I am tired, so very tired. This month I took a trip to Japan, would love if the entire goal of the trip was to eat Kobe beef and real sushi, but sadly, no. The goal was go to Akita International University and teach Cyber Security for a week long Winter term course. I can think of no better method of preparing a course, an activity that usually takes months and in ordinate amount of daily stress (waking up in the morning in terror realizing you forgot to prepare for class that day) than going to the north of Japan during a blizzard and forcing myself to do it over a week long period.
Of course most of the research had already been done. The course was loosely structured on my book with Ryan Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System to be released on Oxford University Press soon. The title of the course was Cyber Security and International Politics settling on my general theme of pushing the need for international relations contexts in the examination of cyber security issues added with empirical analysis. Often the field of cyber security discards or ignores the context of international disputes in examining incidents of cyber conflict. This led some people to seem to think Sony was hacked by China. Why because China is big and capable, I guess?
I decided to basically shove the development of 15 lectures into a period of five days. Hence why I am so tired, both preparing and teaching this monstrosity of a course has been an ordeal. But it is necessary, cyber security is a clearly important topic given both the policy interest, but also the general lack of concrete analysis. Most of the field is generally focused on hyperbole and fears of a cyber Pearl Harbor rather than nuanced analysis typical in other academic fields.
Here is the course outline:
Day 1
1) The Sony Hack and International Politics
2) The Nature of Cyber Fear
3) Defining the Domain
Day 2
1) What Do We Know About Cyber Security: Foundations
2) What Do We Know About Cyber Security: Modern Hype
2) Case Study – Stuxnet: Harbinger of the Future?
Day 3
1) Cyber Deterrence and Strategy: Payoffs and Honeypots
2) Cyber Theory: Offense, Defense, and Restraint
2) Cyber Regionalism, Espionage, and Terror
Day 4
1) The Need for Empirical Analysis
2) Dynamics of Cyber Conflict
3) The Impact on Foreign Policy
Day 5
1) Normative Perspectives and Justice in Cyber Security
2) Research Gaps: Legal Perspectives, Repression, and Human Rights
3) What Do We Know About Cyber Security Now?
The general structure was to go through an important cyber conflict issues and theories, starting with the Sony Hack dissecting the facts versus the dialogue of the incident. I then moved towards examining the foundations of cyber fear and exaggerations in the media to establish the need for careful academic analysis of the domain. The first day ends with a sweeping coverage of definitions and terms that serve as a foundation for the rest of the class. Day 2 focused on the literature and the foundation authors versus the cyber revolution debate. The day wraps up with the most famous cyber incident so far, Stuxnet, examining the facts versus the hyperbole of the event. Day 3 covers international relations theory and cyber security, covering major authors like Gartzke and others, plus going through the theories we develop for the Oxford book. Day 4 is focused on empirical evidence and facts. We start with coverage of the debate in international relations between quantitative versus qualitative research, settling on the need for both but clearly including careful empirical analysis in order to examine the reality of statements and conjecture. We then cover evidence on cyber disputes so far (from our JPR article) and then evidence on the impact of cyber disputes on foreign policy interactions (from a forthcoming Armed Forces and Society article). Day 5 covers norms, institutions, and legal analysis. This day needs to be fleshed out a bit more since we are lacking quite a bit on research on cyber repression and other forms of cyber activities by states. The class wraps up with the review of the field and what we have covered.
Some things are clearly left out of the class. I would like to spend a day on cyber-crime and the economics of cyber security. It would also be useful to go over non-state cyber actors and the psychology of a hacker.
There certainly are challenges to teaching cyber security, one being a high awareness of technology versus a lack of understand of how cyber security actually works. That is why in the future I would like to find a good simulation of an actual cyber-attack to let the students experience the details of such operations. Absent of a simulation, a good movie will do. Haven’t seen Black Hat, but it’s unlikely that will serve. There quite a few documentaries on the internet that I will need to check out. Certainly Wargames would be fun, but it is a bit outdated. Skyfall could potentially work if you had the students dissect the reality of a similar cyber attack. Student interest is certainly not a problem, given the general interest in all things popular culture and computer based, but also the clear need for cyber security professionals in industry, suggesting cyber security is one of the growing fields looking to hire skilled workers.
Teaching in Japan has been wonderful. I found the students, bright, interesting, and highly engaged. Overall, I am glad I undertook this effort and built a class for the future. But as I said, I am really tired, effectively cramming an entire semesters of work into one week.