Cyber Security: Is it now a new major subject like Computer Science?

A recent report in Chinese media caught my eye: Cyber Security (网络空间安全 in Chinese, which literally means “Network Space Security” but I believe is how the English word “Cyber Security” is translated into Chinese) is now a major subject at the same level as Computer Science according to a recent change made to the regulations governing PhD programmes in China. The change was proposed in June 2015 by China’s Office of the State Council Academic Degrees Committee (国务院学位委员会), and the first 29 universities got their Cyber Security PhD programmes officially approved in late February 2016. The news quickly spread in Chinese media and some researchers claimed this a major milestone for Cyber Security research in China (e.g. see Prof Yixian Yang‘s blog article).

This news is interesting to me because it matches how I feel Cyber Security as a research subject is (and should be) heading for. Traditionally (and still so in most universities), research on cyber security is conducted under the name Computer Security, Information Security or Data Security (although the last is relatively less used). Even at Surrey, we are running an MSc programme under the name Information Security rather than Cyber Security. As a term Cyber Security (or Cybersecurity as more often used in other EU states and America) appeared much later, probably not earlier than 1994 according to Merriam-Webster. This term becomes more popular in recent years and its use has been promoted by governments of many major nations in the world including the UK, the US and the European Commission. The “beauty” of replacing the word “computer”, “information” or “data” by “cyber” is that we can look at security in a far more diverse and dynamic context e.g. we can look at systems involving both humans and computers and also social aspects rather than just technical ones. In other words, Cyber Security as a term has a more interdisciplinary flavour than other traditional terms, thus being able to reflect the increasing complexity of security problems we are facing in today’s highly digitised and well connected world.

The interdisciplinary nature of Cyber Security research can be seen from memberships of many UK government recognised Academic Centres of Excellence in Cyber Security Research (ACEs-CSR). Taking SCCS (ACE-CSR at Surrey) as an example, while all Core Members are from Computer Science and Electrical and Electronic Engineering Departments, our Associate Members are from many different departments including Sociology, Law, Psychology, Business, and Economics. A similar pattern can be observed in some other ACEs-CSR such as Cyber Security Oxford, Security Lancaster, and CyberSecurity Southampton.

The newly created Cyber Security subject in China also has a clear interdisciplinary feature. For a university to be eligible for having a Cyber Security PhD programme, it has to have ALL the following PhD programmes established: Computer Science and Technologies, Information and Communication Engineering, Mathematics (the last one can be replaced by a secondary level subject Cryptography). It is clear the new PhD programme has a strong technical flavour, which may be explained by the fact that the new subject is classified under Engineering category — which means students graduated from a Cyber Security PhD programme will be awarded a PhD in Engineering (工学博士) degree. It is interesting to see how social aspects of Cyber Security will be considered in future development of China’s PhD programmes — will we one day see a PhD degree across more than one category?

If you are not familiar with Chinese PhD programmes: all PhD programmes offered by Chinese universities are under quality control by the Office of the State Council Academic Degrees Committee, and a university is not allowed to start a PhD programme before getting an official approval by the committee. All PhD programmes are categorised using a subject list with three levels (higher to lower): category (门类), Level-1 subject (一级学科), Level-2 subject (二级学科).

While most established publication venues in Cyber Security are still considered part of Computer Science (e.g. IEEE S&P, ACM CCS, USENIX Security, ISOC NDSS, ACSAC, ESORICS, etc.), more interdisciplinary venues have started emerging in recently years. One example is Journal of Cybersecurity published by Oxford University Press, whose website says “The journal is premised on the belief that computer science-based approaches, while necessary, are not sufficient to tackle cybersecurity challenges. Instead, scholarly contributions from a range of disciplines are needed to understand the human aspects of cybersecurity.” — This is something I personally share and appreciate.

Update (2 April 2016): On 25 March 2016, 257 individuals and organisations with interest in cyber security co-founded the Cyber Security Association of China (CSAC, 中国网络空间安全协会 in Chinese). See news from China’s Xinhua News Agency (English edition reported by the People’s Daily is here). CSAC is not a scientific association, but more an industry-facing body, so I expect a new association for cyber security researchers will be soon formed or CSAC will have a special chapter focusing on cyber security research. Since there has been a Chinese Association for Cryptographic Research (CACR, 中国密码学会 in Chinese) established in 2007, it will be interesting to see how CACR and CSAC/the new cyber security research association will interact with each other — it may not be an impossible thing to see the two organisations merge into a single one since cryptography can be considered a sub-area of cyber security.