Rooted in computer science, cybersecurity has grown in complexity, expanding its influence beyond the digital realm and into the social sciences and legal affairs. The link between the technical components of cybersecurity and policy and law is therefore vital to ensure, as it serves as the backbone for effective cybersecurity governance.

Susan Landau and Laurin Weissinger at the Fletcher School at Tufts University established a workshop, “Putting the Tech into Cybersecurity Policy: A Workshop for Social Science and Legal Scholars,” to invite students and junior faculty in social, policy, and legal aspects of IT to hone into fundamental technical underpinnings of cybersecurity. As an attendee, I gathered some key insights for a scholar to approach cybersecurity risk management:

1. Understand Hacker Tactics: Attackers will target the weakest point in a system and avoid directly attacking the theoretical robustness of a cryptographic algorithm. When implemented property, cryptographic algorithms are generally resistant to attacks and hackers refrain from challenging the fundamental math. Therefore, Dr. Edlyn V. Levine at Harvard University held that basic attack strategies like applying brute-force attacks, exploiting implementation flaws, and intercepting unencrypted data continue to prevail. An attacker may also circumvent cryptography and exploit the human vulnerability, as commonly seen with social engineering or phishing tactics. As a result, secure implementation practices to deploy strong cryptographic algorithms are essential to protect sensitive data and communications.
2. Apply Effective Threat Management: Organizations need to perform effective threat management and STRIDE and DREAD can help identify and assess those threats. Mentioned by Dr. Weissinger, STRIDE can determine threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, and DREAD can help rank threats: Damage, Reproducibility, Exploitability, Affected Users/Assets, Discoverability. Determining potential threats and their rankings are crucial for potential mitigation; however, the results of this exercise are time-bound.
3. Guard Against Supply Chain Attacks: Supply chain attacks are primarily the result of vulnerability exploitation and deliberate insertion of defects or malware, according to Dr. Levine. Systems are susceptible to exploitation if there are inadequate security practices, subpar implementations, or overlooked vulnerabilities in the weakest link in the chain. The insertion of malicious hardware can be especially damaging because it may not be detected until activated. To ensure the trustworthiness and resilience of products delivered to consumers, robust security measures, risk assessments, and best practices are crucial.
4. Foster Collaborative Security: Collaboration between industry stakeholders, government agencies, and international partners is vital to address global supply chain security. Horizontal integration and globalization have provided malicious actors with an easier route to exploit the IC (Integrated Circuit) supply chain, per Dr. Levine. The lack of transparency has caused fabless companies – those who design microchips but contract out manufacturing -- and their customers a lack of control over their supply chain, which creates vulnerabilities and the risk of security breaches. The complexity of the technology further hinders detection, increasing the chance that vulnerabilities go unnoticed. Additionally, fragmentation and the presence of a secondary market amplify the risk of counterfeit electronics infiltrating the supply chain.

A comprehensive approach is needed to construct policy that combines technical expertise with insights form social science and legal perspectives. Embracing a culture of proactive risk management can effectively anticipate and address cybersecurity challenges.

‍