Depending on who you read or talk to, the reaction has been split between measured optimism and alarm about the model’s capabilities. The UK’s AI Security Institute, for instance, found that while Mythos Preview can execute multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously, its demonstrated capability is currently limited to small, weakly defended, and vulnerable enterprise systems, leaving open whether the model could successfully attack hardened environments with active defenders and detection tooling. On the other hand, Check Point warned that “the time-to-exploit window will collapse to near zero.” CrowdStrike’s CTO stated that “the window between a vulnerability being discovered and being exploited by an adversary has collapsed.” Thomas Ptacek, in an essay titled “Vulnerability Research Is Cooked,” argued that the economics of exploit development have been fundamentally altered. Anthropic itself frames the situation as a race: give defenders a head start before equivalent capabilities proliferate within six to eighteen months. But eventually, they “expect that defense capabilities will dominate: that the world will emerge more secure, with software better hardened.”

This last quote gets at the more interesting governance question beneath the headlines. Project Glasswing is an institutional response to a technological shift that could reshape the vulnerability management ecosystem. Understanding this requires tracing how the bottleneck in cybersecurity’s value chain is migrating from discovery to remediation.

The Discovery Premium Is Gone

Prompt: A recent article on Anthropic’s Mythos model touts its vulnerability discovery capabilities, with a red-team researcher ominously saying, “We basically need to start, right now, preparing for a world where there is zero lag between discovery and exploitation.” While increasing capabilities can certainly be used for malicious purposes, a very significant and functional bug bounty market exists today. Attached is some information about Mythos’ capabilities and costs to find vulnerabilities. Assuming an increase in the supply of vulnerabilities because of these new model(s), how would the more rapid discovery of vulnerabilities impact that market? 

The bug bounty market — valued at roughly $1.2 billion in 2024 and projected to grow to nearly $4 billion by 2032 — was built on a simple premise: vulnerability discovery was scarce. Finding a critical bug in a hardened codebase required elite human attention, deep domain expertise, and significant time investment. Organizations can pay large bounties per finding because the supply of people who can produce those findings is limited, and their opportunity costs are high.

The Mythos system card reports cost data that demolishes this premise. As noted, a full scan of the OpenBSD codebase — one thousand runs across the repository — cost under $20,000 and yielded several dozen findings, including a 27-year-old vulnerability in one of the most security-focused operating systems in existence. The specific run that discovered the critical TCP SACK bug cost under $50. A scan of FFmpeg, one of the most thoroughly fuzzed projects in the world, cost roughly $10,000 across several hundred runs and found a 16-year-old vulnerability that had been hit five million times by automated testing tools without being caught. Converting a known Linux kernel vulnerability into a working root privilege escalation exploit — a task that historically takes skilled researchers days to weeks — took the model under a day at a cost of under $2,000.

Given these economics, the per-vulnerability bounty model faces a classic supply shock. When the marginal cost of discovering a critical vulnerability drops from thousands or tens of thousands of dollars in researcher time to tens of dollars in API credits, the price structure that sustained the bounty ecosystem erodes. The low-hanging fruit that historically funded early-career security researchers will be found by AI first. The market won’t disappear, but it will bifurcate: commodity vulnerability discovery will be absorbed into automated scanning services, while the remaining human bounty work will concentrate on findings that models still struggle with — business logic flaws, social engineering vectors, and the complex interactions between systems that no single codebase can reveal.

The Bottleneck Migrates Upstream

Prompt: Let’s assume that Mythos and similar emerging models essentially are a substitute for identifying vulnerabilities. Presumably, these models can also be used for creating patches for those vulnerabilities, as explained in this work: https://team-atlanta.github.io/blog/post-patch-2026-ensemble/  The new bottleneck appears to be verification of patches.

If discovery is effectively commoditized, where does the supply bottleneck move? The obvious next candidate is patch generation — and here, recent work from Team Atlanta, a group of researchers from Georgia Tech, Samsung Research, KAIST, and POSTECH that won DARPA’s AI Cyber Challenge (AIxCC), provides important data.

Their evaluation tested ten agent configurations — combining four coding agent frameworks (Claude Code, Codex CLI, Copilot, Gemini CLI) with five frontier models — on 63 real crashes from the DARPA AIxCC competition. The results show that AI-generated patching has progressed remarkably fast. The best configurations now produce semantically correct patches for roughly 71% of real-world vulnerabilities, up from about 52% just one year earlier. Model choice matters more than framework choice, and the improvement trajectory is steep.

But patching isn’t the real bottleneck either. The actual bottleneck is *verification* — confirming that a generated patch actually fixes the root cause without breaking anything else. Even the best agent configuration in Team Atlanta’s evaluation still produces around 20% semantically incorrect patches. These are patches that pass every automated check — compilation, test suites, crash replay — but are actually wrong. The failure modes are revealing. The most common involves functionality being altered or broken: the patch fixes the bug but changes normal program behavior in unintended ways. The second most common is patching the symptom rather than the root cause — enlarging a buffer to prevent an overflow instead of fixing the underlying off-by-one miscalculation, or resetting a dangling pointer at the crash site rather than fixing initialization in the common API where the pointer should have been set. Other failures involve insufficient guard conditions, wrong API usage that violates trust boundaries, or fundamentally incorrect mitigation strategies.

Every one of these failure modes requires contextual judgment to detect: understanding the specification, the security model, the trust boundaries between components, and the upstream behavioral implications of a code change. Test suites validate behavior against existing expectations, not the correctness of the security property being preserved. This is precisely the kind of judgment that remains expensive, scarce, and stubbornly human (hey, hire a GT Cybersecurity grad!).

Team Atlanta’s “ensemble approach” — running multiple agents, collecting all patches that pass automated validation, and having a selector model choose the best one — improves semantic correctness rates. But it doesn’t eliminate the problem. And the researchers’ own methodology reveals the constraint: they manually reviewed all 630 generated patches and cross-validated 456 of them. The evaluation scope was limited by the human review bottleneck, not by computational cost. Models can find vulnerabilities and generate patches all day at a lower cost. For now, the constraint is judgment and having humans qualified to assess whether those patches are correct.

Glasswing as Transitional Institution

Prompt: In light of the anticipated impacts on the market, the announced institutional response, Project Glasswing, is interesting. It is unclear whether this approach would be a substitute for bug bounty markets or a complementary function, allowing vulnerabilities that enable zero-day exploits to be mitigated outside of the market mechanism.

This bottleneck migration reframes what Project Glasswing actually is. The conventional reading positions it as a vulnerability discovery initiative — Anthropic gives partners access to Mythos so they can find bugs in their systems before attackers do. But if discovery is cheap and getting cheaper, the scarce resource Glasswing actually organizes isn’t model access. It’s the institutional capacity to close the loop from discovery through *verified remediation*.

Consider the partner list. The twelve Glasswing organizations aren’t just large technology firms — they are the entities with the deepest institutional knowledge of their own codebases and application of AI to cybersecurity. Apple can verify whether a macOS patch preserves intended security properties in ways that no external researcher or automated system can replicate. The Linux kernel maintainers can assess whether a proposed fix to the TCP stack introduces subtle behavioral changes that would break upstream consumers. The value of the club isn’t only vulnerability identification; it’s the human and organizational expertise required for the verification step that AI can’t yet reliably perform.

This is a fundamentally different institutional form than the bug bounty market. Bug bounties are a “flow” mechanism: they provide continuous, decentralized incentives for independent researchers to find new vulnerabilities as software evolves. Glasswing appears to be addressing the “stock” problem — the accumulated backlog of undiscovered vulnerabilities in critical, long-lived codebases — through a coordination effort that integrates discovery, patching, and verification under a managed process. The system card’s showcase findings are paradigmatic stock problems: vulnerabilities that persisted for 16, 17, and 27 years despite decades of human review and automated testing.

But Glasswing’s institutional structure also reveals tensions. It concentrates several roles — discoverer, disclosure coordinator, and capability gatekeeper — in a single organization. In the bounty market, these roles are distributed across independent actors: the researcher discovers, the platform triages, the vendor patches. Glasswing bundles them. Anthropic acknowledges the resulting coordinated disclosure management challenge: fewer than 1% of discovered vulnerabilities have been patched, and they had to hire professional security contractors to manage the validation pipeline. The announcement that it “may become necessary to relax our stringent human-review requirements” is a direct acknowledgment that the verification bottleneck is binding even within Glasswing’s coordination.

What Comes Next

Prompt: Project Glasswing as an institutional response to technological change, i.e., the Mythos model, and the bottleneck migrating upstream from vulnerability discovery to patch verification.

The key analytical question is whether the verification bottleneck is permanent or transitional, and how it will be governed. Team Atlanta’s data shows semantic correctness improving from ~62% to ~80% in roughly one year. If that trajectory continues — and the general trend in frontier model improvement suggests it might — then verification too may become largely automatable within a few model generations, perhaps through adversarial model-on-model verification pipelines where one model generates patches, another red-teams them, and a third adjudicates like the Team Atlanta ensemble approach which already demonstrates that contrasting multiple candidate patches is informative for quality assessment.

If verification does become automatable, the entire discovery-patch-verify pipeline runs end-to-end with minimal human intervention. However, there remains a fundamental human role, a genuinely hard problem that none of this current work touches: deciding which vulnerabilities *matter*, how to prioritize remediation across an organization’s full attack surface, and how to manage the systemic risk of thousands of simultaneous patches hitting production systems. Those aren’t technically solvable problems.

In the near term, several market-level consequences seem likely. The bug bounty market won’t disappear but will restructure around verified remediation rather than raw discovery. Bounty programs that pay for a discovered vulnerability, plus a validated patch, plus reproduction steps, will be more valuable than those that pay only for vulnerabilities. The platforms that survive will be the ones that pivot from brokering human research to orchestrating AI-augmented scanning with human verification in the loop. The professional services market for patch verification will grow, favoring firms with deep codebase-specific expertise.

As Anthropic notes, Glasswing itself is best understood now as a transitional institution — an attempt to manage a capability discontinuity during the period when existing market institutions haven’t yet adapted. Its familiar club structure makes sense for the current moment: the capability is restricted, the verification bottleneck demands insider knowledge, and the urgency of burning down the stock of latent vulnerabilities in critical software infrastructure justifies coordinated action outside normal market mechanisms. But if Mythos-class capabilities proliferate as expected, the club model becomes untenable because the underlying capability is no longer scarce enough to restrict.

What persists after the transition will depend on whether Glasswing evolves into a durable networked governance structure that provides value by providing disclosure pipelines, deconflicting simultaneous discovery, building robust automated and human verification capabilities, and helping manage any systemic risks of producing AI-driven (in)security at scale. The history of similar arrangements in cybersecurity — early ISACs, the Conficker Working Group, M3AAWG, the Cyber Threat Alliance — suggests clubs can persist beyond their initial formation, but only if they provide ongoing coordination value that individual actors can’t replicate on their own or with market transactions.

The post AI, Project Glasswing, and the Changing Institutional Economics of Bugs appeared first on Internet Governance Project.

My study of blocking 

To understand the scale of website blocking in India, I queried the DNS servers of six major and regional ISPs to test the censorship of 294 million domains, representing nearly the entire visible domain name space. These tests were carried out over many months in 2025 and contribute to the largest study of DNS-level website blocking in India to date. The study quantifies what previous qualitative research on Internet censorship in India has shown. Despite receiving the same blocking orders, not all ISPs block the same websites. 

Inconsistent results 

Out of the total 43,083 blocked domain names found by the study, only 1,414 were blocked by all six ISPs. This is caveated by the fact that some of the ISPs surveyed may be using other abovementioned protocols to block these domains, which the study does not cover. What is clear however is that at least on the DNS layer, domains are treated inconsistently based on the category of content they host. Piracy, peer-to-peer file sharing, pornography and gambling websites make up the majority of what is blocked, yet blocks are not consistently enforced across ISPs. For domains hosting terrorism and militancy content, blocking consistency across ISPs goes up dramatically. Perfect consensus can be seen in certain sensitive cases, such as the blocking of China’s Weibo.com or the website of Srinagar-based publication The Kashmir Walla, showing that some orders are treated more seriously than others. Along with this, almost all ISPs appear to engage in arbitrary blocking in some form. 

While highlighting only some notable blocks, the study shows the haphazard way in which both regional and national ISPs are currently implementing blocking orders. In the absence of a standardised framework or guidelines, ISPs are left to their own devices, resulting in an inconsistent blocking landscape. A domain blocked by one provider may be freely accessible through another, undermining the stated rationale for blocking while still infringing on the rights of users served by the more aggressive ISP. Domains officially ordered unblocked continue to remain blocked by some ISPs in clear defiance of orders, but without penalty to ISPs or respite for operators of such websites. 

Needlessly opaque  

Inconsistency is not the only problem however. The regime is needlessly opaque. An ideal system would see disclosure of blocked domains from the source, with exceptions only for sensitive matters such as those concerning national security and websites hosting child sexual abuse material. A perfect example of this is the many malicious domains found blocked by the study, which is arguably in the public interest, but which cannot be distinguished from overreach without disclosure. The Supreme Court in Shreya Singhal v. Union of India (2015) upheld Section 69A but emphasised procedural safeguards, including a review committee and the right of affected parties to be heard. In practice, neither can operate meaningfully as long as the system runs like patchwork. 

Karan Saini is an independent security researcher from New Delhi, and the author of the “Poisoned Wells” report, available at dnsblocks.in 

The post India’s crude Internet censorship regime appeared first on Internet Governance Project.

The Secure and Trusted Communications Networks Act of 2019 required the FCC to maintain a list of communications equipment if someone in the government thinks it poses a risk to national security. Previous iterations of this list target specific corporate entities like Huawei, ZTE, or Hikvision. Last week’s action expanded the “Covered List” to include ordinary household internet equipment, not specific companies, based entirely on foreign origin. 

What is banned? 

The ban targets new Small Office/Home Office (SOHO) routers, Wi-Fi extenders, and mesh systems. These devices can be found in practically every American home. The import ban includes any device where the “critical manufacturing and firmware assembly” occurs within a jurisdiction designated as a foreign adversary (primarily the People’s Republic of China, Russia, and Iran). The leverage for the ban comes from the FCC’s Equipment Authorization process. No new models from these regions can receive the “FCC ID” required for legal sale in the U.S. The Defense Department or the Department of Homeland Security (DHS) can exempt a product by transmitting to the FCC a specific determination that a given router or class of routers do not pose such risks. 

As of March 23, 2026, the FCC ceases all new equipment authorizations for covered devices. Starting in September 2026, retailers are prohibited from importing new inventory of covered devices. A year from now, March 2027, the “Maintenance Waiver” expires, and even security patches for existing legacy devices must undergo a secondary federal audit if they originate from covered jurisdictions. 

Fortunately, this bit of security theater does not apply to hardware that is already authorized and currently in consumers’ homes, or in the retail channel. These products can continue to be a “national security threat.” It also does not apply to enterprise or carrier-grade equipment, which remains governed by previous specific-entity bans. Certain sub-components (like passive capacitors or casing) are exempt, provided the “logic-bearing” components (SoCs and Firmware) are not of foreign-adversary origin. 

Legal Authorities 

The primary vehicle for this action is the Secure and Trusted Communications Networks Act of 2019; the law passed after an orchestrated and sustained U.S. intelligence community campaign portraying Huawei equipment as a potential (but never actualized) Trojan Horse. Additionally, the Secure Equipment Act of 2021 prevents the FCC from reviewing or approving any authorization for equipment after it has been placed on the Covered List, effectively turning a “warning list” into a “market ban.” 

Just as this new move will prove to be very costly to consumers, the “Rip and Replace” program authorized by the 2019 Act generated a massive funding shortfall. While the law initially estimated costs at $1 billion, and Congress appropriated $1.9 billion, the actual requests from carriers totaled nearly $5 billion. Many small carriers started “ripping” without enough money to finish the “replacing,” leading to concerns about service outages in rural areas. In the years preceding this farce, not a single compromise of American telecom networks or data were attributable to the use of Huawei gear. On the other hand, dozens of Chinese-instigated compromises occurred by means of compromises of American-made software and phishing.

Factual Studies and Intelligence Reports 

To support its decision, the FCC cited two primary types of evidence.  

1. The “Typhoon” Campaign Reports: Intelligence from CISA and the FBI regarding Volt Typhoon and Salt Typhoon. These reports detailed how state-sponsored actors hijacked thousands of SOHO routers to create a “botnet” that obfuscated attacks on U.S. power grids and water systems. 
2. The 2025 Supply Chain Audit: A Department of Commerce study argued that the concentration of 85% of the consumer router supply chain in China creates a “systemic vulnerability” where a single firmware update could be weaponized to disable U.S. home internet access. 

Just as the Huawei and TikTok scares played on the general public’s ignorance of actual cybersecurity risks and vulnerabilities, the new FCC ban follows the same pattern. These reports do not provide evidence for the policy.

Deconstructing the “Foreignness” Fallacy 

The central logical pillar of the FCC ban is that the origin of manufacture is the primary determinant of risk. However, an empirical look at the “Typhoon” intrusions reveals a profound disconnect between this premise and the technical reality. 

Vulnerabilities vs. Backdoors. The FCC justifies the ban on the potential for “backdoors”—intentional entry points built at the factory. Yet, in the history of the Volt Typhoon and Flax Typhoon campaigns, not a single instance of a hardware-level manufacturing backdoor was identified. Instead, these actors exploited: 

• Unpatched Software Bugs: Standard coding errors (CVEs) that exist in software globally. 

• Weak Credentials: Default “admin/admin” passwords in cheap devices that users never changed. 

• Management Interfaces: Ports left open to the public internet due to poor user configuration or “Secure-by-Design” failures. 

The Geography of Code. The digital economy is global. A router “Made in the USA” likely runs a Linux kernel maintained by global contributors, uses Wi-Fi drivers written in Taiwan, and incorporates open-source libraries managed by developers worldwide. By focusing on the geographic location of the assembly line, the FCC ignores the logical supply chain of the software. A U.S.-assembled router with a poorly written UPnP (Universal Plug and Play) implementation is just as vulnerable to a hijacking as a foreign one. 

If one looks at the Cybersecurity Advisory issued by DHS, NSA, and other agencies about the botnets used by the Chinese, one finds that U.S.-based processor architectures were involved in over 90% of the compromises, and that vendors and products like Juniper, Apache, Linux, Fortinet, Atlassian and others not located or headquartered in “adversary nations” were exploited. 

Targeting New Devices instead of Legacy Ones?

Perhaps the most obvious lack of logic in the FCC’s policy is its exclusive focus on new equipment authorizations while leaving legacy devices in place. Empirical data from cybersecurity firms consistently shows that older devices are significantly more vulnerable than new ones. 

• End-of-Life (EOL) Status: The Volt Typhoon campaign specifically targeted “End-of-Life” routers because they no longer receive security patches. 

• Legacy Protocols: Older routers often use outdated encryption (WEP/WPA) and lack modern hardware-level protections like Secure Boot or Trusted Platform Module (TPM). 

By banning the sale of the newest, most secure Wi-Fi 7 and Wi-Fi 8 routers from dominant foreign manufacturers, the FCC forces the American public to pay substantially more for upgraded, more secure equipment or, what is more likely, to keep their older, more vulnerable devices for longer. 

If a consumer cannot easily or affordably replace their 2019-era router because the 2026 models are banned, the total attack surface of the United States actually increases. The ban targets the very devices most likely to have modern, auto-updating security features, while providing a “free pass” to the millions of insecure, aging devices that state-sponsored actors are currently exploiting. 

The FCC’s decision assumes that manufacturing origin is the primary risk factor. However, cybersecurity data suggests that device age and software support are far more critical indicators of whether a router will be compromised. 

All new Wi-Fi 7 and most Wi-Fi 6 devices utilize WPA3, which protects against common “offline” password-cracking attacks. Many legacy devices in homes rely on WPA2, which has known architectural flaws like the KRACK vulnerability.  Modern hardware is designed to only run firmware that has been digitally signed by the manufacturer. This would have prevented the “Typhoon” actors from overwriting the router’s operating system with a malicious one. Most legacy routers targeted by the KV-Botnet lacked this physical protection. CISA and the FBI noted that the Volt Typhoon campaign specifically targeted End-of-Life routers from Cisco and Netgear. These devices are technically “trusted” by the FCC because they were authorized years ago, yet they are the most vulnerable items on the network because they no longer receive security patches. 

Conclusion 

By blocking the importation of modern Wi-Fi 7 equipment based solely on its “foreignness,” the FCC actually worsens the security situation. Incentives to upgrade to modern, more secure hardware are reduced, and users are encouraged to keep using unpatched legacy equipment—the exact hardware that state-sponsored actors have successfully weaponized for years.  

Does this whole thing make any sense? It does it you see the FCC’s ban as an exercise in industrial policy disguised as cybersecurity. Netgear, a US-founded and headquartered company, has been lobbying the government on “cybersecurity and strategic competition with China.” Once again – as with the semiconductor export controls and the TikTok ban – we see the bootleggers seeking protection from competition hiding behind the religious banner of national security. While the risks of state-sponsored infrastructure attacks are real, the remedy chosen—a geographic ban on new hardware – prioritizes geopolitical decoupling over the immediate technical hardening of the American digital home. 

The post Fake Cybersecurity: The FCC Router Ban appeared first on Internet Governance Project.

While this framing is not entirely wrong, it misses what is most important. The real stakes lie not in whether Anthropic was right to refuse, but in what this confrontation reveals about the deeper structural challenges of governing AI in high-stakes environments. This post examines three of them. First, the Pentagon’s demands are dangerous not because they cross obvious legal lines, but because flexible AI use policies erode human judgment in ways that are hard to see and harder to reverse. Second, Anthropic’s understanding of AI safety as something built into the programming of the model created the paradox at the heart of this dispute. And third, why this confrontation reveals the need for governance frameworks that do not leave principled companies to stand alone.

What Happened?

In July 2025, Anthropic signed a $200 million contract with the U.S. Department of Defense (DoD), and it was the first lab to integrate its models into mission workflows on classified networks. Through partnerships with Palantir Technologies, Claude Gov was cleared for classified military and intelligence tasks and became deeply embedded in Pentagon operations.

On February 24, Secretary Hegseth delivered a formal demand to Anthropic to remove all usage restrictions, including domestic surveillance and fully autonomous weapons, and grant the Pentagon the right to use Claude Gov model  “for all lawful purposes”. The threatened consequences for refusal were termination of contract, designation as a supply chain risk to national security, and the potential invocation of the Defense Production Act of 1950. Anthropic CEO Dario Amodei refused, stating that DoD made virtually no progress on preventing Claude’s use for mass surveillance of Americans or to control fully autonomous weapons, and that the company “cannot in good conscience” agree to allow the DoD to use its AI models in all lawful use cases.

President Trump ordered the U.S. government to stop using Claude and the Pentagon moved to designate the company a national security risk last Friday. However, less than 24 hours after Trump’s ban was announced, the DoD deployed Claude to attack Iran on February 28.

What does the Pentagon Want?

We still do not know exactly what the Pentagon has done or wants to do with Claude. What we do know is that the Pentagon demanded Anthropic remove all usage restrictions and grant access to the model “for all lawful purposes”—with no exceptions. However, Anthropic’s refusal and the Pentagon’s stated concern that AI safety guardrails could impede military response in emergency situations allow us to infer the Pentagon’s intentions. The Pentagon is pursuing a higher degree of automation in both intelligence data processing and weapons systems—a vision in which AI operates with minimal human intervention.

Before advanced AI, raw data was simply too voluminous and fragmented to be useful for comprehensive surveillance. The government could purchase location data from smartphone apps, browsing histories from data brokers, or financial records from third parties—but analyzing it all at scale was difficult and time consuming. This is precisely the bottleneck the Pentagon seeks to eliminate. AI makes it possible to analyze massive datasets—geolocation, web browsing activity, financial transactions—and synthesize them into predictive portraits of individuals’ lives, automatically and at scale.

The problem is that U.S. law has not caught up with the capabilities of modern AI. Under current law, it is perfectly legal for government authorities to acquire massive amounts of data and use AI to analyze it—even though the result may, in effect, constitute mass surveillance of American citizens. For this reason, Anthropic asked the Pentagon to explicitly include contract language prohibiting the bulk collection of Americans’ publicly available information. The Pentagon refused.

The second red line concerns autonomous weapons. The Pentagon’s position is, in some respects, understandable. The realities of modern combat are fluid and fast-changing, and there are clear limits to human capacity for real-time decision-making in such environments. AI-enabled autonomous detection and strike systems are already operating on the battlefield in Ukraine, demonstrating three to four times higher target engagement rates with lower human costs—sometimes without meaningful human oversight. The Pentagon’s goal is to reflect these battlefield realities. Because future combat scenarios are unpredictable, the military wants the flexibility to operate without pre-imposed restrictions—and it insists that private companies should not be in a position to dictate the terms under which AI is used in warfare.

It is also worth noting that Anthropic’s use of the term “fully autonomous weapons” is technically imprecise. Fully autonomous weapons—systems capable of independently making the decision to kill without any human involvement—do not yet exist. The U.S. military defines autonomy as “a system’s ability to accomplish goals independently or with minimal supervision in complex and unpredictable environments,” where the system refers to a subset of a broader weapons platform, not a decision-making authority unto itself. They therefore speak not of “autonomous weapons” but of autonomous systems or unmanned systems. In other words, while automated systems can exist to assist in decisions to kill, no weapons platform is designed to make that determination entirely on its own.

If the Pentagon’s push for more unrestricted and flexible AI use is legally permissible, operationally advantageous, and does not formally exclude human oversight—does that mean there is nothing to worry about? There are two issues here; the first has not been mentioned enough in the public media.

Trying to build politics into technology

Key to Anthropic’s ethos is the idea that their model can be engineered to prevent bad uses of their product – whether by the military or anyone else. In other words, they have bought into that school of AI safety (and of Science, Technology and Society studies) that believes that technology itself has politics and that values and social controls can be reliably built into the technical system. This viewpoint focuses on technology design rather than social institutions to regulate human behavior with technology.

As controls on moral behavior, technology is a crude instrument. For example, reflecting its concern that Claude’s powerful programming capabilities might be used to develop bio weapons, the company programmed the model to refuse to handle the word “pathogen.” You can kill a Claude session dead by querying one of these refusal strings – a word or request that is considered so bad that it triggers a “hard off switch” that causes the application to stop dead in its tracks.

The problem with these kinds of controls is that they lack the contextual nuance of real-world social activities. The Center for Disease Control, for example, has every reason to be searching for the word “pathogen” or doing research work on pathogens, and found this Claude restriction an impediment to its work. The Pentagon’s unnecessary, excessively punitive “supply chain risk” designation aside, the DoD has a legitimate concern that one of these restrictions built into Claude might stop it from doing something it needs to do.

The risk of automation bias

On the other hand, Anthropic’s resistance to giving the DoD a blank check is justifiable. The more flexible the terms of AI use, the more likely human operators are to gradually defer their own judgment to the machine—a tendency known as automation bias.

During negotiations, Anthropic asked the Pentagon to include stricter safety language in the newly proposed contract. But the company found that “new language framed as compromise was paired with legalese that would allow those safeguards to be disregarded at will.” In other words, even when restrictions on the use of Claude exist on paper, ambiguous contractual language makes them easy to bypass in practice. Over time, even if human involvement remains the stated principle, fewer and fewer operators will feel compelled to exercise independent judgment.

Overly flexible AI use policies create conditions under which human operators become increasingly reliant on autonomous systems—and in doing so, introduce a risk that is not primarily technical, but human: the error born of over-reliance. As CEO Amodei emphasized, “frontier AI systems are simply not reliable enough to power fully autonomous weapons.” In high-stakes military environments, the combination of unreliable AI and under-exercised human judgment could result in lethal mistakes—unintended escalation, misidentified targets, or mission failure precisely when it matters most.

The risks are even more pronounced in the context of mass surveillance. The U.S. government has already announced plans to use AI, through Palantir, to support ICE operations targeting undocumented immigrants—tracking their real-time locations and financial activity. The concern here is not simply that the surveillance happens, but that without strict use guidelines, agents relying on this technology are far more likely to act on its outputs uncritically, increasing the risk of overreach and wrongful action. This is not hypothetical. In recent years, police departments that over-relied on AI-powered facial recognition arrested the wrong people on multiple occasions. The pattern is consistent as when the rules governing AI use are vague, the humans operating within those rules tend to trust the machine more than they should.

Anthropic’s decision to walk away from the Pentagon’s request was, at its core, a recognition of this institutional vacuum and fully within its rights as a private business. Without strict guidelines capable of meaningfully reducing these risks, no contractual arrangement could be trusted to hold. What is needed is better institutions—clear legal frameworks, enforceable oversight mechanisms, and organizational cultures that actively resist the pull of automation bias.

The Paradox of Anthropic’s Safety

Anthropic’s willingness to stand up for its own public interest principles deserves praise. But few have examined a deeper paradox: the safer and more reliable an AI system becomes, the more valuable it is for military applications.

Unlike ChatGPT or Gemini, Claude was not primarily designed for everyday consumer tasks or commercial applications even though it is still general-purpose model. It is widely regarded as strong in deep analysis, contextual reasoning, and complex coding tasks. Anthropic has also been recognized for its advanced capabilities in local AI deployment—technology that allows the model to operate on a user’s own servers without sending data to external systems. These features were developed in the name of safety, privacy, and reliability. But paradoxically, they are precisely what makes Claude so attractive for military and intelligence work.

In intelligence operations, agencies must process and synthesize information from multiple sources. Deep analytical reasoning is essential for handling this volume of intelligence data, identifying patterns, and generating actionable insights. Contextual understanding allows the model to interpret ambiguous situations—exactly what is needed for operational planning and battlefield simulation. Strong coding capabilities enable rapid development of custom tools for cyber operations. Claude’s local deployment architecture also allows classified information to remain in secure government networks, and external data never enters the analytical environment. In comparison, a model like Gemini, which is deeply integrated with Google’s broader ecosystem, remains vulnerable to inbound contamination—where external information pollutes or distorts the integrity of classified analysis.

In other words, the very qualities that make Claude “safer” for civilian use are the same qualities that make it indispensable for warfare. For the average user, this level of privacy and local deployment capability is a nice-to-have, not a necessity; most people are perfectly comfortable using cloud-based AI services. But for military and intelligence applications, these features are attractive. Anthropic built an AI designed to be trustworthy, and in doing so, built exactly what the Pentagon needed.

This is the paradox at the heart of the dispute. The company now finds itself in the uncomfortable position of having created a tool so well-suited for national security applications that the government is unwilling to accept any restrictions on its use.

Implications

The dispute between Anthropic and the DoD is not merely a corporate contract negotiation gone wrong. It offers important lessons for the future development of AI governance frameworks. One key implication is that private companies should play a larger role in AI governance than they currently do. This may seem counterintuitive—shouldn’t democratic governments, not profit-driven corporations, set the rules for powerful technologies?

In practice, companies’ internal safety policies are often far more detailed and technically grounded than most people assume. In many cases, it is the companies—not governments—that are most sensitive to AI risks and quickest to implement guardrails. Companies possess more granular information about their own systems and have strong incentives to understand the risks their products pose. Their business models depend on it. Anthropic is a case in point. The company recognized that the very features that made Claude attractive for military use also made it potentially dangerous if deployed without restrictions. Because Anthropic understood the lethality of its own model, it was able to refuse the Pentagon’s demands.

This suggests that AI governance should evolve not through sweeping state control, but through the strengthening of corporate safety frameworks—with appropriate transparency and accountability mechanisms to ensure those frameworks serve the public interest. But for such frameworks to hold, they cannot rely on corporate goodwill alone. The Anthropic episode demonstrates that a company willing to draw principled lines can be immediately undercut by a competitor willing to accommodate. What is needed, therefore, is not just better corporate guidelines, but institutional structures that incentivize and reinforce them—legal frameworks that reward companies for maintaining meaningful safety standards, shield them from retaliation when they push back against unreasonable demands, and raise the cost for those who abandon their principles under government pressure. Only then can companies like Anthropic stand their ground not as an act of courage, but as a matter of course.

The post What Everyone Is Missing About Anthropic and the Pentagon appeared first on Internet Governance Project.

This move represents more than just another salvo in ongoing tech tensions between the two governments. It threatens to fracture a foundational practice of internet cybersecurity: the global threat intelligence ecosystem that allows defenders worldwide to collect, analyze, and share information about emerging attacks and responses to cyber threats that know no borders.

But there’s a way forward. Recent research from Georgia Tech reveals both the problem and a potential solution: provenance could allow threat intelligence to remain global even as geopolitical tensions push nations toward digital isolation.

A Competitive Ecosystem Under Threat

Threat intelligence is produced in a complex cybersecurity institutional landscape, governed at the organizational, national, and transnational levels. Most cybersecurity practitioners understand that threat intelligence—information about malware, malicious infrastructure, and attacker TTPs—flows through a complex network of actors, can be difficult to integrate, and provides questionable value.  

In a DARPA-funded study to be presented at the 2026 Network and Distributed System Security Symposium, GT computer scientists developed a novel method to trace the propagation of threat intelligence through this ecosystem, which consists of vendors (TI platforms, antivirus, sandboxes), researchers, and operators. By embedding unique watermarks in benign test files and tracking them as they moved between actors, they uncovered several findings:

While 67% of vendors perform dynamic malware analysis, only 17% share the intelligence they extract. Network indicators (like malicious domains or URLs) are shared 20 times more frequently than the actual malware binaries—meaning defenders often get conclusions without the evidence needed to validate them. Most vendors consume information, and a handful of “nexus vendors” like VirusTotal act as central aggregation points, creating potential points of failure. Delays of hours to days in sharing the data slow coordinated responses. Adversaries are actively exploiting predictable sandbox environments and fingerprinting techniques to evade detection. The researchers found hundreds of malware samples actively using publicly available blocklists of sandbox IP addresses to avoid analysis—a technique that reduces the number of vendors receiving intelligence by 25%.

Characterizing these findings as troubling, the research makes several recommendations, including that vendors perform recursive analysis of malware to uncover full attack chains, diversify the IP space used in analysis infrastructure to avoid adversary counter-measures, and use watermarked binaries to allow auditing of data sharing. While there were limitations in examining temporal fingerprint data and freely available analysis environments, the technical mechanisms for improving the quality of TI data were well developed. However, the paper leaves open questions about how to coordinate the adoption of these recommendations across a thriving industry sector driven by incentives that vary and are sometimes aligned and sometimes competing.   

The Geopolitical Fracture

Now overlay geopolitical tensions. China’s ban isn’t happening in isolation. The United States has previously banned Russian antivirus firm Kaspersky, and sought to ban the TikTok app based on the premise that it could provide data about the American population. There have also been efforts to discredit threat intel research by Chinese and American cybersecurity firms. Similar dynamics have played out with telecom infrastructure, semiconductors, artificial intelligence applications, and other digital technologies deemed “strategic.”

The core tension is this: producing cybersecurity requires global visibility to be effective. Malware developed in one country can attack targets worldwide within minutes. Botnets span continents. Phishing campaigns exploit infrastructure in dozens of jurisdictions. Yet the tools and practices to defend against these global threats are increasingly being carved up along national lines.

When China bans Western cybersecurity vendors, Chinese network operators lose access to threat intelligence from those sources. When the U.S. bans Russian tools, American defenders become blind to threats that Russian vendors might detect first. Each ban reduces global visibility and risks hindering collective response.

Network Operators Hold the Key

Here’s the crucial insight: while states make bans and set public policies, it is network operators—the security teams at corporations, universities, service providers, and government agencies—who make the actual decisions about what threat intelligence to use and how to act on it. These operators face a difficult choice. Follow geopolitically-driven bans and lose access to potentially valuable threat intelligence? Or find workarounds that might violate regulations?

But what if there were a third option? What if operators could use threat intelligence regardless of origin, as long as it met certain verifiable quality and process standards?

Secure Provenance Incentives: From “Who” to “How”

This is where secure provenance systems, which store ownership and process history of data objects and can ensure confidentiality, integrity, and availability, come in. Instead of focusing on “who produced this threat intelligence?”, such a system would allow defenders to ask “how was this intelligence produced and validated?” It creates a trustworthy, auditable trail documenting the entire lifecycle of a piece of threat intelligence:

• Where and when was it first observed? 
• How was it analyzed (static analysis, sandbox execution, manual review)? 
• How deep was the analysis (did analysts examine dropped files and network connections)? 
• Which independent parties validated it? 
• How long did each step take?

The Georgia Tech research demonstrates that answering these questions is technically feasible. Their watermarking system tracked threat intelligence through multiple vendors, distinguishing between binary and network indicator sharing, and timing each stage of propagation. A secure provenance system could formalize and standardize this tracking. With it, network operators can use or filter policy-compliant threat intelligence without necessarily relying on the country of origin. Consider these scenarios:

• Prohibited from using certain vendors’ software, a firm could accept threat intelligence where provenance shows it was independently re-analyzed by approved methods or domestic vendors. 
• Firms subject to restrictions can contribute to global threat intelligence where provenance metadata is sanitized to protect operational details (e.g., IoCs designated TLP:AMBER or PAP:RED), analysis occurs through neutral intermediaries, and compliance audit trails can be generated.

Beyond enabling compliance with conflicting domestic regulations, secure provenance addresses concrete operational challenges revealed by the research. The study found that some vendors delay sharing by hours to days, slowing disruption of attacks by 20%. Provenance makes delays visible, allowing operators to avoid bottlenecks or request parallel analysis. Similarly, when 85% of antivirus vendors and 57% of sandboxes failed to execute packed malware, potentially valuable intelligence was lost. Provenance incentivizes deeper analysis by making quality visible and valuable in the marketplace. Relatedly, many vendors reshare IoCs and detection labels, creating the “illusion of consensus”. Provenance reveals actual analytical independence, helping operators set appropriate thresholds for intelligence use, and makes the diversity of the analysis environment visible and verifiable.

Building Blocks

What is required for a secure provenance system? While formal definitions and threat modeling are needed, an LLM-grounded analysis (Claude Code, Opus 4.6) of the sources reviewed here suggests the system needs to combine cryptographic chaining for local data integrity supported by anchoring in global, decentralized trust — allowing multiple untrusted organizations to independently verify the complete lineage of any piece of threat intelligence. Architectural components include:

Layer 1: Collection — Trusted Hardware & Kernel Modules                                                                                                                    

At the edge where TI is generated, integrity begins with kernel-level collectors that automatically capture metadata during analysis, backed by hardware attestation to ensure the collection environment itself hasn’t been tampered with.

Layer 2: Data Model — Provenance Record Graphs & Chains

Each action on TI data produces a provenance record containing who holds the data and what was done to it. Records can be linked into a graph structure that captures complex, multi-actor lineage, with cryptographic chaining that ensures that reordering or deleting historical records is detectable.

Layer 3: Identity & Trust — PKI and Digital Signatures

Every actor signs provenance records created using managed key pairs, ensuring authenticity and non-repudiation. Records are cryptographically bound to participants’ identities, preventing selective removal of records from the chain.

Layer 4: Storage & Verification — Distributed Ledger

Provenance record hashes can be anchored to a distributed ledger, providing tamper-evident, immutable storage without a central authority. Automated contracts enforce validation and access rules when actors submit or query TI lineage.

Layer 5: Privacy & Access Control

Encryption with selective disclosure allows owners to reveal specific chain segments to auditors without exposing sensitive details. Policy-based encryption embeds access rules directly into the data, and conditional privacy mechanisms protect actor identities while preserving accountability.

Figure 1. Provenance operational flow

Binary submitted → Vendor analyzes, generates signed provenance record

↓

Record linked into provenance graph via cryptographic chaining

↓

Hash anchored to distributed ledger

↓

TI migrates across organizational boundaries → Receiver validates sender’s signature via PKI

↓

Auditor verifies full chain using public keys + ledger anchors

Granted, even this rough brainstorming raises sticky questions. A secure provenance system needs apolitical, transnational governance structure(s) with infrastructure distributed across multiple jurisdictions, verifiable information and reporting, without exposing sensitive capabilities. This is the unsolved institutional design problem that future work must consider.

Conclusion: Institutional Economics of Global TI Provenance

Peer production has a long history in cybersecurity—but it also has limits in environments hostile to openness. The response was the emergence of a network of sub-groups of vetted actors voluntarily collaborating to produce and share specialized and relevant threat intelligence in trusted environments. But aggravated by a decade of growing geopolitical tensions, the main threat to collaborative threat intelligence now comes from states. What’s needed now are governance structures that allow operators, vendors, and researchers to continue cooperating globally while adhering to various governments’ incompatible notions of jurisdictionally-bound identity, sovereignty, and compliance. 

Implementing secure provenance for TI data objects could be a step toward that. Club good production of threat intelligence already exists; organizations like FS-ISAC, the Cyber Threat Alliance, and FIRST operate as membership-based sharing communities, alongside a thriving private market. But exclusion in these existing clubs is based on organizational identity and trust relationships — precisely the attributes targeted by geopolitical bans. Provenance can create an excludability mechanism that transforms high-quality global threat intelligence from an underprovided public good into a sustainable club good: participation in the verification chain becomes both the “credential” for access and the incentive for contribution, solving free-rider problems that the GT study documented without requiring a central authority to enforce sharing norms. Provenance shifts excludability from who produced the intelligence to how it was produced and verified, making the club resilient to national identity and sovereignty-based restrictions while preserving the quality assurance that excludability provides.

Chinese, American, and other participants (both public and private) will have incentives to use the same provenance system, not out of altruism, but because exclusion from the verifiable pool of TI is operationally costly in a threat environment that remains stubbornly global. Universality and flexibility of applying different usage policies at the operator level mean provenance can accommodate divergent regulatory regimes without fragmenting the underlying intelligence. Existing guidance, standards and protocols, and certificate authorities could be leveraged to begin building such a system. But the harder challenge is institutional: secure provenance requires transnational governance structure(s) perceived as legitimate by participants operating under conflicting state mandates — without which threat intelligence risks becoming a zero-sum geopolitical competition.

References and Further Reading

Galloway et al. (2026). “Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem.” Network and Distributed System Security Symposium. https://tillsongalloway.com/ti-ecosystem-ndss.pdf 

Hasan, R., Sion, R., & Winslett, M. (2007, October). Introducing secure provenance: problems and challenges. In Proceedings of the 2007 ACM workshop on Storage security and survivability (pp. 13-18).

Pan, B., Stakhanova, N., & Ray, S. (2023). Data provenance in security and privacy. ACM Computing Surveys, 55(14s), 1-35.

Peisert, S., Bishop, M., & Talbot, E. (2017, October). A Model of Owner Controlled, Full-Provenance, Non-Persistent, High-Availability Information Sharing. In Proceedings of the 2017 New Security Paradigms Workshop (pp. 80-89).

Reuters (January 14, 2026). “Exclusive: Beijing tells Chinese firms to stop using US and Israeli cybersecurity software.” https://www.reuters.com/world/china/beijing-tells-chinese-firms-stop-using-us-israeli-cybersecurity-software-sources-2026-01-14/ 

Wang, X., Zeng, K., Govindan, K., & Mohapatra, P. (2012, October). Chaining for securing data provenance in distributed information networks. In MILCOM 2012-2012 IEEE Military Communications Conference (pp. 1-6). IEEE.

For more on STIX (Structured Threat Information Expression) and existing threat intelligence sharing standards, see: https://oasis-open.github.io/cti-documentation/

The post Beyond Borders: How Threat Intelligence Provenance Can Save Global Cybersecurity From Geopolitical Fragmentation appeared first on Internet Governance Project.

Two Wall Street Journal reporters fired a shot in this battle recently, publishing an article claiming that an AI app “bullied” a Denver engineer who rejected some code it submitted to an open-source project he helps maintain. The general theme of the article was that AI applications are already becoming autonomous agents, and cranky and nasty ones at that. In the article, the “Denver engineer” concludes with a warning, “Right now this is a baby version,” he said. “But I think it’s incredibly concerning for the future.”

A big picture of Dario Amodei, the CEO of Anthropic, graced the middle of the article. And that tells you a lot about the source of the article. Amodei views advanced AI as having a 25% or higher risk of causing a societal catastrophe in the next five years. He warns of rapid AI development outpacing safety measures, widespread white-collar job displacement, and potential loss of control over autonomous AI systems.

People who don’t know much about AI Safety research, and the political position about that promoted by Dario Amodei, might see the WSJ article as an emerging scientific consensus about the autonomy of AI applications. I don’t. I see evidence of a public relations campaign by a particular AI model developer.

What’s really going on here?

One’s opinions about the dangers of AI should not be based on fantasies that they are emerging life forms that will rise up and destroy us. Yet people who believe that, or whose careers may depend on keeping that worry alive, are mostly in charge of what we hear about AI autonomy. Journalists such as the WSJ’s Sam Schechner and Georgia Wells are not reporting on the frontiers of science, they are distributing interpretations of AI behavior given to them by Amodei and the AI Safety crowd.

This is not to say that all of the safety research, or safety concerns, are wrong. It’s just that most of those experiments are done by people with a vested interest in generating concerns about AI autonomy.

None of these people try to assess empirically the limitations or constraints on AI autonomy. Instead, they conduct experiments intended to find evidence of machine autonomy. This bias has some epistemological justifications – after all, you can’t prove a negative. But it also creates a major confirmation bias incentive. Just as PhD students in statistical social science MUST find a statistically significant correlation between their variables, else they’ve all been wasting their time, so the AI Safety researcher must find evidence of danger, of machine autonomy.

Finding evidence that an AI application “bullied” a human, finding demonstrations of murderous intentions an AI system expressed toward people who try to turn them off – that not only is more achievable for the researcher, but a lot more interesting in the attention economy. It keeps AI safety research funded and in the public eye. A finding that “advanced AI models are just scaled-up computing infrastructures that humans, build and manage” would not get on to the front page of the Wall Street Journal. But where do these “findings” come from?

Are AI Experiments Misleading?

My own reviews of research on AI Safety by AI labs has left me highly critical. I have found that evidence of behavioral autonomy disappears when the process used in the experiment and the training and instructions are made transparent. This means that journalists and public intellectuals should not draw any conclusions about AI autonomy from intermediaries, unless the people conducting the experiment disclose the exact factual details of their tests. When one knows exactly which tests were done, how they were structured, and who programmed them, AI autonomy disappears from the plot, like the failure of a spirit to appear in a séance when the lights are turned on. Looking carefully at these experiments, we find not machine autonomy, but highly specialized instructions, often involving giving the machine conflicting objectives, and a laboratory experiment that was designed to find behavior that could be interpreted as autonomous. Often the evidence underlying a claim of autonomy is statistical; e.g., 5 or 6 different models were tested, and in 10% or 3% or 20% of the tests the output was “misaligned” with what the humans conducting the experiment think was the proper output.

Tests for Autonomy

Here is how to pick apart AI research that claims to find evidence of machine autonomy. Ask questions about the design and preparation of the experiment:

• What was the AI application used in this instance? The WSJ article implies that multiple models were tested; let’s be told which ones (and which versions) they were. Were the models specialized applications developed to conduct this test or ones intended for general use in production?
• Did the AI submit code to a real-world software sharing community, or was it a simulation set up by the experimenters? If the former, did it create its account without human input or control? Did human input prompt it to develop and submit code to this forum or did this happen spontaneously? Did a human prompt it to submit the software, or did the application do this all by itself?
• Was the experiment deliberately designed to test what would happen if the application’s code was rejected, or did this result happen unexpectedly?
• On what blog did this AI post its attack on Mr Schambaugh? Did the application create its own account, set up its own public web site, or did the lab create an experimental one for it? Can anyone see this blog post?
• Was the AI application’s submission of blog posts rule-governed, or spontaneous and unexpected? In other words, did the humans controlling this machine give it specific conditions that had to be met to post blogs, and tell it what kind of messages would go into those blogs?
• In explaining the attack on Mr Schambaugh, did humans tell the machine to react angrily to a rejection of its code? Is this kind of reaction rule-governed, a pattern embedded in the application’s training, or was it random?
• Tell us more about Scott Shambaugh, the person who “rejected” the AI application’s code. Was he part of the experiment? What is his connection to Anthropic? Did he know that the code was submitted by an AI agent? If he did not, which standard of quality or functionality did the AI’s code not meet? Did the humans in the lab bring Mr Schambaugh into this experiment without his permission or knowledge?

Software Liability: The new name for AI Safety Research

We are just beginning to realize how much AI governance has been misdirected by the doomer narrative of an autonomous, malevolent AGI. One of the biggest casualties is research into the possiblew failings and problems of AI models. There is a legitimate, even important role for “AI Safety” research, but the focus on machine autonomy has turned the whole field into confirmation-biased hunts for misanthropic behavior by AI applications.

Here’s the new direction it should take: AI Safety research should be renamed software liability research. Researchers in model developers’ labs should stop hunting for AI autonomy and focus on all the ways in which flaws or unintended consequences of specific ML applications (AI models) might generate harm, and how to distribute responsibility for those costs. As I’ve argued elsewhere, those kinds of tests are application-specific. How might autonomous vehicles go wrong? How do we assign responsibility to manufacturers of vehicles, model developers, drivers? How will we assign liability when automated code distributions (updates), such as Crowdstrike’s massive failure, generated cascading problems?

It’s true that this country had a policy debate about software liability 25 years ago. Insofar as it was resolved, it was that there should be as little as possible. AI applications reopen that debate. The search for machine autonomy distracts from it.

The post Did an AI application really “bully” a human? appeared first on Internet Governance Project.

In this blog, we try to focus on digital media; that is, on public narratives, propaganda, the polarization of political coalitions and their role in the deportation effort. Digital media are key players in the conflict. Immigration is about identity, and media representations can shape perceptions of identity. And these same media, from the forced divestiture of TikTok to FCC’s discriminatory treatment of media mergers and licensees, are at the center of numerous political and policy battles at the moment.  

The conflict needs to be placed in a broader political economy perspective, however. Immigration is a political economy issue, not just a matter of representation in the media. We were restrained and referred to American “civil conflict” and not “civil war.” While the conflict falls short of civil war, some of the key elements are there: invasions, paramilitary forces, shooting deaths, debates over the role of the military, clashes between the authority of federal and state governments. 

What is Trump trying to accomplish? 

Before it took over the Republican Party, Trump’s movement consisted of economic nationalists, cultural conservatives and a few conservative financiers. His rise to power, however, was fueled as much by reaction to the rot in the Democratic Party and the excesses of the progressive left as by its own appeal. By 2024, Americans were sick of 15 years of cultural domination by highly educated coastal elites who “moderated” social media to promote their values, told the majority they were guilty oppressors, and promoted ever-stranger concepts of gender and personal identity. But aside from the rising cost of living – inflationary pressures for which Trump was as responsible as Biden – it was the immigration issue that best encapsulated the growing cleavage between left and right in America. Whereas the left embraced ethnic and cultural diversity, the right hated it. The flood of asylum seekers seemed chaotic, racist ideas of “replacement” were circulating, and some Americans felt marginalized by a globalizing workforce and globalized markets. Prominent voices on both the right and the left, in fact, had been telling Americans for nearly a decade that they were victims of globalization and that immigration and outsourcing should be curbed.  

Prior to Trump, the more liberal elements in the Republican coalition accepted immigration as a logical extension of their support for an open market economy. Trump has rid the Republican party of its economic liberalism, leading it into a full-on embrace of protectionism and mercantilism, and a nativist opposition to immigration. His antidote to progressive identity politics is not a rejection of leftist identity politics, however, but an alternative identity politics: nationalist, nativist, religious. A multicultural society open to immigration is the opposite of that. He aims to purge America of immigrants, and the DEI ideology of the cultural left.  

To carry out this nationalist identity politics, Trump has seized unprecedented forms of Executive power. DHS, the Justice Department, and the State Department are actively focused – one might say ‘weaponized’ – on carrying out these policy goals (as well as his personal vendettas). Top of the list is ending the diversification of American identity.  When it comes to immigration, those agencies give him almost unlimited power. He can control entry and exit of citizens and non-citizens. He can expel and/or prosecute immigrants. He can single out protesting students on F1 visas. He can prosecute university administrations for allowing anti-Israel protests.  

Why immigration is Central 

We can see now why visible attacks on immigrants are so central to the MAGA vision and MAGA constituencies. It is no longer about closing the border to masses of asylum seekers – that was fixed quickly and the fix started under the Biden administration. The real goal is to advance the new MAGA identity-politick. MAGA does not conceive of America as a set of constitutional principles and liberal-democratic political ideals that can be embraced by any individual, regardless of nationality and culture. It conceives of America as a tribe of “our own kind of people,” mostly white and rural. Restricting the entry of new immigrants advances that kind of identity politics but does not go far enough to alter the character of America. There must be mass deportations as well.  

Mass deportation performs an important symbolic function. From that standpoint, Minneapolis is the perfect target. We can trace the origins of the current conflict to the riots around the George Floyd incident, which also happened in Minneapolis, and the frenzy over masks, vaccines and shutdowns in 2020. Trump wants his own, counter-woke version of the George Floyd incident to unfold on the streets of the Twin Cities. His syncretic mind sees a political trifecta in sending jackbooted, heavily armed Border Patrol agents into a city that (to his supporters) symbolizes lefty progressives, Somali welfare cheats and politicians favoring sanctuary cities.  

Resistance 

Minneapolis-St. Paul was the wrong target. This city was ready to resist. Its brave people carried out a sustained campaign of notification, organized monitoring, and peaceful obstruction. (Yes, there was some obstruction but, like the civil rights movement, it was a non-violent form of protest, like a sit-in.) Like several other ICE-invaded communities, Minneapolis-St. Paul came to the defense of immigrants but also highlighted that many innocent legal residents were being rounded up in the process.  

As the crackdown proceeds, it becomes clearer and clearer that there is no economic policy goal – or benefit – from Trump’s deportation plan. It hurts the economy of all Americans. It is not just restricting undocumented workers, who despite their status fulfill a valuable production and service role and fill gaps in the supply of labor. It is restricting students from studying in American universities. It scares off tourists. It tarnishes the country’s reputation. It interfered with attempts by South Korea to build a factory employing hundreds of people in the state of Georgia. It has even threatened and intimidated recent immigrants of legal status.  

Reports from the Wall Street Journal and New York Times show that the administration made a deliberate decision to organize these armed invasions instead of seeking targeted action. Moreover, ICE entered these localities without the cooperation or approval of local authorities. The whole point was to make their presence visible and confrontational, to demonstrate that the federal government was

asserting control of the situation. The point was to subordinate and override local police and state and local governments that offered sanctuary or supported more liberal immigration policies. If they were really interested in finding and deporting known criminals who happen to be illegal immigrants, they could have targeted and arrested them. They chose not to do that. Indeed, they chose to be as provocative and militant as possible, putting Gregory Bovino, a Border Patrol officer out of his jurisdiction, in charge of the Minneapolis operation. He was selected not only because he favored aggressive action, but seemingly also for symbolic purposes, as his look and behavior seem to have been modelled on Colonel Miles Quaritch, the crew-cut blond, muscular, robot-wielding militarist who invaded Pandora to destroy the Na’vi in Cameron’s Avatar movie. 

So, this was not about immigration enforcement per se. This was a display of power, an invasion meant to intimidate and subordinate cities and constituencies that were perceived as hostile to Trump. As one post on X put it,  

“If you want to deport people who are in the country illegally, you don’t pull up to random cars in parking lots and shatter their windows and drag their drivers out. You don’t trap cars in intersections and shatter their windows to force the occupants out into the street. You don’t go up to random Hispanic people at gas stations and demand their papers.” 

Minnesota’s resistance helped lift the veil from the pretense that this was about rounding up criminals. Faced with public friction and exposure, ICE agents twice lost their temper and murdered American citizens. The administration had already compromised the First Amendment, viewing unfavorable interviews and news reports as targets of litigation, and protestors as targets for police harassment; when it was discovered that one of the victims, Alex Pretti, was armed, it showed it was willing to jettison the Second Amendment, the right to carry a gun, as well.  

After three weeks of this and the second murder, the public turned against the Administration. A few Republican Senators and Representatives finally got a backbone. A Republican gubernatorial candidate withdrew from the race to protest the national government’s actions. A budget cutoff was threatened. Colonel Quaritch-Bovino was sent packing and cut off social media. Kristi Noem shut up for a while. Trump called Minnesota governor Walz.  

However, Trump did not withdraw ICE from the city. Justice Department head Pam Bondi sent a letter to Minnesota officials saying ICE will only leave if the state turns over its voter database to Trump. A seizure of voting records from 2020 in the State of Georgia raises further alarms about an attempt to rig the next election. Trump himself compared his Operation Metro Surge to the military action against Venezuela.  

The role of digital media 

We like to complain about surveillance in digitizing society, but let’s remember the role of sous-veillance, everybody surveilling everybody, in the Minnesota conflict. The protestors’ main “weapons” were phone cameras and whistles – and to some extent, their bodies. Their pictures, shared on social media platforms and mainstream media apps, recorded a set of events from multiple perspectives and made it accessible and even viral across all digital media platforms.   

We can speak of the camera as a weapon because it carried a viable threat that any misbehavior by the troops would be exposed, and exposure would bring accountability. 

But how strong was this weapon? Misbehavior – terrible, fatal misbehavior – was in fact exposed. Everyone saw the videos. They left little room for debate about what had happened. Yet for nearly a week, it was frighteningly unclear whether this would even make a difference. The Trump administration tried to impose a false interpretation. It characterized the victims as “terrorists” and claimed they were aggressively threatening ICE agents. They instantly granted the killers immunity from state or local prosecution. They excluded domestic police from investigating the crime. Their capture of the federal-level executive branch agencies and of both Houses of Congress seemed to shut off most avenues for recourse.  

Ultimately, smartphone documentations of two deaths, disseminated across digital media, made the government’s approach untenable. There were too many witnesses, and the evidence was too clear. The entire country could witness not only the shooting, but hear the outraged dissent of Minneapolis’s Mayor, the shock of its police chief, the first-hand accounts of bystanders. The government was lying and everyone knew it. There was a flood of videos of other abuses by undisciplined ICE agents in less fatal situations. Trump was losing millions of people who voted for him in 2024 and alienating a vast set of middle-ground voters who might consider voting for Republicans in the midterms.  

Mayor Jacob Frey of Minneapolis asked poignantly, “what if we did not have these videos?” Social media networking and digital devices were crucial.  But it was not simply the information, the publicity, but the willingness of responsible and authoritative political actors to become vocal and act on that information, that made a difference. 

Polarization 

Social media are often accused of polarizing the polity. Mostly this accusation is about a polarized U.S.A., but sometimes the argument is extended to other democracies like Brazil, India or even Europe. The now-cliched argument is that divisive and angry messages are more likely to keep users engaged, so algorithmically controlled media amplify them to sell ads, and a passive public falls in line. 

Generally, it is a mistake to blame digital media for divergent reactions to hot button issues. There are strong substantive differences in the population; the media reflects, it does not create, these divisions, though it may accelerate them under certain circumstances. The significance of immigration and identity politics in the current conflict was explained above. To think that these divisions would not exist if social media were banned or heavily moderated to allow only anodyne cat videos shows a lack of understanding of collective action in a complex, liberal-democratic society. 

A heated discourse about Minnesota was certainly evident on social media. The two sides shouted at, caricatured, goaded and trolled each other on X, with owner Elon Musk obviously – but a bit half-heartedly – tipping the scales toward a pro-ICE stance. Yet even on X, the discourse became increasingly balanced, as apologists for ICE became outweighed by critics, and evidence of abuse piled up.  

Polarization was evident in the way defenders of ICE tried to represent protestors and their supporters. ICE operations reinforced liberals’ and leftists’ view of the Trump administration as “fascist,” “authoritarian,” or racist. MAGA nationalists, for their part, saw the hard-line actions as highly satisfying. After the killings, however, the “poles” shifted.

MAGA supporters tried very hard to keep them aligned. When it was no longer possible for Trump supporters to argue that the killings were justified, it became about the victims’ identity, and specifically their status as agents of the opposition political movement. Michael Shellenberger, a professional Trump apologist, tweeted that “the Left is getting people killed” by “encouraging people to interfere in law enforcement operations.” While disavowing the shooting, Shellenberger’s approach places the blame for the killings on “progressive nonprofits, Democrats, and liberal influencers” – an attempt to reinforce the political divisions that led to the conflict.  

One could therefore superficially conclude that people reacting to the representations of the conflicts on social media reinforced polarization. Except it didn’t. Ultimately, media interactions broke through the standard forms of division. The Trump administration alienated a significant segment of its current and potential supporters, and they began to post. Conservative judges, independent Republicans, libertarians, and even a response from cautious CEOs, who remained silent as long as possible due to their attempt to avoid recriminations from Trump, began to react to the situation. 

A January 25 letter signed by 60 leaders of Minnesota companies, including Target, 3M and General Mills, published the day after the fatal shooting of Alex Pretti, called for “an immediate de-escalation of tensions and for state, local and federal officials to work together to find real solutions.” The polarization existed before the incident, but it put the advocates of mass deportation on the defensive. The exchange of real-time opinion, rage and evidence altered the political environment.  

Unfortunately, the issue has not been resolved. Trump’s political base is deeply invested in both the symbolism and the reality of mass deportation. Its goal is to erase the message of hope inscribed on the Statue of Liberty. Minnesotans cannot back down either, because to do so would be to surrender basic American rights and liberties, and dangerously curb the local and state powers granted to them under a federalist constitution. 

The post Digital Media and the American Civil Conflict appeared first on Internet Governance Project.

From “national pride” to “runaway”

Manus made its international debut in March 2025, by unveiling what it touted as the world’s first general-purpose AI agent, an autonomous system that could execute complex tasks such as drafting reports, analyzing stocks, and coding, with minimal prompting. The product went viral and gained massive domestic and international attention. Chinese state media and the local government of Wuhan lauded it as “the next DeepSeek” and showed strong eagerness in supporting this new golden child of AI innovation.

However, in a drastic overturn/contrast, after Silicon Valley venture capital firm Benchmark invested in Manus with 75 million dollars in April, Manus swiftly made decisive moves to segregate itself from the Chinese market. It closed its Wuhan and Beijing offices, deleted its Chinese social media account, fired Chinese employees except for the core team, and moved to Singapore. Users with Chinese IPs were even blocked from accessing its site.

This dramatic shift triggered polarized sentiments in China. On one hand, venture capital and tech communities are excited about an emerging new playbook of accessing the lucrative US capital market. As long as you totally abandon your Chinese identity, you can still be accepted by the US capital market and make money through acquisitions. On the other hand, some commentators criticized the company for “running away” from the Chinese market. From the angle of the Chinese government, the acquisition was especially alarming as it sets a dangerous precedent that domestic innovators could just abscond to the U.S. despite all the support they gained from the domestic talent pool, policy encouragement, and industry advantage. Such grievance is not inconsequential, as Beijing also attempts to review whether the deal is consistent with its export controls (this is our previous article on China’s nascent export control regime).

The Benchmark investment and OISP screening

Why did Manus gain such a sudden lucrative acquisition, and also determine to cut its ties with China so decisively in a short time span of 9 months? The startup defended itself by stating its “DNA of internationalization” from the very beginning, and their retreat from China is just a reflection of their strategy of becoming a truly international company, in order to avoid foreign blockades and utilize American LLM APIs such as Claude. More importantly, after receiving investment from Benchmark, Manus swiftly went on a path of restructuring and relocating in order to navigate through the heavy American investment screening crossfire.

The investment was an audacious move for Benchmark; as US venture capitalists become more national security aware, they have avoided investing in Chinese firms. The deal was subject to the “reverse CFIUS” – the U.S. Outbound Investment Security Program (OISP) rules that impede American firms investing in Chinese technological companies. In hindsight, before the Benchmark investment, Manus apparently falls into the OISP covered category – a China-based company operating in China. Hence, after Benchmark’s investment and guidance, all its relocation and segregation moves serve to conform to OISP; Manus has spent over 9 months to implement an “identity engineering” task to become fully “non-Chinese” and “international”.

How “Chinese” are you?  U.S. government’s expanding approach of determining company identity

From FIRRMA and the restrictions on Huawei and ZTE to the recent OISP rules, the U.S. government has steadily broadened the definition of a “covered entity.” Moving beyond the simple principle of legal nationality, it has adopted a holistic risk-assessment mechanism that scrutinizes inbound and outbound investments, as well as domestic market entries, targeting Chinese-background firms and individuals. This evaluation is based on a wide range of factors, including headquarters location, revenue sources, expenditure destinations, ownership percentages, data storage location, algorithm control, and government connections.

Starting from 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) allowed U.S. authorities to scrutinize even non-controlling minority stakes by Chinese investors in critical tech sectors. Around the same time, Chinese telecom giants Huawei and ZTE were regarded as entities with strong connections with the Chinese state, and eventually blacklisted in the U.S. network by 2019-2020. During this period, the US regulators mainly focused on companies being under the Chinese jurisdiction or influence.

However, as the TikTok saga shows, moving out of the Chinese jurisdiction wouldn’t guarantee a free pass from the U.S. government. Even though TikTok has long separated its Chinese and international branches, and developed data localization and security plan in the U.S. territory (see Project Texas), the U.S. regulators still pressed TikTok to sell and restructure. The eventual deal, reached in late 2025, forced ByteDance to reduce its stake to 19.9% and cede majority ownership to U.S. investors. U.S. user data, critical algorithms, and content decisions must be controlled by a new U.S.-led joint venture (see our previous post). This case shows what the U.S. really wants over a China-originated company when it carries strategic value: to gain absolute controlling power over it.

Recent developments of the Comprehensive Outbound Investment National Security (COINS) Act further exemplifies the intentionally expansive nature of the U.S. government’s definition of a Chinese company. The COINS Act broadens the scope of “covered foreign persons” by replacing the OISP’s fixed equity and voting thresholds with a qualitative “direction or control” standard, which captures entities regardless of their specific ownership percentages. This shift ensures that minority-owned or non-technical Chinese entities still remain subject to OISP.

Pushing this current logic and trend further, an extreme but plausible situation would be: whenever a China-originated company is deemed to carry high strategic value (be it in AI, telecommunications, social media, etc.), even entities that fall outside this strict definition (e.g. headquartered offshore with mixed ownership) can be treated with suspicion if they have Chinese DNA in their founding team or technology.

Mind the gap: the stack of Identity engineering

By summarizing the current U.S. regulations and political climate, a new Chinese AI firm will have to painstakingly conduct a whole stack of identity engineering if they are still seriously seeking to obey U.S. regulations, enter the U.S. market, and/or receive U.S. investment:

• Incorporation & HQ abroad: register and headquarter outside mainland China, Hong Kong, and Macau SARs.
• No majority China exposure: ensure the majority of its revenue and expenditure are not primarily tied to the Chinese market.
• Avoid state linkage: decline investments from state-owned funds and avoid state contracts and affiliations.
• Isolate data flows: store user and operational data outside China and block any cross-border transfers back to Chinese servers.
• Rebrand globally: De-emphasize Chinese origin in marketing, press, and investor materials.

In a more extreme playbook, when more restrictive and racist requirements emerge from the U.S., they might even have to:

• Be led by non-Chinese management and staff: limit Chinese passport holders in executive, technical, or board-level roles.
• Have zero China operations: shut down domestic business entirely and block Chinese IP access to platforms.
• Supply chain decoupling: move manufacturing and hosting relationships out of China.

If a China-originated company truly adheres to all the requirements here, can they still be defined as Chinese companies? Manus made a clear choice to totally abandon its home market identity, but not all firms are audacious enough to burn so many bridges. This level of compliance with U.S. regulations is, in effect, a clear act of “taking a side”, which will inevitably carry consequences from the Chinese regulator and market.

Conclusion

Although some commentators may argue that identity engineering is just companies’ reactive measures to bypass and dodge U.S. regulation, such policies still pose long-term costs to Chinese companies.

Chinese technology firms like Manus essentially attempt to leverage the comparative advantages of both China and the U.S. On the one hand, they thrive from the high-quality talent pool, advantageous application innovation environment, and strong manufacturing capacity from China. On the other hand, they still want to enter the US market due to its high liquidity, strong consumption power, and access to computing power. Under the current restrictive and discriminative policies from the U.S. government, they must implement a full stack of “identity engineering”. However, when the costs for compliance have reached a tipping point where they exceed the gains, they may need to consider another path.

More importantly, the pivotal question remains for some Chinese firms: despite all their efforts to rebrand, restructure, and even alienate their home market, will the U.S. regulators ever truly accept them as “non-Chinese”? I doubt so, given the contingent nature of U.S. investment policies amid strategic competition with China, the final determination of “who they are” is hardly theirs to make.

The post Identity Engineering: Why a leading Chinese AI startup abandons its home market appeared first on Internet Governance Project.

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) was enacted during a period of heightened anxiety over massive state-sponsored breaches and the burgeoning threat of global ransomware. Its architects envisioned a nationwide “digital neighborhood watch,” where private companies and the federal government would swap “indicators of compromise” (IOCs) in real-time, shielded by broad liability protections.

However, nearly a decade later, the framework of CISA 2015 has stagnated, and the landscape of cybersecurity has evolved. As the law faces its sunset and the debate over its renewal intensifies, a cold-eyed assessment of its flagship program, the Automated Indicator Sharing (AIS) system, reveals a system that is not only failing to meet its objectives but is increasingly viewed as an obsolete relic of an earlier era of cyber defense.

A Program in Terminal Decline

The primary justification for renewing CISA 2015 is the expansion of threat intelligence sharing. Yet, according to the federal government’s own auditors, the law has presided over a dramatic contraction, not an expansion, of shared intelligence.

The Department of Homeland Security’s Office of Inspector General (OIG) has released several scathing reports (notably OIG-24-60 and the final 2025 assessment OIG-25-46) documenting the steady erosion of the AIS program. The data paints a picture of a “ghost town” of information exchange:

• Participation Collapse: The number of non-federal participants using AIS to share information peaked at 304 in 2020. By late 2022, that number had plummeted to 135. As of late 2024, active non-federal participants have dwindled to fewer than 90.

• Indicator Freefall: More telling than the number of participants is the volume of data shared. Between 2020 and 2022, the sharing of IOCs through AIS declined by a staggering 93%.

• The “Single Source” Mirage: While CISA reported a surge in shared indicators in 2024 (climbing from 1 million to 10 million), the OIG revealed that 89% of that data came from a single private-sector participant.

This “unevenness” is a critical indicator of systemic failure. When a national security program relies on a single corporate benefactor for nearly 90% of its utility, it is no longer a “nationwide sharing” initiative; it is a specialized partnership disguised as a broad statutory success. The federal government’s inability to recruit and retain a diverse range of data producers suggests that the private sector has voted with its feet, finding the AIS framework fundamentally mismatched to modern operational needs.

The Superiority of Decentralized, Sectoral Information Sharing

The second reason to oppose the renewal of CISA 2015 is that the market and the nonprofit community are already doing what CISA failed to deliver. Commercial threat intelligence services, nonprofit Information Sharing and Analysis Centers (ISACs) and industry consortia like the Cyber Threat Alliance have emerged as the gold standard for information sharing. Oddly, the CISA-run system, at its core an attempt to centralize power, relies entirely on the volition of information sharers to get its data. Unlike commercial and some nonprofit threat intel services, which operate telemetry services that automate data collection, CISA relies on voluntary decision by agencies and enterprises to send data into the AIS.

The Power of Context

Modern cybersecurity is no longer about having a “list” of bad IP addresses; it is about understanding the Tactics, Techniques, and Procedures (TTPs) of specific adversaries.

• ISACs: ISACs were products of the Clinton administration’s critical infrastructure security commission. From the late 1990s on, sector-specific groups like the Financial Services ISAC (FS-ISAC) or the Electricity ISAC (E-ISAC) have provided “vetted” intelligence. When a bank shares data with FS-ISAC, it is reviewed by human analysts who understand the specific banking software and regulatory environment. This “contextualized” data is actionable.

• Commercial Feeds: Companies today pay for specialized feeds (such as those from CrowdStrike, Mandiant, or LevelBlue) that provide high-fidelity data tailored to their specific attack surface.

In contrast, the AIS program—mandated by CISA 2015—focuses on machine-to-machine bulk sharing of raw indicators. This approach prioritizes quantity over quality.

Renewing CISA 2015 under the guise of “improving” information sharing ignores the reality that the “sharing” problem has been solved elsewhere. The federal government’s attempt to duplicate these high-trust, high-context environments through a centralized, one-size-fits-all statute has proven to be a redundant exercise that consumes millions in taxpayer dollars with little added value.

The Centralization Myth: Data Without Responsibility

The fundamental philosophical flaw of CISA 2015 is its attempt to centralize cyber threat data in federal hands, while the responsibility for action remains decentralized and the sources of data are highly distributed. This creates a structural bottleneck that actively hinders effective defense. The only real agenda behind the renewal of the act is tbe bureaucratic interest of the Cybersecurity and Infrastructure Security Agency (CISA) to give itself a bigger budget and a more central role in “managing” cybersecurity.

The Responsibility Gap

Cybersecurity is an operational, “on-the-ground” discipline. The entities best positioned to detect, mitigate, and recover from an attack are the IT departments of the specific organizations being targeted, or specialist threat intel providers. A hospital in Ohio or a municipal water plant in Florida need specific, immediate intelligence about threats to their specific infrastructure. While it’s true that information specifically targeted at hospitals or water plants could be useful to these actors, the vast majority of threat intel out there is not relevant to them.

The AIS program operates on a “hub-and-spoke” model where all roads lead to the Department of Homeland Security. The “centralized” data repository becomes a “black hole”—data enters, is scrubbed for privacy, analyzed by a distant bureaucracy, and by the time it is redistributed, the threat has often morphed or the “indicator” (like an IP address) has been discarded by the attacker. But most of the data is just not relevant.

The “Noise” Problem

For most organizations, the bulk data provided by the AIS is not an asset; it is noise. Security Operations Centers (SOCs) are already overwhelmed by thousands of alerts per day. Ingesting millions of unvetted, uncontextualized indicators from a nationwide AIS often leads to “alert fatigue,” where real threats are missed because analysts are chasing ghost indicators that have no relevance to their specific environment.

By attempting to centralize this data, CISA 2015 encourages a “compliance-over-security” mindset. Organizations may feel they are doing their part by “sharing with the government,” but this centralized reporting does little to actually harden their own defenses or provide them with the specific intelligence needed to survive a sophisticated intrusion.

Conclusion: Let it Expire

The Cybersecurity Information Sharing Act of 2015 was a product of its time—a well-intentioned but ultimately flawed attempt to treat digital defense like a centralized military operation. The evidence from the past decade is clear:

1. The program is failing statistically, with participation and data volume in freefall.

2. Superior alternatives exist in the private and nonprofit sectors that provide the context and trust the government cannot replicate.

3. The centralized model is structurally unsound, creating a repository of “noise” that provides little value to the organizations actually responsible for securing the nation’s infrastructure.

Renewing CISA 2015 would be a victory for bureaucratic inertia, but a defeat for cybersecurity efficacy. Instead of reauthorizing a law that supports a declining and ineffective AIS program, policymakers should pivot toward supporting the organic, decentralized ecosystems of the ISACs and focusing federal resources on securing the government’s own notoriously vulnerable networks. Cyber defense belongs at the edge, in the hands of the practitioners—not in a centralized federal database that the industry has clearly outgrown.

The post Don’t Renew the Cybersecurity Information Sharing Act appeared first on Internet Governance Project.

1. The Entrenchment of Techno-Nationalism

The dominant theme of 2025 was the solidification of the “tech cold war.” While the US-China conflict remained central, IGP expanded analysis to show how techno-nationalism increasingly became a global norm, with (mostly) governments pursuing their own aggressive and destructive notions of “digital sovereignty”. We’ve consistently critiqued strategies of “containment” and “decoupling,” arguing that these policies often backfire or serve political theater rather than technical security. 

• US-China Tech War: We argued that while the US successfully choked off China’s access to advanced hardware (chips), the two ecosystems remain deeply interdependent. Unpacking US-China “Decoupling” and Apple in China highlight that complete separation is economically destructive and often impossible. Meanwhile, Chinese firms adapted by innovating in software efficiency (e.g., DeepSeek-OCR) rather than brute-force computing.
• The “India Stack”: Coverage of India highlighted a distinct form of protectionism. The blog critiqued the push for “indigenous” web browsers as mere skins designed to enforce government surveillance (root certificates) rather than genuine innovation. Similarly, India’s Satellite Communications Policy analyzed how the entry of Starlink was managed to balance geopolitical alignment with the U.S. against the protectionist demands of local telecom giants like Jio.
• TikTok & Identity Politics: The “settlement” of the TikTok ban was framed not as a security win, but as the imposition of state-aligned control over media, driven by “identity politics” and anti-China sentiment rather than technical threat models.

Referenced Articles:

• Unpacking US-China “Decoupling” in AI
• Embarrassing the Future: TikTok Decision Turns on Data Collection
• Why a TikTok Divestiture Never Happened
• The shocking part of the TikTok settlement that no one’s talking about
• Identity politics: The TikTok Deal, Chinese export controls…
• DeepSeek Disruption
• DeepSeek-OCR: China’s Answer to the U.S. Chip Ban
• “Indigenous” Web Browsers in India: Who Benefits?
• India’s Satellite Communications Policy
• “Apple in China:” A Critical Review

2. Institutional Challenges to Internet Governance

The year 2025 marked a watershed moment for some global internet governance institutions, culminating in a significant shift toward state-centric influence within the United Nations system and potentially on the African continent.

• The UN Swallows the IGF: Coverage throughout the year—including Has the IGF lost the Plot? and Should WSIS End?—warned that the forum had become a venue for bureaucratic process rather than helping to resolve real-world digital conflicts. A major development occurred in December with the conclusion of the WSIS+20 review. We critically analyzed the UN General Assembly’s decision to make the Internet Governance Forum (IGF) a “permanent forum of the UN.”  By absorbing a multistakeholder deliberative body into the multilateral bureaucracy, the UN has effectively “internalized” the conflict between sovereign control and the global internet. While the impact of this remains uncertain, the WSIS process will not face another existential challenge for at least a decade.
• AfriNIC Crisis: IGP closely followed the governance crisis at AfriNIC (the African region IP address registry). It reported on the Supreme Court of Mauritius’s intervention to allow board elections to proceed despite legal sabotage by litigants. Our coverage was highly critical of ICANN’s intervention with SmartAfrica in the process, arguing that ICANN fostered “not-so-smart ideas” that threatened the autonomy of the regional registry system.
• Defending Independence: In contrast to the above, our blog championed initiatives to create independent governance structures. It argued for the privatization of the .US domain to foster innovation and promoted the Declaring Independence in Cyberspace book to remind stakeholders that the IANA transition proved the viability of non-state governance. 

Referenced Articles:

• WSIS+20: The UN Swallows the IGF
• Should WSIS End? A call for discussion
• Has the IGF lost the Plot?
• Has the Supreme Court of Mauritius Resolved AfriNIC’s Governance Turmoil?
• ICANN fosters some Not-So-Smart Ideas for AFRINIC
• Is it time to privatize .US?
• New Book: Declaring Independence in Cyberspace

3. Technological Governance: Realism over Rhetoric 

The narrative shifted from existential dread over AI to economic skepticism and a critique of “safety” as a mask for industrial policy.

• Policy & Politics: The blog analyzed the collapse of global AI coordination (So Much for Global Governance of AI…), noting that nations retreated to “AI nationalism” at the Paris Summit. It also predicted that a Trump 2.0 administration would pivot away from “safety” obsessions toward deregulation and rapid innovation to compete with China
• AI Investment Corrections By October, IGP predicted an inevitable economic correction for the AI sector. We argued that the massive capital expenditure on chips and data centers is a bubble driven by “FOMO” (Fear Of Missing Out) and government subsidies rather than sustainable business models, predicting a crash similar to the dot-com bust.
• Governance & Safety: Early in the year, we critiqued “safety” reports from California and OpenAI’s call for bans on Chinese models as “neo-mercantilist” protectionism disguised as safety. Countering “Terminator” narratives, Rethinking AI in Warfare argued for viewing AI as an “augmentation” tool for decision support rather than a substitution for human agency. We highlighted research showing that Chinese models (DeepSeek) are not monolithic propaganda tools; they can be “jailbroken” to criticize the CCP, suggesting that the “threat” of foreign AI is exaggerated to justify domestic control. It wasn’t all AI, we pushed back on exaggerated national-security fears over Battery Energy Storage Systems (BESS), providing a sober, fact-driven analysis that risks are manageable if properly engineered. 

Referenced Articles:

• So Much for Global Governance of AI…
• Trump 2.0’s AI Policy Direction
• The Coming AI Bust
• The Frontier Illusion: Rethinking DeepSeek’s AI Threat
• DeepSeek Says “Xi Jinping is a Dictator”
• OpenAI’s manifesto: Neo-mercantilism Enters Global AI Governance
• A Review of the Draft Report of the California Working Group on AI Frontier Models
• From Substitution to Augmentation: Rethinking AI in Warfare
• India’s Report on AI Governance Guidelines Development
• Batteries Enable the Renewables Transition: But Can We Trust China’s Batteries?

4. The Digital Economy: Money, Data, and Industrial Policy

IGP explored how digital monetary networks and data access control and rights are being reshaped, proposing strategic alignments for the U.S. dollar and exploring emerging governance mechanisms in response to technological change.

• Dollar Dominance: IGP proposes a strategy where the U.S. leverages stablecoins (digitized dollars) to interconnect with the Bitcoin network. Analyzed in the context of the GENIUS Act, which legalized and regulated the stablecoin market in mid-2025, the authors argue this would extend U.S. monetary hegemony against BRICS alternatives by making the dollar the on-ramp for the crypto economy.
• Data Enclosure: Cloudflare’s move to block AI crawlers by default is analyzed as a pivotal moment of “data enclosure.” A new paper argues this potentially transforms the “open web,” shifting it further toward market-based and other mechanisms for exchanging increasingly valuable data, and raises important questions about competition and innovation.
• Bits vs. Atoms: Industrial Policy vs. Digital Reality critiqued the political obsession with bringing back factory jobs, using Palantir as an example to show that modern “reindustrialization” is driven by data and software, not labor-intensive assembly lines.

Referenced Articles:

• Interconnection and Rivalry in Global Monetary Networks
• Networks of Money
• A GENIUS Bill?
• Is the Banking System at a Turning Point?
• Cloudflare Declares “Content Independence”: A New Phase of Data Enclosure
• Industrial Policy vs. Digital Reality

5. Censorship, Compliance, and Information Flow

Analysis of free speech moved beyond simple binaries, examining how platforms navigate conflicting legal regimes, how “safety” can lead to suppression, and noting a realignment where recent defenders of expression have become proponents of control.

• Power Corrupts: IGP criticized U.S. Republicans for hypocrisy. After years of decrying jawboning and censorship by Democrats (which we similarly took issue with), they began using state power (visa restrictions, FCC threats) to target political opponents and university protesters once they regained influence. Our coverage of the Kirk Assassination highlighted how political violence is used to justify crackdowns on speech.
• Global Censorship: We also critiqued human rights group Article 19 for labeling an AWS cloud outage a “democratic failure,” arguing this conflates technical resilience with political censorship and ideological arguments against private infrastructure. Is Musk a Hypocrite? offered a nuanced take on X’s (Twitter) actions in Turkey and India. It distinguished between compliance with valid court orders (Turkey) and resistance to extra-legal state coercion (India), arguing that platforms are often caught between local law and global principles.
• Amplification vs. Detection: Reporting on an IAEA Technical Meeting, we argued that trying to “detect and delete” disinformation is a failed strategy. Instead, we encouraged building networks to “amplify” factual information during crises, shifting the focus from suppression to resilience. This expert input was grounded in IGP research resulting in a new paper, which demonstrated how classical propaganda models and evolved digital implementation continue to explain how state actors disseminate, legitimize, and deflect disinformation during high-stakes national crises.

Referenced Articles:

• The New Republican Censorship-Industrial Complex
• Free Speech and the Kirk Assassination
• Is Musk a Hypocrite? Content Removal Cases in Turkiye and India
• Has Article 19 abandoned Article 19?
• DNS-based Web Censorship in India
• IGP at IAEA Technical Meeting 2025

The post IGP Year in Review (2025) appeared first on Internet Governance Project.