To Advance Digital Security, Advocates Should Look to the Climate Movement

Ann Cleaveland is the Executive Director of UC Berkeley's Center for Long-Term Cybersecurity.

The costs of events such as the SolarWinds hack, the Colonial Pipeline ransomware attack, and countless other hacks and breaches continue to mount, yet cybersecurity largely remains the domain of technical experts. To make progress on the critical digital security problems of the next decade, cybersecurity will need to garner broader appeal. But where is the social movement that will reshape cybersecurity?

We have a ready playbook for movement building from another complex problem: climate change. Despite frustrations and setbacks, over decades climate advocates have refined a strategy of public engagement and mobilization, demonstrably shaping climate policies and behaviors. The passage of the most significant federal investment in clean energy and climate change mitigation measures to date in the U.S. Senate just last week is a testament to the movement’s long term commitment.

Digital security advocates can draw on three plays from the climate movement to do the same:

Play #1: Build New Constituencies

Social movements are about constituency building. Consumer advocates are a natural constituency to incubate privacy and security norms, and current mobilization efforts mainly come from this quarter. Yet consumer advocates are often unrepresentative of the population; what other natural constituencies might expand the community of who participates in cybersecurity?

Some of the biggest wins for climate have come from coalitions that may not have seemed obvious at the outset. The same will likely be true for cybersecurity. Consider the following constituencies with stakes in digital safety:

Young people live in the digital environment as much as the natural environment. In one of the most interesting convergences of climate and cybersecurity issues, Extinction Rebellion youth members have staged protests against YouTube video content that promotes climate change denial. When we understand digital security inclusively to encompass online disinformation and business models that exacerbate it, we don’t have to imagine a youth constituency that sees digital and environmental security as two sides of the same coin – it is already here.

The investment community is another important, albeit specialized, constituency group. Companies are recognizing that responsibility for a healthy planet and a healthy internet are core to business objectives, to a degree we haven’t seen before. The World Economic Forum has begun convening investors around the notion of cybersecurity as an increasingly prominent factor in long-term company success, and around investors’ responsibility to help incentivize security-by-design. But deeper work is needed to mobilize the investment community around systemic cybersecurity risk, in the same way that institutional investors now play a vocal role in climate debates.

Play #2: Export “Red Teaming” to Campaigning

Cybersecurity professionals are familiar with red team / blue team exercises, where one group of security professionals (the red team) attacks a network to help another group (the blue team) understand the weaknesses in its defenses. Red-teaming is also a useful practice for the development of advocacy campaigns. No obvious incumbent forms the core of an opposition to better cybersecurity the way that the fossil fuel industry has formed the core opposition in climate debates. But powerful interests will disagree on how to achieve better cybersecurity and where to make tradeoffs – we are seeing this already on issues ranging from end-to-end encryption to competition policy. Anyone with a stake in better cybersecurity policies needs to understand where the major players are likely to line up – and where factionalization among privacy and security advocates is likely to stall progress.

Play #3: Invest in Effective Communication

A body of theoretically informed, empirically tested knowledge on communicating about climate change, its effects, and response options has been built over the past several decades. In cybersecurity, the body of knowledge on effective communication between cybersecurity researchers, advocates, and the public needs to grow.

Cybersecurity communications is still hamstrung with the cliched imagery of the “hacker in a hoodie,” exactly the kind of distressing, solution-less imagery that climate communicators have learned is not effective in creating change. There is work underway to improve this state of the world, including pioneering research on video risk communication around topics such as password hygiene, and our own research on representations of cybersecurity. But the field will need many more such efforts if it is to engage hearts and minds.

Different audiences trust different messengers. Messengers from various faith communities have demonstrated this principle in the climate change arena. For instance, Pope Francis’s 2015 encyclical on global warming impacted how Catholic Americans view the issue of climate change. In a positive step for the cybersecurity realm, CISA has launched the #MoreThanAPassword campaign to demystify multi-factor authentication – but too little is understood about the effectiveness of the messengers.

How does a narrative like “saving the planet” become pervasive, and what is the equivalent for cybersecurity? What do we know about who the messengers should or could be in cybersecurity? How would these manifest differently across cultures and countries? A combination of talking to organizers in adjacent issue areas, polling, and research would yield insights into where and how public engagement in cybersecurity is likely to have the greatest impact on the ways in which society resolves the serious questions of privacy, security, and digital trust.

- - -

If we are to succeed in making the digital world more secure, there is everything to gain from accelerating a social movement to confront these problems, and to identify how they intersect with other key issues. Fortunately for the cybersecurity community, a field-tested blueprint already exists.