Engaging Academia in Cybersecurity Research

Engaging Academia in Cybersecurity Research 

Across most academic fields, researchers are increasingly focused on outreach to relevant practitioner and policy communities. It can sharpen their sense of the key questions but also enable their research to have greater application and impact. In contrast, within the field of cybersecurity, policy and practitioners from governmental, non-governmental organizations (NGOs), like the World Bank, and business and industry are more dominant in the production of research. Academic researchers play a relatively less active role. That said, research on cybersecurity could be greatly enhanced if a larger and more multidisciplinary collection of academic researchers could be engaged to focus on issues of cybersecurity and build collaborative relationships with the policy and practitioner communities. 

Why is this the case, and what could be done to correct it? 

Courtesy Arthur Berger

The Dynamics Limiting Academia’s Role in Cybersecurity

I am but one of a growing set of multidisciplinary researchers with a focus on cybersecurity. The field is clearly engaging some top researchers and scholars from a variety of fields, evidenced by colleagues and centers at prominent universities, a growing number of journals and publications, and a dizzying number of events and conferences on topics within the field. Stellar academics, such as Professor David Clark at MIT, Professor Sadie Creese at Oxford University, and Bruce Schneier, a Fellow at the Berkman Center at Harvard, are strong examples. I would add Gabriella Coleman, a chaired professor at McGill University, and Professor Patrick Burkart at Texas A&M, to the list, even though they might not identify themselves as cybersecurity researchers. Many others could be added.  

Nevertheless, compared with other fields, cybersecurity research appears to be dominated more by the practitioner and policy communities. Cybersecurity is not a discipline but a multidisciplinary field of study. But it remains less multidisciplinary and more anchored within the computer sciences than some related fields, such as Internet studies as one comparator with which I am familiar. A number of possible explanations for the different multidisciplinary balance of this field come to mind. 

First, it is a relatively new field of academic research. It was preceded by studies of computer security, which were more computer science centric as they were more focused on technical advances in security systems. The development of shared computing systems and the Internet in particular, has greatly expanded the range of users and devices linked to computer systems, reaching over 4 billion users in 2020. In many respects, the Internet drove the transition from computer security to cybersecurity research and is therefore understandably young in relation to other academic fields of study. 

Secondly, the concept of cybersecurity carries some of the baggage of its early stages. While the characterisations evoked by concepts are often crude, the term often conjures up images of men in suits employed by large institutions trying to keep young boys out of their systems. My MSU colleague, Ruth Shillair, reminded me of the 1983 movie War Games. It is based around a young hacker getting into the backdoor of a major military computer system in ways that threatened to launch a world war, but which left the audience cheering for the young haker.

Today, big mainframe computers are less central than are the billions of devices in households and business and industry and governments across the world. Malicious users, rather than a child accidentally entering the backdoor of a military complex, are the norm. Yet cybersecurity carries some of this off-putting imagery from its early days into the present. 

Thirdly, it is an incredibly important field of research for which there is great demand. Many rising academics in the field of cybersecurity are snapped up by business, industry and governmental headhunters for lucrative positions rather than by academia. 

These are only a few of many reasons for the relative lack of a stronger multidisciplinary research community. Whatever initiatives might enhance its multidisciplinary make-up might also bring more academics as well as more academic disciplines into the study of cybersecurity. How could this be changed?

What Needs to Be Done?

First, academics involved with research on cybersecurity need to do more to network among themselves. This is somewhat of a chicken and egg problem as when there are relatively few academics in a field it seems less important to network with each other. However, until the field comes together to better define the field and its priorities for research, it is harder for it to flourish. Similarly, there are so many pulls to work with practitioners and the policy communities in this area that academic collaboration may seem like a distraction. It is not, as it is essential for the field to mature as an academic field of study. 

Secondly, the field needs to identify and promote academic research on cybersecurity that address big questions with major implications for policy and practice. On this point, some of the research at Oxford’s Global Cyber Security Capacity Centre (GCSCC) has made a difference for nations across the world. For example, the research demonstrates that nations that have enhanced their cybersecurity capacity building efforts have made a serious improvement in the experiences of their nations’ Internet users.[1] But this work is one of many examples of work that is meeting needs in this new area of technological and organizational advances. 

Thirdly, national governments need to place a greater priority on building this field of academia along with building their own cybersecurity capacities. Arguably, in the long run, a stronger academic field in cybersecurity will help nations advance cybersecurity capacity, such as by creating a larger pool of expertise and thought leadership in this area. 

This would be possible through a number of initiatives, from simply taking a leadership role in identifying the importance of the field to encouraging the public research councils and other funding bodies to consider the development of grant support for multidisciplinary research on cybersecurity.

For example, the UK’s Economic and Social Research Council (ESRC) generated early funding for what became the Programme on Information and Communication Technologies (PICT). The establishment of PICT helped to draw leading researchers, such as the late Roger Silverstone, into the study of the social aspects of information and communication technologies. Such pump-priming helped put the UK in an early strategic international position in research on the societal aspects of the Internet and related digital media. 

What factors are constraining the more rapid and widespread development of this field? What could be done to accelerate and deepen its development?

There are a host of other issues around whether policy makers and practitioners would value collaboration with academics, given that their time scales and methodologies can be so dramatically different.[2] That is for another blog, but in the interim, I’d value your thoughts on whether you agree on the need and approaches to further develop the multidisciplinary study of cybersecurity within academia.

Notes


[1] See: Creese, S., Shillair, R., Bada, M., Reisdorf, B.C., Roberts, T., and Dutton, W. H. (2019), ‘The Cybersecurity Capacity of Nations’, pp. 165-179 in Graham, M., and Dutton, W. H. (eds), Society and the Internet: How Networks of Information and Communication are Changing our Lives, 2nd Edition. Oxford: Oxford University Press.

[2] My thanks to Caroline Weisser Harris for suggesting a focus on this question of why practitioners and policy makers might or might not value collaboration with academia. 

Cultural and Social Dimensions of Cybersecurity

I have been working over the past years with Oxford’s Global Cyber Security Capacity Centre (GCSCC), which is associated with the Oxford Martin School and Department of Computer Science at Oxford, as well as several other departments, including the OII, and Saïd Business School. My own work has been focused on bringing the social sciences into the discussion, primarily by directing work on the cultural and social dimensions of cybersecurity.

Bill courtesy of Voices from Oxford (VOX)

I happened across a video we produced years ago in which I sought to address some of the questions in this area of cybersecurity. It is available here: https://www.oxfordmartin.ox.ac.uk/cyber-security/responsible-cyber-culture/

There are also a few articles I’ve written, often with others, on aspects of these social and cultural dimensions, including:

Dutton, W. H., Creese, S., Shillair, R., and Bada, M. (2019). Cyber Security Capacity: Does It Matter? Journal of Information Policy, 9: 280-306. doi:10.5325/jinfopoli.9.2019.0280

Creese, S., Shillair, R., Bada, M., Reisdorf, B.C., Roberts, T., and Dutton, W. H. (2019), ‘The Cybersecurity Capacity of Nations’, pp. 165-179 in Graham, M., and Dutton, W. H. (eds), Society and the Internet: How Networks of Information and Communication are Changing our Lives, 2ndEdition. Oxford: Oxford University Press. An earlier version of this book chapter was presented at the TPRC conference and available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938078

Dutton, W. H., and GCSCC (2018), ‘Collaborative Approaches to a Wicked Problem: Global Responses to Cybersecurity Capacity Building’, February. Notes on the 2018 Annual GCSCC Conference, Oxford University: Available online at: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/GCSCC%20Annual%20Conference%202018%20Output%20180508%20.pdf

Dutton, W. (2017), ‘Fostering a Cyber Security Mindset’, Internet Policy Review, 6(1): DOI: 10.14763/2017.1.443 Available at: https://policyreview.info/node/443/pdf. An abridged version was reprinted in Encore, a publication of The Alexander von Humboldt Institute for Internet and Society (HIIG), forthcoming in 2018. https://www.hiig.de/en/fostering-cybersecurity-mindset/

Bauer, J., and Dutton, W. H. (2015), “The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet’, Joint Working Paper for the Global Cyber Security Centre at the University of Oxford, and the Quello Center, Michigan State University. Available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2614545

Dutta, S., Dutton, W. H. and Law, G. (2011), The New InternetWorld: A Global Perspective on Freedom of Expression, Privacy, Trust and Security Online: The Global Information Technology Report 2010-2011. New York: World Economic Forum, April. Available at SSRN: http://ssrn.com/abstract=1810005

Cybersecurity and the Rationale for Capacity Building: Notes on a Conference

The fifth annual conference of Oxford’s Global Cyber Security Capacity Centre (GCSCC) was held in late February 2019 at the Oxford University’s Martin School. It engaged over 120 individuals from the capacity building community in one full day of conference sessions, preceded and followed by several days of more specialized meetings.*

The focus of the conference was on taking stock of the last five years of the Centre’s work, and looking ahead to the next five years in what is an incredibly fast moving area of Internet studies. So it was an ideal setting for reflecting on current themes within the cybersecurity and capacity building community. The presentations and discussions at this meeting provided a basis for reflections on major themes of contemporary discussions of cybersecurity and how they come together in ways that reinforce the need for capacity building in this area.

The major themes I took away from the day concerned 1) changing nature of threats and technologies; 2) the large and heterogeneous ecology of actors involved in cybersecurity capacity building; 3) the prominence of cross-national and regional differences; and 4) the range and prevalence of communication issues. These themes gave rise to a general sense of what could be done. Essentially, there was agreement that there was no technical fix to security, and that fear campaigns were ineffective, particularly unless Internet users are provided instructions on how to respond. However, there was also a clear recommendation not to throw up your hands in despair, as ‘cybersecurity capacity building works’ – nations need to see capacity building as a direction for their own strategies and actions.

Bill courtesy of Voices from Oxford (VOX)

I’ll try to further develop each of these points, although I cannot hope to give justice to the discussion throughout the day. Voices from Oxford (VOX) has helped capture the day in a short clip that I will soon post. But here, briefly, are my major takeaways from the day.

Changing Threats and Technologies

The threats to cybersecurity are extremely wide ranging across contexts and technologies, and the technologies are constantly and rapidly changing. Contrast the potential threats to national infrastructures from cyberwarfare with the threats to privacy from the Internet of Things, such as a baby with a toy that is online. The number of permutations of contexts and technologies is great.

The Complex Ecology of Actors

There is a huge and diverse set of actors and institutions involved in cybersecurity capacity building. There are: cybersecurity professionals, IT professionals, IT, software, and Internet industries; non-governmental organizations; donors; researchers; managers of governments and organizations; national and regional agencies; and global bodies, such as the World Economic Forum and the Internet Governance Forum. Each has many separate but overlapping roles and areas of focus, and each has a stake in global cybersecurity given the risks posed by malicious actors that can take advantage of global weaknesses.

One theme of our national cybersecurity reviews was that the multitude of actors within one country that were involved with cybersecurity often came together in one room for the very first time to speak with our research team. Cybersecurity simply involves a diverse range of actors at all levels of nations and organizations, and with a diverse array of relationships to the Internet and information and communication technologies, from professional IT teams and cybersecurity response teams to users. Developing a more coherent perspective on this ecology of actors is a key need in this area.

National and Regional Differences

Another clear theme of the day was the differences across the various nations and regions, including the obvious issues of the smaller versus larger nations in the scale of their efforts, but also between the low and high income nations. We heard cases of Somalia juxtaposed with examples from the UK and Iceland. And the range and nature of actors across these nations often differed dramatically, such as in the relevance of different global facilitating organisations, such as the World Bank.

Communication in So Many Words

Given this ecology of actors in a global arena, it might not be surprising that communication emerged as a dominant theme. It arose through many presentations and discussions of the need for awareness, coordination, collaboration (across areas and levels within nations, across countries, regions), as well as the need for prioritizing efforts and instruction and training, both of which work through communication. Of course, the conference itself was an opportunity for communication and networking that seemed to be highly valued.

What Can Be Done? Capacity Building

However, despite these technical, individual, and national differences, requiring intensive efforts to communicate, coordinate, and collaborate nationally, regionally, and globally, there were some common thoughts on what needs to be done. Time and again, speakers stressed the lack of any technical fix – or what one participant referred to as a silver bullet – to fix cybersecurity. And there was a general consensus that awareness campaigns that were basically fear campaigns did not work. Internet users, whether in households or major organizations, need instructions on what to do in order to improve their security. But doing nothing was not an option, and given the conference, it may not be surprising, but there did seem to be a general acceptance that cybersecurity capacity building was a set of instructions on a way forward. Our own research has provided empirical evidence than capacity building works, and is in the interest of every nation.**

A short video of the conference will give you a more personal sense of the international ecology of stakeholders and issues: https://vimeo.com/voicesfromoxford/review/322632731/ec0d5e5f9f 

Notes

*An overview of the first five years of the centre is available here: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/GCSCC%20booklet%20WEB.pdf 

**An early working paper is available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938078

 

 

 

Russian Hacking and the Certainty Trough

Views on Russian Hacking: In a Certainty Trough?

I have been amazed by the level of consensus, among politicians, the press and the directors of security agencies, over the origins and motivations behind the Russian hacking of the 2016 presidential election. Seldom are security agencies willing to confirm or deny security allegations, much less promote them*, even when cyber security experts vary in their certainty over the exact details. Of course there are many interpretations of what we are seeing, including speaking arguments that this is simply a responsible press, partisan politics, reactions to the President-elect, or a clear demonstration of what has been called, in a study of a thread of Israeli journalism, ‘patriotic’ journalism.* For example, you can hear journalists and politicians not only demonizing WikiLeaks founder Julian Assange, the messenger, but also arguing that those who do not accept the consensus are virtually enemies of the state.

One useful theoretical perspective that might help make sense of this unfolding display of consensus is the concept of the ‘certainty trough’, anchored in Donald MacKensie’s research** on missile systems and those who had different levels of certainty about their performance, such as their accuracy in hitting the targets they are designed to strike. He was trying to explain how the generals, for example, could be so certain of their performance, when those most directly involved in developing the missile systems were less certain of how well they will perform. screen-shot-2017-01-07-at-15-21-25

The figure applies MacKenzie’s framework to the hacking case. My contention is that you can see aspects of the certainty trough with respect to accounts of Russian hacking of John Podesta’s emails, which led to damaging revelations about the Democratic National Committee (DNC) and the Clinton Foundation during the election, such as in leading to the resignation of Representative Debbie Wasserman Schultz’s DNC post. On the one hand, there are security experts, most directly involved in, and knowledgeable about, these issues, with less certainty than the politicians and journalists about how sophisticated these hacks of an email account were, and whether they can attribute clear intentions to an ecology of multiple actors. At the other extreme, the public is the least knowledgeable about cyber security, and likely to have less certainty over what happened (see Figure). Put simply, it is not the case that the more you know the more certain you are about the facts of the case.

The upshot of this possibility is that the journalists and politicians involved in this issue should not demonize those who are less certain about who did what to whom in this case. The critics of the skeptics might well be sitting in the certainty trough.

References

*ICA (2017), ‘Intellligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections’, Intelligence Community Assessment, 01D, 6 January: https://www.dni.gov/files/documents/ICA_2017_01.pdf

**Avashalom Ginosar, ‘Understanding Patriotic Journalism: Culture, Ideology and Professional Behavior’, see: https://www.academia.edu/20610610/Understanding_Patriotic_Journalism_Culture_Ideology_and_Professional_Behavior

***for Donald MacKensie’s work on the certainty trough, see: http://modeldiscussion.blogspot.com/2007/01/mackenzies-certainty-trough-nuclear.html or his summary of this work in Dutton, W. H. (1999), Society on the Line. (Oxford: OUP), pages 43-46.

Early International Impact of the Oxford Cybersecurity Capacity Center

The Global Cybersecurity Capacity Center at the Oxford Martin School is developing a model and the tools for nations to self-assess their levels of maturity in addressing cybersecurity. I am supporting the Principal Investigator, Professor Sadie Creese, and other co-principal investigators as an Oxford Martin Fellow.

Prof. Sadie Creese
Prof. Sadie Creese

Input from the project team and its international, expert advisory groups, has led to the refinement of a model that identifies key dimensions of cybersecurity, including cultural and other social as well as strategic, legal and technical aspects of a security context. My major focus has been on developing an instrument that will enable teams in particular nations to self-assess their maturity levels in ways that are methodologically sound and replicable.

As the model and associated instruments are being developed, the research team has been working with a variety of nations to help them assess their cybersecurity capacity. In each case, the Oxford project team has been collaborating with key organizations that have helped advise the project and support implementation of the model in a range of international settings.

To date, the team has visited a remarkable number of countries, which have worked with us to implement and help refine our model and indicators of capacity. The team has worked with the Organisation of American States (OAS), supported by the Inter-American Development Bank (IDB), to visit and review Jamaica and Colombia. The World Bank worked with us to review Armenia, Kosovo, Bhutan and Montenegro. The Commonwealth Telecommunications Organisation (CTO) supported our review of Uganda and Fiji. The UK Cabinet Office collaborated with us on a review of the United Kingdom. Indonesia’s Telkom University and the Ministry of Communication and Information Technologies helped with our review of Indonesia. The Government of the Netherlands, under the auspices of the Global Forum on Cyber Expertise (GFCE), worked with us on our review of Senegal. And the British Embassy in Tashkent is supporting our forthcoming review of Uzbekistan. These collaborations will provide valuable lessons for developing the tools and indicators for self-assessment in nations round the world.

In such ways, the Oxford Cybersecurity Capacity Center is having an incredible international impact even during these early stages of developing and refining the frameworks and tools for nations and other organizations to use in self-assessing and building their cybersecurity capacities.

More information about the project is available on the project’s online portal at: www.sbs.ox.ac.uk/cybersecurity-capacity