Alexandra Paulus
@alexandrapaulus.bsky.social
Researcher for cybersecurity policy + emerging tech, @swp-berlin.org.
Currently:
- Managing military software supply chain risk
- Mitigating US tech dependencies
- Biotechnology + defense
Author of "Building Bridges in Cyber Diplomacy" (2024). She/her.
@weld.bsky.social
Christoph Lobmeyer
@clotildebomont.bsky.social
Colin Topping
@jamesshires.bsky.social
John Scott
John Speed Meyers
Jörg Eschweiler
Marc Lanouette
Philip Engelmartin
Sara Ann Bracket
Sebastian Lange
Simon Stanley

Full text: www.swp-berlin.org/publikation/... /10+fin
An Achilles Heel of Today’s Armed Forces
Managing Software Supply Chain Risk in the Military Sector
www.swp-berlin.org
November 20, 2025 at 9:42 AM
Formulating sensible policy recommendations on software supply chain security truly takes a village. I am extremely grateful to the participants of the international expert workshop (+ the other 50 experts who spoke with me for this project):

@amyertan.bsky.social
@andrewdwyer.bsky.social /9
November 20, 2025 at 9:42 AM
However, these measures will pay off by helping to prevent devastating events. They are therefore needed to safeguard the warfighting capabilities of today's militaries and protect the Achilles heel of the software supply chain. /8
November 20, 2025 at 9:42 AM
... can be used to enforce relevant requirements for reducing software supply chain risk in suppliers' products.

The inconvenient truth: managing software supply chain risk is hard. There is no easy fix; instead, leaders must invest significant resources and take various steps simultaneously. /7
November 20, 2025 at 9:42 AM
...as well as fostering expertise, red teaming, and adapting procurement rules. III. Policymakers and the armed forces must ensure that software suppliers take action. Model contract language, procurement rules, product liability, and conformity assessments ... /6
November 20, 2025 at 9:42 AM
I. Political and military leaders must define the appropriate level of protection for the different types of (embedded) software products.

II. The armed forces must set up their own software supply chain risk management. This involves setting up responsibilities and internal procedures.../5
November 20, 2025 at 9:42 AM
I spent more than one year analyzing the risks and formulating policy recommendations for military and political leaders on how to manage them. The result is my latest research paper (see link below).

In a nutshell, three steps are necessary: /4
November 20, 2025 at 9:42 AM
Accordingly, software supply chains can expose militaries to significant risks:

1. Industrial espionage,
2. Political espionage, and
3. Sabotage.

Even without an attacker, inadvertent mistakes by suppliers (or their suppliers) can disrupt operations and cause significant damage. /3
November 20, 2025 at 9:42 AM
Software now underpins all military activities: office applications, logistics systems, situational awareness platforms, and it is even embedded in large weapons platforms like fighter jets. /2
November 20, 2025 at 9:42 AM
Even if negative scenarios never materialize, these actions will strengthen the global cybersecurity ecosystem, thereby improving the resilience of individuals, institutions, and companies in Europe and beyond.

English paper: www.swp-berlin.org/en/publicati... /9
Europe’s Cybersecurity Depends on the United States
Europe Can and Must Do More
www.swp-berlin.org
November 6, 2025 at 8:24 AM
Based on this analysis, I recommend that German and European policymakers take 3 steps, each of which includes several concrete action items:

I. Gather information about cyber threats.
II. Create legal protections for security researchers.
III. Invest in the cybersecurity ecosystem. /8
November 6, 2025 at 8:23 AM
Scenario 3: The US government weaponizes Europe’s dependencies. /7
November 6, 2025 at 8:23 AM
I then present 3 scenarios in which these dependencies could pose problems for Europe and outline their potential consequences.

Scenario 1: Washington ceases financial support for cybersecurity projects.
Scenario 2: The US government changes its political priorities. /6
November 6, 2025 at 8:22 AM
2. US companies dominate the market for information about cyber threats.
3. The US Armed Forces gather intelligence on cyber threats.
4. The US government funds vulnerability databases.
5. The US government supports the security of open source software. /5
November 6, 2025 at 8:21 AM
In this policy paper, I examine seemingly niche, technical aspects of the ways in which the US government and companies play a key role in the global cybersecurity ecosystem. I identify five key dependencies:

1. US companies dominate the market for cybersecurity applications. /4
November 6, 2025 at 8:21 AM
3. The good news: German and European policymakers can reduce these dependencies and take responsibility for the global cybersecurity ecosystem today. /3
November 6, 2025 at 8:20 AM