Cybersecurity, Politics, Governance and Conflict in Cyberspace – An Interview with Dr. Van Puyvelde
Reported by Kate McNeil, PaCCS Communications Officer
Earlier this month, I sat down to interview Dr. Damien Van Puyvelde, a lecturer at the University of Glasgow and co-author of the book Cybersecurity: Politics, Governance and Conflict in Cyberspace. Co-written with Dr. Aaron F Brantly (Virginia Tech, and U.S. Army Cyber Institute), this book examines the history and politics of cybersecurity from the perspective of social sciences. It was released in August 2019.
This interview has been edited and condensed for clarity.
Kate McNeil: Thank you so much for taking the time to sit down and chat about your new book. Would you mind getting started by telling our readers a little bit about yourself, and about how this book came about?
Dr. Van Puyvelde: I’m a lecturer in Intelligence and International Security at the University of Glasgow, and have a research interest in the host of security issues confronting contemporary societies. But the origins of this book can be traced back to my time working at the University of Texas – El Paso. My colleagues and I were developing a National Security Studies Institute, and part of that work involved bringing practitioners and researchers together to discuss national security threats within a university setting. In 2015, our annual colloquium focused on cybersecurity challenges across the public-private divide. We focused on the challenges of cross-sector collaboration to tackle pressing cybersecurity issues. A volume on US National Cybersecurity emerged from that colloquium, which I co-edited with Aaron Brantly, who, back then was based at the Army Cyber Institute at West Point (the United States Military Academy). Aaron and I kept our collaboration going, and decided to write this book on cybersecurity, politics, governance, and conflict.
What motivated you to write about those topics specifically? Was it a natural follow-up from your earlier work?
We wrote Cybersecurity for a series of reasons. First, we were both teaching social science courses on cybersecurity, and we were not very happy with the books that were available. We both had a sense that there was a lot of work being done in the social sciences on cybersecurity, but that many students still felt that hard – computer science and math skills – were needed if you wanted to study and understand cybersecurity and become a cybersecurity practitioner.
Clearly, based on the social science literature – which has been growing exponentially in this area for the last decade – there is much more scope for social scientists to be involved important debates surrounding cybersecurity. So, we were motivated by our experiences teaching and researching the politics and organisation of cybersecurity. This motivation was reinforced by our experiences at events with government and scholars. We felt there was a need to take stock of the field, to provide a coherent synthesis of what had been debated in social sciences and humanities on this topic. We also wanted to develop a coherent argument about what’s going on in this field, and what social sciences can bring to the study of cybersecurity. So, that’s really the genesis of this book.
Why write this book now?
I had a big discussion with a senior commissioning editor at Polity on contemporary security issues, and we agreed there was a gap for a book which made cybersecurity accessible to a non-technically minded audience. Achieving that level of accessibility become one of our goals in terms of writing the book.
Aaron and I felt there was a gap in the market for a book that was neither too sensationalist (in the book we talk about the prophets of cyber war) nor too technical. A lot of the media coverage and a big part of the academic debate at the time was using the language of war. The early debate on cybersecurity focused too much on cyber war, and Tom Rid famously argued that cyberwar will not take place. But some scholars felt the focus on war was taking up too much space in the conversation.
Our book touches upon the cyberwar debate, but we feel that there is so much more to cybersecurity than that. For example, there are ongoing debates about tensions between cybersecurity and civil liberties and about the governance of cyberspace. Those issues are equally, if not more important than “cyber war”. There is also a pre-history of cybersecurity linked to the history of computers which is significant, and which we cover in the first chapter of our book. From an intellectual point of view, we felt there was a gap in the literature and a need for these issues to be covered in a more comprehensive manner and in accessible format.
Who is your target audience? Who do you want to read this book?
The book has been written for a broad audience, to make cybersecurity accessible to readers who are not necessarily technically minded.
For us, working at universities, we tend to first think of undergraduate and master’s students. However, the great thing about this book is that it takes stock of a lot of different debates happening in academia and beyond. We focus on the social sciences, but we also make occasional references to other fields like medical research, history, and more technical literature on how the Internet works – always in an accessible way. The book can also be a great tool for more advanced scholars who are looking to make sure they have a solid foundational understanding of cybersecurity from different perspectives. Computer scientists who are not specifically used to reading about the politics of cyberspace and cybersecurity, and I would hope they could also benefit from reading our book. For them, this book provides another perspective, a more human and social perspective, on what is happening around computers and cybersecurity.
I also believe this book can add to the understanding of practitioners in the private sector, or indeed in government. There are signs, such the cyber 9/12 competition held by think tanks like the Atlantic Council and companies like BT, that these organizations are very interested in broadening access to cybersecurity. I know from my discussions with practitioners that government and private companies are interested in getting students from a greater variety of backgrounds and disciplines, into the field of cybersecurity. In that sense, the book seeks to open the door for a non-technical audience to enter that field, to give them a starting point from which they can dig further.
If there was one lesson you wanted your readers to take away from reading the book, what would it be?
In one sentence, I would say that the book puts humans at the centre of cybersecurity. The catchphrase here might be that cybersecurity is what we, humans, make of it. There is sometimes a tendency to think of cybersecurity as highly technical field – you need to know coding, it’s all about bits and bytes, zeros and ones on so many book covers. It all looks so complex. But really, what cybersecurity boils down to eventually is humans and their own complexity. Humans develop software, humans develop hardware, and humans use computers to interact with each other and the world. So, cybersecurity is inherently human.
When we look at some of the biggest cyber incidents, most of them are related to human error. These human errors have societal impact on people. So again, cybersecurity is a human-centred, social, political phenomenon.
What’s one thing you learned while writing the book that surprised you?
My key takeaway was a personal one. My research made me reflect on my personal approach to cybersecurity. It made me more aware of my daily routines, how I’m perceiving cybersecurity and how I’m in some ways practicing it.
There’s plenty of cybersecurity advice out there, and were told to protect our data in all sorts of ways. I began thinking more individually about ‘what threats am I trying to counter? What do I feel my use of computers is making me vulnerable to? Who am I most concerned about, and what am I most concerned about? Am I concerned that a criminal is trying to get my data? Am I concerned about a government agency trying to read my conversations? Am I concerned about trying to protect the products of my work and my research? Or is it all of the above?’ The point is that each specific threat requires a specific assessment, and specific measures to be taken.
We are bombarded with cybersecurity advice and recommendations. However, what it really boils down to is who we are as individuals and how we use computers in our lives. That is where we should start when we’re trying to think about how to be more secure when engaging with cyberspace. We need to start by thinking about how we use cyberspace, and what it is that we want to protect.
Was there anything you wished you could have talked about in this book that isn’t in there?
Good question. Our editing process was more about adding things to the book than taking stuff out. Which I hope means our ideas were well formed. However, one thing we might need to expand more upon, and that we did try to do, is to make cybersecurity a bit more global. There has been a tendency for the cybersecurity debates that have captivated scholars in the field of politics and international relations to be focused on big incidents – cases that have hit Western countries, or discussion of cyberwar between China and the US. Meanwhile, we don’t really know much about what cybersecurity might mean to somebody living in Senegal, India, or Colombia. There is a tendency to be Western-centric in a lot of the literature on security in the social sciences. Of course, Aaron and I are both “Global North” scholars. But one thing I would like to do in future is to expand and have more case studies that are from the “Global South”.
Many of the example case studies in the book are focused in the United States. Are there still lessons within it which would be particularly relevant to those here in the United Kingdom?
We do use a lot of US examples, but many of these problems are global. Many of the challenges are common to most Western countries, including the UK. For example, we have a discussion about the dark net and weapons markets in the section on cybercrime, and we discuss terrorists’ use of the Internet and how the Islamic State has been using cyberspace. These are not just problems for the US, they are problems of criminality in cyberspace that concern the UK too.
The same thing goes for information operations, and electoral interferences (the book discusses Russian interferences in the US and French elections). There has been a lot of discussion here in the UK about foreign influence in political campaigns. These are issues that more and more people are concerned with, and that governments are looking into. So, yes, I think a lot of the lessons learned in this book can very well be applied to the UK.
My favourite case study in this book was about a 75-year-old Georgian woman who damaged internet infrastructure while scavenging for copper. It really made me think about cyberspace in terms of physical infrastructure, which wasn’t something that I’d thought much about before.
Ah, yes, the Spade Hacker! It’s a great story. We tend to think of cyberspace as one layer, and we tend to think of cybersecurity in that logical-network layer (codes and protocols). Meanwhile, a great deal of the discussions, governance issues, and politics of cybersecurity have to do with the physicality of it. The Spade Hacker is a good example of that. That story also highlights the unintentional and unexpected character of some threats to cybersecurity, and their devastating impact. The Spade Hacker is not expecting to take down the Internet capabilities in a region of the world, yet she threatens access to cyberspace.
One of the themes which arises in this book is the space for individual freedom, and the role of government, in cyberspace. Do you see those as established roles, or as something that will continue to evolve?
The way we use the Internet is always evolving. We see that with the evolution of smart cities, the internet of things, and the expansion of cyberspace in our daily lives. As it becomes more prominent in our lives, of course government will look more and more into cyberspace.
I would say though, that government has been there from the start in cyberspace. The book makes that clear – that initial research into cyberspace was funded by governments, and that most, if not all, of the infrastructure of cyberspace is physically located in nation states. While a good chunk of that is privately owned, it is regulated by laws passed and implemented by governments.
I think government has always been there in some ways, and the idea that cyberspace was a space of total freedom was a utopia. It was a nice utopia, a very interesting utopia…. And some small pockets of cyberspace might provide a lot of freedom, which is important. But there has never been a hundred percent freedom in cyberspace, just like there will never be one hundred percent security in cyberspace. I would always see different groups of people interacting in cyberspace, and certainly governments – their sheer size, power, and extraordinary resources – are important actors. That said, they are not the only ones, and we see that big companies are increasingly challenging them in cyberspace – which is another issue that would deserve more attention from social scientists.
This article was written as part of the PaCCS in focus cyber series, which is running throughout the month of October in concurrence with European Cyber Security Month. The final post in this series will be released next Tuesday, October 29th. Other posts in this series can be found here.