The Berkeley Center for Long-Term Cybersecurity (CLTC) announced the first round of grantees this week, and I am excited for the support for a couple of my current projects. I am currently collaborating with Jim Dempsey at the Berkeley Center for Law and Technology (BCLT) and Nicholas Weaver at the International Computer Science Institute (ICSI) to examine cybersecurity information sharing and how current practices and policies may impact emerging security needs. I am also working with John Chuang and the Biosense lab group to study the unique privacy and security implications of emotional and physiological data and how this will be shaped by existing laws and policies. Based on our study, we hope to provide recommendations for future actions in order to optimize outcomes with this emerging data class. I will also contribute to Deirdre Mulligan’s study looking at how “cybersecurity” has evolved in federal policy, funding, and organizational development. I am thrilled to work with such talented researchers, and will keep everyone posted on the progress and research products from these projects.
Funded Abstracts from CLTC:
Unpacking Cybersecurity “Information Sharing” for an Uncertain Future
Leads: Jim Dempsey, Executive Director, Berkeley Center for Law & Technology; Elaine Sedenberg, PhD candidate, School of Information
Partners: Nick Weaver, Senior Scientist, International Computer Science Institute
For years, the phrase “information sharing” has been used in cybersecurity policy discussions without much attention to what is to be shared, and also without reference to sharing mechanisms already in place. We will unpack this overused—but under-defined—term and will seek to bring granularity to the understanding of information sharing initiatives. This project includes an inventory and analysis of information currently exchanged or contemplated under new legislation, the associated efficacy, cost/risk/benefit tradeoffs, and emerging future information sharing needs. The team brings legal, policy, and technical expertise together, along with quantitative and qualitative methodologies to provide ready-to-implement recommendations for policymakers, researchers, and industry stakeholders.
Security and Privacy of Biosensing at Scale
Leads: John Chuang, Professor, School of Information; Tapan Parikh, Professor, School of Information
Next-generation ubiquitous biosensors will allow us to continuously monitor a wide range of physiological signals, from which many inferences can be drawn — our identity, our activities, our mental and emotional states, memories and thoughts, as well as predispositions to diseases and behaviors. Novel biosensing applications and business models will raise new security and privacy challenges that are not yet anticipated nor fully understood. We will probe how people interpret (or misinterpret) the meaning of biosignals in different contexts, to shed light on how and when biosignals might become sensitive. We will investigate the feasibility of user authentication using neural signals captured using novel methods, and the possibility of user re-identification from anonymized brainwave signals. We will interrogate ubiquitous biosensing technologies from an ethical, law, and policy perspective. By studying these different facets of biosensing security and privacy, we hope to uncover, understand, and address the security challenges when these technologies are deployed at scale.
Cybersecurity: Meaning and Practice
Lead: Deirdre Mulligan, Associate Professor, School of Information
Partners: Kenneth A. Bamberger, Professor of Law; David Bamman, Assistant Professor, School of Information; Geoffrey Nunberg, Adjunct Professor, School of Information; Elaine Sedenberg, PhD candidate, School of Information; Richmond Wong, PhD candidate, School of Information
There is little empirical research documenting the various meanings of cybersecurity in use in distinct communities, their relationships, and the activities they drive in practice. This project, “Cybersecurity: Meaning and Practice,” seeks to expand upon the examination of cybersecurity’s meaning using the theoretical framework of “securitization” (Nissenbaum 2005) and explore the relationship between meaning and practice. Our long-term goal is to conduct qualitative semi-structured expert interviews, quantitative text analysis, and discourse analysis to provide an (admittedly partial) answer to the foundational question of cybersecurity’s meaning, its relationship to practices in the field including policy development, funding, and organizational activities to advance cybersecurity, and the cybersecurity futures and risks it imagines. Under this scoping grant, we will define the selection criteria and boundaries for the subjects of analysis, and assess the landscape of available data in different domains that can form the foundation for empirical study.