CCC@AAAS2019 – Socio-technical Cybersecurity: It’s All About People

How does social science and government policy affect technology? That was the main question the Socio-technical Cybersecurity: It’s All About People scientific session attempted to answer at this year’s American Association for the Advancement of Science (AAAS) Annual meeting in Washington, DC.

The session was moderated by Computing Community Consortium (CCC) Director Ann Drobnis, and CCC Council Member Keith Marzullo (University of Maryland, College Park) was the discussant for the panel, which included participating speakers:

• Brian LaMacchia (Microsoft Research) highlighted the challenges in cybersecurity in the age of cloud and edge computing in his presentation Cyberspace: Enabling Trustworthy and Autonomous Agency;
• David Mussington (University of Maryland, College Park) discussed the necessity of increased education in cybersecurity for policy makers and the need to bolster congressional staff with cybersecurity experts in his presentation Cybercrime: The Need for Evidence-Based Policy;
• Rebecca Wright (Rutgers/Barnard) highlighted the impact that design and regulations can have on compromising and/or enhancing privacy and security in her presentation Misalignment of Incentives in a Complex Multi-stakeholder Setting.

During the Q&A portion of the session, Brian LaMacchia made the case for developing better autonomous detection systems in order to deal with the high volume of attempts of cyberattacks. According to Brian, there are nearly 30 million login attempts to Microsoft accounts from adversaries per day, far too many for human beings to monitor and respond to. In order to deal with this volume the computing community must improve machine learning and automation tools that can identify attacks and pass them on to a human being for more nuanced responses.

One audience member asked the panel about the shortage of qualified security experts in the workforce and what that will mean for the US in the next 5 years. Rebecca Wright made the case for developing training for current software engineers to improve their understanding of embedded security and privacy, and also argued for revamping the computer science curriculum to ensure that security is taught throughout and not only as a standalone topic. She also said the computing community needs to find ways to attract and retain more women and underrepresented minorities in cybersecurity careers, starting even at the K-12 level, in order to improve the workforce capacity of the future.

Another audience member asked what role can legislation play if it turns out that the incentives are wrong? In response, David Mussington argued that companies should be made liable to customers who have their information released in a data breach – the volume of data that exist on American citizens can cause real harm. He also discussed the potential benefits of passing national privacy protections similar to the European Union’s GDPR or California’s new online privacy law that would force companies to give consumers more information about how their data is being used. Mussington also argued the need for greater urgency in our response to cyberthreats and attacks; after all cybersecurity not only impact your Facebook page and bank account, but critical infrastructure like power plants and nuclear facilities. The last decade of trying and retrying the same approaches to policy have not yielded a more secure cyberspace and cyber threats are demonstrably worsening. Without concerted efforts to improve our capacity for security through automated tools, retraining programs, and innovative policy the problem of cybersecurity will continue to negatively impact the United States and its citizens.

For more information see the CCC@AAAS website.