Vision on vulnerabilities
The concept ‘vulnerability’ forms a golden thread in the career of Associate Professor Jeroen van der Ham-de Vos: not only does his research at the University of Twente revolve around the management of vulnerabilities in computer security, but he is also actively involved in ethical committees to create awareness among computer scientists about possible vulnerabilities associated with their research.
How did you end up in security research?
‘When in high school I was trying to decide which subject to study, I stumbled upon a course called Cognitive Artificial Intelligence at Utrecht University. At that time, I had already devoured the works of science fiction writer Isaac Asimov, and I had gotten intrigued by the notion of artificial intelligence. The course program turned out to comprise a wide variety of fields, ranging from linguistics to philosophy, psychology and computer science. This has shaped me in many ways.
During my studies, the internet was an upcoming technology. As a volunteer, I contributed to establishing and further developing the university campus network, which triggered my interest in network engineering. That is why, after obtaining my master’s in AI, I also pursued an additional master’s in security and network engineering, and even conducted PhD and postdoc research in that same field. Then I wanted to migrate more toward security, since I felt that I could really make a difference there. I was appointed as the second researcher ever at the National Cyber Security Centre, where, after my transfer to the University of Twente eight years later, I kept working for a day a week.’
What is it that you like about the field?
‘Security has a societal relevance, it is a multidisciplinary field, and there are a lot of ethical aspects associated with it, which I find fascinating. It is a very creative field that is still under development, so there is a lot you can contribute there.
Currently, there is a need to professionalise the field. We need solid theoretical models that can tell us how to keep an organisation safe and secure.
Take municipalities. At the moment, they can turn to some cyber security company to conduct a pen test and give them an idea of how good their security is. But if they approached a different company, the outcome of such a test could be vastly different. Every security company has its own way of working. How can we provide guarantees that an organisation has indeed done all it should have?’
What is your current research about?
‘At the moment, I am mostly working on vulnerability management. How should an organisation deal with vulnerabilities, what processes are needed, and how should one prioritise what to work on first? One of the aspects of vulnerability management involves disclosure, and that is an obvious topic for ethical aspects to come into play. How and when do you inform who about vulnerabilities and possible risks? And how does this affect the person or organisation that has identified the vulnerability in the first place?
One of my PhD students for example is currently working on identifying Internet-of-Things systems that are vulnerable to attacks, and is investigating the best ways to inform users about possible leaks. Another PhD student informed municipalities about a vulnerability and is analysing how they dealt with the reports.’
You have a long history of setting up and taking part in ethical committees. When it comes to computer science, what kinds of ethical issues should researchers be aware of?
‘Virtually every data set comes with its own ethical aspects. You need to think about how to collect your data, for what purpose you can and cannot use it, how and for how long you can store it, and whether your data set might contain any biases. Especially when you are working with human subjects or personal data, it is imperative to think upfront about the impact of your research and any liability or other legal issues that might be associated with it.
My first encounter with this topic was when I was still at the University of Amsterdam, a little over ten years ago. I was doing network research that revolved around The Pirate Bay, a torrent website where users can share files like movies, music and software. After a series of lawsuits about copyright infringement, the site was forbidden in the Netherlands. We wanted to see how this ban would influence the distribution of copyrighted material, only to find that it made no difference whatsoever.
During that project, I realised that I had collected IP addresses of people who essentially were breaking the law by exchanging copyrighted material. That is very sensitive personal information. I consulted with the legal department on what to do, and they simply said: to be safe, just don’t engage in this type of research at all. This is an interesting dilemma: how can you work on societally relevant research without risking going to jail yourself?
As a result of this experience, I started an ethical committee at the University of Amsterdam. After my move to Twente, I became active in the ethical committee here as well.’
How can an ethical committee be of help?
‘I see it as our task to provide a service to both the individual researcher and to society. We want to help researchers think about ethical aspects upfront, to both prevent any problems along the way and improve their research. We have developed a questionnaire that helps researchers get an idea of the issues to take into account when they are designing an experiment. And in Twente, we respond within two weeks to anyone who comes to us with a question or a proposal.
Also when it comes to these ethical committees, I think we are in need of some further professionalisation. Now, every individual ethical committee at each university is reinventing the wheel. What’s more, if a researcher at university A takes some joint research proposal to the local committee, and a colleague at university B does the same at their home institution, they might not get the same advice.
That is why we are constructing a working group within IPN with the aim to exchange knowledge among ethical committees, starting a community and hopefully work on standardisation. We have had a first meeting which was very constructive, the next is in the making. It is my personal ambition to end up with a national association focussing on ethical aspects of computer science that can act as an interlocutor for funding agencies and policy development at universities on this topic.
So, my message to anyone with any experience or ideas about the role or way of working of ethical committees in our field is: please join us and subscribe to our mailing list.’