Skip to main content Skip to navigation

Scaling Trust: An anthropology of cyber security

A project supported by a Future Leaders Fellowship from UK Research and Innovation
Duration: Oct 2019 - Sept 2026
PI: Matt Spencer

UKRI  logo

Scaling Trust: An Anthropology of Cyber Security

With growing dependency on digital infrastructure, vulnerability to cyber disaster becomes a defining context for social life. In 2017, the Wannacry crypto-ransomware infected computers across large parts of the UK's National Health Service, leading to thousands of cancelled medical appointments; weeks later the NotPetya malware caused chaos across many industries and continents. Later that year, the Equifax hack compromised the details of 140 million people, and in 2018, an outage at the UK bank TSB left thousands of customers defrauded. Behind each failure—to patch systems, to secure networks, to implement good governance—is a problem of scales: the smallest “weak link” can end up compromising the security of the whole system. And because complete security is unattainable in practice, living well with infrastructures has become a question of trust.

It is the premise of this project that trust is not a “user’s problem”. Behind the services and utilities that we rely on in daily life, we can find an array of professional cyber security practices aiming to win and maintain trust, to question it and manage it across scales. Understanding how they go about doing that, their successes and failures, is the purpose of this study.

The Fellowship

Through interviews, ethnographic fieldwork and participatory workshops, the project examines the social processes through which knowledge and trust are negotiated in the security profession: how practitioners imagine the trust implicit in their cyber security evaluations, the ways in which they make trust explicit, or call things into question as technologies and processes demanding further evaluation.

The focus in the first phrase of the project will be primarily on contexts of Critical National Infrastructure, looking at processes of assurance involved in the delivery of technological assets, and on new forms of evaluation brought in with regulation such as the Network and Information Systems directive.

The study will develop an anthropology of trust in cyber security, informing the wide community of scholarship on society and technology, governance and security. The project also engages closely with policymakers in order to feed in to current debates across government and industry. And by developing practitioner workshops around their predicaments of trust, the fellowship aims to contribute to expanding the methodological toolkit for cyber security engagement.


Creative Malfunction: Finding Fault with Rowhammer

Cyber security aims to make technical systems responsive to an uncertain environment of new and previously unanticipated forms of malfunction, new kinds of vulnerability and techniques for exploiting them. This paper analyses security vulnerability research, working from a close reading of the Rowhammer problem with Dynamic Random Access Memory (DRAM). The history of Rowhammer's discovery and subsequent research provides an exceptionally clear case study for exploring the historicity of vulnerability: the very nature of the problem, and how it might be fixed, remained uncertain and provisional for many years as security practitioners explore its implications. From a philosophical point of view, these pragmatic challenges generate insights into the nature of technical function and normativity, and thus what it means for things to malfunction and to be repaired.

Engines, Puppets, Promises: The Figurations of Configuration Management

One of the principle challenges for managing complex technical architectures is configuration: ensuring component parts are in their appropriate states. In this paper I examine the history and philosophy of the discipline of IT configuration management. Since the 1990s, configuration management grappled with the problem of configuration on a fundamental level, reimagining not just what state things should be in but what kind of relation pertains between a source of truth and a recipient system. The need to address infrastructures at scale led not only to the development of decentralised systems for automated configuration management, but also to creative thinking about the nature of human-machine and machine-machine relations, most notably in the notion of 'smart intentional infrastructures' elaborated in Mark Burgess's Promise Theory. The essay draws on theories of figuration in order to bring the technical philosophy of configuration into dialogue with social science of infrastructures.


Characterising Assurance: Scepticism and Trust in Cyber Security

One of the founding concerns of computer security was how to make secure computer systems knowably secure. However, for decades, schemes for producing assurance of digital technologies have undergone a continual churn, old schemes being problematised, reformed and replaced with new initiatives, due to challenges around cost, coverage and incentives. This process has continued to today, with the cyber security assurance landscape in the UK currently undergoing significant transformations. Drawing on interviews with cyber security practitioners, this paper examines how practitioners account for the problems with assurance. Using theoretical insights from discourse analysis and literary theory, I suggest that characterisation becomes a productive lens through which to analyse current transformations and future challenges for being assured about technology.

In preparation