encryption using shared keys, and public-key encryption using digital certificates can provide a practical solution for the problem of securely communicating when no key is shared in advance.
  • Endpoint security software aids networks in preventing malware infection and data theft at network entry points made vulnerable by the prevalence of potentially infected devices such as laptops, mobile devices, and USB drives.[308]
  • Firewalls serve as a gatekeeper system between networks, allowing only traffic that matches defined rules. They often include detailed logging, and may include intrusion detection and intrusion prevention features. They are near-universal between company local area networks and the Internet, but can also be used internally to impose traffic rules between networks if network segmentation is configured.
  • A hacker is someone who seeks to breach defenses and exploit weaknesses in a computer system or network.
  • Honeypots are computers that are intentionally left vulnerable to attack by crackers. They can be used to catch crackers and to identify their techniques.
  • Intrusion-detection systems are devices or software applications that monitor networks or systems for malicious activity or policy violations.
  • A microkernel is an approach to operating system design which has only the near-minimum amount of code running at the most privileged level – and runs other elements of the operating system such as device drivers, protocol stacks and file systems, in the safer, less privileged user space.
  • Pinging. The standard ping application can be used to test if an IP address is in use. If it is, attackers may then try a port scan to detect which services are exposed.
  • A port scan is used to probe an IP address for open ports to identify accessible network services and applications.
  • A key logger is spyware that silently captures and stores each keystroke that a user types on the computer’s keyboard.
  • Social engineering is the use of deception to manipulate individuals to breach security.
  • A logic bomb is a type of malware added to a legitimate program that lies dormant until it is triggered by a specific event.
  • A unikernel is a computer program that runs on a minimalistic operating system where a single application is allowed to run (as opposed to a general purpose operating system where many applications can run at the same time). This approach to minimizing the attack surface is adopted mostly in cloud environments where software is deployed in virtual machines.
  • Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.
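The glossary separates confidentiality (what encryption provides) from data integrity (absence of alteration), and the two are easy to conflate. The following Python sketch is an added example, not part of the original article: it uses a toy stream cipher (a SHA-256 keystream, an assumption for illustration only) to show that an altered ciphertext decrypts to altered plaintext without any error, and then adds an HMAC-SHA256 tag over the ciphertext so the alteration is detected. The message and keys are constructed for the demonstration.

```python
"""Confidentiality versus data integrity, using only the standard library."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # random per-message nonce prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR plaintext with the keystream, no integrity check."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Any byte of ciphertext decrypts to *some* plaintext; nothing flags tampering."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC tag computed over nonce + ciphertext."""
    ct = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject altered data."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered in transit")
    return decrypt(enc_key, ct)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate alteration in transit by flipping one bit of one byte."""
    b = bytearray(data)
    b[index] ^= 1 << bit
    return bytes(b)


def demo() -> dict:
    """Run the scenario with a constructed message and random keys."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    msg = b"TRANSFER 100 USD TO ACCOUNT 42"       # constructed sample message
    amount_offset = msg.index(b"100")              # plaintext byte holding '1'

    # 1. Confidentiality holds: the ciphertext body does not contain the message.
    ct = encrypt(enc_key, msg)
    # 2. But integrity does not: flipping bit 2 of the ciphertext byte that
    #    covers '1' (0x31) yields '5' (0x35) in the recovered plaintext,
    #    and decrypt() raises nothing.
    tampered = flip_bit(ct, NONCE_LEN + amount_offset, 2)
    altered_plain = decrypt(enc_key, tampered)

    # 3. With an HMAC tag over the ciphertext the same flip is detected.
    sealed = seal(enc_key, mac_key, msg)
    tampered_sealed = flip_bit(sealed, NONCE_LEN + amount_offset, 2)
    try:
        open_sealed(enc_key, mac_key, tampered_sealed)
        detected = False
    except ValueError:
        detected = True

    return {
        "ciphertext_hides_message": msg not in ct,
        "roundtrip": decrypt(enc_key, ct),
        "altered_plaintext": altered_plain,
        "tamper_detected": detected,
        "sealed_roundtrip": open_sealed(enc_key, mac_key, sealed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```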

History

Since the Internet’s arrival and with the digital transformation initiated in recent years, the notion of cyber security has become a familiar subject in both our professional and personal lives. Cyber security and cyber threats have been consistently present for the last 60 years of technological change. In the 1970s and 1980s, computer security was mainly limited to academia until the conception of the Internet, where, with increased connectivity, computer viruses and network intrusions began to take off. After the spread of viruses in the 1990s, the 2000s marked the institutionalization of organized attacks such as distributed denial of service.[309] This led to the formalization of cyber security as a professional discipline.[310]

The April 1967 session organized by Willis Ware at the Spring Joint Computer Conference, and the later publication of the Ware Report, were foundational moments in the history of the field of computer security.[311] Ware’s work straddled the intersection of material, cultural, political, and social concerns.[311]

A 1977 NIST publication[312] introduced the CIA triad of confidentiality, integrity, and availability as a clear and simple way to describe key security goals.[313] While still relevant, many more elaborate frameworks have since been proposed.[314][315]

However, in the 1970s and 1980s, there were no grave computer threats because computers and the internet were still in the early stages of development, and security threats were easily identifiable. More often, threats came from malicious insiders who gained unauthorized access to sensitive documents and files. Although malware and network breaches existed during the early years, attackers did not use them for financial gain. By the second half of the 1970s, established computer firms like IBM started offering commercial access control systems and computer security software products.[316]

One of the earliest examples of an attack on a computer network was the computer worm Creeper written by Bob Thomas at BBN, which propagated through the ARPANET in 1971.[317] The program was purely experimental in nature and carried no malicious payload. A later program, Reaper, was created by Ray Tomlinson in 1972 and used to destroy Creeper.[318]

Between September 1986 and June 1987, a group of German hackers performed the first documented case of cyber espionage.[319] The group hacked into American defense contractors, universities, and military base networks and sold gathered information to the Soviet KGB. The group was led by Markus Hess, who was arrested on 29 June 1987. He was convicted of espionage (along with two co-conspirators) on 15 Feb 1990.

In 1988, one of the first computer worms, called the Morris worm, was distributed via the Internet. It gained significant mainstream media attention.[320]

Netscape started developing the protocol SSL, shortly after the National Center for Supercomputing Applications (NCSA) launched Mosaic 1.0, the first web browser, in 1993.[321][322] Netscape had SSL version 1.0 ready in 1994, but it was never released to the public due to many serious security vulnerabilities.[321] However, in 1995, Netscape launched Version 2.0.[323]

The National Security Agency (NSA) is responsible for the protection of U.S. information systems and also for collecting foreign intelligence.[324] The agency analyzes commonly used software and system configurations to find security flaws, which it can use for offensive purposes against competitors of the United States.[325]

NSA contractors created and sold click-and-shoot attack tools to US agencies and close allies, but eventually, the tools made their way to foreign adversaries.[326] In 2016, the NSA’s own hacking tools were hacked, and Russia and North Korea have used them.[327] NSA’s employees and contractors have been recruited at high salaries by adversaries, anxious to compete in cyberwarfare.[328] In 2007, the United States and Israel began exploiting security flaws in the Microsoft Windows operating system to attack and damage equipment used in Iran to refine nuclear materials. Iran responded by heavily investing in its own cyberwarfare capability, which it began using against the United States.[325]

Notable scholars

See also

References

  1. ^ Schatz, Daniel; Bashroush, Rabih; Wall, Julie (2017). “Towards a More Representative Definition of Cyber Security”. Journal of Digital Forensics, Security and Law. 12 (2). ISSN 1558-7215.
  2. ^ Computer security at the Encyclopædia Britannica
  3. ^ Tate, Nick (7 May 2013). “Reliance spells end of road for ICT amateurs”. The Australian.
  4. ^ Kianpour, Mazaher; Kowalski, Stewart; Øverby, Harald (2021). “Systematically Understanding Cybersecurity Economics: A Survey”. Sustainability. 13 (24) 13677. Bibcode:2021Sust...1313677K. doi:10.3390/su132413677. hdl:11250/2978306. ISSN 2071-1050.
  5. ^ Stevens, Tim (11 June 2018). “Global Cybersecurity: New Directions in Theory and Methods” (PDF). Politics and Governance. 6 (2): 1–4. doi:10.17645/pag.v6i2.1569. Archived (PDF) from the original on 4 September 2019.
  6. ^ “About the CVE Program”. www.cve.org. Retrieved 12 April 2023.
  7. ^ Zlatanov, Nikola (3 December 2015). Computer Security and Mobile Security Challenges. Tech Security Conference At: San Francisco, CA.
  8. ^ “Ghidra”. nsa.gov. 1 August 2018. Archived from the original on 15 August 2020. Retrieved 17 August 2020.
  9. ^ Larabel, Michael (28 December 2017). “Syzbot: Google Continuously Fuzzing The Linux Kernel”. www.phoronix.com/. Retrieved 25 March 2021.
  10. ^ a b c “Cyber attacks on SMBs: Current Stats and How to Prevent Them”. crowdstrike.com. Retrieved 30 November 2023.
  11. ^ a b “Cyber security breaches survey 2023”. GOV.UK. Retrieved 30 November 2023.
  12. ^ a b “How cyber attacks work”. www.ncsc.gov.uk. Retrieved 30 November 2023.
  13. ^ “What is a backdoor attack? Definition and prevention | NordVPN”. nordvpn.com. 30 November 2023. Retrieved 3 January 2024.
  14. ^ a b “What is a backdoor attack?”. McAfee. 4 December 2023. Retrieved 4 December 2023.
  15. ^ a b c “Denial of Service (DoS) guidance”. www.ncsc.gov.uk. Retrieved 4 December 2023.
  16. ^ “Computer Security”. www.interelectronix.com. Retrieved 30 November 2023.
  17. ^ a b “What Is a DMA Attack? Analysis & Mitigation”. Kroll. Retrieved 4 December 2023.
  18. ^ a b “What Are Eavesdropping Attacks?”. Fortinet. Retrieved 5 December 2023.
  19. ^ York, Dan (1 January 2010). “Chapter 3 – Eavesdropping and Modification”. In York, Dan (ed.). Seven Deadliest Unified Communications Attacks. Boston: Syngress. pp. 41–69. ISBN 978-1-59749-547-9. Retrieved 5 December 2023.
  20. ^ “What Are Eavesdropping Attacks & How To Prevent Them”. Verizon Enterprise. Retrieved 5 December 2023.
  21. ^ a b c d e f “What is Malware? | IBM”. www.ibm.com. 14 April 2022. Retrieved 6 December 2023.
  22. ^ Bendovschi, Andreea (2015). “Cyber-Attacks – Trends, Patterns and Security Countermeasures”. Procedia Economics and Finance. 28: 24–31. doi:10.1016/S2212-5671(15)01077-1.
  23. ^ “What is malware?”. McAfee. Retrieved 30 November 2023.
  24. ^ a b “What is a man-in-the-middle attack and how can I protect my organization?”. verizon.com.
  25. ^ “Multi-Vector Attacks Demand Multi-Vector Protection”. MSSP Alert. 24 July 2017.
  26. ^ Millman, Renee (15 December 2017). “New polymorphic malware evades three-quarters of AV scanners”. SC Magazine UK. Archived from the original on 14 June 2018. Retrieved 13 July 2018.
  27. ^ a b c Tounsi, Wiem (15 May 2019), Tounsi, Wiem (ed.), “What is Cyber Threat Intelligence and How is it Evolving?”, Cyber-Vigilance and Digital Trust (1 ed.), Wiley, pp. 1–49, doi:10.1002/9781119618393.ch1, ISBN 978-1-78630-448-3, S2CID 187294508, retrieved 6 December 2023.
  28. ^ “Identifying Phishing Attempts”. Case. Archived from the original on 13 September 2015. Retrieved 4 July 2016.
  29. ^ “Protect yourself from phishing – Microsoft Support”. support.microsoft.com. Retrieved 6 December 2023.
  30. ^ Lazarus, Ari (23 February 2018). “Phishers send fake invoices”. Consumer Information. Retrieved 17 February 2020.
  31. ^ “Email Security”. Trellix. 17 May 2022. Archived from the original on 22 May 2022. Retrieved 24 October 2022.
  32. ^ a b c d “What is Privilege Escalation? – CrowdStrike”. crowdstrike.com. Retrieved 7 December 2023.
  33. ^ Spence, Aaron; Bangay, Shaun (June 2022). “Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures”. International Journal of Information Security. 21 (3): 437–453. doi:10.1007/s10207-021-00563-6. ISSN 1615-5262.
  34. ^ Arcos Sergio. “Social Engineering” (PDF). upc.edu. Archived (PDF) from the original on 3 December 2013. Retrieved 16 April 2019.
  35. ^ Scannell, Kara (24 February 2016). “CEO email scam costs companies $2bn”. Financial Times. No. 25 February 2016. Archived from the original on 23 June 2016. Retrieved 7 May 2016.
  36. ^ “Bucks leak tax info of players, employees as result of email scam”. Associated Press. 20 May 2016. Archived from the original on 20 May 2016. Retrieved 20 May 2016.
  37. ^ “What is Spoofing? – Definition from Techopedia”. techopedia.com. Archived from the original on 30 June 2016. Retrieved 16 January 2022.
  38. ^ Butterfield, Andrew; Ngondi, Gerard Ekembe, eds. (21 January 2016). “spoofing”. A Dictionary of Computer Science. Oxford University Press. doi:10.1093/acref/9780199688975.001.0001. ISBN 978-0-19-968897-5. Retrieved 8 October 2017.
  39. ^ Marcel, Sébastien; Nixon, Mark; Li, Stan, eds. (2014). Handbook of Biometric Anti-Spoofing: Trusted Biometrics under Spoofing Attacks. Advances in Computer Vision and Pattern Recognition. London: Springer. doi:10.1007/978-1-4471-6524-8. ISBN 978-1-4471-6524-8. ISSN 2191-6594. LCCN 2014942635. S2CID 27594864.
  40. ^ “80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals”. www.trellix.com. Retrieved 9 February 2023.
  41. ^ Gallagher, Sean (14 May 2014). “Photos of an NSA “upgrade” factory show Cisco router getting implant”. Ars Technica. Archived from the original on 4 August 2014. Retrieved 3 August 2014.
  42. ^ a b Intelligence, Microsoft Threat (11 November 2021). “HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks”. Microsoft Security Blog. Retrieved 7 December 2023.
  43. ^ “Obfuscated Files or Information: HTML Smuggling, Sub-technique T1027.006 – Enterprise | MITRE ATT&CK®”. attack.mitre.org. Retrieved 22 February 2023.
  44. ^ Lim, Joo S.; Chang, Shanton; Maynard, Sean; Ahmad, Atif (2009). “Exploring the Relationship between Organizational Culture and Information Security Culture”. Proceedings of the 7th Australian Information Security Management Conference. Security Research Institute (SRI), Edith Cowan University. doi:10.4225/75/57B4065130DEF.
  45. ^ Reimers, Karl; Andersson, David (2017). Post-secondary Education Network Security: the End User Challenge and Evolving Threats. ICERI2017 Proceedings. Vol. 1. IATED. pp. 1787–1796. doi:10.21125/iceri.2017.0554. ISBN 978-84-697-6957-7. ISSN 2340-1095.
  46. ^ Verizon Data Breach Investigations Report 2020 (PDF). verizon.com (Report). Archived (PDF) from the original on 19 May 2020. Retrieved 17 September 2021.
  47. ^ a b c Schlienger, Thomas; Teufel, Stephanie (2003). “Information security culture-from analysis to change”. South African Computer Journal. 31: 46–52. hdl:10520/EJC27949.
  48. ^ Internet Security Glossary. IETF. doi:10.17487/RFC2828. RFC 2828.
  49. ^ “CNSS Instruction No. 4009” (PDF). 26 April 2010. Archived from the original (PDF) on 27 February 2012.
  50. ^ “InfosecToday Glossary” (PDF). Archived (PDF) from the original on 20 November 2014.
  51. ^ “Cyber security design principles”. www.ncsc.gov.uk. Retrieved 11 December 2023.
  52. ^ a b “How the NCSC thinks about security architecture”. www.ncsc.gov.uk. Retrieved 18 December 2023.
  53. ^ “Secure System Architecture and Design”. UK Cyber Security Council. 2024. Retrieved 4 January 2024.
  54. ^ “security architecture – Glossary | CSRC”. csrc.nist.gov. Retrieved 18 December 2023.
  55. ^ Jannsen, Cory. “Security Architecture”. Techopedia. Janalta Interactive Inc. Archived from the original on 3 October 2014. Retrieved 9 October 2014.
  56. ^ a b Oppliger, Rolf (1 May 1997). “Internet security: firewalls and beyond”. Communications of the ACM. 40 (5): 92–102. doi:10.1145/253769.253802. ISSN 0001-0782.
  57. ^ “How to Increase Cybersecurity Awareness”. ISACA. Retrieved 25 February 2023.
  58. ^ Woodie, Alex (9 May 2016). “Why ONI May Be Our Best Hope for Cyber Security Now”. Archived from the original on 20 August 2016. Retrieved 13 July 2016.
  59. ^ Walkowski, Debbie (9 July 2019). “What Is The CIA Triad?”. F5 Labs. Retrieved 25 February 2020.
  60. ^ “Knowing Value of Data Assets is Crucial to Cybersecurity Risk Management | SecurityWeek.Com”. www.securityweek.com. 3 December 2018. Retrieved 25 February 2020.
  61. ^ Foreman, Park (2009). Vulnerability Management. Boca Raton, Fla.: Auerbach Publications. p. 1. ISBN 978-1-4398-0150-5.
  62. ^ Johnson, A. (2018). CCNA Cybersecurity Operations Companion Guide. Cisco Press. ISBN 978-0-13-516624-6.
  63. ^ Calder, Alan; Williams, Geraint (2014). PCI DSS: A Pocket Guide (3rd ed.). IT Governance Limited. ISBN 978-1-84928-554-4. network vulnerability scans at least quarterly and after any significant change in the network
  64. ^ Harrison, J. (2003). Formal verification at Intel. 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings. pp. 45–54. doi:10.1109/LICS.2003.1210044. ISBN 978-0-7695-1884-8. S2CID 44585546.
  65. ^ Umrigar, Zerksis D.; Pitchumani, Vijay (1983). Formal verification of a real-time hardware design. Proceeding DAC ’83 Proceedings of the 20th Design Automation Conference. IEEE Press. pp. 221–227. ISBN 978-0-8186-0026-5.
  66. ^ “Abstract Formal Specification of the seL4/ARMv6 API” (PDF). Archived from the original (PDF) on 21 May 2015. Retrieved 19 May 2015.
  67. ^ Baumann, Christoph; Beckert, Bernhard; Blasum, Holger; Bormer, Thorsten. Ingredients of Operating System Correctness? Lessons Learned in the Formal Verification of PikeOS (PDF). Embedded World Conference, Nuremberg, Germany. Archived from the original (PDF) on 19 July 2011.
  68. ^ Ganssle, Jack. “Getting it Right”. Archived from the original on 4 May 2013.
  69. ^ “Everything you need for a career as a SOC analyst”. www.cybersecurityjobsite.com. Retrieved 19 December 2023.
  70. ^ Rittinghouse, John; Hancock, William M. (2 October 2003). Cybersecurity Operations Handbook. Digital Press. pp. 436–437. ISBN 978-0-08-053018-5. Retrieved 4 September 2025.
  71. ^ “Turn on 2-step verification (2SV)”. www.ncsc.gov.uk. Retrieved 19 December 2023.
  72. ^ “NCSC’s cyber security training for staff now available”. www.ncsc.gov.uk. Retrieved 19 December 2023.
  73. ^ Treglia, J.; Delia, M. (2017). Cyber Security Inoculation. NYS Cyber Security Conference, Empire State Plaza Convention Center, Albany, NY, 3–4 June.
  74. ^ “What is a license dongle?”. www.revenera.com. Retrieved 12 June 2024.
  75. ^ “Token-based authentication”. SafeNet.com. Archived from the original on 20 March 2014. Retrieved 20 March 2014.
  76. ^ “Lock and protect your Windows PC”. TheWindowsClub.com. 10 February 2010. Archived from the original on 20 March 2014. Retrieved 20 March 2014.
  77. ^ Greene, James (2012). “Intel Trusted Execution Technology: White Paper” (PDF). Intel Corporation. Archived (PDF) from the original on 11 June 2014. Retrieved 18 December 2013.
  78. ^ “SafeNet ProtectDrive 8.4”. SCMagazine.com. 4 October 2008. Archived from the original on 20 March 2014. Retrieved 20 March 2014.
  79. ^ “Secure Hard Drives: Lock Down Your Data”. PCMag.com. 11 May 2009. Archived from the original on 21 June 2017.
  80. ^ Souppaya, Murugiah P.; Scarfone, Karen (2013). “Guidelines for Managing the Security of Mobile Devices in the Enterprise”. National Institute of Standards and Technology. Special Publication (NIST SP). Gaithersburg, MD. doi:10.6028/NIST.SP.800-124r1.
  81. ^ “Access Control Statistics: Trends & Insights”. 23 February 2024. Retrieved 26 April 2024.
  82. ^ “Forget IDs, use your phone as credentials”. Fox Business Network. 4 November 2013. Archived from the original on 20 March 2014. Retrieved 20 March 2014.
  83. ^ “Direct memory access protections for Mac computers”. Apple. Retrieved 16 November 2022.
  84. ^ “Using IOMMU for DMA Protection in UEFI Firmware” (PDF). Intel Corporation. Archived (PDF) from the original on 9 December 2021. Retrieved 16 November 2022.
  85. ^ Babaei, Armin; Schiele, Gregor; Zohner, Michael (26 July 2022). “Reconfigurable Security Architecture (RESA) Based on PUF for FPGA-Based IoT Devices”. Sensors. 22 (15): 5577. Bibcode:2022Senso..22.5577B. doi:10.3390/s22155577. ISSN 1424-8220. PMC 9331300. PMID 35898079.
  86. ^ Hassija, Vikas; Chamola, Vinay; Gupta, Vatsal; Jain, Sarthak; Guizani, Nadra (15 April 2021). “A Survey on Supply Chain Security: Application Areas, Security Threats, and Solution Architectures”. IEEE Internet of Things Journal. 8 (8): 6222–6246. Bibcode:2021IITJ....8.6222H. doi:10.1109/JIOT.2020.3025775. ISSN 2327-4662. S2CID 226767829.
  87. ^ “The Most Secure OS: What is the Safest OS Available?”. Tech.co. Retrieved 19 December 2023.
  88. ^ Sanghavi, Alok (21 May 2010). “What is formal verification?”. EE Times_Asia.
  89. ^ Ferraiolo, D.F. & Kuhn, D.R. (October 1992). “Role-Based Access Control” (PDF). 15th National Computer Security Conference: 554–563.
  90. ^ Sandhu, R; Coyne, EJ; Feinstein, HL; Youman, CE (August 1996). “Role-Based Access Control Models” (PDF). IEEE Computer. 29 (2): 38–47. Bibcode:1996Compr..29b..38S. CiteSeerX 10.1.1.50.7649. doi:10.1109/2.485845. S2CID 1958270.
  91. ^ Abreu, Vilmar; Santin, Altair O.; Viegas, Eduardo K.; Stihler, Maicon (2017). A multi-domain role activation model (PDF). 2017 IEEE International Conference on Communications (ICC). IEEE Press. pp. 1–6. doi:10.1109/ICC.2017.7997247. ISBN 978-1-4673-8999-0. S2CID 6185138.
  92. ^ A.C. O’Connor & R.J. Loomis (2002). Economic Analysis of Role-Based Access Control (PDF). Research Triangle Institute. p. 145.
  93. ^ “Studies prove once again that users are the weakest link in the security chain”. CSO Online. 22 January 2014. Retrieved 8 October 2018.
  94. ^ “The Role of Human Error in Successful Security Attacks”. IBM Security Intelligence. 2 September 2014. Retrieved 8 October 2018.
  95. ^ “90% of security incidents trace back to PEBKAC and ID10T errors”. Computerworld. 15 April 2015. Retrieved 8 October 2018.
  96. ^ “Protect your online banking with 2FA”. NZ Bankers Association. 7 October 2018. Archived from the original on 21 January 2020. Retrieved 7 September 2019.
  97. ^ “IBM Security Services 2014 Cyber Security Intelligence Index” (PDF). PcSite. 2014. Retrieved 9 October 2020.
  98. ^ Caldwell, Tracey (12 February 2013). “Risky business: why security awareness is crucial for employees”. The Guardian. Retrieved 8 October 2018.
  99. ^ “Developing a Security Culture”. CPNI – Centre for the Protection of National Infrastructure. Archived from the original on 9 October 2018. Retrieved 8 October 2018.
  100. ^ a b “Cyber Hygiene – ENISA”. Retrieved 27 September 2018.
  101. ^ a b Kaljulaid, Kersti (16 October 2017). “President of the Republic at the Aftenposten’s Technology Conference”. Retrieved 27 September 2018.
  102. ^ “Cyber security breaches survey 2023”. GOV.UK. Retrieved 27 December 2023.
  103. ^ Kuchler, Hannah (27 April 2015). “Security execs call on companies to improve ‘cyber hygiene’”. Financial Times. Archived from the original on 10 December 2022. Retrieved 27 September 2018.
  104. ^ “From AI to Russia, Here’s How Estonia’s President Is Planning for the Future”. Wired. Retrieved 28 September 2018.
  105. ^ “Professor Len Adleman explains how he coined the term ‘computer virus’”. WeLiveSecurity. 1 November 2017. Retrieved 28 September 2018.
  106. ^ “Statement of Dr. Vinton G. Cerf”. www.jec.senate.gov. Retrieved 28 September 2018.
  107. ^ Promoting Good Cyber Hygiene Act of 2017 at Congress.gov
  108. ^ “Analysis | The Cybersecurity 202: Agencies struggling with basic cybersecurity despite Trump’s pledge to prioritize it”. The Washington Post. Retrieved 28 September 2018.
  109. ^ “Protected Voices”. Federal Bureau of Investigation. Retrieved 28 September 2018.
  110. ^ Lin, Tom C. W. (3 July 2017). “The New Market Manipulation”. Emory Law Journal. 66: 1253. SSRN 2996896.
  111. ^ Lin, Tom C. W. (2016). “Financial Weapons of War”. Minnesota Law Review. SSRN 2765010.
  112. ^ Cole, Jeffrey I.; Suman, Michael; Schramm, Phoebe; van Bel, Daniel; Lunn, B.; Maguire, Phyllisane; Hanson, Koran; Singh, Rajesh; Aquino, Jedrix-Sean; Lebo, Harlan (2000). The UCLA Internet report: Surveying the digital future (PDF). ccp.ucla.edu (Report). Archived from the original (PDF) on 23 April 2003. Retrieved 15 September 2023.
  113. ^ Pagliery, Jose (18 November 2014). “Hackers attacked the U.S. energy grid 79 times this year”. CNN Money. Cable News Network. Archived from the original on 18 February 2015. Retrieved 16 April 2015.
  114. ^ Neumann, P. G. (1997). Computer Security in Aviation: Vulnerabilities, Threats, and Risks. International Conference on Aviation Safety and Security in the 21st Century, White House Commission on Safety and Security.
  115. ^ Dillingham, Gerald L. (20 September 2001). Aviation security: terrorist acts demonstrate urgent need to improve security at the nation’s airports (Report). United States. General Accounting Office.
  116. ^ “Air Traffic Control Systems Vulnerabilities Could Make for Unfriendly Skies [Black Hat] – SecurityWeek.Com”. 27 July 2012. Archived from the original on 8 February 2015.
  117. ^ “Hacker Says He Can Break into Airplane Systems Using In-Flight Wi-Fi”. NPR. 4 August 2014. Archived from the original on 8 February 2015. Retrieved 19 March 2020.
  118. ^ Finkle, Jim (4 August 2014). “Hacker says to show passenger jets at risk of cyber attack”. Reuters. Archived from the original on 13 October 2015. Retrieved 21 November 2021.
  119. ^ Cesar, Alan (15 December 2023). “Online course bolsters cybersecurity in aviation”. Aerogram. Purdue University School of Aeronautics and Astronautics. Retrieved 9 January 2024.
  120. ^ “Pan-European Network Services (PENS) – Eurocontrol.int”. Archived from the original on 12 December 2016.
  121. ^ “Centralised Services: NewPENS moves forward – Eurocontrol.int”. Eurocontrol. 17 January 2016. Archived from the original on 19 March 2017.
  122. ^ “NextGen Data Communication”. FAA. Archived from the original on 13 March 2015. Retrieved 15 June 2017.
  123. ^ “e-Passports | Homeland Security”. www.dhs.gov. Retrieved 3 February 2023.
  124. ^ “The Australian ePassport. Australian Government Department of Foreign Affairs and Trade website”. Archived from the original on 9 January 2015. Retrieved 1 May 2023.
  125. ^ a b “Is Your Watch Or Thermostat A Spy? Cybersecurity Firms Are On It”. NPR. 6 August 2014. Archived from the original on 11 February 2015.
  126. ^ O’Neill, Stephanie (19 November 2018). “As Insurers Offer Discounts For Fitness Trackers, Wearers Should Step With Caution”. NPR. Retrieved 10 October 2025.
  127. ^ Kruse, CB; Smith, B; Vanderlinden, H; Nealand, A (21 July 2017). “Security Techniques for the Electronic Health Records”. Journal of Medical Systems. 41 (8): 127. doi:10.1007/s10916-017-0778-4. PMC 5522514. PMID 28733949.
  128. ^ Backman, Melvin (18 September 2014). “Home Depot: 56 million cards exposed in breach”. CNNMoney. Archived from the original on 18 December 2014.
  129. ^ “Staples: Breach may have affected 1.16 million customers’ cards”. Fortune.com. 19 December 2014. Archived from the original on 21 December 2014. Retrieved 21 December 2014.
  130. ^ “Target: 40 million credit cards compromised”. CNN. 19 December 2013. Archived from the original on 1 December 2017. Retrieved 29 November 2017.
  131. ^ Cowley, Stacy (2 October 2017). “2.5 Million More People Potentially Exposed in Equifax Breach”. The New York Times. Archived from the original on 1 December 2017. Retrieved 29 November 2017.
  132. ^ Finkle, Jim (23 April 2014). “Exclusive: FBI warns healthcare sector vulnerable to cyber attacks”. Reuters. Archived from the original on 4 June 2016. Retrieved 23 May 2016.
  133. ^ Seals, Tara (6 November 2015). “Lack of Employee Security Training Plagues US Businesses”. Infosecurity Magazine. Archived from the original on 9 November 2017. Retrieved 8 November 2017.
  134. ^ Bright, Peter (15 February 2011). “Anonymous speaks: the inside story of the HBGary hack”. Arstechnica.com. Archived from the original on 27 March 2011. Retrieved 29 March 2011.
  135. ^ Anderson, Nate (9 February 2011). “How one man tracked down Anonymous – and paid a heavy price”. Arstechnica.com. Archived from the original on 29 March 2011. Retrieved 29 March 2011.
  136. ^ Palilery, Jose (24 December 2014). “What caused Sony hack: What we know now”. CNN Money. Archived from the original on 4 January 2015. Retrieved 4 January 2015.
  137. ^ Cook, James (16 December 2014). “Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far”. Business Insider. Archived from the original on 17 December 2014. Retrieved 18 December 2014.
  138. ^ a b Lee, Timothy B. (18 January 2015). “The next frontier of hacking: your car”. Vox. Archived from the original on 17 March 2017.
  139. ^ Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk (PDF) (Report). 6 February 2015. Archived (PDF) from the original on 9 November 2016. Retrieved 4 November 2016.
  140. ^ “Cybersecurity expert: It will take a ‘major event’ for companies to take this issue seriously”. AOL.com. 5 January 2017. Archived from the original on 20 January 2017. Retrieved 22 January 2017.
  141. ^ “The problem with self-driving cars: who controls the code?”. The Guardian. 23 December 2015. Archived from the original on 16 March 2017. Retrieved 22 January 2017.
  142. ^ Checkoway, Stephen; McCoy, Damon; Kantor, Brian; Anderson, Danny; Shacham, Hovav; Savage, Stefan; Koscher, Karl; Czeskis, Alexei; Roesner, Franziska; Kohno, Tadayoshi (2011). Comprehensive Experimental Analyses of Automotive Attack Surfaces (PDF). SEC’11 Proceedings of the 20th USENIX conference on Security. Berkeley, California, US: USENIX Association. p. 6. Archived (PDF) from the original on 21 February 2015.
  143. ^ Greenberg, Andy (21 July 2015). “Hackers Remotely Kill a Jeep on the Highway – With Me in It”. Wired. Archived from the original on 19 January 2017. Retrieved 22 January 2017.
  144. ^ “Hackers take control of car, drive it into a ditch”. The Independent. 22 July 2015. Archived from the original on 2 February 2017. Retrieved 22 January 2017.
  145. ^ “Tesla fixes software bug that allowed Chinese hackers to control car remotely”. The Telegraph. 21 September 2016. Archived from the original on 2 February 2017. Retrieved 22 January 2017.
  146. ^ Kang, Cecilia (19 September 2016). “Self-Driving Cars Gain Powerful Ally: The Government”. The New York Times. Archived from the original on 14 February 2017. Retrieved 22 January 2017.
  147. ^ “Federal Automated Vehicles Policy” (PDF). Archived (PDF) from the original on 21 January 2017. Retrieved 22 January 2017.
  148. ^ “Vehicle Cybersecurity”. nhtsa.gov. Retrieved 25 November 2022.
  149. ^ “Thales supplies smart driver license to 4 states in Mexico”. Thales Group.
  150. ^ “4 Companies Using RFID for Supply Chain Management”. atlasRFIDstore. Retrieved 3 February 2023.
  151. ^ “The Cutting Edge of RFID Technology and Applications for Manufacturing and Distribution”. Supply Chain Market.
  152. ^ Rahman, Mohammad Anwar; Khadem, Mohammad Miftaur; Sarder, MD. Application of RFID in Supply Chain System. Proceedings of the 2010 International Conference on Industrial Engineering and Operations Management Dhaka, Bangladesh, January 9 – 10, 2010. CiteSeerX 10.1.1.397.7831.
  153. ^ “Gary McKinnon profile: Autistic ‘hacker’ who started writing computer programs at 14”. The Daily Telegraph. London. 23 January 2009. Archived from the original on 2 June 2010.
  154. ^ “Gary McKinnon extradition ruling due by 16 October”. BBC News. 6 September 2012. Archived from the original on 6 September 2012. Retrieved 25 September 2012.
  155. ^ Mckinnon V Government of The United States of America and Another (House of Lords 16 June 2008) (“15. … alleged to total over $700,000”), Text.
  156. ^ “Fresh Leak on US Spying: NSA Accessed Mexican President’s Email”. SPIEGEL ONLINE. 20 October 2013. Archived from the original on 6 November 2015.
  157. ^ Sanders, Sam (4 June 2015). “Massive Data Breach Puts 4 Million Federal Employees’ Records at Risk”. NPR. Archived from the original on 5 June 2015. Retrieved 5 June 2015.
  158. ^ Liptak, Kevin (4 June 2015). “U.S. government hacked; feds think China is the culprit”. CNN. Archived from the original on 6 June 2015. Retrieved 5 June 2015.
  159. ^ Gallagher, Sean. “Encryption “would not have helped” at OPM, says DHS official”. Archived from the original on 24 June 2017.
  160. ^ Davis, Michelle R. (19 October 2015). “Schools Learn Lessons From Security Breaches”. Education Week. Archived from the original on 10 June 2016. Retrieved 23 May 2016.
  161. ^ “Internet of Things Global Standards Initiative”. ITU. Archived from the original on 26 June 2015. Retrieved 26 June 2015.
  162. ^ Singh, Jatinder; Pasquier, Thomas; Bacon, Jean; Ko, Hajoon; Eyers, David (2015). “Twenty Cloud Security Considerations for Supporting the Internet of Things” (PDF). IEEE Internet of Things Journal. 3 (3): 269–284. doi:10.1109/JIOT.2015.2460333. S2CID 4732406.
  163. ^ Clearfield, Chris. “Why The FTC Can’t Regulate The Internet Of Things”. Forbes. Archived from the original on 27 June 2015. Retrieved 26 June 2015.
  164. ^ “Internet of Things: Science Fiction or Business Fact?” (PDF). Harvard Business Review. Archived (PDF) from the original on 17 March 2015. Retrieved 4 November 2016.
  165. ^ Vermesan, Ovidiu; Friess, Peter. “Internet of Things: Converging Technologies for Smart Environments and Integrated Ecosystems” (PDF). River Publishers. Archived (PDF) from the original on 12 October 2016. Retrieved 4 November 2016.
  166. ^ Clearfield, Chris (20 June 2013). “Rethinking Security for the Internet of Things”. Harvard Business Review. Archived from the original on 20 September 2013.
  167. ^ “Hotel room burglars exploit critical flaw in electronic door locks”. Ars Technica. 26 November 2012. Archived from the original on 14 May 2016. Retrieved 23 May 2016.
  168. ^ “Hospital Medical Devices Used As Weapons in Cyberattacks”. Dark Reading. 6 August 2015. Archived from the original on 29 May 2016. Retrieved 23 May 2016.
  169. ^ Kirk, Jeremy (17 October 2012). “Pacemaker hack can deliver deadly 830-volt jolt”. Computerworld. Archived from the original on 4 June 2016. Retrieved 23 May 2016.
  170. ^ “How Your Pacemaker Will Get Hacked”. The Daily Beast. Kaiser Health News. 17 November 2014. Archived from the original on 20 May 2016. Retrieved 23 May 2016.
  171. ^ Leetaru, Kalev. “Hacking Hospitals And Holding Hostages: Cybersecurity In 2016”. Forbes. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  172. ^ a b “Cyber-Angriffe: Krankenhäuser rücken ins Visier der Hacker”. Wirtschafts Woche. 7 December 2016. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  173. ^ “Hospitals keep getting attacked by ransomware – Here’s why”. Business Insider. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  174. ^ “MedStar Hospitals Recovering After ‘Ransomware’ Hack”. NBC News. 31 March 2016. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  175. ^ Pauli, Darren. “US hospitals hacked with ancient exploits”. The Register. Archived from the original on 16 November 2016. Retrieved 29 December 2016.
  176. ^ Pauli, Darren. “Zombie OS lurches through Royal Melbourne Hospital spreading virus”. The Register. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  177. ^ “Hacked Lincolnshire hospital computer systems ‘back up’”. BBC News. 2 November 2016. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  178. ^ “Lincolnshire operations cancelled after network attack”. BBC News. 31 October 2016. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  179. ^ “Legion cyber-attack: Next dump is sansad.nic.in, say hackers”. The Indian Express. 12 December 2016. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  180. ^ “Former New Hampshire Psychiatric Hospital Patient Accused Of Data Breach”. CBS Boston. 27 December 2016. Archived from the original on 29 September 2017. Retrieved 29 December 2016.
  181. ^ “Texas Hospital hacked, affects nearly 30,000 patient records”. Healthcare IT News. 4 November 2016. Archived from the original on 29 December 2016. Retrieved 29 December 2016.
  182. ^ Becker, Rachel (27 December 2016). “New cybersecurity guidelines for medical devices tackle evolving threats”. The Verge. Archived from the original on 28 December 2016. Retrieved 29 December 2016.
  183. ^ “Postmarket Management of Cybersecurity in Medical Devices” (PDF). Food and Drug Administration. 28 December 2016. Archived from the original (PDF) on 29 December 2016. Retrieved 29 December 2016.
  184. ^ Brandt, Jaclyn (18 June 2018). “D.C. distributed energy proposal draws concerns of increased cybersecurity risks”. Daily Energy Insider. Retrieved 4 July 2018.
  185. ^ “Current Releases – The Open Mobile Alliance”. openmobilealliance.org.
  186. ^ Cashell, B.; Jackson, W. D.; Jickling, M.; Webel, B. (2004). The Economic Impact of Cyber-Attacks (PDF) (Report). Washington DC: Congressional Research Service, Government, and Finance Division. RL32331.
  187. ^ Gordon, Lawrence; Loeb, Martin (November 2002). “The Economics of Information Security Investment”. ACM Transactions on Information and System Security. 5 (4): 438–457. doi:10.1145/581271.581274. S2CID 1500788.
  188. ^ Sanger, David E.; Barnes, Julian E. (20 December 2021). “U.S. and Britain Help Ukraine Prepare for Potential Russian Cyberassault”. The New York Times. ISSN 0362-4331. Retrieved 4 December 2023.
  189. ^ “Cyber-Attack Against Ukrainian Critical Infrastructure | CISA”. www.cisa.gov. 20 July 2021. Retrieved 4 December 2023.
  190. ^ Han, Chen; Dongre, Rituja (2014). “Q&A. What Motivates Cyber-Attackers?”. Technology Innovation Management Review. 4 (10): 40–42. doi:10.22215/timreview/838. ISSN 1927-0321.
  191. ^ Chermick, Steven; Freilich, Joshua; Holt, Thomas (April 2017). “Exploring the Subculture of Ideologically Motivated Cyber-Attackers”. Journal of Contemporary Criminal Justice. 33 (3): 212–233. doi:10.1177/1043986217699100. S2CID 152277480.
  192. ^ Anderson, Ross (2020). Security engineering: a guide to building dependable distributed systems (3rd ed.). Indianapolis, IN: John Wiley & Sons. ISBN 978-1-119-64281-7. OCLC 1224516855.
  193. ^ “The Leading Cloud Recruiting Software”. iCIMS. Retrieved 13 March 2021.
  194. ^ Wilcox, S. and Brown, B. (2005) ‘Responding to Security Incidents – Sooner or Later Your Systems Will Be Compromised’, Journal of Health Care Compliance, 7(2), pp. 41–48
  195. ^ a b Jonathan Zittrain, ‘The Future of The Internet’, Penguin Books, 2008
  196. ^ Information Security Archived 6 March 2016 at the Wayback Machine. United States Department of Defense, 1986
  197. ^ “The TJX Companies, Inc. Victimized by Computer System Intrusion; Provides Information to Help Protect Customers” (Press release). The TJX Companies, Inc. 17 January 2007. Archived from the original on 27 September 2012. Retrieved 12 December 2009.
  198. ^ Largest Customer Info Breach Grows Archived 28 September 2007 at the Wayback Machine. MyFox Twin Cities, 29 March 2007.
  199. ^ “The Stuxnet Attack On Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought”. Business Insider. 20 November 2013. Archived from the original on 9 May 2014.
  200. ^ Reals, Tucker (24 September 2010). “Stuxnet Worm a U.S. Cyber-Attack on Iran Nukes?”. CBS News. Archived from the original on 16 October 2013.
  201. ^ Zetter, Kim (17 February 2011). “Cyberwar Issues Likely to Be Addressed Only After a Catastrophe”. Wired. Archived from the original on 18 February 2011. Retrieved 18 February 2011.
  202. ^ Carroll, Chris (18 October 2011). “Cone of silence surrounds U.S. cyberwarfare”. Stars and Stripes. Archived from the original on 7 March 2012. Retrieved 30 October 2011.
  203. ^ Bumgarner, John (27 April 2010). “Computers as Weapons of War” (PDF). IO Journal. Archived from the original (PDF) on 19 December 2011. Retrieved 30 October 2011.
  204. ^ Greenwald, Glenn (6 June 2013). “NSA collecting phone records of millions of Verizon customers daily”. The Guardian. Archived from the original on 16 August 2013. Retrieved 16 August 2013. Exclusive: Top secret court order requiring Verizon to hand over all call data shows scale of domestic surveillance under Obama
  205. ^ Seipel, Hubert. “Transcript: ARD interview with Edward Snowden”. La Foundation Courage. Archived from the original on 14 July 2014. Retrieved 11 June 2014.
  206. ^ Newman, Lily Hay (9 October 2013). “Can You Trust NIST?”. IEEE Spectrum. Archived from the original on 1 February 2016.
  207. ^ “NIST Removes Cryptography Algorithm from Random Number Generator Recommendations”. National Institute of Standards and Technology. 21 April 2014.
  208. ^ “New Snowden Leak: NSA Tapped Google, Yahoo Data Centers” Archived 9 July 2014 at the Wayback Machine, 31 October 2013, Lorenzo Franceschi-Bicchierai, mashable.com
  209. ^ Riley, Michael; Elgin, Ben; Lawrence, Dune; Matlack, Carol (17 March 2014). “Target Missed Warnings in Epic Hack of Credit Card Data”. Businessweek. Archived from the original on 27 January 2015.
  210. ^ Rosenblatt, Seth (6 November 2014). “Home Depot says 53 million emails stolen”. CNET. CBS Interactive. Archived from the original on 9 December 2014.
  211. ^ “Millions more Americans hit by government personnel data hack”. Reuters. 9 July 2017. Archived from the original on 28 February 2017. Retrieved 25 February 2017.
  212. ^ Barrett, Devlin (4 June 2015). “U.S. Suspects Hackers in China Breached About four (4) Million People’s Records, Officials Say”. The Wall Street Journal. Archived from the original on 4 June 2015.
  213. ^ Risen, Tom (5 June 2015). “China Suspected in Theft of Federal Employee Records”. U.S. News & World Report. Archived from the original on 6 June 2015.
  214. ^ Zengerle, Patricia (19 July 2015). “Estimate of Americans hit by government personnel data hack skyrockets”. Reuters. Archived from the original on 10 July 2015.
  215. ^ Sanger, David (5 June 2015). “Hacking Linked to China Exposes Millions of U.S. Workers”. The New York Times. Archived from the original on 5 June 2015.
  216. ^ Mansfield-Devine, Steve (1 September 2015). “The Ashley Madison affair”. Network Security. 2015 (9): 8–16. doi:10.1016/S1353-4858(15)30080-5.
  217. ^ Turton, W.; Mehrotra, K. (4 June 2021). “Hackers Breached Colonial Pipeline Using Compromised Password”. Bloomberg L.P. Retrieved 3 December 2023.
  218. ^ a b “Mikko Hypponen: Fighting viruses, defending the net”. TED. 19 July 2011. Archived from the original on 16 January 2013.
  219. ^ “Mikko Hypponen – Behind Enemy Lines”. Hack in the Box Security Conference. 9 December 2012. Archived from the original on 25 November 2016.
  220. ^ “Ensuring the Security of Federal Information Systems and Cyber Critical Infrastructure and Protecting the Privacy of Personally Identifiable Information”. Government Accountability Office. Archived from the original on 19 November 2015. Retrieved 3 November 2015.
  221. ^ King, Georgia (23 May 2018). “The Venn diagram between libertarians and crypto bros is so close it’s basically a circle”. Quartz.
  222. ^ Kirby, Carrie (24 June 2011). “Former White House aide backs some Net regulation / Clarke says government, industry deserve ‘F’ in cyber security”. The San Francisco Chronicle.
  223. ^ McCarthy, Daniel (11 June 2018). “Privatizing Political Authority: Cybersecurity, Public-Private Partnerships, and the Reproduction of Liberal Political Order”. Politics and Governance. 6 (2): 5–12. doi:10.17645/pag.v6i2.1335.
  224. ^ “It’s Time to Treat Cybersecurity as a Human Rights Issue”. Human Rights Watch. 26 May 2020. Retrieved 26 May 2020.
  225. ^ “FIRST Mission”. FIRST. Retrieved 6 July 2018.
  226. ^ “FIRST Members”. FIRST. Retrieved 6 July 2018.
  227. ^ “European council”. Archived from the original on 3 December 2014.
  228. ^ “MAAWG”. Archived from the original on 23 September 2014.
  229. ^ “MAAWG”. Archived from the original on 17 October 2014.
  230. ^ “Government of Canada Launches Canada’s Cyber Security Strategy”. Market Wired. 3 October 2010. Archived from the original on 2 November 2014. Retrieved 1 November 2014.
  231. ^ a b “Canada’s Cyber Security Strategy”. Public Safety Canada. Government of Canada. Archived from the original on 2 November 2014. Retrieved 1 November 2014.
  232. ^ a b c “Action Plan 2010–2015 for Canada’s Cyber Security Strategy”. Public Safety Canada. Government of Canada. Archived from the original on 2 November 2014. Retrieved 3 November 2014.
  233. ^ “Cyber Incident Management Framework For Canada”. Public Safety Canada. Government of Canada. Archived from the original on 2 November 2014. Retrieved 3 November 2014.
  234. ^ “Action Plan 2010–2015 for Canada’s Cyber Security Strategy”. Public Safety Canada. Government of Canada. Archived from the original on 2 November 2014. Retrieved 1 November 2014.
  235. ^ “Canadian Cyber Incident Response Centre”. Public Safety Canada. Archived from the original on 8 October 2014. Retrieved 1 November 2014.
  236. ^ “Cyber Security Bulletins”. Public Safety Canada. Archived from the original on 8 October 2014. Retrieved 1 November 2014.
  237. ^ “Report a Cyber Security Incident”. Public Safety Canada. Government of Canada. Archived from the original on 11 November 2014. Retrieved 3 November 2014.
  238. ^ “Government of Canada Launches Cyber Security Awareness Month With New Public Awareness Partnership”. Market Wired. Government of Canada. 27 September 2012. Archived from the original on 3 November 2014. Retrieved 3 November 2014.
  239. ^ “Cyber Security Cooperation Program”. Public Safety Canada. Archived from the original on 2 November 2014. Retrieved 1 November 2014.
  240. ^ “Cyber Security Cooperation Program”. Public Safety Canada. 16 December 2015. Archived from the original on 2 November 2014.
  241. ^ “GetCyberSafe”. Get Cyber Safe. Government of Canada. Archived from the original on 11 November 2014. Retrieved 3 November 2014.
  242. ^ “Australian federal government announces cyber security support for SMBs”,“2023-2030 Australian Cyber Security Strategy”. Retrieved 22 November 2023.
  243. ^ “Securing critical infrastructures: What you need to know about Hong Kong’s first cyber legislation”. Retrieved 21 March 2025.
  244. ^ “Safeguarding Hong Kong’s cybersecurity: Essential insights for Critical Infrastructure Operators”. Retrieved 19 January 2026.
  245. ^ “Need for proper structure of PPPs to address specific cyberspace risks”. ORF. Archived from the original on 13 November 2017.
  246. ^ “National Cyber Safety and Security Standards(NCSSS)-Home”. www.ncdrc.res.in. Archived from the original on 19 February 2018. Retrieved 19 February 2018.
  247. ^ “South Korea seeks global support in cyber attack probe”. BBC Monitoring Asia Pacific. 7 March 2011.
  248. ^ Jun, Kwanwoo (23 September 2013). “Seoul Puts a Price on Cyberdefense”. The Wall Street Journal. Dow Jones & Company, Inc. Archived from the original on 25 September 2013. Retrieved 24 September 2013.
  249. ^ “UK cyber-centre thwarts hostile hackers”. BBC News. 15 October 2018. Retrieved 31 December 2025.
  250. ^ Sengupta, Kim (29 July 2020). “New head of GCHQ cyber security agency announced”. The Independent. Retrieved 31 December 2025.
  251. ^ Targett, Edward (16 December 2021). “UK’s 2022 National Cyber Security Strategy: The Top 10 takeaways”. The Stack. Retrieved 31 December 2025.
  252. ^ “National Cyber Strategy 2022”. GOV.UK. 15 December 2022. Retrieved 31 December 2025.
  253. ^ Warrell, Helen (19 November 2020). “National Cyber Force will target UK adversaries online”. Financial Times. Retrieved 31 December 2025.
  254. ^ White, House (March 2023). “National security strategy” (PDF). No. March 2032. white house. US gov.
  255. ^ Adil, Sajid (16 October 2023). “Do You Know About Biggest Cybersecurity Threats In 2023?”. Cybernexguard. Adil Sajid. Retrieved 18 December 2023.
  256. ^ Adil, Sajid (September 2018). “National Cyber Strategy of the United States of America”. University Libraries UNT Digital Library. Retrieved 18 December 2023.
  257. ^ Adil, Sajid (September 2018). “Do You Know About Biggest Cybersecurity Threats In 2023?”. University Libraries UNT Digital Library. Retrieved 18 December 2023.
  258. ^ International Cybercrime Reporting and Cooperation Act at Congress.gov
  259. ^ “111th Congress, 2nd Session”. Archived from the original on 20 January 2012.
  260. ^ Kelly, Mary Louise (13 May 2021). “Biden Adviser On Cyber Threats And The New Executive Order To Combat Them”. NPR.
  261. ^ Executive Order on Improving the Nation’s Cybersecurity (full text)
  262. ^ “National Cyber Security Division”. U.S. Department of Homeland Security. Archived from the original on 11 June 2008. Retrieved 14 June 2008.
  263. ^ a b “FAQ: Cyber Security R&D Center”. U.S. Department of Homeland Security S&T Directorate. Archived from the original on 6 October 2008. Retrieved 14 June 2008.
  264. ^ AFP-JiJi, “U.S. boots up cybersecurity center”, 31 October 2009.
  265. ^ “Federal Bureau of Investigation – Priorities”. Federal Bureau of Investigation. Archived from the original on 11 July 2016.
  266. ^ “Internet Crime Complaint Center (IC3) – Home”. Archived from the original on 20 November 2011.
  267. ^ “Infragard, Official Site”. Infragard. Archived from the original on 9 September 2010. Retrieved 10 September 2010.
  268. ^ “Robert S. Mueller, III – InfraGard Interview at the 2005 InfraGard Conference”. Infragard (Official Site) – “Media Room”. Archived from the original on 17 June 2011. Retrieved 9 December 2009.
  269. ^ “CCIPS”. 25 March 2015. Archived from the original on 23 August 2006.
  270. ^ “A Framework for a Vulnerability Disclosure Program for Online Systems”. Cybersecurity Unit, Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice. July 2017. Retrieved 9 July 2018.
  271. ^ “Mission and Vision”. www.cybercom.mil. Retrieved 20 June 2020.
  272. ^ William J. Lynn, III (12 November 2009). Remarks at the Defense Information Technology Acquisition Summit (Speech). Washington D.C. Archived from the original on 15 April 2010. Retrieved 10 July 2010.
  273. ^ Shachtman, Noah (23 September 2010). “Military’s Cyber Commander Swears: “No Role” in Civilian Networks”. brookings.edu. Archived from the original on 6 November 2010.
  274. ^ “FCC Cybersecurity”. FCC. Archived from the original on 27 May 2010. Retrieved 3 December 2014.
  275. ^ “Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication”. Food and Drug Administration. Archived from the original on 28 May 2016. Retrieved 23 May 2016.
  276. ^ “Automotive Cybersecurity – National Highway Traffic Safety Administration (NHTSA)”. Archived from the original on 25 May 2016. Retrieved 23 May 2016.
  277. ^ Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen (Report). U. S. Government Accountability Office. 14 April 2015. Archived from the original on 13 June 2016. Retrieved 23 May 2016.
  278. ^ Sternstein, Aliya (4 March 2016). “FAA Working on New Guidelines for Hack-Proof Planes”. Nextgov. Archived from the original on 19 May 2016. Retrieved 23 May 2016.
  279. ^ Elias, Bart (18 June 2015). “Protecting Civil Aviation from Cyberattacks” (PDF). Archived (PDF) from the original on 17 October 2016. Retrieved 4 November 2016.
  280. ^ Anderson, David; Reimers, Karl (2019). CYBER SECURITY EMPLOYMENT POLICY AND WORKPLACE DEMAND IN THE U.S. GOVERNMENT. EDULEARN19 Proceedings. Vol. 1. IATED. pp. 7858–7866. doi:10.21125/edulearn.2019.1914. ISBN 978-84-09-12031-4. ISSN 2340-1117.
  281. ^ Verton, Dan (28 January 2004). “DHS launches national cyber alert system”. Computerworld. IDG. Archived from the original on 31 August 2005. Retrieved 15 June 2008.
  282. ^ Details can be found in 10 CFR 73.54, Protection of digital computer and communication systems and networks.
  283. ^ Cyber Security Plan for Nuclear Power Reactors – Nuclear Energy Institute
  284. ^ Refer to NEI 08-09 for more details.
  285. ^ Clayton, Mark (7 March 2011). “The new cyber arms race”. The Christian Science Monitor. Archived from the original on 16 April 2015. Retrieved 16 April 2015.
  286. ^ Nakashima, Ellen (13 September 2016). “Obama to be urged to split cyberwar command from NSA”. The Washington Post. Retrieved 15 June 2017.{{cite news}}: CS1 maint: deprecated archival service (link)
  287. ^ Overland, Indra (1 March 2019). “The geopolitics of renewable energy: Debunking four emerging myths”. Energy Research & Social Science. 49: 36–40. Bibcode:2019ERSS…49…36O. doi:10.1016/j.erss.2018.10.018. hdl:11250/2579292. ISSN 2214-6296.
  288. ^ Maness, Ryan C.; Valeriano, Brandon (11 June 2018). “How We Stopped Worrying about Cyber Doom and Started Collecting Data”. Politics and Governance. 6 (2): 49–60. doi:10.17645/pag.v6i2.1368. hdl:10945/60589. ISSN 2183-2463.
  289. ^ Maness, Ryan C.; Valeriano, Brandon (25 March 2015). “The Impact of Cyber Conflict on International Interactions”. Armed Forces & Society. 42 (2): 301–323. doi:10.1177/0095327×15572997. ISSN 0095-327X. S2CID 146145942.
  290. ^ Bullard, Brittany (2016). Style and Statistics: The Art of Retail Analytics. Wiley. doi:10.1002/9781119271260.ch8. ISBN 978-1-119-27031-7.
  291. ^ Oltsik, Jon (18 March 2016). “Cybersecurity Skills Shortage Impact on Cloud Computing”. Network World. Archived from the original on 23 March 2016. Retrieved 23 March 2016.
  292. ^ Robinson, Terry (30 May 2018). “Why is a Degree in Cyber Security one of the Best?”. DegreeQuery.com. Archived from the original on 10 October 2021. Retrieved 10 October 2021.
  293. ^ de Silva, Richard (11 October 2011). “Government vs. Commerce: The Cyber Security Industry and You (Part One)”. Defence IQ. Archived from the original on 24 April 2014. Retrieved 24 April 2014.
  294. ^ “Department of Computer Science”. Archived from the original on 3 June 2013. Retrieved 30 April 2013.
  295. ^ “About Cyber Security architect”. cisa.gov. 1 August 2021. Retrieved 1 January 2022.
  296. ^ “How to become a Chief Information Security Officer (CISO)?”. cybersecuritycareer.org. 1 August 2021. Retrieved 4 January 2022.
  297. ^ “Data Protection Officers”. ico.org.uk. January 2021.
  298. ^ “Student Cybersecurity Resources”. NICCS (US National Initiative for Cybercareers and Studies). Archived from the original on 5 November 2020.
  299. ^ “Current Job Opportunities at DHS”. U.S. Department of Homeland Security. Archived from the original on 2 May 2013. Retrieved 5 May 2013.
  300. ^ “Cybersecurity Training & Exercises”. U.S. Department of Homeland Security. 12 May 2010. Archived from the original on 7 January 2015. Retrieved 9 January 2015.
  301. ^ “Cyber Security Awareness Free Training and Webcasts”. MS-ISAC (Multi-State Information Sharing & Analysis Center). Archived from the original on 6 January 2015. Retrieved 9 January 2015.
  302. ^ “DoD Approved 8570 Baseline Certifications”. iase.disa.mil. Archived from the original on 21 October 2016. Retrieved 19 June 2017.
  303. ^ “The UK Cyber Security Strategy: Report on Progress and Forward Plans December 2014” (PDF). United Kingdom Cabinet Office. Archived (PDF) from the original on 18 April 2018. Retrieved 20 August 2021.
  304. ^ “Cyber skills for a vibrant and secure UK”. GOV.UK.
  305. ^ “Singapore Operational Technology (OT) Cybersecurity Competency Framework”. Cyber Security Agency (Press release). 8 October 2021. Archived from the original on 16 October 2021. Retrieved 23 October 2021.
  306. ^ “Confidentiality”. Retrieved 31 October 2011.
  307. ^ “Data Integrity”. Archived from the original on 6 November 2011. Retrieved 31 October 2011.
  308. ^ “Endpoint Security”. 10 November 2010. Archived from the original on 16 March 2014. Retrieved 15 March 2014.
  309. ^ “A Brief History of the Cybersecurity Profession”. ISACA. Retrieved 13 October 2023.
  310. ^ “One step ahead in computing security”. RIT. Retrieved 13 October 2023.
  311. ^ a b Misa, Thomas J. (2016). “Computer Security Discourse at RAND, SDC, and NSA (1958-1970)”. IEEE Annals of the History of Computing. 38 (4): 12–25. Bibcode:2016IAHC…38d..12M. doi:10.1109/MAHC.2016.48. S2CID 17609542.
  312. ^ Neumann, A. J.; Statland, N.; Webb, R. D. (1977). “Post-processing audit tools and techniques” (PDF). nist.gov. US Department of Commerce, National Bureau of Standards. pp. 11–3–11–4. Archived (PDF) from the original on 10 October 2016. Retrieved 19 June 2020.
  313. ^ Irwin, Luke (5 April 2018). “How NIST can protect the CIA triad, including the often overlooked ‘I’ – integrity”. www.itgovernanceusa.com. Archived from the original on 26 November 2022. Retrieved 16 January 2021.
  314. ^ Perrin, Chad (30 June 2008). “The CIA Triad”. techrepublic.com. Retrieved 31 May 2012.
  315. ^ Stoneburner, G.; Hayden, C.; Feringa, A. (2004). Engineering Principles for Information Technology Security (PDF) (Report). csrc.nist.gov. doi:10.6028/NIST.SP.800-27rA. Archived (PDF) from the original on 12 October 2004. Note: this document has been superseded by later versions.
  316. ^ Yost, Jeffrey R. (April 2015). “The Origin and Early History of the Computer Security Software Products Industry”. IEEE Annals of the History of Computing. 37 (2): 46–58. Bibcode:2015IAHC…37b..46Y. doi:10.1109/MAHC.2015.21. ISSN 1934-1547. S2CID 18929482.
  317. ^ “A Brief History of Computer Viruses & What the Future Holds”. www.kaspersky.com. 19 April 2023. Retrieved 12 June 2024.
  318. ^ Tomlinson, Ray. “Interview with Ray Tomlinson on Creeper/Reaper”. OSNews. Retrieved 25 September 2025.
  319. ^ “First incident of cyber-espionage”. Guinness World Records. Retrieved 23 January 2024.
  320. ^ FBI News (2 November 2018). “The Morris Worm – 30 Years Since First Major Attack on the Internet”. fbi.gov. Retrieved 23 January 2024.
  321. ^ a b Boncella, Robert J (April 2004). Bidgoli, Hossein (ed.). The Internet Encyclopedia, Volume 2 (2nd ed.). Wiley. p. 262. ISBN 978-0-471-68996-6.
  322. ^ “1993: Mosaic Launches and the Web is Set Free”. Web Development History. 8 December 2021.
  323. ^ “Web Design Museum – Netscape Navigator 2.0”. 10 March 2023. Retrieved 4 December 2023.
  324. ^ Nakashima, Ellen (26 January 2008). “Bush Order Expands Network Monitoring: Intelligence Agencies to Track Intrusions”. The Washington Post. Retrieved 8 February 2021.
  325. ^ a b Perlroth, Nicole (7 February 2021). “How the U.S. Lost to Hackers”. The New York Times. Archived from the original on 28 December 2021. Retrieved 9 February 2021.
  326. ^ Perlroth, Nicole; Sanger, David; Shane, Scott (6 May 2019). “How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks”. The New York Times. Retrieved 18 October 2024.
  327. ^ Greenberg, Andy (7 May 2019). “The Strange Journey of an NSA Zero-Day—Into Multiple Enemies’ Hands”. WIRED. Retrieved 25 September 2025.
  328. ^ Schectman, Joel; Bing, Christopher (14 September 2021). “Ex-U.S. intel operatives admit hacking American networks for UAE”. Reuters. Retrieved 25 September 2025.

Further reading


]]>
https://us.onair.cc/cyber-challenges/feed/ 0
Cyber Teams (https://us.onair.cc/cyber-solutions/), Fri, 10 Oct 2025 05:59:03 +0000

The cybersecurity color wheel categorizes cyber teams by their roles:

  • Red Team: ethical hackers.
  • Blue Team: defenders.
  • Yellow Team: developers who build secure applications.
  • Purple Team: facilitates collaboration between Red and Blue.
  • Green Team: works with Yellow and Blue to implement secure coding practices.
  • Orange Team: trains Yellow developers.
  • White Team: manages the overall strategy, compliance, and coordination.

Source: Gemini AI Overview - 10/21/2025

OnAir Post: Cyber Teams

About

Cyber Teams

Primary teams

Based on a concept that combines offensive, defensive, and development roles, the primary color teams are Red, Blue, and Yellow. 
  • Red Team: These are offensive security professionals or “ethical hackers” who simulate real-world attacks to test an organization’s security and identify vulnerabilities. The red team’s mission is to exploit weaknesses in technology, processes, and people using the same tactics as adversaries, including social engineering and network penetration.
  • Blue Team: This is the defensive security team that protects the organization’s networks and systems. Their responsibilities include continuous monitoring for suspicious activity, managing firewalls and other security tools, responding to incidents, and forensic analysis.
  • Yellow Team: This team consists of developers, software engineers, and architects. They are the “builders” who design and create the applications and infrastructure for the organization. Their role is to integrate security principles into the software development process from the very beginning. 

Secondary and oversight teams

By combining the primary colors, secondary teams emerge that bridge the gaps between different functions. A neutral White Team provides overall management and oversight. 
  • Purple Team: A combination of Red and Blue, the purple team bridges the gap between offensive and defensive security. Instead of operating in silos, they collaborate to ensure the insights from red team exercises are used to improve the blue team’s defenses in a continuous feedback loop.
  • Green Team: Blending Blue and Yellow, the green team consists of DevSecOps engineers who focus on integrating security into the software development lifecycle. They ensure the code and design of applications are fortified with security mechanisms that the blue team can effectively manage and monitor.
  • Orange Team: This team combines the Red and Yellow teams to improve security awareness and secure coding practices among developers. The orange team uses offensive insights from the red team to educate builders on vulnerabilities and threat vectors, helping them “think like a hacker” during development.
  • White Team: The white team is the neutral party that oversees and referees security exercises between the red and blue teams. They establish the rules of engagement, track and monitor all activities, and conduct post-exercise analysis to report findings and lessons learned to management. 

A collaborative framework

The InfoSec Color Wheel is not just a collection of independent teams; it represents an integrated framework for improving an organization’s security posture. The various teams work together in a cycle: 
  • The Yellow Team builds applications and systems with secure foundations.
  • The Green Team provides developers with defensive expertise, embedding security controls and logging.
  • The Orange Team educates developers on potential vulnerabilities from an attacker’s perspective.
  • The Red Team simulates attacks to identify weaknesses in the system and test defenses.
  • The Blue Team defends against these simulated attacks, enhancing their detection and response capabilities.
  • The Purple Team facilitates collaboration between the Red and Blue teams to strengthen overall security.
  • The White Team oversees the entire process, ensuring compliance, reporting on results, and providing strategic guidance. 

Source: Gemini AI Overview – 10/21/2025

Web Links

Ten Cybersecurity Categories

Source: Other

Below are ten leading categories of cybersecurity solutions that organizations use to protect their digital assets. Each category contains numerous vendors and specific products.

1. Endpoint security

Endpoint security protects devices such as desktops, laptops, and mobile phones from malware, ransomware, and phishing attacks. Modern endpoint protection platforms (EPP) and endpoint detection and response (EDR) tools use behavioral analysis and machine learning to detect and block threats in real time.
  • Leading providers: CrowdStrike, SentinelOne, Microsoft Defender. 

2. Network security

Network security protects the network infrastructure from unauthorized access, misuse, or attack. Solutions include firewalls, intrusion detection/prevention systems (IDS/IPS), and Secure SD-WAN. 

3. Cloud security

Cloud security solutions protect data, applications, and infrastructure hosted in the cloud, across a variety of providers. This category includes cloud access security brokers (CASB), cloud workload protection platforms (CWPP), and Cloud Security Posture Management (CSPM). 
  • Leading providers: Microsoft (Defender/Sentinel), Palo Alto Networks, Zscaler. 

4. Identity and access management (IAM)

IAM solutions manage and protect user identities and control their access to digital resources. This includes single sign-on (SSO), multi-factor authentication (MFA), and Privileged Access Management (PAM) to protect access to critical systems. 
  • Leading providers: Okta, Microsoft, CyberArk. 

5. Email security

Email security focuses on protecting against email-based threats, which are the most common initial attack vector. Solutions use behavioral AI to detect advanced threats like business email compromise (BEC) and phishing that can bypass traditional filters.
  • Leading providers: Abnormal Security, Proofpoint, Trend Micro. 

6. Vulnerability management

Vulnerability management solutions scan systems, networks, and applications to identify security weaknesses before they can be exploited by attackers. This includes automated patch management and penetration testing services. 
  • Leading providers: Rapid7, Tenable, Qualysec. 

7. Threat intelligence

Threat intelligence services provide information on emerging threats, attacker tactics, and vulnerabilities to help organizations proactively defend against attacks. This intelligence is often integrated into other security tools. 
  • Leading providers: IBM Security, Cisco (Talos), CrowdStrike. 

8. Security Information and Event Management (SIEM)

A SIEM platform collects and aggregates log data from across an organization’s IT environment. It uses artificial intelligence and machine learning to analyze the data, detect threats, and centralize security incident investigation and response. 
  • Leading providers: Microsoft Sentinel, Exabeam, IBM. 

9. Extended Detection and Response (XDR)

XDR platforms go beyond traditional endpoint security by unifying security data from multiple sources—including endpoints, cloud, email, and identity—to automate threat detection, investigation, and response. 
  • Leading providers: Palo Alto Networks (Cortex XDR), Microsoft Defender, SentinelOne. 

10. Data loss prevention (DLP)

DLP solutions help organizations prevent sensitive data from leaving the network. This involves monitoring, detecting, and blocking the transfer of confidential information to unauthorized locations. 
  • Leading providers: IBM, Symantec, Proofpoint.

See Also

NIST Cybersecurity Framework

Source: NIST Website

BACKGROUND

Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST’s EO 13636 role.

Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

The Framework Core and Informative References are available as separate downloads in two formats: spreadsheet (Excel) and alternate view (PDF). A companion Roadmap discusses future steps and identifies key areas of cybersecurity development, alignment, and collaboration.

The Department of Homeland Security’s Critical Infrastructure Cyber Community C³ Voluntary Program helps critical infrastructure owners and operators align with existing resources to assist them in using the Cybersecurity Framework and managing their cyber risks.

NIST continues to welcome informal feedback about the Framework and Roadmap. Organizations and individuals may contribute observations, suggestions, examples of use, and lessons learned to cyberframework@nist.gov.

WHAT IS THE FRAMEWORK?

The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Check out our Frameworks Basics FAQs section for further information.

AN INTRODUCTION TO THE COMPONENTS OF THE FRAMEWORK

The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.

The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.


The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

To learn more about the Framework’s three main components, see the Components of Framework online learning module, or to learn more about how organizations are using the Framework and its potential benefits, see the Uses and Benefits of Framework module.

QUICK START GUIDE

This Quick Start Guide intends to provide direction and guidance to those organizations – in any sector or community – seeking to improve cybersecurity risk management via utilization of the NIST Cybersecurity Framework. Though the Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity risk for organizations, it is ultimately aimed at reducing and better managing these risks. As such, this guide is intended for any and all organizations regardless of sector or size. Organizations will vary in how they customize practices described in this document. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize impact.

Framework Basics

What is the Framework, and what is it designed to accomplish?

The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Is my organization required to use the Framework?

No. Use of the Framework is voluntary.

Does it provide a recommended checklist of what all organizations should do?

The Framework is guidance. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework should not be implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations.

Why should an organization use the Framework?

The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer and supplier.

When and how was the Framework developed?

Version 1.0 of the Framework was prepared by the National Institute of Standards and Technology (NIST) with extensive private sector input and issued in February 2014. The Framework was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013. Among other things, the EO directed NIST to work with industry leaders to develop the Framework. The Framework was developed in a year-long, collaborative process in which NIST served as a convener for industry, academia, and government stakeholders. That took place via workshops, extensive outreach and consultation, and a public comment process. NIST’s future Framework role is reinforced by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. This collaboration continues as NIST works with stakeholders from across the country and around the world to raise awareness and encourage use of the Framework. The most recent version, Framework V1.1, was released on April 16, 2018, following a 45-day public comment period on the second draft of Framework V1.1.

What is the purpose of Executive Order 13636?

Executive Order 13636 outlines responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity. In summary, it assigns these responsibilities and establishes the policy that, “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

Who from the private sector helped to develop the Framework?

As the Cybersecurity Framework v1.0 was being developed, thousands of people from diverse parts of industry, academia, and government participated in a host of workshops around the United States. During the course of this public development process, NIST received hundreds of detailed suggestions and comments in response to a request for information (RFI) and feedback on the public draft version of the Framework.
NIST routinely engages industry through three primary activities. First, NIST continually and regularly engages in community outreach activities by attending and participating in meetings, events, and roundtable dialogs. Second, NIST solicits direct feedback from industry through requests for information (RFI), requests for comments (RFC), and through the NIST Framework team’s email (). Finally, NIST observes and monitors relevant resources and references published by government, academia, and industry.
Still, many more individuals, organizations and industry stakeholders were directly involved and actively contributed to a series of regular workshops and public comment periods held throughout the process of updating the Framework. This effort culminated in the release of the Cybersecurity Framework Version 1.1.
The Framework is a living document and will continue to be updated, improved and refined as industry provides feedback on implementation.

Why is NIST involved? What is NIST’s role in setting cybersecurity standards?

NIST is a federal agency within the United States Department of Commerce. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is also responsible for establishing computer- and information technology-related standards and guidelines for federal agencies to use. Many private sector organizations have made widespread use of these standards and guidelines voluntarily for several decades, especially those related to information security.

How can we obtain NIST certification for our Cybersecurity Framework products/implementation?

NIST does not offer certifications or endorsement of Cybersecurity Framework implementations or Cybersecurity Framework-related products or services. NIST shares industry resources and success stories that demonstrate real-world application and benefits of the Framework. Sharing your own experiences and successes inspires new use cases and helps users more clearly understand Framework application and implementation. To contribute to these initiatives, contact .


Framework Users

What critical infrastructure does the Framework address?

Critical infrastructure (for the purposes of this Framework) is defined in Presidential Policy Directive (PPD) 21 as: “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Applicable infrastructure includes utilities providing energy and water as well as sectors covering transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, key manufacturers, emergency services and several others.

Does the Framework apply only to critical infrastructure companies?

No. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations in the private and public sectors (including federal agencies) are using the Framework. NIST encourages any organization or sector to review and consider the Framework as a helpful tool in managing cybersecurity risks.

Does the Framework benefit organizations that view their cybersecurity programs as already mature?

The Framework can be used by organizations that already have extensive cybersecurity programs, as well as by those just beginning to think about putting cybersecurity management programs in place. The same general approach works for any organization, although the way in which they make use of the Framework will differ depending on their current state and priorities.

How is the Framework being used today?

Organizations are using the Framework in a variety of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework’s standards, guidelines, and best practices. Some parties are using the Framework to reconcile and de-conflict internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices. The Resources and Success Stories sections provide examples of how various organizations have used the Framework.


Framework Components

What is the Framework Core and how is it used?

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. An example of Framework outcome language is, “physical devices and systems within the organization are inventoried.”

The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References, such as existing standards, guidelines, and practices for each Subcategory.

What are Framework Profiles and how are they used?
A Framework Profile (“Profile”) represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. They can also add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

What are Framework Implementation Tiers and how are they used?
Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Are the Tiers equivalent to maturity levels?
The Framework Implementation Tiers are not intended to be maturity levels. The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers is to allow organizations to take stock of their current activities from an organization-wide point of view and determine if the current integration of cybersecurity risk management practices is sufficient given their mission, regulatory requirements, and risk appetite. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and would be cost-effective.

What is the relationship between the Framework and NIST Roadmap for the Framework for Improving Critical Infrastructure Cybersecurity?
The companion Roadmap was initially released in February 2014 in unison with publication of the Framework version 1.0. The Roadmap discusses NIST’s next steps with the Framework and identifies key areas of development, alignment, and collaboration. These plans are based on input and feedback received from stakeholders through the Framework development process. This list of high-priority areas is not intended to be exhaustive, but these are important areas identified by NIST and stakeholders that should inform future versions of the Framework. For that reason, the Roadmap will be updated over time in alignment with the most impactful stakeholder cybersecurity activities and the Framework itself. The most recent version can be found here.


Using The Framework

What is the difference between ‘using’, ‘adopting’, and ‘implementing’ the Framework?

In a strict sense, these words are fairly interchangeable. They can mean an organization’s use of the Framework as a part of its internal processes. NIST generally refers to “using” the Framework.

Would the Framework have prevented recent highly publicized attacks?

There are no “silver bullets” when it comes to cybersecurity and protecting an organization. For instance, “Zero-day” attacks exploiting previously unknown software vulnerabilities are especially problematic. However, using the Framework to assess and improve management of cybersecurity risks should put organizations in a much better position to identify, protect, detect, respond to, and recover from an attack, minimizing damage and impact.

Does the Framework address the cost and cost-effectiveness of cybersecurity risk management?

Yes. An organization can use the Framework to determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

How does the Framework relate to information sharing?

The Framework provides guidance on how awareness of real and potential threats and vulnerabilities can be used to enhance an organization’s cybersecurity program.

Can the Framework help manage risk for assets that are not under my direct management?

Yes. The Functions, Categories, and Subcategories of the Framework Core are expressed as outcomes and are applicable whether you are operating your own assets, or another party is operating assets as a service for you. For customized external services such as outsourcing engagements, the Framework can be used as the basis for due diligence with the service provider. For packaged services, the Framework can be used as a set of evaluation criteria for selecting amongst multiple providers.

Should the Framework be applied to and by the entire organization or just to the IT department?

The Framework provides guidance relevant for the entire organization. The full benefits of the Framework will not be realized if only the IT department uses it. The Framework balances comprehensive risk management with a language that is adaptable to the audience at hand. More specifically, the Function, Category, and Subcategory levels of the Framework correspond well to professionals at the organizational level, the mission/business level, and the IT and operational technology (OT)/industrial control system (ICS) systems level. This enables accurate and meaningful communication, from the C-Suite to individual operating units and with supply chain partners. It can be especially helpful in improving communications and understanding between IT specialists, OT/ICS operators, and senior managers of the organization.

How can the Framework help an organization with external stakeholder communication?

The Framework can be used to communicate with external stakeholders such as suppliers, service providers, and system integrators. More specifically, the Framework Core is a language in which to communicate, while Framework Profiles can be used to express security requirements.

What is the role of senior executives and Board members?

The Framework can be used as an effective communication tool for senior stakeholders (CIO, CEO, Executive Board, etc.), especially as the importance of cybersecurity risk management receives elevated attention in C-suites and Board rooms. The Functions inside the Framework Core offer a high-level view of cybersecurity activities and outcomes that could be used to provide context to senior stakeholders beyond current headlines in the cybersecurity community.

How can organizations measure the effectiveness of the Framework?

Framework effectiveness depends upon each organization’s goal and approach in its use. Is the organization seeking an overall assessment of cybersecurity-related risks, policies, and processes? Is it seeking a specific outcome such as better management of cybersecurity with its suppliers or greater confidence in its assurances to customers? Effectiveness measures vary per use case and circumstance. Accordingly, the Framework leaves specific measurements to the user’s discretion. Individual entities may develop quantitative metrics for use within that organization or its business partners, but there is no specific model recommended for measuring effectiveness of use.

How long does it take to implement the Framework?

Each organization’s cybersecurity resources, capabilities, and needs are different. So the time to implement the Framework will vary among organizations, ranging from as short as a few weeks to several years. The Framework Core’s hierarchical design enables organizations to apportion steps between current state and desired state in a way that is appropriate to their resources, capabilities, and needs. This allows organizations to develop a realistic action plan to achieve Framework outcomes in a reasonable time frame, and then build upon that success in subsequent activities.

Does the Framework require using any specific technologies or products?

No. It has been designed to be flexible enough so that users can make choices among products and services available in the marketplace. It encourages technological innovation by aiming for strong cybersecurity protection without being tied to specific offerings or current technology.

Is a conformity assessment program being planned?

NIST has no plans to develop a conformity assessment program. NIST encourages the private sector to determine its conformity needs, and then develop appropriate conformity assessment programs. NIST is able to discuss conformity assessment-related topics with interested parties.

Will my organization be regulated against gaps between my current regulation and Framework?

The Framework was created with the current regulatory environment in mind, and does not replace or augment any existing laws or regulations. The Framework leverages industry best practices and methods for cybersecurity risk management, which are often used in regulation.

Is there a way to find out how organizations have used the Framework, and is there a place to get guidance that would help others?

Early users of the Framework are beginning to produce case studies, implementation guides, and other resources. These resources are starting to be available through trade and professional associations. NIST is also listing those items at the Framework website on the Framework Resources and Success Stories pages.

What if Framework guidance or tools do not seem to exist for my sector or community?

The Framework is designed to be applicable to any organization in any part of the critical infrastructure or broader economy. Applications from one sector may work equally well in others. It is expected that many organizations face the same kinds of challenges. There are published case studies and guidance that can be leveraged, even if they are from different sectors or communities. Organizations can encourage associations to produce sector-specific Framework mappings and guidance and organize communities of interest. You may also find value in coordinating within your organization or with others in your sector or community.

Why did NIST create the Perspectives web pages?

The Perspectives web pages are meant to inform people’s decision to use the Framework. The pages contain meaningful quotes that describe why the Framework is important or recommend its use. Survey information that indicates usage is also provided.

What are Success Stories?

NIST is publishing brief Success Stories explaining how diverse organizations use the Framework to improve their cybersecurity risk management. Success stories are prepared by organizations using the Framework following a template and guidance provided by NIST.

How is cyber resilience reflected in the Cybersecurity Framework?

NIST Special Publication (SP) 800-160, Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source. Cyber resiliency has a strong relationship to cybersecurity but, like privacy, represents a distinct problem domain and solution space. Cyber resiliency supports mission assurance, for missions which depend on IT and OT systems, in a contested environment. The Cybersecurity Framework specifically addresses cyber resiliency through the ID.BE-5 and PR.PT-5 subcategories, and through those within the Recover function. Other Cybersecurity Framework subcategories may help organizations determine whether their current state adequately supports cyber resiliency, whether additional elements are necessary, and how to close gaps, if any. Many organizations find that they need to ensure that the target state includes an effective combination of fault-tolerance, adversity-tolerance, and graceful degradation in relation to the mission goals. The Cybersecurity Framework supports high-level organizational discussions; additional and more detailed recommendations for cyber resiliency may be found in various cyber resiliency models/frameworks and in guidance such as SP 800-160 Vol. 2.

What is the Cybersecurity Framework’s role in supporting an organization’s compliance requirements?

The common structure and language of the Cybersecurity Framework is useful for organizing and expressing compliance with an organization’s requirements. The Framework provides a flexible, risk-based approach to help organizations manage cybersecurity risks and achieve their cybersecurity objectives. Those objectives may be informed by and derived from an organization’s own cybersecurity requirements, as well as requirements from sectors, applicable laws, and rules and regulations.

How do I use the Cybersecurity Framework to prioritize cybersecurity activities?

The Framework can help an organization to align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. For example, Framework Profiles can be used to describe the current state and/or the desired target state of specific cybersecurity activities. Current Profiles indicate the cybersecurity outcomes that are currently being achieved, while Target Profiles indicate the outcomes needed to achieve the desired cybersecurity risk management goals. Comparing these Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps to fulfill a given Category or Subcategory of the Framework Core can aid in setting priorities considering the organization’s business needs and its risk management processes.

The Framework Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which can also aid in prioritizing and achieving cybersecurity objectives. Tiers help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.

With an understanding of cybersecurity risk tolerance, organizations can prioritize cybersecurity activities, enabling them to make more informed decisions about cybersecurity expenditures. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services. Risk management programs offer organizations the ability to quantify and communicate adjustments to their cybersecurity programs.

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.
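The Current-versus-Target Profile comparison described in the preceding answers can be made concrete with a small gap-analysis script. The following is an added example, not NIST tooling and not code from this page. The Subcategory identifiers are CSF v1.1 identifiers (ID.BE-5 and PR.PT-5 are named above; ID.AM-1, DE.CM-1 and RC.RP-1 are from the same Core), the outcome texts are abbreviated paraphrases, and the 0-3 achievement scale, the 1-5 business-impact weights and the scores themselves are constructed for illustration. It ranks open gaps by gap size weighted by impact on critical service delivery, rolls gaps up per Function for the executive-level view, and builds an action plan under a fixed capacity so that deferred items (accepted residual risk) are explicit.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added example; not NIST's own tooling. Subcategory identifiers are CSF v1.1
identifiers; outcome texts are abbreviated paraphrases; the achievement
scale (0..3), impact weights (1..5) and all scores are constructed here.
"""
from dataclasses import dataclass

# Function names keyed by the identifier prefix used in the Framework Core.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # CSF v1.1 identifier such as "ID.AM-1"
    text: str         # abbreviated outcome statement
    current: int      # Current Profile ("as is"): constructed 0..3 achievement score
    target: int       # Target Profile ("to be"): desired score on the same scale
    impact: int       # constructed 1..5 weight: effect on critical service delivery

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".")[0]]

    @property
    def gap(self) -> int:
        # Exceeding the Target is not a gap (though it may signal over-investment).
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        # Larger gaps on outcomes that matter more to critical services rank first.
        return self.gap * self.impact


# Constructed sample profile; scores are illustrative, not any organization's data.
SAMPLE_PROFILE = [
    Outcome("ID.AM-1", "Physical devices and systems are inventoried", 1, 3, 4),
    Outcome("ID.BE-5", "Resilience requirements for critical services are established", 0, 2, 5),
    Outcome("PR.PT-5", "Mechanisms are implemented to meet resilience requirements", 1, 2, 5),
    Outcome("DE.CM-1", "The network is monitored for cybersecurity events", 2, 3, 3),
    Outcome("RC.RP-1", "Recovery plan is executed during or after an incident", 3, 3, 4),
]


def prioritize(profile):
    """Outcomes with an open gap, highest priority first (ties broken by identifier)."""
    open_gaps = [o for o in profile if o.gap > 0]
    return sorted(open_gaps, key=lambda o: (-o.priority, o.subcategory))


def gaps_by_function(profile):
    """Total gap points per Function: the high-level view the Core is meant to give."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for o in profile:
        totals[o.function] += o.gap
    return totals


def action_plan(profile, capacity):
    """Fund outcomes in priority order until `capacity` gap points (a constructed
    proxy for budget/effort) are used up. Items that do not fit are returned as
    deferred so the accepted residual risk is visible rather than implicit."""
    funded, deferred = [], []
    remaining = capacity
    for o in prioritize(profile):
        if o.gap <= remaining:
            funded.append(o.subcategory)
            remaining -= o.gap
        else:
            deferred.append(o.subcategory)
    return funded, deferred


if __name__ == "__main__":
    for o in prioritize(SAMPLE_PROFILE):
        print(f"{o.subcategory:8} {o.function:9} gap={o.gap} priority={o.priority:2}  {o.text}")
    print(gaps_by_function(SAMPLE_PROFILE))
    print(action_plan(SAMPLE_PROFILE, capacity=3))
```

With the constructed scores, ID.BE-5 ranks first because it has both the largest gap and the highest impact, while RC.RP-1 already meets its Target and drops out of the plan. Replacing the multiplicative priority with the organization's own risk-assessment output, and the capacity figure with a real budget, is the customization the Framework expects.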


Small Business Use

Does the Framework apply to small businesses?

Yes. The approach was developed for use by organizations that span the largest to the smallest organizations.

Will NIST provide guidance for small businesses? Is there a starter kit or guide for organizations just getting started with cybersecurity?

NIST has a long-standing and on-going effort supporting small business cybersecurity. This is accomplished by providing guidance through websites, publications, meetings, and events. This includes a Small Business Cybersecurity Corner website that puts a variety of government and other cybersecurity resources for small businesses in one site. That includes the Federal Trade Commission’s information about how small businesses can make use of the Cybersecurity Framework.

NIST coordinates its small business activities with the Small Business Administration, the National Initiative For Cybersecurity Education (NICE), the National Cyber Security Alliance, the Department of Homeland Security, the FTC, and others.

Small businesses also may find Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1) a valuable publication for understanding important cybersecurity activities. It is recommended as a starter kit for small businesses. The publication works in coordination with the Framework, because it is organized according to Framework Functions.


U.S. Federal Agency Use

Are U.S. federal agencies required to apply the Framework to federal information systems?

Yes. On May 11, 2017, the President issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. In part, the order states that “Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency’s action plan to implement the Framework.”

Can U.S. Federal agencies apply the Framework to Federal information systems?

Yes. The Framework can help agencies to integrate existing risk management and compliance efforts and structure consistent communication, both across teams and with leadership. It can be valuable in managing federal information and information systems according to the Risk Management Framework (RMF), implementing security controls detailed in SP 800-53 r5, and using the methodology outlined in SP 800-39.

How is NIST integrating the Cybersecurity Framework into the cybersecurity risk management practices of federal agencies?

NIST is updating its suite of cybersecurity and privacy risk management publications (e.g. SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems) to provide additional guidance on how to integrate implementation of the Framework. Similarly, the larger suite of NIST security and privacy risk management publications will be updated in consideration of NIST IR 8170 feedback and general Framework value.

Why did NIST author Interagency Publication 8170?

Federal agencies are now required by a May 2017, Executive Order to apply the Framework to federal information systems. (See Section 1(c)(ii) of the Order.) The Framework can help agencies to integrate existing risk management and compliance efforts and to structure consistent communication, both across teams and with leadership. NIST developed NIST Interagency Report (IR) 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework to provide federal agencies with guidance on how the Cybersecurity Framework can help agencies to complement those existing risk management practices and improve their cybersecurity risk management programs. The draft report summarizes eight private sector uses of the Framework, which may also be useful for federal agencies.

What is the relationship between the Framework and NIST’s Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39)?

The Framework uses risk management processes to enable organizations to inform and prioritize cybersecurity decisions. It can be adapted to provide a flexible, risk-based implementation that can be used with a broad array of risk management processes, including, for example, SP 800-39. SP 800-39 describes the risk management process employed by federal organizations, and optionally employed by private sector organizations. The process is composed of four distinct steps: Frame, Assess, Respond, and Monitor. SP 800-39 further enumerates three distinct organizational Tiers at the Organizational, Mission/Business, and System level, and risk management roles and responsibilities within those Tiers. Organizations using the Framework may leverage SP 800-39 to implement the high-level risk management concepts outlined in the Framework. Within the SP 800-39 process, the Cybersecurity Framework provides a language for communicating and organizing. Further, Framework Profiles can be used to express risk disposition, capture risk assessment information, analyze gaps, and organize remediation.

What is the relationship between the Framework and NIST’s Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37)?

Federal agencies manage information and information systems according to the Federal Information Security Management Act of 2002 (FISMA) and a suite of related standards and guidelines. Perhaps the most central FISMA guideline is NIST Special Publication (SP) 800-37 Risk Management Framework for Federal Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which details the Risk Management Framework (RMF). The RMF six-step process provides a method of coordinating the interrelated FISMA standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security including incorporation of key Cybersecurity Framework, privacy risk management, and systems security engineering concepts. NIST held an open workshop for additional stakeholder engagement and feedback on the discussion draft of the Risk Management Framework, including its consideration of the Cybersecurity Framework.

NIST Interagency Report (IR) 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework identifies three possible uses of the Cybersecurity Framework in support of the RMF processes: “Maintain a Comprehensive Understanding of Cybersecurity Risk,” “Report Cybersecurity Risks,” and “Inform the Tailoring Process.” The CSF Core can help agencies to better organize the risks they have accepted and the risks they are working to remediate across all systems, to use the reporting structure that aligns to SP 800-53 r5, and to reconcile mission objectives with the structure of the Core.

For more information, please see the CSF’s Risk Management Framework page.

What type of NIST publication is The Framework for Improving Critical Infrastructure Cybersecurity?

Given the broad applicability of the Cybersecurity Framework and the requirement for neutral authorities for what is primarily a voluntary guidance, the document was published as, and remains, a white paper. It is not an Interagency Report, Special Publication, or Federal Information Processing Standard.

How is NIST integrating the Cybersecurity Framework into the cybersecurity risk management practices of federal agencies?

NIST is updating its suite of cybersecurity and privacy risk management publications (e.g. SP 800-37 Rev. 2 – Risk Management Framework for Information Systems and Organizations) to provide additional guidance on how to integrate implementation of the Framework. Similarly, the larger suite of NIST security and privacy risk management publications will be updated based on Executive Order 13800 and feedback received in the development of NIST Interagency Report (IR) 8170: Approaches for Federal Agencies to Use the Cybersecurity Framework.


Relationship Between the Framework and Other Approaches and Initiatives

What is the relationship between the Cybersecurity Framework and the NICE Cybersecurity Workforce Framework?

Workforce plays a critical role in managing cybersecurity, and many of the Cybersecurity Framework outcomes are focused on people and the processes those people perform. While some outcomes speak directly about the workforce itself (e.g., roles, communications, training), each of the Core subcategory outcomes is accomplished as a task (or set of tasks) by someone in one or more work roles. One could easily append the phrase “by skilled, knowledgeable, and trained personnel” to any one of the 108 subcategory outcomes. From this perspective, the Cybersecurity Framework provides the “what” and the NICE Framework provides the “by whom.”

While the Cybersecurity Framework and the NICE Framework were developed separately, each complements the other by describing a hierarchical approach to achieving cybersecurity goals.

The Cybersecurity Workforce Framework was developed and is maintained by the National Initiative for Cybersecurity Education (NICE), a partnership among government, academia, and the private sector with a mission to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. Where the Cybersecurity Framework provides a model to help identify and prioritize cybersecurity actions, the NICE Framework (NIST Special Publication 800-181) describes a detailed set of work roles, tasks, and knowledge, skills, and abilities (KSAs) for performing those actions.

The NIST Roadmap for Improving Critical Infrastructure Cybersecurity, a companion document to the Cybersecurity Framework, reinforces the need for a skilled cybersecurity workforce. It recognizes that, as cybersecurity threat and technology environments evolve, the workforce must adapt in turn. The NICE program supports this vision and includes a strategic goal of helping employers recruit, hire, develop, and retain cybersecurity talent. One objective within this strategic goal is to publish and raise awareness of the NICE Framework and encourage adoption. Adoption, in this case, means that the NICE Framework is used as a reference resource for actions related to cybersecurity workforce, training, and education.

What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework?

NIST modeled the development of the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Cybersecurity Framework. While good cybersecurity practices help manage privacy risk by protecting information, those cybersecurity measures alone are not sufficient to address the full scope of privacy risks that also arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services.

During the development process, numerous stakeholders requested alignment with the structure of the Cybersecurity Framework so the two frameworks could more easily be used together. In response to this feedback, the Privacy Framework follows the structure of the Cybersecurity Framework, composed of three parts: the Core, Profiles, and Implementation Tiers.

This structure enables a risk- and outcome-based approach that has contributed to the success of the Cybersecurity Framework as an accessible communication tool. In addition, the alignment aims to reduce complexity for organizations that already use the Cybersecurity Framework.

Details about how the Cybersecurity Framework and Privacy Framework functions align and intersect can be found in the Privacy Framework FAQs.

What is the relationship between the Framework and the DHS Critical Infrastructure Cyber Community (C3) Voluntary Program?

EO 13636 directed the National Institute of Standards and Technology to work with industry to develop a framework for reducing cybersecurity risks. The EO also charged the Department of Homeland Security with developing a voluntary program to promote use of the Framework and help critical infrastructure organizations improve their cybersecurity. In February 2014, DHS launched the Critical Infrastructure Cyber Community (C3, pronounced “C-Cubed”) Voluntary Program. The C3 Voluntary Program helps align critical infrastructure owners and operators with existing resources to assist in their efforts to use the Framework and manage their cybersecurity risks. More information about the C3 Voluntary Program may be found on the DHS Web site.

What is the relationship between the Framework and the DHS Cyber Resilience Review?

A description of the relationship between the DHS Cyber Resilience Review (CRR) and the Cybersecurity Framework can be found at the DHS Web site.

Is the Framework being aligned with international cybersecurity initiatives and standards?

While the Framework was born through U.S. policy, it is not a “U.S. only” Framework. Private sector stakeholders made it clear from the outset that global alignment is important to avoid confusion and duplication of effort, or even conflicting expectations in the global business environment. These needs have been reiterated by multi-national organizations. The importance of international standards organizations and trade associations for acceptance of the Framework’s approach has been widely recognized. Some countries and international entities are adopting approaches that are compatible with the framework established by NIST, and others are considering doing the same. The Framework has been translated into several other languages. NIST has been holding regular discussions with many nations and regions, and making noteworthy internationalization progress. NIST is actively engaged with international standards-developing organizations to promote adoption of approaches consistent with the Framework.

What is the relationship between the Framework and NIST’s Cyber-Physical Systems (CPS) Framework?

The Cybersecurity Framework provides the underlying cybersecurity risk management principles that support the new Cyber-Physical Systems (CPS) Framework. The CPS Framework document is intended to help manufacturers create new CPS that can work seamlessly with other smart systems that bridge the physical and computational worlds.

The CPS Framework includes a structure and analysis methodology for CPS. The goal of the CPS Framework is to develop a shared understanding of CPS, its foundational concepts and unique dimensions, promoting progress through the exchange of ideas and integration of research across sectors and to support development of CPS with new functionalities.

What is the relationship between the Internet of Things (IoT) and the Framework? Do we need an ‘IoT Framework?’

The Cybersecurity Framework is applicable to many different technologies, including Internet of Things (IoT) technologies. Developing separate frameworks of cybersecurity outcomes specific to IoT might risk losing a critical mass of users aligning their cybersecurity outcomes to the Cybersecurity Framework. To retain that alignment, NIST recommends continued evaluation and evolution of the Cybersecurity Framework to make it even more meaningful to IoT technologies. NIST welcomes observations from all parties regarding the Cybersecurity Framework’s relevance to IoT, and will vet those observations with the NIST Cybersecurity for IoT Program.

What is the relationship between the Framework and the Baldrige Cybersecurity Excellence Builder?

The Baldrige Cybersecurity Excellence Builder blends the systems perspective and business practices of the Baldrige Excellence Framework with the concepts of the Cybersecurity Framework. More specifically, the Cybersecurity Framework aligns organizational objectives, strategy, and policy landscapes into a cohesive cybersecurity program that easily integrates with organizational enterprise risk governance. These Cybersecurity Framework objectives are significantly advanced by the addition of the time-tested and trusted systems perspective and business practices of the Baldrige Excellence Framework. The builder responds to requests from many organizations to provide a way for them to measure how effectively they are managing cybersecurity risk.

What is the relationship between threat and cybersecurity frameworks?

Threat frameworks are particularly helpful in understanding the current or potential attack lifecycle stages of an adversary against a given system, infrastructure, service, or organization. They characterize malicious cyber activity, and possibly related factors such as motive or intent, in varying degrees of detail. Threat frameworks stand in contrast to the controls of cybersecurity frameworks, which provide safeguards against many risks, including the risk that adversaries may attack a given system, infrastructure, service, or organization. While NIST has not promulgated or adopted a specific threat framework, we advocate the use of both types of frameworks as tools to make risk decisions and evaluate the safeguards thereof. In particular, threat frameworks may provide insights into which safeguards are more important at this instance in time, given a specific threat circumstance. As circumstances change and evolve, threat frameworks provide the basis for re-evaluating and refining risk decisions and safeguards using a cybersecurity framework. A threat framework can standardize or normalize data collected within an organization or shared between organizations by providing a common ontology and lexicon.

Example threat frameworks include the U.S. Office of the Director of National Intelligence (ODNI) Cyber Threat Framework (CTF), Lockheed Martin’s Cyber Kill Chain®, and the Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) model. Each threat framework depicts a progression of attack steps where successive steps build on the last step. At the highest level of the model, the ODNI CTF relays this information using four Stages – Preparation, Engagement, Presence, and Consequence. These Stages are de-composed into a hierarchy of Objectives, Actions, and Indicators at three increasingly detailed levels of the CTF, empowering professionals of varying levels of understanding to participate in identifying, assessing, and managing threats. This property of the CTF, enabled by the de-composition and re-composition of the CTF structure, is very similar to the Functions, Categories, and Subcategories of the Cybersecurity Framework. In its simplest form, the five Functions of the Cybersecurity Framework – Identify, Protect, Detect, Respond, and Recover – empower professionals of many disciplines to participate in identifying, assessing, and managing security controls. It is recommended that organizations use a combination of cyber threat frameworks, such as the ODNI Cyber Threat Framework, and cybersecurity frameworks, such as the Cybersecurity Framework, to make risk decisions.

What is the difference between a translation and adaptation of the Framework?

A translation is considered a direct, literal translation of the language of Version 1.0 or 1.1 of the Framework. No content or language is altered in a translation. Current translations can be found on the International Resources page.

An adaptation is considered a version of the Framework that substantially references language and content from Version 1.0 or 1.1 but incorporates new, original content. An adaptation can be in any language. Current adaptations can be found on the International Resources page.

What is the relationship between the PNT Cybersecurity Profile and the Cybersecurity Framework?

The Positioning, Navigation, and Timing (PNT) Profile was created using the NIST Cybersecurity Framework and can be applied as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT services. The PNT Profile is broadly applicable and can serve as a foundation for the development of sector-specific guidance. It provides a flexible framework for users to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, or unintentional.

The PNT Profile is intended to be implemented within the larger context of an organization that is developing and executing its own cybersecurity program. It is best implemented if a cybersecurity program is in place at the organizational level. However, that does not preclude any organization from implementing the PNT Profile even if a cybersecurity program is not yet in place.

The Cybersecurity Framework Core Functions and guidance in the PNT Profile address the generic needs of PNT users in critical infrastructure that depend on PNT services to meet their business objectives. In order to support a risk-based, practical, and effective approach to the responsible use of PNT, organizations can select, tailor, and augment the security controls defined in PNT references. For detailed information about how the Cybersecurity Framework was used to develop the PNT Profile, see section 4 of the PNT Profile.


Updates to the Cybersecurity Framework

How often will NIST update the Framework?

The Framework will be refined, improved, and evolved over time to keep pace with technology and threat trends, integrate lessons learned, and establish best practice as common practice. Decisions about the timing of updates will be made based on user experiences, technological advances, and standards innovations. The Framework update process integrates the NIST Cybersecurity Risk Management Conference into a public-private dialog that asks stakeholders every three years:

Is it an appropriate time for an update, and if so

What would you like to see in that update?

For more information, see:
https://www.nist.gov/cyberframework/online-learning/update-process

How did NIST process the V1.1 update?

Framework stakeholders provided initial feedback to NIST through: a December 2015 Request for Information, lessons learned from Framework use, shared resources from industry partners, and an April 2016 Cybersecurity Framework workshop. When Version 1.1 Draft 1 was issued on January 10, 2017, NIST solicited comments and held a workshop in May 2017 to review and discuss those and other comments. NIST also considered feedback received through meetings and events since the release of Framework Version 1.0, as well as advances made in areas identified in the Roadmap issued in February 2014 when the Framework was initially published. Incorporating feedback received from the May 2017 workshop in addition to the previous workshops and the January 10, 2017 Request for Comments, NIST updated the Framework V1.1 Draft. On December 5, 2017 NIST released Framework V1.1 Draft 2, and an additional round of comments was received through a 45-day Request for Comment period. NIST then released Framework V1.1 on April 16, 2018.

How did NIST determine features for this update?

Framework stakeholders provided initial feedback to NIST through: a December 2015 Request for Information, lessons learned from Framework use, shared resources from industry partners, and an April 2016 Cybersecurity Framework workshop. When Version 1.1 Draft 1 was issued on January 10, 2017, NIST solicited comments and held a workshop in May 2017 to review and discuss those and other comments. NIST also considered feedback received through meetings and events since the release of Framework Version 1.0, as well as advances made in areas identified in the Roadmap issued in February 2014 when the Framework was initially published.

What changes are included in Framework V1.1?

The changes made for Framework V1.1 include:

  • Declares applicability of the Framework for “technology,” which is minimally composed of information technology, operational technology, cyber-physical systems, and Internet of Things,
  • Enhances guidance for applying the Framework to supply chain risk management,
  • Summarizes the relevance and utility of Framework measurement for organizational self-assessment,
  • Better accounts for authorization, authentication, and identity proofing, and
  • Administratively updates the Informative References.

For additional information on the Framework V1.1 updates, a Cybersecurity Framework V1.1 Overview webcast is available.

Were there changes proposed to the Framework in light of progress made in areas identified in the 2014 Roadmap?

Yes. The most notable changes are related to Supply Chain Risk Management, where multiple provisions have been added, including a new category in the Framework Core and a new property within Implementation Tiers. Additional provisions related to identity management and access control have been included in V1.1. Also, statements about federal agencies and the Framework are included in V1.1. Informative References also have been updated, reflecting the advancement of standards and guidelines by private and public-sector organizations.

What does this mean for organizations that already have incorporated the current Framework?

Framework V1.1 is intended to be fully compatible with V1.0. NIST recommends that organizations incorporate the additional content and functionality of V1.1 based on the needs of the individual organization.

Should I use V1.0 or V1.1? 

Framework V1.1 is intended to be implemented by first-time and current Framework users. Current users should be able to implement Version 1.1 with minimal or no disruption; compatibility with Version 1.0 has been an explicit objective. As with Version 1.0, users are encouraged to customize the Framework to maximize individual organizational value.

What assistance will NIST provide to organizations that choose to incorporate the additional content and functionality of the new version of the Framework?

NIST will continue to educate organizations through both NIST-hosted and other events. NIST will regularly update its web-based FAQs, Presentations, Resources, Online Learning, and Success Stories pages, which offer information about how organizations are using or citing the Framework. NIST also will continue to respond to questions it receives at: cyberframework@nist.gov.


Informative References

What are Informative References?

Informative References show relationships between any number and combination of organizational concepts (e.g., Functions, Categories, Subcategories, Controls, Control Enhancements) of the Focal Document and specific sections, sentences, or phrases of Reference Documents. The discrete concepts of the Focal Document are called Focal Document elements, and the specific sections, sentences, or phrases of the Reference Document are called Reference Document elements.

What is the National Online Informative References (OLIR) Program?

The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their cybersecurity, privacy, and workforce documents and elements of other cybersecurity, privacy, and workforce documents like the Cybersecurity Framework. Informative references were introduced in The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) as simple prose mappings that only noted a relationship existed, but not the nature of the relationship. In addition, informative references could not be readily updated to reflect changes in the relationships as they were part of the Cybersecurity Framework document itself.

At this stage of the OLIR Program evolution, the initial focus has been on relationships to cybersecurity and privacy documents. The OLIRs are in a simple standard format defined by NISTIR 8278A (Formerly NISTIR 8204), National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers and they are searchable in a centralized repository. By following this approach, cybersecurity practitioners can use the OLIR Program as a mechanism for communicating with owners and users of other cybersecurity documents. You can find the catalog at: https://csrc.nist.gov/projects/olir/informative-reference-catalog.

Refer to NIST Interagency or Internal Reports (IRs) NISTIR 8278 and NISTIR 8278A, which detail the OLIR program. NISTIR 8278 focuses on the OLIR program overview and uses, while NISTIR 8278A provides submission guidance for OLIR developers.

The NIST OLIR program welcomes new submissions. For those interested in developing informative references, NIST is happy to aid in this process and can be contacted at .

Why were Online Informative References necessary?

Historically, Informative References appear in many NIST documents. A subset of related Informative References were published in those documents to maintain readability. The OLIR program scales to accommodate a greater number of Informative References and provides a more agile support model to account for the varying update cycles of all Reference documents. The OLIR program allows for the cybersecurity and privacy community to keep information current on relationship assertions from Informative References to cybersecurity and privacy documents. The OLIR program also provides a more robust method to clearly define those relationship assertions.

Where can I comment, and provide feedback about the Online Informative Reference Program?

NIST welcomes feedback to olir@nist.gov.

What is the difference between an Informative Reference and a Reference Document?

A Reference Document is a cybersecurity or privacy document that is being related to a focal document (e.g., Cybersecurity Framework version 1.1, Privacy Framework version 1.0, and NIST SP 800-53 Rev. 4). An Informative Reference is a separate work product that shows multiple relationship assertions between specific Reference document elements and focal document elements.

Are Informative References publicly available?

Yes. Once the submitting organization has refined the Informative Reference to NIST’s specifications and submitted it for public review, it becomes publicly available through a link on the OLIR Informative Reference Catalog and is hosted on the Internet by the submitting organization.

Who can author and submit Informative References?

Anyone can author and submit Informative References. The NIST process for accepting, vetting, and linking to these stakeholder submissions is described in NISTIR 8278A (Formerly NISTIR 8204), National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR developers. Questions and draft Informative Reference documents may be directed to olir@nist.gov.

If more than one Informative Reference is submitted for a single Reference Document, which one should I use?

The OLIR site is meant to be a community catalog. However, the Informative References themselves come with no guarantees or endorsements from NIST. Therefore, it is incumbent on the consumer of Informative References to do their due diligence when making business/security decisions for implementation. The implementing party may give preference to a particular Informative Reference that is authored by the same organization that authored the Reference Document (a.k.a. an “authoritative” Reference).

If I disagree with an Informative Reference assertion, can I provide feedback?

Please provide feedback regarding anything related to an Informative Reference to .

How should Federal agencies use the Online Informative References?

Users often need to compare two cybersecurity or privacy documents for a variety of reasons, such as demonstrating where the documents’ cybersecurity controls are similar and where gaps exist. The Derived Relationship Mapping (DRM) Analysis Tool provides users with a convenient way to quickly view how one document may relate to another by leveraging the Focal Document. When a user compares the relationships from different Reference Documents and infers additional relationships among them, those inferred (derived) relationships are non-authoritative. The DRM Analysis Tool provides users with the ability to leverage expert assertions from Subject Matter Experts (SMEs) and represents a starting point when attempting to compare Reference Documents.

Another popular use case involves conducting a gap analysis between documents. An analyst could leverage the DRM Analysis Tool to identify significant changes between two versions of the same document. An analyst could also use the tool to identify the gaps that would need to be addressed if their organization adopted a new security framework by generating reports comparing the Reference Documents they already comply with to the Reference Document for the new security framework.
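The two use cases just described, comparing Reference Documents through the Focal Document and running a gap analysis, can be modelled in a few dozen lines. The example below is added here and is not NIST's DRM Analysis Tool or any published OLIR; the relationship-type vocabulary is assumed to follow the OLIR set-theoretic types, and every mapping in it is a constructed sample.

```python
"""Constructed example: Derived Relationship Mapping (DRM) over OLIR-style
Informative References.

An Informative Reference is a set of relationship assertions from Reference
Document elements (e.g. control IDs) to Focal Document elements (here CSF v1.1
subcategory IDs). Two Reference Documents are compared *through* the Focal
Document; relationships that fall out of that comparison are derived, and the
code marks them non-authoritative, as the FAQ states.
Relationship-type names follow the OLIR vocabulary as an assumption; all
mappings below are constructed samples, not a published OLIR.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed OLIR relationship vocabulary (set-theoretic relationship types).
RELATIONSHIP_TYPES = {"equal", "subset of", "superset of", "intersects with", "not related to"}


@dataclass(frozen=True)
class Assertion:
    """One relationship assertion made by an Informative Reference author (an SME)."""
    reference_doc: str       # label of the Reference Document (constructed label)
    reference_element: str   # element of that document, e.g. a control ID
    relationship: str        # one of RELATIONSHIP_TYPES
    focal_element: str       # Focal Document element, e.g. a CSF subcategory ID


@dataclass(frozen=True)
class DerivedRelationship:
    """A relationship inferred between two Reference Documents via the Focal Document."""
    left: tuple              # (reference_doc, element)
    right: tuple             # (reference_doc, element)
    via_focal: str           # the shared Focal Document element
    rationale: str           # the two SME-asserted relationships that were chained
    authoritative: bool = False   # derived relationships are never authoritative


class InformativeReferenceCatalog:
    def __init__(self) -> None:
        self._assertions: list[Assertion] = []

    def add(self, a: Assertion) -> None:
        if a.relationship not in RELATIONSHIP_TYPES:
            raise ValueError(f"unknown OLIR relationship type: {a.relationship!r}")
        self._assertions.append(a)

    def coverage(self, reference_doc: str) -> dict[str, set[tuple[str, str]]]:
        """Focal elements covered by one Reference Document -> {(element, relationship)}.
        'not related to' is an explicit negative assertion, so it never counts as coverage."""
        cov: dict[str, set[tuple[str, str]]] = defaultdict(set)
        for a in self._assertions:
            if a.reference_doc == reference_doc and a.relationship != "not related to":
                cov[a.focal_element].add((a.reference_element, a.relationship))
        return dict(cov)

    def derived_relationships(self, doc_a: str, doc_b: str) -> list[DerivedRelationship]:
        """DRM: pair elements of doc_a and doc_b that both relate to the same focal element."""
        cov_a, cov_b = self.coverage(doc_a), self.coverage(doc_b)
        out: list[DerivedRelationship] = []
        for focal in sorted(set(cov_a) & set(cov_b)):
            for elem_a, rel_a in sorted(cov_a[focal]):
                for elem_b, rel_b in sorted(cov_b[focal]):
                    out.append(DerivedRelationship(
                        left=(doc_a, elem_a), right=(doc_b, elem_b), via_focal=focal,
                        rationale=f"{elem_a} {rel_a} {focal}; {elem_b} {rel_b} {focal}"))
        return out

    def gap_analysis(self, complied_docs: list[str], new_doc: str) -> set[str]:
        """Focal elements the new Reference Document covers that none of the documents
        the organization already complies with cover (the FAQ's adoption use case)."""
        already: set[str] = set()
        for d in complied_docs:
            already |= set(self.coverage(d))
        return set(self.coverage(new_doc)) - already


def build_sample_catalog() -> InformativeReferenceCatalog:
    """Constructed sample mappings, illustrative only, not taken from any published OLIR."""
    cat = InformativeReferenceCatalog()
    for row in [
        ("SP800-53r5", "AC-2",     "intersects with", "PR.AC-1"),
        ("SP800-53r5", "IA-2",     "intersects with", "PR.AC-1"),
        ("SP800-53r5", "RA-3",     "superset of",     "ID.RA-1"),
        ("SP800-53r5", "CP-9",     "subset of",       "PR.IP-4"),
        ("ISO27001",   "A.9.2.1",  "intersects with", "PR.AC-1"),
        ("ISO27001",   "A.12.6.1", "intersects with", "ID.RA-1"),
        # An explicit negative assertion: must not count as coverage of PR.IP-4.
        ("ISO27001",   "A.5.1.1",  "not related to",  "PR.IP-4"),
    ]:
        cat.add(Assertion(*row))
    return cat


if __name__ == "__main__":
    cat = build_sample_catalog()
    for d in cat.derived_relationships("ISO27001", "SP800-53r5"):
        print(f"{d.left[1]} <-> {d.right[1]} via {d.via_focal} [authoritative={d.authoritative}]")
    print("gaps when adopting SP800-53r5:", cat.gap_analysis(["ISO27001"], "SP800-53r5"))
```

Because derivation only chains two SME assertions, a pair of elements that merely "intersect with" the same subcategory may share little in practice; the rationale string is kept so a reviewer can judge each derived pair rather than trust it.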


Communication with NIST

How can I ensure resources or case studies my organization has released publicly are visible for others to use?

Share them with NIST via email, sector organizations (where applicable), trade and professional associations, and post information on your organization’s website.

Does NIST encourage translations of the Cybersecurity Framework? If so, is there a procedure to follow?

NIST’s policy is to encourage translations of the Framework. After an independent check on translations, NIST typically will post links to an external website with the translation.  These links appear on the Cybersecurity Framework’s International Resources page.

Those wishing to prepare translations are encouraged to use the Cybersecurity Framework Version 1.1.

Who can answer additional questions regarding the Framework?

Review the NIST Cybersecurity Framework web page for more information, contact NIST via email at cyberframework@nist.gov, and check with sector or relevant trade and professional associations.

How do I sign up for the mailing list to receive updates on the NIST Cybersecurity Framework?

To receive updates on the NIST Cybersecurity Framework, you will need to sign up for NIST E-mail alerts. The sign-up box is located at the bottom-right hand side of each Cybersecurity Framework-based web page, or on the left-hand side of other NIST pages. Once you enter your email address and select a password, you can then select “Cybersecurity Framework” under the “Subscription Topics” to begin receiving updates on the Framework. If you see any other topics or organizations that interest you, please feel free to select those as well. You may change your subscription settings or unsubscribe at any time.

How can I share my thoughts or suggestions for improvements to the Cybersecurity Framework with NIST?

There are many ways to participate in the Cybersecurity Framework.

Participation in NIST Workshops, RFI responses, and public comment periods for work products are excellent ways to inform NIST Cybersecurity Framework documents. Less formal but just as meaningful: as you have observations and thoughts for improvement, please send those to . We value all contributions through these processes, and our work products are stronger as a result.

Participation in the larger Cybersecurity Framework ecosystem is also very important. NIST’s vision is that various sectors, industries, and communities customize Cybersecurity Framework for their use. Customization efforts include:

If you develop similar resources, NIST is happy to consider them for inclusion in the Industry Resources page.

Thank you very much for your offer to help. Please keep us posted on your ideas and work products.

How can I engage with NIST relative to the Cybersecurity Framework?

NIST welcomes active participation and suggestions to inform the ongoing development and use of the Cybersecurity Framework.

Public and private sector stakeholders are encouraged to participate in NIST workshops and submit public comments to help improve the NIST Cybersecurity Framework and related guidelines and resources. Also, NIST is eager to hear from you about your successes with the Cybersecurity Framework and welcomes submissions for our Success Stories, Risk Management Resources, and Perspectives pages. Lastly, please send your observations and ideas for improving the CSF to . We value all contributions, and our work products are stronger and more useful as a result!

To receive updates on the NIST Cybersecurity Framework, you may sign up for NIST email alerts via the Email Subscription page. Once you enter your email address and select a password, you can then select “Cybersecurity Framework” under the “Subscription Topics” to begin receiving updates on the Framework. If you see any other topics or organizations that interest you, please feel free to select those as well. You may change your subscription settings or unsubscribe at any time.

United States News (https://us.onair.cc/united-states-news/), Mon, 08 Sep 2025 17:30:48 +0000
Summer 2025 News (https://us.onair.cc/summer-2025-news/), Sat, 05 Jul 2025 20:51:46 +0000
US onAir National Hub (https://us.onair.cc/us-onair-national-hub/), Wed, 02 Jul 2025 06:57:29 +0000

The US onAir National Hub is the central hub for the US onAir Network of 50 state onAir hubs. The nonpartisan nonprofit Democracy onAir will be overseeing the soft launch of the US onAir Network this fall.

The US onAir Network supports US citizens and their democracy by bringing together information, experts, organizations, policy makers, and the public to facilitate greater engagement in federal, state, and local politics and more civil, positive discussions and collaborations on important issues and governance.

Learn. Discuss. Collaborate.
Your Voice matters – onAir!

Select the play button in the feature image or the link below to view a two-minute video about the US onAir network. For a quick scan of this post’s content, select the tabs. For a page view of this post on computers, click anywhere on the feature image or this post’s title. Go to this post for more information on the network and the onAir platform.

OnAir Post: US onAir National Hub

People’s Internet onAir (https://us.onair.cc/project-liberty/), Wed, 02 Jul 2025 05:06:05 +0000

onAir networks has started a People’s Internet onAir hub at people.onair.cc that seeks to bring together the leaders and organizations behind the DSNP movement in a common place where they can share their knowledge and collaborate, as well as promote their content and new topical networks and hubs.

This People’s Internet hub was inspired by Project Liberty’s various initiatives and its “commitment to building a better internet—where the data is ours to manage, the platforms are ours to govern, and the power is ours to reclaim.”

This hub was also catalyzed by the work of the Solid protocol. The onAir knowledge sharing platform is integrating both the Solid and Frequency (Project Liberty Labs) protocols within its software.

OnAir Post: People’s Internet onAir

News

Wisdom in the age of AI
Project Liberty, December 23, 2025

The race for intelligence

As AI has moved from the margins to the mainstream, the drive to embed intelligence everywhere has accelerated.

  • Across the economy, AI is framed as an accelerant. Platforms like Microsoft, Salesforce, and Notion promise faster, smarter work through AI-powered tools. Millions now rely on chatbots to draft essays, analyze data, and deploy agents that compress time, reduce friction, and deliver instant answers.
  • AI has the potential to drive research and scientific discovery. Applied to science and research, it can accelerate progress and lead to new discoveries.
  • AI could transform education and care. “Intelligent” systems are heralded as a way to personalize learning, expand access to mental health support, and address isolation and loneliness at scale.

TikTok has signed a deal to divest its U.S. entity to a joint venture controlled by American investors, per an internal memo seen by Axios.

Why it matters: A deal would end a yearslong saga to force TikTok’s Chinese parent ByteDance to sell the company’s U.S. operation to domestic owners to alleviate national security concerns.

Zoom in: The agreement is set to close on Jan. 22, per an internal memo sent by CEO Shou Chew.

  • Oracle, Silver Lake and Abu Dhabi-based MGX will collectively own 45% of the U.S. entity, which will be called “TikTok USDS Joint Venture LLC.”
  • Nearly one-third of the company will be held by affiliates of existing ByteDance investors, and nearly 20% will be retained by ByteDance.

Between the lines: The U.S. joint venture will be responsible for U.S. data protection, algorithm security, content moderation and software assurance, per the memo.

  • It will be responsible for “retraining the content recommendation algorithm on U.S. user data to ensure the content feed is free from outside manipulation.”
  • “A trusted security partner will be responsible for auditing and validating compliance with the agreed upon National Security Terms, and Oracle will be the trusted security partner upon completion of the transaction,” the memo notes.
  • Upon the closing, the U.S. joint venture “will operate as an independent entity with authority over U.S. data protection, algorithm security, content moderation and software assurance, while TikTok global’s U.S. entities will manage global product interoperability and certain commercial activities, including e-commerce, advertising, and marketing,” it adds.

By the numbers: The deal values TikTok U.S. at around $14 billion, a source confirmed to Axios.

Catch up quick: The White House and the Chinese government hammered out a deal in principle in September to sell TikTok’s U.S. operations to a joint venture controlled by a U.S. investor group led by Andreessen Horowitz, Silver Lake and Oracle.

Flashback: Trump first issued an executive order demanding that ByteDance sell its U.S. operations in 2020.

  • Congress passed a law in 2024 to ban the app unless it was sold.
  • The Supreme Court upheld that law in January, but Trump repeatedly postponed its enforcement through a series of executive orders while his administration tried to negotiate a sale.

Will Australia’s teen social media ban work?
Project Liberty, December 16, 2025

For Breanna Easton, social media is a lifeline. The 15-year-old lives on a farm in the Australian outback, 60 miles from her closest friends.

Australia’s new law banning social media use for kids under age 16, which went into effect last week, cut Easton off.

“Taking away our socials is just taking away how we talk to each other,” she said.

Breanna’s mom, Megan Easton, agrees that kids need to be protected, but remembers her own childhood in rural Australia. “We might be incredibly geographically isolated but we’re not digitally illiterate and we have taken great measures in our family to make sure that we educate our children appropriately for the world ahead of them. I do think that it is a bit of government overstepping.”

Last week, Australia became the first country to implement a nationwide social media ban.

A social media platform has filed lawsuits, Australian teens have flouted the rules by posting workarounds, parents have been able to blame the law when trying to enforce their own phone-free policies at home, and policymakers in other countries are watching closely.

In this newsletter, we look at Australia’s grand experiment in banning teens under 16 from social media. It’s been less than a week, but it’s not too early to explore the questions on everyone’s mind:

Is this the government overstepping, or is this an example of a national policy to protect teens that will become a global blueprint?

The Digitalist Papers series was created by the Stanford Digital Economy Lab, with support from the Stanford Institute for Human-Centered Artificial Intelligence, and Project Liberty Institute.

The Stanford Digital Economy Lab today released “The Digitalist Papers, Volume 2,” a collection of 21 essays exploring the implications of the transformative economic power of artificial intelligence, setting the stage for change comparable to the Industrial Revolution but with far greater speed and scope. At a moment when AI capabilities are advancing faster than institutions can adapt, the volume offers frameworks, scenarios, and open questions to help leaders prepare for the transitions ahead.

The first volume of the Digitalist Papers, published in September 2024, focused on AI’s impact on American democracy, with contributions from academics, entrepreneurs, and policy practitioners. The second volume shifts focus to the opportunities and risks of “transformative AI,” or TAI, which is expected to drive rapid and far-reaching changes in the global economy.

The rise of the Splinternet
Project Liberty, December 9, 2025

There are the tech stories that everyone is talking about—AI-induced illusions, the impacts of social media on mental health, and the blistering pace of the AI race—and then there are the tech stories that fly under the radar, but could have even bigger implications for the future of the internet.

This newsletter is about one of those stories.

The global, open internet is rapidly disappearing. In its place, a fragmented internet is emerging, where each country controls and manages its digital infrastructure, content, connectivity, and governance.

This is the era of “the splinternet,” where individual nations carefully curate and control their internet.

This past November, Project Liberty Institute (PLI), in partnership with Georgetown’s Tech and Public Policy (TPP) program, hosted a Workshop on Deliberation, Governance and Decentralized Social Networks at the McCourt School of Public Policy in Washington, DC. The event brought together a diverse group of practitioners, researchers and students to explore and assess the role AI-assisted deliberation might play in helping online communities govern themselves.

Democratic governance can be unwieldy and challenging to design. Fortunately, tools exist to assist online communities in deliberating the pros and cons of policy; one such tool is digital deliberation. Traditionally, deliberative forms of democracy have been time-consuming, expensive, and conducted in person, with a representative selection of participants meeting for days or weeks.

Technological advances, including AI applications, have moved deliberation into the 21st century. Today, deliberative decision-making can happen entirely online and produce meaningful results in hours – even minutes. Representativeness may still require up-front effort, but overall costs are relatively modest. Democratic governance is within reach of numerous online communities and platforms.

For all its promise, AI has yet to win the hearts and minds of most Americans.

New survey data from SSRS and Project Liberty Institute (PLI) show that majorities continue to view AI’s impact on our ability to think creatively and form meaningful human relationships negatively.

Following the publication of Project Liberty Institute’s official T20 policy brief, Sarah Nicole, Policy & Research Manager, joined the T20 delegation in Johannesburg, South Africa, on November 13 and 14.

Co-written with the Global Solutions Initiative, the Aapti Institute, Data Privacy Brasil, and the Equiano Institute, the policy brief “Catalysing Positive Digital Infrastructure Innovation: G20’s Role in Advancing Data Agency” feeds directly into the T20 Communiqué, a collection of high-impact recommendations for the G20 by the task forces, published during the T20 summit.

On November 13, 2025, the Project Liberty Institute (PLI), in collaboration with its strategic partners ReframeVenture, Omidyar Network and ImpactVC, convened one of the most significant investor gatherings to date on the future of responsible investment in artificial intelligence and data technologies. Held at Stanford University in Palo Alto, the Stanford Summit on Responsible Investment in Data & AI brought together a powerful cross-section of leading technologists and the investment ecosystem, including leading limited partners (LPs) and venture capitalists (VCs) representing more than $4 trillion in capital across the United States and Canada.

The event created a rare forum for asset owners, allocators, and governance leaders to discuss how capital can shape AI technologies in ways that advance human agency, uphold democratic values, and strengthen long-term market trust.

A new partnership to shape the future of responsible technology investment and digital infrastructure

On the occasion of the Principles for Responsible Investment (PRI) in Person 2025 conference — one of the world’s foremost UN-backed gatherings of investors representing more than $120 trillion in assets committed to responsible finance — the United Nations Human Rights B-Tech Project and the Project Liberty Institute announced a new partnership to provide a vision for responsible AI investment that does not undermine data agency. The announcement, made during an official side event to PRI in Person in Sao Paulo, comes at a pivotal moment, as responsible investment frameworks expand beyond their roots in climate to address the growing human rights challenges associated with AI and data governance.

The event also marks the release of a new paper, “The Investors Financing the AI Ecosystem: Roles and Leverage to Drive Responsible Innovation,” jointly authored by UN B-Tech and the Project Liberty Institute. The publication explores how investors can use their influence to align capital allocation with human rights and unlock greater long-term value creation in the process.

As part of a global initiative to advance responsible and impactful investment in AI, the Project Liberty Institute (PLI) deepened its engagement with Asian investors through a series of high-level meetings and events across Singapore and Japan this October.

Building on the work in 2024 with strategic partners ReframeVenture, Omidyar Network, and ImpactVC, these engagements aimed to broaden the Institute’s ongoing LP and VC processes on responsible AI and data investment—an initiative that has already involved investors with over $6 trillion in capital across Europe and North America.

PLI’s CEO Sheila Warren emphasized: “ASEAN, and Southeast Asia more broadly, are an innovation powerhouse—home to extraordinary entrepreneurial energy and forward-looking investors. For decades, the region has been ahead of the curve when it comes to the adoption of frontier technologies, and it is uniquely positioned to help shape an AI era that upholds individual agency and inspires human-centered business models. As such, this is a crucial region for PLI’s mission to recenter humanity in the global digital economy.”

Pictured: Olivier Clyti, Director of Strategy, CSR, Digital, InVivo, France; Giuseppe Guerini, President, Cooperatives Europe, Italy; J. Benoit Caron, General Director of the Consortium for Collective Enterprise Cooperation, Canada; Osamu Nakano, Vice Executive Director, Japan Workers’ Co-operative Union (JWCU), Japan.

On October 27th and 28th, the Project Liberty Institute presented the findings from “How Can Data Cooperatives Help Build a Fair Data Economy? Laying the Groundwork for a Scalable Alternative to the Centralized Digital Economy,” at the Global Innovation Coop Summit.

Yet if the intention economy is to thrive it must enable individuals to control their own data. Berners-Lee favours the Fediverse, a nascent network of interconnected digital services and social media, including Bluesky, Mastodon and Matrix, that relies on open protocols. One such protocol is Solid, being commercialised by Berners-Lee’s company Inrupt, which enables users to control their own agentic data pods, or wallets, and grant access to trusted services.

Other developers, universities and organisations are also devising ways to reimagine the web’s infrastructure in the AI age. One of the best-funded is Project Liberty, a $500mn initiative backed by the American businessman Frank McCourt. This has helped develop the interoperable decentralised social networking protocol (DSNP) that enables users to delegate and revoke access to their data for every application. Project Liberty is now working with more than 170 partner organisations, with the protocol being used by about 14mn people, according to McCourt. “Agency should be returned to individuals,” he tells me.

Hailing from a five-generation construction company family, McCourt is convinced that fixing underlying infrastructure is often the most effective means of tackling surface problems. The best way to solve lead poisoning in water, for example, is by replacing dangerous pipes, not the sink and tap. Systemic change happens from the bottom up, rather than the top down.

On October 1–2, 2025, Project Liberty founder Frank McCourt and leaders from the Project Liberty Institute (PLI) joined Norrsken Impact Week, which gathered over 1,000 entrepreneurs, investors, and changemakers in Barcelona, Spain. Encompassed by Project Liberty, PLI is an independent 501(c)(3) organization with an international partner network that includes Georgetown University, Stanford University, ETH Zurich, and other leading academic institutions and civic organizations. The Institute’s work focuses on advancing a better AI and data economy that gives people more voice, choice, and stake in the internet by engaging the whole stack of LPs, VCs, entrepreneurs, infrastructure, policymakers, academia, and the general public.

AI has entered the main stage of global markets, with trillions of dollars flowing into the technologies, companies, and infrastructures that shape this new era. The real opportunity of this pivotal moment lies in enabling entrepreneurs and investors to build scalable businesses by creating a human-centered digital future and tapping into tomorrow’s growth markets.

Norrsken, founded by the co-founder of Klarna, Niklas Adalberth, has become one of the world’s leading ecosystems for impact entrepreneurship, with houses in Stockholm, Kigali, Brussels, and Barcelona. Impact Week is Norrsken’s flagship gathering, convening hundreds of entrepreneurs and investors working on solutions to global challenges.

About The People’s Internet

The US onAir Network and Democracy onAir, the nonpartisan nonprofit supporting US onAir, have been inspired by the vision of Frank McCourt and his stewardship of Project Liberty … and the development of the Decentralized Social Networking Protocol (DSNP), the Frequency DSN protocol being piloted by MeWe, as well as other DSNP protocols like the AT Protocol used by Bluesky and the ActivityPub protocol used by Mastodon.

Likewise, Democracy onAir is in the process of exploring how it can adapt the Frequency protocol for its People’s Networks for Democracy for the US and other democratic countries. We have compiled a number of posts related to the DSNPs in “The People’s Internet” category.

onAir News Item post

Project Liberty

Project Liberty is stitching together an ecosystem of technologists, academics, policymakers and citizens committed to building a better internet—where the data is ours to manage, the platforms are ours to govern, and the power is ours to reclaim. Three fundamental beliefs anchor our vision and form the foundation of Project Liberty’s work:

onAir post

Frank McCourt

Frank H. McCourt Jr. is an American business executive and philanthropist. As of 2023, he is the executive chairman and former CEO of McCourt Global, owner of the football club Marseille and founder and executive chairman of international non-profit Project Liberty.

In 2013, he donated $100 million to establish the McCourt School of Public Policy, the ninth school of Georgetown University. He made a second $100 million gift to Georgetown University in March 2021, for the express purpose of ensuring that “the McCourt School can open its doors more widely and build a pipeline of future public policy leaders that reflects the true diversity of our communities.”

In 2021, he founded the non-profit Project Liberty. The initiative has multiple components which includes the development of the Decentralized Social Networking Protocol (DSNP), the founding of the McCourt Institute with founding academic partners Georgetown University in Washington, D.C., and Sciences Po in Paris, and a network of partners within the Unfinished network.

onAir post

Decentralized Social Networking Protocol (DSNP)

DSNP is an open protocol and potential standard for social networking and social media. It is not owned or controlled by any one person or company, allowing anyone to build on it or use it. DSNP is stewarded by Project Liberty Institute, a 501(c)(3).

DSNP is an open-source social media protocol designed to decentralize data ownership, allow easier cross-platform interaction, and let users regain control over their personal data. This includes posts, connections, and messages. The decentralized approach allows users to retain ownership of their information and move it between platforms without relying on a single provider.

onAir Post

Frequency Protocol

Frequency is a blockchain designed to support decentralized social networks to give people control over their online presence. With Frequency, users can freely choose and connect on social apps while retaining ownership of their data.

Built on the Decentralized Social Networking Protocol (DSNP), Frequency offers scalable tools for message discovery, flexible storage for social and identity data, and a unique cost-sharing model that allows apps to deliver smooth, secure experiences that put users in charge.

onAir post

The People’s Bid for TikTok

The People’s Bid is a once-in-a-generation opportunity for Americans to reclaim a voice, choice, and stake in the future of the internet. In April 2024, Congress passed legislation forcing a ban or sale of TikTok in the U.S.

Project Liberty is building a broad consortium of technologists, investors, community leaders, and creators to purchase TikTok and migrate the platform to new infrastructure that allows people to control their own data. We believe a reimagined TikTok can preserve the creativity and dynamism that have made it the cultural engine of the internet while fixing the issues that led Congress to act. Today’s TikTok is a problem. Together, we can make it a solution to the issues created by Big Tech.

Apps Using Frequency Protocol

Frequency is currently being piloted for integration with a number of social media apps including MeWe, We Are 8, and Soar.

Their plans are to integrate with the Frequency blockchain, a groundbreaking move that will allow people to protect their private data while accessing cutting-edge AI solutions. The plan leverages revolutionary internet infrastructure developed by the Frequency Network Foundation and Project Liberty.

OnAir Post: Apps Using Frequency Protocol

AT Protocol & Bluesky

The AT Protocol (Authenticated Transfer Protocol, pronounced “at-protocol” and commonly shortened to ATProto) is a protocol and open standard for decentralized social networking services.

It is under development by Bluesky Social PBC, a public benefit corporation originally created as an independent research group within Twitter to investigate the possibility of decentralizing the service.

OnAir Post: AT Protocol & Bluesky

ActivityPub & Mastodon

ActivityPub is a protocol and open standard for decentralized social networking. It provides a client-to-server (C2S) API for creating and modifying content, as well as a federated server-to-server (S2S) protocol for delivering notifications and content to other servers.

ActivityPub has become the main standard used in the fediverse, a popular network used for social networking that consists of software such as Mastodon, Pixelfed and PeerTube.

OnAir Post: ActivityPub & Mastodon

Investing in a Better Digital Future
Project Liberty, Project Liberty Institute, May 14, 2025

Project Liberty Institute Contributes to Responsible Data and AI Dialogue at the EU-UN-OECD Conference

On May 12, 2025, Project Liberty Institute’s Director of Policy, Innovation & Impact, Paul Fehlinger, joined international leaders at a special conference at the Organisation for Economic Co-operation and Development (OECD) headquarters in Paris on the occasion of the EU Day. Speaking on the opening panel with ambassadors from the EU and African Union as well as the OECD and the Office of the UN High Commissioner for Human Rights (OHCHR), Fehlinger participated in important discussions about responsible approaches to data and AI investment. The event brought together government officials, investors, and innovation experts to explore how investment strategies can support responsible tech development.

Who was at the table?

This timely dialogue was a collaborative effort between three key organizations. The OECD, which sets global economic standards across its 38 member countries, partnered with the EU—known for groundbreaking tech regulations like the General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), and the AI Act—and the UN B-Tech Project, an OHCHR initiative focused on human rights in technology and business. The OHCHR contributed crucial insight into rights-based governance approaches. The event also focused on EU-Africa collaboration to scale responsible data and AI practices.

Spearheading Project Liberty Institute’s work at the intersection of governance, entrepreneurship, and capital, Fehlinger highlighted the critical role of both public actors and private market investors in building a sustainable and high-performing data and AI economy. To unlock a fair data economy, he argued, public-private collaboration should focus on infrastructure that supports democracy, improves market dynamics, and enables long-term value creation in the digital era.

Project Liberty Institute Partners with VentureESG and ImpactVC
Project Liberty, Newsletter Staff, June 3, 2025

New Initiative to Advance Responsible Data and AI Investment in Venture Capital Launches at SuperVenture 2025 in Berlin

Project Liberty Institute announced a strategic partnership with VentureESG, a leading network of over 550 venture capital firms and 100+ limited partners committed to integrating environmental, social, and governance factors into investment, and ImpactVC, the world’s largest community of over 700 VCs investing for both financial returns and positive societal outcomes.

Launched at SuperVenture 2025, the leading global gathering of VCs and LPs, this collaboration comes when the industry is under increasing pressure to define responsible investment in the data and AI space. The initiative aims to help establish shared frameworks that guide responsible governance practices before regulation and market shifts make them imperative. The first step: a sector-wide survey to benchmark current approaches and identify actionable pathways toward more accountable, resilient, and forward-looking investment models.

“We’re seeing the early signs of a shift in venture,” said Paul Fehlinger, Director of Policy, Governance Innovation & Impact at Project Liberty Institute, who leads engagement with investors. “Most VCs are just starting to grapple with responsible data and AI governance, but some forward-looking LPs are already asking tougher questions. As the sector races ahead, this is a rare window to jointly develop the standards before regulation and market dynamics force everyone’s hand. Investors who move early won’t just mitigate risk—they’ll be better positioned to win over institutional capital and attract founders who see responsible AI as a competitive edge. Ultimately, it’s how we build more resilient companies and ensure the next wave of tech creates real value for users, entrepreneurs, and investors alike.”

Two initiatives to create a more open web, where users are in control of their own digital identities and data, may be coming together. At SXSW 2025, entrepreneur Frank McCourt, whose Project Liberty is developing open internet infrastructure (and is throwing its hat in the ring as a potential buyer for TikTok), announced that his organization has been in discussions with internet pioneer Tim Berners-Lee about an integration with Solid, his open source project aimed at giving people control over their own data.

In a panel at SXSW, McCourt shared that his team had “talked to Tim Berners-Lee about Solid,” adding that “Project Liberty is compatible with Solid.”

Though he didn’t announce an official partnership, McCourt suggested that discussions were underway on a future collaboration.

“We’re debating, or talking, right now about how to incorporate that — him and Solid, his Solid Pods — into the project,” McCourt teased.

Three Pathways to Distributed Power in the AI Economy
RadicalxChange Blog, Matt Prewitt, January 20, 2025

On Jan 15, 2025 at Stiftung Mercator in Berlin, RadicalxChange Foundation, along with partners Global Solutions Initiative and Sciences Po Technology and Global Affairs Innovation Hub, co-hosted a side event to the Paris AI Action Summit. We focused on the future of collective bargaining in the context of the AI revolution. The discussions helped to advance our thinking in several important ways. Here are some quick initial reflections.

History suggests that following significant technological breakthroughs, individuals and communities often endure temporary but harmful losses of economic bargaining power. (For example, real living standards declined in industrializing countries between the mid-18th and the early-to-mid 19th centuries, in part because individuals’ contributions to vital productive processes became more interchangeable and therefore lacked bargaining power.) On a longer arc of history, new technology’s benefits usually accrue to whole societies, but such short-term social disruptions partly offset those benefits and frequently destabilize societies. It is therefore important to strategize toward achieving social equilibrium quickly, robustly, and without undermining the processes of technological development.

Power rebalancing after technological breakthroughs occurs through at least three pathways: technological, political, and social. Technological rebalancing occurs when the dissemination or cheapening of the relevant technology undermines the advantage of the technology’s owners (as in the personal computer and software revolutions). Political rebalancing occurs when direct state interventions check the rights of businesses to exploit the new technology (as in the 18th century, when speech controls and intellectual property statutes limited the power of printing press owners). Social rebalancing occurs when social or labor organizations form a collective counterpower, achieving an economic foothold vis-a-vis the technology’s owners (as in the late part of the industrial revolution). These pathways are not mutually exclusive, possess unique benefits and drawbacks, and are more or less suitable in different societal and technological situations.

What might these modes of rebalancing look like in the nascent AI revolution? Which are likeliest to mitigate losses of bargaining power and/or uphold the integrity of individuals and communities? We will first define, then critique and evaluate three pathways.

A Healthier Online World with Project Liberty’s Frank McCourt
Semafor, Semafor’s Max Tani, May 29, 2025 (15:45)

Project Liberty founder Frank McCourt sat down with Semafor’s Max Tani at the World Economy Summit on April 23, 2025.

Will AI agents lead to freedom or surveillance?
Project Liberty, March 18, 2025

In this newsletter, we explore AI agents: what they are, recent breakthroughs (last week was big), the risks they pose, and how autonomous AI agents might integrate with a vision for the People’s Internet.

What are AI agents?
Unlike AI chatbots, which respond to user prompts in a single interface, AI agents can autonomously complete multi-step tasks—like researching and booking flights—across multiple systems. While chatbots facilitate back-and-forth interactions, AI agents allow users to delegate entire tasks or projects and let them run independently.

AI agents also differ from AI companions, which are chatbots specifically engineered for emotional connection and social interaction.

The People’s Internet
Beyond concerns over data privacy, surveillance, and security, AI agents challenge our understanding of how we interact with the internet—and our role within it.

Frank McCourt is Stepping Down As CEO
Time, Andrew R. Chow, November 21, 2022

In the last few years, McCourt has turned his focus to social media, which he says has deeply exacerbated many of the world’s problems. “The economy, inflation, abortion, immigration, democracy: If you step away from all those issues, what drives viewpoints and opinions and perspectives on them is social media,” he says. “It’s going to be very, very hard to solve these big, important societal issues if we can’t have a coherent conversation about them. And our current use of social media currently is not designed to optimize for truth or a shared set of facts.”

McCourt has already committed $150 million of his own money to Project Liberty, and says that ultimately “billions of dollars” will be needed for the effort to effect lasting change. In an interview, he declared his intention to spend 90% of his working time on Project Liberty and 10% on McCourt Global, as opposed to the other way around. “This is a big shift in my focus, but it demonstrates the importance of Project Liberty to me,” he says.

OUR BIGGEST FIGHT: Reclaiming Liberty, Humanity, and Dignity in the Digital Age (book)
PR Newswire, Frank H. McCourt, Jr. & Michael J. Casey, January 16, 2024

Published by Crown Publishing Group, civic entrepreneur Frank McCourt joins forces with journalist Michael Casey to present a galvanizing call to action for a tech revolution that empowers people over platforms and accelerates a new internet era.

From Civic Entrepreneur and Founder of Project Liberty Frank H. McCourt, Jr. comes a galvanizing call to action for a tech revolution that empowers people over platforms and accelerates a new internet era: OUR BIGGEST FIGHT: Reclaiming Liberty, Humanity, and Dignity in the Digital Age. To be published March 12, 2024.

On March 12, 2024, Crown, an imprint of the Crown Publishing Group, a division of Penguin Random House, will publish OUR BIGGEST FIGHT: Reclaiming Liberty, Humanity, and Dignity in the Digital Age—a resounding call to action for building a healthier and more equitable internet that frees users from Big Tech’s exploitation, recognizes individuals’ rights to their data, safeguards children and prioritizes the common good—from Frank H. McCourt, Jr., and acclaimed journalist, Michael J. Casey.

The internet was once a utopian dream. And its impact has transformed how we live, learn, work and communicate. Despite its conveniences and connectivity, today’s internet is causing real harm and is the primary cause of a pervasive unease that has taken hold in the U.S. and other democratic societies. Instead of driving progress and collaboration, its dominant platforms are fueling a youth mental health crisis, polluting public discourse with misinformation and toxicity, eroding trust and undermining our most important institutions. Left unchecked, the internet in its current, highly centralized form—dominated by a handful of Big Tech giants that feed on our data—threatens to destabilize societies, democracies and human interaction at every level. And it will get exponentially more harmful in the age of artificial intelligence. McCourt and Casey explain how we can get off this destructive path and seize this most urgent of moments to build an internet that serves society’s needs.

For decades, thought leaders and policy experts have weighed in with suggestions for fixing the internet’s ills, mostly through top-down regulation. What sets McCourt and Casey apart is their relentless focus on the need to innovate our way forward and address the problem at its roots, starting with the web’s underlying infrastructure. Inspired by historical calls to action like Thomas Paine’s Common Sense, OUR BIGGEST FIGHT depicts a set of compelling parallels between the American revolution and the need for a similar action today to throw off the shackles of Big Tech. Now is the time, McCourt and Casey argue, to embed the core values of a free, democratic society in the internet of tomorrow.

McCourt is the executive chairman of McCourt Global, a private family company committed to building a better future and extending the McCourt family’s 130-year legacy of developing infrastructure and merging community and social impact with financial results through its work across the real estate, sports & media, technology and capital investment industries, as well as its significant philanthropic activities. Named one of the Top 50 Philanthropists in the U.S. by The Chronicle of Philanthropy, McCourt is the foundational donor of Georgetown University’s McCourt School of Public Policy. As a fifth-generation builder, he’s wary of Silicon Valley’s “move fast and break things” ethos and, as a father of seven, concerned about how technology is impacting children, families and communities – and putting our future at risk. Determined to carry out projects that leave a positive impact on society, McCourt is focused on Project Liberty, a bold and far-reaching effort to build an internet where individuals have more control over their data, a voice in how digital platforms operate, and more access to the economic benefits of innovation. Supported by a $500-million commitment from McCourt, Project Liberty encompasses the work of the Project Liberty Foundation—a 501(c)(3) with an international partner network that includes Georgetown University, Stanford University, Sciences Po, and other leading academic institutions and civic organizations—and Amplica Labs, a technology business launched by McCourt Global that is focused on developing the next generation of digital infrastructure.

Information is the lifeblood of any society, and our current system for accessing, engaging and sharing it is corrupted at its heart. Rather than a free-flowing exchange of ideas in a decentralized environment, today’s internet is a closed-loop system, dominated by large technology firms feeding on our individual data and using increasingly sophisticated algorithms to keep people addicted and perpetually doom scrolling. In plain but forceful language, the authors illustrate how this centralized system, controlled by a small group of for-profit entities, has set a catastrophe in motion and stripped us of our personhood. Trust is gone, hostility is on the rise and people—especially parents concerned about their kids’ use of social media—are desperate for solutions.

McCourt and Casey offer much-needed hope for a better future. Optimistically and convincingly, they lay out a groundbreaking solution to reclaim what Big Tech has co-opted and corrupted: a new, decentralized model for managing information over the internet that, by its very design, puts the rights of the individuals first. They reimagine the internet as a place where the individual can choose whether or not to share their data. A place where people can reclaim their identity, digital footprint, and personal sovereignty. A place where individual rights are sacrosanct – and where tech corporations must agree to our terms of use before accessing the data, content and connections we create online.

Much like Americans have amended the U.S. Constitution in order to enshrine new rights and obligations, so too must we amend the protocols by which the internet operates. By upgrading the internet’s current architecture, we can lay the foundation for a more equitable and inclusive web that prioritizes people over platforms and enables users to own and control their personal data.

McCourt and Casey make a powerful argument for acting now, before a Big Tech-driven AI transformation is complete, to build a new, open internet that works for humanity, rather than against it. Americans have an opportunity—perhaps the last one we’ll ever get—to lead the world out of a mess we helped create.

About the Authors

Frank H. McCourt, Jr. is the Executive Chairman of McCourt Global, a private family enterprise working across the real estate, sports, technology, media, and capital investment industries. He is the founder and Executive Chairman of Project Liberty, a far-reaching effort to build an internet where individuals have more control over their data, a voice in how digital platforms operate, and more access to the economic benefits of innovation. Supported by a $500-million commitment from McCourt, Project Liberty encompasses the work of the Project Liberty Foundation—a 501(c)(3) with an international partner network that includes Georgetown University, Stanford University, Sciences Po, and other leading academic institutions and civic organizations—and Amplica Labs, a technology business launched by McCourt Global that is focused on developing the next generation of digital infrastructure that empowers people and safeguards children.

Michael J. Casey is the Chief Content Officer at the award-winning media company CoinDesk, co-host of the “Money Reimagined” podcast, and the Chairman of the Consensus conference. He has worked as a journalist on five continents, including eighteen years with Dow Jones and The Wall Street Journal, and was a founding staffer at MIT’s Digital Currency Initiative. Casey’s previous books include The Age of Cryptocurrency, The Social Organism, and The Truth Machine.

ABOUT MCCOURT GLOBAL & PROJECT LIBERTY

McCourt Global (MG) is a private family company focused on building for tomorrow through its work across real estate, sports & media, technology, capital investment and social impact. Led by founder and Executive Chairman Frank McCourt, a civic entrepreneur and fifth-generation builder, and an international leadership team, MG extends the McCourt family’s 130-year legacy of developing infrastructure and merging community and social impact with financial results — an approach that began when the original McCourt company was launched in Boston in 1893.

In 2021, MG publicly launched Project Liberty, a far-reaching effort to build an internet where individuals have more control over their data, a voice in how digital platforms operate, and more access to the economic benefits of innovation. Project Liberty’s activities include the release and stewardship of the Decentralized Social Networking Protocol (DSNP), which is available as a public utility to serve as the bedrock of a more equitable and inclusive web, and its launch of the Safe Tech, Safe Kids campaign focused on youth mental health and social media. Project Liberty’s Institute (formerly The McCourt Institute) works to ensure that digital governance is prioritized in the development of the next generation of the internet. The institute’s founding academic partners include Georgetown University, Stanford University, and Sciences Po; and it is collaborating with MIT’s Center for Constructive Communication and Cortico, as well as Harvard’s Berkman Klein Center for Internet & Society to support the creation of healthier social networks. In 2023, Frank McCourt unveiled Project Liberty’s “Better Web, Better World” manifesto at Web Summit in Lisbon. This vision for a new web is supported by the work of Amplica Labs, which is led by the tech team behind DSNP and focused on developing the next generation of digital infrastructure. Through a $500-million commitment that supports both nonprofit and commercial activities, Project Liberty aims to unleash a new era of innovation that empowers people over platforms and serves the common good.

SOURCE McCourt Global


Ultimate Potential of Social Web3 – Behind the Code: Web3 Builders
The Kusamarian, https://www.youtube.com/watch?v=E67EwKXZ2Aw&ab_channel=TheKusamarian, August 3, 2024 (26:00)

Harry & Braxton discuss the mission of Project Liberty Labs, its work with Social Graphs, Network Effects & the Decentralized Social Networking Protocol – the DSNP. They share about building the Frequency rollup on the Polkadot Tech stack, onboarding MeWe & the ultimate potential of Social Web3.


Building on their shared mission to give people control of their digital lives, Project Liberty, Frequency Network Foundation, and WeAre8 are transforming social media through the Frequency blockchain, empowering people with ownership, transparency, and the freedom to engage in a healthier, fairer digital world.

Project Liberty, Frequency Network Foundation, and WeAre8, a transformational social media platform, today announced a collaboration that will accelerate their innovative, people-first digital solutions, delivering a more transparent and economically beneficial social media experience. Project Liberty, Frequency Network Foundation and WeAre8 have built digital experiences that prioritize individual empowerment, economic fairness, and genuine digital interactions, breaking away from Big Tech’s profit-driven algorithms – and together are embarking on the next phase of this revolution.

This collaboration marks a major milestone toward putting control of our digital experiences back into the hands of the people. WeAre8 plans to integrate with the Frequency blockchain, which will allow users to benefit from increased financial value and regain control of their digital identity. This revolutionary internet infrastructure was developed by the Frequency Network Foundation and Project Liberty.

“WeAre8 is living proof that a digital world free from Big Tech’s addictive algorithms can be amazing,” said Frank McCourt, Founder of Project Liberty. “By placing power back in the hands of people, individuals can control their own experiences and benefit financially from their interactions with content. Project Liberty is honored to join forces with WeAre8 as we usher in a new digital era of people’s platforms powered by a people’s internet.”

“This collaboration with Project Liberty marks a pivotal moment for a reimagined digital world that serves the people and supports the planet,” said Zoe Kalar, Founder and Chief Executive Officer of WeAre8. “We have transformed social media by eliminating toxic content, removed algorithms so people can reach all their followers with every post, and built a transformational economic model where the ad revenues are shared with people. Project Liberty brings all our citizens another layer of independence, protection and freedom and we are excited about what our partnership means for people when we are all truly free from big tech control.”

A transformational feature of WeAre8 is its commitment to redistributing wealth back into the hands of people through its business model: 60% of its ad revenue is returned directly to citizens (users), charities, creators, and planet-impact projects. Unlike traditional platforms that force advertising into people’s feeds and encourage endless scrolling, WeAre8 separates the ads from the feeds, enabling people to discover and even link off-platform from feed posts, while giving them choice on when they watch ads. And people are happy to watch them when they are valued. Every ad dollar is shared with people for every completed ad view, empowering them to direct these funds toward community initiatives, charitable causes, mobile bills, subscriptions or their personal needs.

For more information about WeAre8, visit here. For more information about Project Liberty, visit here. For more information about Frequency, visit here.

About

Project Liberty Overview

Better Web, Better World

The internet is broken, and it’s urgent that we fix it. We can – and must – do more to safeguard the health and wellbeing of our children, our democracy, and our society as a whole.

The institutions and ideals we cherish most are being destroyed for the use of free apps that steal our personal data and digital identities. I encourage anyone who is interested in reclaiming their personhood from the machines of Big Tech to engage with Project Liberty and help reimagine an internet that is designed for people and the collective good. We can do this.

Project Liberty is stitching together an ecosystem of technologists, academics, policymakers and citizens committed to building a better internet—where the data is ours to manage, the platforms are ours to govern, and the power is ours to reclaim. Three fundamental beliefs anchor our vision and form the foundation of Project Liberty’s work:
Choice
When people have greater control over their individual experience online and expanded opportunities to manage their data, they can make informed decisions about everything from their privacy and safety to which spaces they choose to participate in. This is digital self-determination, and it is the fundamental principle of the web we deserve. It centers people, not platforms. It protects personal data, not corporate profits. It values freedom of movement across the web, not consolidation of power within any one platform. Self-determination online begins at the protocol level—the base infrastructure of the internet—which is why we’re developing new protocols like DSNP that give people agency over their digital experience and data.
Voice
When people can act as digital citizens entrusted to shape the governance of the spaces they log into every day, they can create platforms and applications driven by societal value and transparency instead of corporate profits and black-box algorithms. This is digital citizenship, and it is the set of collective responsibilities undertaken by people who embody digital self-determination to build a digital civic architecture of spaces, platforms, tools, and practices that put into action the principles of openness, safety, privacy, accountability, transparency, and ownership.

Stake
The platform-take-all business models of today’s internet are not equitable, long-term models. The economic value from big data and major network effects stems from the contributions, activity, and content of everyday people, and yet that value isn’t shared. An internet that resembles a representative democracy is an internet whose economic value is distributed fairly. This is digital ownership. It is the economic model compatible with a system of digital self-determination and digital citizenship. And yet, today we lack the models where people can participate in the economic upside of their data and online contributions. Innovation is needed, which is why Project Liberty is supporting the piloting and experimentation of new economic models for the future.

Source: Website

Frank McCourt

Frank H. McCourt Jr. (born August 14, 1953) is an American business executive and philanthropist. As of 2023, he is the executive chairman and former CEO of McCourt Global, owner of the football club Marseille and founder and executive chairman of international non-profit Project Liberty.

In 2013, he donated $100 million to establish the McCourt School of Public Policy, the ninth school of Georgetown University. He made a second $100 million gift to Georgetown University in March 2021, for the express purpose of ensuring that “the McCourt School can open its doors more widely and build a pipeline of future public policy leaders that reflects the true diversity of our communities.”

In 2021, he founded the non-profit Project Liberty. The initiative has multiple components, which include the development of the Decentralized Social Networking Protocol (DSNP), the founding of the McCourt Institute with founding academic partners Georgetown University in Washington, D.C., and Sciences Po in Paris, and a network of partners within the Unfinished network.

In 2024, he announced plans to build a consortium to buy the US arm of TikTok.

Frank McCourt was featured in the December 19, 2024 US onAir news post titled: The Vision of Frank McCourt.

OnAir Post: Frank McCourt

Team

Project Liberty Leadership
Frank McCourt
Founder of Project Liberty

Tomicah Tillemann
President, Project Liberty; Interim CEO Project Liberty Institute

Paula Recart
Chief Impact Officer

Braxton Woodham
Co-creator of DSNP

Project Liberty Team
Scott Bendar
Head of Software Development

Denise Duncan
Head of Program Management

Kila Englebrook
Head of Operations

Harry Evans
CTO and Co-creator of DSNP

Lara Galinsky
Head of Partnerships

Kenne Ives
Head of Product

Chris Mitchell
General Counsel

Taylor Patterson
Head of Communications

Alex Poscente
Chief of Staff

Project Liberty Board of Stewards/Advisors
Frank McCourt
Founder of Project Liberty

Angela Glover Blackwell
Founder in Residence, PolicyLink

Dr. John DeGioia
President, Georgetown University

Todd Golub, M.D.
Director, Broad Institute of MIT and Harvard

Eric Liu
Co-Founder & CEO, Citizen University

Dorcas Muthoni
Founder, OPENWORLD LTD

Dr. Dava Newman
Director, MIT Media Lab

Dan Porterfield
President & CEO, Aspen Institute

Jeremy Heimans
Co-founder & Chairman, Purpose

Daniel Sachs
Founder & CEO, P Capital Partners

Source: Website

Alliance

The Project Liberty Alliance consists of over 100 organizations—tech companies, policy groups, impact initiatives, academic institutions, and more—committed to a people-powered internet.

The Alliance serves as a learning and collaboration engine through which members of the community can advance their organizational goals, all while strengthening the overlaps in our missions. It is designed as a way to share learnings, build relationships, and spark collaborations throughout the responsible tech ecosystem and related fields.

Source: Website

Labs

Labs is at the forefront of transforming the digital landscape. As a pivotal part of Project Liberty initiated by McCourt Global, we are committed to empowering creators to innovate within the realm of social applications. Our mission harnesses cutting-edge technology to build essential infrastructure for the next evolution of digital interaction.

Empowering Connections
Our goal at Labs is simple: Revolutionize how we interact online by creating user-centric platforms. From creating the cutting-edge Frequency blockchain to developing the Decentralized Social Networking Protocol (DSNP), we’re putting control back into the hands of the users.

A Future of Transparent Networking
Imagine a digital world where social networking seamlessly integrates into the internet itself, granting freedom and unmatched transparency. At Labs, this vision is becoming a reality.

Real-World Impact

MeWe Integration: Our collaboration with MeWe, known for its commitment to privacy, utilizes the Frequency blockchain to enhance user control and data security, reflecting our shared values of privacy and empowerment.
Acquisition of Speakeasy: The integration of Speakeasy’s AI technologies advances our ability to improve digital discourse, making online interactions more respectful, engaging, and insightful.

Source: Website

Project Liberty’s Summit – November 2024

Last week, 500+ leaders in technology, policy, civil society, finance, and media descended on Washington, D.C. for Project Liberty’s Summit on the Future of the Internet. The two-day event provided an opportunity to chart a new course toward a digital future where people have a voice, choice, and stake in a better web.

Through Project Liberty’s partnership with POLITICO, the summit was live-streamed (and you can watch a recording here for Day 1 and here for Day 2). We wanted to share six key takeaways from an incredibly rich and varied array of conversations that took place among the attendees:

// Takeaway #1: The new internet is already here—and it’s built around you.
There was a recognition at the summit that the next generation of the internet is already here—it just needs scale to reach the masses. The summit took place at a critical inflection point, as the public is now more aware of the challenges and issues present online than ever before. Users are flocking to new platforms like Bluesky, whose CEO was one of many participants in our discussions. Policymakers in dozens of states are writing bills and passing legislation. New technologies are giving users greater control.

Joe Lubin, the co-founder of Ethereum and the founder/CEO of Consensys, provided a window into the fast-moving space of the decentralized web and its new business models. “Web2 continued the business model from the 20th century,” he said. “This business model of an organization offers as little as possible and extracts as much as possible from their consumers—an adversarial relationship. Web3, by being based on open protocols, will now enable us to create a user-centric web, and this feels like the natural business model of the web going forward.” At the summit, Project Liberty, Consensys, and Frequency announced a partnership to develop infrastructure for a more people-centered internet.

// Takeaway #2: It’s time to focus on solutions.
In his opening remarks, Project Liberty’s President, Tomicah Tillemann, said “With tech that is already operating at scale, achieving a people’s internet over the next four years is not only possible, but probable. With your help, it can become inevitable. We all know the internet is broken. On behalf of the next generation, we need the people in this room to fix it.” Doing so will require us to stop admiring the problem and focus on solutions. These include:

Building interoperability by giving people more options to navigate and control their data through online spaces;
Designing new economic models so individuals can participate in the value they create;
Passing new laws to mandate portability of personal information, including social graphs;
Strengthening online privacy;
Scaling open-sourcing digital infrastructure; and
Providing people with better alternatives to today’s incumbent platforms, like decentralized tools and technology.

// Takeaway #3: Your data is you.
A central theme of Project Liberty’s Summit was the role of data in empowering individuals to reclaim control over their digital identities. Audrey Tang, Taiwan’s Cyber Ambassador-at-Large, and an advisor to Project Liberty Institute, spoke about “selective disclosure” technology, or tools that allow people to disclose just a part of their identity on the web. “The great hope is to think of this as public infrastructure,” Tang said, where open-source technologies can be adopted by other countries and jurisdictions.

We’re in the midst of a renaissance of tech innovations around data ownership: from Project Liberty’s Frequency blockchain to new models like data commons and data trusts. Sylvie Delacroix, the Inaugural Jeff Price Chair in Digital Law at King’s College London, presented her work to launch the first data trust pilot worldwide in 2022 through the Data Trusts initiative. Matthew Prewitt, the President of the RadicalxChange Foundation, highlighted their work with Serpentine around Partial Common Ownership of art, as a new model for collective ownership of digital assets.

At its heart, The People’s Bid to acquire TikTok reimagines our relationship with data, leveraging new technology to restore users’ control over the data that rightfully belongs to them.

// Takeaway #4: To transform the internet, we need scale.
Building a better internet won’t happen through disconnected pilots or small-scale efforts. It requires, as Project Liberty’s founder, Frank McCourt, said, a million “Davids” fighting against the Goliath of big tech. To reach this kind of scale, we need new economic models, new incentive structures that go beyond hypergrowth, and new types of governance that share the economic value that’s created.


To imagine a different economy, Project Liberty Institute released the report “Towards a Fair Data Economy: A Blueprint for Innovation and Growth.” Drafted by the Fair Data Economy Task Force, a group of 18 distinguished leaders from over 10 countries (including Daron Acemoglu, who recently won the Nobel Prize in Economics), the Blueprint outlined four pillars to transform the economy:

Entrepreneurship and new business models
Next-generation digital infrastructure
Policy innovation and frameworks
Strategic capital allocation

// Takeaway #5: We need better policy and leadership from the public sector.
From speakers to breakout sessions, the summit kept returning to a key theme—the leadership role that policymakers and government officials must play in shaping the future of the internet. Senator Amy Klobuchar (D – Minnesota) spoke at the summit on Day 1 (watch here) and emphasized the role of government. She said, “If you believe in economic liberty, you cannot just have everything controlled by a few giant companies, and think that everything is going to work out just fine.” This is what the internet has become in recent years, but it doesn’t need to be the internet’s future. From greater antitrust regulation to federal laws surrounding privacy, Klobuchar outlined a way forward.

Congresswoman Cathy McMorris Rodgers (R – Washington) spoke about how her work to advance data privacy is personal, with three school-age kids at home. With our online data being collected, manipulated, and exploited, “It is important that Congress act in order to protect our individual privacy rights online,” she said on a panel, highlighting her work to pass a privacy bill.

Project Liberty also unveiled its latest Policy Blueprint  to guide policymakers on digital governance. This Policy Blueprint is designed to give the incoming Administration and legislators across the US actionable, high-impact, and nonpartisan policy solutions to transform the internet.

// Takeaway #6: This is not just about tech. This is about reclaiming our liberty.
“We the people have become the largest unpaid workforce in human history.” These were the words from Zoe Kalar, the Founder of the social media app WeAre8 where advertisers pay the users to advertise (WeAre8, Project Liberty and Frequency just announced a collaboration to integrate Frequency into WeAre8). She’s one of many leaders who participated in the summit who are shifting the balance of power from corporations to individuals and giving everyday people an economic stake in their digital lives. “Humanity has been in an abusive relationship with the technology that enslaves us. Now it’s time to break free.”

Frank McCourt built on this idea as he shared his closing remarks: The collective work to build the next generation of the internet is not just a tech project, he said. Instead, it is something far more profound; it’s about reclaiming our agency, our autonomy, our liberty. It’s about tapping into what it means to be human. By fixating too much on the tech, we might miss the bigger picture of what it means to be citizens in the digital age, and we might miss the opportunity before us to practice our self-determination.

~~

In newsletters in the coming weeks, we’ll be exploring some of the big ideas that emerged from the summit in more depth. For now, check out the recordings from Day 1 here and Day 2 here.

Other notable headlines
// Everyone in AI seems to agree that new models are hitting a scaling wall, according to an article in The Verge. Now, the buzz is turning to ‘reasoning’ and AI agents.

// AI can now create a replica of your personality. A two-hour interview is enough to accurately capture your values and preferences, according to new research highlighted in an article in MIT Technology Review.

// In its antitrust case, the US Justice Department asked a judge to force Google to sell its Chrome browser, according to an article in The New York Times.

// New data shows the number of new mobile internet users is stalling. What happened to the “next billion” internet users? They’re already online, according to an article in Rest of World.

// An article in TechCrunch introduced three incoming EU lawmakers in charge of key tech policy areas in Europe.

// Proponents of US legislation that would establish a public AI resource and data hub are making a last-ditch effort to push the plan through Congress, according to an article in Semafor.

Partner news & opportunities
// Virtual book talk: Vanishing Culture

December 3rd at 1pm ET

Join Internet Archive and Authors Alliance for a discussion on Vanishing Culture: A Report on Our Fragile Cultural Record. Explore how shifting digital models and cyber threats endanger access to cultural history and the vital role of libraries in preservation. Register here.

// Virtual event on post-truth, fake news, and democracy

December 4th at 12:30pm ET

Join the Institute for Rebooting Social Media as Johan Farkas discusses the politics of misinformation, based on the 2nd edition of the book Post-Truth, Fake News and Democracy: Mapping the Politics of Falsehood. This conversation will examine fake news’ impact on events like the COVID pandemic and explore democratic alternatives to combating disinformation. Register on Zoom here.

// Empowering parents with research-backed resources

Children and Screens is hosting the “Learn and Explore” resource library, a tool that offers parents evidence-based insights on key issues affecting kids in today’s digital world. Free from tech industry influence, this tool empowers families with trustworthy, research-backed guidance to promote healthy digital habits.

Source: Website

Web Links

DSNP Protocols

DSNP stands for Decentralized Social Networking Protocol, which is an open protocol and potential standard for social networking and social media. It is not owned or controlled by any one person or company, allowing anyone to build on it or use it. DSNP is stewarded by Project Liberty Institute, a 501(c)(3).

DSNP is an open-source social media protocol designed to decentralize data ownership, allow easier cross-platform interaction, and let users regain control over their personal data. This includes posts, connections, and messages. The decentralized approach allows users to retain ownership of their information and move it between platforms without relying on a single provider.

Frequency is Project Liberty’s implementation of the DSNP protocol.

About the Protocol

Source: DSNP Website

10 High-Level DSNP Concepts

Users are given a numeric ID known as their DSNP User Id which may or may not be linked to or associated with their real-world identity.
User data is managed and secured via a set of control keys typically connected in a public/private key pair. The control keys are owned and managed solely by the user.
DSNP is designed to run on a consensus-based system such as a blockchain. This allows the system to be truly decentralized—meaning that users, not system operators, have control and agency over their data, and changes to the state of the system are public and immutable.
DSNP users can delegate tasks such as managing social connections or submitting posts and content to the applications they use. This means that tasks that require specialized technical knowledge or have associated costs can be performed by service providers acting under the user’s explicit agreement (which the user may revoke at any time).
User-generated content is handled via Announcements–public or private declarations or directions published to the system.
Updates or changes to the system are expressed as State Change Records–the observable output of a DSNP system.
Part of the data stored by each user is their social graph, which contains information about all the public and private relationships between the user and others in the system.
DSNP is designed to allow users to easily and seamlessly access their social graph and other user-centric data with any compatible application—user data and content is not just portable between applications, but fully interoperable.
Applications and service providers (those to whom tasks are delegated) compete in an open marketplace for users. This allows users to choose the applications and providers who best serve their needs, and grant or revoke delegations at any time.
Applications and service providers collect and send Announcements in batches, reducing operational cost and enhancing scalability.

What is a DSNP System?
A DSNP system is a (1) state machine that generates an (2) ongoing, (3) publicly observable and (4) verifiable (5) stream of state change records in response to (6) authenticated public input. To take each of these terms one by one:

State Machine: The system maintains a consistent, deterministic set of data (state) in response to protocol communications.
Ongoing: The system runs continually.
Publicly Observable: System activities are transparent and may be openly viewed by developers, creators and users.
Verifiable: The authenticity of those sending messages is recorded and can be verified. While these identities may remain pseudonymous, and the real world identity of the user may not be revealed, each account’s activity can be verified to come only from that account.
Stream of State Change Records: The system produces a continuous log of all changes that occur, such as account Id creation, messages sent, delegation, and so forth.
Authenticated Public Input: Refers to the open, decentralized nature of DSNP applications, which ensures that users have control and agency over their data.

In social networking terms, one can think of a DSNP system as one that continuously records everything that happens, including the identities of the participants (identity), the relationships they declare to other participants, the messages they send, when they are sent, and who they are for. This is true whether or not that participant is sending data themselves or delegating that task to someone else to do it on their behalf. A DSNP system does its recordkeeping in public, even if some of the data it manages may be private (encrypted).
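The concepts above (numeric user ids, user-held control keys, revocable delegation, announcements, and a public stream of state change records) can be made concrete with a small state machine. The following is an added illustration written for this page; it is not DSNP’s specification, its on-chain data format, or Frequency’s code. It assumes HMAC-SHA256 under a secret only the user holds as a stand-in for the public/private-key signatures a real deployment would use, so that it runs on the Python standard library alone; the provider name `app-a`, the sample key, and the content references are constructed for the demo.

```python
"""Toy DSNP-style system: authenticated input changes state, every change is
emitted as a hash-chained, publicly verifiable record.  Added illustration only.
Assumption: HMAC with a user-held secret stands in for real signatures."""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic encoding so every observer hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(control_key: bytes, msg: dict) -> str:
    """User-side authorization (HMAC stand-in for a signature, see docstring)."""
    return hmac.new(control_key, canonical(msg), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StateChangeRecord:
    seq: int
    kind: str
    body: dict
    prev_hash: str
    hash: str


def record_hash(seq: int, kind: str, body: dict, prev_hash: str) -> str:
    return hashlib.sha256(canonical({"seq": seq, "kind": kind, "body": body, "prev": prev_hash})).hexdigest()


class ToyDsnpSystem:
    def __init__(self):
        self.control_keys = {}   # user_id -> verification material
        self.delegations = {}    # (user_id, provider) -> permitted actions
        self.log = []            # the publicly observable stream of records
        self._next_id = 1

    def _append(self, kind: str, body: dict) -> StateChangeRecord:
        prev = self.log[-1].hash if self.log else GENESIS
        seq = len(self.log) + 1
        rec = StateChangeRecord(seq, kind, body, prev, record_hash(seq, kind, body, prev))
        self.log.append(rec)
        return rec

    def _authenticate(self, user_id: int, msg: dict, sig: str) -> None:
        key = self.control_keys.get(user_id)
        if key is None or not hmac.compare_digest(sign(key, msg), sig):
            raise PermissionError(f"input not authenticated by user {user_id}")

    def create_user(self, control_key: bytes) -> int:
        user_id, self._next_id = self._next_id, self._next_id + 1
        self.control_keys[user_id] = control_key
        self._append("user_created", {"user_id": user_id})
        return user_id

    def delegate(self, user_id: int, provider: str, actions: list, sig: str) -> None:
        msg = {"op": "delegate", "user_id": user_id, "provider": provider, "actions": sorted(actions)}
        self._authenticate(user_id, msg, sig)          # only the key holder can grant
        self.delegations[(user_id, provider)] = set(actions)
        self._append("delegation_granted", msg)

    def revoke(self, user_id: int, provider: str, sig: str) -> None:
        msg = {"op": "revoke", "user_id": user_id, "provider": provider}
        self._authenticate(user_id, msg, sig)          # and only the key holder can revoke
        self.delegations.pop((user_id, provider), None)
        self._append("delegation_revoked", msg)

    def announce(self, provider: str, user_id: int, content_ref: str) -> StateChangeRecord:
        """A provider publishes on a user's behalf only under a live delegation."""
        if "announce" not in self.delegations.get((user_id, provider), set()):
            raise PermissionError(f"{provider} holds no announce delegation from user {user_id}")
        return self._append("announcement", {"user_id": user_id, "via": provider, "content": content_ref})

    def verify_log(self) -> bool:
        """Any observer can recompute the chain; altering any record breaks it."""
        prev = GENESIS
        for i, rec in enumerate(self.log, start=1):
            if (rec.seq, rec.prev_hash, rec.hash) != (i, prev, record_hash(i, rec.kind, rec.body, prev)):
                return False
            prev = rec.hash
        return True


def demo() -> dict:
    """Grant, use and revoke a delegation; try a forged grant; report the outcome."""
    system = ToyDsnpSystem()
    alice_key = b"constructed-demo-control-key"      # constructed sample key
    alice = system.create_user(alice_key)
    grant = {"op": "delegate", "user_id": alice, "provider": "app-a", "actions": ["announce"]}
    system.delegate(alice, "app-a", ["announce"], sign(alice_key, grant))
    system.announce("app-a", alice, "sha256:" + hashlib.sha256(b"hello world").hexdigest())
    system.revoke(alice, "app-a", sign(alice_key, {"op": "revoke", "user_id": alice, "provider": "app-a"}))
    try:
        system.announce("app-a", alice, "sha256:constructed")
        still_allowed = True
    except PermissionError:
        still_allowed = False
    try:
        system.delegate(alice, "app-b", ["announce"], "00" * 32)   # not signed by Alice
        forged_grant_accepted = True
    except PermissionError:
        forged_grant_accepted = False
    return {"records": len(system.log), "chain_ok": system.verify_log(),
            "announce_after_revoke_allowed": still_allowed,
            "forged_grant_accepted": forged_grant_accepted, "system": system}


def tampering_is_detected(system: ToyDsnpSystem) -> bool:
    """Rewrite one record's body in place and check that verification now fails."""
    rec = system.log[2]
    system.log[2] = StateChangeRecord(rec.seq, rec.kind, {**rec.body, "content": "sha256:forged"}, rec.prev_hash, rec.hash)
    return not system.verify_log()
```

Running `demo()` yields four records (user created, delegation granted, one announcement, delegation revoked), a chain that verifies, a rejected post-revocation announcement and a rejected unsigned grant; `tampering_is_detected` then shows why a public, hash-linked log matters: an operator who edits a record after the fact cannot do so without every observer noticing.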

The DSNP Difference

Source: DSNP.website

How DSNP differs from AT Protocol and ActivityPub, and how DSNP can act as a bridge to create truly decentralized social. by Jeanette Depatie
Economic Viability

One of the main differences between DSNP and AT Protocol/ActivityPub is in the revenue models they can support.
While DSNP is also a 501(c)3-stewarded protocol with charitable donations covering advisor meetings and community communications, DSNP can support any number of revenue models for applications and network participants. App developers may choose any monetization strategy they see fit so long as they clearly and transparently divulge this strategy to would-be users on the platform. At the next level, DSNP end users may choose whatever app provider meets their personal needs. Thus monetization strategies are both presented and selected in a free-market system which may change to accommodate different market conditions and whatever end users are currently willing to support.
Decentralization
A bridge built between DSNP and ActivityPub and AT Protocol could result in greater decentralization for these two federated systems. DSNP could potentially offer greater data resilience and resistance to censorship.
Data Persistence
It is conceivable that connections built between DSNP, AT Protocol and ActivityPub could result in a hybrid system. This hybrid system could afford greater data persistence and resilience than is currently enjoyed by either of the federated systems.
Censorship
DSNP users are less vulnerable to censorship, as the delegation model allows them to simply elect to share access to their data with any willing application provider. Each of these providers is expected to provide clear instructions regarding their terms of service. And should a user choose to leave one provider or application, the process of moving to another is quite simple. As all important information the user needs to stay connected to their DSNP identity and relationships is stored among all nodes of the system, the user can move from one application to another without fear that their essential data will be lost.


Frequency

Source: Website

Frequency’s Mission
Frequency’s Mission is to provide the infrastructure to empower people by:

Offering everyone a self-sovereign digital social identity that they may use to sign in and share data across the applications they choose.

Allowing people to freely move among applications and providers rather than being forced to accept application changes that worsen their experience.

Offering application providers practical economics that make blockchain usage feasible and desirable.

Securely storing each person’s relationships (social graph) so they are not controlled by any application or company, and can only be accessed with user permission.

Creating an interoperable social media public commons where everyone can participate in the conversation.

Creating a shared and decentralized economy where everyone can participate in the shared value they have created on the internet.

What is Frequency?

Frequency is a blockchain designed to support decentralized social networks to give people control over their online presence. With Frequency, users can freely choose and connect on social apps while retaining ownership of their data. Built on the Decentralized Social Networking Protocol (DSNP), Frequency offers scalable tools for message discovery, flexible storage for social and identity data, and a unique cost-sharing model that allows apps to deliver smooth, secure experiences that put users in charge.

User Advantages
On most social media platforms, you get a stark choice: accept the platform as is, or leave the platform, your friends and your relationships behind. Frequency changes all of this by offering users control, community, and ownership over their online experience.

Community
Connect with over 1 million users, each in charge of their digital experience.

Create a single Universal Handle, Sign-On and Identity so you can connect, share and engage with audiences across multiple applications through a single identity.

Control
Choose which applications to join and which to leave — you decide who can access your relationships and manage your data.

Hold application providers accountable to the promises they have made you. If they change in a way you don’t like, simply pick another provider.

Ownership
You built your social networks, followers, content, and behavioral data. With Frequency, you get to decide what data is shared and who benefits from its value.

Harness the network effects of your content, data, and relationships in the future economy.
Developer Advantages
Getting started building on Frequency is simple.

Easy
Set up a templated example application with Frequency Gateway in mere minutes.

Economical
Add decentralized social to both new and existing applications in a scalable and economical way with batching and Capacity making blockchain usage predictable.

Open
Build your app with open-source tools designed for a more decentralized environment free from reliance on big tech.

Proven
Access and engage a healthy and growing community of over 1 million users out of the gate as well as a community that has grown to rely on Frequency as proven and tested core infrastructure for their businesses.
Developer Portal
Explore & Build

Frequency offers simple blockchain integration for your applications—bridging the gap between your app and the decentralized web. Frequency Developer Gateway offers a suite of self-hosted tools and services that make it easy to connect your applications to Frequency. This allows your developer team to focus on building outstanding user experiences without managing the complexity of blockchain interactions. With Frequency Developer Gateway, you can pick and choose among the tools and services to build the best applications for your users to:

Add authentication and onboarding workflows
Connect with their universal social graph
Read, write, and interact with social media content

Consensys

Source: Website

Consensys is a private blockchain software technology company founded by Joseph Lubin and based in Fort Worth. Consensys is involved in many different projects and services for blockchain uses and applications.

A complete suite of products to create and participate in web3

MetaMask

MetaMask is the leading self-custodial wallet for over 100 million users annually. MetaMask is everything you need to manage your identity, digital assets and to explore web3. Available as a browser extension and mobile app.

MetaMask Developer

Start building today with MetaMask developer tools: connect your app to MetaMask with our SDK, test new features in Flask, and extend MetaMask core functionality with Snaps.

Infura

Infura is the original platform for web3 development, giving developers access to a robust, reliable, and integrated set of tools to easily build and scale their decentralized applications.

Linea

Linea is an EVM equivalent zkEVM rollup offering fast finality, high throughput, low gas fees and the security of Ethereum settlement. Projects across web3 are building with Linea to unlock new capabilities without compromising the security and developer experience of L1 Ethereum.

Apps

MeWe

Source: Website

The world’s largest decentralized social network
We are a privacy-first social network with over 20 million users worldwide and more than 700,000 interest groups that is committed to giving our users control, protecting their data and providing a great user experience. MeWe contains no ads, no targeting, and no newsfeed manipulation. It is available on iOS, Android and desktop in more than 20 languages and over 200 countries worldwide.

Our journey began in New Mexico in 2011 when co-founders Mark Weinstein and Jonathan Wolfe began dreaming of the next generation of social media. The duo were disillusioned with big-tech’s disregard for personal privacy and its willingness to target, track and sell our data. They envisioned a new experience built on safety and respect and one that would bring people together while making social networking fun again. After several years of testing and a public beta, MeWe was officially launched at the SXSW Interactive Media festival in 2016 where we were honored as a finalist for their ever “Innovative World Technology” award.
In the years that followed we continued to refine both our free and subscription offerings while staying true to our ethos of privacy and user control. In March 2021 long time entertainment and technology executive Jeffrey Edell was named Chairman and CEO. Under Edell’s leadership we made considerable progress in improving our user experience, growing our membership and doubling down on our privacy-first message.

In 2022, we made the strategic decision to move to the blockchain and incorporate the Decentralized Social Networking Protocol (DSNP), an open internet protocol released by the Project Liberty Foundation. The foundation, launched in 2021 by Frank McCourt, and Frequency Labs, is part of the $500 million Project Liberty initiative, aimed at creating a better internet and a healthier digital ecosystem. DSNP has the potential to transform the internet by liberating social networking functionality from closed, proprietary platforms and integrating this functionality into the web itself.
With this move we put MeWe’s ethos into code and are completely solidifying our commitment to user protection and control.

We were honored again by SXSW in 2024 as a finalist for their Social Media Innovation Award and as of March have more than 670,000 active users on the blockchain, making MeWe the largest truly decentralized social network in the world.
MeWe has been supported by some of the most respected figures in tech, media/entertainment and finance, including Sir Tim Berners-Lee (inventor of the World Wide Web), Steve Wozniak (co-founder of Apple), Divya Narendra (co-founder of Harvard Connection), Gavin Wood / Bjorn Wagner (co-founders of Polkadot/Parity / Web3 Foundation) and Frank McCourt (founder / chairman of McCourt Global & Project Liberty).

We are 8

WeAre8, founded by tech entrepreneur Zoe Kalar, is a transformational social media platform designed to provide a healthier digital home for humanity. WeAre8 and the Frequency Network Foundation partner to Ignite a People-First Social Media Revolution (press release).

The People’s Platform
People are protected from toxic content, your followers actually see your posts (no controlling algorithms), and everyone benefits because the money made from advertisers on WeAre8 is shared with people, communities, charities, and planet-saving projects. It’s more than just a platform—it’s a movement towards economic liberation that shifts the power of big tech back into the hands of the people. To learn more, visit www.WeAre8.com.

Soar

Source: PR Newswire

SOAR.com strengthens commitment to individual privacy and control by implementing the Frequency Blockchain and the Decentralized Social Networking Protocol (DSNP), both developed and supported by Project Liberty in collaboration with Frequency Network Foundation. This infrastructure provides secure, decentralized access to services, giving users control over their data.

Today, SOAR.com announced plans to integrate with the Frequency blockchain, a groundbreaking move that will allow people to protect their private data while accessing cutting edge AI solutions. The plan leverages revolutionary internet infrastructure developed by the Frequency Network Foundation and Project Liberty.

In an era when data has become currency, people are tired of having their information stolen or co-opted by big platforms. SOAR.com’s Family Portal and Citizen Portal will serve as cornerstones of a secure, decentralized AI ecosystem where people can keep control over their data. SOAR.com will be a key element of a new digital landscape that finally puts people over platforms.

TikTok

Source: Website

About Us
In April 2024, President Biden signed a law that would ban TikTok in the United States unless it is sold within a year. Project Liberty, an initiative dedicated to building a better internet, is organizing a broad consortium of technologists, investors, community leaders, and creators to purchase the platform. The People’s Bid for TikTok is a once-in-a-generation opportunity for Americans to reclaim their digital identities and have a voice, choice, and stake in the future of the internet.

The People’s Bid offers an innovative alternative to the challenges of today’s social media. We plan to migrate TikTok to new digital infrastructure that prioritizes privacy and gives users control over their data – along with more opportunities to share in the economic value they create online. The core TikTok user experience would remain the same, but people – not corporations, governments, or algorithms – would have the agency to shape their digital experience.

The People’s Bid has received broad support from leading technologists, investors, and policymakers. Many of the best minds in these fields are contributing to our vision for a safer, healthier TikTok.

A reimagined TikTok can serve as the blueprint for tomorrow’s internet. Join The People’s Bid by adding your name to the pledge today.

FAQS 

More Information

Wikipedia


Maryland onAir Hub https://us.onair.cc/maryland-onair/ https://us.onair.cc/maryland-onair/#respond Sat, 28 Jun 2025 04:01:35 +0000 https://us.onair.cc/?p=46658

Summary

Maryland is located in the Southern region of the USA with Annapolis as its capital. Wes Moore (D) is Governor.

The Maryland General Assembly is the state legislature of the U.S. state of Maryland that convenes within the State House in Annapolis. It is a bicameral body: the upper chamber, the Maryland Senate, has 47 representatives, and the lower chamber, the Maryland House of Delegates, has 141 representatives. Members of both houses serve four-year terms.

OnAir Post: Maryland onAir Hub

News

Gov. Moore responds to Bridge Collapse
Governor Wes Moore, April 9, 2024 (02:46)

Two weeks ago, the Key Bridge collapsed. Six lives were lost, and our state was heartbroken. But we are determined to bring closure to the families, clear the channel, take care of everyone affected by this crisis, and rebuild the Key Bridge.

#MarylandTough and #BaltimoreStrong

Wes Moore gives update on Key Bridge
CBS News, April 4, 2024 (46:15)

Gov. Wes Moore is holding a press conference Thursday to provide updates on efforts underway following the collapse of the Francis Scott Key Bridge in Baltimore. Moore will be joined by the Unified Command, U.S. Small Business Administrator Isabel Casillas Guzman, and federal and local elected leaders.

2024 State of the State Recap
Governor Wes Moore, February 9, 2024 (01:54)

This week, I delivered my second State of the State Address. But it may have been a little long, so if you didn’t catch it, here’s what you missed.

Gov. Moore signed more than 120 bills into law
Maryland Matters, Bryan P. Sears, April 9, 2024

Gov. Wes Moore (D) signed more than 120 bills into law Tuesday. It was the first bill signing following the end of the 2024 legislative session. 

“This legislation will support the businesses and the workers that have been affected by this collapse,” Moore said during the lengthy bill-signing ceremony.

“Among the many provisions that our administration helped to craft, this bill will create a new permanent scholarship program for the families of transportation workers who died on the job,” he said. “This legislation will also allow for more flexibility in work search requirements for unemployment insurance. And the legislation will empower our administration to stay nimble and our response to the collapse even though session is now over. It does not mean that Maryland’s response will cease.”

Senate Bill 1188 and HB 1526, sponsored respectively by Senate President Bill Ferguson and Del. Luke Clippinger, both Baltimore City Democrats, were introduced in the waning days of the session and less than a week after the Francis Scott Key Bridge collapse.

Moore signed the bills Tuesday afternoon after rushing back from a meeting with Maryland’s federal legislative delegation on Capitol Hill to discuss aid for ongoing recovery and reconstruction efforts.

The emergency bills become effective upon the signature of the governor.

Moore also signed into law a second port-related act. House Bill 375 and its identical companion, SB 156, formally renamed the port in honor of Helen Delich Bentley.

Bentley covered maritime issues as a journalist and later served as chair of the federal Maritime Commission for six years. She went on to serve for a decade in Congress representing Maryland’s 2nd District.

Reducing Healthcare Spending While Improving Quality Of Care
Forbes Breaking News, March 12, 2024 (04:11)

During a Senate Budget Committee hearing last week, Sen. Chris Van Hollen (D-MD) questioned witnesses about growing healthcare costs and improving the healthcare system.

Van Hollen says “I’m not clear” on White House policy
Face the Nation, April 7, 2024 (06:44)

Democratic Sen. Chris Van Hollen of Maryland tells “Face the Nation” that “I’m not clear” on the White House’s policy toward Israel amid the war with Hamas. “The President and the White House have yet to lay out what consequences they have and they want to impose,” Van Hollen said.

About


This Maryland onAir Hub is managed by students supporting Marylanders to become more informed about and engaged in local, state, and federal politics while facilitating more civil and positive discussions with their representatives, candidates, and fellow citizens.

  • Maryland onAir is one of 50 state governance and elections hubs that the US onAir Network is providing to help reinvigorate US democracy. This post has short summaries of current state and federal representatives with links to their complete Hub posts. Students curate post content from government, campaign, social media, and public websites. Key content on the Maryland Hub is also replicated on the US onAir nation’s Hub at: us.onair.cc.
  • Maryland students will be forming onAir chapters in their colleges and universities to help curate Maryland onAir content.  As more students participate and more onAir chapters are started, we will expand to include more state and local content as well as increase the number of aircasts – student-led, livestreamed, online discussions with candidates, representatives, and the public.

Find out more about Who Represents Me in Maryland
Learn more about the US onAir Network

All hub content in onAir hubs is free to the public. Hub content is under the Creative Commons Attribution-NonCommercial license, which permits content sharing and adaptation by nonprofit organizations as long as proper attribution is given to its author(s) and it is used for non-commercial purposes. Content and moderation guidelines reinforce our commitment to fact-based, comprehensive content and civil and honest discourse.

To participate in aircast and post discussions, email usdemocracy@onair.cc and include your first name, last name, and zip code. Your real name and any other profile information will not be displayed unless you choose to do so. Your personal information is not shared with any other website or organization.

Hub membership will enable you to:

  • Participate in issue and interview aircasts (student-led livestreamed discussions);
  • Interact directly with post authors and curators giving them feedback, content suggestions, and asking questions;
  • Ask questions, make suggestions, and give endorsements to representatives.

Web Links

State Representatives

Governor Wes Moore

Current Position: Author, small business owner
Affiliation: Democrat
Former Position: CEO, Robin Hood Foundation from 2015 – 2021

Wes Moore is the 63rd Governor of the state of Maryland. He is Maryland’s first Black Governor in the state’s 246-year history, and is just the third African American elected Governor in the history of the United States.

Wes Moore, a combat veteran, bestselling author, small business owner, Rhodes Scholar and former CEO of one of the nation’s largest anti-poverty organizations, has devoted his life’s work to a basic principle: no matter your start in life, you deserve an equal opportunity to succeed – a job you can raise a family on, a future you can look forward to.

OnAir Post: Wes Moore – MD

US Representatives

Senator Ben Cardin

Current Position: US Senator
Affiliation: Democrat
Former Positions: US Representative from 1987 – 2007; State Delegate from 1967 – 1987; Attorney from 1967 – 1978
2024: Not Running for another term

Featured Quote: 
Raising the debt ceiling will allow us to pay for what we’ve already spent, our bills – trillions under the previous administration. It’s like paying off our credit card. Default would be catastrophic for our economy. #fullfaithandcredit

OnAir Post: Ben Cardin – MD

Senator Chris Van Hollen

Current Position: US Senator
Affiliation: Democrat
Former Positions: US Representative District 8 from 2003 – 2017; State Senator from 1995 – 2003; Lawyer from 1990 – 2003
Other Positions:  Chair, Subcommittee on Financial Services and General Government

In 2007, Van Hollen became the chair of the Democratic Congressional Campaign Committee (DCCC). His father was a Foreign Service officer. Van Hollen worked as a legislative assistant for defense and foreign policy to U.S. Senator Charles Mathias and a legislative advisor for federal affairs to Maryland Governor William Donald Schaefer. He joined the law firm of Arent Fox.

Featured Quote: 
Our Budget Framework invests in workers, families, & our economy. For starters, that means: -Continuing monthly Child Tax Credit payments -Expanding Medicare for hearing, vision & dental -Reducing the $ of Rx Drugs We’ll lower costs for working people across the board.

OnAir Post: Chris Van Hollen – MD

Andy Harris MD-01

Current Position: US Representative of MD District 1 since 2011
Affiliation: Republican
Former Position: State Senator from 1999 – 2011
District:  Eastern Shore of Maryland, including Salisbury, as well as Harford County and parts of Baltimore County
Upcoming Election:

Harris served in the Navy Medical Corps and the U.S. Naval Reserve as a lieutenant commander on active duty during Operation Desert Storm. He previously worked as an anesthesiologist,  an associate professor of anesthesiology and critical care medicine, and as chief of obstetric anesthesiology at the Johns Hopkins Hospital.

Featured Quote: 
I’m proud to have joined @RepTenney on an amicus brief to SCOTUS to overturn the NY restrictive concealed carry law. A successful ruling in this case could very well overturn the impossibly restrictive “good cause” requirements to obtain a CC license in many states including MD.

OnAir Post: Andy Harris MD-01

Johnny Olszewski MD-02

John Anthony Olszewski Jr. (born September 10, 1982), also known by his nickname Johnny O, is an American politician who is a member of the U.S. House of Representatives from Maryland’s 2nd congressional district. He is also the 14th and current county executive of Baltimore County, Maryland.

Olszewski first ran for the U.S. House of Representatives in 2024, defeating state delegate Harry Bhandari in a landslide in the Democratic primary and defeating radio host Kimberly Klacik in the general election. He will be sworn in on January 3, 2025.

Sarah Elfreth MD-03

Sarah Kelly Elfreth (born September 9, 1988) is an American politician who has served as a member of the Maryland Senate representing the 30th district since 2019.

Elfreth won the 22-way Democratic primary in the U.S. House of Representatives election in Maryland’s 3rd congressional district and then defeated the Republican nominee in the general election. She will be sworn in on January 3, 2025.

OnAir Post: Sarah Elfreth MD-03

Glenn Ivey MD-04

Current Position: US Representative of MD District 4 since 2023
Affiliation: Democrat
Former Position: State’s attorney for Prince George’s County, Maryland, from 2002 to 2011.
District:  Most of Prince George’s County and a small portion of Montgomery County.
Upcoming Election:

Ivey served on Capitol Hill as chief counsel to Senate majority leader Tom Daschle, as counsel to U.S. senator Paul Sarbanes during the Whitewater controversy, as chief majority counsel to the Senate Banking Committee, and on the staff of U.S. representative John Conyers. He also worked for U.S. attorney Eric Holder as an assistant U.S. attorney and as chair of the Maryland Public Service Commission.

OnAir Post: Glenn Ivey MD-04

Steny Hoyer MD-05

Current Position: US Representative of MD District 5 since 1981
Affiliation: Democrat
Former Position: State Senator from 1967 – 1978; House Majority Leader
District: All of Charles, St. Mary’s, and Calvert counties, as well as portions of Prince George’s and Anne Arundel counties.
Upcoming Election:

Steny Hoyer was House Majority Leader from 2007 to 2011 and again from 2019 to 2023. From 1962 to 1966, Hoyer was a member of the staff of U.S. Senator Daniel Brewster; also on Brewster’s staff at that time was Nancy Pelosi. He earned his J.D. degree from Georgetown University Law Center in 1966.

Featured Quote: 
In the first 200 days of the 117th Congress, House Democrats have delivered results for Americans. Take a look at the significant legislative accomplishments that House Democrats have advanced during this Congress #ForThePeople:

OnAir Post: Steny Hoyer MD-05

April McClain-Delaney MD-06

April Lynn McClain-Delaney[1] (née McClain; born May 28, 1964) is an American lawyer, government official, and politician who served as an official of the U.S. Department of Commerce during the Biden administration.

A member of the Democratic Party, in 2024 she won the U.S. House of Representatives election in Maryland’s 6th congressional district after prevailing from a crowded primary and defeating Republican former state delegate Neil Parrott in the general election.

She is the wife of former Congressman John Delaney, who represented the 6th district from 2013 to 2019.

Source: Wikipedia

OnAir Post: April McClain-Delaney MD-06

Kweisi Mfume MD-07

Current Position: US Representative of MD District 7 since 2021
Affiliation: Democrat
Other Positions: House Committee on Small Business; Subcommittee on Contracting and Infrastructure
District: Almost the entire city of Baltimore and some of Baltimore County
Upcoming Election:

Kweisi Mfume first served as 7th district representative from 1987 to 1996. Mfume first left his seat to become the president and CEO of the National Association for the Advancement of Colored People (NAACP), a position he held from 1996 to 2004. Mfume returned to his former House seat in 2020 after it was left vacant by the death of Elijah Cummings.

Featured Quote: 
Spread the word- we passed a new child tax credit and you may be eligible for cash payments beginning July 15, 2021. Visit http://childtaxcredit.gov for details. #ChildTaxCredit

OnAir Post: Kweisi Mfume MD-07

Jamie Raskin MD-08

Current Position: US Representative of MD District 8 since 2017
Affiliation: Democrat
Other Positions:  Committee on House Administration; Subcommittee on Civil Rights and Civil Liberties
Former Position: Constitutional law professor from 1990 – 2006
District:  DC suburbs, including Bethesda, Chevy Chase, and Potomac and Rockville and Silver Spring.
Upcoming Election:

Raskin co-chairs the Congressional Freethought Caucus. He was the lead impeachment manager (prosecutor) for the second impeachment of President Donald Trump in response to the attack on the U.S. Capitol.[3][4] Before his election to Congress, Raskin was a constitutional law professor at American University Washington College of Law and co-founder of the Marshall-Brennan Constitutional Literacy Project.

Featured Quote: 
When violent insurrectionists assault police officers, smash windows and storm the Capitol, most of us see terrorists. Rep. Clyde sees “tourorists,” a whole new form of riot denial.

OnAir Post: Jamie Raskin MD-08

More Information

Wikipedia


]]>
https://us.onair.cc/maryland-onair/feed/ 0
AI2 Nexus https://us.onair.cc/ai2-nexus/ https://us.onair.cc/ai2-nexus/#respond Wed, 25 Jun 2025 11:05:12 +0000 https://us.onair.cc/?p=71563

George Mason is building a nexus of collaboration and resources on campus, throughout the region with our vast partnerships, and across the state, called AI2Nexus.

As a model for universities, AI2Nexus is based on four key principles: Integrating AI to transform education, research, and operations; Inspiring with AI to advance higher education and learning for the future workforce; Innovating with AI to lead in responsible AI-enabled discovery and advancements across disciplines; and Impacting with AI to drive partnerships and community engagement for societal adoption and change.

George Mason University is driving rapid AI adoption and advancements across the Commonwealth.

As the largest and most diverse university in Virginia, just outside Washington, D.C., George Mason University is leading the future of inclusive artificial intelligence (AI) and developing responsible models for AI research, education, workforce development, and community engagement within a modern university.

As AI reshapes industries, George Mason combines fearless ideas that harness the technology’s boundless potential to address the world’s grand challenges, while creating guardrails based on informed, transdisciplinary research around ethical governance, regulatory oversight, and social impact.

Led by the university’s inaugural vice president and chief artificial intelligence officer (CAIO) Amarda Shehu with an AI Visioning Task Force, George Mason is reimagining operational excellence in every facet of the university.

Source: AI Webpage

OnAir Post: AI2 Nexus

]]>

News

George Mason University will offer a master of science in artificial intelligence (AI) starting this fall, becoming Virginia’s first public university to offer a stand-alone master’s degree in this field.  

Recently approved by the State Council of Higher Education for Virginia (SCHEV), the degree will equip the next generation of AI innovators with a rigorous, interdisciplinary curriculum blending foundational theory with real-world applications, ensuring graduates are prepared to address complex challenges in industry and government. 

Amarda Shehu, inaugural vice president and chief AI officer, associate dean for research in the College of Engineering and Computing, and professor in the Department of Computer Science, said, “Seeing this vision come to life has been incredibly rewarding, and I am deeply honored to have led this effort to create a program that will shape the future of AI talent in Virginia and beyond.” 

Courses will span core domains such as machine learning foundations and practice; planning and decision-making for intelligent agents; and deep learning fundamentals, providing students with the expertise to build, deploy, and evaluate AI systems across various computing platforms.

 “We had to completely rethink how we teach AI to students,” added Shehu. “Rather than hiding such courses behind long chains of prerequisites, the challenge that we answered is how to design these courses to be largely self-containing and yet offer a rigorous foundation in AI.”

Vadim Sokolov, associate professor, Department of Systems Engineering and Operations Research, was one of the leading faculty in the working group designing curriculum. With his mathematics background and his extensive experience teaching the first deep learning course on campus in 2017, Sokolov has great interest in the field and what this means for students. “The idea is students are not just ‘prompt engineers’ but are supposed to understand the basics of the models and be able to tune them and train them for specific tasks.” 

Sokolov added that the program is unique in how it enhances this foundation with real-world settings. According to the program, students will be adept in managing the full machine learning operations lifecycle, integrating open-source AI frameworks, and developing secure, scalable AI solutions while effectively collaborating with cross-functional teams and communicating complex AI concepts to diverse stakeholders.  

“This program is carefully designed to meet the needs of our community, whether that is government or business, but it also provides a holistic experience to students, from AI ethics to AI policy, and from scalable and secure AI to advanced AI solutions,” Sokolov said.

Shehu said, “As AI transforms the way we work, govern, and live, this master’s degree program is more than just a response to demand—it is a commitment to preparing students with both the technical expertise and ethical grounding to shape the future of AI responsibly.” 

At last week’s Board of Visitors meeting, George Mason University’s Vice President and Chief AI Officer Amarda Shehu rolled out a new model for universities to advance a responsible approach to harnessing artificial intelligence (AI) and drive societal impact. George Mason’s model, called AI2Nexus, is building a nexus of collaboration and resources on campus, throughout the region with our vast partnerships, and across the state.

AI2Nexus is based on four key principles: “Integrating AI” to transform education, research, and operations; “Inspiring with AI” to advance higher education and learning for the future workforce; “Innovating with AI” to lead in responsible AI-enabled discovery and advancements across disciplines; and “Impacting with AI” to drive partnerships and community engagement for societal adoption and change.

Shehu said George Mason can harness its own ecosystem of AI teaching, cutting-edge research, partnerships, and incubators for entrepreneurs to establish a virtuous cycle between foundational and user-inspired AI research within ethical frameworks.

As part of this effort, the university’s AI Task Force, established by President Gregory Washington last year, has developed new guidelines to help the university navigate the rapidly evolving landscape of AI technologies, which are available at gmu.edu/ai-guidelines.

Further, Information Technology Services (ITS) will roll out the NebulaONE academic platform equipping every student, staff, and faculty member with access to hundreds of cutting-edge Generative AI models to support access, performance, and data protection at scale.

“We are anticipating that AI integration will allow us to begin to evaluate and automate some routine processes reducing administrative burdens and freeing up resources for mission-critical activities,” added Charmaine Madison, George Mason’s vice president of information services and CIO.

George Mason is already equipping students with AI skills, as a leader in developing AI-ready talent prepared to compete and to bring new ideas to critical sectors like cybersecurity, public health, and government. In the classroom, the university is developing courses and curricula to better prepare our students for a rapidly changing world.

In spring 2025, the university launched a cross-disciplinary graduate course, AI: Ethics, Policy, and Society, and in fall 2025, the university is debuting a new undergraduate course open to all students, AI4All: Understanding and Building Artificial Intelligence. A master’s in computer science and machine learning, an Ethics and AI minor for undergraduates of all majors, and a Responsible AI Graduate Certificate are more examples of Mason’s mission to innovate AI education. New academies are also in development, and the goal is to build an infrastructure of more than 100 active core AI and AI-related courses across George Mason’s colleges and programs.

The university will continue to host workshops, conferences, and public forums to shape the discourse on AI ethics and governance while forging deep and meaningful partnerships with industry, government, and community organizations to offer academies to teach and codevelop technologies to meet our global society needs. State Council of Higher Education for Virginia (SCHEV) will partner with the university to host an invite-only George Mason-SCHEV AI in Education Summit on May 20-21 on the Fairfax Campus.

Virginia Governor Glenn Youngkin has appointed Jamil N. Jaffer, the founder and executive director of the National Security Institute (NSI) at George Mason’s Antonin Scalia Law School, to the Commonwealth’s new AI Task Force, which will work with legislators to regulate rapidly advancing AI technology.

How Arlington County used AI to improve emergency preparedness
CIO Dive, Lindsey Wilkinson, February 3, 2025

The Virginia county’s Department of Public Safety Communications and Emergency Management worked with George Mason University researchers to develop AI-enhanced video games for skills building.

Emergency response management is a high-stakes space. Each decision can mean life or death, which makes training and preparing for these scenarios critical.

Over the course of a year, a three-person team from George Mason University worked to improve preparedness via AI-powered games for the Department of Public Safety Communications and Emergency Management in Arlington, Virginia.

Using an iterative process and feedback from Arlington County department members, the team created two interactive games, called Go-Repair and Go-Rescue, which simulated infrastructure maintenance, resource allocation and evacuations. The dynamic learning environment provided utility managers and volunteers with a wider scope and more flexibility than traditional training methods.


New Course Creates Ethical Leaders for an AI-Driven Future
Mason News, Buzz McClain, April 10, 2025

While the debates continue over artificial intelligence’s possible impacts on privacy, economics, education, and job displacement, perhaps the largest question regards the ethics of AI. Bias, accountability, transparency, and governance of the powerful technology are aspects that have yet to be fully answered.

A new cross-disciplinary course at George Mason University is designed to prepare students to tackle the ethical, societal, and governance challenges presented by AI. The course, AI: Ethics, Policy, and Society, will draw expertise from the Schar School of Policy and Government, the College of Engineering and Computing (CEC), and the College of Humanities and Social Sciences (CHSS).

The master’s degree-level course begins in spring 2025 and will be taught by Jesse Kirkpatrick, a research associate professor in the CEC, the Department of Philosophy, and codirector of the Mason Autonomy and Robotics Center (MARC).

The course is important now, said Kirkpatrick, because “artificial intelligence is transforming industries, reshaping societal norms, and challenging long-standing ethical frameworks. This course provides critical insights into the ethical, societal, and policy implications of AI at a time when these technologies are increasingly deployed in areas like healthcare, criminal justice, and national defense.”

Debates about bias in AI systems, the governance of autonomous decision-making, and the risks of misinformation “underscore the urgency of equipping students and professionals with the tools to address the opportunities and challenges responsibly,” he added.

This course is designed for students and professionals from diverse fields, including policy, computer science, engineering, law, philosophy, and business.

“Occupations such as AI developers, policymakers, ethicists, legal advisors, and technology strategists will benefit greatly,” Kirkpatrick said. “The interdisciplinary approach ensures that participants develop insights applicable across public and private sectors, enabling them to lead responsibly in the AI-driven future.”

The course is open to George Mason students and is a core component of the university’s new graduate certificate in Responsible AI, making it an essential step for those pursuing advanced study or leadership roles in ethical AI design and governance.

In addition to critical readings and written assignments, the course incorporates hands-on components such as workshops, interactive discussions, and practical tools including algorithmic audits, ethical toolkits, and risk management frameworks.

“Students will also engage in scenario-building exercises and present collaborative projects that apply ethical AI principles to real-world challenges,” Kirkpatrick said. “The course also features distinguished guest speakers from academia, industry, and government, providing students with diverse perspectives on AI.”

As a MARC codirector, Kirkpatrick is engaged in “responsible AI” initiatives. “I bring a unique blend of academic expertise and practical experience,” he said. “My work spans creating ethical AI frameworks, consulting on AI policy, and teaching at the intersection of ethics, technology, and public policy.”

He adds, “This course reflects my commitment to equipping students with the knowledge and tools to address the profound ethical challenges and opportunities posed by AI technologies in society.”

George Mason’s Fuse at Mason Square opens with its commercial launch
Mason News, John Hollis, December 9, 2024

George Mason University gave the public its first look at Fuse at Mason Square and what’s in store for the metropolitan Washington, D.C., region with the building’s Dec. 6 commercial launch.

A state-of-the-art tech research hub intended to be a beacon for students, researchers, and entrepreneurs to come together and collaborate, Fuse will serve as the center for technological advances in the region, fostering innovation in various sectors while adding to the tech talent pipeline necessary to help fuel the economies of the region and the commonwealth of Virginia.

“The most surefire way to strengthen an innovation ecosystem is for a top-tier research university, local industry, and the community to join together in partnership,” said George Mason President Gregory Washington.

The 345,000-square-foot-building, which will welcome students in Fall 2025, features specialized labs for robotics and virtual reality and data visualization, as well as office spaces, retail, and co-working areas and classrooms.

Rep. Don Beyer, who is working toward a master’s degree in computer science at George Mason, was among the speakers to laud the project at the brief ceremony in Arlington. Photo by Ayman Rashid/Office of University Branding

Fuse cost roughly $254 million to construct, with $90 million each contributed by George Mason and the commonwealth’s Tech Talent Investment Program, as well as $78 million from Edgemoor Infrastructure and Real Estate.

George Mason announced in October that the building’s first tenant, Cybastion, a cybersecurity and digital IT company focused on emerging markets, would move into Fuse in spring 2025. The restaurant Wood & Iron will be located on the ground floor. About 75% of the building’s commercial space has been committed.

U.S. Rep. Don Beyer (D-VA), who is enrolled at George Mason and working toward a master’s degree in computer science with a concentration in machine learning, was among the speakers to laud the project at the brief ceremony in Arlington, joining Washington; Liza Wilson Durant, George Mason’s associate provost for strategic initiatives and community engagement who is also the associate dean of George Mason’s College of Engineering and Computing and director of the Northern Virginia node of the Commonwealth Cyber Initiative; Ryan Touhill, director of Arlington Economic Development; and Brian Naumick, vice president and managing director of Edgemoor.

George Mason’s Liza Wilson Durant took questions from the media about the new building.

Fuse at Mason Square supports the Tech Talent Investment Program, a 20-year initiative aimed at producing 25,000 additional tech graduates in Virginia. The building will house George Mason’s Institute for Digital Innovation and the new School of Computing, part of the College of Engineering and Computing, and will offer courses in artificial intelligence, data analytics, and cybersecurity.

Washington expects the new building to be a catalyst for economic growth. “When we started the Fuse project in April of 2022, I said then that we’re not just breaking ground on a building—we’re breaking ground on Virginia’s future,” he said. “That future begins in earnest today with the Fuse leasing grand opening.”

Missy Cummings Takes AI to New Heights at George Mason University
Northern Virginia Magazine, Dawn Klavon, December 15, 2023

One of the Navy’s first female fighter pilots brings her maverick attitude to GMU’s autonomy and robotics center.

How are universities handling the rise of artificial intelligence and robotics? George Mason, for its part, is making its mark by bringing in a maverick to shake things up. Earlier this year, the school welcomed Mary ‘Missy’ Cummings, 56, as professor and director of the Mason Autonomy and Robotics Center. Cummings, one of the Navy’s first female fighter pilots and a world-renowned AI expert, is teaching at the Fairfax campus, conducting research, and devising ways to “upskill” and “reskill” the area’s workforce in all things AI-related.

“I’m on a mission to educate people so that we’re making better decisions about how, why, when, and where to incorporate AI,” she says.

In addition to guiding the next generation of AI experts at the university, the former Duke University and MIT professor hopes to expand her reach throughout the DMV.

Virginia Activates Its Artificial Intelligence Task Force
Government Technology, News Staff, October 16, 2024

Created by executive order at the start of the year, Virginia has now set its AI Task Force in motion, aiming to support and advise policymakers on the technologies. Ten members have been named; more may follow.

Virginia will join other states in launching an Artificial Intelligence (AI) Task Force to support policymakers and government agencies in implementing the technology, Gov. Glenn Youngkin announced Wednesday.

States have taken various actions to advance AI, from establishing AI leadership positions to implementing governance. A good number have already stood up AI task forces of their own, including Alabama, Massachusetts, New Jersey, Rhode Island, Wisconsin and Washington.

Virginia’s AI Task Force was created by way of Executive Order 30 (EO 30), signed Jan. 18. The order created AI education guidelines for the classroom, implemented AI policy standards, and called for the secretary of administration to work with the director of the Office of Regulatory Management to establish such a task force. The group’s formation delivers on this order.

The following individuals make up the state’s task force: John Bailey, founder of Vestigo Partners; Bill Cleveland, former vice mayor of Alexandria, Va.; Richard Culatta, CEO of the International Society for Technology in Education; Zach Graves, executive director of the Foundation for American Innovation; Sam Hammond, senior economist of the Foundation for American Innovation; Tim Hwang, senior technology fellow at the Institute for Progress; Jamil Jaffer, professor at Antonin Scalia Law School at George Mason University; Lori Jennings, founder of Jennings ProSearch; Paige Kowalski, executive vice president at the Data Quality Campaign; and Naren Ramakrishnan, professor at Virginia Tech. More members may be added.

WASHINGTON — Don Beyer’s car dealerships were among the first in the U.S. to set up a website. As a representative, the Northern Virginia Democrat leads a bipartisan group focused on promoting fusion energy. He reads books about geometry for fun.

So, when questions about regulating artificial intelligence emerged, the 73-year-old Beyer took what for him seemed like an obvious step, enrolling at George Mason University to get a master’s degree in machine learning.

In an era when lawmakers and Supreme Court justices sometimes concede they don’t understand emerging technology, Beyer’s journey is an outlier, but highlights a broader effort by members of Congress to educate themselves about AI as they consider laws that would shape its development.

Analyzing Status of Global AI Infrastructure | JP Singh
The Brand Called You, August 12, 2023 (58:00)

S5 E016 JP Singh, Distinguished University Professor, George Mason University, USA

00:15 – About JP Singh

01:54 – Can you share some inflection points that shaped your career and life?

10:48 – What was it like to get the opportunity to study in one of the top universities in the US?

19:33 – Do you think there is going to be a realization of India’s rich history?

27:27 – What are your thoughts on the pointers that indicate India to be leading the world soon?

34:31 – What do you hope to achieve through the Minerva program?

In this conversation, we have the privilege of speaking with an accomplished individual, JP Singh, who has made significant contributions to academia, global organisations, and the advancement of human-machine partnerships.

Driven by a passion for creative problem-solving and a deep understanding of political economy, Professor Singh has embarked on a remarkable career that has spanned regional, national, and international spheres.

Through his insights, we gain a deeper understanding of the complexities of global development and the potential for technology to create a brighter future for all.

[00:15] – About JP Singh

- JP Singh is a distinguished professor at George Mason University.
- He is the co-director of the Center for Advanced Human Machine Partnership.
- Professor Singh has written 10 books and over 100 articles.
- He has advised international organisations such as UNESCO, the World Bank, and the World Trade Organization.

Advancing sensor tech for foggy situations
Mason News, Nathan Kahl, January 13, 2025

Devices that rely on sensors to accurately navigate and perceive the world around them are more and more commonplace, from drones to autonomous vehicles to ground robots on rescue missions. Parth Pathak, an associate professor in the Department of Computer Science at George Mason University, is working to ensure the sensors have 20/20 vision. 

From left, Rezoan Ahmed Nazib, Parth Pathak, and Ahmad Kamari with a rescue robot that can “see” through smoke and fog. Photo provided

Pathak received $660K in funding from the Army Research Office (ARO) for this work, some of which is done in collaboration with colleagues at the University of California, Davis, where he did his post-doc.

“Conventional sensors rely on cameras or LiDAR (light detection and ranging) to pursue objects around them, but they don’t work very well when there’s smoke, fog, or generally a visually degraded environment,” said Pathak. “But the mmwave wireless radar sensors that we are working on don’t get affected by that. If there is dirt on the sensor, well, that’s okay. They can see through things and see around things.”

Imagine a rescue robot going into a building filled with smoke, trying to navigate with little to no visibility, Pathak said. “These wireless sensors can enable them to perceive the environment and even self-localize without cameras, LiDARs, or other positioning systems.”

Another positive aspect of the devices is that while they can sense…they don’t sense too much, which is important for privacy concerns. The disadvantage, of course, is that when a sensor depicts an object such as a car, the resolution is not particularly good, and the images are “noisy.” Pathak is not just improving navigation and perception, but using multiple robots, for example, cooperatively. In a rescue mission, a swarm of robots can share their data, allowing them to collectively “see” a better picture.


“They can self-localize based on what they see, like how our brains work. But the robots only have wireless sensors to rely on, so part of the work is developing very good signatures of what they see from these very low resolution and noisy images,” said Pathak. “We can build 3D models of a room by scanning it through the wireless sensors and using machine learning to capture and recreate every minute detail. This is something that these sensors were never designed for. We are developing custom-tailored deep learning models of wireless sensing, essentially pushing the limits of what they can perceive using wireless signals.”

In addition to the research, ARO’s funding also supports testbed-to-prototype development and solution evaluation.

Pathak and colleagues published this research at the Association for Computing Machinery’s ACM Mobicom conference and have submitted it to other conferences for potential publication. Two PhD students from his team, Ahmed Kamari and Rezoan Ahmed Nazib, are working actively on the project, along with three high school students who participated in prototyping over the summer as part of George Mason’s Aspiring Scientists Summer Internship Program.

Teaching humans to play safe
Mason News, Nathan Kahl, March 4, 2024

Autonomous systems can be programmed to always make the logical, “best” decisions, given a set of circumstances. But what happens when human judgment and decision-making are introduced to a system? Xuan Wang, an assistant professor in George Mason University’s Electrical and Computer Engineering Department, is asking this question as part of a recent $344,000 grant from the National Science Foundation.

Wang stressed that this research is particularly important given technologies on the horizon. “The operation of many real-world systems involves the co-existence of human and autonomous agents. Inadequate coordination among these agents can lead to significant performance degradation or safety risks.”

Wang is turning the idea of humans controlling machines on its head. “The key novelty of this research is, instead of thinking about how humans can program robots, we are thinking about the ways that the autonomous agents can impact humans,” he says. “Assuming human response can’t be coded in the way we can control a robotic agent’s behavior, then how can we design the robot’s behavior so they’re impacting human behavior in a way that is beneficial for the overall system?”

In one of Wang’s simulations, a human and robot carry a cup of hot water, testing programmed guarantees so that when the cup spills, it only spills to the robot side of the board, protecting the human. Photo provided.

Because human agents, who are very diverse, use observations to see occurrences in the world around them and respond accordingly, traditional optimization approaches are less effective at predicting behavior. Wang says that he’ll use a framework relying on game theory, which assumes each agent has their own objective function, and that function is coupled with another agent’s decisions and actions. Then both human and autonomous agents ideally will optimize their overall behavior to coordinate across a whole system, creating a better output.

This human-response alignment mechanism is bidirectional, allowing for communication moving in opposite ways at the same time. For robots, they will investigate new approaches that allow them to adapt more intelligently to human behaviors with uncertainties; for humans, they will study how they can be incentivized during human-robot interaction so that human responses favor the efficiency and robustness of the entire system.

But how can systems—autonomous or controlled by humans—ever guarantee safety, say in the use of unpersoned vehicles?

Wang says, “When we are deriving safety criteria, there might be some uncertainties, so given the inputs of the system there will be an upper and lower bound that allows you to know what is the worst case that will happen. Given that, if all assumptions are satisfied, one can guarantee that there will be no crash.”

Wang and team are also working with the Army Research Lab to develop collaborative autonomous vehicles working in unknown environments, ensuring the vehicles can coordinate and gain advantage when there are potential threats in the environment.


George Mason University today announced an anonymous $4.85 million gift to advance groundbreaking research on bruise and injury detection for individuals who experience interpersonal violence.

The research team (from left) Janusz Wojtusiak, Katherine Scafide, and David Lattanzi. Photo by Ron Aira/Office of University Branding

The funding will help develop new tools in imaging technology using a light source that is five times better than white light for identifying and visualizing bruising across all skin tones for use by forensic nurses, social service providers, and law enforcement.

“This single largest gift to support research in the College of Public Health’s history underscores Mason faculty’s leadership in life-changing work affecting those who experience interpersonal violence,” said Melissa J. Perry, dean of the College of Public Health. “A gift of this magnitude brings transformative resources to Mason’s cross-disciplinary research and collaborative approach that takes ground-breaking research to new heights with the potential for greater use and impact.”

Mason’s acclaimed interdisciplinary research in using Alternate Light Sources for bruise detection, as featured on NBC Nightly News, is led by researchers Katherine Scafide, David Lattanzi, and Janusz Wojtusiak. The funding will expand the team’s bruise detection system that leverages artificial intelligence (AI), imaging and light technologies, forensic reports, and clinical expertise to increase data collection and access to care for trauma victims. The technology can be used across all skin tones and responds to deficits in the identification of physical injuries particularly among people with darker skin tones.


“By improving documentation of physical trauma, we hope to address disparities in clinical care which can lead to improved healthcare for all as well as legal recourse for all survivors of violence,” said Scafide, forensic nurse, research leader, and an associate professor of nursing in Mason’s College of Public Health. “This gift expands Mason’s leadership in developing new technologies to empower vulnerable communities.”

One in three women worldwide experience physical trauma at the hands of an intimate partner or stranger. In the United States, more than 10 million women and men grapple with intimate partner violence each year. Among domestic violence survivors, bruises and soft tissue trauma are the most reported injuries. When injuries are accurately documented, survivors are more likely to participate in the criminal justice process, according to recent studies on interpersonal violence and reporting. In addition, family and partner violence and elder abuse can lead to a host of other public health issues, such as infectious and noninfectious diseases, mental health trauma, and reproductive health problems.

“A vital piece to success is ensuring that any AI tool has access to in-depth data from all skin tones and skin characteristics alongside human expert analysis,” said Lattanzi, an associate professor in the Sid and Reva Dewberry Department of Civil, Environmental, and Infrastructure Engineering in the College of Engineering and Computing.

Supporters working on ending domestic violence commended the announcement.

Ruth Glenn, president of Survivor Justice Action, applauds the groundbreaking work. “In a nation where domestic violence disproportionately impacts communities of color, this innovative research holds immense promise. By prioritizing inclusivity and recognizing the unique challenges faced by survivors with darker skin tones, Scafide’s research aligns seamlessly with our vision to end domestic violence in our lifetime. Continued research on this technology not only has the potential to revolutionize the identification of bruising in diverse populations but also signifies a vital step toward justice and empowerment for those who have long been marginalized. Survivor Justice Action stands firmly in support of initiatives that demand systems change and establish resources for survivors and advocates.”

“The Scafide team’s research and findings are revolutionizing medical forensic examinations. The ability for medical professionals to visualize and identify previously ‘invisible’ injury substantively advances quality medical assessment and patient care. Visibility and documentation of trauma/ injury provide valuable forensic corroboration for law enforcement and the courts to hold offenders accountable,” said Ann Burdges, CEO of End Violence Against Women International.

This project is led by Mason’s College of Public Health in collaboration with the College of Engineering and Computing. More information on the study can be found at bruise.gmu.edu.

WASHINGTON — Don Beyer’s car dealerships were among the first in the U.S. to set up a website. As a representative, the Northern Virginia Democrat leads a bipartisan group focused on promoting fusion energy. He reads books about geometry for fun.

So, when questions about regulating artificial intelligence emerged, the 73-year-old Beyer took what for him seemed like an obvious step, enrolling at George Mason University to get a master’s degree in machine learning.

In an era when lawmakers and Supreme Court justices sometimes concede they don’t understand emerging technology, Beyer’s journey is an outlier, but highlights a broader effort by members of Congress to educate themselves about AI as they consider laws that would shape its development.

About

Overview

George Mason is building a nexus of collaboration and resources on campus, throughout the region with our vast partnerships, and across the state, called AI2Nexus.

As a model for universities, AI2Nexus is based on four key principles:

  • Integrating AI to transform education, research, and operations;
  • Inspiring with AI to advance higher education and learning for the future workforce;
  • Innovating with AI to lead in responsible AI-enabled discovery and advancements across disciplines; and
  • Impacting with AI to drive partnerships and community engagement for societal adoption and change.

Source: Website

Integrate AI: Advancing Operations with NebulaONE

George Mason is reimagining operational excellence, equipping every student, faculty member, and staff with access to hundreds of cutting-edge Gen AI models through the revolutionary NebulaONE platform rolling out in early spring.

Guidelines on the Use of Artificial Intelligence at George Mason University


AI infrastructures are a national security and human safety issue, Mason professor says

Through his Minerva Project, J.P. Singh, Schar School of Policy and Government, wants to understand “how preferences or interests from society, business, or other government actors shape policy in terms of what countries are doing with their national AI infrastructures.”

Learn more about J.P. Singh’s Minerva Project

Inspire AI: Designing Curriculum for the Future Workforce

George Mason is equipping students with AI skills, leading the way in developing AI-ready talent prepared to compete and to bring new ideas to critical sectors like cybersecurity, public health, and government. In the classroom, the university is developing courses and curriculums to better prepare our students for a rapidly changing world.

In Spring of 2025, the university launched a cross-disciplinary graduate course, AI: Ethics, Policy, and Society. In Fall 2025, the university is debuting a new undergraduate course open to all students, AI4All: Understanding and Building Artificial Intelligence. A master’s in computer science and machine learning, a master of science in AI (fall 2025), an Ethics and AI minor for undergraduates of all majors, and a Responsible AI Graduate Certificate are more examples of Mason’s mission to innovate AI education. New academies are also in development.

READ: George Mason launches Virginia’s first public master’s degree in AI

Research using AI to track Amazon rainforest species produces landmark results

George Mason students receive real-world, hands-on experience with AI. An example is the team of undergraduate researchers that worked under researcher David Luther to analyze acoustic recordings from the tropics to identify animals. Hear more about Luther’s tracking research.

Thanks to the tenacity of a George Mason University biology professor, animals in the Amazon have a lot less privacy these days, but that’s good for scientists who want to know what’s going on in the Brazilian rainforests.

Innovate with AI: Building a Responsible Ecosystem

Fuse Building construction at Mason Square. Photo by: Ron Aira/Creative Services/George Mason University

Fuse at Mason Square fosters collaboration and innovation by creating spaces for students and researchers to work side-by-side with industry leaders. View the space.

George Mason’s ecosystem of AI teaching, cutting-edge research, and incubators for entrepreneurs foster interdisciplinary collaborations and substantiate a virtuous cycle between foundational and user-inspired AI research within ethical frameworks.

The university hosts workshops, conferences, and public forums to shape the discourse on AI ethics and governance while forging deep and meaningful partnerships with industry, government, and community organizations to co-develop impactful AI technologies for a richly diverse global society.

George Mason partners with tech leaders like Google and Amazon Web Services to offer certifications in data analytics, cybersecurity, and cloud computing, enhancing student expertise.

Impact AI: Driving Community Engagement and Adoption

George Mason is tackling the world’s most urgent challenges with a purpose and vision for societal change. The university’s AI-in-Government Council is a partnership between academia, public-sector tech providers, and government. It is a trusted resource for advancing AI approaches, governance frameworks, and robust guardrails to guide the development and deployment of responsible AI in government. Leading experts and faculty also participate in statewide efforts.

George Mason collaborates with other universities across the country to bring together experts and students to advance research. Gentopia, with North Carolina State University, George Mason University, and Carnegie Mellon University, aims to push the boundaries of natural language processing. Gentopia lets researchers develop and share tool-augmented natural language models and discover new ways of using them for various tasks and domains.

Virginia governor Glenn Youngkin has appointed Jamil N. Jaffer, the founder and executive director of the National Security Institute (NSI) at George Mason’s Antonin Scalia Law School, to his new AI Task Force, which will work with legislators to regulate rapidly advancing AI technology. Learn about Jaffer’s appointment to the AI Task Force.

LISTEN to Access to Excellence Podcast — EP 59: Jamil Jaffer: Cybersecurity and the global threats of tomorrow

Web Links

Videos

Welcome, Amarda Shehu | Chief Artificial Intelligence Officer

(01:18)
By: George Mason University

George Mason University has named Associate Vice President for Research for the Institute for Digital Innovation (IDIA) Amarda Shehu as the university’s inaugural vice president and chief artificial intelligence officer (CAIO). In this role, Shehu will lead the strategy and implementation of AI across research, academics, and partnerships for the university, maximizing opportunity and adoption in addressing the world’s grand challenges while leading on ethical considerations, governance, and risk mitigation.

J.P. Singh | Artificial Intelligence

September 15, 2023 (02:17)
By: George Mason University

As companies and consumers rush to figure out just what artificial intelligence (AI) applications can do, J. P. Singh is more concerned about how these technologies are created. A Distinguished University Professor with Mason’s Schar School of Policy and Government and co-director of @georgemasonuniversity‘s Center for Advancing Human-Machine Partnership (CAHMP), Singh’s research focuses on how cultural preferences can shape both global policy and technology.

Learn more about Singh at https://www.gmu.edu/different

David Luther | Biodiversity in Tropical Rainforest

November 25, 2024 (01:36)
By: George Mason University


Discover more: https://www.gmu.edu/news/2024-11/rese

Research Centers

Explore more AI research News at George Mason

Mason Autonomy and Robotics Center (MARC)

Source: Website

The Mason Autonomy and Robotics Center (MARC) conducts research and provides unique educational opportunities to address local and global needs in autonomy, embedded artificial intelligence (AI), and robotics.

Our interdisciplinary activities take a holistic approach to growing technological demands by combining computer science, electrical and mechanical engineering, systems engineering, psychology, philosophy, and policy education and research.

Working in conjunction with our other research affiliates and technology partners has created a proven and repeatable technology development program, uniting faculty, students, government agencies, and corporate sponsors.

OnAir Post: Mason Autonomy and Robotics Center (MARC)

C5I Center of Excellence

Source: Website

The C5I (Center of Excellence in Command, Control, Communications, Computing, Cyber and Intelligence) at George Mason University is the nation’s first and only civilian university-based entity offering a comprehensive academic and research program in military applications of information technology and cyber security.

Vision

To serve as a multi-disciplinary hub connecting faculty and researchers with interests in the Center’s mission and be widely recognized as a premier source of knowledge and innovation to military and civilian authorities.

Mission

The Center’s mission is to perform advanced research in defense, intelligence, and security-related applications in IT and Cyber; bridging cultural gaps and aligning requirements between government, industry, and academia.

OnAir Post: GMU C5I

People

Amarda Shehu

Source: CEC webpage

Shehu is an accomplished administrator, teacher, and scholar. She currently serves as George Mason’s Inaugural VP and Chief AI Officer, in which capacity she also continues to provide leadership for the Institute for Digital InnovAtion (IDIA), for which she served as Associate Vice President for Research between 2022 and 2024.

Shehu also serves as an Associate Dean for AI Innovation in the College of Engineering and Computing (CEC), where she is also a tenured Professor in the Department of Computer Science.

OnAir Post: Amarda Shehu

Missy Cummings

Source: CEC webpage

A naval officer and military pilot from 1988-1999, Cummings was one of the U.S. Navy’s first female fighter pilots. She is now the director of Mason’s Autonomy and Robotics Center (MARC) and a professor at George Mason University. She holds faculty appointments in the Mechanical Engineering, Electrical and Computer Engineering, and Computer Science departments. She is an American Institute of Aeronautics and Astronautics (AIAA) Fellow and recently served as the senior safety advisor to the National Highway Traffic Safety Administration.

Cummings received her BS in Mathematics from the U.S. Naval Academy in 1988, her MS in Space Systems Engineering from the Naval Postgraduate School in 1994, and her PhD in Systems Engineering from the University of Virginia in 2004.

OnAir Post: Missy Cummings

J.P. Singh

Source: Schar webpage

J.P. Singh is Distinguished University Professor at George Mason University (USA), and Richard von Weizsäcker Fellow with the Robert Bosch Academy, Berlin. He is also co-director of the Center for Advancing Human-Machine Partnership (CAHMP) at George Mason.

Singh has published 10 books and over 100 articles. His latest books are Cultural Values in Political Economy (2020) and Sweet Talk: Paternalism and Collective Action in North-South Trade Negotiations (Stanford, 2017).

OnAir Post: J.P. Singh

Jesse Kirkpatrick

Source: GMU webpage

Jesse Kirkpatrick is a Research Associate Professor, Acting Director of the Institute for Philosophy and Public Policy, and Co-director of the Mason Autonomy and Robotics Center (MARC) at George Mason University.

Jesse is also an International Security Fellow at New America and serves as a consultant for numerous organizations. His most recent consulting engagement is with Noblis Inc., a non-profit science, technology, and strategy organization that delivers technical and advisory solutions to federal government clients, where he is a member of the Responsible Artificial Intelligence Committee; AI Review Board; and Biosafety and Bioethics Committee.

OnAir Post: Jesse Kirkpatrick

Alan R. Shark

Source: Schar webpage

Alan R. Shark is an associate professor in the School of Policy and Government at George Mason University. His research focuses on technology leadership, artificial intelligence, emerging technologies, governance, cybersecurity, and civic engagement.

In addition, he formerly served 20 years as executive director of the Public Technology Institute (PTI).

OnAir Post: Alan R. Shark

Janusz Wojtusiak

Source: Public Health page

Dr. Wojtusiak, Professor of Health Informatics and Director of the Machine Learning and Inference Laboratory, has expertise that spans machine learning, health informatics, artificial intelligence in clinical decision support and knowledge discovery in medical data, and a wide range of applications of these fields in health care. His particular area of interest is in developing algorithms that derive simple, transparent and usable models from complex health data to predict patient and population outcomes. He studies how to create and evaluate reproducible, unbiased and trustworthy algorithms and models.

Dr. Wojtusiak serves as the Division Director for Health Informatics in the Department of Health Administration and Policy. He oversees undergraduate, master’s and doctoral programs in health informatics. Dr. Wojtusiak teaches several courses focused on machine learning, data mining, artificial intelligence and computing applied in medicine, healthcare and individual/population health.

He authored or co-authored over 100 research publications and presentations and continues to collaborate with multiple national and international institutions.

OnAir Post: Janusz Wojtusiak

Thema Monroe-White

Source: GMU page

Thema (pron: Tay-mah) Monroe-White is an Associate Professor of Artificial Intelligence and Innovation Policy in the Schar School of Policy and Government and Department of Computer Science (joint) at George Mason University. Her broad interests include bias mitigation in artificial intelligence (AI), critical quantitative and computational methods, and racial equity in innovation and entrepreneurship (I&E).

As an interdisciplinary scholar, her work explores the systemic biases that affect the workforce and educational journeys of racially minoritized groups within science, technology, engineering, and mathematics (STEM) fields. She is particularly concerned with understanding the pathways to achieving social and economic empowerment for minoritized groups via I&E, AI literacy, and emancipatory data science.

OnAir Post: Thema Monroe-White

Dasha Pruss

Source: GMU webpage

Dasha Pruss is an Assistant Professor of Philosophy and Computer Science at George Mason University and a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University.

Previously, she was a 2023-2024 fellow at the Berkman Klein Center and a postdoctoral fellow in the Embedded EthiCS program at Harvard University. In 2023 she received her PhD in history & philosophy of science from the University of Pittsburgh, where she was a National Science Foundation fellow, and she holds a BS in computer science.

Dr. Pruss draws on interdisciplinary methods from critical data studies, feminist philosophy of science, and the qualitative social sciences to examine how AI systems shape (and are shaped by) their social contexts. Her research critically interrogates the social impacts of algorithmic decision-making systems promoted by ‘evidence-based’ reforms in the US criminal legal system.

In 2024, she organized Prediction and Punishment: Cross-Disciplinary Workshop on Carceral AI, which brought together scholars and activists from around the world to address technologies designed to police, incarcerate, surveil, and control human beings. Dr. Pruss is also an activist and has co-organized efforts to ban facial recognition and predictive policing in the city of Pittsburgh.

OnAir Post: Dasha Pruss

Programs

Master of Science in AI

Source: Website

Launching in Fall 2025, Master of Science in AI

The rapid adoption of artificial intelligence across industries and government is revolutionizing business practices, enhancing public services, and reshaping the workforce. As artificial intelligence transforms an increasing number of economic sectors, decision-making across the government, and daily life, there is a growing demand for professionals who can ethically design, interpret, and deploy artificial intelligence systems.

Become an AI Innovator

Enroll in the Master of Science (MS) in Artificial Intelligence, a cutting-edge graduate program in the College of Engineering and Computing. Designed to equip the next generation of AI innovators, this program offers a solid, interdisciplinary education that blends foundational theory with real-world application, preparing graduates to address complex challenges in industry, government, and beyond.

OnAir Post: Master of Science in AI

Ethics and AI Minor

Source: GMU Catalog

This minor is designed to equip students to tackle the moral complexity of AI-enabled technologies. It provides students with core competencies for thinking critically about the impact of AI in social and global contexts and allows them to apply their knowledge and skills via case studies, debates, and individual or team projects.

The minor seeks to make ethical and social considerations a forethought in the design, development, deployment, and use of AI-related technologies. Given the role of AI-enabled technologies in our increasingly digital society, the minor is of relevance to all Mason students as engaged citizens and offers vital competencies to those planning for careers in such areas as computing and technology, government, public policy, health, law, education, and the media.

OnAir Post: Ethics and AI Minor

Responsible AI Graduate Certificate

Source: GMU Catalog

The graduate certificate in Responsible AI provides students with the fundamentals of artificial intelligence (AI), how AI systems are architected, the principles of systems engineering as they relate to AI systems, theories of AI safety and risk, how to test and evaluate such systems to meet risk thresholds, and how to identify ethical, legal and regulatory issues that arise in such systems.

Students will be prepared to develop and manage complex systems with embedded AI, including identifying unique requirements for systems with embedded AI, testing and certifying these systems, and defining and maintaining safe levels of performance for deployed AI. Graduates will also be able to develop acquisition plans for complex systems with embedded AI, and develop AI maintenance programs including auditing. Areas of application include safety-critical physical systems like self-driving cars, air taxis and health applications, as well as software-based systems like financial and banking systems, and those that support education and research.

OnAir Post: Responsible AI Graduate Certificate
