Hackers, Hoodies, and Helmets: Technology and the changing face of Russian private military contractors

The first time Russia invaded Ukraine in the twenty-first century, the Wagner Group was born. The now widely profiled private military company (PMC) played an important role in exercising Russian national power over the Crimea and portions of the Donbas—while giving Moscow a semblance of plausible deniability. In the near decade since, the Russian PMC sector has grown considerably, and is active in more than a dozen countries around the world. PMCs are paramilitary organizations established and run as private companies—though they often operate in contract with one or more states. They are profit-motivated, expeditionary groups that make a business of the conduct of war. PMCs are in no way a uniquely Russian phenomenon, yet the expanding footprint of Russian PMCs and their links to state interests call for a particularly Russian-focused analysis of the industry. The growth of these firms and their direct links to the Kremlin's oligarch network as well as Moscow's foreign media, industrial, and cyber activities present a challenge to the United States and its allies as they seek to counter Russian malicious activities abroad.The accelerating frequency of PMCs found operating around the world and the proliferation of private hacking, surveillance, and social media manipulation tools suggest that Russian PMCs will pose diverse policy challenges to the United States and allies going forward. This issue brief seeks to offer an initial exploration of these questions in the context of how these PMCs came about and how they are employed today. The section below addresses the origin and operations of PMCs in Russian international security strategy, and also profiles the changing role of technology in conflict and the activities of these PMCs. The last section closes with a set of open research questions

Making Democracy Harder to Hack

With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary Jeh Johnson’s decision to classify elections as critical infrastructure in January 2017—in the U.S., using the 2016 elections as a case study, but putting the issue in a global context, with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance

Weary Giants of Flesh and Steel: Three Articles on the State and Information Security

This dissertation explores the dynamic of control between politics and technology, looking at three particular facets – assimilation, restriction, and standardization – as examples of the evolving relationship between the state and information security. Chapter 1 looks at the process of assimilation as the state attempts to use information security toward its own ends. Critiquing contemporary arguments on the presence of an offensive advantage in information security, this chapter breaks open the previously black boxed process of developing and deploying offensive capabilities by the state. Particularly, it examines how the software development process impacts, and often limits, the state’s ability to employ malicious tools especially in lieu of conventional alternatives like precision guided bombs. Advancing the argument that there is substantial complexity in the offensive process, the chapter concludes that existing assumptions for ease of use and the likelihood of rapid escalation prevalent in literature on the topic are exaggerated owing to the challenges in assimilating and employing information security tools in a conflict environment. Chapter 2 takes up the question of control through restriction, explaining the repeated use of export controls to regulate the diffusion of information security products globally. Set against a collection of legal tools seemingly ill-fitted to controlling the flow of software, the Departments of Commerce, State, and Defense have persisted in the application of export controls to limit trade in information security products. Rather than adapt to a changing commercial and research environment or craft policy tools better suited to curtail the spread of information security products abroad, the U.S. continued to apply and only moderately tweak the composition of export controls despite their limited effectiveness. This chapter explains the selection of these controls and their persistence as a product of boundedly rational behavior to minimize transaction costs and change in standard operating procedures, even at the cost of reduced regulatory efficacy. Chapter 3 looks at standardization, trying to answer if the recent emergence of the information security insurance industry as a means of private governance is a product of the state’s failure to set and enforce standards or the private sector’s opportunistic action to lock in material benefit. Synthesizing previous state efforts to create standards with literature on private governance and its internal debates, the chapter examines the history and process of insurance. It argues that a market driven enforcement mechanism was key to providing financial benefit to companies willing to lead in the governance process

A primer on the proliferation of offensive cyber capabilities

Offensive cyber capabilities run the gamut from sophisticated, long-term disruptions of physical infrastructure to malware used to target human rights journalists. As these capabilities continue to proliferate with increasing complexity and to new types of actors, the imperative to slow and counter their spread only strengthens. But to confront this growing menace, practitioners and policy makers must understand the processes and incentives behind it. The issue of cyber capability proliferation has often been presented as attempted export controls on intrusion software, creating a singular emphasis on malware components. This primer reframes the narrative of cyber capability proliferation to be more in line with the life cycle of cyber operations as a whole, presenting five pillars of offensive cyber capability: vulnerability research and exploit development, malware payload generation, technical command and control, operational management, and training and support. The primer describes how governments, criminal groups, industry, and Access-as-a-Service (AaaS) providers work within either self-regulated or semi-regulated markets to proliferate offensive cyber capabilities and suggests that the five pillars give policy makers a more granular framework within which to craft technically feasible counterproliferation policies without harming valuable elements of the cybersecurity industry. These recommended policies are developed in more detail, alongside three case studies of AaaS firms, in our companion report, Countering Cyber Proliferation: Zeroing in on Access as a Service

Making Democracy Harder to Hack

With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary Jeh Johnson’s decision to classify elections as critical infrastructure in January 2017—in the U.S., using the 2016 elections as a case study, but putting the issue in a global context, with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance

Evaluating a novel high-density EEG sensor net structure for improving inclusivity in infants with curly or tightly coiled hair

Electroencephalography (EEG) is an important tool in the field of developmental cognitive neuroscience for indexing neural activity. However, racial biases persist in EEG research that limit the utility of this tool. One bias comes from the structure of EEG nets/caps that do not facilitate equitable data collection across hair textures and types. Recent efforts have improved EEG net/cap design, but these solutions can be time-intensive, reduce sensor density, and are more difficult to implement in younger populations. The present study focused on testing EEG sensor net designs over infancy. Specifically, we compared EEG data quality and retention between two high-density saline-based EEG sensor net designs from the same company (Magstim EGI, Whitland, UK) within the same infants during a baseline EEG paradigm. We found that within infants, the tall sensor nets resulted in lower impedances during collection, including lower impedances in the key online reference electrode for those with greater hair heights and resulted in a greater number of usable EEG channels and data segments retained during pre-processing. These results suggest that along with other best practices, the modified tall sensor net design is useful for improving data quality and retention in infant participants with curly or tightly-coiled hair

Neoadjuvant Atezolizumab With Gemcitabine and Cisplatin in Patients With Muscle-Invasive Bladder Cancer: A Multicenter, Single-Arm, Phase II Trial.

PURPOSE: Neoadjuvant gemcitabine and cisplatin (GC) followed by radical cystectomy (RC) is standard for patients with muscle-invasive bladder cancer (MIBC). On the basis of the activity of atezolizumab (A) in metastatic BC, we tested neoadjuvant GC plus A for MIBC. METHODS: Eligible patients with MIBC (cT2-T4aN0M0) received a dose of A, followed 2 weeks later by GC plus A every 21 days for four cycles followed 3 weeks later by a dose of A before RC. The primary end point was non-muscle-invasive downstaging to \u3c pT2N0. RESULTS: Of 44 enrolled patients, 39 were evaluable. The primary end point was met, with 27 of 39 patients (69%) \u3c pT2N0, including 16 (41%) pT0N0. No patient with \u3c pT2N0 relapsed and four (11%) with ≥ pT2N0 relapsed with a median follow-up of 16.5 months (range: 7.0-33.7 months). One patient refused RC and two developed metastatic disease before RC; all were considered nonresponders. The most common grade 3-4 adverse event (AE) was neutropenia (n = 16; 36%). Grade 3 immune-related AEs occurred in five (11%) patients with two (5%) requiring systemic steroids. The median time from last dose of chemotherapy to surgery was 7.8 weeks (range: 5.1-17 weeks), and no patient failed to undergo RC because of AEs. Four of 39 (10%) patients had programmed death-ligand 1 (PD-L1)-positive tumors and were all \u3c pT2N0. Of the patients with PD-L1 low or negative tumors, 23 of 34 (68%) achieved \u3c pT2N0 and 11 of 34 (32%) were ≥ pT2N0 ( CONCLUSION: Neoadjuvant GC plus A is a promising regimen for MIBC and warrants further study. Patients with \u3c pT2N0 experienced improved relapse-free survival. The PD-L1 positivity rate was low compared with published data, which limits conclusions regarding PD-L1 as a predictive biomarker