You may not realize it, but online fraud and other cyber threats can have serious ramifications for national security. To learn more, we sit down with Melissa Griffith, PhD candidate in political science at UC Berkeley and a researcher at the Center for Long-Term Cybersecurity. Unlike most of our guests, who zoom in on how fraud works in their vertical, Melissa zooms out: she studies how large corporations, governments, and governmental agencies deal with fraud on a global scale. What happens when large businesses and government agencies encounter new cyber threats? What happens when they fail? And how do fights over cybersecurity play out on the international stage?
Evan: Welcome to “Trust & Safety in Numbers” presented by Sift Science. I’m your host, Evan Ramzipoor. We’re back from our hiatus with a guest I’m really excited about. The Internet hasn’t been new in a long time, obviously, but online fraud and cybersecurity have always been new fields. Fraud and security threats evolve quickly and unexpectedly. As businesses try to make sense of everything from cryptocurrency fraud to data breaches, researchers are doing the same. That’s why I’m sitting down with Melissa Griffith. Melissa is a Ph.D. candidate in political science at UC Berkeley, my alma mater, and a researcher at the Center for Long-Term Cybersecurity. As you probably know, most of our guests look at fraud through a microscope to zoom in on the way fraud works in their specific vertical. Melissa is going to walk us through a different approach, zooming out to see how governments and governmental agencies and large businesses deal with fraud and cybersecurity. But first, let’s warm up with a quick fraud fact.
Did you know that fraudsters are increasingly relying on code words and other tricky tactics to commit content fraud on online communities and marketplaces? To learn more, check out “Content Moderation Best Practices” on the Sift Science blog. Now onto the interview.
So Melissa, tell me a little bit about yourself.
Melissa: Yes. So I’m a Ph.D. candidate in political science at the University of California out in Berkeley and I focus on both international security and cybersecurity.
Evan: And what’s your dissertation about?
Melissa: My dissertation looks at national defense in cyberspace, so I’m interested in two of the European Union’s easternmost member countries, Finland and Estonia. I particularly look at how they’ve understood the threat of cyber conflict. So how do they perceive this threat? How do they define cyber conflicts, cyber war and the types of states or actors they’re worried about in that space. And then subsequently how that perception shapes the types of defense strategies they actually pursue in practice. And so I’m looking at both the sort of what they’re doing now, but also this progression and why it evolved in the ways that it did.
Evan: For the purposes of this conversation, what do you mean when you say cybersecurity?
Melissa: So in the most basic sense, if we took the simplest definition of cybersecurity, cybersecurity means securing activity, infrastructure, services, data, etc., that are reliant on or occur in cyberspace. In other words, you protect and defend your own use of cyberspace. If we try to parse it down a little bit more in the technical space, you might look at the two different factors. You could look at specific tools that you might deploy in cybersecurity. Think antivirus software, firewalls, encryption software, just to name a few, or you might look at the types of attacks or intrusions you might face. These would be things like phishing attacks, man in the middle, malware, denial of service. Again, just to name a few, so what’s the purpose of an attack? What’s the desired outcome of an attack? And if you take this purpose or desired outcome as a core starting place, you get a different range of definitions of cyber threats and cyber risks. You get cyber warfare, cyber conflict, cyber terrorism, cyber crime, cyber espionage.
Evan: Melissa says that for political scientists, these terms are constantly evolving. I studied political science myself, so I know how people in that field love to hash out definitions, but the business of hashing out definitions isn’t just academic. It’s important. Think about trust and safety teams. It’s really hard to fight fraud if you don’t know whether it’s content fraud or payment fraud that you’re dealing with. Similarly, it’s hard for governments to develop strategies to fight cyber threats without concrete definitions.
Melissa: So that specific definition I used, kind of roundly come back to your original question, focuses on this intersection between discussions over tools and types of attacks and the more technical space, but also to add this political dynamic around conflict and warfare and so that’s the nexus in which I am operating.
Evan: How has the way we conceptualize cybersecurity evolved over time and how do you think it will continue to do so?
Melissa: From the vantage of my research on national defense, I do think there’s been a clear trajectory from narrow to broad over the past, say, 15 to 25 years when it comes to understanding cybersecurity and I want to kind of take a second maybe to walk through that. So I think if you start with cybersecurity in its narrowest sense, it’s about securing devices. This is antivirus software, this is what you worry about if you’re KONE in Finland and you want to secure a specific elevator. It’s what you worry about if you’re Nokia and you are supplying secure telecommunications, in their case, radios to the Finnish Defence Forces. This is fairly narrow. You secure a device, a computer, a phone, an elevator.
It moves slightly wider, our understanding of cybersecurity, to critical functionality of a business or an institution. You see this broader scope in discussions around cybersecurity in NATO, the North Atlantic Treaty Organization, where the conversations in its earliest stages were about securing existing infrastructure from attack so that NATO could continue to do its job. So it’s securing what you already had, your critical functionality. You see it in the EU right now with discussions around how to secure Galileo, which is the new mapping software and corresponding satellite network. It’s about securing a specific service that already exists and you see it in Finland where the early focus was on how to secure your business or a particular bank from attack.
Evan: And then the term “cybersecurity” becomes much broader once we stopped talking about how to keep a specific entity safe and start talking about how to keep a sector safe. So it’s not just about making sure banks are safe, but we’re talking about banking as a whole.
Melissa: How do you secure our healthcare system? How do you secure energy sectors rather than a specific company or a specific hospital or a specific database? The broader discussion in the broader understanding of cybersecurity is now about securing states, securing economies, securing democracies, and this conversation, if you take banking as an example, rests at a much higher level. It’s not how do we ensure access and services in a bank or a banking sector. It becomes much more about what role does finance play in the broader Finnish ecosystem.
Evan: Does cybersecurity mean something different to a business than it does to a country? And what are some challenges that a business might face in fighting fraud and cyber crime, but that a government might not face and vice versa?
Melissa: So if you think about, for example, securing devices and securing your own company, these are both decisions that businesses and institutions make all the time. In the physical space and also in cyberspace, it’s very much in the wheelhouse. However, you cannot expect a specific bank or a media platform to fully take the lead on these broad systemic security risks that plague an entire society, entire regions and potentially globally particularly because these types of systemic risks fall pretty reasonably outside of business risk model and outside their own capabilities to address it. It’s a key point to make that cybersecurity is incredibly challenging because there’s no clear distinction in terms of responsibility between all these different spaces, but also because sometimes the actor that is most proximate to the incident, a business, for example, is not as readily capable or even can be reasonably expected to be the primary responder. If we think about these more systemic issues.
Evan: Melissa says there are basically two things here that make cybersecurity and fraud so difficult to pin down. First, as most merchants and people in the e-commerce space well know, fraud and security are changing all the time. Attacks and methods that may have been familiar yesterday may be obsolete tomorrow. Second, when businesses take steps to keep their customers safe, their actions might have national security consequences and implications.
Melissa: There are externalities to all of these decisions that businesses are making. However, businesses are not in the business of making national defense decisions or setting national defense policy that’s still very much the responsibility of the state. So in addition to thinking about this sort of tiered ladder and where we think businesses might best fit in on that ladder and government might best fit in, I think it’s important to understand that when you move from device to systemic understandings of cybersecurity, the scope and the tools of businesses and governments aren’t equivalent in that space.
Evan: Do governments act alone in ensuring their cyberspace remains secure or what kinds of actors do they work with?
Melissa: Governments do not act alone, and more importantly, they cannot act alone to secure cyberspace or to ensure cyberspace is secure. Cyberspace underpins to some degree or another almost all activity in advanced industrial economies. That means countries like Finland, like the US, like Japan, like Germany, like Australia, like South Korea. This is a massive structure that underpins almost all activity we undertake as an individual and that governments and businesses undertake in any given day. So states face a threat that is highly distributed and it’s highly distributed in sort of two key factors or two key features. First is that there is a wide range of targets that a cyber intrusion or a cyber attack could be directed toward, and many of these targets are nonstate entities.
Evan: Think about it this way. If a cybercriminal targets a massive healthcare provider or an energy company or even, I don’t know, Sony Pictures just to name someone, that’s not just a threat to those businesses and their customers, that’s a threat potentially to national security.
Melissa: There’s also a question of responses and where capabilities are held for adequate response. So which actors do you need to adequately respond to an attack and who holds the resources to respond? This might be resilience in the moment of an attack, deterrents to prevent a future attack, and responses after an attack has already taken place. You hear a lot, probably you have heard a lot in these types of conversations, certain buzzwords like private-public partnership and multistakeholder approaches, and these just both point to the idea that neither the private sector nor the public sector can address cybersecurity unilaterally.
Evan: Let’s close by talking about the issue of trust. Businesses can lose their customers’ trust if they suffer a data breach and especially if they don’t take any meaningful steps to reassure their customers that their information is being protected after the data breach. But we’ve also seen actors who might appear to do everything right after a data breach and they still lose their customers’ trust. So in the event of a data breach or another attack, what can a business or a government entity do to regain trust?
Melissa: Honestly, this is incredibly hard to address, this issue of trust. It’s also very much at the same time become a buzzword and discussions on cybersecurity and policy circles and business circles and academic circles is you’re hearing this word “trust” pop up a lot that it’s not necessarily how do you secure systems, but how do you secure systems in a manner that maintains trust? How do you manage risk in a manner that maintains trust? So I think one approach is this discussion that’s about moving away from cybersecurity and moving toward managing cyber risk.
Evan: It’s more than just an issue of definitions. Melissa says these are two entirely different approaches. If you frame your approaches addressing risk, then you’re thinking about systemic issues rather than reacting to specific problems. You’re asking what kinds of behaviors are more likely to put your customers or citizens at risk. Taking a risk-based approach allows you to minimize the impact of an attack.
Melissa: And if you can minimize that impact, you’re more likely to be able to maintain trust. So I think there’s this sense that if we can move away from security and managing security toward or creating security toward managing risk, that’s a way to address this trust question in a more meaningful manner. Another approach is to regulate and create standards for businesses to follow, and this is kind of centered on the idea that security and risk can be overseen in a responsible manner. So while accidents might happen, we can require a certain level of security from all actors in any given space. So if you have greater trust or if you want greater trust, you’re able to achieve that by having a really strong baseline of security in place in your country or in the EU or the US or wherever else you might be. That’s going to increase trust in that system because people know that we had done the reasonable steps.
Melissa: There’s this other approach which you probably have seen in the news, which is the current UK strategy to a certain extent, that you might be able to argue that the UK may increase trust in cybersecurity and in infrastructure in their country because they’re now making infrastructure financially liable if they don’t have adequate cybersecurity measures in place.
Evan: And the last strategy that Melissa mentions is simple. It can be really important to tell your customers or users a good story.
Melissa: Public relations, and I’m hesitant to say “spin,” but just public relations, right? The face you put forth to your customers and the broader consumer base, the citizenry will play a role in how breaches are viewed and how subsequent trust may or may not be damaged. So I do think there’s an outward facing component of that.
Evan: Thanks for joining me on “Trust & Safety In Numbers.” Until next time, stay vigilant, fraud fighters.