Cybersecurity In Humanities And Social Sciences: A Research Methods Approach [1, 1st Edition] 1786305399, 9781786305398, 1119777569, 9781119777564

The humanities and social sciences have been interested in the cybersecurity object since its emergence in the security debate.


English, 235 pages, 2020


Cybersecurity in Humanities and Social Sciences

Cybersecurity Set coordinated by Daniel Ventre

Volume 1

Cybersecurity in Humanities and Social Sciences: A Research Methods Approach

Edited by

Hugo Loiseau, Daniel Ventre and Hartmut Aden

First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd, 27-37 St George’s Road, London SW19 4EU, UK

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

www.iste.co.uk

www.wiley.com

© ISTE Ltd 2020

The rights of Hugo Loiseau, Daniel Ventre, Hartmut Aden to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2020935380

British Library Cataloguing-in-Publication Data: A CIP record for this book is available from the British Library.

ISBN 978-1-78630-539-8

Contents

Introduction . . . ix
Daniel VENTRE, Hugo LOISEAU and Hartmut ADEN

Chapter 1. The “Science” of Cybersecurity in the Human and Social Sciences: Issues and Reflections . . . 1
Hugo LOISEAU
1.1. Introduction . . . 1
1.2. A method? . . . 4
1.3. Data? . . . 11
1.4. One or more definition(s)? . . . 16
1.5. Conclusion . . . 20
1.6. References . . . 21

Chapter 2. Definitions, Typologies, Taxonomies and Ontologies of Cybersecurity . . . 25
Daniel VENTRE
2.1. Introduction . . . 25
2.2. Definition . . . 27
2.2.1. What is a definition? . . . 27
2.2.2. Usefulness of definitions . . . 29
2.2.3. Rules for constructing definitions . . . 29
2.2.4. Definitions of cybersecurity . . . 32
2.3. Typology . . . 43
2.3.1. What is a typology? . . . 44
2.3.2. Usefulness of typologies . . . 44
2.3.3. Rules for the construction of typologies . . . 45
2.3.4. Cybersecurity typologies . . . 46
2.4. Taxonomy . . . 48
2.4.1. What is a taxonomy? . . . 48
2.4.2. Usefulness of taxonomy . . . 49
2.4.3. Rules for the construction of taxonomies . . . 49
2.4.4. Taxonomies of cybersecurity . . . 50
2.5. Ontologies . . . 51
2.5.1. What is ontology? . . . 52
2.5.2. Usefulness of ontologies . . . 53
2.5.3. Rules for construction of ontologies . . . 53
2.5.4. Cybersecurity ontologies . . . 54
2.6. Conclusion . . . 56
2.7. References . . . 57

Chapter 3. Cybersecurity and Data Protection – Research Strategies and Limitations in a Legal and Public Policy Perspective . . . 67
Hartmut ADEN
3.1. Introduction . . . 67
3.2. Studying the complex relationship between cybersecurity and data protection: endangering privacy by combating cybercrime? . . . 68
3.2.1. Potential tensions between cybersecurity and data protection . . . 69
3.2.2. Potential synergies between cybersecurity and data protection . . . 72
3.3. Methodological approaches and challenges for the study of cybersecurity – legal and public policy perspectives . . . 74
3.3.1. Legal interpretation and comparison as methodological approaches to the study of cybersecurity . . . 74
3.3.2. Public policy approaches to the study of cybersecurity . . . 77
3.3.3. Transdisciplinary synergies between legal and public policy perspectives . . . 78
3.4. Conclusion and outlook . . . 80
3.5. References . . . 81

Chapter 4. Researching State-sponsored Cyber-espionage . . . 85
Joseph FITSANAKIS
4.1. Defining cybersecurity and cyber-espionage . . . 85
4.2. Taxonomies of cyber-threats . . . 87
4.3. The structure of this chapter . . . 88
4.4. The significance of state-sponsored cyber-espionage . . . 90
4.5. Research themes in state-sponsored cyber-espionage . . . 94
4.6. Theorizing state-sponsored cyber-espionage in the social sciences . . . 98
4.7. Research methodologies into state-sponsored cyber-espionage . . . 104
4.8. Intellectual precision and objectivity in state-sponsored cyber-espionage research . . . 106
4.9. Detecting state actors in cyber-espionage research . . . 110
4.10. Identifying specific state actors in cyber-espionage research . . . 112
4.11. Conclusion: researching a transformational subject . . . 116
4.12. References . . . 118

Chapter 5. Moving from Uncertainty to Risk: The Case of Cyber Risk . . . 123
Michel DACOROGNA and Marie KRATZ
5.1. Introduction . . . 123
5.2. The scientific approach to move from uncertainty to risk . . . 124
5.3. Learning about the data: the exploratory phase . . . 126
5.4. Data cleansing . . . 128
5.5. Statistical exploration on the various variables of the dataset . . . 130
5.6. Univariate modeling for the relevant variables . . . 134
5.7. Multivariate and dynamic modeling . . . 139
5.7.1. A fast-changing environment: time dependency . . . 140
5.7.2. Causal relations . . . 143
5.7.3. Models for prediction . . . 147
5.8. Conclusion . . . 149
5.9. Acknowledgments . . . 151
5.10. References . . . 151

Chapter 6. Qualitative Document Analysis for Cybersecurity and Information Warfare Research . . . 153
Brett VAN NIEKERK and Trishana RAMLUCKAN
6.1. Introduction . . . 153
6.1.1. Previous research . . . 154
6.2. Information warfare and cybersecurity . . . 154
6.3. Researching information warfare and cybersecurity . . . 156
6.4. Qualitative research methodologies for information warfare and cybersecurity . . . 157
6.4.1. Clustering of documents . . . 159
6.4.2. Clustering of words . . . 159
6.4.3. Word frequencies and word clouds . . . 159
6.4.4. Text search and word trees . . . 159
6.4.5. Example use cases of qualitative document analysis . . . 160
6.5. An analysis of national cybersecurity strategies . . . 161
6.5.1. Selection process for the documents . . . 161
6.5.2. Analysis . . . 162
6.5.3. Discussion . . . 167
6.6. An analysis of the alignment of South Africa’s Cybercrimes Bill to international legislation . . . 169
6.6.1. Background to the documents . . . 169
6.6.2. Analysis . . . 170
6.6.3. Discussion . . . 174
6.7. An analysis of the influence of classical military philosophy on seminal information warfare texts . . . 176
6.8. Reflections on qualitative document analysis for information warfare and cybersecurity research . . . 177
6.9. Conclusion . . . 179
6.10. References . . . 180

Chapter 7. Anti-feminist Cyber-violence as a Risk Factor: Analysis of Cybersecurity Issues for Feminist Activists in France . . . 185
Elena WALDISPUEHL
7.1. Introduction . . . 185
7.2. Localization of an online field . . . 187
7.2.1. Online ethnographic work and empathy . . . 192
7.2.2. Cybersecurity issues of an online field . . . 193
7.3. Online–offline continuum . . . 194
7.4. Continuum between security and insecurity . . . 199
7.5. Conclusion . . . 204
7.6. References . . . 205

List of Authors . . . 211

Index . . . 213



Introduction

Introduction written by Daniel VENTRE, Hugo LOISEAU and Hartmut ADEN.

Why a methodology book?

Before the concept of cybersecurity was introduced, in the 1960s, computer security was referred to as the “protection of computer programs and data against unauthorized access” [PAY 83]. In the 1990s, the concept of “cybersecurity” emerged. This mainly refers to computer protection in its technical dimension, and some even see it as one of the major challenges for security policies for the coming decades: “One of the biggest challenges for strategic leaders in the 21st Century will be cyber security – protecting computers and the links between them” [JOH 95]. In much of the literature, “cyber” or “computer” technologies are first and foremost imperfect objects, which must be repaired to produce security. However, cybersecurity has a broader remit than computers: the security of cyberspace.

For the past 10 years or so, the human and social sciences (HSS) have been concerned with cybersecurity. Political [DEI 10, QUI 12, CAV 19], legal [GRA 04], strategic and economic readings have been proposed. Journals dedicated to the study of cybersecurity provide human and social science disciplines with spaces for discussing research from multiple viewpoints. These include the Journal of Cybersecurity (Oxford University Press)¹, the Journal of Cybersecurity Research (JCR)², the International Journal of Cybersecurity Intelligence and Cybercrime (IJCIC)³, the National Journal of Cyber Security Law⁴ and the Journal of Intelligence and Cyber Security⁵, to name a few. Most of these academic journals have only recently been founded. Cybersecurity, in any case, is in the process of becoming a fully fledged subject of research in the human and social sciences, if it has not already become this. Notwithstanding this observation, research still appears to be relatively scattered and heterogeneous, with each discipline within HSS grasping the issues and posing research questions based on its own approaches, using its own theoretical and methodological apparatus.

¹ https://academic.oup.com/cybersecurity/pages/About.
² https://clutejournals.com/index.php/JCR.
³ https://vc.bridgew.edu/ijcic.
⁴ http://stmjournals.com/Journal-of-Cybersecurity-Law.html.
⁵ https://www.academicapress.com/journals.

Our contribution to this wave of international cybersecurity productions will be a reflection on methodological aspects in the human and social sciences for cybersecurity research. This book therefore poses the following central question: what methods and theoretical tools can HSS researchers mobilize to address cybersecurity? This methodological dimension seemed essential to us for several reasons:

– Publications produced in recent years generally pay little attention to the methodological dimension. Research books and articles naturally address this methodological dimension in the formal framework of their development. However, they generally focus on the treatment of the subject matter of the particular publication. To date, there has been little effort to offer reflections centered on questions of methods and theories specific to the human and social sciences.

– The topic of cybersecurity can be confusing at first glance for young (and sometimes not so young) researchers. The purpose of cybersecurity seems to require mobilization and mastery of multiple fields of knowledge (that of the field specific to the HSS researcher, combined with knowledge of informatics, networks, communication, etc.). It is therefore a question of gathering knowledge that is essential to the researcher, thus a question of methodology.

– Once it has been defined, explained and deconstructed, cybersecurity will quickly appear as a complex object, with multiple components that will each be objects of research (cybercrime, cyberattacks, cyber threats, cyber risk, intelligence issues in cyberspace, etc.). Each of these objects may require specific knowledge, distinct theoretical frameworks and adapted methodologies. The chapters in this book eloquently demonstrate the complexity of the cybersecurity object.

– Moreover, another very important question arises when considering cybersecurity as being composite and complex: what can or should be the place of multidisciplinarity or interdisciplinarity in its study? As a discipline, cybersecurity is under two forms of pressure which are fertile for its development. The first is, of course, the willingness of researchers who see themselves as part of this discipline (in terms of knowledge, methods or techniques) to specialize in order to distinguish the cybersecurity object from the multitude of objects or dimensions that comprise it in the real world, as well as the ability to distinguish this field of research from other contiguous fields such as computer security, data protection and computer engineering. The second pressure is pushing the discipline to broaden its horizons towards HSS, since it is now accepted that cybersecurity is also a social phenomenon. This pressure thus pushes research towards interdisciplinarity or multidisciplinarity to take account of the human and social dimensions of cybersecurity.

– Is cybersecurity relevant to all HSS disciplines? This question implies that the human and social aspects of cybersecurity are potentially intersectional when the HSS address cybersecurity. In other words, theories, methods and analytical frameworks, as much as variables from psychology, anthropology, sociology or any other HSS discipline, can contribute in some way to explaining or understanding the phenomenon of cybersecurity. Mobilizing these different research tools and methodological heritages seems beneficial for an integrated analysis of cybersecurity and an unsuspected wealth of knowledge.

– What benefits does cybersecurity derive from its encounter with the human and social sciences?
The answer to this question is based on what characterizes the humanities and social sciences and what ultimately distinguishes them from other sciences. The main distinction lies in their ability to analyze complex human phenomena both qualitatively and quantitatively. As a result, a multitude of tools and methodological approaches exist and make it possible, in particular, to refine cybersecurity knowledge and to strongly qualify techno-determinism (or “solutionism” as Morozov calls it [MOR 14]). This dual qualitative and quantitative capacity enables the HSS to identify issues in cybersecurity in three ways. First of all, in a macro way, where the globality of the cybersecurity phenomenon is revealed in its structural, systemic and environmental aspects. For example, international geopolitics is being transformed by the importance of cybersecurity in international relations today [DOU 14]. Secondly, in a meso way, where decision-making processes, the roles of the different institutional actors and private organizations are highlighted. We need only think of the formulation of a foreign or defense policy that cannot disregard hybrid threats in terms of cybersecurity. Finally, in a micro way, where the uniqueness and particularity of this same cybersecurity phenomenon are observable in individual behavior or thought, such as the victim of a phishing campaign, for example. The contribution of HSS is also evident in its capacity to generate social debate on cybersecurity issues and to force the discipline to popularize its basic concepts. The transmission of knowledge and social awareness about cybersecurity issues is thus facilitated. Finally, it provides a context for cybersecurity-related problems or risks by giving historical depth to reflection or debate that would otherwise be impossible to find.

– A final question is, in our opinion, methodologically and theoretically necessary: is it necessary to mobilize pre-existing theoretical frameworks, or is it possible to envisage their renewal? The nature of the cybersecurity object certainly favors multidisciplinarity, but nevertheless creates two obstacles blocking its analysis. On the one hand, cybersecurity combines a technical dimension with a human dimension, which makes this a hybrid and complex research object, as mentioned above. Moreover, few theoretical or methodological frameworks currently exist to address the full human and technical dimensions of cybersecurity so as to gain a holistic or integrated perspective on cybersecurity. On the other hand, the speed of IT development (technical dimension) and the adoption of new technologies (human dimension) make existing analytical frameworks quickly obsolete.
These two obstacles must be taken into account in mobilizing existing theoretical frameworks, as well as, and more importantly, in developing new comprehensive analytical frameworks. In order to achieve this, a study on research methods and theoretical tools of the human and social sciences in the study of cybersecurity seemed necessary to us.

Contributions to the book

The seven chapters of this book offer different perspectives on particular aspects of cybersecurity and provide some answers to the various questions outlined above.


In his chapter, Hugo Loiseau discusses the scientificity of cybersecurity studies. This still needs to be defined and demonstrated in the human and social sciences. Among the abundance of research in cybersecurity, in all sciences combined, only a few studies are devoted to the methodological and scientific problems of this emerging discipline. Indeed, in the human and social sciences, from an epistemological point of view, studies on cybersecurity require methodological criticism to improve their scientificity and credibility in relation to computer sciences and engineering. In this chapter, research methods, access to data and the development of a cybersecurity discipline in the humanities and social sciences are thus assessed. The objective of this chapter is to lay the epistemological foundations for proposing an operationalizable definition of “cybersecurity” for the human and social sciences.

Daniel Ventre deals specifically with definitions of concepts and ways of expressing and grasping them. Definition, typology, taxonomy and ontology (grouped under the acronym DTTO) can be used to express cybersecurity, to represent it, understand it and draw its domain and its perimeter. The literature most often postulates that there is no consensus on DTTO. In this chapter, the author attempts to identify sufficiently strong and significant trends in each of the approaches to cybersecurity in order to study this premise.

Hartmut Aden analyzes tensions and synergies between cybersecurity and data protection from the perspective of legal science and public policy analysis, with a focus on the transdisciplinary links between the two. This shows that the combination of legal methods of interpreting norms emerging in the field of cybersecurity and qualitative and quantitative social science methods used for public policy analysis can contribute to a better understanding of the various facets of the tensions and synergies between cybersecurity and data protection.
Joseph Fitsanakis is interested in the methods, tools and theories that the researcher can mobilize and the specific obstacles that may be encountered in studying the challenges of State-sponsored cyber-espionage. He provides a survey of current research on the subject in the human and social sciences, focusing on the strategic, tactical and operational dimensions of the phenomenon. He identifies and discusses the relevant theoretical and conceptual tools to conduct this research.


Marie Kratz and Michel Dacorogna use quantitative methods to study and understand cybersecurity. Their chapter focuses on methodological aspects, illustrated by the operation of a database of the French Gendarmerie Nationale on cybercrime complaints recorded by their offices. Some tools and methods are described more exhaustively than others, whenever they can be accessed/understood by non-statisticians or whoever wishes to use them or at least understand their use.

Brett van Niekerk and Trishana Ramluckan’s chapter illustrates how qualitative research can be useful for cybersecurity research. It provides an analysis of cybercrime legislation and national cybersecurity strategies using the NVivo application. The objective of this chapter is to assess the relevance of a qualitative literature review for research on information warfare and/or cybersecurity.

Elena Waldispuehl looks at online anti-feminist violence from two angles. On the one hand, this chapter discusses the definition and issues of cybersecurity for feminist activists through their sense of online safety. On the other hand, it discusses the cybersecurity issues (cyber threats and prevention measures) that weigh on the researcher, who also identifies as a feminist in her research practices.

References

[CAV 19] CAVELTY M.D., EGLOFF F.J., “The politics of cybersecurity: Balancing different roles of the state”, St Antony’s International Review, vol. 15, no. 1, pp. 37–57, 2019.

[DEI 10] DEIBERT R.J., ROHOZINSKI R., “Risking security: Policies and paradoxes of cyberspace security”, International Political Sociology, vol. 4, no. 1, pp. 15–32, March 2010.

[DOU 14] DOUZET F., “La géopolitique pour comprendre le cyberespace”, Hérodote, vol. 1, nos 152–153, pp. 3–21, 2014.

[GRA 04] GRADY M.F., PARISI F., “The law and economics of cybersecurity: An introduction”, George Mason University School of Law, Working Paper Series, Paper 12, 2004.

[JOH 95] JOHNSEN W.T., JOHNSON II D.V., KIEVIT J.O. et al., The Principles of War in the 21st Century: Strategic Considerations, Department of Defense, U.S. Army War College, Carlisle Barracks, USA, August 1, 1995.

[MOR 14] MOROZOV E., Pour tout résoudre, cliquez ici : l’aberration du solutionnisme technologique, Limoges, Fyp éditions, 2014.

[PAY 83] PAYTON J., ASBURY A.J., “Computer security”, British Medical Journal, vol. 287, pp. 965–967, 1983.

Chapter 1. The “Science” of Cybersecurity in the Human and Social Sciences: Issues and Reflections

The scientificity of cybersecurity studies is yet to be demonstrated in the humanities and social sciences. Among the plethora of cybersecurity research, few studies are devoted to the methodological and scientific problems of this emerging knowledge. Indeed, from an epistemological point of view, cybersecurity studies require a methodological critique to improve their scientificity and credibility in relation to computer science and engineering. In this chapter, research methods, access to data and the contributions of the human and social sciences to cybersecurity studies are assessed. The objective of this chapter is to lay the epistemological foundations for an operationalizable definition of cybersecurity for the human and social sciences.

Chapter written by Hugo LOISEAU.

1.1. Introduction

How can human and social sciences (HSS) studies in cybersecurity claim to be scientific? Several answers to this question come to mind, and based on these, it is necessary to clarify the debate through an epistemological approach to the contribution of HSS to cybersecurity studies, particularly in terms of methodology, all within the framework of the empirical–analytical paradigm and post-positivism, both of which are currently dominant in science. Indeed, according to the principles of the scientific method advocated by these paradigms, it is the method used that distinguishes science from nonscience [NØR 08]. In order to make this distinction, the use of epistemology is unavoidable. The critical study of science enlightens us about the value and significance of science and its results. So, what is the scientific value of human and social sciences studies in cybersecurity?

It could be argued that the HSS perspective on cybersecurity is peripheral, if not unimportant, to the issues raised by this field. Risks and threats from cyberspace directly affect national security and public safety through the deep penetration of computer networks into societies and their reliance thereon. The first reflex of societies is therefore to militarize and securitize¹ these issues, and this is what the vast majority of states throughout the world has done. It could also be argued that HSS research results are very abstract and ideal compared to the results of computer science and engineering that propose concrete software or hardware “solutions” to cybersecurity issues. The contribution of HSS to cybersecurity would therefore be marginal since it would not be immediately applicable to urgent technical or technological problems. What HSS produces in cybersecurity would mobilize too many resources (social awareness, political will, legislative changes, mental representations, etc.) to be qualified as useful. Overall, the contribution of HSS to cybersecurity studies would contribute little to knowledge and its real-world application. In other words, the explanatory and practical scope of the research produced in cybersecurity by HSS would be weak. Moreover, in the cyber field in general, while Saleh and Hachour praise the merits of a multidisciplinary opening towards cyber-issues in HSS [SAL 12], Bourdeloie invites the community of HSS researchers to a vast epistemological effort for the positioning and constructive criticism of cyber-issues [BOU 14]. There is therefore a need for epistemological reflection on the place of HSS in cybersecurity studies.
Once this need is recognized, contemporary epistemology teaches us that the social and human sciences alternate between two references for scientificity, an external one in the natural sciences and an internal one for HSS [BER 12]. Cybersecurity studies are a prime example of the tension between these two references, which is revealed in the methodological preferences of researchers. For some, the causality of cyber phenomena can be demonstrated and explained, which is an external reference for scientificity where the possibility of issuing general laws is attainable (positivist approach). For others, by contrast, social actors and their behavior are more relevant scientifically, which is an internal reference for scientificity within the HSS, and they must be understood in all their subjectivities (constructivist approach and the related heterogeneity). The debate is not closed and can be seen in cybersecurity studies.

This rapid diagnosis may seem to show a lack of scientificity in HSS studies on cybersecurity, as epistemological issues are poorly addressed in the face of the immediate need for results on issues. A large part of the problem stems from the inability of HSS in cybersecurity studies to reach a level of internal scientificity sufficient to be considered scientific by the computer and engineering sciences, and therefore, by implication, socially credible to the research community that has developed a body of knowledge based on the reference of scientificity used by the natural sciences. In short, there is a lack of reflection on the epistemology of the HSS in relation to cybersecurity. Yet many research studies and research methods exist and are published under the name of science without any real epistemological contribution. And yet there is an astonishing similarity between cybersecurity and the phenomena analyzed by HSS. The nature of cybersecurity and cyber objects, like the vast majority of the objects of HSS, is characterized by hybridity, multi-causality, ephemerality, interpretative ambiguity, etc. Taking these common characteristics into account, we can therefore ask whether it is possible and even desirable to move from cybersecurity studies (essentially descriptive and empirical studies) to a science of cybersecurity (nomothetic and more theoretical studies) in which the HSS would be fully considered as contributors of research results meeting the principles of the scientific method. If this is not the case, then what is lacking in HSS to achieve a sufficient level of consideration both scientifically and socially?

This chapter will address this issue in three parts. The first will address the central question of the methodology used in the HSS to analyze the cybersecurity object. The second part will cover the thorny issue of the data available to the HSS for analyzing cybersecurity. The third part will present a proposed definition of cybersecurity that can be operationalized for and by the HSS in order to clarify the nature of the subject matter dealt with by the HSS. The real purpose of this chapter, beyond epistemological debates, is to reflect on the ideal framework within which cybersecurity studies in the HSS could reach the highest levels of scientificity, according to the rules of the art.

¹ Securitization corresponds to the idea of dealing, in political discourse, with an issue predominantly from the security angle, to the detriment of other angles (social, health, etc.). The “war on drugs” is a perfect example.

1.2. A method?

The humanities and social sciences are characterized by the diversity of methodological approaches they use for their analyses. The diversity of these methods corresponds to a necessity: that of the diversity and fragmentation of their object of research. For the social sciences, this object comes down to the social relationships that humans have with each other. For the social sciences together with the humanities, the scope of their analyses is even broader and represents everything that has to do with human beings. These sciences are also characterized by their disciplinary porosity within their own sciences, where interdisciplinarity (or multidisciplinarity) is the key to the validation of knowledge. The political phenomenon can be explained through the many sub-disciplines of political science, to take just one example. The same is true for all disciplines in the social sciences. The humanities are subject to the same interdisciplinarity. This porosity is also increasingly apparent at the fringes of the HSS. The human causes or consequences of biological, physical and technological phenomena are becoming central in the natural, computer and life sciences. We need only think of studies on global warming and its anthropogenic causes or of public health to be convinced of this. In short, in the HSS, there is not a precise core of well-circumscribed phenomena that would mobilize a community of researchers towards a growing accumulation of valid knowledge. HSS have arrived at this diversity through epistemological reflections that have, throughout the 20th and 21st centuries, highlighted the ontological differences of HSS in relation to other sciences. This has resulted in the development of a whole series of ethical, theoretical, methodological and etiological reflections on the objects of HSS. These objects are thus non-reproducible in time (we speak of the uniqueness of the object), which prevents the strict application of the experimental method.
They are also very limited in terms of predictability, and, to overcome this limitation, HSS research turns to comparative analysis and ex post research. They also correctly develop new criteria of scientificity that form a common epistemic space, according to Berthelot, and define them as a science in their own right [BER 12]. In other words, in HSS, a diversity of theories, methods and paradigms coexist within the same field of knowledge (human and social), to the benefit of the validity of the knowledge produced by disciplines, research programs and communities of researchers.

Without entering too much into this epistemological debate, and beyond the discussion on the very notion of criteria, the issues in HSS concerning the criteria of scientific validity can be summarized in the relevance of transposing criteria from the natural sciences to the social sciences (external reference) and especially how to adjust them to make them consistent with the specific nature of HSS (internal reference) [KEM 12]. For Proulx, generativity, i.e. the “…capacity for qualitative research to stimulate and participate in the production of new objects, new perspectives, new methods of gathering, etc…” [PRO 19 pp. 63–64] allows the debate to be decided. The generativity of research does not imply evaluating the value of research only on the basis of fixed, pre-existing and independent criteria. Instead, generativity proposes assessing the value of research based on its fertility, in terms of new ideas, new methods or new data or results generated [PRO 15 pp. 25–27]. In our view, cybersecurity studies, especially for the HSS, would deserve to be evaluated according to this generativity criterion, since it is from the diversity of methods, theories and knowledge relevant to cybersecurity that we can draw conclusions. This methodological diversity and these epistemological reflections are therefore a source of intelligibility and credibility for the HSS, as they demonstrate the added value of these sciences in traditional cybersecurity studies and their claim to scientificity. As Corbière and Larivière put it: “In a world of research that is becoming increasingly open and broad, it is becoming desirable to have an inclusive perspective, capable of integrating the contributions of various methodological approaches, while recognizing their own particularities.” [COR 14 p. 1] In our view, this is exactly the case for cybersecurity studies, which benefit from combining their research efforts in a multidisciplinary manner using a variety of research methods. 
In order to grasp the diversity of cyber phenomena, the HSS have developed an analytical corpus, concepts and representations that make it possible to theorize cyber-attacks, cyber operations, cybercrime, etc. Efforts
to establish a typology were made very early on by cybersecurity studies in order to name phenomena taking place in cyberspace and their consequences in reality [VEN 11]. In this sense, idiographic research or description of the observed phenomena, the first step in any emerging science, has been successfully undertaken. Logically, for the HSS, this emergence must first be descriptive, i.e. identify the cybersecurity object and its social and human specificity. This stage is already well underway and is producing interesting results that feed into scientific and political debates. The methodological threshold that remains to be crossed for HSS cybersecurity studies, in our opinion, lies in the development and relevant use of nomothetic methods, such as the comprehensive and explanatory approaches, in order to achieve the theorizing claim of the empirical–analytical paradigm. The use of these two research approaches thus reduces the tension between the two sources of scientificity discussed above. The first approach seeks to understand the cyber behavior of individual and collective social actors, while the second attempts to identify relevant and valid variables to form theories to be subjected to empirical verification. The scientific process then follows a sequence of trial and error to improve research protocols and knowledge. However, this requires valid data, the creation of a discipline and the development of a common definitional basis, as discussed below. The ultimate goal of this phase is to answer with confidence the fundamental epistemological question: “Do we know whether we know adequately what we claim to know?” [NØR 08]. In other words, this question allows a critical look at the scientific value of the methods used in HSS to analyze cybersecurity.
Figure 1.1 sets out the scientific process that filters observations, transforms them, in fact, operationalizes them into variables and links them into hypotheses that can form the basis of theories, which sometimes produce scientific laws. Cybersecurity studies are, in our opinion, where the dotted line is located, i.e. in the passage from variables to hypotheses. Of course, the teleological nature of such a graph must be qualified, as it is only used here to illustrate what is being said, knowing full well that this process is marked by major jolts and setbacks. Finally, this graph illustrates the magnitude of labor ahead for the HSS, in terms of explanatory work to reach a level of external scientificity equivalent to that of the natural and computer sciences.

Figure 1.1. From observations to scientific laws

From an epistemological point of view, the following stage of this emergence manifests itself through the development of proven HSS research methods in cybersecurity. The advantage is that cybersecurity studies can draw on the vast methodological heritage of the HSS to adapt it to its purposes. This stage involves a more subjectivist and sociological look, through the empirico-inductive (comprehensive) approach, to understand the motivations and behaviors of cybersecurity actors. The major contribution of the HSS to cybersecurity studies is found in this type of method. Indeed, these methods allow the development of concepts and variables with very strong internal validity, because they are anchored in social reality. This heuristic phase of observations and reflections precedes a confirmation phase to verify the validity of the hypotheses put forward [DEK 09]. In this subsequent step2, the concepts and variables studied are linked together in cause-and-effect relationships, in order to discover the explanatory factors and consequences of cybersecurity. Hypothetico-deductive methods put the different hypotheses in competition with reality and are validated, or not, by this test of facts. These hypothetico-deductive methods also allow, where ethically possible, the deployment of experimental or quasi-experimental research in the HSS. One problem remains, however, in applying this range of research methods. Indeed, how can we distinguish the individual from the community and vice versa? In other words, how can the agency-structure debate be resolved3 with these different methods? The simplest answer is to use qualitative analyses (for individuals or small groups of individuals) and quantitative analyses (for communities). Indeed, the phenomena arising from the vast field of observation of cybersecurity lend themselves advantageously to quantitative analyses (the number of cyber-attacks over a given period of time, the extent of the cyber threat, the amount of personal data leaked, the number of actors involved, etc.) as well as to qualitative analyses (the nature of the codes developed, whether militarized or not, the nature of the targets, the nature of the personal data compromised, the nature of the actors involved, etc.). As long as cybersecurity studies benefit from a substantial body of valid data and information, it is possible to choose the right methods, i.e. those adapted to the nature of the object, the state of the literature and the resources available to the researcher. This diversity of methods can be envisaged along two fundamental lines, making it easier to construct a typology of the methods commonly used in HSS. The first axis corresponds to qualitative and quantitative analyses. Quantitative analyses identify what is quantifiable and present in large numbers. Qualitative analyses, on the other hand, apprehend what is related to words, the nature of the phenomena observed and their context.

2 In this chapter, for lack of space, we will not deal with the abduction phase, which is between the heuristic phase and the confirmatory phase.
The contribution of the HSS, particularly with regard to qualitative analyses, is very important, in order to grasp the role of individuals, their interpretation of the meaning they give to their actions, as well as the role of institutions and the results of their actions. For example, in the HSS, a quantitative analysis could estimate the costs of a cyber-incident to industry or government [ROM 16]. A qualitative study, on the other hand, would seek to describe the objectives, the processes for formulating proposals, the roles assigned to each of the actors involved and the results of the negotiations for the governance of cyberspace within the United Nations Group of Governmental Experts on Information Security [HEN 19].

3 In other words, what is the predominant variable in explaining or understanding a social phenomenon? Is it the social actor, the social structure that surrounds it or the fusion of the two that is predominant?

The second axis distinguishes between hypothetico-deductive approaches (explanatory approach) and empirico-inductive approaches (comprehensive approach) and reflects the tension between explaining and understanding arising from the internal and external references of scientificity in HSS. These two axes cover the majority of research strategies that can be implemented in the HSS. They cover both individual and community interpretive efforts, as well as attempts to discover the causes of phenomena. Naturally, qualitative analyses are more common in empirico-inductive research, as they are deployed with individuals or small groups with the aim of interpreting behaviors. Therefore, in the lower left quadrant of Figure 1.2, there are many research strategies that can be used to achieve this goal.

Figure 1.2. Quantitative and qualitative approaches and empirico-inductive and hypothetico-deductive approaches in the human and social sciences

In the opposite quadrant (top right) are the quantitative and hypothetico-deductive methods used to identify trends and causalities between two cybersecurity phenomena or between other phenomena and cybersecurity. In the HSS, these methods mainly use correlational research strategies, discourse or content analysis and experimental or quasi-experimental research.

Of course, thanks to theoretical and methodological triangulation, taken in a broad sense, several crossovers, overlaps and convergences between quadrants or methods are allowed. This corresponds to mixed methods, located in the center of the graph, which take advantage of the crossover of qualitative and quantitative methods, analyses and data [PAQ 10]. This graph therefore provides a global picture of the possibilities of research methods available to the HSS in the study of cybersecurity. This design offers the advantage of being able to analyze cybersecurity at micro, meso (with mixed methods) and macro levels, according to the objectives of explaining or understanding phenomena. It also facilitates the triangulation of theories and research methods, as it marks out the universe of methodological possibilities with regard to these objects. However, a major problem remains in the use of this collection of research methods. It relates to the notion of Ceteris paribus sic stantibus, or in English, “all things otherwise equal”. In other words, cybersecurity studies must accept the existence of a gap between the analysis of reality at time X and reality at time X+1, since X is totally different from X+1, as cyberspace changes very rapidly [KAR 12]. Indeed, the context, the environment, i.e. cyberspace, is constantly changing, through the introduction of new technologies, new protocols, the arrival of new players or the transformation of existing players, or through the nature of the information that circulates, or through the transformation and ultra-rapid dissemination of information observed qualitatively by researchers. This has the consequence of very quickly invalidating any knowledge developed through a scientific process and makes research very difficult to reproduce. Cyberspace is therefore a very special field of research that needs to be explored.
The issue at stake is that every effect has a cause4, and cybersecurity and its study cannot escape this truth. This constraint therefore diminishes the possibility of achieving a complete and valid knowledge of cyberspace and cybersecurity for both the natural sciences and the HSS. In the face of this impasse, qualitative and comprehensive research finds all its relevance. Methodologically speaking, in summary, cybersecurity studies can and should navigate the four quadrants of the table and continue efforts to describe cybersecurity-related phenomena. Ideally, these studies would apply and refine all of these methods to achieve a high level of general knowledge, within the limits of what is possible, with the aim of providing scientifically informed recommendations and thus promoting the well-being of humankind, which is the ultimate goal of all science. One challenge remains, however, that of the validity of the data.

4 According to the principle ex nihilo nihil fit (nothing comes of nothing).

1.3. Data?

The implementation of research methods in all sciences requires access to information and data relevant to those sciences. This is the empirical basis on which the theoretical constructions that generally result from the application of the various research methods are built. According to Gauthier and Bourgeois, in scientific research, researchers must apprehend reality according to “an integral conception of the facts, on the refusal of the prior absolute and on the awareness of [their] own limits. [...] It is an objective quest for knowledge on factual issues” [GAU 16 p. 8]. In this respect, cybersecurity studies, and not only cybersecurity in the HSS, face two problems. The first is intrinsic to the nature of the object itself, i.e. the hidden aspect of the actors, their intentions and actions in cyberspace and, more specifically, in relation to threats to cybersecurity. The second issue is the privacy of data for cybersecurity studies. These data are of a private nature (personal data, strategic company information, national security data, etc.). They come from individuals, from the private and public sectors, and the vast majority of them are subject to the seal of confidentiality. Finally, very often, these data are analyzed by private cybersecurity companies in a contractual framework where the disclosure of information, which is very often sensitive, is greatly restricted. The quest for profit, not knowledge, is the main driver of this market, which encourages the appearance of conflicts of interest.
Taken together, these problems delay or impede improvements in cybersecurity, cyber resilience or post-incident de-escalation because the victim of the cyber-attack or cyber operation cannot know exactly what really happened, in the way that researchers do. However, there is a latent imprecision in the data (and consequently in the research results), even with large public surveys produced in a professional manner. For example, Statistics Canada recently conducted a
survey entitled: “Canadian Cyber Security and Cyber Crime Survey” [STA 18] covering the year 2017. “The purpose of the Canadian Cyber Security and Crime Survey is to collect data on the impact of cybercrime on Canadian businesses, including such aspects as investment in cyber security measures, cyber security training, the number of cyber security incidents and the costs associated with responding to these incidents.” [STA 18] To this end, Statistics Canada created and submitted a 35-question questionnaire to the information technology managers or senior managers responsible for computer and network security in the companies surveyed. The sample size was 12,597 Canadian companies, and the response rate was 86%. Among the 35 questions, several dealt with cybersecurity threats and digital risks related to cybercrime to Canadian businesses of all sizes. For example, question 22 asked:

“In your opinion, what was the method used to compromise cybersecurity? Select all that apply.
Incident(s) to disrupt or disfigure the business or its web presence
Incident(s) to steal personal or financial information
Incident(s) to steal money or to demand payment of a ransom
Incident(s) to steal or improperly use intellectual property or business data
Incident(s) to access unauthorized or privileged access areas
Incident(s) to monitor and track business activities
Incident(s) without known motive.” [STA 18]

The results generated by this question are misleading. First, asking this question assumes that the respondent is aware of the intentionality of the
cyber-attacker. However, HSS has long been aware of all the methodological pitfalls inherent in the intentionality of social actors and the difficulty of interpretation, due to the contextualization of social action and the construction of meaning for the actor. Second, this question also seems to misunderstand the implications of obfuscation (or impenetrable code) efforts during cyber-attacks. One of the main characteristics of a cyber-attack is precisely the inability of the victim to determine where the attack comes from and who exactly the attacker is. The latter blurs the tracks and undertakes “counter-forensic” measures in order to hide their identity, their equipment, their networks and their method. These measures therefore hamper the observability of cybersecurity phenomena. Finally, this question considers that the respondent has a complete and comprehensive view of all cybersecurity incidents in their company, disregarding the compartmentalization of company information and activities for security purposes. In sum, the question generates information and results that can be analyzed, in particular, because of the sample size, but the validity of these data is weak from a scientific point of view. Of course, this single question does not form the empirical basis of the entire study. Nevertheless, a very large number of such questions are found in HSS cybersecurity investigations. The problem is that this type of data or results is more about opinion than fact. It is therefore rather risky to build a scientifically valid analysis on such a low-quality empirical basis, regardless of the number of questions in the questionnaire. The question then becomes how to improve the quality and quantity of authentic data available to researchers. The first path of the solution returns, in part, to the previous section of this chapter.
Indeed, as illustrated in Figure 1.3, the use of different research methods and the publication of their results will generate back-and-forth movements between conceptualization and the field. This back and forth between theory and reality will allow more accurate identification and counting of these cybersecurity phenomena. As a result, the empirical base will be broadened, deepened and improved. In practice, to achieve this, it seems necessary to foster links between researchers (academic and private), victims of cybercrime, practitioners (public and private sectors) and governments at all levels in the field of cybersecurity. This is a second option. There is also a need to facilitate the flow of information with feedback on awareness-raising and the dissemination of good
cybersecurity practices. To this end, grounded theory seems to be a perfect example of the contribution of HSS to cybersecurity studies since it aims to: “inductively generate theorizing about a cultural, social or psychological phenomenon by progressively conceptualizing and relating valid qualitative empirical data.” [PAI 96 p. 184]

Figure 1.3. From conceptualization to field, from field to conceptualization

Essentially an empirico-inductive method, grounded theorizing “[…] allows a provisional formulation to understand the complexity of the phenomenon both at the conceptual level and at the empirical level of its situational settings. The method is a constant and progressive back and forth between data collected in the field and a theorization process.” [MÉL 13 p. 436] The use of this method seems promising for the study of cybersecurity in HSS, particularly in terms of the generation of evidence that can be used scientifically or politically, and therefore has high added value [MAU 19]. However, in order to do so, research needs a structure that can ensure its scientific production and scientific reproduction. This third avenue of solution is seen through the development of an academic discipline. According to Lévy and Lussault, a discipline is an:

“[…] institutional division of a body of knowledge that delimits a field in which the production of academic knowledge and the reproduction of the professional body of ‘scholars’ are carried out. By extension, a teachable school subject, defined by specific objects, methods and exercises.” [LEV 13 pp. 283–284] In the light of this definition, it is possible to see that, for the moment, the discipline of cybersecurity in HSS is merging into something less precise, such as Digital Humanities or Internet Studies. To our knowledge, there is currently no multidisciplinary humanities or social science academic discipline dedicated solely to the study of cybersecurity. There is no doctoral program from these two fields that ensures the replication of a faculty or research community dedicated to creating cybersecurity research programs. There is also no systematic production of research or publication of research results that would form a substantial body of scientific publications by the HSS, for the HSS and other sciences, from a basic research perspective, as well as for the practice communities concerned with cybersecurity, from an applied research perspective. These three findings, therefore, have a major impact on the generation of available and valid data published in serious scientific journals or disseminated in meta-databases that are accessible to HSS practitioners (such as the ICPSR database5, for example). Of course, the birth of a discipline is never clearly decided in reality, especially in HSS. Cybersecurity is no exception to this observation since, in general, the academic community has lagged behind practices in the field and the private sector in this area. The impact is even greater for HSS, as the need to understand the human dimension of cybersecurity is increasingly pressing. HSS scholars may claim to contribute to knowledge in this field and must generate data and research results to study cybersecurity.
Through the application of the methods and theories that populate its field of knowledge, HSS is therefore legitimate and credible in its contributions to the description, understanding and explanation of cybersecurity. Are individual initiatives and initial ad hoc collaborations leading to the birth of a cybersecurity discipline for HSS? This is desirable for both scientific and practical reasons. But is this feasible in the short or medium term? The question remains open.

5 See: https://www.icpsr.umich.edu/icpsrweb/.

In summary, for cybersecurity studies in general to become more scientifically sound, they need authentic, available and public data. To do this, the capacity for heuristic research from the public sector (universities, governments, etc.) must be increased in quality and quantity, to eliminate the current imprecision of available data and their privatization. Ideally, HSS cybersecurity researchers, organized in academic disciplines, could draw data with confidence from large international databases maintained by public non-profit organizations (e.g. public universities) and research communities from HSS research programs. These valid data not only promote the emergence of new methods or new research but also help to clarify the purpose of cybersecurity in the HSS.

1.4. One or more definition(s)?

The subject of cybersecurity in the HSS remains a mystery and therefore poses a problem of definition: what is cybersecurity for the HSS? In practical terms, that is, ontologically speaking, what is cybersecurity for the HSS? Answering this ontological question means identifying the object (or objects) by describing its components, and thus following the logic of the scientific process prescribed above. Discerning the object to be analyzed from the multitude of social and other phenomena empowers the research community to apply the different research methods at their disposal on a common and partly consensual basis. A simple answer to the question would see cybersecurity as security in cyberspace. This first answer, which is too simple, is difficult to operationalize because empirically it does not discriminate between the essential elements upon which the analysis is based. In other words, it leaves significant imprecision about what security is and what cyberspace is. Moreover, this response overlooks the growing intertwining of cyberspace and societies where offline and online relationships have become interdependent.
This is what Graham and Dutton call cyberization [GRA 14]. Finally, this first answer abandons the human aspects of cybersecurity, in favor of the technical and computer aspects, since security in cyberspace primarily and pragmatically means the security of computer networks. In fact, a more accurate answer would be that there is not one cybersecurity object exclusive to the HSS or exclusive to computer sciences, but rather a multitude of objects more or less close to the notion of
cybersecurity, which must be interpreted in the light of multidisciplinarity. The different chapters of this book clearly demonstrate this diversity. The legal and political aspects of cybersecurity, cyberspace espionage, Internet surveillance, cyberviolence, cyber insurance and cyberwarfare are treated as objects of cybersecurity in their own right, despite their great diversity or empirical disparity. In fact, these objects “exist” both in the virtual (cyberspace) and in the real world, and are likely to be dealt with through a descriptive approach. Their causes and consequences are human actions mediated by networked computers, which could be analyzed using a hypothetico-deductive approach. Finally, they would be based on a subjective projection of the individual and the community in cyberspace that can be explored through an empirico-inductive approach. A fertile tension nevertheless persists between the more technical fields (such as computer science or computer engineering) and the fields stemming from the “humanities” (sociology, political science, international relations, etc.), which proceed with different scientific methods and criteria, as has been demonstrated. Far from hindering the development of cybersecurity studies, these differences can be reconciled, in particular, around the definition of the very object on the basis of these fields of knowledge: cybersecurity. Inevitably, this complicates the definition of the object since it broadens, but unites, the possible field of investigation of this protean object. How then can this complexity be accounted for to make it intelligible in a definition? First of all, the technical and human aspects that characterize the duality of cybersecurity must be accounted for. Figure 1.4 shows this intelligible division of the cybersecurity object.
The objective is to reconcile methodological (hypothetico-deductive and empirico-inductive) and epistemological (external and internal epistemological references) tensions in the diversity of cybersecurity objects arising from its two main dimensions, technical and human. Cybersecurity, according to a definition that takes the human being into account, is understood as “a state of greater or lesser computer, software, network, individual and societal security” [LOI 16 p. 250]. “It is based on a holistic, layered conception of cyberspace that includes the different layers that make it up: physical, software, informational and human” [DUP 17]. The advantage of this definition is that it approaches cybersecurity as a state variable, not as an objective, intention or policy. It is therefore a state of greater or lesser cybersecurity at a specific time, and one which fluctuates: its state at time X is different from its state at time X+1. Based on valid data, this state is empirically observable, as is its opposite, cyber-insecurity. It can therefore be analyzed both through the scientific method in the sense used by the natural sciences and through the more interpretative methods of the HSS.

Figure 1.4. Human-centered definition of cybersecurity

Moreover, as with the research methods outlined above, the issue of quantity versus quality remains important to consider, as it is clearly manifested in the real world. For this reason, it seems appropriate to include in the proposed definition the more individual (or micro) aspects as well as the more collective (macro) aspects, in order to reflect adequately the reality that cybersecurity covers. In this broad definition of cybersecurity, the human and technical dimensions fit in advantageously, as they are more precise in terms of the objects to be studied. Finally, this definition takes account of the online–offline continuum, which cuts across its four dimensions, as shown in Figure 1.5. This figure should be read in relation to Figure 1.2. More precisely, independently of idiographic research, these two figures harmonize in the sense that their quadrants correspond. Thus, the human dimension of cybersecurity (on the left-hand side of the figure) is more amenable to analysis using empirico-inductive methods. The technical dimension (on the right-hand side of the figure) is more suitable for hypothetico-deductive research. Collective phenomena affecting cybersecurity (the top of the figure) call for quantitative analyses, whereas qualitative research is more suited to individual phenomena or small groups of individuals. Thus, the quadrant in the lower left corner of the figure corresponds to the fundamental contribution of the HSS to cybersecurity studies, since these human and individual phenomena can be analyzed by comprehensive and qualitative methods. They provide an account of the reality of cybersecurity through human experience and human interaction with or in cyberspace, in the light of the co-construction of knowledge and the interpretability of these interactions and experiences. This makes it easier to observe and interpret small-scale cybersecurity phenomena.

Figure 1.5. A broad definition of cybersecurity

In contrast (top right of the figure), technical and collective phenomena are best analyzed using hypothetico-deductive and quantitative methods. They use statistical approaches to describe and explain collective phenomena and identify trends or variables. This makes it possible to measure and observe cybersecurity phenomena on a large scale.


Cybersecurity in Humanities and Social Sciences

At the center of the figure is the online/offline continuum, which calls for triangulation of collection tools and information sources, triangulation of theories and methods, and triangulation of researchers or research teams using mixed methods [ROT 08 pp. 892–894]. The study of this continuum and of the phenomena or objects associated with it [ARU 15] using mixed methods allows us to conceptualize the contribution of multidisciplinarity to the complete analysis of cybersecurity, and thus also to cross a new threshold of scientificity. Indeed, the use of mixed methods brings to light the possible subjectivity of the researcher and their influence on the object of research within the framework of a probable reality, so as to stimulate methodological and epistemological reflection in cybersecurity studies [COR 14]. In summary, if one adds the methodological considerations just mentioned to the definition of cybersecurity initially presented, this gives a workable definition of cybersecurity with a high threshold of scientificity. In this respect, we can therefore define cybersecurity as a state of greater or lesser computer, software, network, individual and societal security that can be analyzed according to different approaches and methods that capture the individual uniqueness and collective plurality of the phenomenon, as well as the cross-cutting impact upon it of the online/offline continuum.

1.5. Conclusion

This chapter is the outline of an epistemological reflection on the scientific contribution of the HSS to cybersecurity studies. Much remains to be written on this vast subject at a time of strong and pressing social, governmental and scientific demand for a better understanding of cybersecurity. In order to set the scene for the debate, it is necessary to return to the central question of the chapter: in what way, and how, can the HSS contribute scientifically to the study of cybersecurity?
In order to raise their scientific threshold, they can do so first of all by using the diversity of proven research methods available to them. They can also contribute by generating valid and publicly available data. Finally, they can do so by means of an ontological reflection on the object or objects of cybersecurity. This chapter has accordingly provided a broad definition of cybersecurity, combined with the diversity of methods invoked and the need to generate valid data. The epistemological markers submitted in this chapter are quite ambitious, but they seem appropriate for increasing the scientificity of the HSS in cybersecurity studies.

The “Science” of Cybersecurity in the Human and Social Sciences


HSS research has been able to demonstrate, over the course of its history and through its methods, its usefulness in deepening our understanding of complex processes or phenomena, such as those arising from cybersecurity. It is also able to discover relevant variables that have not yet been identified, such as human, psychological or contextual variables. It is useful for exploring social phenomena when public policy, common sense and practice fail to provide satisfactory results. The HSS complement, and even fill in, what has gone unthought, and then temper the determinism arising from the natural sciences; this is particularly true in cybersecurity. Finally, such research is capable of generating knowledge when investigations cannot be carried out experimentally for practical or ethical reasons [MAR 89]. All of these elements, assessed against the criterion of generativity, are very favorable for giving credibility to the study of cybersecurity by the HSS. Moreover, the epistemological reflection in this chapter, as well as the methods and constraints outlined, demonstrate the advantages of an extensive definition of cybersecurity, which favors the construction of general knowledge that is scientifically or theoretically relevant, i.e. anchored in reality and having positive repercussions for actors in reality [BER 12]. It is an intellectual work in progress that needs to be critically evaluated. Questions also remain about the duality between subjectivity and objectivity, as well as about the principles and practices of research ethics that must be developed to address the purposes of the broad definition of cybersecurity proposed in this chapter.

1.6. References

[ARU 15] ARUNESH S., NGUYEN T.H., KAR D. et al., “From physical security to cybersecurity”, Journal of Cybersecurity, vol. 1, no. 1, pp. 19–35, 2015.

[BER 12] BERTHELOT J.-M. (ed.), Épistémologie des sciences sociales, Presses Universitaires de France, Paris, 2012.
[BOU 14] BOURDELOIE H., “Ce que le numérique fait aux sciences humaines et sociales : épistémologie, méthodes et outils en questions”, Tic & société, vol. 7, no. 2, pp. 19–34, 2014.

[COR 14] CORBIÈRE M., LARIVIÈRE N. (eds), Méthodes qualitatives, quantitatives et mixtes : dans la recherche en sciences humaines, sociales et de la santé, Presses de l’Université du Québec, Quebec, 2014.


[DEK 09] DE KETELE J.-M., ROEGIERS X., Méthodologie du recueil d’informations : fondements des méthodes d’observation, de questionnaire, d’interview et d’étude de documents, 4th ed., De Boeck, Brussels, 2009.

[DES 97] DESLAURIERS J.-P., KÉRISIT M., “Le devis de recherche qualitative”, in POUPART J. et al. (eds), La recherche qualitative : enjeux épistémologiques et méthodologiques, Gaëtan Morin, Cowansville, 1997.

[DUP 17] DUPÉRÉ S., “Les différentes couches composant le cyberespace”, in LOISEAU H., WALDISPUEHL E. (eds), Cyberespace et science politique : de la méthode au terrain, du virtuel au réel, Presses de l’Université du Québec, Quebec, 2017.

[GAU 16] GAUTHIER B., BOURGEOIS I. (eds), Recherche sociale : de la problématique à la collecte des données, 6th ed., Presses de l’Université du Québec, Quebec, 2016.

[GRA 14] GRAHAM M., DUTTON W.H. (eds), Society and the Internet: How Networks of Information and Communication are Changing Our Lives, Oxford University Press, Oxford, 2014.

[HEN 19] HENRIKSEN A., “The end of the road for the UN GGE process: The future regulation of cyberspace”, Journal of Cybersecurity, vol. 5, no. 1, pp. 1–9, 2019.

[KAR 12] KARPF D., “Social science research methods in internet time”, Information, Communication & Society, vol. 15, no. 5, pp. 639–661, 2012.

[KEM 12] KEMP S.J., “Constructivist criteria for organising and designing educational research: How might an educational research inquiry be judged from a constructivist perspective?”, Constructivist Foundations, vol. 8, no. 1, pp. 118–125, 2012.

[LEV 13] LÉVY J., LUSSAULT M., Dictionnaire de la géographie et de l’espace des sociétés, Belin, Paris, 2013.

[LOI 16] LOISEAU H., “L’humain, grand oublié du phénomène cyber? Pistes de réflexion pour la cybersécurité”, in GARON R. (ed.), Penser la guerre au futur, Presses de l’Université Laval, Quebec, 2016.

[MAR 89] MARSHALL C., ROSSMAN G.B., Designing Qualitative Research, Sage, Newbury Park, 1989.
[MAU 19] MAUNIER S., “Données probantes : quel rôle pour la recherche qualitative?”, Recherches qualitatives, vol. 38, no. 1, pp. 71–87, 2019.

[MÉL 13] MÉLIANI V., “Choisir l’analyse par théorisation ancrée : illustration des apports et des limites de la méthode”, Recherches Qualitatives – Hors Série, no. 15, pp. 435–452, 2013.

[NØR 08] NØRGAARD A.S., “Political science: Witchcraft or craftsmanship? Standards for good research”, World Political Science Review, vol. 4, no. 1, article 5, 2008.

[PAI 96] PAILLÉ P., “L’échantillonnage théorique. Induction analytique. Qualitative par théorisation (analyse). Vérification des implications théoriques”, in MUCCHIELLI A. (ed.), Dictionnaire des méthodes qualitatives en sciences humaines et sociales, Armand Colin, Paris, 1996.


[PAQ 10] PAQUAY L., CRAHAY M., DE KETELE J.-M. (eds), L’analyse qualitative en éducation, 2nd ed., De Boeck, Brussels, 2010.

[PRO 15] PROULX J., “Mathematics education research as study”, For the Learning of Mathematics, vol. 35, no. 3, pp. 25–27, 2015.

[PRO 19] PROULX J., “Recherches qualitatives et validités scientifiques”, Recherches qualitatives, vol. 38, no. 1, pp. 53–70, 2019.

[ROI 70] ROIG C., “La théorie générale des systèmes et ses perspectives de développement dans les sciences sociales”, Revue française de sociologie, XI-XII, special edition, pp. 47–97, 1970–1971.

[ROM 16] ROMANOSKY S., “Examining the costs and causes of cyber incidents”, Journal of Cybersecurity, vol. 2, no. 2, pp. 121–135, 2016.

[ROT 08] ROTHBAUER P.M., “Triangulation”, in GIVEN L.M. (ed.), The Sage Encyclopedia of Qualitative Research Methods, Sage Publications, Los Angeles, 2008.

[SAL 12] SALEH I., HACHOUR H., “Le numérique comme catalyseur épistémologique”, Revue française des sciences de l’information et de la communication, no. 1, 2012.

[STA 18] STATISTIQUE CANADA, Enquête canadienne sur la cybersécurité et le cybercrime, 15 October 2018, available at: https://www.statcan.gc.ca/fra/enquete/entreprise/5244.

[VEN 11] VENTRE D., Cyberattaque et cyberdéfense, Hermes-Lavoisier, Paris, 2011.

2 

Definitions, Typologies, Taxonomies and Ontologies of Cybersecurity

2.1. Introduction

On the national and international scene, cybersecurity is nowadays described as a major issue. Faced with the ever-increasing volume and seriousness of security incidents in cyberspace, states have equipped themselves with legal and technological instruments enabling them to organize the necessary responses. By legal means, they have not only designed the framework for sanctions but have also given the security forces the means to act. These means have been in place since the 1970s. And even if, at that time, we were not talking about “cyberspace” or “cybercrime” but about “computer crime” or “computer-related crime”, the challenges were no less great. This need for protection, anticipation and reaction was already essential. The story has not changed much since then. Society as a whole, its economy, its citizens, its businesses, its critical infrastructures, its administration and its government are exposed to cyberattacks whose power or intensity is such that they can disrupt their functioning and balance. The State is probably the major actor in coordinating the fight against these threats, which propagate through networks, because that fight requires comprehensive action and the involvement of many actors, and must be at once legal, technical, political, public and private, national and international.

Chapter written by Daniel VENTRE.


Although the concept of “cybersecurity” is now at the heart of national security and defense policies, its definition still raises problems today. Definitions are multiplying. To grasp the full meaning and scope of the concept, typologies, taxonomies and ontologies are also constructed. However, the concept seems to elude these just as much, allowing a very large number of possibilities – perhaps too many. This is the impression conveyed by the recurrent observation of a lack of consensus on definitions, typologies, taxonomies and ontologies (which we shall refer to in the rest of this chapter as DTTOs), i.e. on how to express the ideas contained in concepts and the relationships between them. DTTOs are essential tools that can be mobilized by different actors (academic researchers, industry, state administrations, etc.) to try to master concepts. All these actors use them and reformulate them according to their own cultures, knowledge, vocabularies and objectives. There is therefore a natural accumulation of definitions of cyberspace, cybersecurity, and the notions or concepts derived from them. The same can be said of typologies, taxonomies and ontologies. This chapter discusses the frequent assertion that “no one definition – or typology, taxonomy, ontology – exists” for cybersecurity. There are several reasons for this phenomenon. The objects, too complex and designating evolving phenomena, remain elusive. The composite nature of the concepts does not make them any easier to understand: here, we are faced with terms comprising a “cyber” prefix, itself subject to interpretation, attached to equally complex concepts (such as the notions of security, defense, space, domain, crime, etc.). The difficulties mount up. The lack of consensus may reflect the transversal nature of cyberspace, which occupies practically all sectors of activity and therefore calls for diverse representations or expressions of phenomena.
The lack of consensus is in itself a significant issue, because of the negative effects it may have. First of all, it may prevent dialogue, penalize communication between decision-makers, engineers, disciplines and professions, both nationally and internationally, and could even lead to disagreement or misinterpretation. Think of meetings between national cybersecurity officials who are unable to agree on a common definition of national cybersecurity. Lack of consensus would then be a brake on efficiency. There can be no large-scale coordinated fight without sharing, at the very least, a common definition of the phenomenon to be fought against [LAS 14]. How can we understand each other, get along, discuss or negotiate if we do not agree on common definitions? This lack of consensus would block the production of information and statistical data on the phenomena: in the absence of a shared definition of cybersecurity, it is difficult, for example, to compare expenditure on it (What should be counted? What is cybersecurity spending?) or to assess the extent and evolution of the phenomena. It would also be a hindrance for researchers seeking to formulate global theories [SHA 10]. At the strategic level, particularly in the field of defense, the lack of convergence on the definition of an act of cyberwar poses the risk of an escalation of inter-state tensions [LIN 17]. Conversely, the mere fact of reaching consensual DTTOs would remove many obstacles, ensuring a solid basis for dialogue, mutual understanding during negotiations, pooling of resources and definition of global security policies. However, consensus in the understanding of concepts does not guarantee the effectiveness of cybersecurity policies, any more than consensus on the policies themselves does. In this chapter, we will analyze the DTTOs of cybersecurity, in order to try to highlight the absence, or on the contrary the existence, of strong convergences. Can it really be said that there is no consensus? We will examine these instruments (definitions, typologies, taxonomies and ontologies) one by one, along with their theoretical modes of construction and their applications to the concept of cybersecurity. We will compare approaches and isolate some observations that we believe are significant in terms of how cybersecurity is understood and addressed. In our view, there are a few major trends which seem to us sufficient to speak of consensus, or at least to lay the foundations for it.

2.2. Definition

2.2.1. What is a definition?

We will retain the following formulation of a definition:

“To define, in the scientific sense of the word, is to condense a concept into a short and precise formula. This formula, however, is not easily found.
There is a great distance […] between feeling or conceiving and defining or expressing, especially when it comes to a large set of ideas and facts. It may very well be, and indeed it frequently happens, that the object of any branch of human knowledge is clearly and equally conceived by all those who cultivate it, and yet each of them expresses it in a different way. It is possible […] that an idea can be defined in the mind without having its exact definition in language […] a definition can never express the total internal essence of the concept, which is why science is a process of continuous renewal to arrive at a definition in accordance with the nature of the cognoscible, and it enters the states of our intellectual activity through intermediate stages…” [CAR 81]

The author of these words recalls the primary purpose of a definition (to condense), its form (precision and conciseness), the difficulty of the exercise and its limits. While a definition should be precise, it can nevertheless be multiple. A definition is therefore never definitive or unique. It is also the result of choices, expressing a concept from a particular angle. A definition is not a description: “The material for our judgments consists of individual representations and general ideas. Representations are described; ideas are defined. To describe is to determine the constituency of an individual; to define is to determine the constituency of an idea.” [LIA 73] According to the online dictionary of the Centre National de Ressources Textuelles et Lexicales (CNRTL)1, “to describe” consists of “representing in detail, in writing or orally, certain apparent features of an animate or inanimate being”2, while a “definition”, on the contrary, aims to determine the distinctive characteristics of a being3. The “apparent” features of description stand in contrast to the “characteristic” features of definition.
Examples include descriptions of organizations’ cybersecurity policies (to which descriptive criteria are applied) [AIC 17], descriptions of continuity plans to deal with an attack [CIG 18], descriptions of cybercrime incidents [BHA 17] and descriptions of cyber threats (based on factual data such as dates, volume of attacks, costs, geography, victims, evolution in time and space, modus operandi, etc.) [ENI 18].

1 https://www.cnrtl.fr.
2 https://www.cnrtl.fr/definition/décrire.
3 https://www.cnrtl.fr/definition/définition.


A definition answers the question “what is (cybersecurity)?”, while a description answers the question “how” (How is cybersecurity organized, or how does it work? How do attacks impact or affect society, systems, actions, etc.?) and calls for developments of a factual nature.

2.2.2. Usefulness of definitions

A definition has several functions. It serves to enlighten, to clarify, to remove ambiguities, to explain and to create a space for common discourse: “This is the great utility of defining names, to make it clear what they are about, so as not to argue unnecessarily over words, which one hears one way and the other hears the other way, as is so often done, even in ordinary discourse” [BAR 77]. “When writers are trying to explain an unfamiliar idea, they rely on definitions. All definitions attempt to explain or clarify a term” [NRO 19]. It associates a sequence of words with a single term that contains them all: “Often you can only get a distinct idea of a thing by using many words to describe it, and it would be unwise, especially in science books, to repeat this great sequence of words over and over again. That is why, having made the thing understood by all these words, one attaches to a single word the idea one has conceived, and this word takes the place of all the others” [BAR 77]. “A definition links a denomination to its conceptual content” [VEZ 09]. Making a definition is consubstantial with the creation of knowledge: “Socrates reminds us […] that the precondition for any thought, and therefore, a fortiori, for any action, is the search for the definition of the object under discussion. Definition is not an ancillary process but the essence of knowledge. To know is to know how to define what it’s all about” [COU 15].

2.2.3. Rules for constructing definitions

There are several categories of definitions, which differ in particular in their composition. Some of these categories are listed in Table 2.1.


Definition category, followed by its description:

Aristotelian: answers the question “What is an X?” The definition then takes the form: X is a kind of Y (here, we designate the genus, the general class to which X belongs) which has the characteristics a, b, c… (we identify what differentiates X from the other elements belonging to Y). This is also called an inclusive, logical or hyperonymic definition. [DES 01]

Conceptual: a conceptual definition “consists of a statement comprising a basic or inclusive term and propositions explaining the semantic features (differentiating and essential) of a notion.” [LAR 96]

Constructive: a constructive definition “tends to create a new concept by the very act of definition.” [KER 02]

Extended: a type of definition that combines formal and informal definition. [NRO 19]

Explanatory: “a definition which tends to reflect a concept ‘given in advance’ […] and which pre-exists […] the operation of definition itself” [KER 02]. The opposite of a constructive definition.

Formal: the type of definition found in dictionaries, glossaries, chapters and manuals. It is formal because it has a particular form, made up of three constituent elements: the term, the grammatical category (verb, noun, adjective, etc.) and the definition (see the paragraph below on the formalism of definitions). [NRO 19]

Hyperspecific (encyclopaedic): when the number of features goes beyond what is necessary; includes superfluous elements.

Hypospecific: when the number of characteristics stated is insufficient.

Informal: one that explains ideas or terms with the use of synonyms or antonyms [NRO 19]; composed of a synonymous paraphrase.

Lexicographic: “seeks to describe the meaning(s) (signified) of a lexical unit.” [VEZ 09]

Morphosemantic: reserved for compound or derivative words; defines only the affix or the compositional link. [DES 01]

Negative: defines a word by indicating what it is not.

Nominal: “Nominal definitions only allow us to designate an object by its characters, to distinguish one object from others. They are traditionally opposed to real definitions, which deal with the nature, the objective reality of things themselves.”4

Operational: describes what you need to do to…

Operatorial or by function: describes the unfolding of a phenomenon or a process.

By comprehension (intension): listing all the characters.

By extension: listing all the forms.

By generation: explains how things were formed. Example: “…is obtained by rotating…”

By inclusion: formed in two parts: the “inclusion”, which designates the general genus or category to which the object to be defined belongs, and the specific features of the object distinguishing it from other objects of the category.

Partial: definition of the type “X is a part of…” or “X is a set of…”

By example/by extension: giving examples.

Referential: “consists of a definition, either lexical or conceptual, followed by a development in the form of a description including the ancillary features of the concept.” [LAR 96]

Socratic: that which answers the (Socratic) question “What is…?”5 It takes a moral, philosophical and aesthetic stance, not on the terms but on the essence of things [WER 08].

Stipulative: indicates how the term will be used by the proposer of the definition, or how it should be used by others. The distinction between lexical and stipulative definitions can be difficult to make [HAN 06].

Terminological: “the aim is to describe and state a concept (or notion) designated by a term […] and to characterize it in relation to other concepts within an organized system (called a conceptual system).” [VEZ 09]

Table 2.1. Some types of definitions

This long, yet non-exhaustive, list illustrates the complexity and diversity of the categories of definitions that can be used to express concepts. These various forms of definition can sometimes be combined or intermingled (a definition can, for example, be both partial and operational or operatorial at the same time).

4 https://www.cnrtl.fr/definition/nominal.
5 https://faculty.washington.edu/smcohen/320/socdef.htm.

The online dictionary of the Centre National de Ressources Textuelles et Lexicales (CNRTL)6 recalls the essential features of a “definition”. The dominant idea, the CNRTL tells us, “is that of a boundary or set of lines that circumscribe an object”. A definition must precisely determine the limits of an object, the distinctive features of a being, the content of a concept. It “puts in equivalence a being to be defined, with a set of attributes that determine its essential characteristics”. A definition is generally composed of three parts [HAN 06]:
– the “definiendum”: the term to be defined;
– a connector (the defining connective);
– the “definiens”: that which defines it.
Several categories of definitions retain this tripartite structure. For Mal Shield [SHI 04], formal definitions in mathematics have such a structure. The example from [SHI 04] provides the following definition of “triangle”: “A triangle is a closed plane shape with three straight sides.” The three parts of the definition are as follows:
– the item (the subject, the theme, the object): the idea or concept to be defined (here, “triangle”);
– the class: the set or group to which the object belongs (here, “closed plane shape”);
– the characteristics: the elements that distinguish the object from all other objects in the class (“with three straight sides”).

6 https://www.cnrtl.fr/definition/définition.

2.2.4. Definitions of cybersecurity

Several studies have proposed a comparative study of the various definitions of cybersecurity available. We refer the reader to the ENISA study published in 2015 [ENI 15], to the article by Samantha A. Adams of the same year [ADA 15], and to the 2017 article by Daniel Schatz, Rabih Bashroush and Julie Wall [SCH 17]. Other documents provide compilations of cybersecurity-related definitions without comparative analysis (Tim Maurer and Robert Morgus, 2014 [MAU 14]). We have grouped together in Table 2.2 several definitions of cybersecurity7, classified by type of source: international organizations; online dictionaries; industry; academic research; government and state agencies. Within each of these categories, the publications are listed in chronological order.

Source

Year

Definition

1 – Organizations, associations, international bodies

UIT (ITU-T X.1025)

ISO/IEC JTC1/SC27 ITSecurity Techniques

Freedom Online Coalition (FOC)

ISACA

2008

“Cybersecurity is a set of tools, policies, security concepts, security guarantees, guidelines, risk management approaches, actions, training, best practices, insurance and technologies that can be used to protect the cyber environment, the organization and the user’s assets. Organizational and user assets include connected computing devices.”8

2012

“Preservation of the confidentiality, integrity and availability of information in cyberspace.” “Cybersecurity is about preserving – through legislation, policies, technology and education – the availability, confidentiality and integrity of information and its underlying infrastructure, so as to enhance the security of people online and offline.”

2015

“Cybersecurity is about preserving – through policies, technologies and education – the availability, confidentiality and integrity of information and its underlying infrastructure, so as to enhance personal security, both online and offline.” [BRO 17]

2016

“The protection of information assets by addressing threats to information processed, stored and transported by interconnected information systems.” [ISA 16]

7 It should be recalled that cybersecurity is subject to several spellings: “cybersecurity”, “cyber security” or “cyber-security”. 8 https://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx.

ENISA, 2016: “Cybersecurity refers to the security of cyberspace, where cyberspace itself refers to all the links and relationships between objects accessible via a generalized telecommunications network, as well as all objects with interfaces allowing their remote control, remote access to data, or participation in actions of control in this cyberspace.” [ENI 15]

ENISA, 2017: “Cybersecurity covers all aspects of prevention: prediction, tolerance, detection, mitigation, suppression, analysis and investigation of cyberincidents. Considering the different types of components of cyberspace, cybersecurity should cover the following attributes: availability, reliability, security, confidentiality, integrity, maintainability (tangible systems, information and networks), robustness, survivability, resilience (to support the dynamics of cyberspace), accountability, authenticity and non-repudiation (to support information security).” [ENI 17]

ICAO (civil aviation): “Cybersecurity encompasses the protection of electronic systems against malicious electronic attacks (unlawful interference) and the means to deal with the consequences of such attacks.”9

2 – Dictionaries, glossaries online

whatis.techtarget.com, 2019: “Cybersecurity is a set of technologies, processes and practices designed to protect networks, computers and data from unauthorized attacks, damage and access.”10

Merriam-Webster, 2019: “Cybersecurity refers to measures taken to protect a computer or computer system (such as on the Internet) from unauthorized access or attacks.”

Cambridge Dictionary, 2019: “Means of protecting computer systems against threats such as viruses.”11

Collins Dictionary, 2019: “The state of security against electronic crime and the measures taken to achieve it.”12

9 https://www.icao.int/cybersecurity/Pages/default.aspx.
10 https://whatis.techtarget.com/fr/definition/cybersecurite.
11 https://dictionary.cambridge.org/fr/dictionnaire/anglais/cybersecurity.
12 https://www.collinsdictionary.com/dictionary/english/cybersecurity.

3 – Industry

FSB (Financial Stability Board) members, 2017: “Cybersecurity is the praxis of protecting digital assets from connected threats.” [FSB 17]

Cisco, 2019: “Cybersecurity is about protecting systems, networks and programs from digital attacks.”13

Norton, 2019: “Cybersecurity is the state or process of protecting and restoring networks, devices and programs against any type of cyber-attack.”14

Kaspersky, 2019: “Cybersecurity is about defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. This is also known as information technology security or electronic information security. The term is applied in a variety of contexts, ranging from business computing to mobile computing, and can be divided into a few common categories.”15

4 – Academic research

[CRA 14], 2014: “Cybersecurity is the organization and collection of resources, processes and structures used to protect cyberspace and the systems activated in cyberspace from events that alter property rights.”

[ADA 15], 2015: “The protection of information and communication technologies against unauthorized access or attempted access.”

[GOU 15], 2015: Cybersecurity is defined as “the proactive and reactive process that aims to ideally dispel any danger to the confidentiality, integrity or availability of computers, networks and information that are an integral part of cyberspace, the conceptual space in which digitized and networked human and organizational activities take place.”

[FIN 16], 2016: “Cybersecurity lies in the technologies and processes designed to protect computers, hardware, software, networks and data from unauthorized access, as well as vulnerabilities provided over the Internet by cybercriminals, terrorist groups and hackers.”

13 https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html.
14 https://us.norton.com/internetsecurity-malware-what-is-cybersecurity-what-you-need-to-know.html.
15 https://www.kaspersky.com/resource-center/definitions/what-is-cyber-security.

5 – Government, state agencies

Qatar, 2014: “The set of tools, strategies, security concepts, security assurances, guidelines, risk management approaches, actions, training, best practices, certification and technologies that can be used to protect the cyber environment and the assets of the organization and users.” [MIC 14]

ANSSI (France), 2019: “A state sought for an information system that enables it to withstand events in cyberspace that may compromise the availability, integrity or confidentiality of data stored, processed or transmitted and the related services that these systems provide or make accessible. Cybersecurity uses information system security techniques and is based on the fight against cybercrime and the establishment of cyber defense.”16

NICCS (USA)17, 2018: “Activity or process, capability or means, or state by which information and communication systems and the information contained therein are protected and/or defended against damage, unauthorized use or modification, or intelligence.” [NIC 18]

NICCS (USA)18, 2018: “Strategy, policy and standards for security and operations in cyberspace, encompassing the full range of policies and activities relating to threat reduction, vulnerability, deterrence, international engagement, incident response, resilience and recovery, including the operation of computer networks, information security, law enforcement, diplomacy, military and intelligence missions with respect to the security and stability of the global information and communications infrastructure.” [NIC 18]

Gov. USA: “Process of protecting information and information systems by preventing, detecting and responding to unauthorized access, use, disclosure, disruption, alteration or destruction in order to ensure confidentiality, integrity and availability.” [USC 16]

NIST (USA), 2011: “The ability to protect or defend the use of cyberspace against cyber-attacks.” [BAL 18]

US DoD (Department of the Navy), 2017: “Damage prevention, protection and restoration of computers, electronic communications systems, electronic communications services, wire communications and electronic communications, including the information they contain, in order to ensure their availability, integrity, authentication, confidentiality and non-repudiation.” [DON 17]

ICTD (the Philippines), 2017: “Cybersecurity refers to the collection of tools, policies, risk management approaches, actions, training, best practices, insurance and technologies that can be used to protect the cyber environment and the assets of the organization and its users.” [DIC 17]

Saudi Arabian Monetary Authority, 2017: “Cybersecurity is defined as the set of tools, strategies, security concepts, security guarantees, guidelines, risk management approaches, actions, training, best practices, insurance and technologies that can be used to protect member organization information from internal and external attacks, threats.” [SAM 17]

U.S. Department of Defense Dictionary, 2017: “Measures taken in protected cyberspace to prevent unauthorized access to, use of, or damage to computers, electronic communications systems and other information technologies, including information platform technologies, and the information they contain, in order to ensure their availability, integrity, authentication, confidentiality and non-repudiation.” [DOD 19]

Gov. of Kuwait, 2017: “Cybersecurity is a set of tools, strategies, security concepts, security guarantees, guidelines, risk management approaches, actions, training, best practices, insurance and technologies that can be used to protect the cyber-environment as well as user and user assets.”

Gov. of Catalonia, 2018: “Cybersecurity comprises all physical, logical and administrative measures taken to digitally protect companies, people and systems against digital attacks against their devices, applications and data, which could compromise the confidentiality, availability and/or integrity of their data.” [CTI 18]

15 USC 7421: Definitions (Title 15 – Commerce and Trade, Chapter 100 – Cybersecurity Enhancement), 2019: “The full range of threat reduction, vulnerability, deterrence, international engagement, incident response, resilience and recovery policies and activities, including computer network operations, information security, law enforcement, diplomacy, military and intelligence missions related to the security and stability of the global information and communications infrastructure.”19

Table 2.2. Definitions of cybersecurity, grouped into five categories

16 French National Agency for the Security of Information Systems (ANSSI): https://www.ssi.gouv.fr/entreprise/glossaire/c.
17 This Department of Homeland Security (DHS) definition is the one used by the international experts who published the report “Cybersecurity. A generic reference curriculum” for NATO. The report also adopts the definition of the US National Institute of Standards and Technology (NIST) for the concept of “cyberspace”. [NAT 16] NATO, Cybersecurity. A generic reference curriculum, October 2016, 74 pages, Canada, https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2016_10/1610-cybersecurity-curriculum.pdf.
18 This extended definition is also the one adopted by the international working group that published the report “Cybersecurity. A generic reference curriculum” for NATO [NAT 16]. The definition is adapted from several American sources: CNSSI 4009, NIST SP 800-53 Rev 4, NIPP, DHS National Preparedness Goal; White House Cyberspace Policy Review, May 2009.

The definitions are all of the form “is a” or “is defined as”. Many are partial definitions: “is a set of”, “collection of”. These formulations open the door to long enumerations, and the resulting definitions are either hyperspecific or hypospecific. We identify six types of responses to the question “What is cybersecurity?”, as shown in Figure 2.1. These responses make cybersecurity a technical issue, in which the implementation of means, procedures and organizations is essential; the political and strategic dimension of cybersecurity is not a priority.

The concepts most frequently used across all the texts referenced are (in descending order) information, security, systems, cyberspace and the idea of protection. Among the least used are crime, criminals, cyber-attack, defense, hackers, terrorists, viruses and vulnerabilities. The definitions thus focus on the concepts of information and systems, ahead of the concept of “cyberspace”. The word cloud that we created from the full text of the definitions (in their original English version) reinforces this first analysis: the notions of systems and information predominate over that of cyberspace. The term “electronics” is more common than “Internet”. The notion of “network” is not used either.

19 https://uscode.house.gov.


The choice of terms and the concerns expressed in these approaches show that cybersecurity is mainly defined from the point of view of the engineer, the computer scientist and technology, even if some definitions are intended to be broader, integrating political, legal, diplomatic and military tools into the means of cybersecurity. To refine our analysis, we propose to search in each of the definitions for:

– A: what is said about the motives, reasons, causes or drivers for implementing cybersecurity (e.g. hackers, attacks, etc.);

– B: what is said about the means or methods of cybersecurity (e.g. means to counter threats);

– C: what is said about the objects to be secured, i.e. what is being protected (e.g. potential targets to be protected: computers, infrastructure, operation of systems, etc.).

Figure 2.1. Answers to the question, “What is cybersecurity?”


Figure 2.2. Word cloud created from cybersecurity definitions (text in Table 2.2). For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

After analyzing the contents, we were able to define subdivisions of these three categories, summarized in the following table:

A (causes, reasons, motives…)
A1: undefined
A2: malware, malicious attack, connected threats, digital attacks, electronic crime, cybercrime
A3: threats (without further details)
A4: “events” (imprecise)
A5: remote actions

B (means, methods)
B1: set of political, legal and technical instruments…
B2: techno-centric
B3: “practices, measurements” (imprecise)
B4: means to reach a safe state

C (what the protection should cover)
C1: undefined
C2: electronic systems, cyber-infrastructure, cyber-environment
C3: information
C4: introduces a human dimension

Table 2.3. Subdivisions of the three components of definitions


A total of 13 subdivisions appear, which combine to form the definitions and which reveal the views of their authors, their intentions and their way of looking at cybersecurity. We reproduce these arrangements in Table 2.4 (for each source: components A, B and C).

Organizations, associations, international bodies
ITU (ITU-T X.1205): A1, B1, C2
ISO/IEC JTC1/SC27 IT-Security Techniques: A1, B1, C2/C3
Freedom Online Coalition (FOC): A1, B1, C2/C3
ISACA: A1, B2, C3
ENISA 2016: A5, B2, C2
ENISA 2017: A2, B2, C2/C3
ICAO (civil aviation): A2, B2, C2

Online dictionaries
whatis.techtarget.com: A2, B2, C2
Merriam-Webster: A2, B3, C2
Cambridge Dictionary: A2, B3, C2
Collins Dictionary: A2, B3/B4, C1

Industry
FSB (Financial Stability Board) members: A2, B3, C2
Cisco: A2, B2, C2
Norton: A2, B2, C2
Kaspersky: A2, B2, C2

Academic research
[CRA 14]: A2, B2, C2/C3
[ADA 15]: A1, B2, C2/C3
[GOU 15]: A3, B2, C2/C3/C4
[FIN 16]: A2, B2, C2/C3

Governments, state agencies
Qatar: A1, B1, C2
ANSSI (France): A2/A4, B1/B2, C2/C3
NICCS (USA): A2, B2, C2/C3
Gov. USA: A3, B1, C2/C3
NIST (USA): A2, B2, C2/C3
US DoD (Department of the Navy): A1, B2, C2/C3
ICTD (Philippines): A1, B1, C2/C3
Saudi Arabian Monetary Authority: A3, B1, C2/C3
U.S. Department of Defense Dictionary: A1, B2, C2/C3
Gov. of Kuwait: A1, B1, C2
Gov. of Catalonia: A2, B1, C2/C3/C4
15 USC 7421: Definitions (Title 15 – Commerce and Trade, Chapter 100 – Cybersecurity Enhancement): A1, B1, C2

Table 2.4. Main content components of definitions of cybersecurity and their arrangements

We visualize in Figure 2.3 the place that each of these building blocks of discourse occupies in the whole corpus of definitions. Figure 2.3 highlights the central role played in the definitions by components A1 and A2, B1 and B2, C2 and C3. A significant proportion of the definitions therefore do not mention causes at all (A1). When they do (A2), they focus on malware and cybercrime, and do not mention operations such as disinformation or propaganda on social networks, which in our opinion could very well be among the motives for cybersecurity. These threats or risks are to be tackled primarily through a techno-centric approach (B2), although it can be extended by a series of broader (political, legal) means. All these measures are aimed at protecting information and a technological environment (C2 and C3).


Figure 2.3. Main components used to design cybersecurity definitions. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

The human dimension is therefore generally absent, crowded out by techno-centric readings of cybersecurity. This trend is shared by all categories of sources, whether state actors, international organizations, academic researchers or industry. This reading confirms the first elements of analysis. Of course, we must remain cautious, aware that the sample of definitions is small (n = 33); a more comprehensive census may confirm or contradict our findings. Nevertheless, we observe here a very strong convergence of approaches, which in a way constitutes a consensus: cybersecurity is above all a matter of technology (engineers, lines of code, procedures, standards and technique), leaving little room for social, sociological, ideological or human considerations.

2.3. Typology

The categories and components of the definitions of cybersecurity we have just analyzed prefigure the branches of possible typologies or taxonomies. These may be typologies and taxonomies of the very concept of cybersecurity, as well as of all its component dimensions, i.e. cybercrime,


threats to systems and information, malware, means and methods of cybersecurity, policies, law, technologies. As we did in the previous section, we will first introduce some theoretical background (what a typology is, what it is useful for, how it is constructed) and then look at typologies of cybersecurity (or of concepts directly related to cybersecurity). Our objective will be to identify the themes, notions or concepts that these typologies retain, which may reveal the way in which their authors envisage cybersecurity.

2.3.1. What is a typology?

Typology is the “science of analyzing and describing the typical forms of a complex reality, enabling classification”20. In linguistics, typology refers to a “method of classifying languages based on their internal characteristics, as they emerge from a rigorous analysis”21. In sociology, it is the “study of the characteristics of a set of complex empirical data of a social phenomenon, with a view to classifying them into types, into systems”22. In political science, it is the “classification of political regimes based on one or more criteria”23. Creating a typology consists of organizing and classifying data in a structured way. Let us recall here some famous typologies: the sociological typology of suicides (Durkheim, 1897), the typology of violence by Johan Galtung [GAL 75] or the World Health Organization [WHO 02], and the typology of war proposed by the COW (Correlates of War) project [SAR 10].

2.3.2. Usefulness of typologies

A typology can be given several functions. It allows us to arrange (classify) reality in a systematic way, to simplify complexity and to structure thought. It provides a grid for reading phenomena or concepts. It allows us to link observations and to have an overview of them. However, typologies do have weak points: they are sometimes criticized for a lack of rationality, and the

20 http://www.cnrtl.fr/definition/typologie.
21 http://www.cnrtl.fr/definition/typologie.
22 http://www.cnrtl.fr/definition/typologie.
23 http://www.cnrtl.fr/definition/typologie.


evolutionary nature of their objects (cybercrime, for example, changes in its form, expression, organization, effects, apprehensions, legal framework, etc.) prevents typologies from ever being permanently fixed. A typology must be read in context. It may thus be inscribed in a specific spatial framework (a country). It is adaptable and not necessarily universal.

2.3.3. Rules for the construction of typologies

To approach the method of designing typologies, it is useful to refer to the work of Jean-Paul Grémy and Marie-Joëlle Le Moan, “Analysis of the approach to building typologies in the social sciences” [GRE 77]. The principles of construction are relatively simple. A typology should establish clear rules determining what is and what is not within its scope. It cannot be a “catch-all”: it cannot incorporate unnecessary elements, and it cannot be a simple list or enumeration of items. It groups concepts together according to their similarities, common traits or characteristics; being based on more than one common trait, it is a multi-dimensional classification method. Then comes the step of dividing the overall set into subsets or subcategories, which are the types. These must be comprehensive (i.e. able to include all the elements of the general set: “All members must have all attributes used to define each category”24) and mutually exclusive. A typology is built on the principle of highlighting differences between types. The point is not to look for their relationships but, on the contrary, for what isolates them, so that each element can be placed in one type distinctly and cannot belong to several. For example, if we build a typology of hackers, we will have to imagine several “types” of hackers; ideally, each member of the “hacker” population will then fit into only one of the defined types. The features characterizing each type (and then subtype) must be explicitly defined.

Types, categories and subtypes are created from a corpus of cases or data, so the construction of a typology proceeds by successive attempts. One challenge is to limit the number of types, in order to keep the typology readable as a whole while still integrating all the elements it covers. To reduce the number of types, polarized types can be created (e.g. male–female, civil–military, etc.). However, basing typologies on too few

24 Online courses, IAE Lille, instructional design by Alain Desreumaux, course “Typologies des organisation”, site consulted in October 2019, http://bricks.univ-lille1.fr/M20/cours/co/chap01.html.


types may require the use of a large number of subtypes. In this case, we can proceed by substructuring, i.e. re-examining the subtypes in order to deduce common features that justify the creation of one or more new types. A typology is the result of a search for balance in its architecture. Typologies can be presented in the form of tables, flowcharts, graphs, orthonormal axes and many other formats. There are no real rules in this area beyond compliance with two constraints: ease of reading and simplification.

2.3.4. Cybersecurity typologies

Cybersecurity typologies may address cybersecurity from multiple angles. In the following table, we have grouped together references to publications (articles, reports, etc.) dealing with cybersecurity typologies. References are grouped according to the nature of their source (academic research, think tank, etc.). We repeat the categories A, B and C used in Table 2.4 (A = causes, reasons, motives; B = methods, means, or “impacts”25; C = what should be protected: targets, victims). TC and NTC indicate respectively whether the approaches appeared to us to be techno-centric or non-techno-centric.

Objects of cybersecurity typologies and their sources:

Industry
Typology of cyber-attacks: Cisco26, [GRA 19], Panda Security27, SSL28

Academic research
Typology of cybersecurity governance models: [EGG 18]
Typologies of cyber threat actors: [BRU 17]
Typology of state actor responses to cybersecurity threats: [HOU 16]
Typology of states on the basis of their levels of cybercrime: [KIG 16]
Typology of hackers: [MCB 14], [SEE 15]
Typology of cybercrime: [BRO 06], [POO 14]
Typology of cybercrimes against women: [HAL 12]
Typology of cyber-aggressions: [RUN 17]
Typology of cyber deviance: [VEN 18]
Mobile phone victimization typology: [LUS 17]
Typology of public–private partnerships in the field of cybersecurity: [BOS 18]

Think tank
Typology of cyber threat: [ROB 13]

International organizations
Typology of approaches to cybersecurity29: [ITU 05]
Typology of cybercrime: [GER 12]

Corpus statistics analyzed (20 references): TC 4/20, NTC 16/20, A 15/20, B 5/20, C 3/20

Table 2.5. Some typologies associated with the field of cybersecurity

25 By “impacts” we mean all the consequences and effects produced by the consideration and awareness of threats and risks (identified in category A). These include political, economic, legal and other impacts.
26 https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html.
27 https://www.pandasecurity.com/mediacenter/panda-security/types-of-cybercrime.
28 https://aboutssl.org/most-common-types-of-cyber-attacks.
29 The authors of the study reiterate the usefulness of typologies for cybersecurity policy and governance. Representations determine decisions and types of organizations: “The dominance of one or several typologies has implications for the shape of protection policies and, subsequently, in determining appropriate protection efforts, goals, strategies, and instruments for solution of problems.”


On the basis of the few data produced and the works identified, several remarks can be made. A great many documents offer simple lists or enumerations of types of cybercrimes and cyber-attacks, without ordering them or describing the rules governing their grouping. The number of types identified varies widely, from 5 or 6 (for example, 6 types identified by the company Cisco)30 to 17 (work carried out by the company PhoenixNAP)31. Component A accounts for cyber-attacks such as phishing, malware and denial of service. The types may be described (who the hackers are, how they operate, what the technical steps of a cyber-attack are, etc.). It is this component that very largely dominates all of the work analyzed, which thus focuses on the origins of attacks and threats. Component B (the means of cybersecurity) appears to be secondary, as does component C (what to protect, potential targets). Overall, for all the typologies considered here, the approach is mainly non-techno-centric (except those produced by industry, all of which are techno-centric). The typologies produced by academic research seem more interested in the human dimension (typologies of hackers, for example) and the socio-political dimension (typologies of modes of governance) than in technical aspects alone.

30 https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html#~types-of-cyber-attacks.
31 https://phoenixnap.com/blog/cyber-security-attack-types.

2.4. Taxonomy

Lessons learned from the analysis of definitions and typologies pave the way for the creation of taxonomies. We follow the same stages of reasoning: define the object that is taxonomy, explore its components and its rules of creation, and then analyze the contents of cybersecurity taxonomies. Do we find the same trends, a techno-centric approach, contents oriented according to the origin of their authors or their target audiences? What do we learn about cybersecurity from how it is treated by taxonomies?

2.4.1. What is a taxonomy?

Taxonomy is the “science of the laws and principles of classification of living organisms; by extension, the science of classification”. It is the


“classification of elements; a series of elements forming lists that relate to a field, a science”32. Table 2.6 provides some definitions of taxonomy. A taxonomy is not a catalogue, which is essentially a collection of descriptions: a taxonomy is the basis for classifying objects for research and identification purposes, while the catalogue provides additional, detailed information [AND 89].

32 http://www.cnrtl.fr/definition/taxonomie.

2.4.2. Usefulness of taxonomy

Taxonomies help to order the complexity of the living world (biology) and have since been developed in many other fields. They aim to provide tools that practitioners, researchers, engineers and decision-makers can use to organize the concepts of their fields; they have a utilitarian, pragmatic character. They are often used in the service of research: “These taxonomies provide a basis for basic research in the form of a common language about a field in which problems and their solutions can be defined and explored” [NIC 09]. Taxonomies are deployed in multiple domains (data management processes, e-commerce, website design, etc.). There are many taxonomies applicable to the cyber environment: taxonomies of secrets [ANO 01], of concepts in communication [BLA 75], of hyperlink masking techniques [GUA 13], of cybersecurity risks [CEB 10], of networks [ONN 12] and of attack graphs [HEB 04].

2.4.3. Rules for the construction of taxonomies

There are few steps in the creation of a taxonomy. It is necessary to define the purpose and limits of the object of the taxonomy; then to identify the sources and collect terms and concepts; to group them according to their similarities (also called clustering); and finally to try to simplify the structure of the taxonomy [NAI 18]. The design of a taxonomy must take in a sufficient number of objects to be able to group them into categories. While the typology is deductive, the taxonomy is inductive in nature. Taxonomy, in contrast to typology, prioritizes categories that together include all possibilities. A taxonomy can be considered as a tree: we start from its root, the trunk, then go up to the branches, which are themselves made of other branches. Each level is more precise than the previous one.

2.4.4. Taxonomies of cybersecurity

We have carried out a census of cybersecurity taxonomies and grouped them in Table 2.6. We use the same categories of data as in the table of cybersecurity typologies (TC33, NTC34, A, B, C).

Objects of cybersecurity taxonomies and their sources:

Industry
Taxonomy of threats: [HAS 19]35
Malware taxonomy: Cybersecurity Forum36

Academic research
Taxonomy of cyber-risks: [CEB 10]
Taxonomy of cyber-attacks: [AGR 18], [HAN 04], [HAR 11], [KOT 05], [SIM 09]37, [ZHU 11]
Taxonomy of cyber threats: [NAR 19]
Taxonomy of system vulnerability: [BIS 95]
Taxonomy of cybercrime: [BRA 18]
Taxonomy of national cybersecurity concerns: [HUA 18]

Think tank
Taxonomy of attacks against cyber-physical systems: [YAM 13]

International organizations
Taxonomy of cyber threats: [ENI 16]38
Taxonomy of cybersecurity incidents: [NCG 18]39
Taxonomy of countermeasures: [EGS 12]

Governments, state organizations
Taxonomy of cyber-incidents: [CER 18]
Taxonomy of cyber-exercises: [DIE 15]

Corpus statistics analyzed (19 references): TC 11/19, NTC 8/19, A 16/19, B 3/19, C 14/19

Table 2.6. Some taxonomies of cybersecurity

33 TC = techno-centric.
34 NTC = not techno-centric.
35 This taxonomy is specifically concerned with cyber threats to e-mail.
36 https://cybersecurityforum.com/cyber-attacks.
37 AVOIDIT (Attack Vector, Operational Impact, Defense, Information Impact, and Target) is a taxonomy of cyber-attacks developed at the University of Memphis (USA), within the Department of Computer Science.

Even if the techno-centric approach seems to be in the majority among taxonomies, it is not radically so. On the other hand, we note that, all categories of sources combined, A and C dominate B to a large extent. The question of the means of struggle, of policies, of reactions, seems secondary compared to the pair that dominates the considerations: the source of the threats on the one hand, the targets on the other.

38 [ENI 16]: file in Excel format listing cyber threats: 8 main types, divided into 74 subtypes. ENISA, 2016. https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/at_download/file.
39 This taxonomy proposed by European institutions (the NIS Cooperation Group) comprises two parts: one dealing with the nature of the incidents (column A of the table), the other with the impacts and, more specifically, the sectors affected (thus column C of the table).

2.5. Ontologies

Having tried to grasp the meaning of cybersecurity and to understand the processes contributing to the construction of this concept through definitions, typologies and taxonomies, we can now turn to ontologies, which contribute to this exercise in turn. They create relationships between different typologies and taxonomies, to form more complete representations of the complexity of contexts, environments, processes, and various worlds or universes, in our case those of cyberspace and cybersecurity in particular. While taxonomies are classification tools, ontologies help to model the relationships between concepts. They are relatively recent tools for knowledge representation, derived from the information sciences. The ontologies discussed here do not refer to ontology in the philosophical sense.

2.5.1. What is an ontology?

The notion of ontology has gone beyond the boundaries of philosophy and found a new definition in the information sciences. An ontology is the highlighting of relationships and properties within a set of concepts related to a given domain. Ontologies aim to go beyond glossaries, definitions, typologies, thesauri and dictionaries, to embrace a domain in its entirety. There are very many definitions of ontologies; we shall take only two:

“An engineering artefact, consisting of a specific vocabulary used to describe a certain reality, as well as a set of explicit assumptions about the intended meaning of the words in the vocabulary […] In the simplest case, an ontology describes a hierarchy of concepts linked by subsumption relationships; in more sophisticated cases, appropriate axioms are added to express other relationships between concepts and to constrain their intended interpretation.” [GUA 98]

“An ontology… is a formal specification of a shared conceptualization of an area of interest. This means that this formal specification must be capable of being interpreted by machines and shared between them on the basis of consensus. An ontology is a representation of knowledge of a particular area of interest corresponding to a human representation of that area. Knowledge is represented by concepts and the relationships between these concepts. The concepts describe the meaning of knowledge in any field of interest.” [STR 16]
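To make the two quoted characterizations concrete, here is a small Python example added for this chapter; it is not code from the chapter or from any of the cited works. The is_a edges form a taxonomy tree of the kind described in section 2.4.3 (a root, branches of branches, each level more precise), and the remaining relations (targets, mitigated_by) together with one inheritance axiom (a property stated for a concept holds for everything it subsumes) are what turns that tree into a minimal ontology in the sense of [GUA 98]. All concept and relation names are constructed for the example and are not taken from the ENISA, NIS Cooperation Group or other taxonomies listed in Tables 2.5 and 2.6; the urn:example: namespace in the serialization is likewise a placeholder.

```python
"""Taxonomy versus ontology: a minimal, machine-readable knowledge base.

Added example with constructed data. The concept names (Threat, Malware,
Ransomware, ...) and relation names (is_a, targets, mitigated_by) are
invented for illustration and are not taken from any published taxonomy.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (subject, relation, object)

# "is_a" edges alone are the taxonomy: a tree whose levels grow more precise.
# The other relations are the context a bare taxonomy cannot express.
TRIPLES: List[Triple] = [
    ("Malware", "is_a", "Threat"),
    ("Ransomware", "is_a", "Malware"),
    ("SocialEngineering", "is_a", "Threat"),
    ("Phishing", "is_a", "SocialEngineering"),
    ("DDoS", "is_a", "Threat"),
    ("Malware", "targets", "Integrity"),                 # inherited by Ransomware
    ("Ransomware", "targets", "Availability"),
    ("Phishing", "targets", "Confidentiality"),
    ("DDoS", "targets", "Availability"),
    ("Malware", "mitigated_by", "EndpointProtection"),   # inherited by Ransomware
    ("Ransomware", "mitigated_by", "OfflineBackups"),
    ("Phishing", "mitigated_by", "UserAwarenessTraining"),
    ("DDoS", "mitigated_by", "TrafficScrubbing"),
]


class KnowledgeBase:
    """An is_a tree (taxonomy) plus typed relations and one inheritance axiom."""

    def __init__(self, triples: List[Triple]) -> None:
        self.parent: Dict[str, str] = {}
        self.taxonomy_nodes: Set[str] = set()
        self.relations: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self.concepts: Set[str] = set()
        for subj, rel, obj in triples:
            self.concepts.update((subj, obj))
            if rel == "is_a":
                if subj in self.parent:  # a taxonomy is a tree: one parent per node
                    raise ValueError(f"{subj} already is_a {self.parent[subj]}")
                self.parent[subj] = obj
                self.taxonomy_nodes.update((subj, obj))
            else:
                self.relations[(subj, rel)].add(obj)

    def ancestors(self, concept: str) -> List[str]:
        """Chain of is_a parents from concept up to the root (concept excluded)."""
        chain: List[str] = []
        node = concept
        while node in self.parent:
            node = self.parent[node]
            if node == concept or node in chain:
                raise ValueError(f"is_a cycle through {node}")
            chain.append(node)
        return chain

    def subsumes(self, general: str, specific: str) -> bool:
        """True when `general` is `specific` itself or one of its ancestors."""
        return general == specific or general in self.ancestors(specific)

    def roots(self) -> List[str]:
        return sorted(c for c in self.taxonomy_nodes if c not in self.parent)

    def taxonomy_is_tree(self) -> bool:
        """A well-formed taxonomy has exactly one root and no is_a cycles."""
        try:
            for concept in self.taxonomy_nodes:
                self.ancestors(concept)
        except ValueError:
            return False
        return len(self.roots()) == 1

    def query(self, subject: str, relation: str) -> Set[str]:
        """Objects of `relation` for subject, including those inherited from
        its ancestors: the subsumption axiom that makes this an ontology."""
        found: Set[str] = set()
        for node in [subject] + self.ancestors(subject):
            found |= self.relations.get((node, relation), set())
        return found

    def inverse_query(self, relation: str, obj: str) -> List[str]:
        """Every concept that stands in `relation` to obj, inherited links included."""
        return sorted(c for c in self.concepts if obj in self.query(c, relation))

    def to_ntriples(self, base: str = "urn:example:") -> List[str]:
        """Serialize as N-Triples-style lines; `base` is a placeholder namespace."""
        lines = [f"<{base}{s}> <{base}is_a> <{base}{o}> ." for s, o in self.parent.items()]
        for (s, rel), objs in self.relations.items():
            lines.extend(f"<{base}{s}> <{base}{rel}> <{base}{o}> ." for o in sorted(objs))
        return sorted(lines)


def build_kb() -> KnowledgeBase:
    return KnowledgeBase(TRIPLES)


if __name__ == "__main__":
    kb = build_kb()
    print("tree:", kb.taxonomy_is_tree(), "root:", kb.roots())
    print("Ransomware is_a*:", kb.ancestors("Ransomware"))
    print("Ransomware targets:", sorted(kb.query("Ransomware", "targets")))
    print("What targets Availability:", kb.inverse_query("targets", "Availability"))
    print("\n".join(kb.to_ntriples()))
```

The split between the methods is the point: `ancestors`, `subsumes` and `taxonomy_is_tree` use nothing but the is_a tree and answer every question a taxonomy can (where a concept sits, what it is a kind of, whether the hierarchy is well formed), whereas `query` and `inverse_query` need the non-hierarchical edges plus the inheritance axiom, which is the context a taxonomy alone does not carry. The `to_ntriples` serialization is the machine-readable form that [STR 16] requires of an ontology.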

Definitions, Typologies, Taxonomies and Ontologies of Cybersecurity


2.5.2. Usefulness of ontologies

Computer ontologies are technological objects with several uses, including knowledge representation, offering “an inventory of the different dimensions of reality by mobilizing formalisms derived from logical and computer languages” [MON 09]. They are sometimes considered to surpass taxonomies, being more appropriate than taxonomies for sharing information between complex systems [ZHU 15]. Taxonomies are built on the principle of hierarchical relationships between entities but, unlike ontologies, do not provide contextual information. Ontologies also make it possible to envisage different kinds of relationship between the elements. Ontologies are useful for sharing knowledge, structuring domain concepts, reasoning about the properties of a domain and describing a domain [SAN 11]. According to Natalya F. Noy and Deborah L. McGuinness [NOY 19], they make it possible to share the same structuring of information (which facilitates information sharing, communication between individuals and organizations, and a common reading of the issues), to reuse knowledge about a domain, to make hypotheses about a domain explicit and to separate knowledge about a domain from operational knowledge. Ontologies are also used for interoperability between systems, or in systems engineering [VLA 11].

Knowledge reuse is one of the key principles of ontologies. For this purpose, their formatting must meet special standards. Once this principle has been respected, ontologies can be opened to complementary developments, associated with pre-existing ontologies, linked and cross-referenced with each other, borrowed, etc. An ontology is thus certainly a complex architecture in itself, but it can be seen as a building block for other, even more complex constructions.

2.5.3. Rules for construction of ontologies

Ontologies, focusing on relationships and contextualization, are hierarchical sets of standardized terms, together with defined, essential and declared relationships between these terms. Ontologies are not catalogues, lists or even simply knowledge bases. They look at a wider world than taxonomies (there may be several taxonomies within an ontology). They “combine the basic concepts of a specific field and the relationships between these concepts in a machine-readable way” [ZAI 11]. It is therefore


necessary to encode knowledge in order to make it usable by machines and reusable for the design of new ontologies. Knowledge about a given domain consists of the classes of objects, the attributes attached to the objects and the types of relationships between objects. For instance:

– object classes: cyber-attacks, hackers, critical infrastructure;
– attributes attached to the objects: IP address of the attack source, target machine, attack type;
– type of relationship: “comes from”, “aim/target”.

The “cyber-attack” object could then be linked to the “critical infrastructure” object by the “aim/target” relationship. The construction of an ontology proceeds by successive steps [NOY 19]: the definition of classes and their properties; the arrangement of classes in a taxonomic hierarchy (class and subclasses); the definition of relationships; and the definition of instances (is it an instance or a class?). The creation of ontologies can be based on dedicated software (e.g. the Protégé application, note 40).

40 https://protege.stanford.edu.

2.5.4. Cybersecurity ontologies

In the field of cybersecurity, ontologies have a very practical, operational purpose, such as structuring or systematizing industrial procedures and information-sharing processes, or providing tools to aid understanding and decision-making. Takeshi Takahashi and Youki Kadobayashi [TAK 15] thus propose an ontology for the operational information that must be shared among cybersecurity actors. The ontology aims to structure information that can be heterogeneous, come from several countries or be constituted according to different standards or multiple industrial specifications. The exercise in which the researchers are engaged is constrained by the need to demonstrate the utilitarian dimension of the ontology produced [TAK 15]. A great deal of work has been carried out in recent years to develop ontologies in the field of cybersecurity. As an example, we have identified some of them, referenced in Table 2.7, according to their sources and using the same categories as defined above (A, B, C, TC and NTC).

Purpose of cybersecurity ontologies

Category | Ontology | Source | TC | NTC | A | B | C
Industry | Cybersecurity incident ontology (FireEye Enterprise) | [KAP 19] | | | | |
Academic research | Ontology of cybersecurity | [OBR 12], [SYE 16] | | | | |
Academic research | Ontology of cybersecurity culture | [GCA 15] | | | | |
Academic research | Information security ontology | [HER 07] | | | | |
Academic research | Ontology for the construction of national cybersecurity policies | [VUU], [TAL 18] | | | | |
Academic research | Ontology of attacks | [ZHU 15] | | | | |
Academic research | Ontology for cybersecurity of the Internet of Things | [MOZ 18] | | | | |
Academic research | Ontology for incident response | [MOR 18] | | | | |
Academic research | Cybersecurity and human factors | [OLT 15] | | | | |
Academic research | Ontology for cybercrime investigations | [PAR 09] | | | | |
Academic research | Cyberterrorism | [VEE 12] | | | | |
International organizations | Ontology of cyber resilience | [VLA 11] (note 41) | | | | |
Governments, state organizations | Vulnerability ontology | NIST VDO Application (note 42) | | | | |
Corpus statistics analyzed | | | 6/14 | 8/14 | 9/14 | 7/14 | 9/14

[The per-row * and x marks in the TC, NTC, A, B and C columns are not recoverable from the extracted text; only the column totals are given.]

Table 2.7. Some ontologies in the field of cybersecurity

41 This report was published by ENISA in 2011.
42 NIST website, National Institute of Standards and Technology, Department of Commerce, USA. Presentation of VDO (Vulnerability Description Ontology): https://csrc.nist.gov/publications/detail/nistir/8138/draft. See also [BOO 16].
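The construction steps listed in section 2.5.3 (classes and their properties, a taxonomic hierarchy, relationships, instances), worked through on that section's own example of cyber-attacks, hackers and critical infrastructure. This is an added illustration, not code from the chapter or from any of the ontologies in Table 2.7; it uses no external library (a real project would use Protégé and OWL), and every class, relation, attribute and instance name below, as well as the sample values, is a constructed assumption for the example.

```python
"""Ontology construction steps from section 2.5.3: classes with properties,
a class/subclass hierarchy, typed relationships, and instances.
Constructed illustration; all names and values below are assumptions."""


class Ontology:
    """Single-inheritance classes, inherited attributes, typed relations, instances."""

    def __init__(self):
        self.parent = {}      # class -> parent class (None for the root)
        self.attributes = {}  # class -> attributes declared on that class
        self.relations = {}   # relation -> (domain class, range class)
        self.instances = {}   # instance id -> (class, {attribute: value})
        self.facts = []       # (subject id, relation, object id)

    # Steps 1 and 2: classes with their properties, arranged in a hierarchy.
    def add_class(self, name, parent=None, attributes=()):
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent class {parent!r}")
        self.parent[name] = parent
        self.attributes[name] = set(attributes)

    def ancestors(self, name):
        """The class itself followed by its superclasses up to the root."""
        chain = []
        while name is not None:
            chain.append(name)
            name = self.parent[name]
        return chain

    def subsumes(self, general, specific):
        """True when every instance of `specific` is also one of `general`."""
        return general in self.ancestors(specific)

    def all_attributes(self, name):
        """Attributes declared on a class or inherited from its superclasses."""
        return set().union(*(self.attributes[c] for c in self.ancestors(name)))

    # Step 3: relationships, each constrained by a domain and a range class.
    def add_relation(self, name, domain, range_):
        for cls in (domain, range_):
            if cls not in self.parent:
                raise KeyError(f"unknown class {cls!r}")
        self.relations[name] = (domain, range_)

    # Step 4: instances, and the facts that link them.
    def add_instance(self, ident, cls, **values):
        unknown = set(values) - self.all_attributes(cls)
        if unknown:
            raise ValueError(f"{cls} has no attribute(s) {sorted(unknown)}")
        self.instances[ident] = (cls, dict(values))

    def assert_fact(self, subject, relation, obj):
        """Accept a triple only if both ends fit the relation's domain and range."""
        domain, range_ = self.relations[relation]
        if not self.subsumes(domain, self.instances[subject][0]):
            raise TypeError(f"{subject} is not a {domain}")
        if not self.subsumes(range_, self.instances[obj][0]):
            raise TypeError(f"{obj} is not a {range_}")
        self.facts.append((subject, relation, obj))

    def query(self, relation=None, object_class=None):
        """Facts filtered by relation and by the object's class, subclasses included."""
        return [(s, r, o) for s, r, o in self.facts
                if (relation is None or r == relation)
                and (object_class is None
                     or self.subsumes(object_class, self.instances[o][0]))]

    def to_triples(self):
        """Machine-readable dump as subject / predicate / object lines."""
        lines = [f"{c} subClassOf {p}" for c, p in self.parent.items() if p]
        lines += [f"{i} type {c}" for i, (c, _) in self.instances.items()]
        lines += [f"{s} {r} {o}" for s, r, o in self.facts]
        return lines


def build_cyber_ontology():
    """Encode the section's example: cyber-attacks, hackers, critical infrastructure,
    the attributes and relationships it names. Instances are constructed values."""
    o = Ontology()
    o.add_class("Thing")
    o.add_class("Actor", "Thing")
    o.add_class("Hacker", "Actor", attributes=["alias"])
    o.add_class("Asset", "Thing", attributes=["owner"])
    o.add_class("CriticalInfrastructure", "Asset", attributes=["sector"])
    o.add_class("CyberAttack", "Thing",
                attributes=["source_ip", "target_machine", "attack_type"])
    # "Is it an instance or a class?": a kind of attack is a subclass,
    # one observed attack is an instance of that subclass.
    o.add_class("DDoSAttack", "CyberAttack", attributes=["peak_gbps"])
    o.add_relation("comes_from", "CyberAttack", "Actor")   # "comes from"
    o.add_relation("targets", "CyberAttack", "Asset")      # "aim/target"

    o.add_instance("group_a", "Hacker", alias="constructed-alias")
    o.add_instance("grid_scada", "CriticalInfrastructure",
                   owner="example utility", sector="energy")
    o.add_instance("attack_1", "DDoSAttack", source_ip="203.0.113.7",
                   target_machine="scada-hmi-01", attack_type="volumetric",
                   peak_gbps=40)
    o.assert_fact("attack_1", "comes_from", "group_a")
    o.assert_fact("attack_1", "targets", "grid_scada")
    return o
```

Calling `build_cyber_ontology().query(relation="targets", object_class="CriticalInfrastructure")` returns the single fact linking `attack_1` to `grid_scada`; asking for `object_class="Asset"` returns the same fact because subsumption walks the hierarchy, which is exactly the contextual reasoning the text credits ontologies with over flat taxonomies. `to_triples()` gives the flat, machine-readable form that a tool such as Protégé would exchange, and `assert_fact` rejects a triple whose ends do not match the relation's declared domain and range, so a hacker cannot be recorded as "targeting" an asset.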


It is clear from this table that the techno-centric vision does not dominate the ontologies, but appears in almost equal measure with non-techno-centric approaches, which take account of the environment and the human dimension. Furthermore, there does not seem to be any particular predominance of any of the three components (A, B, C), which means that there is a balance in the consideration of the sources of threats, what motivates cybersecurity measures, the effects and measures of a political, strategic and organizational nature, and the domain of the targets or victims of cyber threats.

2.6. Conclusion

These four readings of cybersecurity call for some observations. The DTTOs provide an account of cybersecurity: the security of information systems and of information is a very broad issue in terms of both its modalities and its effects, and cybersecurity is a fragmented field. There is consensus on the need to take account of threats whose modalities are determined by the nature of the technological space in which they take shape, and which weigh deeply on society as a whole. Cybersecurity appears, through the prism of definitions, to be an essentially technical issue, giving a large place to the engineer’s vision. This strong trend calls into question the assertion that there is no consensus on definitions of cybersecurity, although of course multiple formulations remain possible. However, this reading differs somewhat when approaching cybersecurity and its various facets using typologies, taxonomies and ontologies. The non-techno-centric approach dominates typologies, which focus (in the corpus studied) on the sources, origins and forms of threats (hackers, etc.). We can conclude that in typologies, the consensus shifts from the dominance of the engineering vision in the definitions to a consideration that we will qualify as sociological or political.

Taxonomies tend on the contrary (still based on our corpus) to give relatively equal weight to both approaches (techno-centric and non-techno-centric), while paying particular attention to the origins of insecurity and the targets of this insecurity, to the detriment of taking into account the means to implement security.


With ontologies, where the analysis integrates a broader context, all components (A, B and C) are integrated at virtually equal levels and neither viewpoint (TC or NTC) really dominates. There are therefore strong trends within each category expressing cybersecurity. These trends are strong enough, it seems to us, to allow us to speak of a “consensus”, not on the reading of cybersecurity in general, but within each form of expression. We may then wonder about the reasons for these differences in approach: how can it be explained that definitions are essentially techno-centric, when typologies and taxonomies seem to be non-techno-centric, and ontologies seem to give equal importance to techno-centric and non-techno-centric approaches? We do not have a definitive answer to this question. The differences may be due to the quality of our corpus, which is still not exhaustive enough to draw definitive conclusions. Each tool, because of its own usefulness and structure, may also require different developments. Thus, ontologies, which by their very nature are intended to capture contexts or universes in all their complexity, rather than definitions or typologies for example, allow a better balance between technological and non-technological variables. However, this does not explain the importance of technology in the definitions of cybersecurity, to the detriment of social or political variables. These trends could be explained by the category to which the authors of cybersecurity DTTOs belong (researchers, engineers, government officials, business managers, etc.). The analysis could be further refined by looking for particular developments or trends in time (over the last two decades) or space (is the vision the same on the European and North American continents, for example?). The work carried out in this chapter may therefore be extended by further qualitative and quantitative analyses, taking account of spatio-temporal and sociological variables.

2.7. References

[ADA 15] ADAMS S.A., “The governance of cybersecurity”, Tilburg University, The Netherlands, https://www.wodc.nl/binaries/2484-volledige-tekst_tcm28-73672.pdf, November 2015.
[AGR 18] AGRAFIOTIS I., NURSE J.R.C., GOLDSMITH M. et al., “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate”, Journal of Cybersecurity, vol. 4, no. 1, pp. 1–15, 2018.


[AIC 17] AICPA, Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program, American Institute of Certified Public Accountants, https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/description-criteria.pdf, 2017.
[AND 89] ANDERSON L.B. et al., A taxonomy for warfare simulation, Military Operations Research Society, Workshop report, https://ia800105.us.archive.org/7/items/DTIC_ADA331305/DTIC_ADA331305.pdf, 27 October 1989.
[ANO 01] ANONYMOUS, “Toward a taxonomy of secrets”, Cryptologic Quarterly, vol. 20, nos 1–2, https://ia600206.us.archive.org/34/items/TowardaTaxonomyofSecrets/Toward%20a%20Taxonomy%20of%20Secrets.pdf, 2001.
[BAL 18] BALKE L., “China’s new cybersecurity law and U.S.–China cybersecurity issues”, Santa Clara Law Review, vol. 58, no. 1, pp. 137–168, https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2849&context=lawreview, 2018.
[BAR 77] BARRÉ L., La logique ou l’art de penser, New edition, J. Delalain et Fils, Paris, 1877.
[BHA 17] BHAVYA SREE D., SATYANARAYAN REDDY K., “A systematic approach towards classification and description of cyber crime incidents”, IJEDR, International Journal of Engineering Development and Research, vol. 5, no. 4, pp. 1524–1528, https://www.ijedr.org/papers/IJEDR1704242.pdf, 2017.
[BIS 95] BISHOP M., A taxonomy of UNIX system and network vulnerabilities, University of California, Davis, Report no. CSE-95-10, 1995.
[BLA 75] BLAKE R.H., HAROLDSEN E.O., A Taxonomy of Concepts in Communication, Hastings House Publishers, New York, 1975.
[BOO 16] BOOTH H., TURNER C., Vulnerability Description Ontology (VDO). A Framework for Characterizing Vulnerabilities, Draft NISTIR 8138, National Institute of Standards and Technology, Washington DC, https://csrc.nist.gov/csrc/media/publications/nistir/8138/draft/documents/nistir_8138_draft.pdf, September 2016.
[BOS 18] BOSSONG R., WAGNER B., “A typology of cybersecurity and public–private partnerships in the context of the European Union”, in BURES O., CARRAPICO H. (eds), Security Privatization, Springer, 2018.
[BRA 18] BRAR H.S., KUMAR G., “Cybercrimes: A proposed taxonomy and challenges”, Journal of Computer Networks and Communications, https://doi.org/10.1155/2018/1798659, 2018.
[BRO 06] BROADHURST R., “Developments in the global law enforcement of cybercrime”, Policing: An International Journal of Police Strategies and Management, vol. 29, pp. 408–433, 2006.
[BRO 17] BROWN D., ESTERHUYSEN A., KNODEL K., Cybersecurity policy and human rights, Briefing document, APC, https://www.apc.org/sites/default/files/brief8.pdf, 2017.


[BRU 17] DE BRUIJNE M., VAN EETEN M., GAÑAN C.H. et al., Towards a new cyber threat actor typology, Delft University of Technology, https://www.wodc.nl/binaries/2740_Volledige_Tekst_tcm28-273243.pdf, 2017.
[CAR 81] CARRERAS Y., GONZALEZ M., Philosophie de la science économique : concept, définition, dénomination, rapports, qualification, classification, méthode, histoire, écoles et critique de l’économie politique, d’après les principaux économistes, https://gallica.bnf.fr/ark:/12148/bpt6k5495398r/f57.image.r=formuler%20une%20d%C3%A9finition?rk=21459;2, 1881.
[CEB 10] CEBULA J.J., YOUNG L.R., A taxonomy of operational cyber security risks, Technical note CMU/SEI-2010-TN-028, Software Engineering Institute, https://archive.org/details/DTIC_ADA537111, December 2010.
[CER 18] CERT.HR, National taxonomy for computer security incidents, https://www.cert.hr/wp-content/uploads/2018/06/National-taxonomy-for-computer-securityincidents.pdf, June 2018.
[CIG 18] CIGREF, Cybersecurity: visualize, understand, decide, Report, https://www.cigref.fr/wp/wp-content/uploads/2019/01/Cigref-Cybersecurity-Visualize-UnderstandDecide-2018-October-EN.pdf, October 2018.
[COU 15] COURNARIE L., “Platon lectures platoniciennes : thèmes et dialogues”, Philopsis : revue numérique, http://www.philopsis.fr/IMG/pdf/platon-cournarie.pdf, 2015.
[CRA 14] CRAIGEN D., DIAKUN-THIBAULT N., PURSE R., “Defining cybersecurity”, Technology Innovation Management Review, https://timreview.ca/sites/default/files/article_PDF/Craigen_et_al_TIMReview_October2014.pdf, October 2014.
[CTI 18] CATALONIA TRADE & INVESTMENT, Cybersecurity in Catalonia: Technology snapshot, Government of Catalonia, http://catalonia.com/.content/documents/Cybersecurity-snapshot_ENG-DEF.pdf, 2018.
[DES 01] DESMET I., Théories et pratiques de la terminologie : la définition terminologique, séminaire à l’ISTI – Brussels, http://paulmura.phpnet.org/campus/isti/courses/TERM001/document/Intranet/desmet01.pdf23, March 2001.
[DIC 17] DICT, National Cybersecurity Plan 2022, Philippines, http://www.dict.gov.ph/wpcontent/uploads/2017/04/FINAL_NationalCyberSecurityPlan2022.pdf, 2017.
[DIE 15] DÍEZ E.G. et al., Cyber exercises taxonomy, INCIBE, Spanish National Institute for Cyber-security, https://www.incibe.es/extfrontinteco/img/File/intecocert/EstudiosInformes/incibe_cyberexercises_taxonomy.pdf, March 2015.
[DOD 19] DEPARTMENT OF DEFENSE, Dictionary of Military and Associated Terms, USA, https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf, July 2019.
[DON 17] DEPARTMENT OF THE NAVY, Cyber glossary: Terms and definitions, USA, https://www.doncio.navy.mil/FileHandler.ashx?ID=11240, 11 December 2017.
[EGG 18] EGGENSCHWILER J., “A typology of cybersecurity governance models”, St Antony’s International Review, vol. 13, no. 2, pp. 64–78, https://www.ingentaconnect.com/content/stair/stair/2018/00000013/00000002/art00006?crawler=true, February 2018.


[EGS 12] EXPERT GROUP ON THE SECURITY AND RESILIENCE OF COMMUNICATION NETWORKS AND INFORMATION SYSTEMS FOR SMART GRIDS, Countermeasure Taxonomy, European Commission, https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=1764, 19 March 2012.
[ENI 15] ENISA, Definitions of cybersecurity. Gaps and overlaps in standardisation, V. 1.0, https://www.enisa.europa.eu/publications/definition-of-cybersecurity, December 2015.
[ENI 17] ENISA, Overview of cybersecurity and related terminology, European Union Agency for Network and Information Security, https://www.enisa.europa.eu/publications/enisaposition-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology, September 2017.
[ENI 18] ENISA, Threat landscape report, European Union Agency for Network and Information Security, https://www.enisa.europa.eu/publications/enisa-threat-landscapereport-2017/at_download/fullReport, January 2018.
[FIN 16] FINNEMORE M., HOLLIS D.B., “Constructing norms for global cybersecurity”, The American Journal of International Law, vol. 110, no. 3, pp. 425–479, https://www.iilj.org/wp-content/uploads/2017/01/Finnemore-Hollis-Constructing-Norms-for-GlobalCybersecurity.pdf, July 2016.
[FSB 17] FINANCIAL STABILITY BOARD, Stocktake of publicly released cybersecurity regulations, guidance and supervisory practices, Switzerland, https://www.fsb.org/wpcontent/uploads/P131017-2.pdf, 13 October 2017.
[GAL 75] GALTUNG J., “The specific contribution of peace research to the study of the causes of violence: Typologies”, Interdisciplinary Expert Meeting on the Study of the Causes of Violence, Paris, 12–15 November 1975.
[GCA 15] GCAZA N., VON SOLMS R., VAN VUUREN J., “An ontology for a national cybersecurity culture environment”, Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance, https://pdfs.semanticscholar.org/c596/1ba43c38f5da5dc833eea209db5ccd768c7f.pdf, 2015.
[GER 12] GERCKE M., Understanding Cybercrime: Phenomena, Challenges and Legal Response, ITU, Switzerland, http://www.itu.int/ITU-D/cyb/cybersecurity/docs/Cybercrime%20legislation%20EV6.pdf, September 2012.
[GOU 15] GOUTAM R.K., “Importance of cyber security”, International Journal of Computer Applications, vol. 111, no. 7, https://pdfs.semanticscholar.org/5cfb/7a5bd2e6c181e8a69ebd49b1dadb795f493b.pdf, 7 February 2015.
[GRA 19] GRAHAM A., “Different types of cyber attacks”, https://www.itgovernance.co.uk/blog/different-types-of-cyber-attacks, 9 May 2019.
[GRE 77] GREMY J.-P., LE MOAN M.-J., “Analyse de la démarche de construction de typologies dans les sciences sociales”, Informatique et sciences humaines, no. 35, 1977.
[GUA 98] GUARINO N., “Formal ontology in information systems”, Proceedings of the First International Conference (FOIS’98), Trento, Italy, June 6–8, 1998.


[GUA 13] GUANG G.G. et al., “A taxonomy of hyperlink hiding techniques”, WebQuality2013, Rio de Janeiro, Brazil, https://archive.org/details/arxiv-1303.2438, May 13, 2013.
[HAL 12] HALDER D., JAISHANKAR K., “Definition, typology and patterns of victimization”, Cyber Crime: Concepts, Methodologies and Applications, IGI Global, pp. 1016–1042, 2012.
[HAN 04] HANSMAN S., HUNT R., “A taxonomy of network and computer attacks”, Computer and Security, vol. 24, pp. 31–43, 2004.
[HAN 06] HANSSON S.O., “How to define – A tutorial”, Princípios, Natal, vol. 13, nos 19–20, pp. 31–43, https://periodicos.ufrn.br/principios/article/download/508/440/, December/January 2006.
[HAR 11] HARRISON K., WHITE G., “A taxonomy of cyber events affecting communities”, Conference Proceedings of the 44th Hawaii International Conference on System Sciences, vol. 1, pp. 1–9, 2011.
[HAS 19] HASSOLD C., “The threat taxonomy: A working framework to describe cyber attacks”, https://www.agari.com/email-security-blog/threat-taxonomy-framework-cyber-attacks/, 22 October 2019.
[HEB 04] HEBERLEIN T., BISHOP M., CEESAY E. et al., A taxonomy for comparing attack-graph approaches, Paper submitted to ARDA, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.570.3376&rep=rep1&type=pdf, 2004.
[HER 07] HERZOG A., SHAHMEHRI N., DUMA C., “An ontology of information security”, IJISP, vol. 1, pp. 1–23, 2007.
[HOU 16] HOUSEN-COURIEL D., “Cybersecurity threats to satellite communications: Towards a typology of state actor responses”, Acta Astronautica, vol. 128, pp. 409–415, https://cyberregstrategies.com/wp-content/uploads/2016/08/Acta-Astronautica.pdf, 2016.
[HUA 18] HUANG K., MADNICK S., JOHNSON S., Interactions between cybersecurity and international trade: A systematic framework, Working paper, Massachusetts Institute of Technology, Cambridge, http://web.mit.edu/smadnick/www/wp/2018-13.pdf, November 2018.
[ISA 16] ISACA, Cybersecurity fundamentals glossary, Information Systems Audit and Control Association, USA, http://www.isaca.org/Knowledge-Center/Documents/Glossary/Cybersecurity_Fundamentals_glossary.pdf, 2016.
[KAP 19] KAPELLMANN ZAFRA D., BRUBAKER N., “The FireEye OT-CSIO: An ontology to understand, cross-compare, and assess operational technology cyber security incidents”, FireEye, https://www.fireeye.com/blog/threat-research/2019/09/ontology-understand-assessoperational-technology-cyber-incidents.html, 30 September 2019.
[KER 02] VAN DE KERCHOVE M., Jalons pour une théorie critique du droit, Presses de l’Université Saint-Louis, Brussels, 2002.


[KHA 99] KHALILZAD Z.M., WHITE J.P., MARSHALL A.W. (eds), Strategic Appraisal: The Changing Role of Information in Warfare, RAND Corporation, Santa Monica, CA, https://www.rand.org/pubs/monograph_reports/MR1016.html, 1999.
[KIG 16] KIGERL A., “Cyber crime nation typologies: K-means clustering of countries based on cyber crime rates”, International Journal of Cyber Criminology, vol. 10, no. 2, pp. 147–169, https://www.cybercrimejournal.com/Kigerlvol10issue2IJCC2016.pdf, July–December 2016.
[KOT 05] KOTAPATI K., LIU P., SUN Y. et al., “A taxonomy of cyber attacks on 3G networks”, in KANTOR P. et al. (eds), Intelligence and Security Informatics, ISI 2005, Lecture Notes in Computer Science, vol. 3495, Springer, Berlin, Heidelberg, 2005.
[LAR 96] LARIVIÈRE L., Conception et réalisation d’un nouveau répertoire terminologique et documentaire unifié : le terminaire ou thésaurus TERMDOC des documents professionnels de correspondance, Thesis, https://papyrus.bib.umontreal.ca/xmlui/bitstream/handle/1866/6776/these_body.html, University of Montreal, Canada, February 1996.
[LAS 14] LASTDRAGER E.E.H., “Achieving a consensual definition of phishing based on a systematic review of the literature”, Crime Science, vol. 3, no. 9, https://ris.utwente.nl/ws/portalfiles/portal/6471853/phishing-definition.pdf, December 2014.
[LIA 73] LIARD L., Des définitions géométriques et des définitions empiriques : thèse, https://gallica.bnf.fr/ark:/12148/bpt6k28699v/f7.image.r=formuler%20une%20d%C3%A9finition, Paris, France, 1873.
[LIN 17] LIN H., “Fundamentals of cyber conflict”, Presentation document, Stanford University, https://seclab.stanford.edu/courses/cs203spring2017/lectures/lin.pdf, 23 May 2017.
[LUS 17] LUSINGA S., KYOBE M., “Testing a typology of mobile phone victimization using cluster analysis”, The Electronic Journal of Information Systems in Developing Countries, vol. 78, no. 6, pp. 1–21, https://onlinelibrary.wiley.com/doi/pdf/10.1002/j.1681-4835.2017.tb00574.x, 2017.
[MAU 14] MAURER T., MORGUS R., Compilation of Existing Cybersecurity and Information Security Related Definitions, NewAmerica, Report, https://www.giplatform.org/sites/default/files/Compilation%20of%20Existing%20Cybersecurity%20and%20Information%20Security%20Related%20Definition.pdf, October 2014.
[MCB 14] MCBRAYER J., Exploiting the digital frontier: Hacker typology and motivation, Doctoral dissertation, http://acumen.lib.ua.edu/content/u0015/0000001/0002070/u0015_0000001_0002070.pdf, University of Alabama, 2014.
[MIC 14] MINISTRY OF INFORMATION AND COMMUNICATIONS TECHNOLOGY, Qatar National Cyber Security Strategy, Qatar, http://www.motc.gov.qa/sites/default/files/national_cyber_security_strategy.pdf, 2014.
[MOL 96] MOLANDER R.C., RIDDILE A.S., WILSON P., Strategic Information Warfare: A New Face of War, RAND, Santa Monica, California, 1996.


[MON 09] MONNIN A., FÉLIX E., Essai de comparaison des ontologies informatiques et philosophiques : entre être et artefacts, Rochebrune’09 : Ontologie et dynamique des systèmes complexes, perspectives interdisciplinaires, https://hal-paris1.archives-ouvertes.fr/hal00636120/document, p. 14, January 2009.
[MOR 18] MOREIRA G.B. et al., “CSIHO: An ontology for computer security incident handling”, Anais do XVIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, Porto Alegre, Brazil, https://sol.sbc.org.br/index.php/sbseg/article/view/4239/4170, pp. 1–14, 2018.
[MOZ 18] MOZZAQUATRO B.A. et al., “An ontology-based cybersecurity framework for the Internet of Things”, Sensors, vol. 18, p. 3053, 2018.
[NAI 18] NAI-FOVINO I. et al., European cybersecurity centres of expertise map definitions and taxonomy, JRC Technical Reports, European Commission, https://publications.jrc.ec.europa.eu/repository/bitstream/JRC111441/taxonomy_final.pdf, 2018.
[NAR 19] NARWAL B., MOHAPATRA A.K., USMANI K.A., “Towards a taxonomy of cyber threats against target applications”, Journal of Statistics and Management Systems, vol. 22, no. 2, pp. 301–325, 2019.
[NAT 16] NATO, Cybersecurity: A generic reference curriculum, Canada, https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2016_10/1610-cybersecurity-curriculum.pdf, October 2016.
[NCG 18] NIS COOPERATION GROUP, Cybersecurity Incident Taxonomy, CG Publication, Brussels, http://ec.europa.eu/information_society/newsroom/image/document/2018-30/cybersecurity_incident_taxonomy_00CD828C-F851-AFC4-0B1B416696B5F710_53646.pdf, July 2018.
[NIC 09] NICKERSON R., MUNTERMANN J., VARSHNEY U. et al., “Taxonomy development in information systems: A taxonomy of mobile applications”, https://halshs.archives-ouvertes.fr/halshs-00375103/document, 2009.
[NIC 18] NICCS, Explore terms: A glossary of common cybersecurity terminology, Department of Homeland Security, https://niccs.us-cert.gov/about-niccs/glossary#C, 2018.
[NOY 19] NOY N.F., MCGUINNESS D.L., Ontology development 101: A guide to creating your first ontology, Stanford University, https://protege.stanford.edu/publications/ontology_development/ontology101-noy-mcguinness.html, accessed June 2019.
[NRO 19] THE NROC PROJECT, Identifying types of definitions, Monterey Institute for Technology and Education, http://content.nroc.org/DevelopmentalEnglish/unit05/Foundations/identifyingtypes-of-definitions.html, 2019.
[OBR 12] OBRST L., CHASE P., MARKELOFF R., “Developing an ontology of the cyber security domain”, STIDS, Fairfax, VA, http://ceur-ws.org/Vol-966/STIDS2012_T06_ObrstEtAl_CyberOntology.pdf, 2012.
[OLT 15] OLTRAMARI A., HENSHEL D., CAINS M. et al., “Towards a human factors ontology for cyber security”, STIDS Conference, http://stids.c4i.gmu.edu/papers/STIDS_2015_T04_Oltramari_etal.pdf, pp. 26–33, 2015.


[ONN 12] ONNELA J.-P. et al., “Taxonomies of networks from community structure”, Physical Review E: Statistical, Nonlinear, and Soft Matter Physics, 40 pages, https://archive.org/details/arxiv-1006.5731, 2012.
[PAR 09] PARK H., CHO S., KWON J.-P., “Cyber forensics ontology for cyber criminal investigation”, in SORELL M. (ed.), e-Forensics, LNICST 8, https://eudl.eu/pdf/10.1007/978-3-642-02312-5_18, pp. 160–165, 2009.
[POO 14] POONIA A.S., “Cyber crime: Challenges and its classification”, International Journal of Emerging Trends & Technology in Computer Science (IJETTCS), vol. 3, no. 6, https://www.ijettcs.org/Volume3Issue6/IJETTCS-2014-12-08-96.pdf, November–December 2014.
[ROB 13] ROBINSON N., GRIBBON L., HORVATH V. et al., Cyber-Security Threat Characterisation. A Rapid Comparative Analysis, RAND Europe, Cambridge, UK, https://www.rand.org/content/dam/rand/pubs/research_reports/RR200/RR235/RAND_RR235.pdf, 2013.
[RUN 17] RUNIONS K.C., BAK M., SHAW T., “Disentangling functions of online aggression: The Cyber-Aggression Typology Questionnaire (CATQ)”, Aggressive Behavior, vol. 43, no. 1, pp. 74–84, 2017.
[SAM 17] SAUDI ARABIAN MONETARY AUTHORITY, Cyber Security Framework, http://www.sama.gov.sa/en-US/Laws/BankingRules/SAMA%20Cyber%20Security%20Framework.pdf, May 2017.
[SAN 11] SANDEWALL E., Ontology, taxonomy and type in artificial intelligence, Course material, https://www.ida.liu.se/ext/caisor/pm-archive/krf/027/PM-krf-027.pdf, Linköping University, 2011.
[SAR 10] SARKEES M.R., The COW Typology of War: Defining and Categorizing Wars, The Correlates of War Project, http://cow.dss.ucdavis.edu/data-sets/COW-war/the-cow-typologyof-war-defining-and-categorizing-wars/view, 2010.
[SCH 17] SCHATZ D., BASHROUSH R., WALL J., “Towards a more representative definition of cyber security”, Journal of Digital Forensics, Security and Law, vol. 12, no. 2, article 8, pp. 53–74, 2017.
[SEE 15] SEEBRUCK R., “A typology of hackers”, Digital Investigation: The International Journal of Digital Forensics & Incident Response, vol. 14, no. C, pp. 36–45, September 2015.
[SHA 10] SHARMA A., “Cyber wars: A paradigm shift from means to ends”, Strategic Analysis, vol. 34, no. 1, pp. 62–73, 2010.
[SHI 04] SHIELD M., “Formal definitions in mathematics”, AMT, vol. 60, no. 4, pp. 25–28, https://ia801600.us.archive.org/13/items/ERIC_EJ717866/ERIC_EJ717866.pdf, 2004.
[SIM 09] SIMMONS C., ELLIS C., SHIVA S. et al., “AVOIDIT: A cyber attack taxonomy”, https://www.researchgate.net/publication/229020163_AVOIDIT_A_Cyber_Attack_Taxonomy, 2009.


[SMI 02] SMITH K., “Typologies, taxonomies, and the benefits of policy classification”, Policy Studies Journal, vol. 30, no. 3, pp. 379–395, https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1541-0072.2002.tb02153.x, 2002.
[SNO 11] SNOWDEN D., “Typology or taxonomy?”, CognitiveEdge, http://cognitive-edge.com/blog/typology-or-taxonomy/, 22 October 2011.
[STR 16] STRATAN S., Software implementation for taxonomy browsing and ontology evaluation for the case of Wikidata, Master’s thesis, Technische Universität Dresden, https://iccl.inf.tudresden.de/w/images/6/69/MscStratan.pdf, March 2006.
[SYE 16] SYED Z., PADIA A., FININ T. et al., UCO: A unified cybersecurity ontology, Paper, https://www.aaai.org/ocs/index.php/WS/AAAIW16/paper/download/12574/12365, 2016.
[TAK 15] TAKAHASHI T., KADOBAYASHI Y., “Reference ontology for cybersecurity operational information”, The Computer Journal, vol. 58, no. 10, pp. 2297–2312, https://pdfs.semanticscholar.org/0f0c/e5f80fe66cd61f3da6068e2c9ad488a6b2ff.pdf, 2015.
[TAL 18] TALIB A., ALOMARY F., ALWADI H. et al., “Ontology-based cyber security policy implementation in Saudi Arabia”, Journal of Information Security, vol. 9, pp. 315–333, 2018.
[USC 16] U.S. COMMISSION ON ENHANCING NATIONAL CYBERSECURITY, Report on Securing and Growing the Digital Economy, December 1, 2016.
[VEE 12] VEERASAMY N., GROBLER M., SOLMS B.V., “Building an ontology for cyberterrorism”, Conference paper, 11th European Conference on Information Warfare and Security (ECIW), France, https://core.ac.uk/download/pdf/20119812.pdf, 2012.
[VEN 18] VENKATRAMAN S., CHEUNG C.M.K., LEE Z.W.Y. et al., “The ‘darth’ side of technology use: An inductively derived typology of cyberdeviance”, Journal of Management Information Systems, vol. 35, no. 4, pp. 1060–1091, 2018.
[VEZ 09] VÉZINA R., La rédaction de définitions terminologiques, Office québécois de la langue française, https://www.oqlf.gouv.qc.ca/ressources/bibliotheque/terminologie/redaction_def_terminologiques_2009.pdf, 2009.
[VLA 11] VLACHEAS P.T. et al., Ontology and taxonomies of resilience, ENISA, Heraklion, Greece, https://www.enisa.europa.eu/publications/ontology_taxonomies/at_download/fullReport, December 2011.
[VUU 14] VAN VUUREN J.C.J., LEENEN L., ZAAIMAN J.J., “Using an ontology as a model for the implementation of the National Cybersecurity Policy Framework for South Africa”, 9th International Conference on Cyber Warfare and Security, Purdue University, USA, 24–25 March 2014.
[WER 08] WERNER C., “La philosophie de la valeur chez Socrate et Platon”, Revue de théologie et de philosophie et compte-rendu des principales publications scientifiques, vol. 41, pp. 449–458, https://www.jstor.org/stable/44347990, 1908.
[WHO 02] WORLD HEALTH ORGANIZATION, World report on violence and health: Summary, https://www.who.int/violence_injury_prevention/violence/world_report/en/summary_en.pdf, 2002.

66

Cybersecurity in Humanities and Social Sciences


3 

Cybersecurity and Data Protection – Research Strategies and Limitations in a Legal and Public Policy Perspective

Chapter written by Hartmut ADEN.

3.1. Introduction

This chapter explores the relationship between cybersecurity on the one hand and data protection and privacy on the other. Cybersecurity and data protection are interconnected in two sometimes contradicting respects. Cybersecurity is essential for data protection: a high standard of cybersecurity is a prerequisite for the effective protection of individuals' data and privacy while using the Internet. However, when police and intelligence agencies collect personal data to prevent and combat cybercrime, they may weaken cybersecurity if they seek access to information stored on users' devices by using "backdoors" to infiltrate those devices. This chapter analyzes potential methodological approaches to the study of this complex relationship between data protection and cybersecurity from a transdisciplinary legal and public policy perspective.

If personal data is used for criminal purposes in cyberspace, this is a serious breach of data protection laws as they have been established in Europe and other parts of the world in order to protect individuals' fundamental rights. Identity theft is an even more serious violation of individual rights for those who find themselves confronted with other people using their identity for criminal purposes. From this perspective, security agencies can help to protect individuals' rights to data protection by preventing and investigating cybercrime. However, if security agencies try to investigate cybercrime, this can conflict with privacy as well. The options for investigative strategies in cyberspace are limited. Therefore, security agencies tend to explore investigation strategies using big data analysis or other surveillance strategies that equally endanger privacy. Thus, since the early days of cyberspace, cybersecurity strategies have found themselves in a dilemma (see [ONE 01]). Both privacy and cybersecurity can be perceived as "political meta-phenomena that constitute major challenges of our time" [BAU 17 p. 1].

This chapter uses the terms data protection and privacy not as synonyms but as complementary aspects of the same right. Privacy, as a fundamental right explicitly laid down in newer fundamental rights charters, such as Article 7 of the European Union's Charter of Fundamental Rights (CFR), guarantees that private life is protected against attempts by state agencies and private parties to obtain information related to the private sphere. Data protection, guaranteed as a fundamental right by Article 8 CFR, is somewhat broader, including self-determination with respect to any information related to individuals. As both rights are complementary to each other, courts tend to refer to both of them combined (see [TZA 17 pp. 16–24]).

Against this backdrop, this chapter explores the following research questions: (1) Which synergies and tensions can be identified between cybersecurity on the one hand and data protection and privacy on the other? (2) Which methodological challenges occur in the study of tensions and synergies between cybersecurity and data protection? (3) How can tensions between both be regulated, by which polities and actors, and can the EU be a "role model" for global regulation?

3.2. Studying the complex relationship between cybersecurity and data protection: endangering privacy by combating cybercrime?

In substance, studying the relationship between cybersecurity and data protection requires a closer look at potential tensions and synergies between the two. This perspective can serve as a starting point and as a theoretical framework for specific legal or public policy approaches to analyzing these tensions and synergies.

3.2.1. Potential tensions between cybersecurity and data protection

Tensions between cybersecurity and data protection occur where security agencies develop investigative strategies that hamper data security and privacy. Privacy can be endangered by state agencies combating cybercrime by collecting and retaining personal data. Preventive data retention became an issue for law and public policy after September 11, 2001, when improved transnational security governance became a major topic on the political agenda (see [BOS 13]). Initiatives sometimes resulted in legal instruments (see [BOE 12, EUR 12]) and sometimes in more or less informal practices established by transnational networks of security agencies (see [ADE 18]).

Some practitioners working for security agencies complain about missing data for cyber investigation. The underlying idea is to have metadata on past online communication available when cybercrimes are committed and discovered, in order to trace the perpetrators of criminal activities. For investigating cases of online fraud, for example, it may be helpful to have the Internet Protocol (IP) address from which the fraud originated. However, criminal investigation of online fraud using retained data has practical limitations. Police agencies can trace fraudsters by their IP address only if those responsible do not conceal their real address, for example behind anonymizing proxies, VPNs or onion routing. Likewise, criminal prosecution of identified fraudsters can only take place if the criminals are based in countries that cooperate in mutual legal assistance.

In Europe, Directive 2006/24/EC "on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks" (Official Journal EU L 105 of 13.4.2006, p. 54) was passed by the European Parliament and the Council, obliging the European Union's member states to establish legal obligations for communication service providers to retain communication metadata for a period of between six months and two years (Article 6). The metadata to be retained under this approach included the information necessary to trace and identify the source and the destination of a communication, i.e. the telephone numbers dialled, the IP address allocated to the user, location data and the names and addresses of subscribers (Article 5). The categories of crimes for which law enforcement agencies were authorized to ask for the data retained by the communication service providers were not defined by the directive; this was left to the member states' laws (Article 4).

Directive 2006/24/EC and its transposition into the member states' laws were highly contested. In the European Union, the retention of communication metadata had been the subject of controversial debate since the early 2000s. When this topic was "uploaded" to the European polity soon after the terrorist attacks of September 2001, it was essentially a security issue, falling under the EU's "third pillar" established for "Justice and Home Affairs" in the early 1990s with the Treaty of Maastricht (see [ADE 98]). However, policy-makers succeeded in reframing the issue as one related to the European internal market, and therefore as falling under the former first pillar. Thus, Directive 2006/24/EC was passed under the first pillar:

"The legal and technical differences between national provisions concerning the retention of data for the purpose of prevention, investigation, detection and prosecution of criminal offences present obstacles to the internal market for electronic communications, since service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention." (Directive 2006/24/EC, Recital 6)

The European Parliament supported the directive (see [RIP 13] for an explanation). Once Directive 2006/24/EC had been passed, the member states had no choice but to implement its targets in view of the possible sanctions that the European Commission may use in order to force member states to implement EU directives (see [TRE 14] on the research related to this field). This was a strong argument for governments wishing to introduce data retention against the will of domestic opposition. Soon after the directive had entered into force, the Irish government challenged it before the European Court of Justice (ECJ). However, the legal question to be answered related to the EC's competence to regulate data retention, not to the restrictions on fundamental rights that data retention constitutes. At that time, the EU Charter of Fundamental Rights was not yet binding. Ireland's annulment action was not successful. The Court followed the Commission's legal position that the European Community (as the predecessor of what is today the European Union) was entitled to regulate data retention under the first pillar because of the implications for the internal market in telecommunication services (European Court of Justice, case C-301/06, judgment of 10.2.2009, Ireland v. European Parliament and Council). In 2012, data

retention was challenged again in preliminary reference cases initiated in Ireland and in Austria. This time, the Court of Justice of the EU declared Directive 2006/24/EC invalid, arguing that the obligation to retain data as required by the Directive was not proportionate in view of the interference with the right to respect for private life (Article 7) and the right to data protection (Article 8) guaranteed by the Charter of Fundamental Rights (CJEU, joined cases C-293/12 and C-594/12, judgment of 8.4.2014). Interestingly, this judgment mainly relies on proportionality arguments, with the Court holding that data retention is not incompatible with fundamental rights under all circumstances. These arguments are very close to the German Federal Constitutional Court's 2010 judgment on the German transposition of the data retention directive (BVerfGE 125, 260), even if the Constitutional Court did not dare to question the constitutionality of the European Directive at that time (see [ADE 13]). In the perspective of cybercrime, this leads to the restriction that only the most serious crimes, such as terrorism or child abuse, justify the use of retained data. By contrast, most variants of online fraud will not justify access to retained data for criminal investigation.

In serious crime cases, such as terrorist attacks, investigators also claim the need for more data to analyze the networks to which suspects may belong. For the investigation of a cybercrime case, it might indeed be useful to be able to trace back online activities over an extended period of time. However, due to the global extent of the Internet, this would require the storage of communication metadata at a global level, which in turn would require a centralized governance infrastructure. Given the risks that this kind of data retention poses for individuals' fundamental rights, it would be politically and legally impossible to establish such centralized data retention facilities. Authoritarian (and sometimes even democratic) political regimes might (mis-)use this kind of big data to prosecute political opponents and to restrict freedom of expression. Whistleblower Edward Snowden revealed that the US National Security Agency (NSA) retained large quantities of data unrelated to specific security purposes. Even if Snowden's revelations led to a controversial debate on the legitimacy of mass surveillance and to some legal limitations, surveillance by security agencies has not been substantially restricted, due to political pressure after terrorist attacks (see [LYO 15, TZA 17]). Against this

backdrop, centralized data retention mechanisms for combating cybercrime are even more problematic.

In reaction to terrorism, intelligence services have become more powerful in many countries since the early 2000s. Even if some legal provisions and oversight mechanisms for intelligence agencies and covert policing strategies have been established in rule-of-law countries, they still tend to be underdeveloped. Parliamentary oversight of intelligence services often takes place in sub-committees bound to strict secrecy, which constitutes a major challenge for the accountability of surveillance measures used by these agencies (see [WET 18]).

Other tensions concern the relationship between cybersecurity, IT security and data protection. Tensions between cybersecurity and data protection occur where security agencies seek to use "backdoors" in IT systems used by individuals targeted as criminals or as (potential) terrorists in order to install surveillance malware. If security agencies rely on "backdoors", i.e. vulnerabilities, that have not yet been discovered and reported to the competent IT security authorities, every user of the affected software remains exposed: criminals may discover and use the same flaws before the software provider can close them. If the US government announces its intent to "develop tailored strategies to ensure adversaries understand the consequences of their malicious cyber behavior" [USA 18 p. 21] (less explicitly by the European Commission: [EUR 17 p. 17]), this is likely to include preventive counter-attacks in cyberspace. However, where state agencies use cyber-attacks for military purposes, this is ambiguous as well. Such attacks may deter others from attacking public IT infrastructure, but they may also ultimately weaken IT security overall and lead to the disclosure of personal data. More generally, the reactive responses to cyber threats that have prevailed in the EU and other countries so far (see [CAR 17 p. 151f.]) neglect preventive approaches to cybersecurity that would be less problematic from a data protection perspective.

3.2.2. Potential synergies between cybersecurity and data protection

Synergies between cybersecurity and data protection occur where measures taken in favor of cybersecurity contribute to protect personal data

against data breaches. Generally, a high level of cybersecurity minimizes the risk of unauthorized use of personal data.

Security agencies sometimes pursue access to as much information as possible in the interest of effective criminal investigation. However, collecting large quantities of data alone does not guarantee effective law enforcement. With increasing quantities of data, quality management becomes a major topic. False or outdated information may misguide law enforcement activities and lead to a loss of precious investigation time. Therefore, keeping the collected data up to date so that it can be used effectively by security agencies for criminal investigation is a major issue. Electronic information nowadays needs very little space to be stored. Searches in cyberspace or in databases have become easy and fast, and large quantities of data can be processed in little time. Therefore, new strategies are needed to separate useful, up-to-date insights from outdated digital information. Data protection laws prohibit the use of false or outdated personal data in the interest of the individuals concerned. In the EU, according to Article 8 (2) CFR, "everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified". False information may have far-reaching consequences for the individuals concerned, including unjustified criminal prosecution or even false arrest. Therefore, developing effective tools to assure a high quality of the data used for cybersecurity investigations creates synergies between data protection and cybersecurity. Until now, such tools have been underdeveloped. Databases often do not use automated tools for the erasure of outdated information and for the detection of errors.
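As an added illustration (not code from the chapter or from any agency's system), the following Python script sketches what such an automated tool can look like. It applies a per-category maximum retention period of the kind Directive 2006/24/EC prescribed for communication metadata (Section 3.2.1), erases records that have exceeded it, and flags the remaining records that fail plausibility checks or have not been verified recently, so that an administrator reviews them before they are relied on. The record fields, the policy table, the 180-day and five-year limits, the one-year review window and the sample records are all assumptions constructed for the example.

```python
"""Retention-aware data quality checks over a constructed record set.

Added example, not from the chapter.  It enforces a per-category maximum
retention period and flags records that fail plausibility checks for
human review.  Field names, the policy table and the sample records are
assumptions made for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address
from typing import Dict, List


@dataclass(frozen=True)
class RetentionPolicy:
    """Maximum retention in days for one record category (assumed values)."""
    category: str
    max_days: int


# Hypothetical policy table.  Directive 2006/24/EC allowed six months to two
# years for communication metadata; the case-file period is made up.
POLICIES: Dict[str, RetentionPolicy] = {
    "traffic_metadata": RetentionPolicy("traffic_metadata", 6 * 30),
    "case_file": RetentionPolicy("case_file", 5 * 365),
}


@dataclass
class Record:
    record_id: str
    category: str
    collected: date
    last_verified: date
    subscriber: str
    ip: str


def plausibility_problems(rec: Record, today: date) -> List[str]:
    """Return the data-quality problems detected in one record (empty if none)."""
    problems: List[str] = []
    if rec.collected > today:
        problems.append("collected date in the future")
    if rec.last_verified < rec.collected:
        problems.append("verified before collection")
    if not rec.subscriber.strip():
        problems.append("missing subscriber name")
    try:
        ip_address(rec.ip)
    except ValueError:
        problems.append(f"malformed IP address {rec.ip!r}")
    return problems


def apply_retention(records, today, policies=POLICIES, stale_after_days=365):
    """Split records into kept / erased / flagged-for-review.

    erased:  past the category's maximum retention; must be deleted rather
             than kept "just in case".
    flagged: still lawfully held, but failing a plausibility check, not
             verified within stale_after_days, or of a category with no
             retention policy; an administrator must rectify or confirm
             them before they are used for an investigation.
    """
    kept, erased, flagged = [], [], {}
    for rec in records:
        policy = policies.get(rec.category)
        if policy is None:
            # No known legal basis for this category: do not retain silently.
            flagged[rec.record_id] = ["no retention policy for category"]
            kept.append(rec)
            continue
        if today - rec.collected > timedelta(days=policy.max_days):
            erased.append(rec)
            continue
        problems = plausibility_problems(rec, today)
        if today - rec.last_verified > timedelta(days=stale_after_days):
            problems.append("not verified within review window")
        if problems:
            flagged[rec.record_id] = problems
        kept.append(rec)
    return kept, erased, flagged


# Constructed, fictitious sample records (documentation IP ranges).
TODAY = date(2020, 6, 1)
SAMPLE = [
    Record("r1", "traffic_metadata", date(2020, 3, 1), date(2020, 3, 1), "A. Example", "192.0.2.10"),
    Record("r2", "traffic_metadata", date(2019, 6, 1), date(2019, 6, 1), "B. Example", "192.0.2.11"),
    Record("r3", "case_file", date(2017, 1, 15), date(2017, 1, 15), "", "203.0.113.5"),
    Record("r4", "case_file", date(2020, 1, 10), date(2020, 5, 20), "C. Example", "not-an-ip"),
    Record("r5", "unknown", date(2020, 5, 1), date(2020, 5, 1), "D. Example", "198.51.100.7"),
]


def run_sample():
    """Apply the policy table to the constructed sample as of TODAY."""
    return apply_retention(SAMPLE, TODAY)


if __name__ == "__main__":
    kept, erased, flagged = run_sample()
    print("kept:", [r.record_id for r in kept])
    print("erased:", [r.record_id for r in erased])
    for rid, probs in flagged.items():
        print(f"review {rid}: {'; '.join(probs)}")
```

Erasure and review are kept separate on purpose: a record past its retention period is not a candidate for correction but has to go, whereas a malformed or stale record is still lawfully held and needs rectification in the sense of Article 8 (2) CFR rather than silent deletion. A category with no policy entry is surfaced for review instead of being retained by default.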
The use of artificial intelligence may unlock new potential for automated quality checks, so that administrators only have to intervene and double-check the findings if the system automatically detects data to be erased or updated.

Privacy by design, as required by EU data protection law (Article 25 "data protection by design and by default" of the General Data Protection Regulation (EU) 2016/679; Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ EU L 119 of 4.5.2016, p. 1), aims at implementing privacy already at the development stage of new technologies. Data protection solutions that depend upon their application by

individual users are likely to be circumvented or simply forgotten through negligence. Designing technology in a way that only allows data-protection-friendly use is therefore a relevant strategy for creating synergies between data protection and cybersecurity. The implementation of privacy by design strategies can therefore be an issue for transdisciplinary cybersecurity research, involving legal, public policy and computer science scholars.

3.3. Methodological approaches and challenges for the study of cybersecurity – legal and public policy perspectives

The global extent of the Internet and the opacity of threats to cybersecurity constitute structural limitations to research. While cyber threats such as hacking, cyber-attacks and the darknet can only be researched with specific approaches that take into account the opacity of these phenomena, legal and public policy research perspectives rather look at the reactions to cyber threats. This section explores potential methodological approaches, structural limitations and transdisciplinary synergies for the study of cybersecurity and of the emerging regulatory and public policy approaches in this area. While the legal and public policy framework to be studied is still loose at the global level, cybersecurity has attracted more attention from policy-makers and legal institutions at national and regional levels, in Europe by the European Union and the Council of Europe.

3.3.1. Legal interpretation and comparison as methodological approaches to the study of cybersecurity

Legal studies typically use norms as the main starting point for their approaches. Laws and court cases are the main "raw material" to be analyzed and interpreted. Therefore, legal studies largely depend upon the availability of these kinds of primary sources. In a global perspective, this constitutes a major limitation to the legal study of cybersecurity: while the Internet and cyber threats have a global dimension, there is still little public international law related to cybersecurity. If the normative "raw material" is limited, there is little room for method-driven legal interpretation.

In the 1990s, the Internet became an important element of everyday life in many parts of the world. Quickly, the risk that this new information and communication tool could be misused became a major political topic. As early as 2001, the Council of Europe passed the Budapest Convention on

Cybercrime, reacting to "the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks" [COU 01 p. 2]. As substantive criminal law is still mainly national, the regulatory content of the Budapest Convention primarily focused on measures to be taken at the level of the member states. The convention described the behavior and types of misuse of the Internet for which the member states took on the obligation to provide criminal sanctions, topics such as fraud and child abuse that still dominate the political and legal debates on cyber threats almost 20 years later. Regarding the international normative framework, the situation has not significantly changed since then. Nation states remain the principal regulators of cybersecurity and for sanctioning cybercrime. In a methodological perspective, this means that the divergent traditions and methods for the interpretation of national law and of the emerging international law in this area remain the predominant methodological starting point. Norms and court cases as the "raw material" of legal interpretation can be analyzed based on their wording, their objectives, their systematic position in the normative context and in relation to the official justifications of the relevant laws and the reasoning given in court cases.

For data protection law, the European Union has become an important norm setter in recent years. The European Union's CFR became binding with the Treaty of Lisbon in 2009, establishing privacy (Article 7) and data protection (Article 8) as fundamental rights. With the General Data Protection Regulation and Directive (EU) 2016/680 on data protection in the area of policing and criminal justice (Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ EU L 119 of 4.5.2016, p. 89), the EU has contributed to the establishment of a more solid legal framework for data protection and privacy throughout Europe. Tensions and synergies between cybersecurity and data protection can be analyzed against the backdrop of privacy as a fundamental right

(see [TZA 17]). For example, national laws authorizing security agencies to analyze personal data for cybersecurity purposes can be interpreted according to their wording. As the fundamental rights guaranteed by the European Union's CFR or by national constitutions rank higher than ordinary laws in the hierarchy of norms, the legal interpretation of cybersecurity laws has to take into account that state interventions have to be limited in order to protect citizens' fundamental rights. In the end, the intensity of the encroachment on citizens' fundamental rights and the security purposes will have to be weighed in a proportionality test. As a result, restricting citizens' privacy will be justified only for important security purposes that clearly outweigh the individuals' right to data protection.

Methodological limitations follow from major differences between legal systems and from the unequal geographical distribution of the normative "raw material" related to cybersecurity. Where a strong public international law framework is missing, as is the case for cybersecurity, legal interpretation is focused on those regions and countries that produce laws and court judgments related to this topic. Countries without an established rule-of-law framework may therefore escape scholarly attention. Comparison has to take into account major differences between legal systems, for example between common law countries, in which court judgments play a more important role, and countries in which the legal systems are based on detailed statutes. In the United States, as a common law country, court judgments are more important than legislation for legal interpretation. However, for some issues, common law countries use legislation as well, e.g. for the definition of criminal sanctions. Thus, the Computer Fraud and Abuse Act was enacted in the United States in 1986 in order to define criminal sanctions, including for unauthorized access to a computer. Functional comparison of legal rules, as developed by comparative law scholars, goes beyond the synoptic description of laws and institutions (see [RHE 38]) and also analyzes the political and sociological context in which laws are made and applied. In this perspective, comparative studies of cybersecurity law have to take into account differences between legal systems and contextualize legal rules and practices in the respective legal cultures and political systems. For example, surveillance laws can only be correctly understood and interpreted in their respective constitutional and political contexts (see [SCH 17]).

3.3.2. Public policy approaches to the study of cybersecurity

The methodological approaches for the study of cybersecurity from a public policy perspective are much more analytical, compared to normative legal approaches. Public policy analysis looks at the reactions of political systems to specific problems or phenomena such as cybersecurity. Public policy includes law-making and is therefore interconnected with legal studies, which primarily work with legislation as the outcome of the political law-making process. The analysis of public policy related to cybersecurity and data protection can make use of well-established social science methodology, including quantitative and qualitative approaches. A broad range of public policy aspects of cybersecurity and data protection may be studied with these methods, for example the law-making activities of parliaments, the management of these issues by security agencies and the preparedness of private companies to deal with cyber threats (see [BOS 18]). The relevance of cybersecurity and data protection in the broader context of digitalization may be studied with the help of these methods. Policy papers and legislative proposals may be analyzed with qualitative methods such as discourse analysis, complemented by (semi-)structured interviews with relevant actors. Ethnographic approaches may observe the role of individual actors in the implementation of public policy related to cybersecurity. Surveys may deliver quantitative insights into the awareness of security agencies, private companies and individuals in relation to cybersecurity and potential tensions with data protection. As a result, public policy research related to cybersecurity can draw on a broad range of well-established approaches and methods.

Limitations to the study of public policy related to cybersecurity result from the secrecy that governs the operational work of security agencies [ADE 18], which is sometimes legitimated by legal rules (see [SCH 88, CUR 14] on the role of secrecy in legal studies). Field access for studying the practical implementation of cybersecurity and data protection rules by security agencies may therefore be restricted. Public security agencies and private companies tend to be hesitant when it comes to analyses of the implementation of policy strategies if this might reveal shortcomings or lead to the disclosure of confidential business information. Protective strategies and measures may also be confidential if the disclosure of information could reveal weaknesses that allow attackers to circumvent this protection.

For scholarly research, secrecy and confidentiality constitute a limitation to the availability of information needed to produce new insights.

The theoretical framing used for analyzing public policy related to cybersecurity and data protection can vary according to the research interest and the standpoint of the scholars involved (see [SAB 99] for an overview). Scholars may look at the relevance of institutions for successful policy-making [MAR 89], or at the policy cycle, starting with political agenda setting, looking at political decision-making processes, and then studying the implementation and potential outcomes of a successful public policy. This approach can explain why a proposal may be successful in a specific situation, for example in a "window of opportunity" that opens after a cyber-attack that demonstrates vulnerabilities. Other studies may take the perspectives of historical or sociological institutionalism and look at path dependencies and critical junctures that can shape the relationship between cybersecurity and data protection in a specific political system in a medium- or long-term perspective. For example, becoming a member state of the European Union can be perceived as a critical juncture for the respective European countries that contributed to overcoming divergent legal traditions. For the study of global answers to cyber threats and their relationship to data protection, the "grand theories" of international relations such as realism and liberalism may deliver sometimes divergent answers to the question of why international or global policy initiatives are successful or not (see [BAY 19] for an overview). For this purpose, studies can rely on well-established qualitative methods such as the analysis of primary sources or semi-structured interviews with experts involved in policy-making, or with practitioners working in security agencies or in the security departments of international companies.

3.3.3. Transdisciplinary synergies between legal and public policy perspectives

Combining legal and public policy perspectives in a transdisciplinary approach can be a fruitful method for the study of the relationship between cybersecurity and data protection. Over recent decades, the role of states in the provision of services in the public interest has changed fundamentally. While telecommunication, postal services and railways were exclusively public services in most countries

Cybersecurity and Data Protection

79

before, this has changed since the late 1980s. Neo-liberalism and New Public Management approaches have shifted the role of states in many areas from a service provider to a regulator and guarantor for the provision of public services [ADE 16]. As the Internet only emerged after the beginning of the trend towards privatization of telecommunication services, major parts of the infrastructure on which the Internet is based have never been public property. Thus, regarding the methodological and theoretical approaches for the study of cybersecurity and its potential conflicts with data protection, specific approaches that have been developed for the study of regulatory governance can be applied to cybersecurity. In this perspective, cybersecurity and data protection rules for the Internet can both be perceived as variations of regulatory interventions. Regulatory approaches may be based not only on coercive law but also on participation of non-state actors such as Internet users or communication service providers, public–private partnerships and soft law (see [LOB 12 p. 66]). In the area of cybersecurity, a broad variety of public–private partnerships has emerged. For example, security agencies can only analyze cyber threats if private entities, such as communication service providers or companies concerned by cyber-attacks, share the relevant information on a voluntary basis or as mandated by legal provisions (see [BOS 18 p. 228]). Regulatory governance approaches for the study of the state’s role as regulator and guarantor of services in the general interest have some similarities with law in context approaches as they have been developed by law and society scholars. These approaches aim at understanding lawmaking, the influence of legislation and the obedience to laws (see [FRI 16]) from a perspective that goes beyond legal doctrine and includes empirical knowledge on the interests involved and on the impact of law. 
For the transdisciplinary study of cybersecurity and data protection, this perspective can deliver insights into the practical impact of regulatory approaches in this area and into the way in which state agencies and private actors cooperate and interact for cybersecurity purposes (see [BOS 18 p. 231] for a typology). Transdisciplinary research may also look at the functioning of accountability settings for cyber investigation and for the use of personal data by security agencies and private companies, and at their shortcomings in the global dimension of cyberspace (see [BOW 16]). Data protection authorities (DPAs) such as the European Data Protection Supervisor (EDPS) and the member states' DPAs can be perceived as actors in accountability forums (see [BOV 14] on the theoretical framework) established to hold security agencies and private companies accountable for how they process data. In political and scholarly research, the term accountability often serves as a kind of umbrella for concepts such as transparency, efficiency, responsiveness, responsibility and integrity [BOV 07 p. 449f.]. The effectiveness of data protection authorities and other accountability forums in their role as "watchdogs" may be analyzed with qualitative empirical methods.

According to the typology of accountability forums developed by accountability scholars, the basic level of accountability means that the actors to be held accountable have to inform the "watchdog" about their activity. At an enhanced level of accountability, the "watchdogs" may ask questions, and the actors to be held accountable have to deliver justifications for their behavior. The third level of intensity includes the right of "watchdogs" to pass judgment on the behavior of those held accountable. For example, data protection authorities may publish reports including judgments on the quality of the preventive cybersecurity measures taken by private companies or public administrations. The power to sanction constitutes the fourth and most intensive level of accountability (see [BOV 07 p. 452f., BOV 14 p. 9]). In the past, most data protection authorities did not have sanctioning powers and were limited to an advisory function to public prosecutors in cases of criminal behavior. This has changed with the GDPR, which attributes the power to impose fines to the DPAs. This sanctioning power may contribute to enhanced accountability, at least for private companies, when they process personal data of their customers in cyberspace. Finally, the study of transparency can be another aspect linking public policy and legal perspectives on cyber threats and on state surveillance established in the name of cybersecurity [FEN 17].

3.4. Conclusion and outlook

This chapter has demonstrated that tensions and synergies between cybersecurity and data protection co-exist. Tensions occur where security agencies use personal data for the prevention and investigation of cybercrime. In the European Union, the retention of personal data is strictly bound to the principles of proportionality and purpose limitation. Therefore, security agencies are not allowed to retain large quantities of data on individuals who are not involved in any criminal activity, even if the analysis of big data may sometimes be helpful for cybercrime investigations. Two dimensions of synergy can be observed between cybersecurity and data protection: in the first dimension, protecting individuals against cybercrime helps to protect their personal data. In the second dimension, data protection requirements such as the rights to erasure of outdated information and to rectification of incorrect personal data not only protect individuals' fundamental right to data protection but also help security agencies to establish quality management tools for the data they process and thus to work effectively.

Research on potential conflicts and synergies between cybersecurity and data protection can take multiple perspectives. Transdisciplinary legal and public policy approaches can analyze publicly accessible information such as policy papers and laws. By contrast, research on the practical impact of policies and laws tends to be more challenging against the backdrop of the global extent of cybersecurity issues. Security agencies usually keep their investigation strategies secret, which may restrict research in this area. While the normative framework of cybersecurity and data protection is still underdeveloped at the global level, the European Union has become a major player for legal regulation in these areas. Future research may observe whether the EU manages to build upon the potential synergies between cybersecurity and data protection discussed in this chapter. With the GDPR, the EU is developing into a global role model for data protection law. It will be interesting to see whether this will also be the case for cybersecurity in the future, based on strategies developed by EU institutions (see [COM 17]).

3.5. References

[ADE 98] ADEN H., Polizeipolitik in Europa. Eine interdisziplinäre Studie über die Polizeiarbeit in Europa am Beispiel Deutschlands, Frankreichs und der Niederlande, Westdeutscher Verlag, Opladen/Wiesbaden, 1998.
[ADE 13] ADEN H., "Die EU-Innen- und Strafjustizpolitik auf dem Prüfstand des Bundesverfassungsgerichts – Grundrechtsschutz, ausgeblendete Exekutivdominanz und Wettbewerb zwischen Gerichten", in LHOTTA R., KETELHUT J., SCHÖNE H. (eds), Das Lissabon-Urteil: Staat, Demokratie und Integration im "verfassten politischen Primärraum", Springer VS, Wiesbaden, pp. 137–158, 2013.
[ADE 15] ADEN H. (ed.), Police Cooperation in the European Union under the Treaty of Lisbon – Opportunities and Limitations, Nomos, Baden-Baden, 2015.
[ADE 16] ADEN H., "Accountability problems in public private partnerships and legal solutions in a guarantor state", in BALLER O. (ed.), Public Private Partnership in Germany and Tunisia, Berliner Wissenschaftsverlag, Berlin, pp. 79–88, 2016.


[ADE 18] ADEN H., "Information sharing, secrecy and trust among law enforcement and secret service institutions in the European Union", West European Politics (WEP), vol. 41, no. 4, pp. 981–1002, 2018.
[BAU 16] BAUMANN M.-O., SCHÜNEMANN W.J., "Introduction: Privacy, data protection and cybersecurity in Europe", in SCHÜNEMANN W.J., BAUMANN M.-O. (eds), Privacy, Data Protection and Cybersecurity in Europe, Springer, Cham, pp. 1–14, 2016.
[BAY 19] BAYLIS J., SMITH S., OWENS P., The Globalization of World Politics: An Introduction to International Relations, 8th edition, Oxford University Press, Oxford, 2019.
[BOE 12] BOEHM F., Information Sharing and Data Protection in the Area of Freedom, Security and Justice. Towards Harmonised Data Protection Principles for Information Exchange at EU-Level, Springer, Heidelberg/Dordrecht, 2012.
[BOS 13] BOSSONG R., The Evolution of EU Counter-Terrorism. European Security Policy After 9/11, Routledge, London, 2013.
[BOS 18] BOSSONG R., WAGNER B., "A typology of cybersecurity and public–private partnerships in the context of the European Union", in BURES O., CARRAPICO H. (eds), Security Privatization. How Non-security-related Private Businesses Shape Security Governance, Springer, Heidelberg, pp. 219–247, 2018.
[BOV 07] BOVENS M., "Analysing and assessing accountability: A conceptual framework", European Law Journal, vol. 13, no. 4, pp. 447–468, 2007.
[BOV 14] BOVENS M., SCHILLEMANS T., GOODIN R.E., "Public accountability", in BOVENS M., SCHILLEMANS T., GOODIN R.E. (eds), The Oxford Handbook of Public Accountability, Oxford University Press, Oxford, pp. 1–20, 2014.
[BOW 16] BOWLING B., SHEPTYCKI J., "Legal and political accountability for global policing", in LISTER S., ROWE M. (eds), Accountability of Policing, Routledge, London, pp. 214–230, 2016.
[CAR 18] CARRAPICO H., FERRAND B., "Cyber crime as a fragmented policy field in the context of the area of freedom, security and justice", in RIPOLL SERVENT A., TRAUNER F. (eds), The Routledge Handbook of Justice and Home Affairs Research, Routledge, London, pp. 146–156, 2018.
[COU 01] COUNCIL OF EUROPE, Convention on Cybercrime, Budapest, European Treaty Series, no. 185, 2001.
[CUR 14] CURTIN D., "Overseeing secrets in the EU: A democratic perspective", Journal of Common Market Studies, vol. 52, no. 3, pp. 684–700, 2014.
[EUR 12] EUROPEAN COMMISSION, Strengthening law enforcement cooperation in the EU: The European Information Exchange Model (EIXM), Communication from the Commission to the European Parliament and the Council, Brussels, 2012.


[EUR 17] EUROPEAN COMMISSION AND HIGH REPRESENTATIVE OF THE UNION FOR FOREIGN AFFAIRS AND SECURITY POLICY, Resilience, deterrence and defence: Building strong cybersecurity for the EU, Joint communication to the European Parliament and the Council, Brussels, 2017.
[FEN 17] FENSTER M., The Transparency Fix. Secrets, Leaks and Uncontrollable Government Information, Stanford University Press, Stanford, 2017.
[LOB 12] LOBEL O., "New governance as regulatory governance", in LEVY-FAUR D. (ed.), The Oxford Handbook of Governance, Oxford University Press, Oxford, pp. 65–82, 2012.
[LYO 15] LYON D., Surveillance After Snowden, Polity Press, Cambridge, 2015.
[MAR 89] MARCH J.G., OLSEN J.P., Rediscovering Institutions. The Organizational Basis of Politics, The Free Press, New York, 1989.
[ONE 01] O'NEILL M., "Cyber crime dilemma: Is it possible to guarantee both security and privacy?", The Brookings Review, vol. 19, no. 1 (Winter), pp. 28–31, 2001.
[POR 12] PORCEDA M.G., Data Protection and the Prevention of Cybercrime: The EU as an Area of Security?, European University Institute, Department of Law, Florence, available at: https://cadmus.eui.eu/bitstream/handle/1814/23296/LAW-2012-25.pdf?sequence=1&isAllowed=y (accessed 20th December 2019), 2012.
[RHE 38] RHEINSTEIN M., "Teaching comparative law", University of Chicago Law Review, vol. 5, no. 4, pp. 615–624, available at: https://chicagounbound.uchicago.edu/uclrev/vol5/iss4/4 (accessed 28th December 2019), 1938.
[RIP 13] RIPOLL SERVENT A., "Holding the European Parliament responsible: Policy shift in the data retention directive from consultation to codecision", Journal of European Public Policy, vol. 20, no. 7, pp. 972–987, 2013.
[SAB 89] SABATIER P.A., "The need for better theories", in SABATIER P.A. (ed.), Theories of the Policy Process, Westview Press, Boulder, pp. 3–17, 1989.
[SCH 15] SCHAAR P., "Zwischen Öffentlichkeit und Datenschutz", in VON ARNIM H.H. (ed.), Transparenz contra Geheimhaltung in Staat, Verwaltung und Wirtschaft, Duncker & Humblot, Berlin, pp. 27–33, 2015.
[SCH 88] SCHEPPELE K.L., Legal Secrets, University of Chicago Press, Chicago, 1988.
[SCH 17] SCHULHOFER S.J., "A transatlantic privacy pact. A practical view", in COLE D.D., FABBRINI F., SCHULHOFER S.J. (eds), Surveillance, Privacy and Trans-Atlantic Relations, Hart Publishing, Oxford, pp. 173–195, 2017.
[TRE 14] TREIB O., "Implementing and complying with EU governance outputs", Living Reviews in European Governance, vol. 9, no. 1, available at: http://www.europeangovernancelivingreviews.org/Articles/lreg-2014-1/ (accessed 7th December 2019), 2014.
[TZA 17] TZANOU M., The Fundamental Right to Data Protection. Normative Value in the Context of Counter-Terrorism Surveillance, Hart Publishing, Oxford, 2017.


[USA 18] UNITED STATES OF AMERICA, National Cyber Strategy, available at: https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf (accessed 28th December 2019), 2018.
[WET 18] WETZLING T., VIETH K., Upping the Ante on Bulk Surveillance. An International Compendium of Good Legal Safeguards and Oversight Innovations, Heinrich Böll Foundation, Berlin, available at: https://www.boell.de/sites/default/files/2018-11-08_bulk_surveillance.pdf (accessed 28th December 2019), 2018.

4 

Researching State-sponsored Cyber-espionage

Chapter written by Joseph FITSANAKIS.

4.1. Defining cybersecurity and cyber-espionage

Cybersecurity is the product of a triangular interaction between computer science, information security and mathematics, with the latter arguably at the helm. Over time, the interdisciplinary landscape of cybersecurity has been broadened with additions from research in political science, military science, sociology and psychology. In its current state, the term cybersecurity refers to an array of principles, technologies, processes and practices that aim to prevent unauthorized access to, or the unwanted manipulation or destruction of, cyber-systems and their data. Cybersecurity concentrates solely on safeguarding digital, rather than physical or analog, systems. It is therefore different from information security, which makes no distinction between digital and analog systems. Cybersecurity also differs from computer security, because it concentrates not only on computer devices or networks but on the much broader realm of cyberspace. The term cyberspace is used here to denote the convergence of networked computer hardware, the digital data it relies on and generates, and the machines or humans that manage or use them.

To understand the term cyberspace in context, it helps to consider the example of Stuxnet, the malicious computer worm that was discovered in 2010. Stuxnet is believed to have been designed to sabotage the nuclear program of the Islamic Republic of Iran. It targeted the industrial computers, known as programmable logic controllers, that regulated the operation of mechanical and electronic components of Iranian nuclear installations. By compromising the software installed on these computers, Stuxnet manipulated the rotor speed of enrichment centrifuges at Iran's Natanz Fuel Enrichment Plant. By driving the centrifuges' rotor speed to unmanageable levels, Stuxnet rendered large numbers of these machines permanently inoperable [SHA 13]. In the case of Stuxnet, the term cyberspace would incorporate the computer devices at the Natanz facility, as well as the hardware, such as wires, optic cables and routers, that connected those devices into wired or wireless networks. It would also include the database, file, mail, print and other servers that were used to administer the facility's computer infrastructure. Finally, it would include all software installed on these machines, all data stored on or exchanged through them, and all system managers and users who were authorized to interact with them. These users would be scientific staff, such as nuclear scientists and technicians, as well as data managers and network administrators.

This model of cyberspace acknowledges the complex interoperability of human and machine components in cyber-systems. It also recognizes that threat actors, also referred to as adversaries, do not view their targets as isolated elements. On the contrary, they design methods of attack, known as threat vectors, that treat targets holistically, with an eye to exploiting any and all vulnerabilities in their hardware, software, network or human components. It follows, therefore, that cybersecurity has a strong theoretical basis, which constantly evolves through the testing and documentation of historical case studies and predictive models. Its mission, however, is unmistakably applied in nature.
In other words, the discipline of cybersecurity employs theories of security in order to protect cyberspace from unauthorized intrusions by illicit actors. Crucially, illicit actors vary significantly according to capabilities, skills and intent. With reference to intent, that is, an actor's goal or purpose, threats are distinguished into four broad areas:

– cybercrime, through which illicit actors seek to degrade, sabotage, vandalize or otherwise disrupt cyber-systems for financial gain, or to exercise behavioral control over their victims through extortion or grooming;
– cyber-terrorism, which is the illicit use of cyber-systems to attain political, religious or ideological goals through violence, intimidation, coercion or instilling fear;
– cyber-espionage, namely the surreptitious intrusion into cyber-systems to steal private, sensitive or classified information with the aim of advancing political, military or economic interests;
– cyber-warfare, which denotes the use of networked computer systems to wage large-scale warfare in the realm of cyberspace.

Undoubtedly, the threat vectors and attack methods employed by illicit cyber-actors often overlap. Thus, phishing or malware of various levels of sophistication may be used for purposes of cybercrime, cyber-terrorism and cyber-espionage alike. However, the end-goals to which these methods are put differ substantially depending on the precise intent of the illicit actor.

4.2. Taxonomies of cyber-threats

With reference to the capabilities and skills of illicit actors, the taxonomy of cyber-threats is typically based on what the United States Department of Defense calls "tiers". These refer to "levels of increasing sophistication" [UNI 12] in the conception, planning and execution of cyber-operations. The taxonomy used by the United States Department of Defense ranges from Tier I to Tier VI adversaries. The Tier I label is applied to the type of computer hacker known as a "script kiddie". The term is commonly used to describe an illicit actor who is not sophisticated enough to produce original malicious programs and resorts instead to pre-developed scripts or code of a rudimentary nature. Tier II adversaries are able to produce original code, thus posing a more serious threat to cyber-systems. Tier III adversaries possess the capability, namely the time, know-how, funds and patience, to produce customized malicious software designed to attack specific targets. Tier IV actors are "highly technical, proficient, well-funded professionals" [UNI 12] who typically work in groups and are sometimes guided by state institutions.
Tier V threats are typically institutional state actors who are able to exploit both computer software and hardware during various stages of production or use (for example, by inserting vulnerabilities into products in the supply chain before they reach their target). They are also extraordinarily methodical and develop offensive cyber-operations that can sometimes take years to plan and build. A handful of states, though the list is steadily growing, can be designated as Tier VI actors, which means that they are able to execute what the US government describes as "full spectrum operations" [UNI 12]. These are multi-million dollar cyber-efforts undertaken in combination with complex military or intelligence operations. Tier VI cyber-operations are invariably used in pursuit of political goals. Tier V and VI actors are easily able to conduct and manage numerous advanced cyber-operations in parallel.

In addition to their technical sophistication, resources and scale, illicit actors are also distinguishable with reference to their motivation. For example, Tier I actors tend to be motivated simply by curiosity, bragging rights or even boredom. Tier II and III actors are typically after money. But the higher-tiered actors, those in the Tier IV, V and VI categories, are guided by security doctrines that reside at the level of national and international statecraft. When applied to the cyber-domain, these security doctrines are largely pursued through cyber-espionage, which is the subject of this chapter. The present analysis, therefore, focuses on the surreptitious intrusion into cyber-systems to steal information in order to advance political, military or economic interests at the state level. Such operations are nearly always sponsored by states and carried out by state actors, or by non-state actors using sophisticated resources provided to them by states. It is important to distinguish cyber-espionage from open-source intelligence collection, known as OSINT. Cyber-espionage is typically employed by actors who seek information that is secret; open-source intelligence collection focuses on publicly available information. Put simply, cyber-espionage operations do not focus on OSINT targets.

4.3. The structure of this chapter

Section 4.4 highlights the paradigm-changing qualitative and quantitative differences that intelligence collection in the cyber-domain signifies for the intelligence cycle of nation-states in our time. It also argues that the speed, safety, deniability, lucrative access and high-impact potential of this practice are all elements that can prove instrumental in reordering the global balance of power in our century.
Section 4.5 describes ongoing social science research on cyber-espionage, which concentrates on the strategic, tactical and operational facets of the phenomenon. Researchers are looking into the extent to which nation-state actors rely on cyber-espionage as a tool to achieve their strategic vision of information dominance. On the tactical level, research into state-sponsored cyber-espionage concentrates on the details, such as they are, of adversaries and threat actors, as well as on their overall pattern of behavior and approach to tactical cyber-espionage. On the operational level, research into state-sponsored cyber-espionage focuses on attempts to evaluate the methods or means by which cyber-espionage attacks are carried out, as well as the types of vulnerabilities exploited by threat actors. This can contribute to a detailed comprehension of an adversary's mode of thinking and, ideally, lead to pre-emptive defense protocols.

In section 4.6, the main axiomatic principles and theoretical concepts of research in state-sponsored cyber-espionage are discussed. These include the continuing proliferation of state-sponsored espionage, the combination of digital intelligence collection and big-data processing, the growth of quantum computing, the growing integration of cyber-espionage into the intelligence apparatuses of nation-states and the total-warfare approach in cyber-espionage operations.

Section 4.7 describes the four methods of generating and empirically testing evidence in the field of state-sponsored cyber-espionage, namely experimental, applied, observational and theoretical. It leads to section 4.8, which highlights some of the problems faced by researchers in a topic characterized by the unwillingness of research subjects, both offensive and defensive, to be studied. This section also stresses the importance of objectivity in research into this politically heated topic.

Section 4.9 centers on one of the central questions in state-sponsored cyber-espionage research, namely how to distinguish between state and non-state threat actors. The answer centers on collecting and collating data relating to each actor's capabilities, time, scope, proficiency and intent. In section 4.10 attention is paid to the need to identify the specific state actors that may be behind specific cyber-espionage operations. It is proposed that researchers focus on creating cyber-personalities, or ideal types, of threat actors based on their common traits, attributes or tradecraft characteristics, among other features. On a more technical level, researchers can seek geolocational data acquired through the use of so-called "honeypot" computers. Finally, section 4.11 points to the state of flux in the field of cyber-espionage, which in turn requires versatile methodological approaches by researchers. The latter will have to continue to address two core problems of research into this topic, namely the scarcity of available datasets and the increasing complexity of this inherently intricate field of study.
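The proposal sketched for section 4.10, building ideal types of threat actors from tradecraft characteristics and drawing on honeypot data, can be illustrated with a small worked analysis. The Python script below is an added example for this edition and is not part of the chapter or of any tool the chapter describes. Everything in it is constructed: the honeypot records, the two ideal-type profiles, the 09:00–18:00 local working-day heuristic used to infer a time-zone band from activity timestamps, and the source addresses, which come from the RFC 5737 documentation range and correspond to no real location.

```python
"""Added illustration, not from the chapter: turning constructed honeypot
records into tradecraft and timing evidence of the kind section 4.10 calls
"cyber-personalities" or ideal types.  Every record, profile and threshold
below is an assumption made for the example."""
from collections import Counter
from datetime import datetime, timezone

# Constructed honeypot log (not real data): UTC timestamp, source address as
# seen by the honeypot, and a tradecraft tag assigned per session.  The
# addresses are from the RFC 5737 documentation range 203.0.113.0/24.
HONEYPOT_LOG = """\
2019-03-04T06:12:41Z 203.0.113.7 ssh-bruteforce
2019-03-04T07:03:10Z 203.0.113.7 ssh-bruteforce
2019-03-04T08:45:55Z 203.0.113.9 webshell-upload
2019-03-04T09:30:02Z 203.0.113.7 credential-dump
2019-03-04T10:14:33Z 203.0.113.7 lateral-smb
2019-03-05T05:58:19Z 203.0.113.9 webshell-upload
2019-03-05T06:40:00Z 203.0.113.9 credential-dump
2019-03-05T09:05:47Z 203.0.113.7 lateral-smb
2019-03-05T10:22:08Z 203.0.113.7 exfil-https
2019-03-06T06:31:12Z 203.0.113.7 ssh-bruteforce
2019-03-06T07:50:29Z 203.0.113.9 credential-dump
2019-03-06T09:17:44Z 203.0.113.7 exfil-https
"""

# Hypothetical ideal types, each described by characteristic tradecraft.
IDEAL_TYPES = {
    "commodity-crime": {"ssh-bruteforce", "cryptominer", "ransomware"},
    "state-espionage": {"spearphish", "credential-dump", "lateral-smb", "exfil-https"},
}


def parse_log(text):
    """Return a list of (UTC datetime, source_ip, tradecraft_tag) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, tag = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, ip, tag))
    return records


def candidate_utc_offsets(records, workday=(9, 18)):
    """Score every whole-hour UTC offset from -12 to +14 by how many events
    fall inside an assumed local working day [start, end).  Returns
    (best_count, offsets_reaching_it): sparse honeypot data usually leaves
    a band of offsets tied, so the band is reported rather than one value."""
    if not records:
        return 0, []
    start, end = workday
    hits = Counter()
    for when, _ip, _tag in records:
        for offset in range(-12, 15):
            if start <= (when.hour + offset) % 24 < end:
                hits[offset] += 1
    best = max(hits.values())
    return best, sorted(o for o, n in hits.items() if n == best)


def tradecraft_profile(records):
    """All tradecraft tags seen in the campaign, plus the per-source breakdown."""
    by_source = {}
    for _when, ip, tag in records:
        by_source.setdefault(ip, set()).add(tag)
    return set().union(*by_source.values()), by_source


def jaccard(a, b):
    """Jaccard similarity of two tag sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def score_ideal_types(observed, ideal_types=IDEAL_TYPES):
    """Similarity of the observed tradecraft set to each ideal type."""
    return {name: jaccard(observed, tags) for name, tags in ideal_types.items()}


def analyse(text=HONEYPOT_LOG):
    """Full pipeline: parse, infer a working-day band, score against ideal types."""
    records = parse_log(text)
    best, offsets = candidate_utc_offsets(records)
    observed, by_source = tradecraft_profile(records)
    return {
        "events": len(records),
        "sources": sorted(by_source),
        "workday_hits": best,
        "workday_offsets": offsets,
        "ideal_type_scores": score_ideal_types(observed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

Run stand-alone, the script reports that the twelve constructed events are all consistent with a working day at UTC+4 through UTC+7 (a band, not a point: so few events cannot discriminate further) and that the observed tradecraft is closer to the constructed espionage profile than to the commodity-crime profile. Two caveats a practitioner would attach to any such result: the address a honeypot records is the last hop, typically rented infrastructure or a compromised relay, so geolocating it says where the infrastructure is, not where the operator sits; and working-hour and tooling patterns can be deliberately imitated, which is why indicators of this kind are collated with data on capabilities, time, scope, proficiency and intent, as section 4.9 describes, rather than read in isolation.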


4.4. The significance of state-sponsored cyber-espionage

Cyber-espionage is the most recent rendering of a practice whose documented history dates to the Bronze Age. Indeed, intelligence scholars such as the University of Cambridge historian Christopher Andrew draw on the writings of Sun Tzu and the Old Testament to describe espionage as "the second oldest profession" [AND 18], the first being prostitution. Pre-modern accounts of sophisticated wartime and peacetime espionage operations survive in some of the earliest Egyptian chronicles from the mid-13th century BCE, as well as in Homer's Odyssey, which dates to the 8th century BCE [AND 18]. Equally complex espionage operations are recorded in Indian, Chinese, European and Arab documents from the Hellenistic, Roman, medieval and early Renaissance periods [AND 18]. The emergence of powerful, centralized nation-states in continental Europe after the Napoleonic Wars gave rise to organized espionage efforts by dedicated government agencies. Their purpose was, and remains to this day, the collection and processing of information that is of importance to national security. That mission also encapsulates the process through which information is turned into intelligence in the nation-state environment. Thus, the difference between information and intelligence is that the latter has been collected, processed and assessed for its relevance to national security.

Today espionage is an integral aspect of intelligence collection, which in turn forms one of the stages of the intelligence cycle. When applied to state-level processes, the term intelligence cycle denotes a conceptual model of intelligence processing that involves institutional interactions between policy- or decision-makers and various components of the intelligence community. The purpose of the intelligence cycle is to equip policy- or decision-makers, referred to by intelligence agencies as "customers", with the information they require to make sound decisions in the service of national security. The process typically begins with direction provided to intelligence agencies by the customers, for example a set of questions on a pressing or long-term topic. These are then translated into action by the intelligence community during the planning stage, which involves the development and preparation of intelligence collection programs. The latter are then implemented during the collection phase of the intelligence cycle, when different platforms of intelligence collection, human, technical or a mixture of the two, are employed. The collected information is then processed and exploited (translated, combined with other sources, and so on) and analyzed. Following the analysis stage, the intelligence is disseminated to the customers in fulfillment of their initial direction or request. Upon processing the information, customers provide the intelligence agencies with feedback that prompts them either to restart the process in search of more information or to terminate the cycle if all questions on the topic have been sufficiently answered.

Given the historical continuity of the practice of espionage, some might argue that cyber-espionage offers nothing more than the exploitation of computer networks to perform the tasks of traditional espionage in our digital era. Yet nothing could be further from the truth. When combined with the resources and technical proficiencies of states, cyber-espionage can profoundly transform the process with which government agencies collect and exploit intelligence. It does so in several different ways. To begin with, cyber-espionage requires comparatively little capital, and its infrastructural expenses often pale in comparison to those of other technical platforms of intelligence collection, such as geospatial intelligence or measurement and signature intelligence. Moreover, cyber-espionage drastically reduces, or completely eliminates, the need to physically transport assets and equipment across large distances. It therefore significantly limits the financial burden associated with intelligence collection, which is often the most expensive step in the intelligence cycle. Additionally, the immediacy of cyber-espionage, which relies on the unprecedented speed of digital communication networks, has the potential to accelerate intelligence collection. This crucial aspect of cyber-espionage tends to level the playing field for socioeconomically weaker state actors by offering them the ability to achieve standards of intelligence collection that would be unreachable through other collection platforms. The collected material is often in digital format, which also helps speed up the processing and exploitation step of the intelligence cycle.
Furthermore, the growing reliance of post-industrial nation-states and civil society on digital systems means that their data, secret or otherwise, are increasingly available in digital format and therefore increasingly accessible to cyber-espionage actors. This makes cyber-espionage progressively more lucrative and desirable for intelligence agencies that seek to improve the efficiency, speed and reliability of their intelligence cycle.

In addition to the speed and efficiency that it provides, cyber-espionage has the potential to revolutionize the traditional intelligence cycle through the security and protection that it offers to illicit actors. The technical architecture of digital networks comes with built-in opportunities for clandestine action, which allow illicit actors to hide their tracks from their targets and from other online entities. This phenomenon is known as the problem of cyber-attribution: the difficulty involved in identifying, and assigning responsibility to, the perpetrators of cyber-penetrations or attacks. The technical limits of cyber-attribution enable the culprits of state-sponsored cyber-espionage to resort to plausible deniability, meaning that they can deny responsibility for cyber-operations because of the lack of sufficient evidence linking them to these activities. Alongside arming illicit actors with the weapon of plausible deniability, cyber-espionage provides physical safety to its perpetrators by allowing them to target their victims remotely. This crucial aspect of cyber-espionage can eliminate the perilous aspects of intelligence collection that are often difficult to divorce from human intelligence (HUMINT) and from some technical forms of collection. Finally, and not least in significance, cyber-espionage allows illicit actors to attack major targets with intelligence operations that may have high-impact consequences for both perpetrator and victim.

The hacking of the email servers belonging to the United States Democratic National Committee (DNC) in 2016 provides an illustrative example of the transformational potential of cyber-espionage at the state level. This cyber-espionage operation resulted in the theft and subsequent unauthorized disclosure of nearly 20,000 emails and over 8,000 attachments sent or received by members of the DNC, the main governing body of the Democratic Party in the United States. The perpetrators of this crime operated under the online monikers Guccifer 2.0 and DCLeaks. According to the US government's report on the matter, which was led by Special Counsel Robert Mueller, Guccifer 2.0 and DCLeaks were "online personas" of the Main Directorate of the General Staff of the Russian Armed Forces, known as the GRU [MUE 19].
Some of the stolen emails, which belonged to carefully selected and targeted senior officials and other high-profile members of the DNC, were leaked via the anti-secrecy website WikiLeaks and the popular blogging platform WordPress. The final report of the Mueller investigation, which was delivered to the Attorney General in March 2019 and released to the public in redacted form in April 2019, concurred with earlier statements by the United States Office of the Director of National Intelligence [NAK 16] that the DNC hack and the subsequent release of the stolen emails were "designed and timed to interfere with the 2016 [United States] presidential election and undermine the [Hillary] Clinton [presidential] Campaign" [MUE 19].

Operationally, the attack on the DNC's servers highlighted the change of paradigm represented by state-sponsored cyber-espionage. It required little capital and minimal infrastructural expenses. Although some peripheral aspects of Russia's broader destabilization campaign involved the physical presence of operatives in the United States, the DNC server attack itself was carried out remotely from Russia. The operational distance between the threat actor and its target was instrumental in ensuring the physical safety of the hackers. It also allowed the Kremlin to exploit the inconclusive nature of cyber-attribution and invoke plausible deniability, promptly dismissing the accusations leveled against it by the United States Department of Justice. Moreover, the stolen material was extensive in volume and lucrative in exploitation value. It was speedily analyzed and processed in time for the presidential elections in the United States. Perhaps most significantly, the high-impact political consequences of the hack remain incalculable to this day. Michael Hayden, the former director of the Central Intelligence Agency (CIA) and the National Security Agency (NSA), described it as "the most successful covert influence operation in history" [MAY 18]. Other observers noted that the operation undermined the office of the presidency and deepened pre-existing divisions in American society. In doing so, it arguably contributed to the destabilization of American political life by promoting a broad sense of disillusionment with democratic political institutions and norms in the United States and the West more generally. In their 2018 study of politically motivated cyber-operations, a team of researchers at the University of British Columbia's Centre for the Study of Democratic Institutions described such attacks as "novel threats to democracy" that are contributing to the "changing of democratic practices" by exploiting democracy's dependency on communication technologies. They added that attacks like the 2016 DNC email hack represent "serious threats to [the very] legitimacy of democratic processes and institutions" [TEN 18].
Crucially, the attack on the DNC email servers was not a stand-alone operation and should not be examined as such. Rather, it was part of a broader information operation that was allegedly launched by the Russian government under the cryptonym LAKHTA. Its overall mission was allegedly to destabilize American political life by deepening and exposing its inconsistencies in the court of public opinion [UNI 18]. The DNC attack, therefore, should be seen as a typical cyber-espionage effort to alter the balance of information between adversaries and as an integral part of what cyber-strategists describe as "broader efforts to maintain political and military dominance in a given theatre" [VAL 18]. In this sense, cyber-espionage provides intelligence planners with a set of important collection functions that reside within the broader rubric of the intelligence cycle.

94

Cybersecurity in Humanities and Social Sciences

Its transformational values are therefore being felt at all levels of the intelligence cycle in the service of peace or war. The speed, safety, deniability, lucrative access and high-impact potential of cyber-espionage could conceivably transform the ability of states to dominate the broader information landscape against other states, thus reordering the global balance of power.

4.5. Research themes in state-sponsored cyber-espionage

Broadly speaking, research into state-sponsored cyber-espionage concentrates on the strategic, tactical and operational facets of the phenomenon. On the strategic level, research focuses on assessing the degree of reliance that nation-state actors have on cyber-espionage as a tool for achieving their strategic vision for information dominance. It is clear that not all states display a strong interest in cyber-espionage. For instance, Cuba, Romania and Belarus are among several former members of the old Soviet Bloc that appear to continue to rely primarily on human intelligence (HUMINT) methods of intelligence collection. This is in all likelihood a conscious decision that builds on the formidable traditions of HUMINT expertise that these nations' intelligence communities built during the Cold War. Other actors have spearheaded the hybridization of HUMINT by combining its functions with evolving models of cyber-espionage. The CIA – America's primary HUMINT agency – began to systematize the integration of the hybrid model into its structure in 2015. That was when the agency launched its Directorate of Digital Innovation (DDI), which marked the establishment of a brand-new CIA directorate "for the first time since before man walked on the moon", as one commentator characteristically wrote at the time [KEL 17]. With its customary vagueness, the CIA describes the mission of the DDI as introducing "cutting-edge digital and cyber-tradecraft" to the agency's "culture, tradecraft, and knowledge management across the board" [CEN 15].
Outside observers view the new directorate as an attempt to retrofit the CIA for intelligence tradecraft in the age of the Internet. In 2017, CIA Deputy Director Andrew Hallman raised the stakes by publicly tasking the DDI with “transforming how we do intelligence” and suggesting that the new directorate would “rewire the brain” of the CIA and change “how the CIA thinks about intelligence” [KEL 17]. On the tactical level, research into state-sponsored cyber-espionage concentrates on adversaries and threat actors. These two terms are

distinguishable on the basis of the amount of detail that is known about them. Thus, an adversary is a nation-state with known cyber-espionage pursuits. A threat actor is an identified element in that nation-state's arsenal that carries out cyber-espionage operations in the service of that state. Threat actors range from an entire agency down to specific operators working in that agency. As an illustration, the state of Israel is an adversary in the cyber-domain, whereas Unit 8200 of Aman, Israel's military-intelligence directorate, which is specifically tasked with computer hacking and cyber-espionage, is a threat actor. Adversaries and threat actors display operational preferences, or patterns of attacks, which reveal their overall approach to tactical cyber-espionage. That is of major interest to research into state-sponsored cyber-espionage, because it can potentially shed light on the nature of adversaries and threat actors. Moreover, it can contribute to our understanding of the overall methodological approach that different adversaries and threat actors tend to follow. For example, China is known to display a strong preference for economic-related cyber-espionage operations without distinguishing between state- and private-sector targets. The alleged aim of these operations is to give Chinese companies, or entire commercial sectors, an advantage in competing for international contracts against American firms [FIT 14]. In contrast to Chinese cyber-espionage operations, Russian efforts tend to advance the Kremlin's policy of manipulating the balance of information in its favor by supporting extremist groups in the West. This method appears to be practiced without regard to whether the ideology of these groups is on the left or the right of the political spectrum.
Thus, Russian hackers are believed to have assisted the gilets jaunes movement in France, which propagates both left- and right-wing populist views, whereas in the Czech Republic and Slovakia, they act in support of armed far-right militias like the National Home Guard and the Night Wolves [DAL 18; FIT 18]. At the same time, Russian hackers operate in support of progressive Western European and North American environmental groups who favor direct action against hydraulic fracking, while also helping Austria's far-right Freedom Party, even though the latter denies the existence of global warming [MOO 18; BEW 19]. The aforementioned Project LAKHTA offers an archetypal model of a Russian information operation with major cyber-espionage components. It simultaneously helped promote the campaigns of racially divisive groups from both sides of the American political spectrum. Thus, Russian cyber-operations co-opted both militant white supporters and aggressive black detractors of Donald Trump [SHA 18].

With reference to the United States, it can be stated with considerable certainty that the tactical doctrine of its cyber-espionage model is to spy indiscriminately on all foreign targets – whether they belong to allies or adversaries. This is clearly shown in the disclosures made by Edward Snowden, an American intelligence contractor who defected to Russia in 2013. Snowden, a computer systems administrator who had been employed in the US Intelligence Community, smuggled to Russia digital copies of an estimated 1.7 million classified documents belonging to American and other Western intelligence agencies. His subsequent disclosures to the media revealed that Washington had spied on its European allies in cyberspace with a degree of frequency and intensity that closely parallels its cyber-espionage operations directed against adversarial countries like China and Iran [FIT 19]. According to Snowden's revelations, targets of American cyber-espionage included the offices of the European Union in Washington, DC, the offices of the European Union delegation to the United Nations in New York, and even the European Union's headquarters in Brussels. Germany, one of America's closest European allies, featured prominently in Snowden's disclosures as a target of American cyber-espionage operations. It is difficult to say whether that is because German communications networks have been heavily targeted by the United States or because Snowden's disclosures have deliberately favored a German-centered narrative in order to drive a wedge in German-American relations. In looking at Snowden's revelations more broadly, it appears that, in addition to systematically targeting German politicians, including Chancellor Angela Merkel, the United States monitored data from half a billion communications exchanges taking place within Germany each month in the years leading up to 2013 [POI 13].
There are, therefore, significant tactical differences between Chinese, Russian and American cyber-espionage practices at the state level. On the operational level, research into state-sponsored cyber-espionage focuses on attempts to evaluate threat vectors – i.e. the methods or means by which cyber-espionage attacks are carried out – as well as the types of vulnerabilities that are exploited by threat actors. As can be expected, this is the most technically oriented area of research into state-sponsored cyber-espionage. Researchers tend to keep information on these aspects of cyber-espionage secret, because they constitute core elements of forensic cyber-attribution – i.e. methods that can potentially enable the identification of cyber-spies based on their modus operandi. Some of these research methodologies are discussed in further sections of this chapter. It is safe to

say here that illicit actors are often identifiable by the attack protocols, routines of execution or exploitation techniques that they tend to follow during campaigns – i.e. series of attacks aimed at the same target or set of targets. Such techniques can consist of – for example – phishing attempts, social engineering methods or typosquatting/URL hijacking practices. Additionally, illicit actors are often identifiable by the technical micro-specifications of their threat vectors, such as the malware they use to gain access to the cyber-systems of their targets. For instance, the method of coding used to design a worm or Trojan may give away the nationality, level of sophistication or programming lineage of the designer of the malware. By carefully examining threat vectors on a forensic level, researchers can build detailed operational profiles of threat actors and their preferred attack methodologies. This can contribute to a detailed comprehension of an adversary's mode of thinking and hopefully lead to pre-emptive defense protocols. Moreover, by modeling adversaries and threat actors based on their capabilities and methodologies, researchers can acquire a deeper understanding of the evolving cybersecurity landscape.

The above research themes in the area of state-sponsored cyber-espionage follow the standard compartmentalization of security operations into their strategic, tactical and operational aspects. Indeed, this typology will be immediately recognized by academic researchers in the fields of intelligence studies or military science and by journalists who specialize in these subjects. However, given the young age of this research area, and given the state of flux at the intersection of advancing technology and shifting political realities, the question of methodology is in itself a research theme in this field.
Therefore, in theorizing the topic of state-sponsored cyber-espionage, researchers must confront the central question of which research methods are appropriate to use in order to sufficiently collect and analyze data. The complexity of this decision is amplified by the political sensitivity of the topic, as governments around the world are eager to avoid being labeled as cyber-espionage aggressors. Ultimately, researchers must treat the question of methodology with the same intensity as they treat the central question of their research. They must ask, therefore, “what is the research method that will enable me to accurately research this topic while upholding my impartiality and safeguarding my objectivity as a researcher”? This central question is indeed a major reasoning behind the existence of the present chapter and is addressed in detail in subsequent sections.
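The forensic profiling described earlier in this section, in which researchers build operational profiles of threat actors from the techniques and infrastructure they habitually reuse, can be made concrete with a small script. What follows is an added example, not code from this book or from any organization it describes. It assumes an analyst has already reduced past campaigns to sets of technique labels and stored them as per-actor profiles; the actor names ACTOR-A, ACTOR-B and ACTOR-C, the technique labels and every domain are constructed for illustration and correspond to no real group. The script flags lookalike domains in a new campaign's infrastructure by edit distance against the target's legitimate names, adds that observation to the campaign's technique set, and ranks known actors by Jaccard overlap. It also carries the caveat this chapter stresses about the inconclusive nature of cyber-attribution: when two profiles overlap equally, or when an actor deliberately limits itself to tooling that several groups share, the verdict is "inconclusive" rather than a name.

```python
"""Added example: attributing a campaign by technique overlap and
typosquat detection. Every actor name, technique label and domain in
this file is constructed for illustration; none describes a real group."""

# Constructed operational profiles: technique labels that an analyst has
# previously tied to each hypothetical actor across earlier campaigns.
ACTOR_PROFILES = {
    "ACTOR-A": {"spearphishing-attachment", "typosquat-domain",
                "custom-rat", "dll-sideload"},
    "ACTOR-B": {"spearphishing-link", "public-webshell",
                "credential-dump", "rdp-lateral"},
    "ACTOR-C": {"watering-hole", "custom-rat", "dll-sideload",
                "signed-dropper"},
}

# Constructed list of the targeted organization's legitimate domains.
LEGIT_DOMAINS = ["examplecorp.com"]

# Constructed observations from a new campaign: techniques seen so far and
# the domains its phishing infrastructure used.
CAMPAIGN = {
    "techniques": ["spearphishing-attachment", "custom-rat", "dll-sideload"],
    "domains": ["examp1ecorp.com", "cdn-static.example.net"],
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(domains, legit_domains, max_distance=2):
    """Observed domains within a few edits of a legitimate domain but not
    identical to it. Returns (observed, legitimate, distance) triples."""
    hits = []
    for observed in domains:
        for legit in legit_domains:
            dist = levenshtein(observed.lower(), legit.lower())
            if 0 < dist <= max_distance:
                hits.append((observed, legit, dist))
    return hits


def jaccard(a: set, b: set) -> float:
    """Overlap between two technique sets; 1.0 means identical sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def score_campaign(observed_techniques, profiles=ACTOR_PROFILES):
    """Rank known actors by overlap with the observed technique set."""
    observed = set(observed_techniques)
    ranked = [(actor, jaccard(observed, techs))
              for actor, techs in profiles.items()]
    # Stable sort keeps ties in profile order; attribute() treats a tie
    # (or a narrow lead) as inconclusive rather than picking the first.
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def attribute(campaign, legit_domains, profiles=ACTOR_PROFILES,
              min_margin=0.15):
    """Enrich the campaign with derived techniques, rank actors, and name
    one only when it leads the runner-up by at least min_margin."""
    techniques = set(campaign["techniques"])
    squats = typosquat_candidates(campaign["domains"], legit_domains)
    if squats:
        # Lookalike infrastructure is itself a profilable technique.
        techniques.add("typosquat-domain")
    ranked = score_campaign(techniques, profiles)
    best, runner_up = ranked[0], ranked[1]
    verdict = best[0] if best[1] - runner_up[1] >= min_margin else "inconclusive"
    return {"techniques": techniques, "typosquats": squats,
            "ranked": ranked, "verdict": verdict}


if __name__ == "__main__":
    result = attribute(CAMPAIGN, LEGIT_DOMAINS)
    for actor, score in result["ranked"]:
        print(f"{actor}: {score:.2f}")
    print("typosquats:", result["typosquats"])
    print("verdict:", result["verdict"])
    # A campaign showing only tooling shared by two actors cannot be
    # attributed on this evidence alone.
    shared = {"techniques": ["custom-rat", "dll-sideload"], "domains": []}
    print("shared tooling verdict:", attribute(shared, LEGIT_DOMAINS)["verdict"])
```

The margin threshold is the important design choice: overlap with a profile is a hypothesis about the actor, not proof, and the chapter's later point that state actors impersonate non-state groups by falling back on public tooling is exactly the case in which two profiles tie and the script refuses to name anyone. In practice the ad hoc technique labels would be replaced by a shared taxonomy so that profiles built by different researchers can be compared.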

4.6. Theorizing state-sponsored cyber-espionage in the social sciences

The term cyber-espionage denotes an empirical phenomenon – an occurrence that can be perceived and observed by means of the human senses – as well as a surreptitious method of accessing secret information. It rests on sets of axiomatic principles, theoretical concepts and – as discussed earlier – taxonomies of actors. Axiomatic principles consist of propositions that are taken to be true and thus facilitate further reasoning that leads to the postulation of theories. An example of an axiomatic principle in the field of state-sponsored cyber-espionage is that state apparatuses administer governance through the use of bureaucratic systems. Another axiomatic principle is that bureaucratic systems evaluate their efficiency based on the time it takes them to complete administrative tasks and on the accuracy of those tasks. A third axiomatic principle is that contemporary state apparatuses see digitization and networked computer systems as desired means of administration, because they improve the time of completion and accuracy of bureaucratic tasks. This leads to the increasing digitization of the global bureaucratic ecosystem. Statecraft – the management of state affairs – has thus grown highly dependent on digital networks. Such axiomatic principles are taken to be true and serve as premises for further reasoning that allows us to build broader theories in the area of state-sponsored cyber-espionage.

Theories are sets of descriptive propositions, definitions and concepts that present our body of knowledge on a given subject in a generalized way. This body of knowledge has been amassed through observation. The generalized – and somewhat simplified – nature of theories makes them broadly applicable to a wide range of conditions and circumstances.
The purpose of theories is to systematize our understanding of phenomena by highlighting behavioral patterns that can help us explain them and possibly predict their future development. For theories to be sound, they must be able to be tested under reasonably reproducible conditions, and therefore be proven or disproven through experimentation and application. When reproducibility cannot be guaranteed, theories are advanced through observation or abstract research. Theories tend to be the products of observational research because it is through research that we produce patterns of knowledge that inform theoretical constructs. At the same time, these theoretical constructs spark further research that is meant to prove or disprove them. The relationship between theory and research is therefore cyclical and interminable.

Since the mid-1980s, when the first incidents of cyber-espionage began to emerge in the open literature, continuous observation from social science scholars has permitted us to stipulate a number of theoretical statements from an intelligence and security perspective. These statements rely on our axiomatic body of knowledge on the subject of cyber-espionage. Furthermore, they are generalized enough to be broadly applicable throughout the field. The most important big-picture theoretical statements about state-sponsored cyber-espionage from an intelligence and security studies perspective are provided in the following paragraphs.

I. State-sponsored cyber-espionage continues to proliferate. The current upward trend in the use of cyber-espionage as a method of intelligence collection by nation-states is far from having peaked and will not do so in the foreseeable future [GEH 15]. The reasons for this trend are complex, but rely primarily on the fact that digital methods of intelligence collection make as much practical and financial sense as digital methods of information storage and retrieval. Put simply, the fear of compromise by adversaries does not appear to be sufficient to discourage nation-states from relying on networked digital systems to administer their bureaucratic functions. It follows that classified information will continue to exist in a primarily digital format for the foreseeable future. This will prompt adversaries to continue to make substantial investments in cyber-espionage in resources, money and time. Because of this trend, cyber-espionage will continue to serve as a prolific method of intelligence collection against both state and non-state targets [COA 19]. Nation-states will use these methods increasingly, and will use them increasingly indiscriminately against enemies and allies alike, in order to justify their growing investment in cyber-espionage infrastructure.

II. Cyber-espionage is seen by state actors as a means of securing strategic advantages. The proliferation of digital information through the Internet has revolutionized intelligence collection. One of its many effects is that it has pushed upwards the threshold of truly secret data. In other words, true secrets are becoming rarities in our increasingly open-sourced society. Furthermore, the enormous amount of collected data, which has become possible by the digitization of information, has brought to the forefront the importance of processing it – i.e. making sense of collected data. This has led to the rapid development of a field known as big data, which addresses the challenges involved in examining datasets that are too large in size and complexity to be analyzed using traditional computer-processing techniques. The statistical modeling that is produced by big data methods promotes

predictive analytics and can offer significant forecasting advantages – for instance, by mapping social networks and producing automated analytics models focusing on topic trend analysis, online sentiment detection and opinion-mining [FIT 12]. The combination of digital intelligence collection and big data processing is seen by intelligence agencies as offering the ability to manage the increasing complexity of regional and global events, and will continue to be deployed as a means of providing state administrations with strategic advantages.

III. Digital networked systems remain vulnerable to compromise by adversaries, especially Tier IV, V and VI actors. The axiomatic principle that there is no such thing as an impenetrable cyber-system will continue to apply for the foreseeable future. Moreover, as the security of cyber-systems increases, so will the capabilities of illicit actors. Therefore, the relationship between targets and perpetrators will continue to be co-evolutionary – i.e. develop in parallel [WIL 15]. For example, North Korea is known to develop its cyber-espionage strategy in the realm of defense by monitoring the networked capabilities of foreign militaries that are engaged in wars. It is through such systematic observation that Pyongyang realized the significance of cyber-espionage as a component of asymmetric warfare and "gradually developed its cyber-power in sequential phases" [KON 19]. At the same time, as cybersecurity companies develop their antivirus software partly with reference to the capabilities of North Korean state-sponsored hackers, the latter are trained to hack by studying commercial-grade antivirus software [HA 18]. What will make state-sponsored cyber-espionage more challenging in the coming years will be the development of strong cryptography. This trend will continue to be led by the development of increasingly sophisticated encryption algorithms that will make intercepted data highly resistant – and in some cases even impenetrable – to cryptanalysis. However, the implementation of strong encryption will not in itself pose barriers to intelligence collection through cyber-espionage [BHA 19]. The latter will continue unabated, especially by Tier IV, V and VI actors. What will have to change is the degree of fusion between cyber-espionage and other forms of intelligence collection, such as HUMINT. The purpose of such a fusion will be to gain access to targeted data prior to its encryption, or to gain access to cryptanalytic information following the collection of the data.

IV. The integration of cyber-espionage into the intelligence apparatuses of nation-states is expanding. As cyber-espionage methods continue to

evolve, it will become progressively more difficult to divorce them from the wider range of tools employed in state-sponsored civilian and military information operations. Moreover, cyber-espionage operations are increasingly focusing on narrow targets, down to the level of individuals. For instance, in 2010, a state-sponsored group of hackers targeted the information technology firm IBM – one of the world's largest companies. The group worked in teams with clearly defined roles and objectives. The first team, dubbed "the breach team", performed careful reconnaissance of the IBM network for several months. During that phase of the operation, the hackers focused on specific computer accounts on IBM's network and eventually narrowed their collection activities down to specific IBM employees. The team identified those employees' personal and professional habits, likes and dislikes, after-work activities, hobbies, family life, etc. The hackers also made sure that all of the targeted IBM employees were located in the same time zone, in an effort to reduce the possibility of detection by conducting their illicit activities after work hours [CHO 11]. Such operations are carried out in support of tactical goals that concentrate on measurable outcomes with regard to information collection or support to warfighters. The ability of advanced state actors to rise to the level of full-spectrum cyber-adversaries – i.e. actors able to employ cyber-capabilities in all dimensions of a cyber-conflict, including military and civilian – will be coupled with their ability to employ cyber-espionage resources in support of increasingly targeted and measurable intelligence operations [CHO 11].

V. Competent state actors are deploying progressively more customizable methods in cyber-espionage operations. Using overwhelming force or sophistication on a relatively weak target runs the risk of unnecessarily exposing the maximum extent of one's capabilities, while at the same time wasting valuable cyber-resources that could be devoted to more challenging targets. Therefore, proficient state adversaries are becoming increasingly capable of using cyber-espionage tools that are tailored to the defensive strength of their targets. Stated differently, competent state actors are becoming progressively more attuned to the importance of "exert[ing] just enough resources to compromise a network or avoid detection" [LYN 19]. The most capable cyber-adversaries are distinguished by their ability to allocate their cyber-resources in such a way that espionage targets are penetrated without the unnecessary use of overwhelming force. An example of such a threat actor is the China-based hacker group Bronze Union – also known as Advanced Persistent Threat (APT) 27, Emissary Panda or LuckyMouse – which has been "one of the most prolific and active" since it

was first detected by cybersecurity experts in 2013 [SEC 19]. One of Bronze Union's most interesting traits is its reported preference for using publicly available malware to attack weaker targets, while using its own custom-made malware to attack stronger targets [SEC 19]. The group has learned to deploy its most powerful malware resources only when the target's defensive prowess requires them.

VI. The dividing line between state and non-state adversaries is both deepening and blurring. There is no question that the traditional division between state and non-state illicit actors in cyberspace is becoming clearer in terms of the resources that are available to them. As state actors dedicate more resources to their cyber-espionage arsenals, their intelligence-collection capabilities progressively set them further apart from those of non-state adversaries [GEH 15]. However, the line between them is blurring operationally, as more Tier III and IV actors are contracted or otherwise conscripted by state adversaries for specific tasks, or as proxies for longer-term efforts. This trend is especially pronounced in Russia, where it is alleged that often "cybercriminals are arrested but never end up in prison" [KRA 16]. In 2017, the United States Federal Bureau of Investigation (FBI) indicted a number of Russian criminal hackers who were allegedly contracted in 2014 by the Russian Federal Security Service (FSB) to attack the 500 million-strong user database of the American web services provider Yahoo [BRA 17]. Also in 2017, Konstantin Kozlovsky, a member of Lurk, a notorious hacker group whose members are believed to have stolen in excess of $45 million from hundreds of companies, said during court testimony that he was hired by the Kremlin to hack into the computers of the United States Democratic Party [SMI 17]. Additionally, state adversaries tend to conceal their tracks by consciously employing rudimentary threat vectors and impersonating non-state actors [OFL 19]. This makes the distinction between them difficult to establish in research into cyber-espionage.

VII. State-sponsored cyber-espionage is becoming total in nature, with targeting patterns that increasingly incorporate the private sector. The difficulty in establishing cyber-attribution is encouraging aggressive cyber-espionage operations by state agencies. The latter focus on the weakest targets of social and political systems, many of which tend to reside in the private sector. Commercial industries, including those not directly linked to the defense and other government sectors, are now routinely targeted in state-sponsored cyber-espionage operations [GEH 15]. An example of such a

case is the notorious 2011 spear-phishing attack that targeted the American firm RSA Security, one of the world's leading network security providers, whose primary products include encryption protocols and standards used in industry and government. The attack was allegedly "extremely sophisticated" [ZET 11a] and is believed to have originated from China. Its main target, however, was not RSA Security itself, but rather its customers, which included dozens of American defense contractors like Northrop Grumman, L-3 and Lockheed Martin. Many of them were subsequently attacked by the same hacker group that compromised RSA Security [MCM 11]. Additionally, a growing number of these operations now target the manufacturing sector in an effort to compromise computer hardware before it reaches the users. For instance, in 2013, the German newsmagazine Der Spiegel alleged it had seen leaked documents that showed American intelligence agencies had the ability to load surveillance malware onto electronic devices, such as laptop computers, before they were used by consumers. According to the newsmagazine, the method is called "interdiction" and involves intercepting shipping deliveries of electronics in the mail [SPI 13].

Researchers into state-sponsored cyber-espionage should formally postulate theories by breaking them down into statements that are both measurable and causally connected with each other. For instance, theory VI, above, should be postulated as follows:

(A) Divisions between state and non-state cyber-espionage adversaries are becoming more distinct in terms of capabilities. This is detectable through the growing capabilities of state-sponsored cyber-espionage arsenals in terms of (A1) numbers of personnel, (A2) financial resources, (A3) technical sophistication of threat vectors and (A4) the targeted nature of threat vectors.

(B) Divisions between state and non-state cyber-espionage adversaries are becoming less distinct in terms of operational behavior. This is detectable through increasing collaboration between state and non-state cyber-espionage adversaries, as observed in (B1) the frequency of identified contractual affiliations between states and non-state threat actors, and (B2) the frequency of identified proxy associations between states and non-state threat actors. Additionally, (B) is detectable through (B3) the increasing frequency of instances in which state adversaries impersonate non-state threat actors by intentionally concealing their technical sophistication, or (B4) engage in false-flag operations by identifying themselves as non-state threat actors.

4.7. Research methodologies into state-sponsored cyber-espionage

The formal theories stipulated in the previous section cover some of the major observable big-picture trends in state-sponsored cyber-espionage. None of these stipulations are absolute, yet all are generalized enough to be broadly applicable to the field. Moreover, they are empirically grounded, meaning that they are designed to be empirically testable through the four types of scientific research – namely observational, theoretical, applied and experimental. Through these research methods, scholars can evaluate the level of accuracy of existing theories and generate evidence that will allow for their improvement by making them more nuanced or by invalidating them and replacing them with new testable theories.

Experimental research offers the most direct and scientifically sound method of testing existing theories. It consists of controlled experiments that are targeted according to parameters set by hypotheses. The aim of experimental research is to provide data that support or contradict existing theories. For example, the theory that "state-run cyber-collection teams consisting of under-25-year-olds are more effectual than teams consisting of over-25-year-olds" could be tested in a series of controlled experiments in which teams would compete for access to the same decoy targets. Experimental research modeling is especially useful in evaluating the strength of threat vectors through what is called "red teaming" – the use of teams of experts who emulate the behavior of adversaries in order to test the strength of the defensive measures taken by the targets of cyber-espionage. Since experimental research takes place exclusively in controlled conditions, the parameters of independent variables are set by the designers of the study. When at least one independent variable is not fully contained within the experiment's controlled conditions, the study turns into what is called "quasi-experimental", meaning that it cannot be fully replicated but remains useful by producing limited data.
Applied research focuses on precisely evaluating the effectiveness of practical solutions to problems. Like experimental research, it relies on controlled experiments; unlike experimental research, it measures the degree of success or failure of proposed responses to identified challenges or shortcomings. For instance, prior experimentation may have led to the conclusion that cyber-collection teams consisting of under-25-year-olds are more effective in short-term

Researching State-sponsored Cyber-espionage

operations than in drawn-out campaigns. An applied research design would then test the performance of teams assembled on the basis of that finding against carefully designed targets, and the results would measure how well the existing solution addresses the identified challenge.

Observational methods are best suited to research into broad topics that involve the real-world behavior of cyber-actors, in other words, when it is impossible to control the independent variables of the system. Observational modeling is highly applicable to studies involving the Internet, whose large-scale, open-ended design and human-user element make it impossible to conduct controlled experiments that can be replicated. An example of an observational research topic would be testing the theory that state-sponsored cyber-espionage against a specified range of economic targets proliferates during times of global economic crisis. The exploratory and descriptive nature of observational research suits fields like state-sponsored cyber-espionage, which are in their infancy and remain largely uncharted and undefined. The open-ended reality of such young fields can make it difficult for researchers even to formulate the questions that they need to be asking. In these cases, observational studies can help distinguish patterns of behavior or raise new questions that will eventually prompt further investigation. Indeed, the empirical descriptions of case studies, or sets of case studies, generated by observational research are often extremely useful in the field of state-sponsored cyber-espionage.

Theoretical research operates on a highly abstract level and uses logic to test a set of assumptions about how cyber-systems will react to certain incidents or trends.
It is the only type of research methodology available to scholars who wish to study cyber-espionage models that do not yet exist or are not available for study in the unclassified domain. Several theoretical research models were developed in the first half of the 1990s to examine the so-called "Clipper chip" and its associated Skipjack encryption algorithm, which the US government proposed as a key-escrow mechanism: commercial telecommunications hardware would encrypt traffic with Skipjack, while a copy of each device's key was held in escrow by government agencies, giving them access to the content of messages exchanged over digital telecommunications systems that used the commercially available encryption [GUR 97]. Theoretical research models usually consist of a series of descriptions that test the limits of the behavior of certain cyber-systems in


Cybersecurity in Humanities and Social Sciences

accordance with the particular theories under examination. Testing these models allows researchers to postulate hypotheses, i.e. formally stated assumptions that form the basis of observational or experimental methods of evaluation. In the case of cyber-espionage, most theoretical models involve future attacks or series of attacks. Such studies highlight the ability of theoretical research to uncover impending threats that remain hidden from the past- or present-oriented models of all other research methods.

4.8. Intellectual precision and objectivity in state-sponsored cyber-espionage research

All four types of research highlighted above offer systematic, evidence- or logic-based approaches to the study of state-sponsored cyber-espionage. However, not all are equally practical within the constraints of a field like state-sponsored cyber-espionage, which is known for the unwillingness of research subjects, both offensive and defensive, to be studied. Observational and theoretical research methods are by far the most suitable for social science research in the unclassified domain, because they allow researchers to work with uncontrolled independent variables: observational research studies real-life cases, and theoretical research studies highly abstract concepts. Yet all four research methods have to confront what is admittedly the most challenging obstacle to social science research into state-sponsored cyber-espionage, namely the difficulty of amassing adequate datasets. This problem stems from two factors: first, the resistance of adversaries and threat actors to being studied; second, the wall of classification that prevents government agencies from revealing detailed information about state-sponsored cyber-espionage operations to researchers. In short, the two most crucial populations of actors, cyber-espionage perpetrators and their victims, are both inherently opposed to being studied.
Tackling this crucial problem of social science research into state-sponsored cyber-espionage requires creative research modeling that involves a high degree of innovation and intellectual precision. It must be taken for granted that many studies will inevitably raise more questions than they answer. Additionally, researchers must deliberately adopt estimative language in their studies, employing terms that clearly and consistently denote confidence levels. Examples of such terms are given in Table 4.1.

Highly likely       "It is highly probable/virtually certain…" "It can be stated with high confidence that…"
Likely              "It is likely/probable…" "It can be stated with high-to-moderate confidence…"
Even probability    "It is possible that…" "We can state with moderate confidence…"
Unlikely            "It is not likely that…" "It is unlikely that…"
Highly unlikely     "It is highly improbable that…" "It is highly doubtful that…"

Table 4.1. Estimative language that denotes confidence levels

It is also important for social science researchers to resist the pressure to uncritically reproduce the dominant narrative in Western media reporting, which portrays the West as constantly on the defensive against a relentless cyber-assault from countries like China, Russia and Iran. There is no evidence that leading Western countries like the United States, France or the United Kingdom have adopted a purely defensive counter-espionage posture in cyberspace. On the contrary, there are mounting indications that offensive cyber-espionage has been practiced routinely by the West, as well as by its adversaries, for over three decades. Bernard Barbier, former technical director of the General Directorate for External Security (DGSE), France's external intelligence agency, has publicly stated that the DGSE began to deploy "teams of hackers" as early as 1992. He also claimed that "France's cyber-army", as he called it, directed operations against Canada, Ivory Coast, Algeria and Norway, as well as against its European Union partners Spain and Greece. Today the DGSE's cyber-component is believed to account for approximately half of the organization's personnel [FOL 16]. The British and German governments have also admitted to conducting "remote clandestine searches" of targeted computers, and even to deploying malware such as Trojans, during criminal and national security investigations [LEP 09; DIE 11]. In the United States, a dedicated "hacker army" has reportedly been operating as part of the NSA's Office of Tailored Access Operations (TAO) since at least 1990. According to the late Matthew M. Aid, a leading authority on the NSA, TAO personnel have successfully penetrated the Chinese government's network servers since the late 1990s, and in doing so have generated "some of the best and most reliable intelligence information" on China obtained by Washington [AID 09]. Another authority on the NSA, James Bamford, has reported that the NSA has increased funding for its so-called "cyber-warriors" to unprecedented levels in this century, hiring "thousands of computer experts, hackers and engineering PhDs" who have enabled it to "expand its offensive capabilities in the digital realm" [BAM 13, emphasis added]. The CIA is arguably not far behind, judging by the Vault 7 documents leaked in 2017 through the anti-secrecy website WikiLeaks. The documents show that the agency employed a host of surreptitious techniques to extract data from digital applications and devices, ranging from flash drives to smart televisions. They also show that the CIA's targets included popular communications systems like Skype and WhatsApp, smartphones produced by Google and Apple, commercial software like Adobe's PDF software and Microsoft Windows, and even smart televisions with Internet connectivity [FIT 17]. All this is not to say that Western countries are not heavily targeted by state-sponsored cyber-espionage, as indeed they are. But it is to say that researchers in this highly controversial field must not sacrifice their intellectual objectivity by focusing exclusively on non-Western illicit actors, or, even worse, by moralizing in favor of some illicit actors and against others. In the wise words of Eric Chien, who has spent more than two decades in Symantec's Security Technology and Response division, "for us there's no good guys [versus] bad guys. [There's only] bad guys […], people who are writing malicious code that infects systems that can cause unintended consequences or intended consequences" [ZET 11b]. In the same vein, particular attention must be devoted to guarding against the temptation to attribute cyber-espionage attacks to China in a knee-jerk fashion.
China's reputation as a powerhouse in the field of state-sponsored cyber-espionage is largely accurate and well deserved. However, the often effortless attribution of cyber-espionage attacks to the Chinese People's Liberation Army (PLA) or the Ministry of State Security tends to ignore the "wealth of loopholes and methods" [DEI 09] available to illicit cyber-actors who wish to mask their identity or location. Numerous experts have cautioned that the large volume of information about Chinese state-sponsored cyber-espionage in the unclassified literature is partly attributable to "an increased interest in information on Chinese espionage" on the part of Western media [EDD 13]. Moreover, as the computer security expert and theorist Mikko Hypponen has suggested, Beijing is "such an easy scapegoat that, if I were a hacker working for a [non-Chinese] government agency, and conducted a state-sponsored […] espionage operation against a third country, I would do everything I could to make it look like it's [from] the Chinese" [CRO 11]. Hypponen made this comment four years before Kim Heung-Kwang, a North Korean defector familiar with Bureau 121, the North Korean military's cyber-espionage and cyber-warfare wing, claimed that teams of North Korean hackers operated clandestinely out of China. According to Kim, Bureau 121 set up a complex network of hackers in the Chinese city of Shenyang, whose sizeable Korean community offered natural cover for blending in. The Bureau 121 hackers "entered China separately" over time, said Kim, "in smaller groups […], under different titles" such as office workers, trade company officials, or even diplomatic personnel. From there, they allegedly used hijacked Chinese Internet servers to compromise computer systems around the world without Beijing's knowledge or consent [RIP 15].

The above example demonstrates that researchers of state-sponsored cyber-espionage must be cognizant of false-flag activities that can skew the objectivity of their work. Further illustration of this point is provided by the case of the self-described "Cyber-Caliphate", the purported online hacker wing of the Islamic State of Iraq and Syria (ISIS). The group first appeared in early 2014, claiming to act on behalf of ISIS with a virtual army of hackers from several dozen countries. Over the next two years, the Cyber-Caliphate conducted several cyber-espionage and cyber-sabotage operations against both state and non-state targets. But Western intelligence agencies eventually concluded that the group was in fact a "flag of convenience" for the government of Russia.
Following reports by German and American intelligence agencies, Britain's National Cyber Security Centre concluded in October 2018 that the Cyber-Caliphate was essentially the same outfit as the hacker group known variously as APT 28, Fancy Bear and Pawn Storm, which operates under Russia's military intelligence service, the GRU [ALL 18]. There have been similar allegations connecting non-state hacker or "hacktivist" groups like Anonymous or LulzSec with Western law-enforcement and intelligence agencies. In 2011, an investigation by the British newspaper The Guardian concluded that around 25% of those active in the American hacker community were working as informants for the Federal Bureau of Investigation and other US government agencies. According to the report, government authorities had made significant inroads into hacker groups, not by training their officers in hacking skills, but by employing the threat of lengthy prison sentences as a means of convincing captured hackers to turn into government informants. That method was responsible for the creation of an "army of informants" operating "deep inside the hacking community" of the United States [PIL 11].

4.9. Detecting state actors in cyber-espionage research

The ambiguous nature of state-sponsored cyber-espionage does not mean that research into the topic is unfeasible. On the contrary, several methodological techniques can be employed in isolation or, preferably, in combination to produce highly accurate data. Initial emphasis must be placed on modeling the capabilities of threat actors. This modeling is derived from the combination of financial resources and time available to a threat actor. How many resources are available to it, in terms of personnel, computing power and software? Threat actors like Pawn Storm (Russia) and APT10 (China) are known to be composed of multiple teams of hackers who work in shifts focusing on the same targets, sometimes for years at a time [BAE 17]. The best-resourced malware designers have access to exploits that require significant financial investment, such as zero-day attack vectors. The latter exploit vulnerabilities that are unknown to the software vendor and therefore unpatched; knowledge of such a vulnerability can sell for as much as $500,000 on the black market. In 2018, APT37 (North Korea, also known as Reaper) used an Adobe Flash zero-day vulnerability to carry out a cyber-espionage operation [FIR 18]. The designers of Stuxnet made use of four zero-day vulnerabilities, an unprecedented number for a single piece of malware, prompting experts to refer to them with near-absolute certainty as members of "a government cyberarmy" [ZET 11b]. State agencies are known to purchase zero-day vulnerabilities on the black market, some of them allegedly to keep them out of the hands of illicit actors as part of their "defense strategy" [KAR 12]. However, there is no assurance that they do not also use them in pursuit of their own cyber-espionage goals.
Time translates into persistence and patience. State-sponsored threat actors tend to have access to substantial financial and human resources, as well as technical know-how and experience, which allows them to carry out prolonged operations. There are documented cases of threat actors, such as Pawn Storm (Russia), patiently focusing on a carefully selected target for two or three years, meticulously working their way into the targeted system using an impressive variety of exploits. The threat actor known as APT1 (China, also known as Byzantine Candor or Comment Crew) has targeted over 1,000

companies, organizations and agencies, often repeatedly, since its appearance in 2006. The time patterns of its activities lead to the conclusion that its size is probably unrivaled in the contemporary world of cyber-espionage. Today APT1 is believed to comprise "several thousand operatives" from the Second Bureau of the Third Department of the PLA's General Staff Department, also known as Unit 61398 [RIL 12].

Another element in the threat equation of state actors is their scope and proficiency. Scope refers to the breadth of their targeting and their ability to spy on numerous targets simultaneously. In their 2009 study of Chinese state-sponsored cyber-espionage against the exiled Tibetan independence movement, researchers from Canada's Information Warfare Monitor found that the adversary was simultaneously exploiting carefully selected targets in 103 countries [DEI 09]. Such breadth of scope would be unfeasible without the kind of ample resources associated with state actors. Proficiency is typically revealed in the quality of the software code, especially if it is brand new and represents a departure from other known threat vectors. Malware coding evolves incrementally as threat actors learn from each other and from their targets. But state adversaries are much better than non-state actors at continuously educating themselves, "actively following developments and publications of the offensive security community when selecting their toolkit" [SYM 18]. As a result, truly revolutionary code tends to come from state actors. The case of Stuxnet is once again illustrative, as it was the first malware known to employ digital code designed to physically destroy a real-world machine. But the proficiency of Stuxnet's designers was also evident in their operational security, that is, their skill at evading detection of the malware and of themselves.
Not only was their command-and-control infrastructure, the system they used to communicate with and direct the malware, extremely sophisticated, but the malware itself had been carefully camouflaged to resemble a rudimentary piece of software of the kind used by low-level criminal actors for industrial espionage. It took painstaking analysis by a dedicated computer security team to uncover the true intention of Stuxnet [ZET 11b]. Arguably, Stuxnet was a revolutionary moment in the history of malware design and implementation. However, it also highlights that the most capable Tier IV, V and VI threat actors work persistently on their evasive tactics. State actors like APT37 (North Korea) or Leafminer (Iran) consciously strive to improve their command-and-control infrastructure and operational security over time [FIR 18].


The deliberate and highly selective nature of attacks, often referred to as intent, is also an indicator of state-sponsored cyber-espionage activity. For instance, it is rare for criminal actors to focus on diplomatic targets, because exploiting such targets does not usually generate financial gain. It is even rarer for criminal actors to hack intergovernmental organizations like the United Nations or the European Union, foreign affairs ministries, trade unions or think tanks. When such targets feature in the victim lists of threat actors, as is the case with Leafminer (Iran) or GhostNet (China), they almost always point to state-sponsored cyber-operations. Researchers usually look for concentrations of more than 20% of such targets, known as "high-value targets", in the victim list of a threat actor before feeling reasonably confident in defining it as state-sponsored. High-value targeting is often paired with exploits customized to specific software modules, or even to specific individuals, within a targeted organization. This signifies that the threat actor has the time and resources to study its target set carefully and to gather information on specific individuals within it. Threat vectors are then designed to appeal to the personality, preferences and needs of the targeted individuals. An example would be an email phishing campaign that is contextually relevant to a single individual within an organization: that individual may be known to have a passion for a specific computer game or a specific model of antique automobile, and the phishing email directed at them would reflect this. This level of sophisticated reconnaissance is almost always associated with state adversaries.

4.10. Identifying specific state actors in cyber-espionage research

The process of detecting state-sponsored activity in cyber-espionage research is two-fold.
The first step, outlined in the previous section, focuses on distinguishing state from non-state threat actors. The second step in the process is arguably more challenging: it aims to identify the specific state actor that may be behind a cyber-espionage operation. Researchers have an extensive array of tools at their disposal, which have proven relatively accurate, keeping in mind, of course, the important caveat about false-flag activities discussed earlier. To begin with, it must be remembered that state-sponsored cyber-espionage actors do not typically claim responsibility for particular attacks, or for any attacks at all. It is therefore the task of cyber-espionage researchers to attribute specific attacks to the gamut of activities of known threat actors.

A crucial method for attributing cyber-espionage attacks to known threat actors is the behavioral analysis of what some researchers describe as the tools, tactics, techniques and procedures (TTTPs) of adversaries [STE 16], more commonly abbreviated to TTPs. The term refers to the particular cyber-tradecraft that adversaries use to accomplish their goals. TTTP-based analysis offers crucial glimpses into the behavior of threat actors and allows researchers to build what can be described as a cyber-personality for each known adversary. This is possible because some threat actors show a preference for certain types of threat vectors, or employ methods of attack with distinct architectures, while others show strong preferences for particular action sequences or methods of delivering threat vectors. For example, in their 2017 study of APT 33 (Iran), a team of researchers with the security firm FireEye noted that the threat actor tended to repurpose hacking tools that were especially popular on Iranian hacking websites [OLE 17]. Over time, detailed observations of threat actors and their behavior can give rise to abstract modeling based on the notion of the "ideal type". Known also as the "pure type", this Weberian concept allows for the construction of a typology that enables researchers to categorize threat actors and their behavior into broad classes based on common traits, attributes, tradecraft characteristics and so on, which add distinguishing features to the cyber-personalities of specific threat actors [FIN 16]. It is important to stress that ideal types need not completely overlap with the specific characteristics of individual illicit actors or cyber-attacks. Rather, the central idea is that an ideal type must reflect the central elements that are common to most cases clustered under the same label.
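The following is an added example, written for this chapter rather than taken from the book or from any vendor report, of how the TTP-based "cyber-personality" and the ideal-type typology described above can be made repeatable. Each profiled actor is represented as a set of technique labels; a new intrusion's observed techniques are then ranked against every profile using a rarity-weighted Jaccard similarity, so that a technique shared by every actor (credential dumping, say) counts for little while a technique unique to one actor counts for a lot. The actor names, technique labels and profiles are constructed placeholders, not real reporting.

```python
"""Score an intrusion's observed tradecraft against known actor profiles.

Added example written for this chapter; not code from the book or from any
vendor report. Each actor is a set of technique labels, and a new intrusion is
ranked against every profile with a rarity-weighted Jaccard similarity.
All technique labels and actor profiles below are constructed placeholders.
"""
from math import log

# Constructed profiles (hypothetical): actor label -> techniques observed in
# that actor's past intrusions. Real profiles would be built from reporting.
PROFILES = {
    "ACTOR-A": {"spearphish-attachment", "macro-dropper", "dns-tunnel-c2",
                "credential-dump", "custom-packer-x"},
    "ACTOR-B": {"spearphish-link", "public-rat", "http-c2",
                "credential-dump", "webshell"},
    "ACTOR-C": {"watering-hole", "browser-exploit", "http-c2",
                "custom-packer-x", "lateral-psexec"},
}

# Constructed observation from a new intrusion, including one technique that
# no profile has seen before.
SAMPLE_OBSERVED = {"spearphish-attachment", "macro-dropper", "dns-tunnel-c2",
                   "credential-dump", "new-unknown-loader"}


def technique_weights(profiles):
    """Inverse-frequency weights: a technique used by every profiled actor
    says little about identity, so it gets a low weight; a technique unique
    to one actor gets the highest weight."""
    n = len(profiles)
    counts = {}
    for techniques in profiles.values():
        for t in techniques:
            counts[t] = counts.get(t, 0) + 1
    return {t: log((n + 1) / c) for t, c in counts.items()}


def weighted_jaccard(observed, profile, weights, unseen_weight=1.0):
    """Weighted |A & B| / |A | B|. Techniques absent from every profile are
    still counted in the union (with unseen_weight), so novel tradecraft
    lowers the score rather than being silently ignored."""
    inter = sum(weights.get(t, unseen_weight) for t in observed & profile)
    union = sum(weights.get(t, unseen_weight) for t in observed | profile)
    return inter / union if union else 0.0


def rank_actors(observed, profiles=PROFILES):
    """Return [(actor, score), ...] sorted from most to least similar."""
    weights = technique_weights(profiles)
    observed = set(observed)
    scored = [(name, weighted_jaccard(observed, techniques, weights))
              for name, techniques in profiles.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored


if __name__ == "__main__":
    for actor, score in rank_actors(SAMPLE_OBSERVED):
        print(f"{actor}: {score:.2f}")
```

Run stand-alone, the constructed intrusion scores roughly 0.74 against ACTOR-A, under 0.1 against ACTOR-B (the only overlap being the widely shared credential dumping) and 0.0 against ACTOR-C. Two design choices matter here. First, the unknown loader is kept in the union, so genuinely novel tradecraft reduces confidence in every match, which is the right direction for the "revolutionary code" cases discussed above. Second, the score measures resemblance only: a false-flag operation that deliberately mimics ACTOR-A's toolkit would score just as highly, so a high score is a reason to look harder at infrastructure, timing and targeting, not a conclusion in itself.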
Additionally, the term ideal, or pure, does not refer to absolute fulfillment or perfection; rather it refers to the idea, or vision, of a mental construct that typifies a set of broadly attributable features. Ideal types approximate reality but do not encompass the entirety of its complexity.

It is also possible, indeed desirable, to conduct a geolocation analysis of the activities of threat actors. This is rarely feasible during the preparatory stages of a cyber-espionage attack, unless the threat actor has previously been the subject of an offensive counter-espionage operation. However, once an attack has been detected, geolocation data can be collected by using "honeypot" computers as bait. These allow security experts to monitor the traffic generated by threat vectors, which can then help identify the servers used by the perpetrators of an attack. The Internet protocol (IP) addresses

extracted through honeypotting can help geolocate the attackers' infrastructure and, with further analysis, their home base. Two caveats apply: an IP address locates a server, not the person behind it, and threat actors routinely operate through rented, compromised or anonymizing infrastructure in third countries, so the geolocation of command-and-control servers is only a starting point. The process is aided tremendously when researchers possess detailed knowledge of the precise structure of an adversary's intelligence community and the physical location of its facilities. When the latter correlate with the geolocation of a cyber-espionage attack, the correlation is usually strong evidence that helps identify a state cyber-espionage actor with relative precision.

Researchers also analyze the time patterns of when malicious IP addresses communicate with installed malware. These patterns are then matched with the time zone(s) of suspected state actors, or ideal types, and compared against their customary workday and workweek patterns. For example, in their 2017 study of APT 33, FireEye researchers noted that the threat actor "largely operated on days that correspond to Iran's workweek, Saturday to Wednesday". They then pointed out that "Iran is one of few countries that subscribes to a Saturday to Wednesday workweek", which distinguishes it from other Middle Eastern countries that follow a Sunday to Thursday workweek [OLE 17]. Timing evidence is strongest for interactive activity, such as operator logins to command-and-control servers or the compilation timestamps embedded in malware, since automated beacons follow whatever schedule the malware was given, and timestamps of either kind can be deliberately manipulated.

The above example highlights the crucial significance of possessing cultural knowledge of one's subject. Such knowledge is also useful when analyzing the code of malware used in cyber-espionage attacks, which often presents researchers with linguistic clues that can help pinpoint the identity of a state adversary. For example, following the discovery of the Stuxnet worm, some experts speculated that elements of its code contained symbolic references to the Hebrew Scriptures or to the history of Israel and Judaism, thus potentially implicating the Israeli government in the construction of the malware [FAL 10].
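The workweek reasoning quoted above can be mechanized. The following is an added example written for this chapter, not code from the book or from FireEye: every command-and-control contact time, recorded in UTC, is shifted into a candidate operator time zone, and each candidate is scored by the share of contacts that land on a workday during office hours under that candidate's workweek. The contact log is constructed for illustration; the Saturday-to-Wednesday, UTC+3:30 hypothesis follows the Iranian workweek cited in the text, while the other hypotheses and the 08:00 to 18:00 office-hours window are assumed comparison cases.

```python
"""Rank working-hours hypotheses over command-and-control contact times.

Added example written for this chapter; not code from the book or from
FireEye. Each UTC timestamp is shifted into a candidate operator time zone
and counted as a hit if it falls on a workday during office hours under that
candidate's workweek. The contact log below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Candidate hypotheses: label -> (UTC offset in hours, set of workdays).
# Weekday numbering follows Python: Monday = 0 ... Sunday = 6.
# The first entry follows the Saturday-to-Wednesday workweek cited in the
# text; the others are assumed comparison cases.
HYPOTHESES = {
    "UTC+3:30, Sat-Wed": (3.5, {5, 6, 0, 1, 2}),
    "UTC+3, Mon-Fri": (3.0, {0, 1, 2, 3, 4}),
    "UTC+8, Mon-Fri": (8.0, {0, 1, 2, 3, 4}),
    "UTC-5, Mon-Fri": (-5.0, {0, 1, 2, 3, 4}),
}
WORK_START, WORK_END = 8, 18  # assumed local office hours, end exclusive

# Constructed C2 contact log (UTC), 3-10 February 2018. Two entries fall
# outside the Sat-Wed pattern, as real logs always contain noise.
SAMPLE_BEACONS = """
# timestamp (UTC)
2018-02-03T05:10:00Z
2018-02-03T09:45:00Z
2018-02-04T04:50:00Z
2018-02-04T12:30:00Z
2018-02-05T06:00:00Z
2018-02-06T13:20:00Z
2018-02-07T07:05:00Z
2018-02-08T10:00:00Z
2018-02-09T18:40:00Z
2018-02-10T08:15:00Z
"""


def parse_beacons(text):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' lines into timezone-aware UTC datetimes,
    skipping blank lines and '#' comments."""
    times = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        naive = datetime.strptime(line, "%Y-%m-%dT%H:%M:%SZ")
        times.append(naive.replace(tzinfo=timezone.utc))
    return times


def score_hypothesis(utc_times, offset_hours, workdays):
    """Fraction of contacts that fall on a workday during office hours once
    shifted into the hypothesised local time zone."""
    if not utc_times:
        return 0.0
    local_tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in utc_times:
        local = t.astimezone(local_tz)
        if local.weekday() in workdays and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(utc_times)


def rank_hypotheses(utc_times, hypotheses=HYPOTHESES):
    """Return [(label, score), ...] from best- to worst-fitting hypothesis."""
    scored = [(label, score_hypothesis(utc_times, offset, days))
              for label, (offset, days) in hypotheses.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored


if __name__ == "__main__":
    for label, score in rank_hypotheses(parse_beacons(SAMPLE_BEACONS)):
        print(f"{label}: {score:.0%} of contacts during office hours")
```

On the constructed log the Saturday-to-Wednesday hypothesis explains 80% of the contacts, the Monday-to-Friday alternatives 40% or less. Three points a practitioner would add: ten events prove nothing, and a real analysis needs hundreds of interactive events spread over many weeks; the comparison between hypotheses is the result, not the absolute score, since any zone will match a few contacts by chance; and because the contact times are under the adversary's control, a consistent workweek is corroborating evidence to be triangulated with infrastructure, language and targeting, never a stand-alone attribution.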
In 2015, while analyzing the state-sponsored threat actor known as Rocket Kitten, a team of researchers with the cybersecurity firm Check Point noted that the usernames of those accessing a phishing application used in one of the group's cyber-espionage attacks featured "potentially Persian names or aliases such as merah, kaveh, ahzab or amirhosein" [CHE 15]. In 2017, FireEye researchers noted that the resource language sections of software used by APT 33 to carry out cyber-espionage attacks were set to Yemeni Arabic and Farsi [OLE 17]. Geolocation studies, time-space modeling and cultural analyses of threat actors should ideally be paired with careful evaluation of their targeting patterns, especially where the latter prioritize high-value targets. The guiding question for researchers should be whether there is a high degree of correlation between the targeting pattern of a given threat actor

and the strategic or foreign-policy priorities of a nation-state. In identifying APT 10 as a Chinese state-sponsored threat actor, researchers with PricewaterhouseCoopers and BAE Systems explained in 2017 that the group targeted almost exclusively organizations of strategic value to Chinese state-owned businesses [BAE 17]. Other Chinese threat actors, such as GhostNet, have also been identified because of their "high-value targets [which] are clearly linked to Chinese foreign and defense policy" [DEI 09]. In identifying APT 37 as a North Korean state actor, FireEye researchers noted in 2018 that the threat actor's targeting aligned closely with North Korean state interests. They went on to explain that the group's target list included "a research fellow, advisory member, and journalist associated with different North Korean human rights issues […], an entity in Japan associated with the United Nations missions on sanctions and human rights [and] a Christian missionary organization that works with North Korean defectors" [FIR 18].

When the research methods outlined here are used in combination, they can lead to conclusions that are remarkably accurate. The social science term for this approach is "triangulation", meaning the use of two or more independent methods to collect or evaluate data on the same topic. There are many documented instances of researchers working with unclassified tools taking triangulation to the extreme. In one case, researchers were able to identify individuals behind APT 37 and Rocket Kitten by name and address [CHE 15; FIR 18]. There is also an emerging trend of governments using triangulation to indict individual employees of foreign intelligence agencies for carrying out cyber-espionage operations.
This trend was demonstrated in 2014, when the United States Department of Justice indicted by name five officers of the PLA's Unit 61398, whom it accused of stealing business secrets and intellectual property from American firms in order to advance Chinese commercial interests [RIL 12]. Also in mid-2014, the Netherlands' General Intelligence and Security Service (AIVD) went even further in penetrating APT 29 (also known as Cozy Bear), a Russian state-sponsored threat actor believed to have hacked the email servers of the United States Democratic Party in 2016. According to accounts in the Dutch press, the AIVD located the physical base of the Cozy Bear hackers in a university building near Moscow's Red Square. The AIVD team then remotely took control of security camera networks located around the facility before hacking into another security camera network inside the building that housed the hackers' offices. They were then able to collect

photographs and video footage of Cozy Bear members, which were promptly compared with photographs of "known Russian spies" [MOD 18].

4.11. Conclusion: researching a transformational subject

In the words of the Canadian philosopher Marshall McLuhan, we must not allow "the content of any medium [to blind] us to the character of the medium" [MCL 94]. By that, he meant that the medium through which messages are communicated has a potentially greater significance for the development of civilization than the content or meaning of any particular message. In this sense, the dawn of digital statecraft is in itself more important than the digital content that fuels it or is produced by it. Digitization is not only changing the conditions under which nation-states interact with each other and with their citizens; it is also changing the very nature of the nation-state, in ways that are yet to be fully explored or understood. Within this rapidly changing context, state-sponsored cyber-espionage is profoundly transforming the way that nation-states collect intelligence, and perhaps even the very nature of intelligence itself. This powerful transformational dynamic is being felt across all levels of the state's intelligence apparatus, which is essentially being rewired. The growth of data science, paired with the explosion of social media and its associated practices, like behavioral informatics and surveillance capitalism, is altering the very notions of communication, information classification and secrecy in our societies. In an important sense, therefore, the social sciences will be unable to analyze statecraft in our time without also comprehending the information-collection modalities of the digital nation-state. Any research undertaken to study the intelligence functions of statecraft during this time of flux will need to draw on equally versatile methodological approaches.
Specifically, innovation in research on state-sponsored cyber-espionage will continue to be guided by two major challenges. The first is the scarcity of available datasets, which is caused by the persistent unwillingness of research subjects to be studied. To address this problem, researchers will require precise methodologies for evaluating known cyber-operations, as well as increasingly detail-oriented methodologies of cyber-attribution. At the same time, research into cyber-espionage will be forced to resort heavily to what methodologists call “strategic guessing”. This denotes the ability to provide reasonable answers to research questions without being privy to all the information on the subject of the study. Strategic guessing relies on the ability to distinguish current – and envisage future – patterns in datasets, while meticulously eliminating wrong answers and relying on a certain sense of “research intuition”. Coupled with careful research design, strategic thinking can bridge some of the gaps caused by the scarcity of datasets. In the meantime, researchers must be daring enough to propose overarching theories while accepting the brutal reality that a high proportion of research efforts will bear little or no fruit. Failure will inevitably lead to exploring the implications of research models and subsequently refining them in order to achieve improved results.

The second major challenge that will guide innovation in research on state-sponsored cyber-espionage is the increasing complexity of this inherently intricate field of study. Not only is cyber-espionage becoming more integrated into the numerous functions of statecraft, but the very practice of cyber-intelligence is also turning more technical and esoteric. Social science researchers will therefore become increasingly unable to study it in isolation from other specialists. What is needed is a more substantial level of interdisciplinarity than ever before, which will combine the highly technical fields of cybersecurity, mathematics and engineering with political science, intelligence studies and international relations. A degree of interdisciplinarity has always been helpful in researching cyber-espionage. In the present conditions, however, it is absolutely essential. Moreover, it must be expanded to include input from military science and peace and conflict studies, in an effort to understand how the practice of cyber-espionage informs defense systems and processes in times of peace and war.
Additionally, input must be sought from history and geography, as well as from economics, given the frequency with which cyber-espionage is found to reside in the intersection of historical, economic and geopolitical parameters of nation-state behavior. Interdisciplinarity must thus be guided by a conscious effort to build teams of researchers that can address the strategic, tactical and operational aspects of state-sponsored cyber-espionage – often within the same study. Ultimately, the last thing social science research should do at this critical juncture is to turn away from the study of state-sponsored cyber-espionage, intimidated by the scarcity of data and the inherent political controversy of the topic. The stakes are simply too high. Ignoring this increasingly critical aspect of modern-day statecraft will create a knowledge gap in our understanding of governance that could take decades – if not centuries – to bridge.

4.12. References

[AID 09] AID M.M., The Secret Sentry: The Untold History of the National Security Agency, Bloomsbury Press, New York, NY, 2009.
[ALL 18] ALLEN I., “Britain sees Russian government hackers behind Islamic State cybergroup”, intelNews, https://intelnews.org/2018/10/05/01-2412, 5 October 2018.
[AND 18] ANDREW C., The Secret World: A History of Intelligence, Yale University Press, New Haven, CT, 2018.
[BAE 17] BAE SYSTEMS, Operation Cloud Hopper: Exposing a systematic hacking operation with an unprecedented web of global victims, Report, BAE Systems and PricewaterhouseCoopers, April 2017.
[BAM 13] BAMFORD J., “Meet the spy chief leading us into cyberwar”, Wired, https://www.wired.com/2013/06/general-keith-alexander-cyberwar/, 12 June 2013.
[BEW 19] BEWARDER M., NAUMANN A., “Deutscher Verfassungsschutz spricht Österreich misstrauen aus”, Die Welt, 18 May 2019.
[BHA 19] BHASKER D., “Staying ahead of the race: Quantum computing and cybersecurity”, Journal of Cyber-Security and Information Systems, no. 1, pp. 36–42, 2019.
[BRA 17] BRANDOM R., “Russian officials hired criminals to hack 500 million Yahoo accounts, according to Feds”, The Verge, https://www.theverge.com/2017/3/15/14934654/yahoo-russia-hackers-charged-breach-security-fsb-criminal, 15 March 2017.
[CEN 15] CENTRAL INTELLIGENCE AGENCY, Digital Innovation: innovation at the speed of mission, Langley, VA, https://www.cia.gov/offices-of-cia/digital-innovation/index.html, 1 October 2015.
[CHE 15] CHECK POINT, Rocket Kitten: A campaign with 9 lives, Threat Intelligence and Research, Check Point Software Technologies, San Carlos, CA, 2015.
[CHO 11] CHOO K.-W.R., “The cyber-threat landscape: Challenges and future research directions”, Computers & Security, no. 1, pp. 719–731, 2011.
[COA 19] COATS D.R., Worldwide threat assessment of the US Intelligence Community, Statement for the Record by the Office of the United States Director of National Intelligence, Select Committee on Intelligence, United States Senate, 29 January 2019.
[CRO 11] CROZIER R., “Fear of China masks the work of other web spies”, IT News, https://www.itnews.com.au/news/fear-of-china-masks-the-work-of-other-web-spies279623, 10 November 2011.
[DAL 18] DALTON M., “France probes any Moscow role in Yellow-Vest movement”, The Wall Street Journal, 14 December 2018.
[DEI 09] DEIBERT R., ROHOZINSKI R., “Tracking GhostNet: Investigating a cyber-espionage network”, Information Warfare Monitor, Ottawa, 29 March 2009.
[DIE 11] DIEHN S.A., IMPEY J., KIMBALL S., “Several German states admit to use of controversial spy software”, Deutsche Welle, https://p.dw.com/p/12p0I, 11 October 2011.
[EDD 13] EDDY M., “Chinese cyber-espionage: Don’t believe the hype”, PC Magazine, http://securitywatch.pcmag.com/security/311911-chinese-cyber-espionage-don-t-believethe-hype, 28 May 2013.
[FAL 10] FALLIERE N.O., MURCHU L., CHIEN E., W32.Stuxnet dossier, Symantec Corporation, Cupertino, CA, September 2010.
[FIN 16] FINNEMORE M., HOLLIS D.B., “Constructing norms for global cybersecurity”, The American Journal of International Law, no. 3, pp. 425–479, July 2016.
[FIR 18] FIREEYE, APT37 Reaper: The overlooked North Korean actor, Milpitas, CA, 2018.
[FIT 12] FITSANAKIS J., BOLDEN M., “Social networking as a paradigm shift in tactical intelligence collection”, Intelligence Studies Yearbook, no. 1, pp. 28–40, January 2012.
[FIT 14] FITSANAKIS J., Should state-sponsored cyber-operations target the private sector? American and Chinese Assessments, Working Paper III.13, Chaire de Cyberdéfense et Cybersécurité, École Spéciale Militaire de Saint-Cyr, Paris, France, 2014.
[FIT 17] FITSANAKIS J., “Files released by WikiLeaks show advanced CIA technical collection methods”, intelNews, https://intelnews.org/2017/03/08/01-2075/, 8 March 2017.
[FIT 18] FITSANAKIS J., “Authorities in Europe warn about the rise of heavily armed paramilitary groups”, intelNews, https://intelnews.org/2018/09/06/01-2392, 6 September 2018.
[FIT 19] FITSANAKIS J., “Growth and uncertainty: The impact of 9/11 on intelligence and national security studies”, in FINNEY M., SHANNON M. (eds), 9/11 and the Academy: Responses in the Liberal Arts and the 21st Century World, Palgrave Macmillan, Cham, Switzerland, pp. 243–274, 2019.
[FOL 16] FOLLOROU J., “Les confessions d’un maître de l’espionnage français”, Le Monde, https://www.lemonde.fr/societe/article/2016/09/03/les-confessions-d-un-maitre-de-lespionnage-francais_4991935_3224.html, 3 September 2016.
[GEH 15] GEHEM M., USANOV A., FRINKING E. et al., Assessing cyber-security: A meta-analysis of threats, trends, and responses to cyber-attacks, The Hague Center for Strategic Studies, The Hague, Netherlands, 2015.
[GUR 97] GURAK L.J., Persuasion and Privacy in Cyberspace: The online Protests over Lotus MarketPlace and the Clipper Chip, Yale University Press, New Haven, CT, 1997.
[HA 18] HA M., MAXWELL D., Kim Jong Un’s ‘All-purpose Sword’: North Korean Cyber-enabled Economic Warfare, FDD Press, Washington, DC, October 2018.
[KAR 12] KARENA C., “Australian spies buying computer bugs: Sources”, The Sydney Morning Herald, https://www.smh.com.au/technology/australian-spies-buying-computerbugs-sources-20120307-1ujlb.html, 8 March 2012.
[KEL 17] KELLY S., “The CIA’s officer of the future”, The Cipher Brief, https://www.thecipherbrief.com/column_article/best-of-the-cias-officer-of-the-future-2, 28 May 2017.
[KON 19] KONG J.-Y., KIM K.-G., KIM J.-I., “The all-purpose sword: North Korea’s cyber-operations and strategies”, in MINÁRIK T., ALATALU S., BIONDI S. et al. (eds), 11th International Conference on Cyber-Conflict: Silent Battle, NATO CCD COE, Tallinn, Estonia, pp. 143–162, 2019.
[KRA 16] KRAMER A.E., “How Russia recruited elite hackers for its cyberwar”, The New York Times, https://www.nytimes.com/2016/12/29/world/europe/how-russia-recruitedelite-hackers-for-its-cyberwar.html, 29 December 2016.
[LEP 09] LEPPARD D., “Police set to step up hacking of home PCs”, The Sunday Times, https://www.thetimes.co.uk/article/police-set-to-step-up-hacking-of-home-pcs-wqv6xj099kn, 4 January 2009.
[LYN 19] LYNGAAS S., “Inside a Chinese APT’s very flexible playbook”, CyberScoop, https://www.cyberscoop.com/apt27-chinese-secureworks-report/, 27 February 2019.
[MAY 18] MAYER J., “How Russia helped swing the election for Trump”, The New Yorker, 24 September 2018.
[MCL 94] MCLUHAN M., Understanding Media: The Extensions of Man, MIT Press, Cambridge, MA, 1994.
[MCM 11] MCMILLAN R., “RSA Spearphish attack may have hit US defense organizations”, IDG News Service, https://www.computerworld.com/article/2511039/rsa-spearphishattack-may-have-hit-u-s--defense-organizations.html, 8 September 2011.
[MOD 18] MODDERKOLK H., “Hackers AIVD leverden cruciaal bewijs over Russische inmenging in Amerikaanse verkiezingen”, De Volkskrant, https://www.volkskrant.nl/nieuws-achtergrond/hackers-aivd-leverden-cruciaal-bewijs-over-russische-inmenging-inamerikaanse-verkiezingen~b32c6077, 26 January 2018.
[MOO 17] MOONEY K., “Putin is funding green groups to discredit natural gas fracking”, Newsweek, 11 July 2017.
[MUE 19] MUELLER R., Report on the investigation into Russian interference in the 2016 presidential election, vol. 1, United States Department of Justice, Washington, DC, 2019.
[NAK 16] NAKASHIMA E., “US government officially accuses Russia of hacking campaign to interfere with elections”, The Washington Post, 7 October 2016.
[OFL 19] O’FLAHERTY K., “Russian hackers disguised as Iranian spies attacked 35 countries”, Forbes, https://www.forbes.com/sites/kateoflahertyuk/2019/10/21/nsa-and-ncsc-warningrussian-hackers-disguised-as-iranian-spies-hacked-35-countries/#7a7469c76428, 21 October 2019.
[OLE 17] O’LEARY J., KIMBLE J., VANDERLEE K. et al., Insights into Iranian Cyber-espionage: APT33 targets aerospace and energy sectors and has ties to destructive malware, FireEye, Milpitas, CA, 2017.
[PIL 11] PILKINGTON E., “One in four US hackers ‘is an FBI informer’”, The Guardian, https://www.theguardian.com/technology/2011/jun/06/us-hackers-fbi-informer, 6 June 2011.
[POI 13] POITRAS L., ROSENBACH M., STARK H., “NSA snoops on 500 million German data connections”, Der Spiegel, 30 June 2013.
[RIL 12] RILEY M., LAWRENCE D., “Hackers linked to China’s army seen from EU to DC”, Bloomberg, https://www.bloomberg.com/news/articles/2012-07-26/china-hackers-hit-eupoint-man-and-d-c-with-byzantine-candor, 26 July 2012.
[RIP 15] RIPLEY W., “North Korean defector: ‘Bureau 121’ hackers operating in China”, CNN, https://edition.cnn.com/2015/01/06/asia/north-korea-hackers-shenyang, 7 January 2015.
[SEC 19] SECUREWORKS, “A peek into Bronze Union’s toolbox”, Counter Threat Unit Research Team, https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox, 27 February 2019.
[SHA 13] SHAKARIAN P., SHAKARIAN J., RUEF A., Introduction to Cyber-warfare: A Multidisciplinary Approach, Elsevier, New York, NY, 2013.
[SHA 18] SHANE S., FRENKEL S., “Russian 2016 influence operation targeted African-Americans on social media”, The New York Times, 17 December 2018.
[SMI 17] SMITH G., “A Russian hacker confessed to hacking the DNC during the election campaign”, Fortune, https://fortune.com/2017/12/11/russian-hacking-election-confession, 11 December 2017.
[SPI 13] SPIEGEL STAFF, “Documents reveal top NSA hacking unit”, Der Spiegel, https://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spyon-global-networks-a-940969-3.html, 29 December 2013.
[STE 16] STECH F.J., HECKMAN K.E., STROM B.E., “Integrating cyber-D&D into adversary modeling for active cyber-defense”, in SUSHIL J., SUBRAHMANIAN V.S., SWARUP V., WANG C. (eds), Cyber-deception: Building the Scientific Foundation, Springer, Basel, Switzerland, 2016.
[SYM 18] SYMANTEC CORPORATION, “Leafminer: New espionage campaigns targeting Middle Eastern regions”, Threat Intelligence, https://www.symantec.com/blogs/threatintelligence/leafminer-espionage-middle-east, 25 July 2018.
[UNI 12] UNITED STATES DEPARTMENT OF DEFENSE, Resilient military systems and the advanced cyber-threat, Task Force on Resilient Military Systems and the Advanced Cyber-Threat, Defense Science Board, Office of the Under Secretary of Defense for Acquisition, Technology and Logistics, Washington, DC, 2012.
[UNI 18] UNITED STATES DEPARTMENT OF JUSTICE, Russian national charged with interfering in US political system, Office of Public Affairs, Washington, DC, 19 October 2018.
[VAL 18] VALERIANO B., JENSEN B., MANESS R.C., Cyber-Strategy: The Evolving Character of Power and Coercion, Oxford University Press, New York, NY, 2018.
[WIL 15] WILLARD G.N., “Understanding the co-evolution of cyber-defenses and attacks to achieve enhanced cybersecurity”, Journal of Information Warfare, no. 2, pp. 16–30, 2015.
[ZET 11a] ZETTER K., “Hacker spies hit security firm RSA”, Wired, https://www.wired.com/2011/03/rsa-hacked/, 17 March 2011.
[ZET 11b] ZETTER K., “How digital detectives deciphered Stuxnet, the most menacing malware in history”, Wired, https://www.wired.com/2011/07/how-digital-detectivesdeciphered-stuxnet/, 11 July 2011.

5 Moving from Uncertainty to Risk: The Case of Cyber Risk

5.1. Introduction

Every day, we receive information about cyber-attacks and the failures of IT systems to prevent data theft. Cybersecurity is becoming a central subject and a societal demand. With the advent of the Internet and the inter-connection of computer systems, the need to build a society that is more resilient to cyberthreats is rising. As for any other type of crime, society must learn to cope with it and fight it. One step in this direction is the study and understanding of the events that have already happened, as well as a better grasp of the various motivations for cybercrime. This chapter aims to describe the quantitative methods we are using to cope with this problem and to explain our scientific approach. It concentrates on the methodological aspects, which we illustrate with the study we have conducted on the French Gendarmerie Nationale (GN) database of cybercrime complaints registered at their offices. Some tools or methods are described more exhaustively than others, whenever they can be made accessible to non-statisticians or to those who would like to use them or at least understand their usage. Other, more technical concepts are briefly overviewed, just to give an idea of the concept’s background. In section 5.2, we explain how we move from an uncertain future to a future where the uncertainty is quantifiable and thus becomes a risk that can be partly hedged. In section 5.3, we describe the process to collect the data and its structure. Section 5.4 is dedicated to data cleansing, an inescapable step if we want to develop valuable models. In section 5.5, we deal with the problem of learning important behaviors from the data using simple statistics. Section 5.6 concentrates on univariate modeling, while section 5.7 is dedicated to both the multivariate and dynamic approaches. In the last section, we draw conclusions and methodological recommendations.

Chapter written by Michel DACOROGNA and Marie KRATZ.

5.2. The scientific approach to move from uncertainty to risk

Already in the 18th Century, philosophers came to realize that risk could contain two aspects. For instance, the French thinker Étienne Bonnot de Condillac (1714–1780) described risk as “The chance of incurring a bad outcome, coupled with the hope, if we escape it, to achieve a good one.” We see here the birth of a notion that will become prevalent in finance and economics over the course of the 20th Century. Taking risks is specific to entrepreneurs, investors or insurance companies. They do it in search of a future good outcome. The risk-taker always aims at producing a surplus, either industrial or financial. The stochastic nature of future outcomes was noted early, already with the creation of the first mortality table in the 17th Century and later in finance, thanks to the pioneering work of the French mathematician Louis Bachelier at the beginning of the 20th Century. However, a proper treatment of this behavior was not generalized until the second half of the 20th Century, with the advances of mathematics and economic theory. One of these advances is a better definition of the notion of risk, which is often confused with uncertainty. In economics, the seminal work of Knight (1921) laid the foundation for distinguishing risk from uncertainty. He defines “risk” as randomness with knowable probabilities (measurable uncertainty), while “uncertainty” is randomness with unknowable probabilities (unmeasurable uncertainty).
In this sense, risk is measurable and thus manageable, while uncertainty is part of life and has to be accepted as such and managed only through its consequences. The realization that taking risk can produce a return and that it is measurable has given birth to the insurance industry, starting with the first insurance contracts of the Babylonians up to the sophisticated risk modeling tools of modern insurance companies, as well as hedge funds and banks. Quantitative risk management (QRM) takes its sources from the progress of computers coupled with the advances in mathematics, in particular in probability theory following Kolmogorov, Fisher and others, and with the advent of extreme value theory. Over the years, QRM has reached a level of sophistication unheard of even in the recent past. QRM uses complex tools and extrapolation techniques to obtain insights into the probability of rare events and into ways to diversify away the risks, so as to be able to manage the consequences of the bad realization of any of them. The frontier between uncertainty and risk should not be considered fixed. Advances in science have shown that this frontier can always be pushed back further, by discovering that uncertainty can be transformed into risk when models become available. Pursuing the debate among economists on uncertainty and risk, Daniel Ellsberg (1961) introduced the notion of ambiguity, which he defines as risk whose probability is not known to the person who decides. He showed that people prefer a solution for which the probability is known, even if the chances of success are small, to a solution with an unknown probability. This is another encouragement to improve risk management: to move the frontier from uncertainty or ambiguity in favor of risk. More developments on these notions of risk can be found in the work by Dacorogna and Kratz (2015).

Risk is defined in risk theory as the deviation from expectation, since risk is the unexpected. It can be summarized by various quantities like the variance or other risk measures. Once we are able to describe risk with a probability distribution, we can evaluate it conveniently; the difficulty lies in finding adequate probabilistic models, using a scientific approach. The conservatism of trying to read or fit phenomena within a given theoretical frame or a given economic theory (and its associated models) has to be replaced by a more scientific approach.
It is important to learn from observations (data), especially as data are becoming more and more widely available, rather than selecting a priori specific observations that fit within a theory. Moreover, the existence of complex interactions and phenomena does not necessarily call for complex models to handle them, nor does it justify reducing them to over-simple models. The scientific approach consists of distinguishing the main factors of the phenomenon and of modeling them. Fundamentally, science helps simplify without reducing the problem, putting it on grounds that can be treated and experimentally proven. As summarized very well in a quote attributed to Einstein, even though he never expressed it this way: “Everything should be made as simple as possible, but no simpler” (Championing Science 2019). Such an approach remains crucial to handle this complex world, with its inherent risks (which have always existed) and the new ones born from more connections. Studying the dependence between risks is essential for understanding their real impacts and consequences. This has always been a topic in probability and statistics when looking at what is referred to as a multivariate framework, or even further, a multidimensional context. We propose in this study to illustrate the scientific approach we follow to analyze the GN database of registered complaints related to cyber-attacks. The idea is to show how we can, with such an approach, move from the uncertainty created in society by cybercrimes to a measurable risk, against which we can find ways of hedging its worst consequences, thus making society more resilient towards this threat.

5.3. Learning about the data: the exploratory phase

All too often in the literature, we find papers that use data to show that the presented model is a good model. Our approach here is different: our aim is to understand the environment in which our data has been generated. We do not want to begin with preconceived ideas on the right model to use. While we were working with the officers of the Gendarmerie Nationale, they explained to us how the data were input into the system. The first entry into the database comes from the officer who receives the complaint at one of the GN offices in France. He/she is usually not a specialist in cybersecurity but rather a generalist. The data is collected all over the country, except in the big cities (Paris, Lyon, Marseille, etc.) that are under the responsibility of the Police Nationale. So, the officers will be confronted with complaints coming from medium-sized cities, towns and the countryside.
The first concern of the officer is not to fill a database, but to help the people who are filing the complaints and to try to find the culprit. This explains why the database has many errors, due either to incorrect transcriptions or to typing errors. The Gendarmerie Nationale started collecting the data centrally in 2014, but the process has only been fully functional since around July 2015. Since then, the C3N (Centre de lutte contre les criminalités numériques¹, part of the “service central de renseignement criminel de la GN”² (SCRCGN)) has been managing the database and taking care of its quality. One of the C3N missions is to exploit the intelligence gathered from the data to improve the prevention of, and fight against, cybercrimes. A collaboration between SCRCGN and the ESSEC risk research center – CREAR – has been put in place to analyze the data from a statistical point of view and to build probabilistic models to help us better understand the underlying risk. Another benefit of this collaboration will be to eventually produce an anonymized dataset, which will be made publicly available to researchers. The data are provided through a user interface that contains the following fields:
– a report on the complaint written by the officer;
– the report date;
– the location of the alleged fraud;
– the amount of damages;
– the gender of the victim;
– the date of birth of the victim;
– a field called “category”;
– a “natinf” field describing the type of cybercrime.
The report is a plain text describing the event and the cause of the complaint, which can also contain information about the amount of damages and about the victim (name, gender, family relations, etc.). The category field corresponds to a classification internal to C3N and essentially distinguishes between cyber fraud and attacks. The natinf field is a number corresponding to the list of crimes recognized by the Minister of Justice. During our exploration, we found that there was no binary field distinguishing between fraud against private individuals and fraud against companies or institutions, although there are complaints from both companies and individuals. It can be deduced most of the time from the description given in the report field (via text mining, given the large database). But to save time, we recommended that the GN add this field.
Another field that will be very useful is a field for software attacks as opposed to frauds via email or via websites. This would allow us to analyze classical frauds (for which only the tool has changed with time, being nowadays a computer) separately from those that require the development of specific software like viruses or worms. During the cleansing phase, we noted that the vast majority of the complaints are related to traditional schemes of fraud, carried out with the use of a computer. The difference is, of course, that it widens the traditional reach of criminals and makes it easier for them to hide their whereabouts.

The anonymization of the data, which is a condition for opening the information to the public, is not an easy goal to achieve. Rendering the data fully anonymous requires the help of specialists in order to prevent the reconstruction of data not present in the anonymous dataset. However, even though we are not anonymization specialists, we have taken a first step in this direction when collecting the data for our work: we did not select fields containing names and locations, and we transformed the date of birth into age in months at the time of the reported complaint.

¹ Meaning the Center against digital crime.
² Meaning the GN central criminal intelligence service.

5.4. Data cleansing

To develop credible models, we need data that are representative of the phenomenon we are studying. This means a phase of data cleansing to ensure the quality of the representation of the problem at hand. In the case of the C3N database, although some data were collected in 2014 and in early 2015, these data are very sparse, with only 58 filed complaints until July 2015. So, it does not make sense to include them in a statistical study. Similarly, the last months of the database, from May 2019 to July 2019, show a big drop in the number of entries (less than half). The people in charge confirmed to us that some reports might not yet have been registered in the database. Thus, here too, it makes sense to consider only a period during which the database is complete.
The sample considered here for the exploration is then restricted to the period from July 2015 to April 2019, with 208,037 entries, which is still a large number. A first objective of the collaboration between C3N and CREAR is to validate the reliability of the database via different methods, such as text data mining and exploratory statistics. Given the large amount of data, it is not possible to check the plausibility of each entry manually. C3N developed an automatic text recognition algorithm to check the various fields and their congruence. However, this procedure is still in its early days and needs to be refined. Some typical errors that were found during our manual exploration are:
– negative values in the amount field. Usually these values should simply be given as an absolute value, but sometimes they were mistakenly entered with a negative sign since they represent a loss;
– some ages of victims were too high, due to a typing error in the date of birth;
– the age of victims who are minor children is not always reported; instead, the age of their legal representative is entered in the date of birth field of the victim. This type of incorrect data input can only be caught by comparing the description in the report with the date of birth field;
– sometimes, when the date of birth field is not filled, it might be because the attack was against a company rather than against an individual;
– some very small or very large values can also be due to typing mistakes. Allowing for decimals instead of only integers was also a source of error.
Most of these errors could be detected by an intelligent text recognition algorithm that compares the fields to the complaint report written by the officer. The automatic procedure is under current development. Although it helped catch the most obvious problems, it still requires more sophisticated algorithms to obtain a complete and trustworthy database. Clearly, for some difficult cases, expert opinions cannot be avoided, but their number should be limited to single or low double digits. One of the improvements we would like to bring to the automatic detection is a better way to classify the types of crime. Currently, the system is very rigid and one category excludes the other, while sometimes two categories could be involved, like ransomware and identity theft. In the present categorization, ransomware is associated with CryptoLocker only.
The typology of cyber-attacks is changing rapidly; the classification must be more flexible to quickly adapt to these developments. We also need to be able to rapidly detect massive attacks through the individual filing of complaints. This is only possible if we can associate an intelligent anomaly detection algorithm with a flexible classification mechanism. This algorithm will serve both purposes: detecting errors in the input and providing an early warning system in case of massive attacks. All of these can be fulfilled through various methods combining text recognition and machine learning algorithms.

For the study presented here, we have done our own cleansing, partly by choosing a relevant sample and partly manually. Since we are interested in the extremes, we manually reviewed the 1,100 largest amounts, which represent a quantile around 96.5% of the data with amounts above 500 €, by comparing the text of the report with the other fields. We found many problems in this subset. The main one was a mistake in the cents of the amounts: instead of cents, the amounts were reported without a dot marking the cents, for instance, reporting 50,000 instead of 500.00 €. The decimal issue accounted for 90% of the errors we found manually. It could also be the other way round. This will have to be checked in the next phase. In Table 5.1, we show the number of data points according to the reported amounts after the cleansing steps described above. We distinguish between amounts below 500 € and above, because, according to the procedures of the GN, no legal inquiry is pursued for small amounts. It is thus a natural threshold, which is, by the way, known by hackers. Hence, we see many amounts just below it. The hackers will pursue a strategy of trying to get many small amounts through a malware rather than one big extortion. There are also many small amounts in the database (about 14%), unless too many errors were made with the decimal issue.

Amount in €      Number of complaints      Percentage of the sample
ND or x = 0      145,052                   70.69%
0 < x < 500      29,074                    13.97%
x ≥ 500          31,911                    15.34%

Table 5.1. Repartition of the data according to the reported amount (ND means “not declared”)

5.5. Statistical exploration on the various variables of the dataset

Once we have at our disposal a trustworthy dataset, the first step towards building a model is to explore it statistically with a minimal set of assumptions for detecting empirical regularities. Starting with descriptive statistics, simply computing the first four moments of the distribution already gives some useful information. In this section, we describe the quantities we computed and illustrate them with the complaint amounts, as this is a natural quantitative variable analyzed by insurance companies, for instance, to understand the economic consequences of cybercrimes.

Moving from Uncertainty to Risk

131

Let us define a real random variable (rv) $X$ on a probability space $(\Omega, \mathcal{A}, P)$ with cumulative distribution $F$ and, when it exists, probability density $f$. The $n$th moment of a distribution is defined as:

$$\mu_n = E[X^n] = \int_{-\infty}^{\infty} x^n \, dF(x) = \int_{-\infty}^{\infty} x^n f(x)\, dx,$$

where $E$ is the expectation operator. Of course, the moments exist only if the integral converges. The convergence thus depends on the type of underlying theoretical distribution of $X$: the higher the order $n$ of the finite moments, the faster the tail of the distribution (defined by $P[X > x]$, for large $x$) converges to 0. For instance, the Gaussian distribution is light tailed, with a tail distribution decreasing exponentially fast to 0, hence all its moments are finite. Taking now the Pareto distribution, whose decay to 0 is of power type ($P[X > x] = x^{-\alpha}$, $\alpha > 0$ and $x \ge 1$), much slower than an exponential decay, it has finite moments of order $k - 1$ (but not of order $k$) if and only if $k - 1 < \alpha \le k$ (for instance, a Pareto with shape parameter $\alpha = 2.5$ has finite first and second moments, but no third and further moments). We can estimate the moments on our data sample, using empirical estimators. But be careful: even if the moments do not exist (meaning they are infinite), evaluating them on a finite sample will of course lead to a finite number. Hence, “theoretical infinity” has to be interpreted for a finite sample as “a very large value”. Let us start by estimating the first moment, the mean $\mu = \mu_1 = E[X]$ (which is unknown, but which we try to evaluate on our sample of observations), considering the empirical mean as estimator:

$$\hat{\mu} = \frac{1}{N} \sum_{i=1}^{N} X_i,$$

where $N$ is the sample size, i.e. the number of observations $x_i$, considered as realizations of the rv $X$. The law of large numbers states that $\hat{\mu}$ converges almost surely to the unknown mean $\mu$. Replacing in the above estimator the $X_i$'s by the observed values $x_i$ gives an estimate of the mean. If we want to know how fast the convergence is (to see whether we can observe it on our sample), we will use asymptotic theorems, for example the central limit theorem. The larger the number of observations $N$, the more precisely we can estimate the theoretical expectation $\mu$.


Turning to the second moment, we can center it (i.e. consider $X - E(X)$ instead of $X$) to evaluate the variance, defined by $\mathrm{var}(X) = E[(X - E(X))^2]$. To do so, we consider, once again, its empirical estimator defined by

$$\widehat{\mathrm{var}}(X) = \frac{1}{N-1} \sum_{i=1}^{N} (X_i - \hat{\mu})^2.$$

Note that the division by $N - 1$ comes from the fact that we use the estimator of $\mu$ instead of $\mu$ (if $\mu$ were known, we would use it and simply divide by $N$). Once again, we will provide an estimate of it, computing $\frac{1}{N-1}\sum_{i=1}^{N}(x_i - \hat{\mu})^2$, $\hat{\mu}$ corresponding here to an estimate. The variance gives us the dispersion around the mean. A convenient quantity to measure this dispersion is the coefficient of variation defined by

$$CV = \frac{\sqrt{\mathrm{var}(X)}}{E[X]},$$

which can also be evaluated by taking the estimates of each moment involved. For instance, a coefficient of variation of 0.1 would mean that the dispersion around the mean is about 10%. Another useful piece of information on the distribution is its asymmetry. The centered third moment of $X$ (with mean $\mu$ and standard deviation $\sigma = \sqrt{\mathrm{var}(X)}$) helps to evaluate it. Indeed, the skewness of the distribution of $X$, denoted by $\gamma_1$, is defined as the standardized third moment of $X$:

$$\gamma_1 = E\left[\left(\frac{X - \mu}{\sigma}\right)^3\right] = \frac{E[(X-\mu)^3]}{\left(E[(X-\mu)^2]\right)^{3/2}}.$$

This last expression shows us how to estimate this value, replacing the expectations by their empirical means. Finally, we would like to learn about the shape of the probability distribution of $X$. To do this, we evaluate the kurtosis $\gamma_2$ of the distribution, related to the fourth moment of $X$, as follows:

$$\gamma_2 = E\left[\left(\frac{X - \mu}{\sigma}\right)^4\right] = \frac{E[(X-\mu)^4]}{\left(E[(X-\mu)^2]\right)^{2}}.$$


As for all the other quantities we have defined, the convergence of the estimator is not guaranteed if the theoretical moments do not exist. It will depend on the distribution of the random variable. However, on a finite number of observations, we can always compute a number that will give us some information on the type of data we are facing. Armed with these quantities, we estimate them on our data, using the third sample of Table 5.1, which we consider as the main (representative) sample, containing 31,911 observations. We concentrate on the amount registered with the complaint, in order to measure the severity of cyber-related losses. So, the next step will be to look at the empirical properties of the loss severity, considered as a random variable. The results are presented in Table 5.2. Besides the moments described previously, we also give the extremes (maximum and minimum) of the sample, as well as the median, i.e. the value above which we have as many observations as below it. The values displayed in the table are very instructive. First of all, we see that the observations are very biased towards the high values. This is shown both by the high positive skewness and by the large difference between the median and the mean, which is more than twice the median. Moreover, the very large standard deviation points towards an infinite second moment, which is reinforced by the coefficient of variation that is close to 100. The kurtosis is also very high. Even if the estimation of the skewness and the kurtosis on only one sample is known not to be very robust, we will not use other tools (e.g. bootstraps) to address this estimation uncertainty. Indeed, with such a large sample size and such large estimated values, we may consider all those observations as marks of a heavy-tailed distribution, which will be confirmed in the next section.

Min   Max         Mean      Median     Standard deviation   CV    Skewness   Kurtosis
500   8,069,984   6,460.1   1,500.00   61,891.6             9.6   90.6       10,512.6

Table 5.2. Descriptive statistics on the sample whose amounts are above 500 €, of size N = 31,911
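The cleansing rule described above (amounts typed without the cents dot), the three classes of Table 5.1 and the estimators of section 5.5 (variance divided by N − 1, standardized third and fourth moments), as an added example that is not the chapter's own code. The complaint records are constructed and their field layout is an assumption; the Pareto sample at the end illustrates the caveat that a finite sample always yields a finite estimate even when the theoretical moment is infinite.

```python
"""Cleansing flags, Table 5.1 classes and Table 5.2 descriptive statistics.

Added example, not the chapter's own code. The records below are a constructed
stand-in for the GN database (the field layout is an assumption); the
decimal-error rule, the 500-euro threshold and the moment estimators follow the text.
"""
import math
import random
from typing import Optional

# Constructed complaint records: (declared amount in euros, report text).
# None stands for "ND" (not declared).
RECORDS = [
    (None, "phishing attempt, no money lost"),
    (0.0, "identity theft, damage unknown"),
    (49.0, "small transfer, below the legal-inquiry threshold"),
    (499.0, "repeated small extortion"),
    (1500.0, "ransomware, one payment"),
    (50000.0, "fraudulent transfer of 500.00 euros"),   # typed without the cents dot
    (8069984.0, "large corporate fraud"),
]


def flag_decimal_error(amount: Optional[float], text: str) -> bool:
    """True when the declared amount is exactly 100 times a figure quoted in the
    report text, the pattern the manual review found (50,000 typed for 500.00).
    Assumes the report text quotes the intended figure."""
    if amount is None:
        return False
    for token in text.replace(",", "").split():
        try:
            quoted = float(token)
        except ValueError:
            continue
        if quoted > 0 and math.isclose(amount, quoted * 100):
            return True
    return False


def bucket(amount: Optional[float]) -> str:
    """The three classes of Table 5.1; 500 euros is the GN legal-inquiry threshold."""
    if amount is None or amount == 0:
        return "ND or x = 0"
    if amount < 500:
        return "0 < x < 500"
    return "x >= 500"


def repartition(records):
    """Counts per Table 5.1 class, after setting aside records flagged for the decimal error."""
    counts = {"ND or x = 0": 0, "0 < x < 500": 0, "x >= 500": 0}
    for amount, text in records:
        if flag_decimal_error(amount, text):
            continue  # sent back for manual correction, as in the text
        counts[bucket(amount)] += 1
    return counts


def describe(xs):
    """Min, max, mean, median, standard deviation (N-1), CV, skewness and kurtosis:
    the quantities of Table 5.2, computed with the estimators of section 5.5."""
    n = len(xs)
    mean = sum(xs) / n
    dev = [x - mean for x in xs]
    var = sum(d * d for d in dev) / (n - 1)      # mu is estimated, hence N-1
    m2 = sum(d ** 2 for d in dev) / n            # centered empirical moments
    m3 = sum(d ** 3 for d in dev) / n
    m4 = sum(d ** 4 for d in dev) / n
    srt = sorted(xs)
    median = srt[n // 2] if n % 2 else (srt[n // 2 - 1] + srt[n // 2]) / 2
    sd = math.sqrt(var)
    return {"min": srt[0], "max": srt[-1], "mean": mean, "median": median,
            "sd": sd, "cv": sd / mean,
            "skewness": m3 / m2 ** 1.5, "kurtosis": m4 / m2 ** 2}


def empirical_moment(xs, order):
    """Raw empirical moment of the given order: always a finite number on a finite
    sample, even when the theoretical moment is infinite (the caveat in the text)."""
    return sum(x ** order for x in xs) / len(xs)


def pareto_sample(alpha, n, seed=0):
    """Constructed Pareto sample, P[X > x] = x^-alpha for x >= 1, by inversion."""
    rng = random.Random(seed)
    return [(1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]


if __name__ == "__main__":
    print(repartition(RECORDS))
    amounts = [a for a, _ in RECORDS if a is not None and a >= 500]
    print(describe(amounts))
    # alpha = 2.5: first and second moments finite, third infinite; the estimate
    # of the third moment is nonetheless finite and keeps growing with n.
    for n in (1_000, 100_000):
        print(n, empirical_moment(pareto_sample(2.5, n), 3))
```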

The analysis of the descriptive statistical results leads us to consider or develop some models capturing the features revealed through the data exploration phase. Although it might seem obvious, we insist on this step of learning from the data to think about possible models (to use or to build), and not doing the reverse, i.e. developing models and then looking for possible applications. There is a back and forth between data and models: learning from the data, we can suggest some models that we will then fit to the data. Moreover, a back and forth between modelers and domain experts is essential to avoid bias, or an a priori on the data, when performing a statistical analysis, if we want to learn from the data. Once we obtain results, they can be analyzed and interpreted by statisticians and experts. A very simple example of this was our first run on the dataset, which showed a maximum of 50,000,000. The expert did not recall having seen such a high amount. So, we went back together to look at this case in the database and found out that the amount was wrongly typed and was a factor 10 too high. Table 5.2 gives us very good arguments to look at the amounts registered in the complaints as a heavy-tailed process. The remaining question is how heavy the tail of the distribution is. This is the subject of the next section, where we introduce the basics of extreme value theory (EVT).

5.6. Univariate modeling for the relevant variables

As already pointed out, the analysis of the descriptive statistical results leads us to consider or develop some models capturing the features revealed through the data exploration phase. To illustrate this way of thinking, let us first turn to the univariate modeling of the main variables, taking here the example of the loss severity incurred by victims of cyber-attacks, which is labeled as “damages” in the database. As observed on the descriptive statistics (section 5.5), the large variance, skewness and kurtosis point to the existence of a heavy tail. This will lead us to look for heavy-tailed modeling.
Before presenting the model, let us say just a few words on extreme value theory (EVT), which develops asymptotic theorems for extremes, as the central limit theorem (CLT) does for the mean (under some conditions). The standard CLT states that the empirical mean (average of many independent realizations that constitute a sample) of a real random variable with probability distribution $F$ (having a finite variance) converges in distribution to a Gaussian random variable, regardless of $F$; the larger the sample size, the faster the convergence. On the other side of the spectrum, extremes are related to unexpected, abnormal or extreme outcomes. EVT studies this type of realization and finds regularities in their behavior, as the CLT does for the average realizations. The literature on EVT is very broad. We refer the reader to a few books on the topic (in chronological order by the first edition): Leadbetter et al. (2011) (1st ed. 1983), Resnick (2008) (1st ed. 1987), Embrechts et al. (2011) (1st ed. 1997), Reiss and Thomas (2007) (1st ed. 1997), Beirlant et al. (2004), de Haan and Ferreira (2006) and Resnick (2007). In univariate EVT, there are two main results when considering independent and identically distributed (iid) random variables. The first states that the limiting distribution for the rescaled sample extreme (i.e. renormalized maximum) is the so-called generalized extreme value (GEV) distribution, defined by

$$G_{\mu,\sigma,\xi}(x) = \exp\left\{-\left[1 + \xi\,\frac{x-\mu}{\sigma}\right]^{-1/\xi}\right\}, \quad \text{for } x \text{ such that } 1 + \xi\,\frac{x-\mu}{\sigma} > 0.$$

It is a three-parameter distribution, with location parameter $\mu$, scale parameter $\sigma$ and tail index $\xi$, this last parameter being our focus in EVT as it determines the nature of the tail distribution. If $\xi > 0$, the GEV is a Fréchet distribution, characterized by a fat or heavy tail; if $\xi < 0$, it is a Weibull distribution (with finite upper endpoint, contrary to the Fréchet one); if $\xi = 0$, it is a Gumbel distribution, with a light tail. The existence of moments of the GEV distribution is related to the value of the tail index. The larger the tail index, the heavier the tail. For instance, if $\xi \ge 1/2$, the second moment of the distribution does not exist. Why are we interested in the nature of the tail? To be able to correctly evaluate the probability of occurrence of extreme events.
To illustrate the impact of the tail heaviness, compare the capital needed to cover a risk up to a probability, say for example of 99%, when having a distribution with a light tail (as, for instance, the Gaussian distribution, whose tail decays exponentially fast to 0) versus a heavy tail (as, for instance, a Pareto distribution, whose tail decays polynomially to 0, hence more slowly than a Gaussian one). As an example to illustrate this point, we show, in Figure 5.1, the tails of both normal (or Gaussian) and Fréchet distributions with the same mean ($\mu = 1.35$) and standard deviation ($\sigma = 0.92$), where we see how fast the tail of the Gaussian distribution converges to 0, compared with the Fréchet one (we used a log-scale on the y-axis to better visualize the difference). In this example, we have chosen a relatively mild heavy-tail index $\xi = 1/3$, or shape parameter $\alpha = 1/\xi = 3$ (indicating a finite second moment but an infinite third moment). According to regulation, the amount of capital needed to cover risk corresponds to a quantile of order 99% (for banks; for insurance companies, it is of order 99.5%). From our example, it is obvious that the quantile associated with a light tail (in this example, the quantile $q_{99\%} = 3.49$ of the normal distribution with mean $\mu$ and variance $\sigma^2$) is much smaller than that with a fat tail ($q_{99\%} = 4.64$ for our Fréchet distribution with the same mean as for the normal distribution). This means that the amount of capital required to cover risk will be much smaller when using a model with a light tail than with a fat tail. In this example, the heavy-tailed distribution would require 33% more capital. Hence the need to accurately evaluate the shape of the tail distribution when analyzing risks.

[Figure 5.1: plot of the tails of the Fréchet (alpha = 3) and Gaussian distributions; x-axis from 3.000 to 5.500, y-axis from 0.0% to 4.0%]

Figure 5.1. Tail of a Gaussian (or normal) (in red) and a Fréchet (in blue) distribution respectively with a log-scale for the y-axis (representing − log y instead of y). Both distributions have the same mean, and the Fréchet distribution has a tail index of 1/3 (or shape parameter α = 3). The quantile of each distribution, taking the same order (99%) for both, is pointed out with dashed lines. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

Extracting more information from the tail of the distribution than just that given by the maximum should help the statistical evaluation of the tail index (measuring the fatness of the tail). Therefore, considering the $k$th ($k \ge 1$) largest order statistics (considered as extremes in the sense that they exceed a high threshold), we introduce the notion of “threshold exceedances”. The second EVT pillar theorem, the Pickands theorem, proves that for a sufficiently high threshold $u$, a very good approximation to the excess distribution function (i.e. the distribution of the exceedances above $u$) is the generalized Pareto distribution (GPD) $G_{\xi,\sigma(u)}$ defined by

$$G_{\xi,\sigma(u)}(y) = \begin{cases} 1 - \left(1 + \xi\,\dfrac{y}{\sigma(u)}\right)^{-1/\xi} & \text{if } \xi \neq 0 \\[2mm] 1 - \exp\left(-\dfrac{y}{\sigma(u)}\right) & \text{if } \xi = 0, \end{cases}$$

where $y \ge 0$ if $\xi \ge 0$, and $0 \le y \le -\sigma(u)/\xi$ if $\xi < 0$. As for the GEV, we have three different cases for the GPD $G_{\xi,\sigma(u)}$, depending on the sign of $\xi$, giving back a heavy tail if $\xi > 0$, a light tail if $\xi = 0$ and a finite upper endpoint if $\xi < 0$.
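The Gaussian versus Fréchet comparison of Figure 5.1 and the GPD just defined, as an added example that is not the chapter's own code. The mean 1.35 and standard deviation 0.92 quoted in the text are, up to rounding, those of the standard Fréchet with α = 3, so that distribution is used directly (an assumption made here); the quantiles, the extra capital and the moment-existence rule in terms of ξ are then computed rather than read off the figure.

```python
"""Tail heaviness and the capital it implies: Gaussian versus Fréchet, and the GPD.

Added example, not the chapter's own code. It reproduces the comparison of
Figure 5.1 (Gaussian and Fréchet with the same mean and standard deviation,
tail index xi = 1/3, i.e. alpha = 3) and implements the GPD of the Pickands
theorem as written in the text. Assumption: the standard Fréchet with alpha = 3
is taken as the text's Fréchet distribution (its mean and sd round to 1.35 and 0.92).
"""
import math
from statistics import NormalDist

ALPHA = 3.0           # Fréchet shape parameter alpha = 1/xi
XI = 1.0 / ALPHA      # tail index


def frechet_mean_sd(alpha: float):
    """Mean and standard deviation of the standard Fréchet, cdf exp(-y^-alpha)."""
    mean = math.gamma(1 - 1 / alpha)
    var = math.gamma(1 - 2 / alpha) - mean ** 2   # finite only if alpha > 2
    return mean, math.sqrt(var)


def frechet_tail(y: float, alpha: float = ALPHA) -> float:
    """P[Y > y] for the standard Fréchet: polynomial decay, like y^-alpha."""
    return 1 - math.exp(-(y ** (-alpha)))


def frechet_quantile(p: float, alpha: float = ALPHA) -> float:
    """Inverse cdf: solve exp(-y^-alpha) = p for y."""
    return (-math.log(p)) ** (-1 / alpha)


def gaussian_tail(y: float, mu: float, sigma: float) -> float:
    """P[X > y] for the Gaussian: exponential decay."""
    return 1 - NormalDist(mu, sigma).cdf(y)


def gaussian_quantile(p: float, mu: float, sigma: float) -> float:
    return NormalDist(mu, sigma).inv_cdf(p)


def capital_comparison(p: float = 0.99):
    """Quantile of order p under both models with matched mean and sd, and the
    relative extra capital the heavy-tailed model requires."""
    mu, sigma = frechet_mean_sd(ALPHA)
    q_gauss = gaussian_quantile(p, mu, sigma)
    q_frechet = frechet_quantile(p, ALPHA)
    return q_gauss, q_frechet, q_frechet / q_gauss - 1


def gpd_cdf(y: float, xi: float, sigma: float) -> float:
    """Generalized Pareto distribution G_{xi, sigma(u)}(y) of the text, for the
    excess y >= 0 above the threshold u; sigma is the scale sigma(u)."""
    if y < 0 or sigma <= 0:
        raise ValueError("excess must be >= 0 and scale > 0")
    if xi == 0:
        return 1 - math.exp(-y / sigma)            # light tail: exponential
    if xi < 0 and y >= -sigma / xi:
        return 1.0                                 # finite upper endpoint -sigma/xi
    return 1 - (1 + xi * y / sigma) ** (-1 / xi)   # xi > 0: heavy (Pareto-type) tail


def highest_finite_moment(xi: float):
    """Highest integer order n with a finite n-th moment for tail index xi:
    E[Y^n] < inf iff n < 1/xi (all moments are finite when xi <= 0)."""
    if xi <= 0:
        return math.inf
    return math.ceil(1 / xi - 1e-12) - 1   # small epsilon guards 1/xi being an integer


if __name__ == "__main__":
    mu, sigma = frechet_mean_sd(ALPHA)
    print(f"matched mean {mu:.2f}, sd {sigma:.2f}")
    q_g, q_f, extra = capital_comparison(0.99)
    print(f"q99 Gaussian {q_g:.2f}, q99 Fréchet {q_f:.2f}, extra capital {extra:.0%}")
    for y in (3.0, 4.0, 5.0):
        print(y, gaussian_tail(y, mu, sigma), frechet_tail(y))
    print("finite moments up to order", highest_finite_moment(XI))
```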

Univariate extreme value theory focuses on the evaluation of the tail distribution, more precisely on the estimation of the tail index. Hence, the first and main question is how to determine the threshold above which observations are considered as extremes. Various methods have been developed to answer this question. We refer the reader to the cited literature and to Kratz (2019) for an overview of some standard (supervised) and new (unsupervised) methods in univariate EVT. Looking to model the extreme loss severity associated with the registered complaints, we used an algorithmic (unsupervised) method developed by Debbabi et al. (2017) for heavy-tailed modeling, which we describe succinctly. This method is based on a hybrid distribution composed of three weighted components, with a $C^1$ density $h$:

$$h(x;\theta) = \gamma_1\, f(x;\mu,\sigma)\, \mathbb{1}_{(x \le u_1)} + \gamma_2\, e(x;\lambda)\, \mathbb{1}_{(u_1 \le x \le u_2)} + \gamma_3\, g(x - u_2;\xi,\beta)\, \mathbb{1}_{(x \ge u_2)},$$

with $f$: Gaussian pdf with mean $\mu$ and variance $\sigma^2$; $e$: exponential pdf with intensity $\lambda$; $g$: GPD pdf with tail index $\xi$ and scale parameter $\beta$; $\theta = [\mu, \sigma, u_2, \xi]$: the vector of parameters to be estimated; $\gamma_i$, $1 \le i \le 3$: the weights evaluated from the assumptions (in part from the $C^1$ condition), $\beta = u_2 \xi > 0$, $\lambda = (1+\xi)/\beta$ and $u_1 = \mu + \lambda\sigma^2$; $\mathbb{1}$ denoting the indicator function defined by $\mathbb{1}_A(x) = 1$ if $x \in A$ and 0 otherwise. The two main components, $f$ and $g$, have been chosen as the limit distributions for the mean and extreme behaviors, using the CLT and the Pickands theorem, to be as general as possible. An exponential distribution bridges the gap between those two components, and is also a way to better determine the threshold $u_2$ above which the Pickands theorem applies.

Figure 5.2. Hybrid probability density function. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

An iterative algorithm is then developed for estimating the parameters of this model. The initialization is made on $\mu$, $\sigma$, $u_2$ to determine a first value for the tail index $\xi$; then $\xi$ is fixed to evaluate the three other parameters again, and we iterate the process until the distance between the empirical and model distributions, as well as that between the empirical and model tail distributions, converges to 0. The convergence of the algorithm has been studied analytically and numerically. The performance of this method has been tested in terms of goodness of fit on simulated data and compared with other, more standard EVT approaches. Note that the main goal of this self-calibrating method is to determine in an automatic way the threshold $u_2$ above which the GPD fits the tail distribution, as well as the tail index $\xi$. The Gaussian component (based on the CLT) can be replaced by any distribution chosen specifically to model the main body of the distribution; the algorithm will be adapted accordingly, but its structure will not change at all.


Applying this method highlighted one feature of the loss severity associated with cyber-attacks, showing that it is very heavy-tailed, as could be expected from the descriptive statistics (finite mean but “infinite” variance). Fitting the GN dataset for loss severity above 500 €, we ended up with a tail index of the GPD between 2/3 and 1, and a threshold $u_2$ corresponding to the quantile of order 98.7% (around 40,000 €), where the tail starts (see Figure 5.3 for the tail fit). We see here that the fit is very good, particularly for very high quantiles. Moreover, the values of the tail index point towards very high risks, like natural catastrophes, where $\xi$ is between 0.59 and 0.77 for windstorms and hurricanes, while it hovers between 0.9 and 1.1 for earthquakes. Similarly, pandemic risks and systemic risks on financial markets are estimated to have tail indices between 0.5 and 0.6. Therefore, here, we are more in the range of natural catastrophes. To illustrate the point, we see that the quantile at 99.5% is around 150,000 €, which is more than 20 times the mean. Here, observing that the estimated tail index is larger than 1/2 confirms that the variance does not exist, nor do any of the higher-order moments. We had a hint of this when we discussed Table 5.2.

[Figure 5.3: tail of the GPD fit (gpd) against the empirical cdf (ecdf); y-axis from 0.88 to 1.00, x-axis (log-scale) from 8 to 16]

Figure 5.3. Tail of the empirical distribution (dashed line) and of the hybrid distribution (continuous line). The units on the x-axis are in a log-scale. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

5.7. Multivariate and dynamic modeling

As described previously, we provided trustworthy results on the tail behavior of the severity of losses incurred by victims of cybercrimes because we did a first cleansing of the data. We were able to manually double-check all the data concerning extreme amounts, going even lower than the threshold above which the GPD is fitted. For reporting further results on other fields of the database, we will need to wait for the full data cleansing to have taken place. Nevertheless, we can already think about the methodology we want to follow when studying the GN database, in a multivariate and dynamic context. Indeed, the first statistical results obtained on complaint severity (Dacorogna et al. 2018) already pointed to the existence of a strongly heavy-tailed and heterogeneous distribution for the amounts at stake in the complaints. Therefore, we aim to filter the data by developing a proper clustering relying on this information and to combine it with a new heavy-tailed and dynamic model for the severity distribution.

5.7.1. A fast-changing environment: time dependency

A second characteristic of cyber risk is its evolution in a fast-changing environment, mainly due to IT progress and its consequences, positive and negative (an increasing use of connected tools, very diverse cyber-attacks, etc.). It implies using dynamic modeling to take this changing environment into account. We note that it does not necessarily mean that this characteristic will translate into a non-stationarity of the time series we observe. Let us briefly recall the concept of stationarity of time series. The idea behind stationarity of a time series could be viewed as: the properties of the observed data are the same as those we will see in a future period. The starting and ending times of the sample do not really matter, as long as the sample is large enough to observe this invariance under time shift. We can mathematically formalize this concept by saying that a time series $X = (X_t, t \in T)$ is strictly stationary if its probability distribution is invariant under time shift:

$$\mathcal{L}(X_{t_1}, \ldots, X_{t_k}) = \mathcal{L}(X_{t_1+h}, \ldots, X_{t_k+h}), \quad \forall k \ge 1,\ \forall (t_1, \ldots, t_k) \in T,\ \forall h \text{ such that } (t_1+h, \ldots, t_k+h) \in T,$$

$\mathcal{L}$ denoting the distribution (law). This concept can be weakened by replacing the distribution with moments. For instance, if $X$ has second moments, $X$ is said to be weakly stationary at order 2 if and only if $E[X_t]$ is constant for any $t$, and $\mathrm{cov}(X_s, X_t) = \mathrm{cov}(X_0, X_{t-s})$ for any $s, t$. There are techniques to stationarize a time series, so that stationary models can then be used on the transformed time series (see, for example, Brockwell and Davis 2009).


Studying the stationarity of a time series requires having access to observations over a long time period in order to draw any conclusion. For instance, on the GN database, we can observe an increasing trend of the number of cyber-attacks, thus ruling out stationarity for the frequency when taken as a variable (but it might be wise to observe the trend over more years). As an example taking this non-stationarity into account, we can mention the bivariate model, a GPD-Poisson model, introduced in the first study we performed on the GN database (a preprint should soon be available, based on the internal report we wrote for the GN in 2018), which concerns the loss severity of the complaints and their frequency. This leads to taking a reparametrized GPD model, with scale parameter $\sigma(t)$ defined as a function of the intensity $\lambda(t)$ of the Poisson process modeling the times at which extreme amounts exceed the high threshold above which a GPD is fitted (for the loss severity), with the same tail index as in the univariate case. It was our first way to take time dependency into account. We will need to develop alternative models, where the model is updated along with the new data that comes in. As the time dimension becomes crucial in the analysis, time scale transformation could also be a solution to gain some stationarity of certain properties. In parallel, looking for simple statistical properties that do not vary with time is very important to give a good ground for the model and the possibility of generalization. Coming back to the problem of time-varying properties, a very convenient method to look at the dynamics of a random variable is to use moving averages, also called rolling windows. The idea is to choose a sample of smaller size than the dataset and to move the sample forward, dropping the first value and including the last value. Mathematically, it can be formulated like this, varying $t$:

$$M_t = \frac{1}{N}\sum_{i=0}^{N} X_{t-i} \quad \text{and} \quad M_{t+1} = M_t + \frac{1}{N}\left(X_{t+1} - X_{t-N}\right),$$

where $X_t$ is a time series and $N$ is the number of observations taken in the moving average. As an illustration, we present in Figure 5.4 the number of complaints per month during the entire period from July 2015 to April 2019. We observe over time a slight increase of the mean of the monthly frequency of complaints, around 4,000 for the years 2015 and 2016 (4,194.5 from July 2015 to December 2016) and 5,000 for the years 2017 and 2018 (5,032.8 from January 2017 to June 2018); these two values are represented by the blue curve. We represent in magenta (on the same figure) the variation of the monthly frequency of complaints with respect to the monthly average over the full sample. The normalized values appear on the right vertical axis and correspond to:

$$\frac{m_i - m_T}{m_T} \quad \text{with} \quad m_T = \frac{1}{k_T}\sum_{j=1}^{k_T} m_j, \qquad i = 1, \cdots, k_T,$$ [5.1]

where $k_T$ denotes the number of months over the period $T$, chosen here as $k_T = 46$ (for the considered years), and $m_i$ is the number of complaints for month $i$, $i = 1, \cdots, k_T$.

[Figure 5.4: plot of the monthly number of complaints over the 46 months, with the normalized values on the right axis]

Figure 5.4. Monthly frequency of the N complaints. The x-axis represents the 46 successive months over the entire period. The left y-axis gives the monthly frequency of complaints, while the right one gives the normalized number of complaints per month with respect to the monthly average on the full sample. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip
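The rolling window and the normalized monthly frequency of equation [5.1], as an added example that is not the chapter's own code. The window is implemented with N terms (the usual convention) through the incremental update of the text, the monthly counts are constructed rather than the GN figures, and the split into two periods mirrors the reading of Figure 5.4.

```python
"""Rolling window and normalized monthly frequency (equation [5.1]).

Added example, not the chapter's own code. It implements the moving average
of the text through its incremental update (here with an N-term window, the
usual convention), the normalized deviation (m_i - m_T)/m_T of equation [5.1]
and the per-period means used to read Figure 5.4. The monthly counts are
constructed, not the GN figures.
"""

# Constructed monthly complaint counts over 12 months, mimicking the two
# regimes described in the text (around 4,000, then around 5,000).
MONTHLY = [4100, 3900, 4250, 4000, 4150, 3950, 4900, 5100, 5050, 4950, 5200, 5000]


def moving_average(x, n):
    """Rolling mean M_t over the last n observations, for t = n-1, ..., len(x)-1.
    After the first window, each value comes from the update
    M_{t+1} = M_t + (X_{t+1} - X_{t+1-n}) / n: drop the oldest, add the newest."""
    if not 1 <= n <= len(x):
        raise ValueError("window size must be between 1 and len(x)")
    m = sum(x[:n]) / n
    out = [m]
    for t in range(n, len(x)):
        m += (x[t] - x[t - n]) / n
        out.append(m)
    return out


def normalized_frequency(m):
    """Equation [5.1]: (m_i - m_T) / m_T with m_T the mean over the k_T months."""
    k_t = len(m)
    m_bar = sum(m) / k_t
    return [(mi - m_bar) / m_bar for mi in m]


def period_means(m, split):
    """Mean monthly frequency before and from index `split` (the two periods,
    2015-2016 and 2017-2018, distinguished in the text)."""
    return sum(m[:split]) / split, sum(m[split:]) / (len(m) - split)


if __name__ == "__main__":
    print("3-month moving average:", [round(v, 1) for v in moving_average(MONTHLY, 3)])
    print("normalized [5.1]:", [round(v, 3) for v in normalized_frequency(MONTHLY)])
    print("period means:", period_means(MONTHLY, 6))
```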

The red curve associated with the normalization follows the same path as the blue one of the monthly number of complaints, as expected (from the way it is computed; see [5.1]). But the scale of the former, displayed on the right, is different, with values between -0.45 and 0.35, which allows us to distinguish easily the two periods: that of 2015–2016 (negative normalized number, and mean number of complaints of 4,195) and that of 2017–2018 (positive normalized number, and mean number of complaints of 5,033). Besides the existence of these periods, we observe a clear increasing trend for the year 2017. We see with this example how useful a moving average can be to explore the time variation of a particular random variable.

5.7.2. Causal relations

Not only does time dependency have to be looked at; finding causal relations and risk factors is also a necessary step to produce a model that is robust against the changing environment. It means further investigating the dependence between the explanatory variables available in the dataset and the extremes. Stochastic dependence has always been a topic in probability and statistics when looking at what is called a multivariate framework. Notions like linear correlation and copula, for instance, were introduced to treat this problem. The first one was formalized mathematically by Karl Pearson in a paper dating back to 1895 in the context of biometric studies (see Pearson 1895). The second was first named and formalized by Sklar (1959) in the context of probability theory to solve a theoretical problem posed by Fréchet, but turned out to become an important tool for applied probability and the evaluation of risks in financial institutions. The realization that risks are more interdependent in extreme situations led to the development of the notion of systemic risks, risks that would affect the entire system, as well as the notion of systematic risks, i.e. components present in all other risks. Various tools (simple and more sophisticated ones) can already be used and some new ones will have to be developed if we want to master risk in its complexity as much as possible. Distinguishing between linear and nonlinear types of dependence is an important first step. Let us recall just a few simple tools to measure the dependence between two random variables, say $X$ and $Y$ having distributions $F_X$ and $F_Y$ respectively.
To visualize dependence and help point towards the possible tools or models, scatter plots and ranked scatter plots (obtained when ordering the variables) turn out to be quite useful to give a graphical presentation of the relationship between two quantitative variables. For instance, looking at the ranked scatter plots in Figure 5.5, we see, from left to right, the cases where $X$ and $Y$ exhibit a perfect negative dependence (i.e. $Y \overset{d}{=} T(X)$, equality in distribution, with $T$ a strictly decreasing function), then $X$ and $Y$ are (stochastically) independent (no relation appears on the plot, points are just spread uniformly) and finally $X$ and $Y$ exhibit a perfect positive dependence (i.e. $Y \overset{d}{=} T^*(X)$ in distribution, with $T^*$ a strictly increasing function).

[Figure 5.5: three ranked scatter plots, both axes from 0.0 to 1.0]

Figure 5.5. Ranked scatter plots. From left to right: perfect negative dependence, independence, perfect positive dependence

Once we have observed some dependency (linear or nonlinear), we can turn to simple measures that provide a scalar summary of the dependence. We can start with the Pearson linear correlation $\rho$, which exists if the variables have a finite variance, defined by

$$\rho_{XY} = \frac{\mathrm{cov}(X,Y)}{\sqrt{\mathrm{var}(X)\,\mathrm{var}(Y)}}$$

with $\mathrm{cov}(X,Y) = E[(X - E[X])(Y - E[Y])]$ and $\mathrm{var}(X) = \mathrm{cov}(X,X)$, estimated via the empirical linear correlation

$$\rho_{XY} = \frac{1}{n-1}\sum_{i=1}^{n}(x_i - \bar{x})(y_i - \bar{y}) \Bigg/ \sqrt{\frac{1}{n}\sum_{i=1}^{n}(x_i - \bar{x})^2 \times \frac{1}{n}\sum_{i=1}^{n}(y_i - \bar{y})^2}$$

on a sample of size $n$ (the denominator $(n-1)$ is due to some estimation technique on a sample; if we considered the entire population, we would have $1/n$), with $\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i$ and $\bar{y} = \frac{1}{n}\sum_{i=1}^{n} y_i$ the empirical means of $X$ and $Y$ respectively. We have to be careful that the Pearson correlation only concerns linear correlation, hence represents a very restricted view of the dependence, except for the class of distributions for which the knowledge of

the covariance matrix gives full knowledge of the distribution, for example in the case of elliptical distributions (such as the Gaussian). If two variables $X$ and $Y$ are (stochastically) independent, then they are linearly independent, i.e. $\rho(X,Y) = 0$, but the converse is false. We illustrate this statement in Figure 5.6.

[Figure 5.6: four scatter plots of Y against X; left column ρXY = 1 (top) and ρXY = −1 (bottom); right column ρXY = 0 with independence (top) and ρXY = 0 with linear independence only (bottom)]

Figure 5.6. Interpreting linear correlation

On the left column, we see the cases where the two quantitative random variables $X$ and $Y$ are perfectly linearly dependent, positively on the top plot with $\rho_{XY} = 1$, negatively on the bottom plot with $\rho_{XY} = -1$. On the right column, we see two examples where $X$ and $Y$ are linearly independent as $\rho_{XY} = 0$, but on the top scatter plot, we see no relation (linear or not) at all between $X$ and $Y$, indicating a full (stochastic) independence, in particular a linear independence. On the bottom scatter plot, it appears that there is no linear dependence between the variables, which we find back through the measure $\rho_{XY} = 0$, but we clearly see that $X$ and $Y$ are very dependent on each other. Nonlinear dependence can be summarized via the ranked correlations such as the Spearman rho $\rho_S$ or the Kendall tau $\rho_\tau$, defined respectively by

$$\rho_S(X,Y) = \rho\big(F_X(X), F_Y(Y)\big) \quad \text{and} \quad \rho_\tau(X,Y) = 2\,P\left[(X - \tilde{X})(Y - \tilde{Y}) > 0\right] - 1,$$

with $(\tilde{X}, \tilde{Y})$ an independent copy of $(X, Y)$. The advantage of ranked correlations is that there is no condition on the variables for those quantities to exist (contrary to the linear correlation, for which we need variables with finite second moments). We extract information on the dependence only by ordering the variables, and by looking at their signs in the case of the Kendall tau. When trying to look more deeply at dependence structures, a possible tool is the so-called copula, a multivariate distribution $C$ from $[0,1]^d$ to $[0,1]$ with standard uniform marginal distributions, i.e. such that $C(1, \cdots, 1, u_i, 1, \cdots, 1) = u_i$ for any $i \in \{1, 2, \cdots, d\}$ and $u_i \in [0,1]$. Sklar's theorem states that the knowledge of the full distribution of a random vector comes back to the knowledge of the marginal distributions (i.e. the distribution of each component) and of the dependence structure between the components. In fact, there always exists a copula (dependence structure) associated with a joint distribution, and it is unique as soon as the marginal distributions are continuous. There exists an infinity of possible dependence structures. Some that have common properties have been grouped into classes, as, for instance, the class of elliptical copulas (among which are the Gaussian copula, the Student copula, etc.), the class of Archimedean copulas (among which are the Gumbel and the Clayton ones) defined via a generator function, the class of extreme-value copulas defined via a dependence function, and so on. We will not go into detail on that topic and refer the interested reader to Nelsen (2006), Mai and Matthias (2014) and Joe (2015). Nevertheless, we illustrate the notion in Figure 5.7 with examples of copulas used in practice. We observe a strong left tail dependence but no right tail dependence for the Clayton copula, and the reverse when taking the mirror (or survival) one.
For the Gumbel copula, we see some dependence in the right tail, whereas the Student and Gaussian copulas are symmetric in their tails. However, the Gaussian copula is asymptotically independent, i.e. there is no dependence in the extremes (in the left and right tails, the points appear spread out up to the x and y axes), whereas the Student copula looks very dependent in the tails (the points form a narrow line close to 0 and to 1, away from the x and y axes); this is also due to the chosen ν. Indeed, the smaller the number of degrees of freedom, the stronger the right and left tail dependence. We see in Figure 5.7 that even if all those copulas present the same Kendall tau of 0.5, the dependence structure

Moving from Uncertainty to Risk

147

can be widely different from one scatter plot to the next. Hence the importance, before embarking on modeling, of beginning with an exploratory analysis of the relation between random variables.

[Figure 5.7: five scatter plots, with panel titles Clayton, Gumbel, Clayton-M, Student v=1 and Gauss]

Figure 5.7. Examples: Clayton and survival Clayton on the first row; Gumbel, Student (with ν = 1 degree of freedom) and Gaussian copulas on the second row. All these plots have the same Kendall tau of 0.5
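To make the two ideas above concrete (ranked correlations on the one hand, copulas sharing the same Kendall tau but differing in their tails on the other), the following Python script is an added example written for this edition; it is not code from the chapter or from its authors, and every data point it uses is simulated inside the script. It implements the Spearman rho and Kendall tau directly from the definitions given above, samples a Clayton copula (θ = 2, hence Kendall tau 0.5) and a Gaussian copula (ρ = sin(π/4), hence Kendall tau 0.5 as well), and compares their empirical lower tail dependence, which is where Figure 5.7 shows them differing:

```python
"""Added example (not the chapter's code): ranked vs. linear correlation, and
two copulas with the same Kendall tau but different tail dependence.
Standard library only; all data are simulated here."""
import math
import random


def pearson(xs, ys):
    """Linear (Pearson) correlation rho_XY."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def ranks(xs):
    """Rank of each observation (1 = smallest); assumes no ties (continuous data)."""
    order = sorted(range(len(xs)), key=xs.__getitem__)
    r = [0] * len(xs)
    for rank, idx in enumerate(order, start=1):
        r[idx] = rank
    return r


def spearman_rho(xs, ys):
    """rho_S = rho(F_X(X), F_Y(Y)): the linear correlation of the ranks."""
    return pearson(ranks(xs), ranks(ys))


def kendall_tau(xs, ys):
    """rho_tau = 2 P[(X - X')(Y - Y') > 0] - 1, estimated over all pairs (O(n^2))."""
    n = len(xs)
    concordant = 0
    for i in range(n):
        for j in range(i + 1, n):
            if (xs[i] - xs[j]) * (ys[i] - ys[j]) > 0:
                concordant += 1
    return 2.0 * concordant / (n * (n - 1) // 2) - 1.0


def sample_clayton(n, theta, seed=1):
    """Clayton copula sample (Marshall-Olkin frailty construction):
    V ~ Gamma(1/theta), U_i = (1 + E_i / V)^(-1/theta) with E_i ~ Exp(1)."""
    rng = random.Random(seed)
    us, vs = [], []
    for _ in range(n):
        v = rng.gammavariate(1.0 / theta, 1.0)
        us.append((1.0 + rng.expovariate(1.0) / v) ** (-1.0 / theta))
        vs.append((1.0 + rng.expovariate(1.0) / v) ** (-1.0 / theta))
    return us, vs


def normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def sample_gauss_copula(n, rho, seed=2):
    """Gaussian copula sample: correlated normals mapped through the normal CDF."""
    rng = random.Random(seed)
    us, vs = [], []
    for _ in range(n):
        z1 = rng.gauss(0.0, 1.0)
        z2 = rho * z1 + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
        us.append(normal_cdf(z1))
        vs.append(normal_cdf(z2))
    return us, vs


def lower_tail_dependence(us, vs, q=0.05):
    """Empirical P(V <= q | U <= q); its limit as q -> 0 is the lower tail
    dependence coefficient: 2^(-1/theta) for Clayton, 0 for the Gaussian copula."""
    below_u = [v for u, v in zip(us, vs) if u <= q]
    return sum(1 for v in below_u if v <= q) / len(below_u)


def demo():
    # A monotone but nonlinear link: ranked correlations are 1, Pearson is not.
    xs = [i / 200.0 for i in range(1, 201)]
    ys = [x ** 9 for x in xs]
    monotone = (pearson(xs, ys), spearman_rho(xs, ys), kendall_tau(xs, ys))
    # Same Kendall tau of 0.5 as in Figure 5.7: Clayton theta = 2 tau / (1 - tau) = 2,
    # Gaussian rho = sin(pi tau / 2) = sin(pi / 4).
    cu, cv = sample_clayton(4000, theta=2.0)
    gu, gv = sample_gauss_copula(4000, rho=math.sin(math.pi / 4))
    return {
        "monotone": monotone,  # (pearson, spearman, kendall)
        "kendall_clayton": kendall_tau(cu[:1500], cv[:1500]),
        "kendall_gauss": kendall_tau(gu[:1500], gv[:1500]),
        "lower_tail_clayton": lower_tail_dependence(cu, cv),
        "lower_tail_gauss": lower_tail_dependence(gu, gv),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For the monotone relation the script reports a Pearson correlation of about 0.69 against ranked correlations of exactly 1; both copula samples give a Kendall tau near 0.5, but the conditional probability P(V ≤ 0.05 | U ≤ 0.05) is roughly 0.7 for the Clayton copula and roughly 0.4 for the Gaussian one, and the latter keeps shrinking as the threshold is lowered, which is the asymptotic independence discussed above. Note that ranked correlations only capture monotone dependence: for a symmetric, non-monotone relation such as Y = X² they vanish just like the linear correlation, which is why the copula itself has to be examined.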

So far, in our overview of dependence, we have mainly considered pairwise dependence (between two random variables). Those concepts can be extended to time series (considering, for instance, the autocorrelation function) but will not be developed here. We refer to the textbook by Brockwell and Davis (2009); much literature has been developed since, in particular on time series and extremes. Finally, all this study may be completed using recent data science tools (again, beyond the scope of this chapter), ranging from classification techniques to (black box) models such as neural networks, which also provide causal relations between variables, even if not in an explicit way. This will help to better understand the relations between the variables available in the database.

5.7.3. Models for prediction

Once we better understand the dataset, with information on each variable as well as on the relations between them, we can turn to modeling, adapting
existing models or developing new ones that would better fit the various characteristics of cyber risk. These can be explicit probabilistic models and/or non-explicit models, for example neural networks, in view of prediction, so that results can be compared and interpreted. Why do we need models? We want to understand a general phenomenon from the view/information we have on it through samples. A model is needed if we want to extend the results obtained from our sample (i.e. our database) to greater generality, in view of prediction. Once we have explored and studied the dataset, extracting from it the main features characterizing the observed phenomenon, we can adapt or build a model. Then we proceed to statistical inference, fitting our model on the observations and checking its relevance (using various criteria such as goodness of fit and the Akaike information criterion). Once we are satisfied with the calibration of our model, we proceed to study its ability to predict the future. To do this, given that we are facing a changing environment and because of the lack of stationarity, the goodness of fit is not enough to guarantee that the model generalizes well (i.e. would perform as well on data that were not used for the fit as on the fitted data). Since the seminal work of Meese and Rogoff (1983), it is a well-known fact in econometrics that a model must be tested out-of-sample. This means that the quality of the model must be assessed on data that were not seen by the model during the calibration procedure. The time series dataset is divided into two samples: the in-sample period and the out-of-sample period (note that in machine learning or with unsupervised methods, there is a similar concept, called training sample/set and test sample/set; for time series, even three samples are considered: training, test and validation sets). The usual way to proceed here is to use a rolling sample (a moving in-sample), as in the case of the moving average.
We calibrate the model on the rolling sample and test it outside of the sample. In Figure 5.8, we illustrate this procedure: the first in-sample period starts at t0 and ends at t1, while the out-of-sample period extends from t1 to tf. The in-sample period is rolled forward, keeping its size constant. The reason for keeping the size of the in-sample constant is to avoid changing the ratio between the signal we are trying to model, which should remain the same, and the noise due to the changing environment. The use of a rolling sample for calibration comes from the fact that the model parameters might change over time and need to be recalibrated. This procedure is known as dynamic
optimization. As we can see in Figure 5.8, even though we recalibrate the model, the test is always performed on data that have not been seen by the calibration procedure, thereby respecting the out-of-sample principle.

[Figure 5.8: timeline with markers t0, t1 and tf; the span after t1 is labeled “Out-of-sample testing”]

Figure 5.8. Schematic illustration of a dynamic out-of-sample testing of a model. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip
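As an added illustration of the rolling out-of-sample procedure of Figure 5.8 (example code written for this edition, not the chapter’s own), the script below calibrates a linear trend on a window of fixed size, forecasts the next observation, rolls the window forward and collects the out-of-sample errors; it compares this with a model calibrated once on the first window and never recalibrated. The series is constructed, with the trend reversing half-way through, so that the need for recalibration shows up in the errors:

```python
"""Added example (not the chapter's code): dynamic out-of-sample testing on a
rolling in-sample window, against a model calibrated once and never updated.
The series is constructed here; nothing comes from the GN database."""
import random


def make_series(n=240, change_at=120, seed=7):
    """Constructed series: trend +0.1 per step, reversing to -0.1 at change_at, plus N(0, 1) noise."""
    rng = random.Random(seed)
    level, ys = 0.0, []
    for t in range(n):
        level += 0.1 if t < change_at else -0.1
        ys.append(level + rng.gauss(0.0, 1.0))
    return ys


def fit_linear(window):
    """Least-squares line y = a + b*s over the in-sample period s = 0..len(window)-1."""
    w = len(window)
    ms, my = (w - 1) / 2.0, sum(window) / w
    sxy = sum((s - ms) * (y - my) for s, y in enumerate(window))
    sxx = sum((s - ms) ** 2 for s in range(w))
    b = sxy / sxx
    return my - b * ms, b


def rolling_out_of_sample(series, window):
    """Figure 5.8: calibrate on [t - window, t), forecast y_t, roll forward.
    Every tested point lies after the data used to calibrate the model."""
    errors = []
    for t in range(window, len(series)):
        a, b = fit_linear(series[t - window:t])
        errors.append(series[t] - (a + b * window))  # one step beyond the window
    return errors


def static_out_of_sample(series, window):
    """Same test set, but parameters frozen after one calibration on the first window."""
    a, b = fit_linear(series[:window])
    return [series[t] - (a + b * t) for t in range(window, len(series))]


def mse(errors):
    return sum(e * e for e in errors) / len(errors)


def compare(window=24):
    """(rolling out-of-sample MSE, static out-of-sample MSE) on the constructed series."""
    series = make_series()
    return mse(rolling_out_of_sample(series, window)), mse(static_out_of_sample(series, window))


if __name__ == "__main__":
    rolling, static = compare()
    print(f"rolling recalibration: out-of-sample MSE = {rolling:.2f}")
    print(f"single calibration:    out-of-sample MSE = {static:.2f}")
```

With the trend reversing, the frozen model keeps extrapolating the old slope and its out-of-sample error grows with the horizon, whereas the rolling recalibration keeps the error close to the noise level; the in-sample goodness of fit of the frozen model, computed on its first window, says nothing about this, which is the point of testing out-of-sample.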

5.8. Conclusion

In this chapter, we have shown, through the example of the GN database of cybercrime complaints, the approach we chose to turn uncertainty, such as the development of cyber-attacks, into measurable risk. Note that it is the only way for insurance companies to price those risk covers, and thus to offer adequate protection against cyber-threats. We emphasize the fact that a scientific approach starts from a good grasp of the data, followed by a back and forth between models and data. By this we mean an understanding of the context of the data gathering and of the information that is stored; then one must check the relevance of the data and carry out a necessary phase of data cleansing. The next step is to explore the basic statistical properties of the data, both by computing its basic moments and by looking at possible dependence between the various variables. Only then can we start developing models to better understand the phenomenon we are studying and to allow generalization that can be used on future data. As we are facing a fast-changing environment, we need to develop strategies to capture the dynamics of the phenomenon, for example moving averages or dynamic optimization on rolling windows. The results we have presented here concern the severity of the amount of damage in the filed cyber-complaints. We have applied an algorithmic method to estimate the heaviness of the tail of the distribution and found it to be very fat, similar to risks like natural catastrophes. This is due to a strong element of
systemic risk that is inherent to cyber, since IT systems are now prevalent in all aspects of our lives, from mobile phones and laptops up to the Internet of Things and personal assistants like Siri and others. The next steps will be to analyze the other important variables that are stored in the GN database and see if we can classify the crimes by different tail indices for the probability distributions of claim amounts. Another research path will be to look at the dynamic behavior of these variables, applying some of the techniques mentioned in this chapter. This understanding of cyber-threats is a first step in improving cybersecurity. Indeed, modeling cyber-attacks helps draw out their main features and dynamics; hence, it is quite useful for predicting cyber-attacks and/or building strategies aimed at increasing the resilience of society. While the term “cybersecurity” is as old as the appearance of computers itself, the term “cyber-resilience” has been gaining momentum. Cybersecurity management focuses on security alone, but organizations need a more comprehensive strategy. You might ask: “Isn’t cyber-resilience the same thing?” Not really. There is a substantial difference in meaning between the two. Security refers to defense, guarding and precaution, whereas resilience refers to being buoyant, elastic, pliable, quick to recover and hedging. Simply put, cyber-resilience is a measure of how well an organization can recover and operate its business during a data breach or cyber-attack. In other words, it is about how quickly we get back to the good in the face of a lot of bad. The future of resilience will lie in combining security strategies, redundancies in IT infrastructure and insurance protections, in order to ensure the survival and functioning of the system.
Finally, we want to emphasize how important it is to adopt a multidisciplinary approach, collaborating with researchers from different fields such as computer science, criminology, law, mathematics, political science, security and strategy. We must be aware that we need to go beyond technological solutions and investments, by establishing legislation on cyber matters. We can already observe that countries that have strengthened their legal instruments see a noticeable decrease in cyber-attacks, the attackers turning to easier prey. The European GDPR, by protecting private data, is a step in the direction of increased protection.
5.9. Acknowledgments

Dr. Michel Dacorogna would like to acknowledge the support of LabEx MME-DII when holding the international chair LabEx MME-DII – ESSEC CREAR on Quantitative Risk Management, during spring 2018. It gave us the opportunity to start this research collaboration on cyber risk with the Gendarmerie Nationale. We would also like to warmly thank the colleagues from PJGN, in particular Jérôme Barlatier, who strongly supports this PJGN-ESSEC CREAR collaboration.

5.10. References

Beirlant, J., Goegebeur, Y., Segers, J., and Teugels, J. (2004). Statistics of Extremes: Theory and Applications. John Wiley & Sons, West Sussex.
Brockwell, P.J. and Davis, R.A. (2009). Time Series: Theory and Methods, 2nd edition. Springer, Berlin.
Championing Science (2019). In honor of Albert Einstein’s birthday – Everything should be made as simple as possible, but no simpler [Online]. Available: https://championingscience.com/2019/03/15/everything-should-be-made-as-simple-as-possible-but-no-simpler/.
Dacorogna, M. and Kratz, M. (2015). Living in a stochastic world and managing complex risks [Online]. Available: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2668468.
Dacorogna, M., Debbabi, N., and Kratz, M. (2018). Analyse exploratoire des plaintes de crimes cyber renseignées à la C3N de la PJGN. Research report, PJGN, pp. 1–24.
Debbabi, N., Kratz, M., and Mboup, M. (2017). A self-calibrating method for heavy tailed data modelling. Application in neuroscience and finance [Online]. Available: https://arxiv.org/abs/1612.03974v2.
Ellsberg, D. (1961). Risk, ambiguity and the Savage axioms. The Quarterly Journal of Economics, 75(4), 643–669.
Embrechts, P., Klüppelberg, C., and Mikosch, T. (2011). Modelling Extremal Events for Insurance and Finance, 2nd edition. Springer Verlag, Berlin.
de Haan, L. and Ferreira, A.J. (2006). Extreme Value Theory: An Introduction. Springer Verlag, Berlin.
Joe, H. (2015). Dependence Modeling with Copulas. CRC Press, Chapman & Hall, Boca Raton.
Knight, F.H. (1921). Risk, Uncertainty and Profit. Houghton Mifflin Co., The Riverside Press, Boston.
Kratz, M. (2019). Introduction to extreme value theory. Applications to risk analysis & management. In 2017 MATRIX Annals – Mathematics of Risk, Wood, D., de Gier, J., Praeger, C., and Tao, T. (eds). Springer Verlag, Berlin.
Leadbetter, M.R., Lindgren, G., and Rootzén, H. (2011). Extremes and Related Properties of Random Sequences and Processes, 2nd edition. Springer Verlag, Berlin.
Mai, J.-F. and Matthias, S. (2014). Financial Engineering with Copulas Explained. Palgrave Macmillan, London.
Meese, R.A. and Rogoff, J. (1983). Empirical exchange rate models of the seventies, do they fit out of sample? Journal of International Economics, 14, 3–24.
Nelsen, R.B. (2006). An Introduction to Copulas, 2nd edition. Springer, Berlin.
Pearson, K. (1895). Note on regression and inheritance in the case of two parents. Proceedings of the Royal Society of London, 8, 240–242.
Reiss, R.D. and Thomas, M. (2007). Statistical Analysis of Extreme Values: With Applications to Insurance, Finance, Hydrology and Other Fields, 2nd edition. Birkhäuser Verlag, Basel.
Resnick, S.I. (2007). Heavy-tail Phenomena: Probabilistic and Statistical Modeling. Springer Verlag, Berlin.
Resnick, S.I. (2008). Extreme Values, Regular Variation, and Point Processes, 2nd edition. Springer Verlag, Berlin.
Sklar, A. (1959). Fonctions de répartition à n dimensions et leurs marges. Publications de l’Institut de Statistique de l’Université de Paris, 8, 229–231.

6 Qualitative Document Analysis for Cybersecurity and Information Warfare Research

Chapter written by Brett VAN NIEKERK and Trishana RAMLUCKAN.

6.1. Introduction

Traditionally (and often incorrectly), cybersecurity is assumed to be a purely technical field aligned to computer science. However, due to the growing prevalence of cybersecurity in the international socio-political and economic setting, it can be seen that cybersecurity is a largely multidisciplinary topic. Just as cyber-operations and cybersecurity have proven to be disruptive in the modern fabric of society, so too are they disruptive for the many disciplines conducting research into information warfare and cybersecurity. Required methodologies may deviate from traditional disciplinary norms and thus be prejudiced against, posing challenges for scholars researching and publishing on topics related to information warfare and cybersecurity. The prevalent mathematical and experimental research in cybersecurity, conducted by technical researchers, does not address the societal aspects of cybersecurity, such as the legal, political and international relations considerations. These disciplines often require a qualitative approach to research into cybersecurity and information warfare, in addition to the quantitative methodologies. This chapter discusses qualitative research in a cybersecurity context and provides analysis of cybercrime legislation and national cybersecurity
strategies through document analysis, using the NVivo software. The aim of the chapter is to assess the suitability of qualitative document analysis (QDA) for aspects of information warfare and/or cybersecurity research. This is done through case studies that investigate specific use cases of QDA in these fields. This chapter is organized as follows: section 6.2 provides background to information warfare and cybersecurity, which is followed by a discussion of research considerations for these topics in section 6.3. A deeper focus on qualitative research is provided in section 6.4. Sections 6.5 and 6.6 conduct analysis on national cyber strategies and on the alignment of South Africa’s Cybercrimes Bill with international cybercrime legislation, respectively. Section 6.7 provides initial research on the influence of classical military theory on information warfare. Section 6.8 reflects on the use of qualitative methodologies in such research, and section 6.9 concludes the chapter.

6.1.1. Previous research

This research is a continuation of van Niekerk, Ramluckan and Duvenage [VAN 19], which used qualitative document analysis to investigate the relationship among professional body white papers on cyber intelligence and cyber threat intelligence. The paper considered the multi-disciplinary nature of both cybersecurity and intelligence, and the similarities between the research and intelligence processes. The relationships among the white papers were successfully established, and the content and thematic analysis identified gaps in the coverage of the documents. In addition, Ramluckan, van Niekerk and Leenen [RAM 19] investigated challenges faced by South Africa in conducting research into cybersecurity and cyberwarfare.

6.2. Information warfare and cybersecurity

Information warfare can be considered as offensive or defensive operations conducted in the information sphere in order to achieve some advantage over a competitor or adversary [BRA 07, STU 15].
The information sphere comprises three key aspects [BRA 07]:
– the physical (e.g. wires and hard copies of documents);
– the logical or virtual (protocols and soft copies of documents);
– the cognitive (related to human memory, perception and behavior).
These three aspects indicate that information warfare does not solely comprise cyber-operations, but can also incorporate other forms of conflict, such as psychological operations. The main components of information warfare are [ARM 10, BRA 07, CHA 08, STU 15, VEN 09]:
– command and control warfare: activities taken to disrupt or protect the military’s decision-making process and to command and communicate with their forces;
– computer network operations: operations to target and protect computer networks, the systems connected to the networks, and the information that is transmitted or stored therein;
– critical infrastructure protection: defense of the critical information infrastructure supporting critical national infrastructures from information warfare operations and other adverse events;
– economic information warfare: operations seeking to disrupt, protect or control economic information or activity through information and information systems;
– electronic warfare: operations that target and protect the use of the electromagnetic spectrum, such as communications jamming and “anti-jam” technologies;
– network-centric warfare: the networking of groups (military or otherwise) to coordinate activities and operations;
– psychological operations: operations that seek to sway human perception and behavior to one that is favorable to those conducting the operations.
Offensive activities aim to degrade, deny, disrupt, corrupt, exploit or destroy the adversary’s capability. Examples can include flooding a system with malicious requests to overload it and prevent legitimate access, maliciously changing information to affect decision-making, or changing human perception towards the information. Defensive activities seek to maintain the confidentiality, integrity and availability of the information and systems [HUT 01].
Cybersecurity relates to information warfare as the defensive posture of computer network operations; however, it also includes the national strategies, laws, international relations and the socio-economic implications
of computer, network and Internet security. It is therefore broader than the technical defensive computer network operations. A proposed definition for cybersecurity is the “protection of internet-connected systems, including hardware, software and data, from cyberattacks” [SEA 18]; however, this only covers the technical aspects. Another definition considers cybersecurity as “the effort to protect information, communications, and technology from harm caused either accidentally or intentionally; […] is the effort to ensure the confidentiality, integrity, and availability of data, resources, and processes through the use of administrative, physical, and technical controls” [GUI 17, pp. 16–17]. This definition incorporates aspects similar to those of information warfare above, and also considers the non-technical aspects, such as the administrative controls. There is increasing overlap among the components of information warfare, particularly with regard to cyber-operations. The use of social media for the distribution of “fake news” and influence operations, as well as combined cyber-electromagnetic operations, are examples of such convergence. From the convergence of cyber-operations with psychological operations and geo-political considerations, there is an increasing need for qualitative and multi-disciplinary research to account for both the humanities and the technical aspects. The next section discusses research in information warfare and cybersecurity.

6.3. Researching information warfare and cybersecurity

Research related to information warfare and cybersecurity is often incorrectly assumed to be technical, examples including the analysis of network traffic or the development of artificial intelligence algorithms to detect cyber-threats. However, there are a number of social science aspects to cybersecurity, including the legal, political and international relations, economic and psychological aspects, to name a few.
This broad range of disciplines indicates that cybersecurity and information warfare are inherently multi-disciplinary and transdisciplinary in nature; therefore, multi-disciplinary and transdisciplinary research methodologies should apply. A number of challenges that affect research into cybersecurity directly or indirectly are considered by [RAM 19], including:
– access to data or respondents, primarily due to the sensitive nature of the subject;
– data cleanliness, where vendors are inconsistent in reporting or categorizing cybersecurity-related information [PRE 16];
– traditional disciplinary norms may prove to be biased against multi-disciplinarity and thus hinder the research;
– lack of skills and diversity, particularly a lack of women in cybersecurity and low awareness of cybersecurity as a career path. The lack of diversity in cybersecurity reduces the representation of differing cultural norms, which may affect the acceptance or perception of various cybersecurity technologies or laws.
A consideration that will particularly affect human sciences research into cybersecurity is the reliability of respondents. In section 6.2, we state that information warfare may seek to influence human perception. Should research be based on human responses, a challenge arises in that these perceptions may have been affected by information warfare activities, reducing the reliability of the responses [RAM 19].

6.4. Qualitative research methodologies for information warfare and cybersecurity

The purpose of qualitative research is to obtain an understanding of a specific situation or phenomenon [BAB 14]. Qualitative research is usually explorative and associated with the interpretivist research philosophy, as it forms the understanding and interpretation of a specific situation or phenomenon. Qualitative research distinguishes humans from physical phenomena, as humans are equipped with the ability to create meaning. The purpose of interpretivist research is to develop new, rich understandings and interpretations of social worlds and contexts. Interpretivist research not only focuses on complexity, richness, a multitude of interpretations and the creation of meaning; it is also explicitly subjectivist.
The axiological consequence of interpretivist research is that the researcher recognizes that their interpretation of research materials (in this case, documents) and data, reflecting their own values and beliefs, plays a pivotal role in the research process [SAU 19]. In contrast to qualitative research, quantitative research is associated with the positivist research philosophy. The positivist philosophy is objective and focuses on facts. Quantitative research approaches the
research problem by way of measuring the phenomenon using numerical data that can be analyzed using definable statistics [SAU 07, SAU 19]. Table 6.1 briefly describes the difference between quantitative and qualitative data.

| | Quantitative data | Qualitative data |
|---|---|---|
| Meaning | Based on numbers | Based on meanings expressed through words |
| Collection | Numerical and standardized | Non-standardized data requiring classification into categories |
| Analysis | Statistical and use of diagrams | Conceptualization |

Table 6.1. Comparison of quantitative and qualitative methodologies, adapted from [SAU 07]

Interviews are considered the most common form of data collection in qualitative research [OAK 98]. Interviews form a framework in which practices and standards are achieved, challenged and reinforced. Interviews are either structured or semi-structured, probing for an in-depth understanding. Qualitative document analysis (QDA) is a form of qualitative research in which documents are interpreted by the researcher, providing in-depth insight and understanding regarding a particular topic [BOW 09]. For the purpose of QDA, the documents’ content is coded into themes, similar to how focus group or interview transcripts are analyzed [BOW 09]. Sometimes rubrics are used to grade or score the document. As mentioned in section 6.1, the NVivo software is used for the cases presented in sections 6.5 and 6.6. The NVivo software is produced by QSR International for qualitative and mixed-methods research. This software analyzes various forms of qualitative material, including unstructured text, audio, video and image data, such as interviews, focus groups, surveys, social media and journal articles/documents. The NVivo software provides a number of useful tools to conduct QDA, as described in sections 6.4.1–6.4.4. Section 6.4.5 provides examples of use cases for QDA using the features of NVivo.
6.4.1. Clustering of documents

The clustering of documents involves the application of cluster analysis to textual documents. It allows for the automatic organization, extraction and information retrieval or filtering of documents. It further involves the use of descriptors and descriptor extraction. Descriptors are defined as “sets of words that describe the contents within the cluster” [MAN 99, p. 504]. This is generally considered to be a centralized process [MAN 99], and examples may include web document clustering for search users.

6.4.2. Clustering of words

Cluster analysis is an exploratory technique that can be used to visualize patterns in research by grouping sources or nodes (themes) that share similar words or similar attribute values, or are coded similarly by nodes; i.e. similar words usually form one cluster. The cluster analysis diagrams provide a graphical representation of sources or nodes, simplifying the similarities and differences. Sources or nodes that appear close together in the cluster analysis diagram are more similar than those that are far apart.

6.4.3. Word frequencies and word clouds

For computer-aided qualitative research, content analysis can be performed through word counts or frequencies. Word frequencies are used to identify possible themes emerging from the use or mention of a particular theme or word. Word clouds are generated as a graphical representation of the most frequent or recurrent themes or nodes. These techniques allow for the categorization of terms and words used in documents, as indicated in Table 6.1 for qualitative research.

6.4.4. Text search and word trees

A word tree is described as a graphical version of the traditional “keyword-in-context” technique, first developed by Hans Peter Luhn. It enables the rapid querying and exploration of pieces of text or documents [WAT 08]. NVivo allows for an interactive word tree, which is usually generated through a text search.
The interactive word tree permits the
specific word to be analyzed within the full context of the document and illustrates its prevalence as a keyword or theme. Where sections 6.4.1–6.4.4 have described the features available in NVivo for QDA, section 6.4.5 provides example use cases of QDA.

6.4.5. Example use cases of qualitative document analysis

Qualitative analysis can be used for threat intelligence. Since qualitative research is used to analyze, identify, clarify and organize the requirements within a particular environment, it is a common form of research for cyberwarfare and cybersecurity, and through its interpretative nature it provides an ideal platform for threat intelligence. Threat intelligence is extremely broad in its definition, and there remains limited consensus on what it is and how to use it. Intelligence within a cyberwarfare and cybersecurity context can be defined as information that can be used to make important decisions in changing possible outcomes, dependent on the level of decision-making (strategic) within the structure [CHI 15]. Qualitative document analysis can be used for narrative analysis, of interview transcripts as well as of content posted online, such as on social media. Narrative analysis is becoming more prevalent in cyberwarfare and cybersecurity research. When investigating or researching a cyber-incident, the narrative analysis can be seen as an account of an experience (from primary data collected, e.g. interviews regarding the incident) noted in a sequenced way, creating a timeline of events which, taken collectively, is significant for the research being conducted [COF 96]. Qualitative document analysis applied to online content, such as hacker forums or social media activity, allows the major focus areas of the hackers to be assessed, with a view to identifying predominant techniques or possible future targets. Policy analysis can use qualitative analysis for comparing various documentation, including policies and legislation.
Policy analysis is usually employed within the public administration sphere, enabling civil servants, activists and others to analyze and evaluate the available options to implement the objectives of elected officials and legislation. Large corporations are also known to use policy analysis for the purpose of evaluating any
complex policies. Policy analysis forms an important part of information warfare and cybersecurity research, as it allows for the analysis of existing documentation and strategies, and can be used for the further development of new policies regarding cyber activities. In an information warfare context, narratives such as “fake news” distributed through social media can be analyzed through the use of QDA. Clustering and correlation of various narratives can illustrate how various factions are aligning or competing. Two examples of policy analysis follow: an analysis of the similarities in national cybersecurity strategies is presented in section 6.5, and an assessment of the alignment of South Africa’s cybercrime legislation with international cybercrime legislation in section 6.6.

6.5. An analysis of national cybersecurity strategies

This section provides an analysis of 12 national cybersecurity strategies. Section 6.5.1 describes the process whereby the documents were selected. Section 6.5.2 presents the results of the document analysis performed using the NVivo software, which is followed by a discussion in section 6.5.3.

6.5.1. Selection process for the documents

These 12 national cyber strategy documents were selected based on a convenience sample, in a manner that maximized the representation of the populated continents, of regions within continents (e.g. Western Europe and Eastern Europe), and of a range of country types (based on economy and on how established their cybersecurity programs are). The criteria for consideration were that the documents were in English (either as an original or a translation) and readily available for download from either the International Telecommunication Union, the North Atlantic Treaty Organization or the Commonwealth Technology Organisation, all of which host a number of national cyber strategy documents. All the documents considered here were sourced from these organizations.
Some documents were not available at the time of document collection: in some instances the link to the file was broken and the document therefore could not be downloaded, and other documents were not available in English (e.g. the Brazilian documents were only available in Portuguese). Table 6.2 lists the countries whose national strategy documents are considered, grouped by continent.

Continent                  Country considered       Pages    Words
Africa                     Mauritius [MAU 14]          25    4,899
                           South Africa [SSA 15]       30    9,500
Asia                       China [CHI 16]               8    4,066
                           India [IND 13]              10    3,157
                           Japan [JAP 18]              56   19,787
Australasia                Australia [COA 16]          68   16,050
Europe                     Estonia [EST 14]            15    4,084
                           France [ROF 15]             44   10,196
                           UK [HMG 16]                 80   25,044
North America              Canada [CAN 18]             25    3,599
                           USA [USA 18]                40    8,848
South and Central America  Jamaica [JAM 15]            40    8,289

Table 6.2. National strategies considered per continent

6.5.2. Analysis

A cluster analysis was performed on the source documents based on the Pearson correlation of the word frequencies in the documents. The clustering is presented in Figure 6.1, and the Pearson correlation matrix is presented in Figure 6.2. A cluster of four documents (France, China, Japan and South Africa) can be seen, with the other documents forming the other major cluster, with minor internal clusters. India, Canada, Australia and the UK clustering together is expected, as all four are major members of the Commonwealth of Nations and have a long-standing history of cooperation. Of the Commonwealth members considered, South Africa is the only country outside of the largest cluster. In a similar manner, the NATO countries considered (USA, Canada, UK, Estonia) cluster together in the largest major cluster, with the only exception being France. An unexpected clustering is Jamaica and Mauritius; however, they can be considered to have similar strategic situations, both being small island nations.

Figure 6.1. Strategy documents clustered by word similarity. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

To aid visualization, Figure 6.2 is shaded according to a heat map of the Pearson correlations: green shows the stronger correlations and red depicts the weaker correlations. The cluster in Figure 6.1 shows a high-level grouping of the documents, whereas Figure 6.2 presents more specific information regarding the similarities of the documents. The strongest correlation is between the UK and Australia (0.822), followed by Jamaica and Mauritius (0.795) and Australia and Canada (0.790). The weakest correlation is between Japan and Australia (0.341), with the next two weakest being between South Africa and Canada (0.343) and between South Africa and Australia (0.344). Both South Africa and Australia therefore appear in two of the three weakest pairs, indicating that their foci differ the most from the other strategies. The clustering and the Pearson correlation can be seen to align with the strategic cooperation and alignments among the nations. This illustrates that document clustering can be used to identify possible collaborations or influences in the development of national cyber strategies.

                AUS    CAN    CHN    EST    FRA    IND    JAM    JPN    MUS    ZAF    UK     USA
Australia        –    0.790  0.388  0.746  0.365  0.673  0.736  0.341  0.777  0.344  0.822  0.455
Canada         0.790    –    0.415  0.722  0.434  0.682  0.694  0.345  0.723  0.343  0.736  0.432
China          0.388  0.415    –    0.470  0.477  0.554  0.502  0.607  0.468  0.529  0.410  0.418
Estonia        0.746  0.722  0.470    –    0.510  0.710  0.774  0.462  0.766  0.494  0.760  0.448
France         0.365  0.434  0.477  0.510    –    0.474  0.504  0.475  0.444  0.445  0.422  0.371
India          0.673  0.682  0.554  0.710  0.474    –    0.744  0.491  0.761  0.493  0.653  0.457
Jamaica        0.736  0.694  0.502  0.774  0.504  0.744    –    0.476  0.795  0.540  0.763  0.475
Japan          0.341  0.345  0.607  0.462  0.475  0.491  0.476    –    0.398  0.616  0.421  0.485
Mauritius      0.777  0.723  0.468  0.766  0.444  0.761  0.795  0.398    –    0.466  0.756  0.450
South Africa   0.344  0.343  0.529  0.494  0.445  0.493  0.540  0.616  0.466    –    0.445  0.429
UK             0.822  0.736  0.410  0.760  0.422  0.653  0.763  0.421  0.756  0.445    –    0.497
USA            0.455  0.432  0.418  0.448  0.371  0.457  0.475  0.485  0.450  0.429  0.497    –

Figure 6.2. Pearson correlation matrix for the strategic documents (column abbreviations: AUS Australia, CAN Canada, CHN China, EST Estonia, FRA France, IND India, JAM Jamaica, JPN Japan, MUS Mauritius, ZAF South Africa, UK United Kingdom, USA United States). For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip
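The word-similarity step behind Figures 6.1 and 6.2 can be reproduced outside NVivo. The Python script below is an added example written for this edition, not code from the chapter or from NVivo: it turns each document into a word-frequency vector over the shared vocabulary, computes the Pearson correlation between every pair of vectors, and groups the documents by average-linkage agglomerative clustering, which is one common way of drawing a dendrogram such as Figure 6.1. The four short texts named alpha to delta are constructed stand-ins (an assumption), not the national strategies analysed above, and NVivo’s own tokenization and stemming rules are not reproduced.

```python
"""Added example: word-frequency Pearson similarity and agglomerative
clustering of documents, as used for Figures 6.1 and 6.2.  Not code from
the chapter or from NVivo; the documents are constructed stand-ins."""
import math
import re
from collections import Counter

# Constructed sample documents (assumption: short stand-ins for national
# strategies; two talk about infrastructure, two about sovereignty).
DOCS = {
    "alpha": "national cyber cyber strategy infrastructure infrastructure government",
    "beta":  "national cyber cyber strategy infrastructure government government",
    "gamma": "national information information development network sovereignty",
    "delta": "national information development development network sovereignty",
}

STOPWORDS = {"the", "of", "and", "to", "a", "in", "is", "for", "an", "or"}


def tokenize(text):
    """Lower-case alphabetic tokens with stopwords removed (a simplified word list)."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


def frequency_vectors(docs):
    """Count vector per document over the union vocabulary, in a fixed word order."""
    counts = {name: Counter(tokenize(text)) for name, text in docs.items()}
    vocab = sorted(set().union(*counts.values()))
    return {name: [c[w] for w in vocab] for name, c in counts.items()}, vocab


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length vectors."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0


def correlation_matrix(docs):
    """Symmetric matrix {doc: {other_doc: r}} with the diagonal omitted, as in Figure 6.2."""
    vecs, _ = frequency_vectors(docs)
    names = list(vecs)
    return {a: {b: round(pearson(vecs[a], vecs[b]), 3) for b in names if b != a}
            for a in names}


def cluster(matrix):
    """Average-linkage agglomerative clustering on a similarity matrix.

    Returns the merge history as (similarity, members) tuples, the most
    similar pair first; read bottom-up it is the dendrogram of Figure 6.1."""
    clusters = {name: [name] for name in matrix}
    history = []
    while len(clusters) > 1:
        best = None
        for a in clusters:
            for b in clusters:
                if a < b:
                    # Mean similarity over all cross-cluster document pairs.
                    pairs = [(x, y) for x in clusters[a] for y in clusters[b]]
                    score = sum(matrix[x][y] for x, y in pairs) / len(pairs)
                    if best is None or score > best[0]:
                        best = (score, a, b)
        score, a, b = best
        merged = clusters.pop(a) + clusters.pop(b)
        clusters["+".join(merged)] = merged
        history.append((round(score, 3), tuple(merged)))
    return history


if __name__ == "__main__":
    matrix = correlation_matrix(DOCS)
    for a, row in matrix.items():
        print(a, row)
    for score, members in cluster(matrix):
        print(f"merge at r={score}: {members}")
```

On the constructed texts the two infrastructure documents correlate at 0.82 and the two sovereignty documents at 0.75, while every cross-pair is negative, so the first two merges reproduce the two-cluster picture of Figure 6.1. With real strategies the vocabulary is far larger and almost every pair shares common policy vocabulary, which is why the real values in Figure 6.2 all lie between 0.34 and 0.83 rather than spanning the full range.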


Figure 6.3 presents a word cloud of all the documents combined. As is expected, the major words are “information”, “government”, “national” and “cyberspace”, as the documents are essentially national government policies. A closer look reveals words such as “development”, “international”, “services”, “sector” and “public”. This indicates that there are two main areas of focus: ensuring internal public services, and an international aspect between states. The word “development” is important, in that it indicates that numerous national strategies include the development of skills and cybersecurity systems. Less prevalent are words such as “businesses”, “infrastructure”, “critical”, “law” and “cooperation”. This indicates that the consideration of critical businesses and infrastructure is less prevalent among the strategies, as are the legal aspects and cybersecurity cooperation.

Figure 6.3. Word cloud representation of national cyber strategy documents


To further investigate the concepts within the broader scope of the documents, a series of text queries were performed. Table 6.3 shows the results of the query for “critical information infrastructure”, Table 6.4 shows the results of the query for “critical infrastructure” and Table 6.5 presents the results of the query for “industrial control”. In each table, “References” is the number of occurrences of the phrase in the document and “Coverage” is the percentage of the document’s content that those occurrences account for.

Country        References   Coverage
China                  10      1.17%
Estonia                 4      0.24%
India                  11      1.71%
Mauritius               3      0.16%
South Africa           23      0.60%

Table 6.3. Text query for “critical information infrastructure”

The results in Table 6.3 indicate that few strategies (5 of 12) explicitly considered critical information infrastructure. South Africa mentioned it the most (23 times); however, in the Indian document it accounts for the greatest percentage of the content (1.71%). A broader concept, “critical infrastructure”, shown in Table 6.4, also yielded results illustrating limited consideration within individual documents; however, more documents did mention the phrase (10 of 12). The Japanese document mentioned “critical infrastructure” the most (32 times), and the phrase comprised the greatest percentage of the content in the Canadian document (0.68%). Four countries mentioned the phrase only once. Only three national documents mentioned “industrial control”, as presented in Table 6.5. As industrial control systems are an important component of critical infrastructure, the limited consideration in the documents is concerning. Additional text queries were conducted for information warfare concepts appearing in the cybersecurity strategies; however, these returned limited results. The term “cyber warfare” only appeared in the South African document, with seven references. Two references were made to “information operations” in the USA document, which also contained a single reference to “influence operations”. These terms are all relevant in modern international relations; however, there is limited coverage in the strategies. The bureaucracy involved in developing strategies may be partly to blame, in that the environment evolves faster than the documents are produced.

Country        References   Coverage
Australia               4      0.04%
Canada                 15      0.68%
China                   1      0.08%
Estonia                 2      0.08%
India                   1      0.10%
Jamaica                18      0.36%
Japan                  32      0.27%
Mauritius               1      0.03%
UK                      1      0.01%
USA                    17      0.32%

Table 6.4. Text query for “critical infrastructure”

Country        References   Coverage
Jamaica                 2      0.03%
Japan                   2      0.01%
UK                      4      0.02%

Table 6.5. Text query for “industrial control”

6.5.3. Discussion

The objective of this section was to provide some insight into qualitative research within a cybersecurity context, by providing an analysis of national cybersecurity strategies through QDA. The interpretivist research philosophy was applied. The NVivo software was used, which allows qualitative data to be analyzed through quantitative means. From the analysis, the clustering of the documents indicated two major sets of strategic thought. The clusters exhibit the groupings we would expect in terms of political alignment: for example, the majority of the Commonwealth member nations and the USA are grouped together. Jamaica and Mauritius are possibly clustered together because they are both island nations and may experience similar socio-economic factors. This clustering indicates that the policy analysis of cyber strategies can provide insight into alignments, cooperation and influence regarding a nation’s cyber capability.

The word cloud visualizing word frequency highlights the key focus of the documents as a group. An alternative method would be to use a separate word cloud for each cluster (or for individual documents) to determine similarities and differences among them. To further illustrate the focus of the documents, three text queries showed that the majority of documents considered critical infrastructure, but only briefly; that fewer documents considered the more specific critical information infrastructure (some with much greater weighting); and that very few considered the more detailed topic of industrial control, and then only in a very limited manner. An interesting comparison is that India only mentions “critical infrastructure” once, yet the phrase “critical information infrastructure” comprises the greatest percentage of the content compared to the other strategies. Similarly, South Africa had the most mentions of “critical information infrastructure” but was one of two countries (with France) that did not mention the broader “critical infrastructure” at all. An explanation could lie in the conceptualization of the terms, in that “critical information infrastructure” is the information or networked component of the critical infrastructure sectors. This example highlights how the presence of specific views (or deviations from the norm) can be identified using document analysis. Possible reasons for the appearance (or absence) of certain terminology include the national political drivers influencing the strategies, or the maturity of the cybersecurity capability within the nation, including the lawmakers’ understanding of cybersecurity.

The implication of this phenomenon is that the strategies may leave vulnerabilities in the national approaches to cybersecurity which could be exploited by adversaries. Future research can focus on the causes and implications of specific terminology. Other avenues for future research can expand the exploratory research conducted in this section, for example a focused look at political alignments and similarities in cybersecurity approaches, such as the document clustering indicated. Where specific terms are used (or do not appear), future research can investigate terminology use within broader cybersecurity strategic approaches, such as deterrence or active defense.


Where this section has investigated the similarities among the 12 national cybersecurity strategies, the following section investigates the alignment of South Africa’s Cybercrimes Bill with international legislation.

6.6. An analysis of the alignment of South Africa’s Cybercrimes Bill with international legislation

This section provides an analysis of the three official versions of the South African Cybercrimes Bill in relation to three international cybercrime documents. Section 6.6.1 provides a background to the documents and the process whereby they were selected. Section 6.6.2 presents the results of the document analysis performed using the NVivo software, which is followed by a discussion in section 6.6.3.

6.6.1. Background to the documents

This section provides a background to the six documents under consideration. The earliest is the Budapest Convention on Cybercrime by the Council of Europe in 2001 [COE 01]. The treaty allows for mutual collaboration among nations to counter cybercrime, including cross-border investigations [COE 01]. This was the first major cybercrime treaty to be implemented. The Southern African Development Community (SADC) developed a model law on cybercrime for its member nations, with the aid of the International Telecommunication Union (ITU), in 2013 [ITU 13]. In 2014 the African Union (AU) developed its own cybersecurity convention with a focus on personal data protection, intended specifically for member nations of the AU [AFR 14]. As the name suggests, there are aspects focusing on protecting personal information, and others establishing the responsibility of nations to develop national legislative frameworks and monitoring capabilities for cybersecurity [AFR 14]. The initial draft of the proposed South African Cybercrimes and Cybersecurity Bill was released in 2015 for public comment [MOJ 15]. Based on the comments received, the document was revised and tabled before the South African national parliament in 2017 [MOJ 17]. However, due to strong concerns about the bill being raised publicly, the document was again revised as the Cybercrimes Bill, limiting its scope by excluding national cybersecurity considerations relevant to national intelligence and the military [HUN 18, MOJ 18]. The document outlines what are considered offences, the obligations of various parties, issues regarding evidence collection, and mutual assistance with foreign agencies [MOJ 18]; however, at the time of writing it was yet to be enacted.

The documents have some relationship with each other. As mentioned, the AU Convention was intended to be an African alternative to the European Budapest Convention, while the SADC document was one of the regional forerunners to the AU document. The South African documents need to bear some resemblance to all of these documents, due to the signatory and ratification processes and the obligations these place on the nation to introduce cybercrime legislation. The page and word count for each of the documents is provided in Table 6.6. The decrease in words across the versions of the Cybercrimes Bill illustrates the challenges mentioned above and the resulting exclusion of clauses to modify the bill.

Document considered                         Pages    Words   Chapters   Sections/articles
AU Convention on Cybercrime                    40   11,818          4                  38
Budapest Convention                            22   10,347          4                  48
Cybercrimes and Cybersecurity Bill 2015       128   33,939         11                  68
Cybercrimes and Cybersecurity Bill 2017       139   30,832         13                  63
Cybercrimes Bill 2018                         119   25,885         10                  60
SADC Model Law                                 32    7,158          6                  38

Table 6.6. Cybercrime documents considered, with page, word, chapter and section/article counts

6.6.2. Analysis

The results of the document cluster analysis, shown in Figure 6.4, illustrate two major clusters. The South African Cybercrimes Bill (and its earlier drafts) cluster together, as is expected, along with the SADC Model Law. The smaller cluster includes the AU Convention and the Budapest Convention. These two clusters can be considered to be differentiated by geographical or political scope: both the AU and Budapest documents are treaties intended to govern multiple nations, whereas the SADC and South African documents are tailored towards actual national legislation.

Figure 6.4. Documents clustered by word similarity. For a color version of this figure, see www.iste.co.uk/loiseau/cybersecurity.zip

The Pearson correlation matrix for the clustered documents is presented in Table 6.7. Based on the correlations between the Cybercrimes Bill drafts and the other documents, the later drafts increase in correlation with the SADC Model Law (0.439, 0.527 and 0.532 for the 2015, 2017 and 2018 versions), yet decrease in correlation with the AU Convention (0.489, 0.450 and 0.434). This implies that the drafts moved closer to the SADC document and increasingly deviated from the AU document. The Cybercrimes Bill drafts showed a slightly increasing correlation with the Budapest Convention (0.377, 0.461 and 0.469); however, these correlations are weak. The final (2018) draft therefore aligns most closely with the regional context (SADC), then the global context (Budapest), and least with the continental context (AU); only the 2015 draft was most closely aligned with the AU Convention. When considering the clustering and the associated Pearson correlation matrix in Table 6.7, the age of the documents should be borne in mind: the Budapest Convention originated in 2001, whereas the African documents were published within a five-year period from 2013 through to 2018. Figure 6.5 presents a word cloud to visualize the word frequency across all six documents. The most prominent words are “data”, “person”, “offence”, “act” and “information”. As the documents focus on cybercrime, the word “offence” would be expected to have a high frequency, as the documents define what constitutes illegal conduct, i.e. offences. The word “act” can have two aspects: it can refer to an act as a legal document, or to an action which is being defined as legal or illegal. The word “person” implies that cybercrimes are considered individualistic in nature: that the perpetrator and/or victim is a single person. This could also relate to the “data” view, where the privacy of a person’s data is recognized.

                                            Bill 2015   Bill 2017   Bill 2018   SADC Model Law   AU Convention   Budapest Convention
Cybercrimes and Cybersecurity Bill 2015          –         0.870       0.800            0.439           0.489                 0.377
Cybercrimes and Cybersecurity Bill 2017       0.870           –        0.972            0.527           0.450                 0.461
Cybercrimes Bill 2018                         0.800       0.972           –             0.532           0.434                 0.469
SADC Model Law                                0.439       0.527       0.532               –             0.419                 0.451
AU Convention on Cybercrime                   0.489       0.450       0.434            0.419               –                  0.525
Budapest Convention                           0.377       0.461       0.469            0.451           0.525                     –

Table 6.7. Pearson correlation matrix for cybercrime legislation. For a color version of this table, see www.iste.co.uk/loiseau/cybersecurity.zip

Less frequent, but still prominent, words include “information”, “national”, “state”, “security” and “electronic”. The occurrence of these words is again expected: the documents deal with the security of information in its electronic form, and the cybersecurity programs will be at a national level. Words that are even less prominent include “warrant”, “evidence”, “imprisonment” and “infrastructure”. These words are again expected; however, their low prevalence is surprising, as they relate to the evidence (and the warrant needed to collect it) and to the punishment for the crimes (“imprisonment”). “Infrastructure” is not as prevalent in the context of cybercrime as it would be in terms of national cybersecurity (in the context of cyberwarfare), therefore its low prevalence is less surprising than that of the other words. The lack of these important terms implies that there are still challenges within the legal and justice systems in addressing cybercrime, both in terms of evidence collection and processing, and in introducing punishments and penalties that are in line with those for crime in the physical world.

Figure 6.5. Word cloud for cybercrime legislation. (a) Word cloud including all versions of the Cybercrimes and Cybersecurity Bill. (b) Word cloud including only the 2018 version of the Cybercrimes Bill

In this case it should be noted that some of the words can be ignored for the interpretation, such as “section” and “subsection”, as these are clearly structural for the documents and have no particular meaning in the context of the topic. It is also worth noting that using all six documents in the generation of the word cloud (Figure 6.5a) introduces a bias, in that three drafts of the Cybercrimes Bill are included, weighting the result towards the prevalence of words in the South African documents. In Figure 6.5b, only the final version of the Cybercrimes Bill (2018) is used in the generation of the word cloud; in this instance, the decreasing prevalence of certain words can be seen, such as “section” and “subsection”, and “computer” is more prevalent than “person” in the second word cloud. Where cluster analysis is useful to illustrate the convergence or divergence with international legislative documents by including all documents, the same document selection for the word clouds and word frequencies will give misleading results. This example is therefore illustrative of how unintentional bias can be introduced into such analysis through the manner in which documents are selected.

Figure 6.6 presents the results of a text search query for the word “extortion”, as an example of a possible crime committed online. Unlike section 6.5, where the focus of the text queries was the number of occurrences per document, here the focus is the term in the context of the words associated with it. From the contexts, it is evident that extortion is considered related to “aggravated offences” and also to possible terrorist activities to gain funds. The acts of extortion considered include cyber uttering and harmful disclosure of pornography. Therefore, text queries can be used not only to illustrate the prevalence of a term within documents, but also to illustrate the common contexts in which it occurs. This will be particularly useful in conducting thematic analysis of cybersecurity documents.

6.6.3. Discussion

The objective of this section was to provide some insight into qualitative document analysis within a cybersecurity context, by providing an analysis of cybercrime legislation. As with the previous section, the interpretivist research philosophy is applicable and the NVivo software was used.


Figure 6.6. Text search query for “extortion”

Through the qualitative data analysis, it is evident that the alignment of the South African cybercrime legislation is strongest with the SADC Model Law. The drafts of the Cybercrimes Bill are converging (becoming more aligned) with the SADC Model Law and the Budapest Convention, and diverging (becoming less aligned) from the AU Convention. The result is that where the 2015 draft was most strongly aligned with the AU Convention, the third iteration is aligned most strongly with the SADC Model Law, then the Budapest Convention, then the AU Convention. This raises questions around the suitability of the AU document as, after extensive consultation with the stakeholders in South Africa, the draft bill moved away from that document and aligned more with the international Budapest Convention. Future research in this area could identify any areas where the AU document is perceived to be weak or unsuitable. The word cloud illustrates a weak focus on critical aspects of dealing with crime: the legal collection of evidence and punishment. This is potentially due to the evolving nature of digital forensics, with the laws yet unable to cater sufficiently for the collection of evidence in cyberspace. Uncertainty about the equivalence between some online crimes and physical crimes may result in a low focus on punishment. To investigate further, the term “extortion” was searched for using a text query, with the result displayed in a word tree. This effectively showed the context in which the term was used within the documents, and is a useful tool to gain a deeper understanding of terms within large document sets.
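The text query behind Tables 6.3 to 6.5 and the word tree of Figure 6.6 are straightforward to reproduce, and doing so makes the draft-weighting bias discussed for Figure 6.5a concrete. The script below is an added example written for this edition, not code from the chapter or from NVivo. It reports, per document, the number of references to a phrase and its coverage (assumed here to be the matched characters as a percentage of the document’s characters; NVivo’s exact coverage formula is not reproduced), lists each occurrence with its surrounding words as a flat word tree, and counts word frequencies over a chosen subset of documents so that the effect of including several drafts of one bill can be seen. The three clauses are constructed sample text (an assumption), not wording from the Cybercrimes Bill or the SADC Model Law.

```python
"""Added example: NVivo-style text query (references and coverage), keyword
in context (word tree) and draft-weighted word frequency.  Not code from
the chapter; the clauses below are constructed, not real legislation."""
import re
from collections import Counter

# Constructed sample clauses (assumption: stand-ins for two drafts of a bill
# and a regional model law; not the real documents' wording).
DOCS = {
    "draft_2015": "A person who commits extortion by means of a computer system "
                  "is guilty of an offence. Extortion of data is an aggravated offence.",
    "draft_2017": "A person who commits extortion by means of a computer system "
                  "is guilty of an offence. Extortion of data is an aggravated offence. "
                  "Evidence seized under a warrant must be preserved.",
    "model_law":  "Any person who uses a computer to obtain a benefit through "
                  "extortion commits an offence punishable by imprisonment.",
}


def matches(text, phrase):
    """Case-insensitive, whole-word occurrences of a phrase."""
    pattern = r"\b" + re.escape(phrase) + r"\b"
    return list(re.finditer(pattern, text, flags=re.IGNORECASE))


def text_query(docs, phrase):
    """Per-document reference count and coverage, like Tables 6.3 to 6.5.

    Coverage is the percentage of the document's characters taken up by the
    matches (an assumption about how NVivo computes it).  Documents with no
    match are left out, as in the chapter's tables."""
    result = {}
    for name, text in docs.items():
        found = matches(text, phrase)
        if found:
            covered = sum(m.end() - m.start() for m in found)
            result[name] = {"references": len(found),
                            "coverage": round(100 * covered / len(text), 2)}
    return result


def contexts(text, phrase, window=3):
    """Keyword in context: (left words, match, right words) per occurrence,
    the flat form of the word tree in Figure 6.6."""
    out = []
    for m in matches(text, phrase):
        left = " ".join(text[:m.start()].split()[-window:])
        right = " ".join(text[m.end():].split()[:window])
        out.append((left, m.group(), right))
    return out


def word_frequency(docs, names=None):
    """Word counts over the selected documents (all by default), the data behind
    a word cloud.  Passing several drafts of one bill counts their shared wording
    once per draft, which is the bias discussed for Figure 6.5a."""
    selected = names if names is not None else list(docs)
    counts = Counter()
    for name in selected:
        counts.update(re.findall(r"[a-z]+", docs[name].lower()))
    return counts


if __name__ == "__main__":
    print(text_query(DOCS, "extortion"))
    for ctx in contexts(DOCS["draft_2015"], "extortion"):
        print(ctx)
    print("all docs:", word_frequency(DOCS).most_common(3))
    print("final draft + model law:",
          word_frequency(DOCS, ["draft_2017", "model_law"]).most_common(3))
```

The two drafts contain the same two references to “extortion”, yet the longer 2017 draft shows a lower coverage figure, which is the distinction between the “References” and “Coverage” columns of Tables 6.3 to 6.5. Counting “offence” over all three documents gives 5, but over the final draft and the model law only 3: the dropped 2015 draft contributed nothing new, only a second copy of the same wording.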


Where the two cases studied have focused on cybersecurity documents, the next section provides an initial investigation into the influence of classical military philosophy on information warfare writings.

6.7. An analysis of the influence of classical military philosophy on seminal information warfare texts

This section aims to illustrate the influence of classical military philosophers on seminal information warfare texts and a military operational document. Two canonical works were used for the classical philosophy: Clausewitz’s On War [CLA 84] and Sun Tzu’s The Art of War [SUN 00]. Four seminal documents on information warfare are correlated with these two works, two from China and two from the USA:

1) Information Warfare by Wang Baocun and Li Fei [BAO 96];
2) Challenges of Information Warfare by Wang Pufeng [PUF 96];
3) Information, Power and Grand Strategy by John Arquilla and David Ronfeldt [ARQ 97];
4) JP3-13 Information Operations [JCS 14].

Originally, another document had also been selected; however, that document was scanned as an image and the software was unable to perform the correlation as it could not extract the words. This highlights a limitation of using software, in that the data sources need to be compatible with the software. Even though the documents are from different periods and their original languages differ, the focus is on the influence of the classical philosophy, which is expected to occur over time, and the translations can still influence later concepts. To illustrate the influence of the classical works on the information warfare texts, the correlations (based on the words in the documents) between each information warfare document and each of the classical works were compared. The results are listed in Table 6.8. As is evident from Table 6.8, the correlations with Clausewitz’s On War are larger than the correlations with Sun Tzu’s The Art of War for all four documents, albeit that in some cases the difference is very small. From this it can be concluded that, on this measure, Clausewitz’s writings are the more influential. However, future research can be conducted to ascertain what aspects of the early military philosophy are relevant or influential in information warfare.

Document                                  On War   The Art of War
Information Warfare                        0.296            0.226
Challenges of Information Warfare          0.263            0.201
Information, Power and Grand Strategy      0.368            0.194
JP3-13 Information Operations              0.166            0.108

Table 6.8. Correlation of classical military philosophy and information warfare texts

In addition to the limitation mentioned above regarding the document format needing to be compatible with the software, another consideration arises from this initial study. Of the six documents used, four were translated. This raises the possibility of misinterpretation by the translators, or of bias being introduced prior to the QDA. With three examples of QDA applied to cybersecurity and information warfare, the following section reflects on the suitability of QDA and the challenges that were experienced.

6.8. Reflections on qualitative document analysis for information warfare and cybersecurity research

The focus of the chapter is on qualitative document analysis; this was conducted to investigate the similarities and possible influence among 12 national cyber strategy documents, to assess the alignment of the South African Cybercrimes Bill with international documents, and to investigate the influence of classical military philosophy on information warfare texts. The NVivo software was used to provide document clustering and the Pearson correlation for the document sets, word clouds to visualize word frequency, and text queries to illustrate the prevalence of specific concepts within the documents. The document clustering and the Pearson correlation effectively showed the relationships among documents within their respective sets. This proved to be a useful tool (among other tools and methods) to gain a high-level view of similarities (or lack thereof) among documents. As indicated in [VAN 19], this is not only relevant to academic research, but is also applicable to intelligence analysis, in this particular case strategic cyber intelligence. The ability to quickly analyze a variety of sources (including computer code) to ascertain relationships can illustrate commonalities that may aid in attributing attacks to particular groups, or indicate re-use of code. Assessments of cybersecurity documents may be used to categorize nations, providing initial warnings of which are potential threats in cyberspace.

The word clouds adequately visualized the prevalence of words within the document sets. The research in this chapter only assessed the word frequency for the whole data set; however, there is scope to analyze individual documents for comparison purposes. A possible bias was illustrated where multiple versions or drafts of a document are assessed within a broader set, in that these drafts count specific words multiple times, skewing the prevalence in the overall set. The text queries gave a useful insight into the prevalence of a concept or term in the cybersecurity documents within the context of the individual document (the number of mentions as well as the percentage of the content). This provides an indication of the relative importance of the concept within the strategy. When displaying a word tree based on the query, the phrase of interest is shown within context as it appears in the various documents. This provides useful contextual information, and the tool will give the researcher (or intelligence analyst) quick insights over a large document set.

A number of limitations were illustrated in the three cases presented. The incompatibility of a source document with the software used to aid analysis resulted in that document being excluded. The use of translations may introduce bias or misinterpretation on the part of the translator. As both information warfare and cybersecurity involve the use of deception, both the researcher and the sources may have been maliciously influenced to alter perceptions or introduce bias. The researcher is also limited to the content covered by the documents, with little ability for further enquiry; in other forms of qualitative research, such as interviews, the researcher is able to design questions to focus on the key criteria, and has the opportunity to ask follow-up questions for clarity or more information. Often QDA alone is not sufficient, and additional information is required in order to provide in-depth analysis; for example, the relationship between documents may be evident, but the reasoning behind it may not be clear. In addition, as information warfare and cybersecurity are sensitive topics, access to documents may be restricted.


Qualitative document analysis can therefore be seen as an important tool for researching cybersecurity and information warfare from a human and social science perspective. However, there are possible limitations that can impact the research and that need to be taken into consideration.

6.9. Conclusion

Information warfare and cybersecurity can be seen as inherently multidisciplinary and transdisciplinary in nature. However, they are traditionally associated with technical research such as computer science. There are a number of aspects to information warfare and cybersecurity that require human and social science-related research methodologies. This chapter illustrates the use of document analysis, with particular examples of three use cases: the analysis of national cyber-strategies to determine likely cooperation and/or influence; the comparison of the South African Cybercrimes Bill to international cybercrime legislation to determine and illustrate alignment; and investigating the influence of classical military philosophy on information warfare texts.

Through the use of document clustering and the associated Pearson correlation matrix, the similarities among the national cybersecurity strategies were evident. The relationships mostly aligned with political collaboration, illustrating that document analysis is suitable for the use case of assessing strategy influences. Similar analysis illustrated the alignment of the South African Cybercrimes Bill, and highlighted that the later drafts moved towards alignment with the SADC Model Law and, to a lesser degree, the Budapest Convention; however, there was increasing deviation compared to the AU cybercrime document. This use case effectively demonstrated the importance of document analysis to ascertain alignment of national legislation with international best practices. In this case, a possible limitation of document analysis was highlighted: when investigating multiple versions of the same document in conjunction with other documents, content analysis (word frequency) will be biased towards the versions, as similar concepts will be repeated for each draft or version.

Qualitative document analysis is therefore suitable for the assessment of cybersecurity documents for academic research and potentially for strategic intelligence analysis. Future research will investigate the use cases for cyber threat intelligence feeds, and online political posturing related to cybersecurity. Future work can include further application of QDA to assess the alignment of newly released cybersecurity documents to international norms, and further investigation into the influence of classical military theorists on modern information warfare concepts.

7. Anti-feminist Cyber-violence as a Risk Factor: Analysis of Cybersecurity Issues for Feminist Activists in France

Chapter written by Elena WALDISPUEHL.

7.1. Introduction

Concerning the process of transforming informal modes of political participation, the literature presents online activism as a new stage of contestation in the context of the cyberization of social interactions. Studies in the sociology of social movements have been very interested in the structuring effects of social media on collective action, but almost always through the prism of mobilization, by highlighting their organizational or strategic dimension. Based on a broad interpretation of the definition of cybersecurity, this study is more concerned with feminist uses of Web 2.0 and the relationship between insecurity and security in online spaces for feminist activists. Starting from a conception of an online–offline continuum, this chapter examines cybersecurity issues for feminist activists based on a comparison between spaces of protest in Quebec and France. The preliminary results of our thesis, which examines the online and offline consequences of cyber-violence and cyberstalking on feminist activist trajectories, argue that online activism is not a passive and less costly form of engagement [MOR 11]. Our results also show that there seem to be no specificities to online activism compared to conventional modes of political participation [RES 00] beyond the risks and costs associated with activism and mobilization. The cost is observable at the personal level (time, money, energy), while the risk is the anticipated legal, social and physical threat [MCA 91]. This chapter is in line with the differentialist approach, which allows a rethinking of the concept of political participation in order to broaden its scope to include expressive dimensions [MON 11]. Web 2.0 is a set of digital spaces that are not based on a universally shared experience [MAR 04]. In other words, online browsing experiences are structured according to the position of the users, who are the core of the Web 2.0 infrastructure, which is composed of several types of interactive, participatory and interconnected spaces. Cyberspace thus represents a “new arena of interaction” [CHO 12] where certain expressive dimensions can become sources of insecurity for certain categories of social actors, such as feminist activists in our case study. A major cause of insecurity is anti-feminist actions and attacks against feminist activists, who are prime targets [LAB 15]. Cyber-violence against feminist activists is intended to control, coerce or silence them [MAN 13]. A considerable amount of this online violence comes from online anti-feminism networks, which are increasingly linked to the alternative right (alt-right) and the extreme right [NAG 17]. The ubiquity of cyberspace and its reticular structures make feminist activists the target of cyber-violence in real time through the contraction of time and space [HIN 13] and the predominance of anonymity [MAN 00] of cyber stalkers confronting feminists, who are not in the majority. This constant and real threat has multiple effects on feminist use of Web 2.0 in a context of polarization and politicization of trolls [COL 17], which is said to produce a Balkanization of public space [SUN 01].
Cyber-violence against feminist activists is thus an unavoidable subject when it comes to rethinking cybersecurity issues and, more specifically, the relationship between the feelings of security and insecurity. In this chapter, we propose to broaden the definition of cybersecurity to include the subjective integrity of activists as well as their data. Indeed, feminist activists recounted in semi-directed interviews how cyber-violence and cyber-harassment are repeated and organized tactics that have serious consequences on trajectories. Antifeminist cyber-violence thus produces a real social, economic, political and psychological cost for these feminist activists1. In order to better understand this violence, we propose to understand this issue through the online–offline continuum as well as the continuum between security and insecurity. This chapter takes an interdisciplinary approach by gathering literature in social movement sociology, feminist studies and Internet studies to simultaneously address cybersecurity issues for both feminist activists and the researcher in the context of online research. Firstly, the methods used in this research to address the cybersecurity issues of feminist activists will be discussed. In particular, we will explain the specificities of online ethnography and the difficulties of online fields in a context of insecurity for participants. This section will also include a reflection on emotional labor and empathy, which are skills required of a researcher involved in any ethnographic approach. Secondly, the continuity of spaces will be illustrated across the online–offline continuum. Thirdly, cybersecurity issues will be tackled in the light of the anti-feminist insecurity mechanism, which is a set of structures and practices for the exercise of power. This mechanism is that of the “manosphere”, a concept used to evoke the set of online discursive spaces that are misogynistic, sexist and antifeminist [JAN 17]. The insecurity mechanism is central to the analysis in order to understand how online spaces are not necessarily safe for all categories of Internet users, and more particularly for feminist activists, who are the target of multiple forms of cyber-violence and cyberstalking. Online violence is thus an increasingly politicized weapon [WAL 19].

1 Semi-structured interview data also show that feminist activists use forms of cyber-violence and cyber-harassment to target other feminists and masculinists. For the purpose of this chapter, these data will not be examined here and will instead be published at a later stage.

7.2. Localization of an online field

In order to make the continuity of the spaces methodologically operational, this research relies on data from semi-directive interviews (N = 50) and an eight-month online ethnography to observe interactions in several feminist and masculinist digital spaces.
The interviews, in the form of storytelling, aim to reconstruct militant trajectories. The questions addressed were about their uses of social media, their online exposure and online safety practices, and their experiences of activism and cyberstalking. Interviews were conducted with feminist activists who have a large volume of online practices of resistance and protest. Participants in this study are at multiple intersections in terms of “gender/sex, race, class, ethnicity, age, disability and sexual orientation” [BIL 09 p. 70]. Interviews were also conducted with people with different types of feminist engagement to illustrate the different divisions and tensions within the space for women’s causes2 [BER 12]. However, national affiliations are indistinguishable within the framework of this chapter.

Table 7.1. Non-exhaustive table of spaces captured during online ethnography (on Instagram, Facebook and Twitter)

Speakupchannel
Dans ton Miroir
@alicecoffin
Clitrevolution
La petite banane
@monachollet
Les folies passagères
Liberté, pilosité, sororité
@PayetaShnek
T’a pensé à ?
Marsault
Je m’en bats le clito
Ovocytemoi
@ValerieCG
Spmtamere
Valek
@anti-sexisme
Irenevrose
Memes royalistes
@Vivreavec
T’a joui?
Décider entre blancs
@PeabodyJoshua
Mon fils en rose
L’empêcheuse de penser en rond
@AssoLallab
Emma_clit
RDZ IV, 3 fois plus fort que Jésus
@RokhayaDiallo
Stop grossophobie
Collectif : Féministes contre le cyberharcèlement
@MwasiCollectif
Paye ta gouine
Paye ta féministe
@EloiseBouton @paye_ton_troll
Collectif_ntarajel
Check tes privilèges
@judithlussier

As for the method of online ethnography or “netnography”, it aims to observe the online practices of feminist activists in the social Web. This strategy allows us to observe reactions to the creation and production of online feminist content, mainly on social media and a few blogs. To do so, we identified a corpus of online spaces that are feminist or antifeminist in order to analyze the number of publications and the most active persons/avatars on the Facebook, Instagram and Twitter platforms3. Particular attention was paid to the relationship to the conflict as well as to forms of violence and their meanings. We also observed the tone of the comments, the language and vocabulary used, the degree of intimacy of the publications, the sharing of difficult or traumatic experiences, and the processes of politicization in the interactions. By studying the daily online exposure practices of feminist activists, it became possible to determine which types of content or publication elicit the most positive and negative reactions in the digital spaces being addressed. It also allowed us to more effectively target the dynamics of virality that can be generated by feminist discursive practices in a context of surveillance and self-surveillance. Therefore, it is important to consider the concept of lateral surveillance, which involves monitoring the digital activities of others, resulting in a “broad flow of information that [the user] did not want to see spread” in this way [CAR 12 p. 25]. Social media stimulates “consent to divulge personal information, to expand the surface of what can be shown and to expose oneself to others, thus reinforcing the tendency of individuals to observe themselves and others” [GRA 12 p. 53]. This produces a “chiaroscuro visibility” that translates into “a zone of controlled familiarity in which [users] make very personal elements of their daily lives public sometimes, while thinking that they are only addressing a network of close relations” [CAR 12 p. 26]. In a context of strong self-censorship of online interactions [DAS 13], there is a blurring effect between the boundaries of private and public spaces.

2 Thus, interviews were conducted with individuals who identify with several feminist currents ranging from universalist, radical and abolitionist to intersectional, decolonial and queer feminists.
Several interviewees revealed that they are very careful about their online exposure practices in order to control information about their private lives and protect their loved ones from the repercussions of potential violence. They develop digital practices that limit the possibilities of collecting information about their habits and place of residence by not sharing photos and not using geolocation tools. The majority of feminist activists who are parents also take precautions by not revealing their children’s faces on social media. This also applies to those whose parenthood is one of their main areas of cyber engagement, through blogs or Instagram accounts dedicated to maternity and paternity issues such as mental load or feminist pedagogy.

3 The accounts observed are generally present on each platform.


The ethnographic approach, whether online or offline, is defined by the researcher’s praxis in the field. Therefore, fieldwork represents the very foundations of ethnography [LIN 08]. A field is subsequently defined as the “methodological delineation of a specific place and time” that forms a context “in which social relationships occur that are accessible to the researcher” in order “to explain, understand or intervene in that field or context” [WAL 17b p. 101]. In this sense, Hammersley and Atkinson [HAM 07 p. 3] describe ethnography as a set of practices and attitudes of the researcher in a given geographical space: “the researcher participating, overtly or covertly, in people’s daily lives for an extended period of time, watching what happens, listening to what is said, and/or asking questions through informal and formal interviews, collecting documents and artefacts – in fact, gathering whatever data are available to throw light on the issues that are the emerging focus of inquiry.” The process of cyberization of societies [GRA 14] requires both a capacity to adjust methods of investigation [DIM 15] and new practices and questions in terms of ethics. Unlike traditional ethnography, Robert Kozinets [KOZ 09] defines “netnography” as a method for studying cultures and communities emerging from network interconnection and automated communications. Thus, access to networks via a connected computer becomes an indispensable intermediary for having access to an online field. This further interferes with the relationship between the researcher and the subject in this “new distinct physical location” [YEN 02 p. 10]. The ethnographic steps are not necessarily different between an online and an offline context. Rather, the steps are differentiated according to the nature of the field under investigation.

Thus, adjustments to the ethnographic method are not only technological [BRA 19], but require different skills and attitudes, since co-presence is rather remote [HIN 13] in online fields. Therefore, the advantage of this method is its flexibility to observe social interactions “without interfering” [SAY 13 p. 231]. To do this, it is important to take into account the fluidity of spaces in the context of an online ethnography. This method is simultaneously deployed in several digital spaces, so that online fields are generally multi-situated [WAL 10]. This specificity makes it particularly difficult to methodologically circumscribe the boundaries of an online field. In order to facilitate the localization of an online field, the choice of the corpus of spaces to examine requires a significant period of pre-field observation. This technique has the effect of reducing the scope of the collection points and allows the researcher to be totally immersed in the selected digital environment. This process allows the boundaries of the field to be set online while allowing for fine analysis of the data by means of a smaller sample size. Like offline ethnography, netnography is interested in social relationships and the “ordinary daily life” [PAS 11 p. 39] of users through a comprehensive approach that produces a “dense description” of a social reality [GEE 73 p. 27]. Ethnography is therefore a technique that allows culture to be read as a text [GEE 98]. In the online context, this is particularly interesting since the information is presented in the form of textual or pictorial traces, in such a way that there is no raw data [GIT 13]. The data captured by online ethnography are therefore artifacts [HIN 09, 13], i.e. non-neutral constructs that have no direct link to reality [GIT 13]. Several researchers emphasize the importance of avoiding over- or under-representation of these traces in the process of data analysis [LAT 17]. In this study, we applied the model of Latzko-Toth, Bonneau and Millette to analyze the data in several phases, focusing on contextual information, fine descriptions of practices and meanings attributed by actors. For data triangulation purposes, the final phase of this analysis technique was completed by means of interviews. This way of doing things makes it possible to grasp the meanings that users attribute to their own practices in a sociotechnical framework [LUP 15] and in a logic of oversight of digital traces [DUB 15]. In addition, online ethnography makes it possible to trace social interactions that took place in the past [HAN 11] and to observe subjects in secret. Thus, netnography allows researchers to multiply the possibilities of not revealing themselves in order to observe user interactions without intervening and without even reporting their presence.
Nevertheless, this passive observation (lurking) gives rise to much debate and subsequently to many ethical issues [LUK 17]. For some, passive, undisclosed observation represents an unethical strategy [MAN 00, MUR 08]. For others, it may be necessary because the researcher’s intervention may interfere with online interactions [HAM 10, MAU 07], especially when dealing with vulnerable or marginalized online communities [LAN 05].


7.2.1. Online ethnographic work and empathy

To overcome these methodological and ethical pitfalls, Mary Elizabeth Luka and Mélanie Millette [LUK 18 p. 4] propose adopting research practices oriented towards a commitment to mutual care with respect to privacy and participant consent in the context of research with a feminist epistemology. Therefore, a perspective of care and a commitment to mutual care within the framework of an online ethnography makes empathy the focus of this methodological approach. This empathy takes a lot of energy on an emotional level while influencing the relationship between the researcher and the subject. In this sense, “the notion of empathy could be inscribed at the very heart of the definition of anthropology” based around the dialogical nature of the field and the process of object construction [GAL 08 p. 3]. However, some authors believe that empathy is not a sine qua non of the ethnographic method. Martina Avanza [AVA 08] explains that it is quite possible to carry out an ethnographic process without developing empathy for “one’s natives” whom one “does not like” by developing strategies such as “feigning compassion”. In her research on the anti-abortion movement in the United States, Véronique Pronovost [PRO 13, 19] argues instead that ethnography requires emotional work that contributes to the complexity and contextualization of the researcher–subject relationship while breaking down binary categories and not giving a Manichean interpretation of ethnographic findings. This deconstruction of binarity also allows us to escape the dynamics between movement and counter-movement, which are structural in the framework of this research. My online field is particular in the sense that a permanent duality prevails between the categories of subjects. Empathy would be quite differentiated and would not have the same criteria for application, depending on whether it is a question of feminist activists or of masculinists and antifeminists.

This differentiated empathy is explained in particular by my epistemological position as a researcher and feminist in the field of the sociology of social movements. It is therefore important for me to position myself [HAR 04] within my field in a perspective of knowing where I am [HAR 88]. This positioning also allowed me to gain several forms of access to the field by facilitating the bond of trust with the participants [BOY 15]. Moreover, I can get around the empathic constraint since I am not interested in the motivations of antifeminist and masculinist actors, but only in the effects of their violent interactions targeting feminists. Thus, it is important to consider the context of the field research and its objectives, whether online or offline, to establish a variation in the register of empathy. Certainly, being exposed in an immersive way and over a long period of time to violent interactions and narratives of aggression causes great mental fatigue. The emotional work involved in the exercise of empathy is extremely energy-intensive, while at the same time producing significant physical sequelae during the research process. There is a mutual reinforcement between my own and my participants’ feelings of exhaustion about their own experiences of cyber-violence and cyberstalking. In order to distance myself from my research results and in a logic of self-care, I have been writing a logbook since the beginning of the netnography. The aim is to describe my emotions and thoughts about the more difficult and violent content that I observe on a daily basis. A re-reading of my field notes reveals that as the online ethnography unfolds, I begin to feel more unsafe reading gender-based insults and hate speech. This violence is not directly addressed to me, but I nevertheless feel a certain backlash and I identify with the people who are targeted by it. As Sara Ahmed [AHM 12] argues, to identify as a feminist is to be permanently assigned to a difficult category and to be in difficulty. This is all the more true online. The insecurity mechanism thus has consequences simultaneously for the subjects as well as for myself, as a researcher studying the effects of anti-feminist cyber-violence on trajectories.

7.2.2. Cybersecurity issues of an online field

It is important to think about your own safety and to be reflective about your online safety practices. In fact, my field of research is articulated by important cybersecurity issues.
Based on the experiences of colleagues in feminist studies who have been victims of harassment, home invasion, computer hacking and theft of their research data, I have been strongly sensitized to the dangers of taking a direct or indirect interest in the factors of the manosphere. As a result, I have developed a number of preventive practices to reduce the risk of cyber-attacks in the research process. For example, I have encrypted all of my research data from interviews, online observations and screenshots. To ensure my own security and that of my data, I use a VPN systematically to make access to my location more difficult. I have also backed up all my data to five external hard drives that I have placed in multiple locations. It is important to make it clear that I am

194

Cybersecurity in Humanities and Social Sciences

not techie. I have had to develop security capabilities due to the cybersecurity requirements of my online field. Faced with the risk of a cyber-attack, I was therefore forced to modify my practices to protect my sensitive data and ensure my safety as well as the safety of my participants. Sensitive data includes the personal information of feminist activists (telephone numbers, audio recordings and transcripts of interviews). Furthermore, all data are anonymized as a preventive measure, whereas my university’s obligations and ethical guidelines only require that the confidentiality of the data be ensured. However, my techno-informatics knowledge is still limited, since I would qualify as a beginner in the field of cybersecurity. Moreover, I am relatively unsupervised by my university in the context of this research, although technical and legal assistance can be offered in case of problems, to ensure the confidentiality of my data and the security of my own computer4.

One of the interesting findings of my interviews is that there is a strong tension between knowing one is threatened and refusing to change one’s online practices, either to ignore the threat or to resist the fear. A majority of the people interviewed for this research do not change their online behavior or cybersecurity practices until they have been “truly” cyber-attacked. In addition, participants generally minimized the violence they suffered while stressing its consequences for their psychological and physical well-being. So it was up to me to reconstitute the story of violence when someone told me that they had “only” received death threat letters at home after being doxxed, or had a stalker for years who watched their every move online and offline. Finally, the continuity of online and offline spaces also means that researchers have very little respite, making it more difficult for them to leave the field temporarily or permanently.

4 To compensate for the lack of supervision at my university, I have met independently with professors specializing in cybercrime and specialists in cybersecurity for university research.

Anti-feminist Cyber-violence as a Risk Factor

195

7.3. Online–offline continuum

The cyberization of social relations has profoundly altered the nature and scope of social interactions [VOD 10] while producing a continuity of spaces and universes of practices. From this perspective, we argue that online and offline spaces are co-constructed and interdependent. It is then important to grasp these two types of space simultaneously in order to truly understand reality. Moreover, the literature does show a certain “porosity of boundaries in the virtual universe or between the ‘online’ and ‘offline’ universes” as well as “the hybridity of research data” [ROY 19, p. 2]. The continuity of the spaces is also explicit in the relationship between the researcher and subjects.

As part of this research, the features of online ethnography mean that I have access to a very large volume of information and data on feminist activists – especially those who divulge many elements of their private lives through photos or testimonies of their daily realities. However, these people are not necessarily aware that I am qualitatively observing their exhibition practices and online interactions, because of the possibility of lurking. Upon reflection, I preferred to use my personal social media accounts (Facebook, Twitter and Instagram) so that participants would be able to identify my civilian identity, which facilitated a bond of trust when I made contact. This was confirmed several times during the interviews. This strategic choice of non-participatory observation is also explained by the context of the strong surveillance of feminist activists by members of online masculinist communities. Mélissa Blais’ work [BLA 18] on the men’s movement in Quebec shows how antifeminist networks develop strategies to neutralize and monitor the activities of feminists. Moreover, the specificities and uses of cyberspace facilitate these tactics of neutralization and surveillance in order to cause damage to the opposing movement and allow for greater social control [ZAL 09]. According to the feminists interviewed, one of the most commonly used tactics is the organization of raids against online feminist spaces. Raids are collective, planned and structured operations against feminist spaces or cyber-feminists in particular.
Internet users are invited to insult, threaten, harass, identify those behind Facebook pages and Instagram and Twitter accounts, or to mass-report feminist digital spaces so that the platforms delete or suspend them indefinitely. The raids are generally organized in online spaces that are part of the antifeminist movement, such as the 18–25 forum of the blog jeuxvideo.com5 or the online community of the comic book artist Marsault6. This tactic is intended to harm feminist online communities, censor feminist content and/or exhaust administrators. The French association Féministes contre le cyberharcèlement (Feminists Against Cyber-Harassment), which brings together mostly racialized and queer women, wrote a joint letter in the French newspaper Libération7 opposing the cyber-harassment of a feminist and anti-racist activist. The signatories claim that cyberstalking is an increasingly politicized weapon to silence subaltern voices:

“All these bursts of violence, death threats, insults, endangerment, calls for rape, pornographic montages and incessant slut-shaming are so many bombs dropped to silence dissonant voices. Voices that upset and undermine the established order, denounce oppression and confront the dominators with their privileges to the point that the latter, finally realizing their extent, are afraid of seeing them diminish. […] Marsault’s actions, like those of the members of the “Ligue du LOL” (meaning the LOL League), provide us with ultimate proof, if any was needed, that online harassment is not a game for trolls, any more than a side-effect of the dematerialization of relationships that disinhibits idle Internet users dying of boredom on their sofas. Online harassment is a weapon, and the trolls whom we never cease to hear about are nothing more than petty soldiers in an army at war against women, racialized people, people of color, disabled people, LGBTQIA+ people, fat people, neuro-atypical people, marginalized people and most human rights activists.”8

5 See J. Darmanin, “La misogynie du forum 18–25 de jeuxvideo.com est connue depuis des années”, BuzzFeedNews, available at: https://www.buzzfeed.com/julesdarmanin/jeuxvideocomdes-annees-de-harcelement-misogyne-et-de?utm_term=.rw90B9wbM#.wndqwrB1m, November 3, 2017.

6 See Sarah Lefèvre: “I’ve received more than 1,200 insulting messages on Facebook”. Available at: https://www.streetpress.com/sujet/1484847871-temoignage-victime-cyberharcelement?fbclid=IwAR2MEckCJeEZfHTOJFfal9tn0EPmr3C-U8ozdSNmX5cISckeNiXzETA2QZM, January 19, 2017.

7 Association Féministes contre le cyberharcèlement, “Contre le cyberharcèlement nous ferons front”, Libération. Available at: https://www.liberation.fr/debats/2019/02/12/contre-le-cyberharcelement-nous-ferons-front_1708949, February 12, 2019.

8 This is a citation of the feminist collective Féministes contre le cyberharcèlement (Feminists Against Cyber-Harassment).

Raids and other tactics to attack feminists and their ideas are part of a pattern of “soft repression” [FER 05]. In contrast to State-centric approaches, the concept of soft repression makes it possible to address unconventional forms of political violence. Considering that the feminist movement simultaneously targets the State and society with its claims, Myra Marx Ferree shows that this “soft” mobilization, which is not strictly aimed at the political authorities, leads to equally soft forms of opposition by dominant State and non-State actors. The forms of this soft repression are: opposition through ridicule, stigmatization and stifling dominated voices by silencing them [FER 05]. Soft repression is particularly used by antifeminist networks to attack online feminist spaces and the people who build them.

In our observation, the case of the Check tes privilèges9 (“Check your privileges”) page on Facebook speaks for itself. Between 2017 and 2018, Check tes privilèges was the victim of several coordinated attacks by anti-feminist networks. Several fake pages of the same name were set up, while the original page was continually being reported for non-compliance with Facebook’s publishing standards and rules in order to have its content suspended or banned. Masculinist satires were produced using the same name and visual identity as Check tes privilèges. Many of these mimic pages have been closed, but some are still active, such as the Check tes privilèges VI page, which is presented as a space for “anti-feminazi resistance”. These fake pages regularly publish anti-feminist content, directly attacking feminist activists they identify in order to encourage raids against them. This masculinist appropriation of the Check tes privilèges page demonstrates the process of creating an antifeminist nebula that shares content between different pages like Paye ta Féministe (“Pay your feminist”) and RDZ IV, 3 fois plus fort que Jésus (“RDZ IV, 3 times stronger than Jesus”). This specific research context induces real cybersecurity issues. I also wished to avoid becoming a target for certain masculinist and antifeminist networks, which have important connections with French extreme right groups such as Génération identitaire or Action française, to name only those shadow figures mentioned in our interview data.

In short, the non-participant observation made it possible to limit the risks while avoiding a certain additional risk, given the relative insecurity of this field of investigation. To illustrate the continuity between online and offline spaces as well as the continuum between security and insecurity, we will use two examples that occurred during the five-month field phase in France10. The first example will show the continuity of research spaces that are online and offline while presenting in a very concrete way the effects of lurking on the trust between the subject and researcher. This example will be illustrated through the complete and non-redacted transcription of my field notes. The second example will illustrate the continuity of the threat against feminist activists between online and offline spaces:

9 The cyber-activist who was harassed by Marsault’s online community circulates in the same feminist and anti-racist circles as the administrators of Check tes privilèges.

10 The identities of the individuals in these examples will not be disclosed in order to protect their privacy and preserve their integrity beyond their current vulnerability, even though the acts which have victimized them are public.

“On April 23, 2019, I attended the third anniversary of the founding of Lallab, an association for and by Muslim women. It was a very unifying event that was meant to be safe for racialized, queer and Muslim women. In fact, I was one of the few white people at the event. Towards the end of the day, I thought I recognized someone in the crowd. I wasn’t quite sure it was this person. I thought I would be able to recognize her by the data in my online ethnography.”

“The latter was the victim of a violent raid organized by the online community of a comic book artist with ideological links to the extreme right. She received more than 1,000 insults as well as death threats, rape and female genital mutilation threats in just a few hours. This feminist activist has also been the victim of doxxing causing severe post-traumatic stress and a suicide attempt. So, I was eager to meet this person I had already contacted beforehand to try to set up an interview. Nevertheless, I also felt like a stalker, since I had a significant amount of information about this racialized feminist activist, while at the same time being virtually invisible to her as an individual and researcher.”

“After several hesitations due to her possible state of fragility and exhaustion, I decided to go and introduce myself after having exchanged a few words with her in a very informal way over the course of the day. I asked her if she was indeed the feminist and anti-racist activist who had won her trial against the cartoonist. Her gaze then froze, and she made an abrupt backward movement. She immediately asked me why I was asking her this question and seemed very worried and almost panicked. Then I apologized to her by explaining my approach and telling her that I had hesitated for a long time to come and see her during this Lallab event and that I wasn’t sure if it was really her.”

“Eventually, she recognized me since several other feminist activists had told her about me and how I conducted my interviews in a non-oppressive way. Her attitude towards me at that time changed and she relaxed somewhat and became less on guard. She told me that she had wanted to answer me for a long time, but that she didn’t have the psychological strength to do so. She went on to say that April 23, 2019 was her first public appearance since the trial. I was deeply shocked by this event and I felt as if I was a source of insecurity and had betrayed the relationship of trust between researcher and subject.”

The second example to illustrate the continuity of the spaces, and more precisely of the feeling of insecurity as well as of the antifeminist threat, is the story of a male feminist activist I was going to meet for an interview. After some discussion, we decided to set up a meeting. However, I had no further contact, and I could not reach him anymore to determine the day and time of our meeting. Finally, I later learned through the media that he had been assaulted by three men because of his feminist involvement. His assailants hit him several times, telling him that they had warned him “to stop with those feminist sluts”. The attack was reportedly organized by identitarian activists in a town in northern France. This activist had already been targeted twice in the past for his feminist and anti-racist commitments11. In addition, the cyber-attacks and attacks on these two feminist activists have contributed significantly to their sense of insecurity in the public space. These examples also show in a very concrete way the continuity of spaces as well as between online and offline violence. Finally, these two examples show how this continuum can interfere with the relationship between the subject and researcher.

11 This feminist activist has since recovered from his attack and says he is even more motivated to continue the struggle. Our interview has been postponed to a later date.

7.4. Continuum between security and insecurity

In general, there is a “structural knowledge deficit on the risks of Web 2.0” in the literature [DUP 10, p. 8]. In political science, cybersecurity work is generally State-centric, integrating it as a variable in international policy [VEN 16]. The literature is built around the concepts of cyber defense, cyber-attack, cyber terrorism and cybercrime in order to address the issues of cybersecurity. According to Hugo Loiseau, human risk remains “unthought of” in terms of cybersecurity, despite the influence of cyberspace on the social and political order [LOI 16]. Indeed, cybersecurity policies focus more on the technical aspects of this type of attack, often removing the political, social and economic motivations of the actors carrying out cyber-attacks. The minimum definition of cybersecurity thus focuses on the technical security aspects of information systems by assessing their ability to “resist events originating in cyberspace that could compromise the availability, integrity or confidentiality of the data stored, processed or transmitted and the related services that these systems offer or make accessible” [ANS 19]12. Cybersecurity is also seen as simultaneously focusing on “protecting and attacking computer equipment” and “available information” in cyberspace, with the potential consequence of “damage to reputation, theft of sensitive data, digital hacking and other smear campaigns” [ARP 10, p. 9]. Through an extensive understanding of cybersecurity issues and their effects on the sense of insecurity and safety online, we propose to broaden the definition of cybersecurity to address both the subjective integrity of cyberspace users and the integrity of their data. A broadening of the definition of cybersecurity and its issues would reflect the processes of online subjectification. These processes thus make it possible to grasp the relationship with oneself and the self-awareness of the users of cyberspace, who construct themselves as political subjects.

12 Glossary from: Agence nationale de la sécurité des systèmes d’informations, “Glossaire”. Available at: http://www.ssi.gouv.fr/particulier/glossaire/c/.

Alongside the strong continuities between online and offline identities [CAD 15], the integration of online subjectivities and subjectivation processes shows how the autonomy of the subject can be affected by the threats and effects of the antifeminist insecurity mechanism. There is thus a permanent tension between emancipatory and alienating subjectification, as reflected in the debates between optimistic and pessimistic approaches to the effects of cyberization on social relations and the political order. Therefore, a definition that integrates the security issues of online subjectivities would allow for an understanding of the consequences of cyber-violence and its political motivations when they are the product of anti-feminist strategies and tactics. These strategies and tactics aim to limit activists’ access to certain online spaces and to blur the dissemination of their feminist ideas in these same digital spaces. One of the most widely used antifeminist attacks in cyberspace is data theft, which is equivalent to identity theft. Nevertheless, we believe it is important not to think of the risks inherent in cyberspace only in terms of hackers, although hacking is a considerable risk factor for many feminist activists. In interviews, several of them said they had been victims of doxxing and then received death threat letters at home13. This phenomenon is a perfect illustration of the shift of violence from online to offline spaces. The case of a former Femen activist is revealing in this sense and shows the existence of a gradation of cyberviolence. Éloise Bouton14 was particularly targeted as one of the first people to join the French Femen network. She tells us in an interview about the types of cyber-violence that have affected her the most in the long term and the difficulty for victims to file a complaint when they feel their psychological and physical integrity is threatened:

“I think what still continues to really shock me is the physical attacks. Saying she has red hair, she stinks, and I’m a witch. I once posted a picture with my black cat and now I’m called a witch even more. The redhead with the cat. It’s still haunting me. Otherwise, death threats. I’ve had several. Also threats of rape. Outright death threats. I’ve filed charges before, and nothing ever happened. Once like that, I was threatened on Twitter. A guy told me he was going to throw me in acid, cut off my breasts and hang me. All of it. [...] I filed a complaint, they told me there was nothing they could do. I got really pissed off. […] I went back to the police station saying I’m a journalist, it’s a scandal, I’m going to do a story and everything. Obviously, I would never have done it. But of course it worked, unfortunately. And right away, the chief welcomed me, took my complaint and everything.”

13 It is also important to note that two of these activists had their personal information disclosed for malicious purposes by people who already knew their home address or phone number. Thus, doxxing does not necessarily require very advanced techno-informatics knowledge to be practiced as a tactic of control and threat.

14 This activist insists on using her civilian identity in the face of political struggle.

Her story begins with a series of raids on her personal accounts and more specifically the #PayeTonTroll account where she invited her subscribers, during the #MeToo period, to anonymously share testimonials of cyberviolence against women and feminists. Éloise Bouton recounts in an interview that she had to move twice after receiving threatening letters directly to her home. She continues her testimony by stressing the consequences of cyber-violence on the sense of security of her relatives. For example, she recounts how multiple threats endangered her roommate, who felt unsafe in her own home:

“For example, all the trolls I might get during Femen with the fascisphere, but when he started phoning home at night on my landline and ringing on my intercom [...] At the time, I had a roommate. My roommate was a maths teacher and she had to get up at 6am to go to work at the other end of the Ile-de-France region. She clearly felt unsafe. She felt unsafe in our home. She didn’t sleep at night and all that. So, at one point, I thought I had to deal with this thing. She didn’t ask for anything, which also put her in a shitty position. Plus, she’s of Asian descent, so with the fascists... She’s a lesbian. We were actually thinking, she’s vulnerable too.”

Twice she was also followed on the street and assaulted in the subway by the same people who harassed her online and who were affiliated with the extreme right. Éloise Bouton also recounts how the police had to intervene to secure a venue where she was performing a concert with her band after she received a series of death and rape threats on Twitter, particularly from her political opponents:

“At the time, I was in a rock band and I was doing a concert in a place in Paris. And there were a lot of people who had called to assault me during the concert, to rape me and all that. There were basically police who came to secure the place. I had some kind of cops at the show, it was crazy. But the complaint… I mean, they took the threats seriously, they came in and they secured the place. But, there was no, the parallel complaint was dismissed. Which was very paradoxical. That was really crazy.”

“That was crazy, and even for the other members of my band. I also felt that was enough. It put them in danger too, when they did nothing to anyone. They were at the concert and they were stressed. So they were collateral damage. I think that was the biggest incident in all the cyber-violence. It’s how cyberviolence actually has very real consequences in your life. That’s why... well, the discourse changed a little bit, but when I went to file a complaint at the time, I was told, ‘But that’s not real life, ma’am, that doesn’t count. It’s virtual, it doesn’t exist.’ So I wanted to tell them, ‘Yes it does, because I can see the consequences. And it’s not on the Internet, it’s there in my life.’ And actually, that’s really what affected me the most.”

In addition, several deceptive escort service Web pages with her civilian identity and personal information were opened with the intention of damaging her reputation. She was inundated with requests for her alleged services as a sex worker who, according to the fake profile, charged for “brutal” practices. Knowing that her IP address was shared in what she calls the “fascisphere”, Éloise Bouton received help from activists from Anonymous who organized an action against her cyber aggressors. This counterattack deterred many of the cyber-attackers who were targeting the freelance journalist. She tells us that she has not gotten a contract for more than two years because of the impact of these waves of cyberstalking on her ability to work and her reputation. This example illustrates the sense of insecurity produced by online and offline violence against feminist activists because of their commitment and demands. Victims of anti-feminist cyber-violence and cyber-harassment are often exhausted and isolated and do not know how to respond to or report these forms of violence.

To respond to these issues of cybersecurity and insecurity affecting feminist activists, associations have emerged in France around the mediatized cyber-harassment of journalist Nadia Daam and the Lallab association in 2017. The Collectif Féministes contre le cyberharcèlement, which brings together a majority of racialized and queer women, organizes several conferences and workshops aimed at equipping women and feminists to develop safe online practices. Their objective is to provide legal support for victims of cyber-violence and to raise awareness among women and feminists about cybersecurity issues such as the protection of their data and online tools. The Collective also has an important function in denouncing and reporting cyber-violence and cybersexism, notably through the #SafeInternetDay campaign. For this collective, “cyber activism is necessary for the more traditional feminist struggle. It allows causes which are invisible, sometimes even in feminist spaces, to find an audience and have a strong resonance.”15 However, this collective does not necessarily have the resources to support feminist activists who are the target of cyber-harassment in the form of hacking. In case of hacking, the collective works closely with the queer and feminist hacker space, Le Reset. It is an association that describes itself as a “space for tinkering” and “learning digital technologies”. The philosophy of this horizontal and self-managed association is in line with DIY logic, encouraging people to learn certain forms of techno-computer knowledge. The members of Le Reset give all the necessary support and never touch computer equipment that does not belong to them. In an interview, Sam, who is one of the board members of Le Reset, tells us that during the collective’s workshops, many people come to meet these hackers because of cybersecurity issues following several episodes of cyber-violence and cyber-harassment. These two feminist collectives focus their activist practices around cybersecurity issues by insisting on the agency of users of cyberspace in order to strengthen their sense of security in a context of great insecurity for feminist activists. A minimal definition of cybersecurity would not allow for the integration and understanding of these security issues of online subjectivities.

15 See the interview with Annabelle Gasquez: Gasquez, A., “Interview : Féministes contre le cyberharcèlement, la lutte est aussi digitale”, Deuxième page. Available at: https://www.deuxiemepage.fr/2017/01/18/interview-feministes-contre-le-cyberharcelement-lutte-digitale/?fbclid=IwAR3KbVGu6gcQ5faMaZrYStatxxnnugi9zxy0ssGz-TxzGfhpN3JlCb35_Nk, January 18, 2017.

7.5. Conclusion

The architecture of Web 2.0, which is built around interaction and self-exposure, thus encourages “dialogue and information sharing” [MAB 14, p. 6]. While the “utopia of the Web” [FLI 01] is well-demonstrated in the literature, there is little work on the mechanisms and processes of exclusion in cyberspace. Since cyberspace is a distorted mirror of reality as a place of socialization and social control [WAL 17b], online spaces reproduce the dominant groups and structures of domination of offline spaces, although there is a distinction between the “material real” and the “virtual real” [LOI 19]. Moreover, cyberspace is not equally accessible due to the digital divide, but also due to different structures and systems of domination. In this sense, cyberviolence and cybersexism would constitute an obstacle to the citizenship of women and feminists [CAR 18] by reiterating a system of multiple injustices and insecurities. Anti-feminist cyber-violence and cyberstalking therefore represent real security issues for feminist activists while at the same time they break the principles of equality that have nourished the democratization of the Internet. Indeed, the pre-eminence of cyber-violence generates important factors of exclusion from digital spaces for feminist activists, who adapt their uses of Web 2.0 according to their assessments of the intrinsic risks of their online exposure. Although a majority of cyber-violence is already illegal and affects the integrity of feminist subjectivities, political and judicial arenas are still lagging behind. However, a number of legal cases concerning the issue have been made known in recent years in France and Quebec.

Overall, we believe it is crucial to understand the processes of online subjectification and the sense of online insecurity of feminist activists. This chapter also initiated a reflection on the contexts of use and deployment of “netnography” to grasp phenomena that cross over between online and offline modes. This method thus makes it possible to observe types of interactions that would not always be accessible to researchers in more traditional ethnographic fields. However, this method raises a considerable number of ethical and cybersecurity issues for participants and researchers. The results of netnography cannot be used without an effort of triangulation with other methods, since online information consists only of digital traces.

7.6. References

[AHM 12] AHMED S., “Les rabat-joie féministes (et autres sujets obstinés)”, Cahiers du Genre, vol. 2, no. 53, pp. 77–98, 2012.

[ARP 10] ARPAGIAN N., La cybersécurité, Presses Universitaires de France, Paris, 2010.

[AVA 08] AVANZA M., “Comment faire de l’ethnographie quand on n’aime pas ‘ses indigènes’ : une enquête au sein d’un mouvement xénophobe”, in BENSA A. (ed.), Les politiques de l’enquête, La Découverte, Paris, 2008.

[BER 12] BERENI L., “Penser la transversalité des mobilisations féministes : l’espace de la cause des femmes”, in BARD C. (ed.), Les féministes de la 2ème vague, Presses universitaires de Rennes, Rennes, 2012.

[BIL 09] BILGE S., “Les théorisations féministes de l’intersectionnalité”, Diogène, no. 1, vol. 225, pp. 70–88, 2009.

[BLA 18] BLAIS M., Masculinisme et violences contre les femmes : une analyse des effets du contremouvement antiféministe sur le Mouvement féministe québécois, PhD thesis, Université du Québec à Montréal, 2018.

[BOY 15] BOYD D., “Making sense of teen life: Strategies for capturing ethnographic data in a networked era”, in HARGITTAI E., SANDVIG C. (eds), Digital Research Confidential: The Secrets of Studying Behavior Online, MIT Press, Cambridge, MA, 2015.

[BRA 19] BRANTHONNE A., WALDISPUEHL E., “La netnographie pour étudier une communauté masculiniste en ligne : contributions méthodologiques d’un E-terrain”, Recherche qualitative, special edition, no. 24, pp. 6–19, 2019.

[CAD 15] CADEC K., PROULX S., “Les représentations de l’amitié sur Facebook : un continuum hors ligne/en ligne”, Communication, vol. 2, no. 33, 2015.

[CAR 12] CARDON D., “Montrer/Regarder. L’économie de la visibilité sur les réseaux sociaux d’Internet”, in MARQUET J., JANSSEN C. (eds), Lien social et Internet dans l’espace privé, Éditions Harmattan-Academia, Paris, 2012.

[CAR 18] CARON C., “Les cyberviolences comme entrave à la citoyenneté des femmes”, Forum sur les cyberviolences contre les femmes du Réseau québécois en études féministes (RÉQEF), Montreal, November 30, 2018.

[CHO 12] CHOUCRI N., Cyberpolitics in International Relations, MIT Press, Cambridge, MA, 2012.

[COL 17] COLEMAN G.B., “From Internet farming to weapons of the geek”, Current Anthropology, vol. 15, no. 58, pp. 91–102, 2017.

[DIM 15] DIMINESCU D., WIEVIORKA M., “Le défi numérique pour les sciences sociales”, Socio. La nouvelle revue des sciences sociales, no. 4, pp. 9–17, 2015.

[DUB 15] DUBOIS E., FORD H., “Trace interviews: An actor-centered approach”, International Journal of Communication, no. 9, pp. 2067–2069, 2015.

[DUP 10] DUPONT B., GAUTRAIS V., “Crime 2.0 : le web dans tous ses états!”, Champ pénal/Penal field, available at: http://journals.openedition.org/champpenal/778 [accessed February 23, 2018], 2010.

[FER 05] FERREE M.M., “Soft repression: Ridicule, stigma and silencing in gender-based movements”, in DAVENPORT C., JOHNSTON H., MUELLER C. (eds), Repression and Mobilization, University of Minnesota Press, Minneapolis, MN, 2005.

[FLI 01] FLICHY P., L’imaginaire d’Internet, La Découverte, Paris, 2001.

[GAL 08] GALLENGA G., “L’empathie inversée au cœur de la relation ethnographique”, Journal des anthropologues, pp. 114–115, 2008.

[GEE 73] GEERTZ C., Interpretation of Cultures, Basic Books, New York, NY, 1973.

[GEE 98] GEERTZ C., “La description dense”, Enquête, available at: http://journals.openedition.org/enquete/1443 [accessed June 24, 2019], 1998.

[GHE 17] GHERNAOUTI S., DUFOUR A., “Cybercriminalité et cybersécurité”, in GHERNAOUTI S. (ed.), Internet, Presses Universitaires de France, Paris, 2017.

[GIT 13] GITELMAN L., Raw Data is an Oxymoron, MIT Press, Cambridge, MA, 2013.

[GRA 14] GRAHAM M., DUTTON W.H. (eds), Society and the Internet: How Networks of Information and Communication are Changing Our Lives, Oxford University Press, 2014.

[HAM 07] HAMMERSLEY M., ATKINSON P., Ethnography: Principles in Practice, Routledge, London, 2007.

[HAM 10] HAMILTON K., HEWER P., “Tribal mattering spaces: Social-networking sites, celebrity affiliations, and tribal innovations”, Journal of Marketing Management, vols 3–4, no. 26, pp. 271–289, 2010.

[HAN 11] HANLEY T., “Virtual data generation: Qualitative research, computers, and counseling psychology”, Counselling Psychology Reviews, vol. 4, no. 26, pp. 59–69, 2011.

[HAR 98] HARAWAY D., “Situated knowledges: The science question in feminism and the privilege of partial perspective”, Feminist Studies, vol. 3, no. 14, pp. 575–599, 1998.

[HAR 03] HARDING S., “Introduction: Standpoint theory as a site of political, philosophic, and scientific debate”, in HARDING S. (ed.), The Feminist Standpoint Theory Reader, Routledge, New York/London, pp. 1–16, 2003.

[HIN 09] HINE C., “How can qualitative internet researchers define the boundaries of their projects?”, in MARKHAM A.N., BAYM N.K. (eds), Internet Inquiry: Conversations about Method, SAGE Publications, Los Angeles, CA, 2009.

[HIN 13] HINE C. (ed.), Virtual Research Methods, SAGE Publications, London, 2013.

[KOZ 09] KOZINETS R.V., Netnography: Doing Ethnographic Research Online, SAGE Publications, London, 2009.

[LAB 15] LABARRE S., “Les féministes, les réseaux sociaux et le masculinisme : guide de survie dans un no woman’s land”, in BLAIS M., DUPUIS-DÉRI F. (eds), Le mouvement masculiniste au Québec : l’antiféminisme démasqué, Les Éditions du Remue-Ménage, Montreal, 2015.

[LAN 05] LANGER R., BECKMAN S.C., “Sensitive research topics: Netnography revisited”, Qualitative Market Research: An International Journal, vol. 2, no. 8, pp. 189–203, 2005.

[LAT 17] LATZKO-TOTH G., BONNEAU C., MILLETTE M., “Small data, thick data: Thickening strategies for trace-based social media research”, in QUAN-HAASE A., SLOAN L. (eds), The SAGE Handbook of Social Media Research Methods, SAGE Publications, Thousand Oaks, CA, 2017.

[LIN 08] LINSTROTH J.P., “Field research”, in GIVEN L.M. (ed.), The SAGE Encyclopedia of Qualitative Research Methods, SAGE Publications, Los Angeles, CA, 2008.

208

Cybersecurity in Humanities and Social Sciences


List of Authors

Hartmut ADEN
Berlin School of Economics and Law
Berlin Institute for Safety and Security Research
Germany

Michel DACOROGNA
PRS Solutions
Zug
Switzerland

Joseph FITSANAKIS
Coastal Carolina University
Conway, South Carolina
USA

Marie KRATZ
ESSEC Business School
CREAR
Cergy-Pontoise
France

Hugo LOISEAU
École de politique appliquée
Faculté des lettres et sciences humaines
Université de Sherbrooke
Quebec
Canada

Trishana RAMLUCKAN
School of Law
University of KwaZulu-Natal
Durban
South Africa

Brett VAN NIEKERK
School of Mathematics, Statistics, and Computer Science
University of KwaZulu-Natal
Durban
South Africa

Daniel VENTRE
CESDIP Laboratory
CNRS
Guyancourt
France

Elena WALDISPUEHL
Département de Science Politique
Université de Montréal
Canada

Index

A, C, D
antifeminist, 186–188, 192, 193, 195, 197, 199, 200, 203
cyber
    -attacks, 123, 126, 129, 139–141, 149, 150
    -crime, 86, 87, 123, 126, 127, 130, 139, 149, 153, 154, 169, 170, 172, 174, 175, 179
        legislation, 153, 154, 169, 170, 172, 175, 179
    -espionage, 85
    -harassment, 186, 196, 203, 204
    -space, 2, 6, 8, 10, 11, 16, 17, 19, 25, 26, 33–38, 52
    -terrorism, 86, 87
    -threats, 87
    -violence, 185
    -warfare, 87, 109
    risk, 123, 140, 147, 151
data protection, 67, 68
definition, 25

F, G, I
feminism, 185–189, 192, 193, 195–205
France, 185, 197, 199, 202, 203, 205
Gendarmerie Nationale (GN), 123, 126, 127, 139–141, 149–151
insurance sector, 124, 130, 136, 149, 150

L, M, N
legal perspective, 80
methodology, 1–8, 10, 11, 13, 16–18, 20, 67, 74, 77, 105, 156, 179
national cyber strategy, 154, 161, 163, 165, 167, 169, 177, 179
NVivo software, 154, 158, 159, 160, 161, 167, 169, 175, 177

O, P, Q
online insecurity, 185, 205
online–offline continuum, 185, 187, 194
ontology, 52
personal data, 67, 69, 72, 73, 75, 76, 79, 80
political participation, 185
privacy, 67–69, 73, 75
public policy perspective, 67, 74, 77, 78
qualitative, 5, 8–10, 14, 18, 153, 154, 157–160, 167, 178
    document analysis (QDA), 153, 154, 158, 160, 161, 167, 174, 177–180
Quebec, 185, 195, 205

S, T, U
scientificity, 1–6, 9, 20
social
    media, 185, 187–189, 195
    movements, 185, 187, 192
statistical exploration, 130
taxonomy, 48
typology, 43
uncertainty, 123
