A Critical Assessment of Social Cybersecurity as a Technoscientific Enterprise
As I have noted, the socio-technical architecture of cyberspace presents a significant challenge for designing effective responses to the malicious use of information and communication technologies. A fundamental problem in countering offensive cyber operations is the proactive and effective detection of them. This challenge is closely linked to the difficulty of irrefutable attribution of responsibility. These offensive cyber operations can be understood on two levels. The first, and best-known, is most associated with the field of cybersecurity: practices that target the material infrastructure of networks and devices, such as ransomware, denial-of-service attacks, system infiltration, and other technical intrusions. The second level, which may overlap with the first and is the focus of my research, encompasses operations that exploit individual cognitive vulnerabilities.
It can be argued that these latter operations are more complex to prevent, identify, attribute, and counter at a technical level than cyber operations targeting computer systems, which are more traceable through intensive forensic analysis. In this sense, cybersecurity is a field called upon to expand its epistemological boundaries and take on a significant portion of the challenges posed by influence operations in cyberspace. In his 2023 book What is Cybersecurity, Tim Stevens argues that cybersecurity has become a basic element of contemporary public policy, one that cannot be treated solely from the perspective of technologists but demands engagement from the social sciences. However, cybersecurity research has tended to concentrate on software and hardware vulnerabilities that can be exploited, thereby often overlooking actions that—for political purposes—intervene in the dynamics of information consumption and distribution in cyberspace.
The social dimension is not absent from standard cybersecurity approaches, but the human factor is viewed primarily as a vulnerability. Practices such as setting a weak (i.e., crackable) password, introducing a contaminated USB drive into the local network, or falling for a phishing attack can severely compromise system integrity. As indirect victims of attacks targeting networks and computer systems, the impact is often reduced to the loss of sensitive information and the disruption of complex social services that now critically depend on this infrastructure. Yet progressively, cybersecurity is becoming a field of interest to a multiplicity of epistemic communities, integrated as a subfield of international relations and (critical) security studies. The shift is from viewing cybersecurity as a technical matter to framing it as a political (security) task.
The prevailing approaches in the discussion on defending against cybersubversion point to two main strategies. The first is oriented toward fostering social resilience through digital literacy actions or mass content moderation. This involves what is often called cognitive resilience, which aims to prevent the target audience from internalizing disinformation and propaganda. The second strategy entails a strategic partnership between state security agencies, software developers, and infrastructure managers to proactively counter threats—a path that includes some artificial intelligence and machine learning-assisted approaches.
Social Cybersecurity
And there are concrete operational proposals. The field of social cybersecurity studies is less than fifteen years old by my count. Its main, central figure, Kathleen Carley of Carnegie Mellon University, defines it—alongside a U.S. Army officer—as:
an emerging scientific area that uses science to characterize, understand, and forecast cyber-mediated changes in human behavior, society, culture, and politics, and to build the necessary cyber-infrastructure to enable society to retain its essential character in the midst of a changing information environment facing current and emerging social cyber threats .
It is a form of applied computational social science, meaning that new technologies and findings emerging from its development have immediate application in cyberspace. According to a 2019 report by the U.S. National Academies of Sciences, Engineering, and Medicine, a social cybersecurity researcher empirically and methodologically accounts for the socio-political context of activities in cyberspace, integrates theory and research on persuasion, influence, and manipulation with studies of human behavior online, and identifies pathways for the practical application of their research findings.
Computational Social Science is "an interdisciplinary field of study at the intersection of data science and the social sciences that seeks causal and predictive inferences", according to the Handbook of Computational Social Science. For author Claudio Cioffi-Revilla, it is about "advancing scientific understanding of society and social dynamics using the computational paradigm of complex adaptive systems." Studies in social cybersecurity tend to employ methods such as network analysis, automated information extraction, and agent-based simulation to provide evidence about who is manipulating online conversations and to define alternatives to counter that manipulation. This aligns with the core research areas of Computational Social Science.
Principal Contributions and Limitations of Social Cybersecurity
The field of social cybersecurity provides research lines and findings that contribute to the goal of countering political cybersubversion. Catch here some of its most recent contributions. The spectrum of topics is broad, not limited to disinformation and influence operations on social media, but also includes analyzing these dynamics in the broader context of the Internet. Other objects of study include the development of educational and training modules in critical thinking and the assessment of political and ethical issues related to media manipulation, among others.
However, a primary limitation of the field is that concrete user-layer interventions remain scarce. Solutions appear oriented toward informing policy or strengthening (U.S.) national security from a military operational standpoint, rather than understanding the user as an active agent with a role in the co-design and co-production of solutions. This is starting to change with ongoing integration with psychological studies. Another problem is the privileging of quantitative approaches in final assessments, such that the "social" within "social cybersecurity" is often reduced to the technical processing of a social problem. This is consistent with the broader conceptions and practical realizations of computational social science, but it is possible to improve on this point without discarding all the empirical value that the quantitative approach entails.
Source for the ChatGPT conversation used to generate the cover image.
Thanks for your contribution to the STEMsocial community. Feel free to join us on discord to get to know the rest of us!
Please consider delegating to the @stemsocial account (85% of the curation rewards are returned).
Thanks for including @stemsocial as a beneficiary of this post and your support for promoting science and education on Hive.
The fundamental nature of security remains unchanged since prehistory. People have always faced hazards they must either defend against or suffer, and the spectrum of hazards necessarily includes existential threats. People may scoff at the potential harm cyber threats can cause, but this neglects that malevolent actors can use any means of compromising security to commit every harm people can suffer, and definitely includes killing them. Something else that has never changed is that outsourcing security to others creates threats against which there is no security. The broad warp and weft of history is a tale of treachery and betrayal, from the betrayal of the Byzantine Empress by the Varangian Guard in 1071, to the imposition of famine a millennium later that starved tens of millions to death in the Great Leap Forward.
Because security must be personal, and leaving our security to others is abandoning security altogether, censorship and proprietary software necessarily reduce security. If we cannot audit code we depend on we cannot be secure from cyber threats. From Mt. Gox to the use of deposits on exchanges by Sun Yuchen to seize governance of Steem, the worst cyber security hazards are treachery and betrayal, as the worst security threats have always been.
Because I cannot secure my communications myself, I secure me from my communications being used as a weapon against me. For most of us, that is the best we can do, because we cannot audit the code running on our machines, cannot understand the hardware we are using, and cannot prevent our information from being gathered and used against us by our enemies, such as Goolag and Fakebook. Banks have seized my accounts and taken my money, corrupt courts have seized real property I held free and clear, and everyone I have ever loved has betrayed me to steal from me, including my own dear mother. I was working 11 hours a day 6 days a week logging, and could not actually go to the bank when it was open (before the internet was available), so I asked her to deposit my paychecks, from which she stole (~$40k adjusted for inflation) from our joint account. While the specific betrayals I have suffered are unique to me personally, the fact that trust can be betrayed is universal, and entrusting our security to anyone is creating potentially indefensible security risks history reveals has caused innumerable deaths and untold suffering.
While this reality is difficult to address in discussion regarding government, because the worst threat to government security is treachery and betrayal by government officials (and specifically those officials responsible for cyber security), I hope it informs your personal security measures.
Thanks!