The Center for Long-Term Cybersecurity is pleased to welcome Laurin Weissinger as a Visiting Scholar for the Spring 2017 semester. Originally from Stuttgart, Germany, Weissinger was trained as a social scientist but has also spent 13 years working in IT as a systems administrator, and he has worked in a consultancy with a focus on technology. He is completing his DPhil (PhD) at the University of Oxford, where he is affiliated with Cyber Security Oxford and works at the Extra-Legal Governance Institute, which focuses on the study of economic and social activity governed by institutions and structures outside the state.
Through his research, Weissinger is developing novel methods for assessing cyber risk within organizations, in part by using network analysis to identify which individuals are most at risk for a cyberattack, based on factors such as their access to high-value data and their relationships to other people. “If you have a server that holds important information that you don’t want to get out, that is a target at risk,” he explains. “Everyone who has access to that server also has a higher risk, because they’re more interesting for potential attackers.”
By focusing on humans and social processes, such as how and why people cooperate, Weissinger is developing predictive analysis methods to assess how technology-related risks move from one person to another. “Over time, I can make predictions based on what they do, who they are, and what kind of connections they have,” he says. “You need a lot of people to maintain security. They have to work together, trust each other, and also be able to trust external organizations. How do you build trust between people, and what can regulation do to facilitate the development of better standards, better links between different individuals and teams?”
At the center of Weissinger’s work is an interest in the state of regulation (or lack thereof) within the IT industry, which currently has few professional standards or licensing systems in place. “One of the big questions in corporations is, how can I tell whether this guy who claims to be a great penetration tester is also loyal to me, and won’t just use this job to sell off my data,” he explains. “In the field of medicine, professionals have to pass exams and be certified, and if they commit malpractice, they will be banned. But we don’t see this when it comes to IT security. There is no state licensing system that says, this person is qualified.”
Without a clear governance structure in place, Weissinger says, people are forced to make judgments based on other factors, such as whether a person has been vouched for by a trusted colleague. “A lot of people in this area will tell you, I don’t trust degrees, I don’t trust certifications, I want to get this person in here and grill them,” he says. “But you also need people who do things you don’t know how to do, so how do you test them? It becomes more complex.”
Overlapping with this work, Weissinger is also investigating how buyers and sellers assess each other’s trustworthiness in online markets for illicit goods (such as Silk Road). He notes that, while some illicit organizations (like the mafia) function as “overseers” in illicit markets by providing a degree of authority and protection, online markets are more anonymous and so do not have clear protections in place. “How do they get a transaction going,” Weissinger asks, “if they don’t know who the other person is and don’t know where they are?”
A first-time visitor to Berkeley, Weissinger says he is excited to tap into the resources and people across the campus community to pursue his research. In addition to auditing classes and participating in CLTC programs, he also hopes to take advantage of Berkeley’s proximity to Silicon Valley to connect with security teams and other industry professionals, as well as law enforcement officials, regulators, and representatives from organizations like ICANN. “This being a massive tech hub makes some of this easier because I can meet people in person and go to events,” he says. “Doing this by Skype from the UK doesn’t work that well, particularly in security, where people like to have a look at you in person.”
Ultimately, he hopes that his work will further understanding around trust and technology—and help reduce the amount of risk that organizations take on as they expand their use of digital networks. “There is a lot we have to do when it comes to regulation and governance policy to make things more difficult for criminal elements and other adversaries,” he says. “This is something that has to change in the medium to long term, because we are relying on IT more and more. A lot needs to change on the operations security (OPSEC) level—as well as in the technology—to stop these issues.”