I have been working over the past years with Oxford’s Global Cyber Security Capacity Centre (GCSCC), which is associated with the Oxford Martin School and Department of Computer Science at Oxford, as well as several other departments, including the OII, and Saïd Business School. My own work has been focused on bringing the social sciences into the discussion, primarily by directing work on the cultural and social dimensions of cybersecurity.
There are also a few articles I’ve written, often with others, on aspects of these social and cultural dimensions, including:
Creese, S., Shillair, R., Bada, M., Reisdorf, B.C., Roberts, T., and Dutton, W. H. (2019), ‘The Cybersecurity Capacity of Nations’, pp. 165-179 in Graham, M., and Dutton, W. H. (eds), Society and the Internet: How Networks of Information and Communication are Changing our Lives, 2ndEdition. Oxford: Oxford University Press. An earlier version of this book chapter was presented at the TPRC conference and available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938078
Bauer, J., and Dutton, W. H. (2015), “The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet’, Joint Working Paper for the Global Cyber Security Centre at the University of Oxford, and the Quello Center, Michigan State University. Available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2614545
Dutta, S., Dutton, W. H. and Law, G. (2011), The New InternetWorld: A Global Perspective on Freedom of Expression, Privacy, Trust and Security Online: The Global Information Technology Report 2010-2011. New York: World Economic Forum, April. Available at SSRN: http://ssrn.com/abstract=1810005
The fifth annual conference of Oxford’s Global Cyber Security Capacity Centre (GCSCC) was held in late February 2019 at the Oxford University’s Martin School. It engaged over 120 individuals from the capacity building community in one full day of conference sessions, preceded and followed by several days of more specialized meetings.*
The focus of the conference was on taking stock of the last five years of the Centre’s work, and looking ahead to the next five years in what is an incredibly fast moving area of Internet studies. So it was an ideal setting for reflecting on current themes within the cybersecurity and capacity building community. The presentations and discussions at this meeting provided a basis for reflections on major themes of contemporary discussions of cybersecurity and how they come together in ways that reinforce the need for capacity building in this area.
The major themes I took away from the day concerned 1) changing nature of threats and technologies; 2) the large and heterogeneous ecology of actors involved in cybersecurity capacity building; 3) the prominence of cross-national and regional differences; and 4) the range and prevalence of communication issues. These themes gave rise to a general sense of what could be done. Essentially, there was agreement that there was no technical fix to security, and that fear campaigns were ineffective, particularly unless Internet users are provided instructions on how to respond. However, there was also a clear recommendation not to throw up your hands in despair, as ‘cybersecurity capacity building works’ – nations need to see capacity building as a direction for their own strategies and actions.
I’ll try to further develop each of these points, although I cannot hope to give justice to the discussion throughout the day. Voices from Oxford (VOX) has helped capture the day in a short clip that I will soon post. But here, briefly, are my major takeaways from the day.
Changing Threats and Technologies
The threats to cybersecurity are extremely wide ranging across contexts and technologies, and the technologies are constantly and rapidly changing. Contrast the potential threats to national infrastructures from cyberwarfare with the threats to privacy from the Internet of Things, such as a baby with a toy that is online. The number of permutations of contexts and technologies is great.
The Complex Ecology of Actors
There is a huge and diverse set of actors and institutions involved in cybersecurity capacity building. There are: cybersecurity professionals, IT professionals, IT, software, and Internet industries; non-governmental organizations; donors; researchers; managers of governments and organizations; national and regional agencies; and global bodies, such as the World Economic Forum and the Internet Governance Forum. Each has many separate but overlapping roles and areas of focus, and each has a stake in global cybersecurity given the risks posed by malicious actors that can take advantage of global weaknesses.
One theme of our national cybersecurity reviews was that the multitude of actors within one country that were involved with cybersecurity often came together in one room for the very first time to speak with our research team. Cybersecurity simply involves a diverse range of actors at all levels of nations and organizations, and with a diverse array of relationships to the Internet and information and communication technologies, from professional IT teams and cybersecurity response teams to users. Developing a more coherent perspective on this ecology of actors is a key need in this area.
National and Regional Differences
Another clear theme of the day was the differences across the various nations and regions, including the obvious issues of the smaller versus larger nations in the scale of their efforts, but also between the low and high income nations. We heard cases of Somalia juxtaposed with examples from the UK and Iceland. And the range and nature of actors across these nations often differed dramatically, such as in the relevance of different global facilitating organisations, such as the World Bank.
Communication in So Many Words
Given this ecology of actors in a global arena, it might not be surprising that communication emerged as a dominant theme. It arose through many presentations and discussions of the need for awareness, coordination, collaboration (across areas and levels within nations, across countries, regions), as well as the need for prioritizing efforts and instruction and training, both of which work through communication. Of course, the conference itself was an opportunity for communication and networking that seemed to be highly valued.
What Can Be Done? Capacity Building
However, despite these technical, individual, and national differences, requiring intensive efforts to communicate, coordinate, and collaborate nationally, regionally, and globally, there were some common thoughts on what needs to be done. Time and again, speakers stressed the lack of any technical fix – or what one participant referred to as a silver bullet – to fix cybersecurity. And there was a general consensus that awareness campaigns that were basically fear campaigns did not work. Internet users, whether in households or major organizations, need instructions on what to do in order to improve their security. But doing nothing was not an option, and given the conference, it may not be surprising, but there did seem to be a general acceptance that cybersecurity capacity building was a set of instructions on a way forward. Our own research has provided empirical evidence than capacity building works, and is in the interest of every nation.**
I have been amazed by the level of consensus, among politicians, the press and the directors of security agencies, over the origins and motivations behind the Russian hacking of the 2016 presidential election. Seldom are security agencies willing to confirm or deny security allegations, much less promote them*, even when cyber security experts vary in their certainty over the exact details. Of course there are many interpretations of what we are seeing, including speaking arguments that this is simply a responsible press, partisan politics, reactions to the President-elect, or a clear demonstration of what has been called, in a study of a thread of Israeli journalism, ‘patriotic’ journalism.* For example, you can hear journalists and politicians not only demonizing WikiLeaks founder Julian Assange, the messenger, but also arguing that those who do not accept the consensus are virtually enemies of the state.
One useful theoretical perspective that might help make sense of this unfolding display of consensus is the concept of the ‘certainty trough’, anchored in Donald MacKensie’s research** on missile systems and those who had different levels of certainty about their performance, such as their accuracy in hitting the targets they are designed to strike. He was trying to explain how the generals, for example, could be so certain of their performance, when those most directly involved in developing the missile systems were less certain of how well they will perform.
The figure applies MacKenzie’s framework to the hacking case. My contention is that you can see aspects of the certainty trough with respect to accounts of Russian hacking of John Podesta’s emails, which led to damaging revelations about the Democratic National Committee (DNC) and the Clinton Foundation during the election, such as in leading to the resignation of Representative Debbie Wasserman Schultz’s DNC post. On the one hand, there are security experts, most directly involved in, and knowledgeable about, these issues, with less certainty than the politicians and journalists about how sophisticated these hacks of an email account were, and whether they can attribute clear intentions to an ecology of multiple actors. At the other extreme, the public is the least knowledgeable about cyber security, and likely to have less certainty over what happened (see Figure). Put simply, it is not the case that the more you know the more certain you are about the facts of the case.
The upshot of this possibility is that the journalists and politicians involved in this issue should not demonize those who are less certain about who did what to whom in this case. The critics of the skeptics might well be sitting in the certainty trough.
The Global Cybersecurity Capacity Center at the Oxford Martin School is developing a model and the tools for nations to self-assess their levels of maturity in addressing cybersecurity. I am supporting the Principal Investigator, Professor Sadie Creese, and other co-principal investigators as an Oxford Martin Fellow.
Input from the project team and its international, expert advisory groups, has led to the refinement of a model that identifies key dimensions of cybersecurity, including cultural and other social as well as strategic, legal and technical aspects of a security context. My major focus has been on developing an instrument that will enable teams in particular nations to self-assess their maturity levels in ways that are methodologically sound and replicable.
As the model and associated instruments are being developed, the research team has been working with a variety of nations to help them assess their cybersecurity capacity. In each case, the Oxford project team has been collaborating with key organizations that have helped advise the project and support implementation of the model in a range of international settings.
To date, the team has visited a remarkable number of countries, which have worked with us to implement and help refine our model and indicators of capacity. The team has worked with the Organisation of American States (OAS), supported by the Inter-American Development Bank (IDB), to visit and review Jamaica and Colombia. The World Bank worked with us to review Armenia, Kosovo, Bhutan and Montenegro. The Commonwealth Telecommunications Organisation (CTO) supported our review of Uganda and Fiji. The UK Cabinet Office collaborated with us on a review of the United Kingdom. Indonesia’s Telkom University and the Ministry of Communication and Information Technologies helped with our review of Indonesia. The Government of the Netherlands, under the auspices of the Global Forum on Cyber Expertise (GFCE), worked with us on our review of Senegal. And the British Embassy in Tashkent is supporting our forthcoming review of Uzbekistan. These collaborations will provide valuable lessons for developing the tools and indicators for self-assessment in nations round the world.
In such ways, the Oxford Cybersecurity Capacity Center is having an incredible international impact even during these early stages of developing and refining the frameworks and tools for nations and other organizations to use in self-assessing and building their cybersecurity capacities.