April 23rd, 2018
[Written by Quello’s Ruth Shillair and posted by Bill Dutton, with her permission]
I was honored to be selected as one of the 50 cybersecurity scholars from around the world to attend the annual global RSA cybersecurity conference. It is a gathering of 50,000 cybersecurity professionals and researchers held in San Francisco. The theme this year was “Now Matters” and cybersecurity issues are certainly something that we need to address “now” rather than in the future.
The overwhelming theme that I saw was that cybersecurity has gotten over the “silver bullet” fantasy. We realize there will be no killer app or magic formula that will ultimately solve cyber insecurities and protect networks, systems, and individuals from attack. The human factor has often been cited as the weakness of cybersecurity; however, it was refreshing to hear that many leaders are realizing that humans are also the strength and core of cybersecurity. Many sessions discussed how cybersecurity needs to be holistic, a long-term commitment, an imbedded culture and an overall mindset.
Chris Young, CEO of McAfee, spoke on the importance of building a cybersecurity culture, part of a “sustained cycle of measures, rewards, and advocacy.” Even though technical advances make systems stronger than ever, the attackers also are intelligent and adaptive, making it important for us to work as a team. He quoted Christopher Painter, former coordinator for cyber issues at the U.S. State Department, “The failure to ‘mainstream’ cyber issues into larger national security and policy debates has real consequences.” Mr. Young went on to compare the current Facebook issues to the Exxon of today. After the oil spills, people started to re-think the costs and benefits that cheap energy policies had on the overall environment. Even though cheap oil prices had caused a boom in the economy, there was a price to pay. Now, people are starting to re-think the costs and benefits of “free” social networking services that facilitate networking and the exchange of information. The surveillance economy has caused an economic boom also, but there are long-term implications that we are just beginning to understand.
This cybersecurity mindset takes a team mentality. Brad Smith, the president of Microsoft, used the metaphor of a crew rowing a boat together. Stakeholders need to learn to trust each other and communicate well in order to navigate the uncertain waters ahead. He also shared about the human impacts of the recent WannaCry ransomware attacks. This was a cyber-based, state-backed attack on citizens during a time of peace. It crippled the National Health Service in Great Britain, shutting off access to critical health records and blocking individuals from all but critical emergency care. As a result, Microsoft and many other companies are working together at unprecedented levels to help build resilience against similar attacks in the future.
The hundreds of possible sessions ranged from technical training on the latest penetration testing techniques to policy discussions. Several sessions discussed the implications of artificial intelligence and the growing concerns about how human bias and discrimination are magnified by these systems if not guided by policies and standards to protect individuals. An entire track of sessions was dedicated to the human dimensions of cybersecurity and the importance of policy. The recent congressional meetings with Mark Zuckerberg illustrated the challenge ahead to reach policy makers so they understand the basics of cybersecurity, privacy, and what can or can’t be done to help improve our current systems.
One of my favorite sessions was led by Bruce Schneier (Schneier on Security and of the Berkman Klein Center at Harvard University). He spoke of the urgency to build policy and regulations for the growth of the Internet of Things (IoT). It used to be that cybersecurity threats were ultimately losing control of files of data; now threats are physical, real and imminent. Instead of just attacking one self-driving car and taking it over, what will happen once hackers take control of all the self-driving cars of a particular make or model? He spoke of the complexity of keeping a device up to date as systems become compromised and updates may have unintended consequences. To check updates before rolling them out to car owners, car manufacturers will have to keep track of all the makes and models to test updates and make sure systems don’t fail as patches are rolled out. Beyond cars being basically computers on wheels, many of the devices in our homes and factories are now IoT devices. In today’s marketplace consumers have no idea which IoT devices are safe, have backdoors, or if they are even updatable. His upcoming book, Click Here to Kill Everybody, should be very interesting.
Overall, this conference was encouraging and overwhelming all at the same time. It was encouraging to see progress in viewing cybersecurity as a cultural and mindset issue rather than just a technical problem. It was encouraging to see so many young scholars, educators, and technologists working tirelessly to make the world a better place. It was discouraging to see so few women in the conference. Yes, there were special “Women in Cybersecurity” sessions, and there was some tremendous mentoring going on, but there are few women and minorities in this field. The telling point was during session breaks where the men’s bathrooms had long lines going down the hall, while at the same time the women’s bathrooms had no lines at all. However, seeing the mixture of young cybersecurity scholars I am hopeful that in the future we will see a representation that is more diverse, bringing with them the insights and experiences that will help build a cybersecurity mindset that can be widely embraced and core to our culture.
PhD Candidate and Quello Research Assistant
Faculty and staff of the Quello Center will be actively engaged in this year’s Telecommunication Policy Research Conference (TPRC). The following papers are on the schedule for the 45th TPRC Research Conference on Communications, Information, and Internet Policy, at George Mason University in Arlington, Virginia:
“Social Shaping of the Politics of Internet Search and Networking: Moving Beyond Filter Bubbles, Echo Chambers, and Fake News,” by William H. Dutton and Bianca C. Reisdorf (presenter), Quello Center, Michigan State University; Elizabeth Dubois, Department of Communication, University of Ottawa; and Grant Blank, Oxford Internet Institute, University of Oxford.
“Race and Digital Inequality: Policy Implications,” by C.H. Rhinesmith, Simmons College (presenter), and B.C. Reisdorf, Quello Center.
“Price-Cap Regulation of Firms That Supply Their Rivals,” Omar A. Nayeem, Deloitte Tax; and Aleksandr Yankelevich, Quello Center (presenter).
“Cyber Security Capacity: Does it Matter?” by William H. Dutton, Quello Center; Sadie Creese, Computer Science, Oxford University; Ruth Shillair, Quello Center (presenter); Maria Bada, Oxford Martin, University of Oxford; and Taylor Roberts, US Dept of Management and Budget.
“Regulating the Open Internet: Past Developments and Emerging Challenges,” by Kendall J. Koning, Department of Media and Information, Michigan State University (presenter); and Aleksandr Yankelevich, Quello Center.
We hope you can join the conference and provide feedback on our papers.
Charles Villanueva manages a “gigantic Cybersecurity Conference Directory which lists nearly a thousand events” – and this is truly incredible. So if you feel you can’t keep up with all the conferences, you are probably not alone. His URL is https://infosec-conferences.com/
The Quello Center is involved in a number of cybersecurity projects, including Oxford Martin’s Global Cyber Security Capacity Building Center at the University of Oxford. See: http://www.oxfordmartin.ox.ac.uk/cybersecurity
What is a cyber security mindset and why is it important?
Quello’s Professor of Media and Information Policy has just published an article in Internet Policy Review, a journal on Internet regulation, entitled ‘Fostering a Cyber Security Mindset’. It seeks to introduce the concept and suggest ways in which research on who has such a mindset and what difference it can make to cyber security can be furthered. It is available free online at: https://policyreview.info/articles/analysis/fostering-cyber-security-mindset
Dutton, William. (2017), ‘Fostering a Cyber Security Mindset’, Internet Policy Review, 6(1): DOI: 10.14763/2017.1.443
Ruth Shillair is joining the Quello Center’s research team as a Research Assistant in this Spring Semester to support our work on cybersecurity, which is linked to the Oxford Global Cyber Security Capacity Center (GCSEC). She is working with Bill Dutton on an analysis that builds on his concept of a cyber security mindset and another analysis that focuses on the outcomes of national cyber security capacity building: Can we see capacity having a positive, independent impact on cyber security?
Ms. Shillair is a doctoral student in the Media and Information Department at MSU. Her research has focused on cyber security, such as in working with the Online Safety for the Ages (OSA) project with Professors Bob LaRose, Nora Rifkin, Saleem Alhabaash, and Sheila Cotten, which focuses on generational differences in online safety behaviors, particularly in the area of online banking.
Ruth has been recognized at MSU, such as in being awarded with one of the Department’s PhD Academic Merit Awards, and an ‘outstanding doctoral student research’ award. She also participated in the Oxford Internet Institute’s (OII) Summer Doctoral Program (SDP). As Bill Dutton, Director of the Quello Center noted: “We are very lucky to have Ruth onboard as her expertise in cyber security and quantitative analysis is going to help us leap ahead on our cyber security research.”