Course Syllabus

DHP P236/CS150-08 Cyber in the Civil Sector: Threats and Upheavals: Syllabus


Professor Susan Landau
Offices: Fletcher: Mugar 251D; Halligan: 241
Office Hours Spring 2018: Mondays 2:00-3:00 Halligan 241
Tuesdays 1:30-2:30 Mugar 251D (Fletcher)


Course Description: There is a myth that the Internet erases borders. But as Internet companies' ability to place localized ads show, that's false. What’s more accurate is that the Internet complicates a nation’s ability to control of the flow of information within its borders. (This is not a new challenge for sovereign nations; consider the telegraph.) This fluidity has created great economic opportunity and simplified trans-border access, the latter potentially threatening security and other basic state functions. With bits increasingly controlling the world around us, the Digital Revolution poses a highly disruptive threat. In this course, we'll explore cyber clashes in the civilian sector: from jurisdictional issues and the challenges posed by new technologies to criminal activities and impacts on civil infrastructures. While several of the topics are also covered in International Cyber Conflict:
 An Introduction to Power and Conflict in Cyberspace, DHP P249, the intersection between the two courses will be relatively minimal. Cyber in the Civilian Sector will have a greater focus on technology and, naturally enough, on the civilian, as opposed to national-security, side of the house.


Prerequisites: For CS students in A&S or SoE: COMP 11: Introduction to Computer Science and COMP 15: Data Structures. Note that this is a Fletcher graduate course: some technical and academic maturity is required.


Enrollment requirements: No programming background needed, but a willingness to, and interest in, playing with digital tools is required.


Course schedule: This course will meet weekly on Mondays and Wednesdays 11-12:20 during the 2018 spring term. There will be no class on February 28 and April 23.


Course Requirements:

You will have three written assignments and one group presentation. Three of the writing assignments will be three-page briefing papers; the fifth will be longer (ten pages) and will be written in conjunction with a group presentation for the final day of the module. Though the project and presentation will be a group effort, the paper itself should be an individual effort.



Three short papers (3 pages): 10% of grade each

Group presentation: 20%

Ten-page paper: 30%

Class participation: 20%

Class participation matters in your grade.

Note that there are no late assignments. Any assignment not handed in at the beginning of the class in which it was due will not be accepted, and you will receive a "0" for that particular effort.


Course Expectations:

The course has lots of readings and no exams---but class participation counts 20% of your grade. Do the reading before class, think about what you've read, and come in informed and ready to discuss the issues.

I like to grade papers with a pen in my hand and paper rustling. So please hand in your papers in hard copy as well also sending me a version via email (please put DHP P236/CS150-08 in the email subject; thanks). Papers are due at the beginning of class. There are no exceptions to that rule.

Writing well is important in virtually any career you might have, and I expect clear, careful writing in all assignments. Writing well involves thinking clearly, organizing your thoughts, and then expressing them clearly. Although three of the papers for this course are just three pages, don't be fooled by the short length of the assignments. Such brevity means you must work hard to get important ideas into a small amount of space (and please use 12 point fonts). Woodrow Wilson is said to have responded when asked how long it would take to write a speech, "That depends on the length of the speech. If it is a ten-minute speech it takes me all of two weeks to prepare it; if it is a half-hour speech it takes me a week; if I can talk as long as I want to, it requires no preparation at all. I am ready now." That's exactly right. Think hard, write down your ideas, and then express them succinctly.

My personal favorite book on writing is the decades-old Strunk and White, Elements of Style. If you need more help on writing, take advantage of the Tufts Writing Center.


Please also see the Course Policies page.


Course Syllabus


Important Note: This syllabus is a work in progress; some readings may change as the term progresses.

Second Important Note: There are a variety of readings in this course. The books are on reserve (though there may only be one copy, so plan accordingly). Any National Academies studies can be accessed for free online. Finally, note that unless otherwise noted, please read the entire assigned paper.

Topic I: How the world has changed

January 17: Introduction

  • Clashes and change enabled by cyber in the developed and developing world.
  • Cyber in Africa and the Arab Spring; Cyberespionage and Open Networks: the US/China clash.


January 22: The Digital Revolution in context

    • What cyberspace is: size, usage, and growth; genesis of the Internet.


Topic II: How the Internet: Technical and—Attempted and Successful—Policy Controls

January 24: Who controls the network? Guest Speaker: Scott Bradner

  • Differing players (IETF, ICANN, companies, nations).



January 29: How the Internet works: Part 1, cryptography

  • Public and symmetric key crypto
  • The Crypto Wars


January 31: How the Internet works: Part 2, protocols

  •  PKI, DNS, certs



February 5: Does Geography Matter? Part 1: Governments try to control events

  • How does Internet data flows change commerce and jurisdiction? Or do they?
  • Governments exercising local control: controls and costs.


Assignment: You are the staff member responsible for technical issues for a national elected official. Prepare a 3-page briefing paper on how to determine geographic location of an Internet user. Your brief should be non-technical but explain technical issues; your document should include the complexities of doing so and the circumstances under which it is possible.

February 7: Does Geography Matter? Part II: Governments control events




Topic III: An introduction to understanding cyberattacks


February 12: Why cybersecurity is hard:

  • Protect yourself. Two-factor authentication as a case study.



February 14: Why cybersecurity is hard:

  • Programming errors/complexity; interfaces are where the problems occur; security/usability tradeoffs; determining risk is hard.



February 21: Cyberthreats

  • Cyberexploit v cyberattack; how attacks occur; how surveillance changes in the Internet era; cyberexploits, an old tool, now repurposed.



February 26: A brief history of cyberattacks


“Lab” assignment: Go through two of your electronic devices (laptop, smartphone, etc.) with an eye to protecting your security and privacy. Explain the decisions you’ve made configuring them. In a three-page document, provide the general principles you’ve used to protect your devices, explain where you’ve deviated from them-and why. Include a bibliography of materials you used to make your choices; this bibliography is an important aspect of the assignment and is not part of the page count.


February 28: No class.

  • This would be an excellent time to work together on your group project.


March 5: Why securing systems is hard: attacks on protocols



March 7: Why securing systems is hard: attacks on protocols; unprotected systems.

  • Attacks on TLS.
  • The weakness of SCADA systems.



March 12: Why securing systems is hard: securing critical infrastructure is hard

  • NIST framework.



Topic IV: Cybercrime and its complexities


March 14: Tracing users, Tracing crime:

  • Part I: shutting it down: Spam and prescription drugs
  • Part II: jurisdictional issues: Attribution and following the money MLATs—and the difficulties of criminal investigations



March 26: Facebook, Advertising, and Privacy



March 28: Economics of information security

  • How big a problem?
  • Behavioral economics: how users react to security choices.
  • Economic incentives and alignments.




Topic V: Changing technologies and their implications


April 2: How technology changes basic assumptions

  • Cloud.
  • IoT.



You have a choice of topics.

  • You are a member of the National Security Council. Write a 2-page briefing document arguing why the North Korean attack on Sony rises to a national-security threat.
  • Pick one of the cyberattacks discussed in class, and propose a fix from either a regulatory or process (the latter within industry) standpoint that would prevent an attack of this sort in the future. Note that "of this sort" is intentionally vague. Part of this assignment is to scope the type of attack you seek to prevent. In this 2-page briefing document you present to your legislator or Chief Technology Officer you should delineate the costs (societal, economic, etc.) that are likely to ensue from your proposal and describe the likelihood of your solution's success.

Please be careful to cite; note that citations can be on page 3 (and thus not part of the page count).


April 4: Big data and machine learning on a massive scale



April 9: Attacking civil society

  • Attacks on voting.
  • Russian attacks: the technical steps behind how they worked.
  • Exploring risks to civil society.



April 11: What enabled the US to become a leader in cyber?

  • DARPA.
  • Ex ante regulation.
  • Capital.
  • What enables a nation to enter the market?
  • Scale matters.


Vannevar Bush, "As We May Think," Atlantic Monthly, July 1945, (recommended, not required).


April 18: Borders: Open net/open society; localization: national sovereignty and economic concerns.

  • EU response to Snowden: privacy or protectionism?



April 23: No class. Use the time to practice your group presentations.

April 25: Student presentations: what enables a country to compete in the digital economy?

Student presentations on what enables technology/country X to succeed, what causes it to fail (10-page individual briefing paper plus group presentation):

  • Blackberry
  • E-stonia
  • North Korea
  • South Korea
  • India
  • China
  • Israel and cybersecurity market
  • More topic choices to be added; you may also propose some.

 April 26, 4-5 pm: Student presentations (extra class)

  • Please note the date; the room is 231 Mugar.


April 30: Wrap-up: Discussion on what is needed to secure society.


Course Summary:

Date Details Due