Since joining RIT in August 2015, Josephine Wolff, assistant professor of public policy in the College of Liberal Arts and faculty affiliate for the Golisano College of Computing and Information Sciences has been using her talents to bolster RIT’s interdisciplinary offerings. She recently spoke about the importance of ethics and policy in cybersecurity.
What is the connection between public policy and cybersecurity?
Wolff: Policy is integral to the challenges of cybersecurity. The policies we create—whether they dictate how long your passwords are or how companies can share threat information—are hugely influential in determining how we address security risks, whom we view as responsible for addressing those risks and the consequences for parties who fail to address them adequately.
How did you mix these areas of study?
Wolff: In college, I studied the wonderful and fascinating area of cryptography—but I found that it rarely lies at the root of the large-scale security incidents we read about in the news. I wanted to work on research that could have direct and concrete applications to current security risks, so I gradually became more interested in the design of computer systems, as well as the policies that influence and constrain technical design decisions.
Why is it important to teach ethics?
Wolff: Teaching ethics gives us an opportunity to step back from controversial policy debates and try to disentangle the different worldviews and ethical frameworks that guide everyone’s opinions. In cybersecurity, understanding those ethical views is central to grasping the debates around trade-offs between privacy and national security—for instance, in the ongoing controversy around encryption.
Why are policy and law critical for cybersecurity education?
Wolff: RIT students studying to become penetration testers or system administrators may never see the inside of a courtroom, but it’s still important for them to have some basic understanding of what is illegal and how the laws can be interpreted. I also hope to give students some sense of the ways in which the systems they design influence policy-making and vice-versa.
Talk about why you choose to write about cybersecurity for Slate magazine.
Wolff: I care about communicating the computer security challenges we face as a society to a non-academic and non-technical audience. These people have a huge role to play in helping us address these challenges and they’re constantly being subjected to a seemingly never-ending flood of misinformation, hyperbole and fear mongering. It’s also a lot of fun for me and it’s a terrific complement to academic research and writing.
Where do you see the future of cybersecurity going?
Wolff: I think the future of cybersecurity will involve a lot more focus on metrics—how we measure the impact of different defenses or policies. It will also likely include a greater emphasis on the so-called “Internet of Things” and understanding how our interactions with technology shape security. Of course, I’m a little biased, but I would also expect to see a lot more emphasis on the role of policy in future cybersecurity discussions, as policy-makers and other people who are not computer scientists increasingly consider these issues to be their problem.