Innovations in Public Interest Cybersecurity
Introducing the July 2023 edition of PITUNiverse
Author: Ethan Zuckerman is an associate professor of public policy, communication, and information at the University of Massachusetts, Amherst, and director of the UMass Initiative for Digital Public Infrastructure, a research group studying and building alternatives to the existing commercial internet. His most recent book is Mistrust: Why Losing Faith in Institutions Provides the Tools to Transform Them.
Cybersecurity is More than "War by Digital Means"
As more of our lives move online, cyberattacks — once the province of Hollywood thrillers — have become an everyday threat to businesses, governments, and the basic social services we all depend on.
The 18,000 organizations affected by the 2020 SolarWinds cyberattack, which compromised systems at Microsoft, the U.S. Treasury Department, and even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, are expected to spend over $100 billion repairing and replacing affected systems. In October 2022, the fourth-largest U.S. health system was forced to delay patient care and surgeries in hospitals from Seattle to Tennessee after hackers seized medical records and threatened to delete them unless they received payment. In 2022 alone, at least 15 U.S. hospital systems faced such ransomware attacks. Some victims replace their software and systems at the cost of millions of dollars, while others pay the ransoms — usually in cryptocurrency — so they can get back to doing business.
Cybersecurity, the art of defending against these attacks, has become a major focus for institutions from the military to police departments to commercial firms that consult with corporations to create security systems and defend against attacks. This large and growing industry is expanding at 12% a year and promises to hire thousands of graduating students in the years to come.
But understanding cybersecurity as solely a digital version of cops and robbers, or as war by digital means, obfuscates large sections of the everyday population whose livelihoods and mental and physical safety are routinely threatened by cyberattacks.
The Public Interest Technology University Network (PIT-UN) and public interest technologists more broadly are leading a growing movement to expand the scope of cybersecurity and reframe the field’s primary concerns to focus on the well-being of people and communities, not just technical systems, nation-states, and multibillion-dollar corporations.
Who is Cybersecurity for?
In this issue of PITUNiverse, Lana Ramjit of the Clinic to End Tech Abuse at Cornell Tech argues why and how we need to stop thinking solely about the security of technical systems and start thinking about the safety of vulnerable human populations such as survivors of intimate partner violence, where abusers use technology in all kinds of ways to stalk, harass, and surveil their victims.
Ramjit’s colleague Diana Freed explains that intimate partner violence forces us to invert everything we know about cybersecurity. Generally, we assume that cybersecurity should focus on the Russian Federation and other large, well-funded adversaries. But an abusive spouse is likely to know the answers to our security questions, such as our mother’s maiden name or the street where we grew up. How must we redesign cybersecurity strategies and tools if our adversary is someone who knows everything about us — and is uniquely positioned to cause harm to us and our loved ones?
We must learn to value flexible, human-mediated processes, rather than rigid systems and ‘magic bullet’ products.
Lana Ramjit, Cornell Tech
These are answerable questions, but only if we expand our understanding of what cybersecurity is and who gets to practice it. In addition to protecting corporate financial transactions and military battle plans, cybersecurity needs to ensure that dating doesn’t turn into stalking and that personal health data remains private. It means considering not just freedom of expression in social media spaces, but also the effects trolling and harassment can have in silencing historically marginalized voices. It means securing systems that help poor people receive food assistance. It means securing election systems, not just power grids.
Making Cyber Training Accessible and Interdisciplinary
To shift the focus from securing systems to securing people, we must shift the focus of who we train in cybersecurity as well. Justin Pelletier of the Rochester Institute of Technology and his colleagues have built a unique cybersecurity apprenticeship program customized to meet the needs of the deaf community. A military veteran himself, Pelletier makes a powerful argument that diversifying the cyberworkforce is not only the right thing to do, but also the smart thing to do when we consider the importance of diversity within teams that must cope with complex and well-resourced adversaries.
No matter your major, you can’t separate technology from the discipline.
Dr. Kevin Harris, Stillman College
This spring, students at Case Western Reserve university from across disciplines had the opportunity to try some of the tools of cybersecurity, such as packet sniffers and firewalls, and to learn from and question policymakers in Washington, D.C. on pressing issues in the field. And the growing Consortium of Cybersecurity Clinics that began with a PIT-UN Network Challenge grant is connecting hundreds of young technologists in local communities across the country with businesses and nonprofits in need of cybersecurity expertise. In a Q&A, Kevin Harris of Stillman College explains how he and his colleagues leveraged relationships and resources within PIT-UN to build a cybersecurity clinic uniquely suited to this historically Black college and its local community of Tuscaloosa, Alabama.
Building on Lived Experience
These projects are foundations for the field of public interest technology to build on as we embrace the responsibility of ensuring that the technologies central to daily life are made safe for everyone, not only corporations or communities that already have resources. As we know from work in other technology fields like machine learning, our most valuable insights often come from researchers’ and users’ firsthand experiences with the systems they study: Latanya Sweeney’s discovery that Google serves ads about criminal arrest records to people searching names common in the Black community, and Joy Buolamwini’s discovery that computer vision systems routinely miss or misclassify faces with darker skin, just to name a couple.
Public interest technology is uniquely positioned to help shift the goals of cybersecurity to include the needs, desires, and lived experience of the people and communities that have been left out of conversations about how we design, deploy, and govern technology. This July 2023 issue of PITUNiverse highlights powerful work being done across PIT-UN, and I hope it inspires you to think big about how you can partner with your colleagues and institutions to contribute to this growing movement