Recently (2017/2018) CLaC members have been working with colleagues in Cyber Security. Specifically, Emma Moreton was involved in a two year EPSRC project: Evaluating Cyber Security Evidence for Policy Advice (ECSEPA), led by Madeline Carr at UCL in collaboration with a range of partners including the Sociotechnical Security Group at the NCSC and the Cyber Policy team at the FCO.

The project sought to provide support for cyber security policy makers in the UK, specifically those civil servants who provide short and long term policy advice, either in response to specific crisis incidents or in the context of longer term planning for national security and capacity building. This cohort is of particular significance to UK cyber security because:

  • they are a relatively small and disparate group, with varying levels of technical expertise;
  • their responsibility and impact goes well beyond their own organizations to shape the national and international landscape; and,
  • there is a real lack of research to support this particular community, either in identifying specific challenges they face or in developing more effective mechanisms for doing so.

The 2016 UK Cyber Security Strategy set a clear objective for government to “detect, understand, investigate and disrupt hostile action taken against us”. In response, this project set out three main objectives:

1. Evaluate what exactly constitutes the evidence presented to and accessed by policy makers, how they privilege and order that evidence and what the quality of that evidence is.

2. Identify the particular challenges of decision making in this context and evaluate how effectively policy makers make use of evidence for forming advice.

3. Develop a framework to assess the capacity of evidence-based cyber security policy making that can be used to make recommendations for improvement and that can be re-applied to other public, private and international cohorts.
Part of the research involved collecting and analysing (using corpus linguistic and computational methods) both Cyber Security Strategy documents as well as NCSC monthly Threat Reports to explore the various ways in which cyber threats are discursively constructed, looking in particular at how the language surrounding Active Cyber Defence has evolved over the past five years. We plan to publish some of these findings in 2019.