Exciting area with big challenges

Dick: – Security was of course very important already in the beginning of the digital era, but it has now been a while since we passed the level where computers are just everywhere in our society. When the impact of information technology has become so great that even preschool children are digital, no one can deny that digital security does not only affect various niche areas any longer, but rather the whole society. It has become even more important that we understand what challenges the digitalisation entails.

Miroslaw: – There has been quite a change in how software is designed, which has also changed the conditions for cyber security. Twenty years ago, we designed isolated software products where one computer program had limited tasks. Nowadays, we have opened up all kinds of apps and systems where different kinds of software are connected, which makes it significantly more difficult to assess, monitor and control IT security of individual apps and the entire computer systems.

– Compared to twenty years ago, most things now are written in open-source code and the software is based on cloud services that are built from small components based on open-source libraries and code. An example of this problem is the attack on Coop in the summer of 2021, where the attack was done on a system that was used by another system that was in turn used by Coop. The most prominent examples of systems which are used by virtually all software today are Curl and log4j software libraries – they are used in our cars, in our computers, in everything – but they are still just small libraries. This makes us very vulnerable if there is a security vulnerability in one of them, which we’ve learnt the hard way when a vulnerability was discovered in log4j.

– Since our systems are so interconnected, it becomes very difficult to control who has access to what. The systems we use in our teaching, for example: the Canvas system is connected to Teams and the Office system. All systems require authentication, and it is increasingly difficult to check that everything is accomplished correctly. Even though we know a lot more about cyber security today than we did twenty years ago, it is more difficult to have any kind of control. We want our lives to be digital to a higher and higher extent, we want to be able to do so many things online, but then much more connection is required – and thus much more to be controlled.

– And also; previously we didn't have much valuable information in our computers and there were simply not so many reasons for unauthorized people to try to launch an attack. Today it looks different, partly because the systems are much more interconnected, and it is possible to access information in new ways.

– A hacker can get into a system, stay there unnoticed for quite some time, collect a lot of data, and plant their Trojans or ransomware - and then start an attack an evening during a weekend or in the middle of the holiday season when hardly a single IT technician is on duty and can detect anything.

 – We need to improve our work on cyber security and not only in terms of technological development, but also how we organise our technology. Where do we have our backups for example?

Janne: – If we move on to the area of security linked to surveillance, there are continuously new political proposals. One proposal from the other week means that the Swedish government will be able to demand from the telecom operators to intercept all mobile calls in Sweden, not just in case of a possible crime. It is a far-reaching proposal. Partly to place the requirement for the interception of all our conversations precisely on private actors and not on the police, and partly that it would generally be a huge intrusion into personal integrity.

– Another example in terms of security and private actors is when Arlanda recently procured a Chinese company, Nuctech, for technology for the airport's security controls. Nuctech today supplies security technology to most of the airports in Europe. Considering the recent TikTok controversy, this becomes noteworthy. This could mean that Nuctech could be required to hand over sensitive information about the whereabouts of various individuals.

Dick: – From the authorities' point of view and also perhaps from the researchers' point of view, it has been seen that surveillance for increased safety in society is in one scale and then you have the integrity of the individual in the other scale. If you want strong privacy for the individual, you must forego surveillance and security. If you want high security with the help of surveillance, you must give up privacy. But researchers who focus on the citizen perspective have discovered that the citizens of society rarely understand this contraposition themselves. Citizens seem to think that we can have both strong integrity and a high degree of surveillance and do not reflect that these are in some kind of opposite relationship. Therefore, they often say yes to various surveillance systems without seeing that it actually involves an invasion of privacy.

– What controls the inclination to accept increased surveillance is the trust people have in the party that handles the surveillance. Trust is built by benevolence, competence och integrity– where the experience of benevolence is the strongest factor. If citizens feel secure that the party monitoring them is on their side so to speak, they are generally positive to increased monitoring.

Janne: – What today appears as legitimate surveillance can turn into something completely different in case of a regime change. Regulations can be changed and already collected data can be used in other ways than what was originally intended. Although people are generally quite positive about surveillance, it is difficult to get an overview of the scope and consequences. Citizens are usually very negative about private actors selling information about them, but they still freely share information about themselves on various platforms. But I still think that most people are, after all, more attentive and more restrictive with what they share today than five or ten years ago.

Dick: – The computer capacity has increased so much that it is possible to run an analysis of enormous amounts of information in a different way today. Even though we are now fertilizing with digital tracks, there are yet machines that can chew through all that. This means that all of us nowadays not only theoretically but also in reality are monitored.

Miroslaw: – Yes, not only monitored, but also influenced by the large algorithms that are running. In small steps, the algorithms shift our opinions not only politically but also in terms of consumption. I read in an article that Google actually decides where we go on vacation. On the internet, we get hints in different ways about which destinations we should be interested in.

Janne: – Yes, and Amazon and Netflix and similar recommendation systems, they clearly affect us in a way that we do not really understand or notice.

Miroslaw: – In the past you were also influenced, but then by your friends and colleagues. You discussed something together and you then formed your opinion. In the infancy of social media, it was still like that, but in a wider social network. Now we can't really trust that what's being shared is something that my friends have shared, it might as well be an algorithm behind it that wants to influence me in some direction.

Janne: – This relates to the concept of performativity, which means that what we express in our language also does something to us and our world. Algorithms greatly influence how we perceive reality – everything from political opinions to behavioural patterns. Based on about 60 like clicks, it is possible to figure out everything from religious and political preferences to a variety of other fairly detailed things and thus be able to target different messages.

– And then we have the phenomenon which often is called the assemblage idea, which means that even very simple technologies such as cameras and sensors become powerful when they are connected. If you combine the large amounts of data collected with very simple technology, it can become incredibly powerful.