
Creating and Implementing a Liability Regime for Software Vendors
Insecure software is a national security risk, costs the U.S. billions of dollars annually, and exposes users’ information to malicious actors. Software developers (vendors) who fail to securely develop their products currently face few legal repercussions, even if they engage in industry-agreed bad practices. Without a current legal framework holding vendors accountable for their products, users assume most (if not all) the risk when cyberattacks occur. Therefore, to ensure the responsibility for secure software is appropriately vested in the entities creating, maintaining, and profiting from its use, a federal torts-based software liability regime should be implemented, and the Department of Justice (DOJ) should collaborate with state attorneys general (AGs) to initiate lawsuits under state laws.

Gotta Track’em All: Data Privacy and Saudi Arabia’s Pokémon Go Acquisition
In a given month, more than 100 million people open Pokémon Go—the app that allows users to superimpose the world’s most profitable media franchise onto reality using only their smartphone. Using their phone camera and a flick of the wrist, they capture tiny digital monsters at the park, at the office, sometimes in active minefields, and, yes, in the bathroom.
Who else was watching?
Pokémon Go, initially developed by Niantic in 2016, uses augmented reality (AR) to blend the virtual world of Pokémon with the physical world around players. By accessing a smartphone’s camera, GPS, and motion sensors, the game overlays digital Pokémon onto real-world environments, requiring players to physically move to specific locations to 'catch' them. The game’s seamless blending of the digital and physical world made it an immediate smash hit (its ties to Pokémon probably didn’t hurt, either). But underneath that immersive experience are important privacy concerns about how much personal information is being collected, who controls it, and how it’s being used.

Primer on the Costs of Cyber Espionage
Cyber espionage is the use of cyber tools and techniques to gather intelligence or steal sensitive information from targeted entities. This form of espionage poses significant risks to national security, economic stability, and corporate integrity. Given the complex and often hidden nature of cyber espionage activities, accurately measuring their costs presents a significant challenge. Traditional accounting methods and mental models of espionage may fall short in capturing the full impact of cyber espionage and of recovery from these incidents, particularly those costs related to intangible assets such as brand reputation and competitive advantage. Measurement methodologies in use today may not be effective in capturing the full range of costs in years to come as actors adapt and tactics like supply chain attacks impose costs on an ever-wider range of third parties as part of cyber espionage targeting a particular organization. Accurately measuring the costs associated with cyber espionage is thus an evolving problem space with direct implications for policy.
Mythical Beasts and Where to Find Them
Despite its contribution to human rights harms and national security risks, the proliferation of spyware remains rife. A significant channel for this proliferation is sale through a global market, in which public information is available on only a handful of vendors. While some of these entities have achieved infamy, like NSO Group and the Intellexa Consortium, most others have largely flown under the radar.
The Mythical Beasts project addresses this meaningful gap in contemporary public analysis on spyware proliferation, pulling back the curtain on the connections between 435 entities across forty-two countries in the global spyware market. These vendors exist in a web of relationships with investors, holding companies, partners, and individuals often domiciled in different jurisdictions.
Markets Matter - A Glance into the Spyware Industry
The Intellexa Consortium, a complex web of holding companies and vendors for spyware and related services, has been the subject of recent, extensive sanctions by the US Department of the Treasury and the focus of reporting by the European Investigative Collaborations, among others. The Consortium represents a compelling example of spyware vendors in the context of the market in which they operate—one which helps facilitate the commercial sale of software driving both human rights and national security risk. This paper addresses an international policy effort among US partners and allies, led by the French and British governments, as well as a surge of US policy attention to address the proliferation of this spyware.