Cyber crime erodes trust in the authorities
Professor Sasse believes that shared values and a general trust in political authorities are two of the reasons why the Nordic region has become a role model for the rest of Europe in the area of societal security.
“We need to think about how to create a resilient digital society instead of thinking of cyber security as a national security problem. The Nordic countries have understood that this is the way to go, and are showing us through their leadership that collaboration is the key. The Nordic societies have the same set of values and the citizens have a very high level of trust in their governments. This makes it easier to work together on cyber security and other security issues, as the populations trust their governments to do their best to protect them. That is not always the case in other countries, and something we can all learn from,” Dr Sasse explains.
New security threats
When asked to elaborate on the main risks in cyber space, Professor Sasse recounted an old story about a bank robber.
“Willy Sutton was asked by reporter Mitch Ohnstad why he robbed banks. According to Mr Ohnstad, he replied, “Because that’s where the money is.” In the past decade many of our transactions, especially those of value, have moved online, for instance, internet banking and retail shopping, so it’s natural that crime has followed us there,” says Dr Sasse.
“It becomes problematic if the internet is disrupted or we just don’t feel safe there anymore. The impact on our lives will be significant.”
Technological development has exploded over the past 10–15 years, posing entirely new risks to society.
“Ten to fifteen years ago we talked about hackers and others who caused trouble partly for fun or because they wanted to show off what they could do or were simply bored, but in 2016 we have to deal with sophisticated organised crime. For instance, we have “companies” that extort people by locking their computers and demanding money to unlock it through “customer service”. Ironically people who experience this often say that the “customer service” was very good. It’s very sad, but that’s how the landscape has changed,” Dr Sasse says, before offering a few internet security tips.
“The single best advice is not to reuse passwords that you use for very sensitive accounts: anything related to the government, internet banking or your main email account. The main reason is that criminals now collect information and profile individuals. And if they are able to get a hold of one of your passwords, which is fairly easy, the damage could be severe,” Sasse explains.
“A more general piece of advice if you find yourself in a situation where you suspect someone is trying to trick you, either through an e-mail or a call, stay calm and speak with other people. The criminals want to isolate and deceive you. It is always a good idea to speak with family, friends or colleagues,” she points out.
Eroding trust in the authorities
Cyber crime takes many different forms and Dr Sasse believes the most damaging actions target the general population’s trust in the authorities.
“One route is trying to disrupt the country’s national economy or infrastructure, transport or electricity. The other route, which is more subtle and that we need to consider more, is attacks that systematically try to undermine the credibility of a government and its trust. Spreading disinformation that leads to people not trusting the government, for instance, hijacking key information channels such as a popular social network like Twitter. If the message is credible it can spread quite quickly and cause damage, even more so since news agencies and news outlets pick up information from each other, often without the necessary background check. This can create panic and weaken the credibility of the alleged sender. In terms of the resources required, it is easier to execute this type of attack than others and such actions represent a major security threat,” Professor Sasse explains.
“There are fundamental problems with the way we communicate online. If you receive an email from a government official, you don’t have an easy way of checking if it is the real deal,” the professor states. “We need user-friendly infrastructure available to ordinary citizens, with technology that makes it possible to encrypt and verify where messages come from. Cyber security shouldn’t only be about stopping the bad guys from doing something; it also means building systems that are resilient, that we still can get something done, even if there is a major disruption.”
More surveillance is not the answer
In the struggle to ensure societal security the debate invariably turns to how much surveillance should be introduced and how much consideration should be given to protecting an individual’s right to privacy.
"It has not been proven that the key to a more secure society lies in mass surveillance. It’s an illusion that if you have more data then you can find everything or everyone. You don’t make the needle easier to find by making the haystack bigger."
“I think that all leading security researchers agree that there isn’t a trade-off between security and privacy. The ability to have privacy is an essential part of a free society, even if law enforcement agencies or other government segments believe more surveillance makes their work easier. I don’t think anyone really wants total surveillance and government control,” states Dr Sasse.
“From a scientific point of view it has not been proven that more surveillance yields a 100 per cent secure society, so supporters of surveillance should be very careful about making that very promise.”
Believes young people want privacy protection
Dr Sasse also thinks that young people will engage in more privacy-protective behaviour and will increasingly avoid commercial organisations that keep track of their digital lives.
“Today’s digital generation of young people growing up is used to spending a lot of time online. From an early age they interact socially through computers, phones, etc. As they grow older they will probably become very aware of how much they are under surveillance by others who know what they read, when they read, what kind of music they listen to, and – if they have a Fitbit or similar tracker – how often they exercise, how long they sleep and, potentially, their emotional state. I think we will see that young people will engage in more privacy-protective behaviour, for example by using encrypted channels,” says Professor Sasse.
A platform for European dialogue on societal security
Dr Sasse has been researching human-centred aspects of security, protection of personal privacy, identity and trust for over 15 years, and in her view NordForsk’s Nordic Societal Security Programme is examining this area from a fresh perspective. She was one of the speakers during NordForsk’s session on societal security at the European Science Open Forum (ESOF) held in Manchester in July 2016.
“I think that the programme’s focus on a resilient digital society is absolutely spot on. Building an understanding of what that means and how we can achieve it is essential for the future. As a European citizen I would hope that the Nordic programme will continue to collaborate with other countries, as seen in the latest cyber security call where the UK and the Netherlands were involved. The programme could act as a platform for extended dialogue throughout the research area in Europe,” Professor Sasse said, adding:
“I would say that the Nordic Societal Security Programme emerged as a needed counterpoint to some of the more technology-focused EU research programmes, establishing another perspective on how we should confront security issues.”
International cooperation a must
Professor Sasse emphasises the importance of international research cooperation in general and particularly within the area of cyber security.
“The NordForsk programme clearly outlines the importance of international cooperation, both in societal security in general, but perhaps especially on cyber security, as there are no borders digitally. I’ve been involved in European research projects for 25 years and it has been of enormous value to see the bigger picture and to be able to combine the best of ideas and technology that we have. In the future, international research cooperation on cyber security will be even more important as some countries have a shortage of young people pursuing the training needed to work in the field. With international cooperation universities gain better access to a large pool of talent to work on the next generation of technology and make it safe and secure,” concludes Professor Sasse.
About the Societal Security Programme
The Nordic countries have cooperated closely on societal security for several decades. In recent years, this tradition has been supplemented by a number of political initiatives across national borders. A Nordic expert group explored the prospects for Nordic cooperation in the field of societal security. Based on their recommendations, the Nordic Societal Security Programme was launched in 2013. Following the programme’s first call for proposals, two Nordic Centres of Excellence were granted a total of NOK 45 million. The overall budget is NOK 123 million. An international call for proposals in the area of society, integrity and cyber security was completed in March 2016 in cooperation with the Economic and Social Research Council (ESRC) from the United Kingdom and the Netherlands Organisation for Scientific Research (NWO). The Nordic Societal Security Programme is currently being funded by the Academy of Finland, the Icelandic Centre for Research – RANNIS, the Swedish Civil Contingencies Agency, the Norwegian Directorate for Civil Protection, the Research Council of Norway and NordForsk.
The interview was first published in NordForsk Magazine 2016.
Text: Tor Martin Nilsen
Photo: Terje Heiestad/NordForsk