The aim of this research program is to make a major contribution to the emerging cross-disciplinary conversation on cybersecurity by developing new empirical, theoretical and policy insights on the governance and regulation of online harms. The expected breakthroughs will stem from the cross-pollination of criminology, computer science and regulatory scholarship, as well as from the fusion of public and privately-held datasets, complemented with in-depth interviews and twelve country case studies, to assess the comparative impact and effectiveness of a broad range of cybersecurity policies. The findings will enhance Canada's capacity to protect its digital ecosystem and reinforce its resilience.
While human societies are in the midst of a Digital Revolution that is proving as transformative and disruptive as the two Industrial Revolutions that preceded it, the complex problem of how newly emerging techno-social assemblages should be safeguarded against a broad range of manufactured online risks remains an unsolved puzzle (Giddens 1999). Alarming headlines remind us daily that the personal and financial data we entrust to our employers, insurers, banks or retailers are being plundered on a systematic basis by attackers who exploit a broad range of technical vulnerabilities or human errors (Verizon 2015). The revelations made by Edward Snowden also highlighted how the intelligence agencies that are supposed to protect us against such threats are in fact busy developing a massive bulk-surveillance apparatus (Bauman et al. 2014). Meanwhile, police organizations face severe budgetary constraints and can hardly hire, train and retain the specialized investigators and forensic experts required to investigate and prosecute local and international cybercrimes (Council of Canadian Academies 2014). In this fast-evolving and uncertain environment, private companies see attractive business opportunities and market a broad range of products and services, from cybersecurity insurance policies to antivirus solutions and new authentication technologies. Gartner estimates the global cybersecurity market to be worth $77 billion in 2015, growing to $156 billion by 2019 if forecasts prove correct. Yet, despite these massive investments, the situation does not seem to improve, and cybersecurity remains an elusive objective.
This unique mix of 1) rapidly transforming criminal risks; 2) government crime-control institutions that seem unable to innovate at the required pace and whose capacities are being reshaped by expanded national security mandates; and 3) private interests bent on profiting from this highly uncertain context creates substantial and complex policy challenges. The main one is arguably the coordination of collective action among a plural set of institutional actors pursuing diverging objectives, operating under different rationalities and responding to distinct incentives.
While many fields of research are producing valuable new knowledge on this emerging cybersecurity ecosystem, their insights all too often remain fragmented. Computer scientists focus on the technical dimension of system vulnerabilities with limited interest in the psychological and behavioural forces at work (Anderson 2008), while criminologists and sociologists examine the social organisation and career trajectories of individual online offenders without always considering how technical and economic decisions made by private and public stakeholders might facilitate cybercrimes (Holt and Bossler 2014). Legal scholars, for their part, study legislative and regulatory approaches in the digital domain, but with a clear preference for access and privacy issues over security considerations (Lessig 2006). Some forums created by computer scientists have sought to build bridges with the social sciences (in particular psychology and economics) and are yielding promising results (see for example the Symposium On Usable Privacy and Security (SOUPS) or the Workshop on the Economics of Information Security (WEIS), both held annually). Social scientists, however, have not yet erected similar interdisciplinary tents, despite their unique expertise in the complex craft of designing institutions that can manage and mitigate a broad range of societal risks (Braithwaite 2014).
The theoretical goal of this program is to examine cybersecurity as a public good produced by a mix of interdependent and mutually adjusting government and market mechanisms. The polycentric governance framework has been used to great effect by political scientists to understand the management of water resources or the provision of police services, and it is ideally suited to the study of inherently complex problems such as cybersecurity, where the appearance of chaos conceals a broad range of productive or perverse arrangements that must be unpacked (Ostrom 2010). In order to make sense of actual and potential outcomes in polycentric systems, the nodal governance framework developed by Foucauldian criminologists helps us focus on the diversity of governing nodes whose knowledge and capacities are defined by five core features: mentalities (ways of thinking), technologies (sets of methods), resources, institutions (structures that mobilize the former) and constraints (Drahos et al. 2005, Dupont 2014). The security network approach complements the polycentric and nodal governance literatures by providing the tools to think more systematically about the structure of ties linking governing nodes that have traditionally been analyzed separately (Dupont 2004). It will help us identify key cybersecurity actors, structural holes hindering the circulation of information (Burt 1992), institutional brokers fostering cooperation, and emergent effects resulting in positive or negative outcomes.
The empirical focus of this program will be the development of a data warehouse hosted at the Cyber Criminology Lab that will serve as a repository for case studies produced by the Chair, as well as for aggregate open and proprietary datasets from organizations such as the OECD (Key ICT Indicators), the ITU (World Telecommunication/ICT Indicators and Global Cybersecurity Index), the World Bank (Knowledge Economy Index), the UNODC (Comprehensive Cybercrime Questionnaire), NATO (International Cyber Development Review database), Symantec (WINE database), ESET (Antivirus and Online Scanner Database) and Microsoft (Malicious Software Removal Tool Database). Access to the data and to key informants will be enabled by the nominee's role as Scientific Director of SERENE-RISC, Canada's Smart Cybersecurity Network, which will act as a gateway to an existing, sprawling network of government, industry and international partners and as a powerful knowledge transfer platform. Privileged access to the proprietary datasets (Symantec, ESET and Microsoft) and the confidentiality parameters governing their use have already been secured by the nominee. By creating a central hub that consolidates cybercrime and cybersecurity statistics as well as qualitative case studies, it will be possible to measure the impact of prevention, disruption and mitigation strategies and to compare their effectiveness. Finally, this program will maintain a strong policy focus and generate evidence-based, actionable knowledge that will be available to public and private decision-makers. Many of cybersecurity's commonly accepted practices (such as password management guidelines, of which mandatory periodic password rotation is a well-known instance) rest on beliefs promoted by private interests rather than on evidence. Developing open criteria that can be used to assess the claims made by various cybersecurity nodes, and communicating this program's findings through an array of easily accessible and user-friendly tools, will encourage a more informed and balanced debate.
This content was last updated on 19 December 2017 at 3:16 p.m.