
Impact case study database

The impact case study database allows you to browse and search for impact case studies submitted to the REF 2021. Use the search and filters below to find the impact case studies you are looking for.

Showing impact case studies 1 to 3 of 3
Submitting institution
Royal Holloway and Bedford New College
Unit of assessment
11 - Computer Science and Informatics
Summary impact type
Technological
Is this case study continued from a case study submitted in 2014?
No

1. Summary of the impact

The Transport Layer Security (TLS) protocol is used by billions of people on a daily basis for secure web browsing, and many other activities such as e-commerce, social networking and Internet banking. In 2013, Paterson led a team that found significant cryptographic weaknesses in the RC4 encryption algorithm when used in the TLS protocol. At that time, RC4 was used in approximately 50% of all TLS-secured web browsing sessions. As a direct consequence of the research, major vendors including Apple, Google, Microsoft and Mozilla removed RC4 as an encryption option in their browsers, and the RC4 usage figure is now well below 1%. By identifying and fixing a problem in a protocol that is core to Internet security, the research has benefitted the world’s digital infrastructure and its billions of daily users.

2. Underpinning research

By default, Internet traffic is vulnerable to eavesdropping and modification. Transport Layer Security (TLS) is a protocol that has become the de facto method for securing application-layer messages sent on the Internet. TLS is implemented in all major web browsers and servers and is used daily by billions of people for applications such as e-commerce, social networking and Internet banking.

In a sequence of papers published in top conference venues beginning in 2013 [R1 to R5], a team led by Prof. Paterson identified flaws in the way TLS encrypts data when it uses a particular encryption algorithm, RC4. This resulted in cryptographic attacks that compromised the confidentiality goal of TLS. The flaws result from the RC4 algorithm having many tiny biases in its outputs. These biases make it possible to infer plaintext data that should be protected by TLS in certain situations, such as when TLS is used to protect browser-to-website communications. The team systematically explored RC4 biases, found ways to exploit them in attacks in the TLS context, did simulation work to estimate attack complexities, and then implemented the attacks to validate the findings [R1]. As part of the follow-up work, the team analysed the attack scenarios more carefully and uncovered even more powerful attacks [R4]. This work established that RC4 in TLS had no long-term future. In turn this forced the industry to act in changing how browsers use TLS.

At the time the 2013 analysis [R1] was announced, roughly 50% of all TLS traffic was using RC4. This figure had become inflated because of prior work attacking the other widely deployed encryption mode in TLS, the subject of a REF 2014 case study from RHUL. Paterson’s team, and other researchers (notably Vanhoef and Piessens at USENIX 2015), then built on the 2013 paper to drive the attacks towards practicality. The end result was that the continued use of RC4 in TLS became indefensible. By the middle of 2018, less than 1% of all TLS traffic was using RC4 [R5].

In addition, Paterson’s 2014 papers at FSE [R2] and ASIACRYPT [R3] showed that similar attacks could be applied to an important wireless encryption protocol, WPA/TKIP. In their follow-up work in 2015, Vanhoef and Piessens showed that the 2014 WPA/TKIP attack could be made fully practical, meaning that this protocol is no longer safe to use.

The initial team consisted of AlFardan (PhD student, now Principal Security Architect at Cisco), Bernstein (Research Professor at University of Illinois, Chicago), Paterson (EPSRC Leadership Fellow, now Professor of Computer Science at ETH Zurich), Poettering (PDRA, now at IBM Research, Switzerland) and Schuldt (PDRA, now permanent staff member at AIST Japan). One of the follow-up works involved van der Merwe (EPSRC CDT PhD student, now Head of Cryptographic Engineering with Mozilla) and Garman (visiting scientist from Johns Hopkins University, USA, now Assistant Professor at Purdue University). One of the papers was an invited paper at ASIACRYPT 2014 [R3], corresponding to Paterson’s prestigious invited talk at the same conference. Another of the papers [R5] won a Distinguished Paper Award at ACM Internet Measurement Conference in 2018.

3. References to the research

[R1] N.J. AlFardan, D.J. Bernstein, K.G. Paterson, B. Poettering and J.C.N. Schuldt. On the Security of RC4 in TLS. In USENIX Security Symposium 2013. Online at: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan.

Top security conference (acceptance rate in 2013: 15.9%)

[R2] K.G. Paterson, B. Poettering and J.C.N. Schuldt. Plaintext recovery attacks against WPA/TKIP. In C. Cid and C. Rechberger (eds.), Fast Software Encryption 2014, Lecture Notes in Computer Science, Vol. 8540, pp. 325-349, Springer 2014. Online at: https://link.springer.com/chapter/10.1007/978-3-662-46706-0_17

Full version online at: http://eprint.iacr.org/2013/748

Top venue for research in symmetric cryptography (acceptance rate in 2014: 31.3%).

[R3] K.G. Paterson, B. Poettering and J.C.N. Schuldt. Big Bias Hunting in Amazonia: Large-scale Computation and Exploitation of RC4 Biases (Invited Paper). In T. Iwata and P. Sarkar (eds.), ASIACRYPT 2014, Lecture Notes in Computer Science Vol. 8873, pp. 398-419, Springer, 2014. Online at: https://doi.org/10.1007/978-3-662-45611-8_21

Invited paper and talk at one of the top three annual cryptography conferences (acceptance rate in 2014: 21.6%).

[R4] C. Garman, K.G. Paterson and T.J. van der Merwe. Attacks only get better: Password recovery attacks against RC4 in TLS. In USENIX Security Symposium 2015. Online at: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/garman

Top security conference (acceptance rate in 2015: 15.7%).

[R5] P. Kotzias, A. Razaghpanah, J. Amann, K.G. Paterson, N. Vallina-Rodriguez and J. Caballero. Coming of Age: A Longitudinal Study of TLS Deployment. Proceedings of the Internet Measurement Conference 2018, IMC 2018, Boston, MA, USA, October 31 - November 02, 2018. ACM 2018, pp 415-428. Online at: https://conferences.sigcomm.org/imc/2018/papers/imc18-final193.pdf

Winner of one of three distinguished paper awards at the leading venue for research on large-scale measurement of the Internet (acceptance rate in 2018: 24.7%).

Funding:

  • Paterson (PI), EPSRC Leadership Fellowship (EP/H005455/1) “Bridging Theory and Practice in Cryptography”, 2010-2015, GBP1,239,094 (funded research of Paterson, Poettering, Schuldt).

  • Paterson (co-I), CDT in Cyber Security (EP/K035584/1), 2013-2019, GBP3,807,975 (funded research of van der Merwe).

  • Paterson (joint PI), GBP52,000 and INR1,500,000 (both approximate figures) from EPSRC and DST, India for twinned workshops at ISI Kolkata and ICMS Edinburgh on “Security of Symmetric Ciphers in Network Protocols”, under the EPSRC-DST Indo-UK Initiative in Applied Mathematics, 2014-2015.

4. Details of the impact

Accelerating the deprecation of RC4 and improvement of Transport Layer Security

In February 2015, the IETF, the organization that maintains the TLS standard, published a document entitled “Prohibiting RC4 Cipher Suites” formally deprecating the use of RC4 in TLS, see [E8]. This document cites Paterson’s 2013 research paper, stating “Recent cryptanalysis results […] exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. These recent results are on the verge of becoming practically exploitable […] As a result, RC4 can no longer be seen as providing a sufficient level of security for TLS sessions.”

Major vendors, including Apple, Google, Microsoft and Mozilla changed the way their desktop and mobile browsers perform encryption in TLS as a direct consequence of the research. This is clearly evidenced in the accompanying letters of support from Apple [E1], Google [E2] and Mozilla [E3], and from the formal Microsoft announcement in September 2015 that RC4 would no longer be supported in its browsers [E6]; similar public announcements were made by Google [E5] and Mozilla [E7], also in September 2015. These four vendors account for the vast majority of the web-browsing market. Google, Microsoft and Mozilla performed a coordinated switch off of RC4 in their browsers in early 2016, while Apple disabled RC4 in version 10 of Safari desktop (and in iOS 10 in mobile clients) in September 2016.

The world’s leading content distribution networks and website hosting services also changed their default configurations to stop using RC4. A good example is provided by Cloudflare, whose letter of support [E4] states that Paterson’s research “represented a real threat to the security of TLS” and also states that “[a]s a result of the work, Cloudflare changed the TLS configuration for millions of web domains”.

The amount of TLS traffic encrypted using RC4 has dropped sharply – from approximately 50% of all traffic in 2013 to reach less than 1% by the middle of 2018. This drop is documented in Paterson’s award-winning paper published at ACM IMC 2018, and there is a clear correlation between a drop in the amount of RC4 traffic with the switching off of support for RC4 in major browsers (see figure below, taken directly from the ACM IMC paper) (R5).

Embedded image

As well as leading to the abandonment of RC4 in TLS in web browsers, Paterson’s RC4 research promoted the widespread adoption of TLS 1.2 in web browsers and web servers. TLS 1.2 was standardized in 2008 but, in early 2013, before Paterson’s RC4 research was announced, none of the four main web browsers supported this later version of TLS offering stronger encryption options. By mid-2018, all four browsers did, and the amount of traffic using stronger encryption algorithms (namely AES-GCM) is now approximately 90% (the majority of the remainder still uses CBC mode, and, as noted above, almost none uses RC4). To quote from Mozilla’s letter of support [E3], “As a direct result of this work, the TLS community rapidly moved to deprecate RC4, resulting in RFC 7465, which banned them entirely” and “Dr. Paterson’s work was also a major impetus behind the move to AES-GCM.” This impact is also evidenced by Apple’s letter of support [E1]: “TLS 1.2 adoption rates went from a negligible percentage in 2013 to around 90% by 2016”.

In April 2014, the IETF TLS Working Group began to work on a new version of TLS, and this work was completed in late 2018 with the issuance of TLS 1.3 as RFC 8446 (https://tools.ietf.org/html/rfc8446). This new version does not allow RC4 at all; the TLS Working Group’s charter (https://datatracker.ietf.org/wg/tls/charter) explicitly says that one of the priorities for TLS 1.3 was to “Update record payload protection cryptographic mechanisms and algorithms to address known weaknesses in the CBC block cipher modes and to replace RC4.” Thus, Paterson’s research is having a long-lasting impact on the development of the TLS protocol as a whole. To quote from Mozilla’s letter [E3], “It is very rare to see this direct and immediate an impact by research on a standard as widely deployed as TLS”.

Beyond the impact of the research on the web, it has impacted other sectors including improving the security of card payment data protection. The initial RHUL attack on RC4 in 2013 was assigned a Common Vulnerabilities and Exposures record (CVE-2013-2566). In 2014 the CVE score eventually became high enough that the US Department of Commerce National Institute of Standards and Technology (NIST) published “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations” [E9] in which the use of RC4 was not approved. Following the NIST guidelines in February 2015 the Payment Card Industry Security Standards Council banned the use of RC4 when assessing compliance with the PCI-DSS standard for payment data protection [E10].

Global benefits of improved security

Since just about everything that we do on the Internet, including e-commerce, website logins and e-mail relies for its security on TLS, a vulnerability in TLS has a blanket impact, affecting individuals, service providers, merchants, governments, utilities and the military. More succinctly, identifying and fixing a security problem in a protocol that is core to Internet security benefits the approximately 4,800,000,000 Internet users (http://www.internetlivestats.com/internet-users/), which includes the 2,200,000,000 email users and the approximately 600,000,000 website owners, as well as the companies that provide service hosting solutions and the service providers that run them. The global annual value of e-commerce alone has been estimated at several trillions of US dollars. To suggest a percentage of this that could be affected by the research would be speculation, and of course by detecting and preventing a problem we lose the chance to measure its effects. However, it is clear that the total value of e-commerce makes it an enormous target that justifies attacker efforts to implement very sophisticated attack strategies, and so the research to identify and fix serious vulnerabilities in TLS, the main protocol used to secure e-commerce, and thereby to contain losses, is absolutely vital. The longer-term beneficiary is the emerging electronic society at large, which will benefit from having more secure, and therefore more confidence-inspiring systems. We conclude by quoting from Cloudflare’s letter of support [E4]: “This research was highly significant: TLS is one of the world's most important secure protocols, and the foundation for most secure communications on the Internet, so understanding and improving its security is of critical importance to Cloudflare’s mission and the Internet at large.”

5. Sources to corroborate the impact

[E1] Letter of support from Christopher A. Wood, IETF TLS Working Group co-chair and, formerly, engineer at Apple.

[E2] Letter of support from Adam Langley, Principal Software Engineer, Google.

[E3] Letter of support from Eric Rescorla, editor of TLS 1.3 specification and Chief Technology Officer for Firefox, Mozilla.

[E4] Letter of support from Nick Sullivan, Head of Research at Cloudflare.

[E5] Google announcement concerning intent to deprecate RC4, 01/09/2015:

[E6] Microsoft announcement concerning end of support for RC4, 01/09/2015:

[E7] Mozilla announcement of plan to end support for RC4, 01/09/2015:

[E8] A. Popov, “Prohibiting RC4 cipher suites”, RFC 7465 (February 2015):

[E9] NIST Special Publication 800-52 Revision 1, ‘Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations’ (April 2014) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

[E10] PCI SSC Bulletin on impending revisions to PCI DSS, PA-DSS (13/02/2015):

https://www.pcisecuritystandards.org/pdfs/15_02_12_PCI_SSC_Bulletin_on_DSS_revisions_SSL_update.pdf

Submitting institution
Royal Holloway and Bedford New College
Unit of assessment
11 - Computer Science and Informatics
Summary impact type
Technological
Is this case study continued from a case study submitted in 2014?
No

1. Summary of the impact

Research at Royal Holloway supported the development of WebSphere Liberty and HyperLedger, two of IBM’s flagship enterprise products, vital to the IBM Cloud Computing and Blockchain Platform. These developments consolidated IBM as the market leader in blockchain, securing 32% of a global market worth approximately USD700,000,000 (01-2018) in 2018. IBM’s blockchain platform has been used to track conflict minerals, providing an immutable record of the resources throughout the supply chain, and to reduce ocean plastic waste through monetizing recycling in economically disadvantaged parts of the world.

2. Underpinning research

This case study highlights the impact of the RHUL team’s research into the theory and practice of large-scale distributed computing systems conducted over the past seven years. Such systems occupy a major part of today’s computing technology landscape ranging from Internet-of-Things devices to data-intensive platforms operated by big Internet companies (such as IBM, Google, and Amazon). Specifically, the research of the case study team provides algorithmic foundations for new distributed system technology that IBM has been and is currently building in two key areas of its business: Cloud Computing and Blockchain.

In cloud computing, the main contribution has been made to WebSphere Liberty, a distributed application server for the IBM cloud. The key challenge was to implement a repository for storing critical configuration data (such as information about server capacity and the registry of deployed applications) that guarantees continuous data availability despite high update rates, machine failure and intermittent network connectivity.

The RHUL team's solution arose from its research into the foundations of data replication in transactional data stores. This research produced a new theoretical framework, called a Transaction Certification Service, TCS (R1). TCS extends and adapts the decades old Atomic Commitment Problem by Gray to modern transactional data stores (such as Google Spanner), facilitating their formal analysis and uncovering their core algorithmic insights. The RHUL team's research in scalable data replication protocols, consensus, and distributed transactions (R1, R2), as exemplified by the TCS framework, resulted in a new reconfigurable replication protocol (patents in references R5 and R6) that was incorporated into WebSphere Liberty in 2014. The protocol guarantees that in most situations, the configuration repository can continue serving update transactions even when its underlying physical composition is changing.

In the Blockchain area, the team's research has resulted in several contributions critical to IBM's open-source Hyperledger Fabric project (HLF). HLF implements a general purpose permissioned blockchain infrastructure for secure management of critical assets (such as cryptocurrency, customer and product registries, etc.) within a network of businesses. Typically, each business will maintain its own instances of a ledger and an asset database to protect privacy and security of its sensitive business data. HLF consists of an ordering service that maintains a replicated ledger of transactions, and a collection of peers that store replicas of the asset database. The primary challenge was to develop a data diffusion protocol to guarantee that data reaches all peers quickly even if some of the peers behave unreliably. An additional challenge was to devise a cross-organisation transaction protocol that could withstand malicious attacks without leaking sensitive information.

The RHUL team's solution to the first challenge leveraged their previous research into large-scale data diffusion in adversarial settings (R4), which proposed a number of randomized protocols with well-defined message reliability and performance properties. These laid the foundation for a scalable and robust data propagation technology that was adopted by IBM in 2017 in the context of the HLF project.

For the second challenge, the RHUL team developed a new cross-chain transaction scheme to guarantee the required levels of fault tolerance and security, based on their recent research into cross-shard transaction commit protocols as part of the TCS framework (R1). Finally, in ongoing work the team is incorporating techniques from their research on secure hardware for cloud computing (e.g. Intel SGX) into transaction processing protocols of Hyperledger. This will enhance the HLF protocols’ failure-tolerance while reducing the costs of data replication and software complexity.

3. References to the research

The research has been published in peer reviewed proceedings of the most important international conferences in the fields of the theory of distributed computing, theoretical computer science and security research in distributed systems and networks. Patents are held with co-inventors at IBM and Technion - Israel Institute of Technology. (Royal Holloway researchers are shown in bold)

  1. Gregory Chockler and Alexey Gotsman. Multi-Shot Distributed Transaction Commit. Received Best Paper Award in the Proceedings of 32nd International Symposium on Distributed Computing (2018) DOI: https://arxiv.org/abs/1808.00688.

  2. Alexey Gotsman, Anatole Lefort, and Gregory Chockler. White-Box Atomic Multicast. In Proceedings of the 49th IEEE/IFIP International Conference on Dependable Systems and Networks (2019) https://arxiv.org/abs/1904.07171.

  3. Artem Barger, Gregory Chockler et al. Scalable Communication Middleware for Permissioned Distributed Ledgers. In Proceedings of the 10th ACM Systems and Storage Conference (2017) https://doi.org/10.1145/3078468.3078492.

  4. John Augustine, Gopal Pandurangan, Peter Robinson, Scott Roche, Eli Upfal. Enabling Efficient and Robust Distributed Computation in Highly Dynamic Networks. In Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science (2015) DOI: 10.1109/FOCS.2015.29.

  5. Efficient Fail-Over in Replicated Systems, Vita Bortnikov, Shlomit Shachor, Ilya Shnayderman, and Gregory Chockler, US Patent 9,329,950, (2016). Available from HEI on Request.

  6. Continuous Operation During Reconfiguration Periods, Vita Bortnikov, Gregory Chockler, Dmitri Perelman, Shlomit Shachor, Ilya Shnayderman, and Alexey Roytman, US Patent 8,943,178, (2015), (filed in 2012 and issued in 2015). Available from HEI on Request.

Grants:

IBM Shared University Research Award for GBP22,482.86 (2017). PI: Gregory Chockler. The award "recognizes the quality of Prof Chockler program - Scalable and Resilient Data Replication for Distributed Ledgers and Blockchains - and its importance to IBM industry."

4. Details of the impact

Context

Prior to the research of the case-study team (2014 to 2020), IBM was struggling with the problem of how to scale and secure their distributed computing products for the cloud computing and Blockchain industries. Solutions founded on Royal Holloway’s research helped to consolidate IBM as a market leader in these industries. This case study describes the economic benefits to IBM and its customers, as well as how the research led to environmental and societal benefits through IBM’s Blockchain platform.

Scaling IBM Cloud Computing to serve large enterprise customers

In the cloud computing sphere, the main beneficiaries were IBM and large enterprise customers using WebSphere Liberty (WL), IBM's market-leading application server platform.

In 2014, the scalability of large enterprise customer deployments of WL was increasingly bottlenecked by the inability of WL's replicated configuration store, Liberty Collectives, to handle the corresponding load increase from configuration and critical metadata updates. These enterprise customers were particularly important to IBM, since access to the Liberty Collectives feature is only available as part of the lucrative WL 'Network Deployment' premium enterprise license.

As a result of Royal Holloway’s research, IBM was able to meet these customers' scalability requirements. According to Vita Bortnikov, Distinguished Engineer, Chief Architect for Cloud and Blockchain Platforms at IBM Research, Haifa, the research “... has been contributing to a sustained growth in the product's customer base as well as contributing to new revenue streams.” (Source S1). The financial and economic impact of the research on IBM was recognised by an outstanding recognition award from IBM research, which according to Vita Bortnikov “... reflects not only novelty and technical innovations of the work, but also impact it made on IBM revenue of the WebSphere Liberty product it was contributed to.” (S1)

As an indication of the total economic impact (TEI) and return on investment (ROI) of WL for IBM's customers, IBM commissioned an independent study in 2018 by Forrester (S2). The study surveys 30 US-based IT decision makers in large multinational companies (approximately 14,000 employees and USD4,000,000,000 revenue for a typical company). The overall benefit of WebSphere Liberty to these organisations is estimated at approximately USD150,000,000 (09-2018) over 3 years (USD5,000,000 per org).

Meeting commercial demands of IBM’s Blockchain Platform for security and scalability

Direct beneficiaries of the team’s work in the Blockchain space are IBM and IBM customers and industry consortia using HyperLedger Fabric (HLF). HLF provides the foundation for IBM’s market leading Blockchain platform, in combination with associated cloud computing technology such as IBM Cloud Pak for Applications, of which WL is a key component.

Prior to 2017, the market for so-called 'permissioned' enterprise blockchains was in its infancy, but its potential to transform whole industries through increased collaboration between industry competitors was clear. In conversations with market leaders from several industries (e.g. food and shipping/logistics), IBM identified several key technical shortcomings of existing permissioned Blockchains, which according to IBM’s Vita Bortnikov included “…large volume of transactions and transaction provenance.” (S1).

To address these issues, in 2017 IBM incorporated Royal Holloway’s research into a new gossip-based dissemination framework for HLF. According to IBM's Vita Bortnikov "Since 2017 there is a huge number of commercial deployments and consortiums based on HLF. The work of this research was instrumental to the important requirements of those customers" (S1). Prominent examples of these consortia include FoodTrust and TradeLens, which according to IBM's Vita Bortnikov "... are probably the biggest Blockchain consortiums today." (S1). Founding members of FoodTrust include household names such as Walmart and Nestle (S3), while TradeLens (S4) involves 175 unique organizations as of 2019, including 5 of the world’s 6 largest ocean carriers (e.g. Maersk) (S5). In addition to benefiting its customers, the economic and financial impacts on IBM were recognised through IBM outstanding awards at both research and corporate level (S1).

To illustrate the total economic impact on IBM’s customers of IBM DLT (Blockchain), in 2018 IBM commissioned an independent survey by Forrester (S6). Forrester interviewed six organisations with experience using IBM’s Blockchain, including three Canadian companies in the utilities, financial services and IT industries, a global transport and logistics company, and a joint venture of nine global banks. The survey estimated a net benefit from IBM’s Blockchain for a typical organisation over 5 years of between USD2,700,000 (low) - USD36,000,000 (high). For IBM, the revenue from HLF was estimated at approximately USD220,000 (07-2018) per customer per year in licensing and ongoing development fees after an initial pilot phase. Furthermore, in 2018 IBM’s share of the overall blockchain market of approximately USD700,000,000 (01-2018) was estimated at 32% (S10).

Improving the Environment and benefitting Human Rights

Finally, through the IBM Blockchain platform the team’s research has contributed to substantial environmental and societal impacts. For example, a company called PlasticBank are using IBM Blockchain to reduce ocean plastic waste through monetizing recycling in economically disadvantaged parts of the world (S7). As of 2020, PlasticBank have recovered over 14,000 tonnes of ocean-bound plastic, with collectors active in countries such as Haiti, the Philippines and Indonesia (S8).

As another example, iPoint, a market leader in the field of conflict minerals reporting software, used IBM Blockchain in 2018 to 2019 to launch SustainBlock, a platform to track conflict minerals from areas such as the Democratic Republic of Congo and Rwanda, providing an immutable record of the resources throughout the supply chain (S9). SustainBlock gives mines an incentive to comply with sustainability and conflict-free mining requirements, and helps downstream companies ensure their products aren’t used to finance conflicts and are free of slavery and child labour. A pilot study of SustainBlock was conducted in 2019, focused on two tungsten mining sites in the African Great Lakes region. To participate in the network, the companies needed to prove they are following responsible business practices.

5. Sources to corroborate the impact

S1: Letter of support written by Vita Bortnikov, Distinguished Engineer and Chief Architect for Cloud and Distributed Middleware, IBM Research

S2: A Forrester Total Economic Impact (TEI) Study on WebSphere Liberty commissioned by IBM, (2018), (https://hosteddocs.ittoolbox.com/tei_websphere_liberty.pdf)

S3: Coin Telegraph article (2018): Walmart, IBM Blockchain Initiative Aims to Track Global Food Supply Chain, (https://cointelegraph.com/news/walmart-ibm-blockchain-initiative-aims-to-track-global-food-supply-chain)

S4: IBM Blog post, (2018) TradeLens: How IBM and Maersk Are Sharing Blockchain to Build a Global Trade Platform, (https://www.ibm.com/blogs/think/2018/11/tradelens-how-ibm-and-maersk-are-sharing-blockchain-to-build-a-global-trade-platform/)

S5: Unblocked article, (2019), Blockchain supply chain: Interview with Richard Stockley, IBM, (https://un-blocked.co.uk/2019/10/02/blockchain-supply-chain-interview-richard-stockley-ibm/)

S6: A Forrester Total Economic Impact (TEI) Study on IBM Blockchain commissioned by IBM, (2018), (https://www.ibm.com/downloads/cas/QJ4XA0MD)

S7: IBM Client Stories article (2020), Revolutionizing recycling by creating an ecosystem for plastic, (https://www.ibm.com/blockchain/use-cases/success-stories/#section-5)

S8: Impact of the Plastic Bank (2020), (https://plasticbank.com/our-impact/)

S9: IBM Block chain User Cases Showcase (2020), (https://www.ibm.com/blockchain/use-cases/success-stories/#section-10)

S10: IBM Share of Blockchain market news item (2018), (https://uk.news.yahoo.com/walmart-embraces-ibm-apos-blockchain-200500127.html)

Submitting institution
Royal Holloway and Bedford New College
Unit of assessment
11 - Computer Science and Informatics
Summary impact type
Societal
Is this case study continued from a case study submitted in 2014?
No

1. Summary of the impact

Cyber-crime costs the UK billions of pounds and threatens national security. However, the effects of cyber insecurities on everyday life are not widely acknowledged. Professor Coles-Kemp’s research demonstrated how people are often cyber security’s strongest link, rather than the weakest. It shows that for cyber security to be effective, security professionals must address the security issues that people across society face in their everyday lives. This work has led to a transformation of professional cyber security practice and the development of security guidance by the UK’s National Cyber Security Centre (NCSC) that is centred on people and their daily lives.

2. Underpinning research

Digital technology has moved beyond the controlled environments of corporate and government settings, and it is now ubiquitous in every aspect of life: political, social, corporate and institutional. All parts of society – from welfare claimants to school children and grandparents – are now expected to be on-line and this presents a real challenge to those tasked with ensuring cyber security: how do they engage people across a broad social spectrum and achieve secure practices in the context of diverse day-to-day experiences? The importance of socially inclusive cyber security policies was emphasised by the then CEO of NCSC, Ciaran Martin, in a speech to the Confederation of British Industry in 2017 (E.5.5): “First and foremost, among these is the importance of human factors in designing security policies and controls: every solution must survive contact with the user.”

Prior to Coles-Kemp’s research there was little focus on the challenges of widening participation in cyber security programmes. Since 2008, she has researched the social experience of cyber security with a focus on marginalised and under-served communities, often deemed ‘hard to reach’. Using community-based participatory research methods, she has worked with families of prisoners, refugees and economically deprived communities as well as office workers who feel excluded by digital programmes. This research showed that framing cyber security advice and policy in line with communities’ security goals, and in the context of their day-to-day lives, increases their participation in cyber security implementation and training programmes (R.3.1, R.3.3, R.3.2).

A creative securities approach has been developed through Coles-Kemp’s robust, peer-reviewed research on the design and use of participatory research methods to address issues of cyber security (R.3.4). Working with the NCSC’s Sociotechnical Security Group, Coles-Kemp both developed and tested participatory methods within organisations from the corporate sector, central and local government and in community settings using workshops, focus groups and interviews (R.3.1, R.3.3, R.3.4 and R.3.5) and over the course of the last eight years has worked with 1,470 research participants. The research showed that if technology is not useful to people, or if it damages their wellbeing, they are less likely to comply with cyber security policies and practices (R.3.1). It also showed that some of the insecurities people face in their everyday lives both result from and are amplified by their interactions with digital technology; and that these everyday issues must be considered when security practitioners frame cyber security advice and promote safer digital practices (R.3.1). This research resulted in digital design principles and methods to both teach and deliver safer, more inclusive digital services (R.3.2, R.3.6). The research tested and developed participatory methods of engagement, termed “creative securities”, to uncover the fundamental barriers and challenges to safer digital practices.

The creative securities approach was used to investigate how security practices and policies could take account of the political, economic and social aspects of cyber security risk, and the impacts such aspects have on the cyber security concerns of each participant group (R.3.3). These research methods effectively revealed that people consider issues of cyber security in relation to the benefits they derive from digital technology and therefore expert advice must be carefully aligned with these benefits to work effectively. Since 2013 Coles-Kemp has conducted research with 270 cyber security practitioners and digital service providers to better understand their engagement methods and explore how these might be made more people-centred to widen participation in cyber security programmes (R.3.5, R.3.6). Between 2016 and 2019 she also used a creative securities approach to research the cyber security concerns of 240 Syrian and Iraqi refugees in Sweden, leading to greater understanding of the benefits of digital service access via mobile phones (R.3.2, R.3.3). By engaging multiple communities and working in different organisational settings, Coles-Kemp’s research has produced robust methods to widen participation in cyber security programmes and improve the take-up of safer digital practices.

In 2020 Coles-Kemp was commissioned by the Department for Digital, Culture, Media & Sport (DCMS) to undertake research as part of a wider digital identity consultation. The brief was to focus on issues of digital inclusion and e-safety as well as the opportunities, barriers and challenges to digital identity use, set-up and maintenance as a part of access to essential everyday digital services. The research was undertaken with grassroots community groups and took place against the backdrop of the COVID-19 pandemic. As a result, the research also identified some of the pressures and challenges of safely using digital technologies during COVID lockdowns.

3. References to the research

These research outputs have been published in peer-reviewed venues, and are underpinned by research funded by EPSRC, ESRC, TSB, EU FP7 and AHRC.

[R.3.1] Coles-Kemp, L., Zugenmaier, A., & Lewis, M. 2014. “Watching You Watching Me: The Art of Playing the Panopticon”. Digital Enlightenment Yearbook 2014: Social Networks and Social Machines, Surveillance and Empowerment, ISBN 978-1-61499-450-3. Chapter Available from HEI on Request.

[R.3.2] Jensen, R.B, Coles-Kemp, L & Talhouk, R 2020, When the Civic Turns Digital: Designing Safe and Secure Refugee Resettlement in ACM CHI Conference on Human Factors in Computing Systems: CHI'20. ACM, pp. 1-14. https://doi.org/10.1145/3313831.3376245

[R.3.3] Coles-Kemp, L., Jensen, R.B. and Talhouk, R., 2018, April. In a new land: mobile phones, amplified pressures and reduced capabilities. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (pp. 1-13). https://doi.org/10.1145/3173574.3174158

[R.3.4] Dunphy, P., Vines, J., Coles-Kemp, L., Clarke, R., Vlachokyriakos, V., Wright, P., McCarthy, J., Olivier., 2014, Understanding the experience-centeredness of security and privacy technologies. in Proceedings of the 2014 New Security Paradigms Workshop. ACM, 2014. p. 83-94. https://doi.org/10.1145/2683467.2683475

[R.3.5] Coles-Kemp, L., Jensen, RB., Heath CP., 2020, Too Much Information: Questioning Security in a Post-Digital Society. in CHI '20: CHI Conference on Human Factors in Computing Systems. ACM, pp. 1-14. https://doi.org/10.1145/3313831.3376214

[R.3.6] Williams, P & Coles-Kemp, L 2019, Teaching as a Collaborative Practice: Reframing Security Practitioners as Navigators. in Z Pan (ed.), Transactions on Edutainment. vol. XV, Lecture Notes in Computer Science, vol. XV, Springer, pp. 108-128. https://doi.org/10.1007/978-3-662-59351-6_10

4. Details of the impact

“Professor Coles-Kemp’s research has shown that people’s needs, values and preferences have hitherto not been part of cyber security goals and yet are integral to building a more secure organisation…. Professor Lizzie Coles-Kemp’s research and thought leadership in the field has been central to this mindset shift, along with a portfolio of multidisciplinary research that we recognise to being critical to the success of NCSC’s endeavours both now and well into the future”. Head of Research, National Cyber Security Centre (E.5.5).

Coles-Kemp’s research has transformed how the National Cyber Security Centre (NCSC) engages with stakeholders and increased socially inclusive forms of cyber security practice. Her research provided an evidence-based approach that has driven a culture change, resulting in marginalised neighbourhoods and other communities putting in place digital security practices appropriate to their situations. Safer digital inclusion has gained greater political focus during the COVID pandemic and the importance of digital security for all has come to the fore. Coles-Kemp’s research has informed policy discussions and shaped cyber security practice at a national level in the UK, as well as providing guidance to communities in the UK, Australia and Sweden.

Informing a step-change in cyber security policy and practices:

The primary beneficiary of Coles-Kemp’s research is NCSC, the UK’s major source of cyber security knowledge for business, industry, government and the third sector. Coles-Kemp’s research on the wider social dimensions of security practice has been adopted by the NCSC. It has been central to the organisation, changing the way it designs security policies and controls to include the people who use them. This has led to a significant step-change in its objectives and in the methods it uses when engaging with stakeholders, resulting in wider participation in cyber security practices and the recognition of a more diverse range of cyber security issues.

This step change was first signalled in the NCSC’s keynote speech at the leading industry conference, CyberUK, in March 2017 (E.5.1). In 2019, NCSC published guidance, You Shape Security (E.5.2, E.5.5), which emphasises the need for wider engagement practices using approaches such as creative securities to build trust between people and security practitioners. Engagement with the You Shape Security guidance has been extensive, receiving 5,500 unique page views, and a recommendation as a resource by the Centre for the Protection of National Infrastructure (CPNI) (E.5.4). NCSC has used this guidance and Coles-Kemp’s Creative Security engagement toolkit (E.5.2, E.5.5) to engage private and public organisations and the wider cyber security community and promoted this approach across its client base. The benefits of this people-centred approach are described by an NCSC client as: “new trust and communication channels between our employees and the security practitioners in understanding day-to-day frustrations and barriers to good behaviours and in wanting to develop practical, usable solutions that fit with [our] operations and culture.” General Manager, Cyber Resilience, AXELOS (E.5.7).

NCSC has adopted Coles-Kemp’s creative security methods to deliver parts of its sociotechnical events programme. Examples include the use of creative security methods to run workshops at CyberUK, a security industry conference that attracts approximately 8,000 delegates each year (E.5.5). In 2016 her creative methods were used in a CyberUK workshop to encourage people-centred approaches among cyber security practitioners, and their feedback helped NCSC to position the You Shape Security guidance. In 2017, NCSC used Coles-Kemp’s toolkit in a CyberUK workshop where circa 50 security practitioners used creative engagements to describe and explore their career paths into cyber security (E.5.5). The approach was also used to encourage more girls to consider computing and cyber security as a career. The technical architect of the CyberFirst Girls competition for Year 8 girls applied Coles-Kemp’s thinking, reaching more than 4,000 girls in 2018 (E.5.5).

Coles-Kemp’s research has also influenced security practitioners in Melbourne, Australia who are part of The Security, Influence and Trust Group – a Melbourne-based security practitioner organisation. The group has placed Coles-Kemp’s people-centred approach at the core of its programme since its inception in 2016. “This relationship helps to ensure our communities continue to benefit from new methodologies to solve complex cyber security challenges.” Co-Founder Security, Influence and Trust group, Australia (E.5.6).

Creating digital security resilience within marginalised communities and young people:

Coles-Kemp’s collaborative research with third sector and educational organisations has shaped understandings of digital security issues leading to process, practice and policy change.

Marginalised communities: Coles-Kemp’s research in Sunderland between 2013 and 2016 led community groups (Pallion Action Group, Parker Trust and the Jubilee Centre) to identify the security issues that affect them. This enabled community workers to develop support programmes that engaged a wider community in digital security issues. For example, digital welfare research conducted with Pallion Action Group enabled community workers to plan for changes to the welfare system (E.5.8). The Director of Parker Trust and Manager of Pallion Action Group explains the research has (E.5.8): “given us a sense of the challenges that our community is likely to experience as a result of the services going on-line and this enabled us to plan ahead and put the necessary support in place.” Coles-Kemp’s research was also used by Pallion Action Group to set up a support group for families separated by prison.

Between 2018 and 2020, Coles-Kemp extended this mode of engagement to work with hard-to-reach groups in Hull to support the establishment of practical programmes for safer digital inclusion. She then used the same approach with two schools in Southern Sweden that specialised in supporting refugees to re-settle in Sweden in order to help the schools develop safer digital inclusion programmes.

Young People: Coles-Kemp’s research has been adopted by those working with young people to address issues of digital safety and develop pupil-centered e-safety programmes. For example, a secondary school in Oxfordshire used Coles-Kemp’s participatory approach to establish a pupil committee that works together with staff and senior management to develop and implement school e-safety policies. The research has led to a transformation of the school’s e-safety programme and practice, leading to more controlled mobile phone and social media use, the reduction of pupil stress-levels and a programme of collaborative engagement with parents and pupils (E.5.9).

Safer Digital Inclusion in a Post-COVID Society

In the build-up to the UK’s COVID lockdown in March 2020, Coles-Kemp’s expertise was sought after to inform programmes orientated towards community digital service delivery. As part of her work as Co-Investigator on the EPSRC-funded Network+ Not-Equal, Coles-Kemp worked with other members of Not-Equal to consult with 20 non-academic partners, predominantly from the Third Sector, to find out what challenges they faced in their work to support communities (E.5.3). This consultation enabled Coles-Kemp to understand the pressures and challenges of safely using digital technologies during COVID lockdowns. This informed the community research that Coles-Kemp undertook during the latter half of 2020, including a consultation on digital identity commissioned by DCMS.

DCMS used this report to inform its digital identity programme. The need to focus on safer digital inclusion has become even more apparent in the shift to digital delivery and engagement necessitated by the COVID pandemic and, as a result, the consultation report has been of use to a number of other government departments and agencies, including the Ministry of Justice, Office for National Statistics and NCSC. The work was described by Matt Warman, the Minister for Digital Infrastructure, as “vital research on digital identity and inclusion that will inform our policy development going forward, ensuring everyone who wants a digital identity can have one.” (E.5.10)

5. Sources to corroborate the impact

[E.5.1]: People-centered security webpages and transcript: https://www.ncsc.gov.uk/speech/people--the-strongest-link

[E.5.2]: You Shape Security guidance with reference to creative security webpages: https://www.ncsc.gov.uk/collection/you-shape-security

[E.5.3]: Not-Equal COVID Action Report: https://not-equal.tech/wp-content/uploads/2020/07/Not-Equal_COVID-19_CallToAction_Report.pdf

[E.5.4]: Inclusion of You Shape Security as an approach to security culture change by CPNI: https://www.cpni.gov.uk/insider-risks/security-culture

Testimonials:

[E.5.5]: Head of Research, NCSC (testimonial)

[E.5.6]: Co-founder of the Australian Security, Influence and Trust group (testimonial)

[E.5.7]: General Manager, Cyber Resilience, AXELOS (testimonial)

[E.5.8]: Manager of Pallion Action Group and Director of Parker Trust (testimonial)

[E.5.9]: Head teacher, school in Oxfordshire (testimonial)

[E.5.10]: Department for Digital, Culture, Media & Sport (testimonial)
