Trey Herr

Trey Herr is the director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His team works on the role of the technology industry in geopolitics, cyber conflict, the security of the internet, cyber safety and growing a more capable cybersecurity policy workforce.

Subscribe to this Lawfare contributor via RSS.

Cybersecurity

Cascading Security Through the Internet of Things Supply Chain

Trey Herr, Nathaniel Kim, Bruce Schneier Mon, Jun 29, 2020, 8:01 AM

The “internet of things” supply chain has been a channel for risk into our homes. We can use that same channel to push security back up through the supply chain.

Read more about Cascading Security Through the Internet of Things Supply Chain

Cybersecurity

Software Liability Is Just a Starting Point

Trey Herr Thu, Apr 23, 2020, 9:47 AM

To meaningfully change the software ecosystem, liability policies must also establish clear security standards, apply them to the whole supply chain and create incentives for organizations to apply patches quickly.

Read more about Software Liability Is Just a Starting Point

Cybersecurity

Better to Be Realistic About the Security Opportunities of Cloud Computing

Trey Herr Tue, Mar 17, 2020, 3:36 PM

How to map a more effective security strategy for cloud computing.

Read more about Better to Be Realistic About the Security Opportunities of Cloud Computing

Cybersecurity

What You See Is What You Get: Revisions to Our Paper on Estimating Vulnerability Rediscovery

Trey Herr, Bruce Schneier Thu, Jul 27, 2017, 3:18 PM

We recently published a paper on the rediscovery of software vulnerabilities. This was the final version of a paper that had been in the works since September, peer-reviewed by the WEIS community during the winter, and then circulated for additional revision in early March. Since publication, two mistakes have come to light.

Read more about What You See Is What You Get: Revisions to Our Paper on Estimating Vulnerability Rediscovery

Cybersecurity

Rediscovering Vulnerabilities

Trey Herr, Bruce Schneier Fri, Jul 21, 2017, 11:30 AM

Software and computer systems are a standard target of intelligence collection in an age where everything from your phone to your sneakers has been turned into a connected computing device. A modern government intelligence organization must maintain access to some software vulnerabilities into order to target these devices. However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched.

Read more about Rediscovering Vulnerabilities

Cyber & Technology

Ransomware Remixed: The Song Remains the Same

Trey Herr Wed, Jun 28, 2017, 10:11 AM

Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and professionals (though nothing yet from the White House).

Read more about Ransomware Remixed: The Song Remains the Same

Cybersecurity: Legislation

PATCH: Debating Codification of the VEP

Mailyn Fidler, Trey Herr Wed, May 17, 2017, 5:46 PM

Today a bipartisan group of lawmakers introduced in both the House and Senate a bill that would formalize the Vulnerability Equities Process (VEP) into law. The proposed legislation, the Protecting our Ability To Counter Hacking (PATCH) Act, is sponsored by Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) (all members of the Senate Committee on Commerce, Science, and Transportation) and Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas).

Read more about PATCH: Debating Codification of the VEP