Cultural and Social Dimensions of Cybersecurity

I have been working over the past years with Oxford’s Global Cyber Security Capacity Centre (GCSCC), which is associated with the Oxford Martin School and Department of Computer Science at Oxford, as well as several other departments, including the OII, and Saïd Business School. My own work has been focused on bringing the social sciences into the discussion, primarily by directing work on the cultural and social dimensions of cybersecurity.

Bill courtesy of Voices from Oxford (VOX)

I happened across a video we produced years ago in which I sought to address some of the questions in this area of cybersecurity. It is available here: https://www.oxfordmartin.ox.ac.uk/cyber-security/responsible-cyber-culture/

There are also a few articles I’ve written, often with others, on aspects of these social and cultural dimensions, including:

Creese, S., Shillair, R., Bada, M., Reisdorf, B.C., Roberts, T., and Dutton, W. H. (2019), ‘The Cybersecurity Capacity of Nations’, pp. 165-179 in Graham, M., and Dutton, W. H. (eds), Society and the Internet: How Networks of Information and Communication are Changing our Lives, 2nd Edition. Oxford: Oxford University Press. An earlier version of this book chapter was presented at the TPRC conference and is available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938078

Dutton, W. H., and GCSCC (2018), ‘Collaborative Approaches to a Wicked Problem: Global Responses to Cybersecurity Capacity Building’, February. Notes on the 2018 Annual GCSCC Conference, Oxford University: Available online at: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/GCSCC%20Annual%20Conference%202018%20Output%20180508%20.pdf

Dutton, W. (2017), ‘Fostering a Cyber Security Mindset’, Internet Policy Review, 6(1): DOI: 10.14763/2017.1.443 Available at: https://policyreview.info/node/443/pdf. An abridged version was reprinted in Encore, a publication of The Alexander von Humboldt Institute for Internet and Society (HIIG), forthcoming in 2018. https://www.hiig.de/en/fostering-cybersecurity-mindset/

Bauer, J., and Dutton, W. H. (2015), ‘The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet’, Joint Working Paper for the Global Cyber Security Centre at the University of Oxford, and the Quello Center, Michigan State University. Available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2614545

Dutta, S., Dutton, W. H. and Law, G. (2011), The New Internet World: A Global Perspective on Freedom of Expression, Privacy, Trust and Security Online: The Global Information Technology Report 2010-2011. New York: World Economic Forum, April. Available at SSRN: http://ssrn.com/abstract=1810005

Society and the Internet, 2nd Edition

It is such a pleasure to see the publication today of the second edition of Society and the Internet by Oxford University Press. My co-editor, Mark Graham, and I worked long and hard to assemble a wonderful set of authors to build on the first edition. The success of the original volume led to this new edition. The pace and scale of changes in the issues surrounding the Internet led to almost a completely new set of chapters. Information about the 2nd edition is available on the OUP web site for the paperback edition here, and the hardback here.


Our thanks to OUP and the many professional staff who helped us produce this new 2nd edition, and particularly to my friend Steve Russell for the brilliant art work on the cover. Thanks as well to the OII, which inspired our lecture series that led to these volumes, and OII colleagues who launched much of the research that informs them. I hope you can read the acknowledgements in full as we owe thanks to so many individuals and institutions, such as MSU’s Quello Center, which together with the Global Cyber Security Capacity Centre, supported my own contributions to this second edition.

We owe incredible thanks to our colleague Manuel Castells for his insightful foreword and all the authors of the book’s 24 chapters. These colleagues endured our many requests and most importantly accepted our call to contribute to what we hope will be a perfect reader for courses on Internet studies, digital technology and society, new media, and many other courses dealing with society and the Internet. The authors include junior and senior researchers from around the world. To all, we send our appreciation. No more deadlines, we promise. The authors are:

Maria Bada, Cambridge Cybercrime Centre
Grant Blank, University of Oxford
Samantha Bradshaw, University of Oxford
David A. Bray, People-Centered Internet
Antonio A. Casilli, Paris Institute of Technology
Manuel Castells, University of Southern California
Vint Cerf, Google
Sadie Creese, University of Oxford
Matthew David, Durham University
Laura DeNardis, American University, Washington, DC
Martin Dittus, University of Oxford
Elizabeth Dubois, University of Ottawa
Sandra González-Bailón, University of Pennsylvania 
Scott A. Hale, University of Oxford
Eszter Hargittai, University of Zurich
Philip N. Howard, University of Oxford
Peter John, King’s College London 
Sílvia Majó-Vázquez, University of Oxford
Helen Margetts, University of Oxford
Marina Micheli, European Commission
Christopher Millard, Queen Mary University of London
Lisa Nakamura, University of Michigan
Victoria Nash, University of Oxford
Gina Neff, University of Oxford
Eli Noam, Columbia Business School 
Sanna Ojanperä, University of Oxford
Julian Posada, University of Toronto
Anabel Quan-Haase, University of Western Ontario
Jack Linchuan Qiu, The Chinese University of Hong Kong
Lee Rainie, Pew Research Center
Bianca C. Reisdorf, University of North Carolina at Charlotte
Ralph Schroeder, University of Oxford
Limor Shifman, The Hebrew University of Jerusalem
Ruth Shillair, Michigan State University 
Greg Taylor, University of Oxford
Hua Wang, University at Buffalo, The State University of New York
Barry Wellman, NetLab
Renwen Zhang, Northwestern University

So, if you are seriously interested in the societal implications of the Internet and related social media and the mobile Internet, please consider this reader. You will see a variety of methods, data, and theoretical perspectives in play to address important issues in ways that challenge conventional wisdom and punditry about the Internet. You can get a paperback edition from OUP here or from your favourite bookstore.

Nominate an Early Career Researcher to Become a TPRC Junior Fellow

The TPRC is seeking to select up to 6 TPRC Junior Fellows – early-career researchers engaged in research on the Internet, telecommunication and media policy in the digital age. Please nominate individuals whom you think might make outstanding fellows. Those who have won student paper awards at the TPRC conference as well as those who served Benton Award winners could be candidates, but we are open to anyone you feel to have the potential to do outstanding research on key issues for the TPRC, and engage other early-career researchers in our activities.

The TPRC Junior Fellows Program was designed in part to award excellence but also to bring new members into the TPRC community. Those appointed will be honoured and serve as ambassadors for TPRC, working pro bono and appointed to two-year terms by the Board. Junior Fellows will be emerging scholars with good connections to their peers, including but not limited to successful TPRC paper presenters and alumni of the Graduate Student Consortium and Benton Award.

TPRC hopes that Junior Fellows will help broaden the TPRC community, and improve the participation of underrepresented groups, such as young academics, certain disciplines not traditionally involved in telecom research who are engaged in new media and digital policy, and those engaged in new research areas, as well as those who bring greater diversity to our community, including women, minorities, and under-represented groups.

The TPRC Board anticipates that Fellows will disseminate information about TPRC on their personal networks, and identify and engage 1-1 with prospective attendees and encourage them to participate in TPRC. In return, TPRC will recognize Fellows on the TPRC web site, and publicly welcome new appointees during the conference, and provide material and mentoring to support their outreach mission. Of course, the Early Career Fellows will be able to list this service on their resumes. Each Fellow will have a designated Board liaison, who will check in periodically to discuss support needed and progress made. TPRC will aim to support your career.

Desiderata

We’re looking for people that meet as many of the following criteria as possible. None of them are required qualifications; we don’t expect that anyone will check all the boxes.

  • From under-represented groups, including women and minorities
  • Working in new research areas and those under-represented at TPRC
  • Academic talent and promise
  • Good network of contacts, e.g. active on social media
  • Able and willing to advocate for TPRC

For information about the TPRC, see: http://www.tprcweb.com/

If you have ideas, you may contact me on this site, or by email at william.dutton@gmail.com

Cybersecurity and the Rationale for Capacity Building: Notes on a Conference

The fifth annual conference of Oxford’s Global Cyber Security Capacity Centre (GCSCC) was held in late February 2019 at Oxford University’s Martin School. It engaged over 120 individuals from the capacity building community in one full day of conference sessions, preceded and followed by several days of more specialized meetings.*

The focus of the conference was on taking stock of the last five years of the Centre’s work, and looking ahead to the next five years in what is an incredibly fast moving area of Internet studies. So it was an ideal setting for reflecting on current themes within the cybersecurity and capacity building community. The presentations and discussions at this meeting provided a basis for reflections on major themes of contemporary discussions of cybersecurity and how they come together in ways that reinforce the need for capacity building in this area.

The major themes I took away from the day concerned 1) the changing nature of threats and technologies; 2) the large and heterogeneous ecology of actors involved in cybersecurity capacity building; 3) the prominence of cross-national and regional differences; and 4) the range and prevalence of communication issues. These themes gave rise to a general sense of what could be done. Essentially, there was agreement that there was no technical fix to security, and that fear campaigns were ineffective, particularly unless Internet users are provided instructions on how to respond. However, there was also a clear recommendation not to throw up your hands in despair, as ‘cybersecurity capacity building works’ – nations need to see capacity building as a direction for their own strategies and actions.


I’ll try to further develop each of these points, although I cannot hope to do justice to the discussion throughout the day. Voices from Oxford (VOX) has helped capture the day in a short clip that I will soon post. But here, briefly, are my major takeaways from the day.

Changing Threats and Technologies

The threats to cybersecurity are extremely wide ranging across contexts and technologies, and the technologies are constantly and rapidly changing. Contrast the potential threats to national infrastructures from cyberwarfare with the threats to privacy from the Internet of Things, such as a baby with a toy that is online. The number of permutations of contexts and technologies is great.

The Complex Ecology of Actors

There is a huge and diverse set of actors and institutions involved in cybersecurity capacity building. There are: cybersecurity professionals; IT professionals; IT, software, and Internet industries; non-governmental organizations; donors; researchers; managers of governments and organizations; national and regional agencies; and global bodies, such as the World Economic Forum and the Internet Governance Forum. Each has many separate but overlapping roles and areas of focus, and each has a stake in global cybersecurity given the risks posed by malicious actors that can take advantage of global weaknesses.

One theme of our national cybersecurity reviews was that the multitude of actors within one country that were involved with cybersecurity often came together in one room for the very first time to speak with our research team. Cybersecurity simply involves a diverse range of actors at all levels of nations and organizations, and with a diverse array of relationships to the Internet and information and communication technologies, from professional IT teams and cybersecurity response teams to users. Developing a more coherent perspective on this ecology of actors is a key need in this area.

National and Regional Differences

Another clear theme of the day was the differences across the various nations and regions, including the obvious issues of the smaller versus larger nations in the scale of their efforts, but also between the low and high income nations. We heard cases of Somalia juxtaposed with examples from the UK and Iceland. And the range and nature of actors across these nations often differed dramatically, such as in the relevance of different global facilitating organisations, such as the World Bank.

Communication in So Many Words

Given this ecology of actors in a global arena, it might not be surprising that communication emerged as a dominant theme. It arose through many presentations and discussions of the need for awareness, coordination, collaboration (across areas and levels within nations, across countries, regions), as well as the need for prioritizing efforts and instruction and training, both of which work through communication. Of course, the conference itself was an opportunity for communication and networking that seemed to be highly valued.

What Can Be Done? Capacity Building

However, despite these technical, individual, and national differences, requiring intensive efforts to communicate, coordinate, and collaborate nationally, regionally, and globally, there were some common thoughts on what needs to be done. Time and again, speakers stressed the lack of any technical fix – or what one participant referred to as a silver bullet – to fix cybersecurity. And there was a general consensus that awareness campaigns that were basically fear campaigns did not work. Internet users, whether in households or major organizations, need instructions on what to do in order to improve their security. But doing nothing was not an option, and given the conference, it may not be surprising, but there did seem to be a general acceptance that cybersecurity capacity building was a set of instructions on a way forward. Our own research has provided empirical evidence that capacity building works, and is in the interest of every nation.**

A short video of the conference will give you a more personal sense of the international ecology of stakeholders and issues: https://vimeo.com/voicesfromoxford/review/322632731/ec0d5e5f9f 

Notes

*An overview of the first five years of the centre is available here: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/GCSCC%20booklet%20WEB.pdf 

**An early working paper is available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938078

 

 

 

Pick up the phone!

Ofcom reports that fewer people are using their mobile phones for making phone calls (Williams 2018). The use of smartphones for calls is declining while their use for texting, emailing, searching and using social media is rising. Clearly, this trend is not unique to the UK, nor is it simply limited to the use of smartphones. But I fear this interesting trend masks a more fundamental shift in communication: Put simply, more people are choosing not to speak with others – by phone or in person.

To illustrate, here is a typical conversation I would have with a former office assistant (OA) in my former university. She was a valued member of our team and went off for an exciting move when her husband was offered a better job. But here was a typical scenario:

Me: Has the approval for our research travel come through?

OA: No. I sent an email two days ago. No word yet.

Me: Could you check, and try to nudge them? We need to move ahead.

OA: OK. I’ll send another email.

Me: Maybe it would be easier if you just picked up the phone? Actually, the office is close – maybe you could pop in and speak to the grant officer.

OA: It’s easier to email, and she’ll see it.

Me: OK.

I stew for a moment and then walk the few minutes to the grant office, speak with the officer, and get the approval. All the time I am wondering why no one wants to simply pick up the phone or walk down the hall. Perhaps (undoubtedly) it is more efficient for the OA to email, but not for me waiting for approval. Perhaps the OA doesn’t want to disturb or interrupt the grant officer, but my work is effectively stalled. Am I simply being selfish or is my OA simply following a rational path that is not only the easy way but the contemporary way to do things?

Of course, this is a simple anecdote, but it happens so often that I cannot help but wonder how pervasive this style of communication is becoming. When I have shared this view with administrators, they acknowledge this as a growing pattern. And it is not just email, but also so-called enterprise platforms for conducting all sorts of financial, administrative, and personnel matters. Ask about health benefits, and I’m told to check or enroll on our enterprise business system. Of course, these systems are designed to permit fewer administrators to handle more personnel. But ironically, it might also lead to inefficiencies and ineffectiveness, such as sending an email rather than picking up a phone or speaking with the right person.

Maybe I am wrong. Video and voice over IP enables applications like Skype, Google Hangouts, and FaceTime that are permitting more interpersonal conversations to occur among people distributed around the world. And since the 1970s, when people expected electronic telecommunications to enable tradeoffs with travel, research has found that telecommunications tends to reinforce travel as we telecommunicate with those we meet with face-to-face before and after meetings. If we email someone, we are more likely to meet them face-to-face, and vice versa.

But I wonder if we have reached some tipping point where this might well be changing – a point when it is getting increasingly difficult to speak with anyone face-to-face or even on the phone.

Reference

Zoe Williams, ‘It’s so funny how we don’t talk any more’, The Guardian, Friday, 3 August 2018: 5.

 

 

Russian Hacking and the Certainty Trough

Views on Russian Hacking: In a Certainty Trough?

I have been amazed by the level of consensus, among politicians, the press and the directors of security agencies, over the origins and motivations behind the Russian hacking of the 2016 presidential election. Seldom are security agencies willing to confirm or deny security allegations, much less promote them*, even when cyber security experts vary in their certainty over the exact details. Of course there are many interpretations of what we are seeing, including speaking arguments that this is simply a responsible press, partisan politics, reactions to the President-elect, or a clear demonstration of what has been called, in a study of a thread of Israeli journalism, ‘patriotic’ journalism.** For example, you can hear journalists and politicians not only demonizing WikiLeaks founder Julian Assange, the messenger, but also arguing that those who do not accept the consensus are virtually enemies of the state.

One useful theoretical perspective that might help make sense of this unfolding display of consensus is the concept of the ‘certainty trough’, anchored in Donald MacKenzie’s research*** on missile systems and those who had different levels of certainty about their performance, such as their accuracy in hitting the targets they are designed to strike. He was trying to explain how the generals, for example, could be so certain of their performance, when those most directly involved in developing the missile systems were less certain of how well they will perform.

The figure applies MacKenzie’s framework to the hacking case. My contention is that you can see aspects of the certainty trough with respect to accounts of Russian hacking of John Podesta’s emails, which led to damaging revelations about the Democratic National Committee (DNC) and the Clinton Foundation during the election, such as in leading to Representative Debbie Wasserman Schultz’s resignation from her DNC post. On the one hand, there are security experts, most directly involved in, and knowledgeable about, these issues, with less certainty than the politicians and journalists about how sophisticated these hacks of an email account were, and whether they can attribute clear intentions to an ecology of multiple actors. At the other extreme, the public is the least knowledgeable about cyber security, and likely to have less certainty over what happened (see Figure). Put simply, it is not the case that the more you know the more certain you are about the facts of the case.

The upshot of this possibility is that the journalists and politicians involved in this issue should not demonize those who are less certain about who did what to whom in this case. The critics of the skeptics might well be sitting in the certainty trough.

References

*ICA (2017), ‘Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections’, Intelligence Community Assessment, 01D, 6 January: https://www.dni.gov/files/documents/ICA_2017_01.pdf

**Avshalom Ginosar, ‘Understanding Patriotic Journalism: Culture, Ideology and Professional Behavior’, see: https://www.academia.edu/20610610/Understanding_Patriotic_Journalism_Culture_Ideology_and_Professional_Behavior

***For Donald MacKenzie’s work on the certainty trough, see: http://modeldiscussion.blogspot.com/2007/01/mackenzies-certainty-trough-nuclear.html or his summary of this work in Dutton, W. H. (1999), Society on the Line. (Oxford: OUP), pages 43-46.

Books and the Internet in Prisons: Beyond the Right to Read

A British High Court justice has ‘struck down a ban on sending books to prisoners’, as reported by the NYT: http://www.nytimes.com/2014/12/06/world/europe/british-judge-lifts-restriction-on-books-in-prison.html A number of writers, poets and human rights advocates have been pressing for the right of prisoners to buy books from the ‘outside world’. Apparently the prison service had supported access to books, but only through the prison libraries or purchases through the prison service, as a security measure: to prevent the smuggling of other things into the prison, as we have all seen in popular films and television series. It seems to me that it is arguably worth the time and effort of searching packages sent to prisoners in order to enhance access to books. Surely the value of books in educating and supporting the rehabilitation of those in prison is a long-term payoff that offsets the cost of screening.

About a decade ago, I was introduced to an imaginative plan to enable limited access to the Internet from prison. There are a number of programs that enable limited access to electronic text messaging, for example, but by and large, this is a huge hurdle. Nevertheless, I hope advocates of this development are continuing to pursue schemes that might enable safe access to the Internet, such as for access to education and entertainment that could be as important as the right to read. I would like to hear of initiatives in this area, and wish them well.


Courtesy: http://marktanner.com/blog/the-internet-in-china-going-the-full-circle/