“Defence Against the Dark Artefacts: Smart Home Cybercrimes and Cybersecurity Standards”
post by Stanislaw Piasecki (2018 cohort)
Dr. Lachlan Urquhart (Lecturer in Technology Law, University of Edinburgh and former CDT student) had the first idea in terms of the paper’s topic, which has evolved quite significantly since then concerning its content, structure and methodology. The paper has been written by myself, Lachlan and Professor Derek McAuley (Professor of Digital Economy, Faculty of Science, University of Nottingham). The initial version was based on the practice-led project module completed during the 2018-2019 academic year (part of the Horizon CDT PhD programme). The first title of the project was “Defence Against Dark Artefacts: Mapping Smart Home Cybersecurity Standards”. While I was working on the PLP, the United Kingdom Department for Digital, Culture, Media and Sport (DCMS) published a series of documents aggregating various standards in its “Code of Practice for Consumer Internet of Things (IoT) Security” and the associated “Mapping of IoT security recommendations, guidance and standards to the UK’s Code of Practice for Consumer IoT Security”. During the same period of time, the European Union Agency for Network and Information Security (ENISA) mapped standards in its “IoT Security Standards Gap Analysis”. We realised that the mapping had already been done at both national and EU levels and, as a result, focused our work on analysing the assumptions underpinning emerging EU and UK smart home cybersecurity standards, changing the article’s title to “Defence Against the Dark Artefacts: Smart Home Cybercrimes and Cybersecurity Standards”. Staying up to date was crucial to making our paper relevant and as accurate as possible. I considered the publication of the documents mentioned above as a positive development as I was able to completely focus on the analysis of the assumptions upon which IoT standards are based, the most interesting aspect of our project in my view.
My motivation to write this paper has always been to stir discussions about those assumptions and contribute to moving policies into a positive direction for EU and UK citizens. While the main objective of our work has not changed, the means to achieve our goals did. For example, as a result of team discussions, we decided to use the routine activity criminological theory to explain security risks associated with the current design of many smart products. This theory has supported effective policymaking and crime prevention strategies for a long time and has recently been applied more frequently to “virtual” world-related scenarios. Discussing and contributing ideas with my co-authors was a great experience, which certainly improved the content of our article.
We had already started discussing the outline of the paper in 2019. My professional background is in law and politics, and our project also involved work in fields such as computer science, cybersecurity and criminology. For this reason, the interdisciplinary nature of our team was helpful and important. In addition to online research and team discussions, I organised meetings with experts from the University and with people I met during various events (such as the 2019 EUROCRIM conference in Ghent, Belgium) to receive advice. However, the interdisciplinary nature of our project remained a challenge for me and involved much reading and many discussions to better understand the computer science and criminological aspects of our article, especially at the beginning of my PhD journey (I was still getting familiar with certain basic terminology used in the computer science field). In my opinion, this part of the paper preparation process greatly enhanced my research knowledge and skills. While I will never become a computer scientist, learning about this field of study by reading journal papers and books, but also by asking questions to computer scientists, continues to help me in proposing the most relevant and accurate legal solutions, as my work often lies at the intersection of law and technology. Writing this journal paper has reminded me of the value and importance of interdisciplinary work.
In terms of the review process, the initial journal to which we submitted our paper had difficulties in finding reviewers, and we decided to withdraw our submission. We made this decision before any reviewer was found. I discussed this with my co-authors to make sure that this was ethical (until then, I did not know that withdrawing the submission was in some cases an acceptable decision) and together we contacted the journal in question to be certain that they were comfortable with this as well. This is why the publication process has been much longer than anticipated. This has also influenced our work as we had to stay up to date with new research and technological developments, and include them in our paper while waiting for reviews. Subsequently, we decided to submit our article to the Computer Law and Security Review journal, known for its interdisciplinary nature. The reviewers were quickly selected and we started working on their comments.
Two persons reviewed our work and, in my opinion, the comments were fair. The reviewers were open to discussing them and it felt as if they really wanted to improve our paper rather than just criticise it. The article required a minor revision, which was completed after two cycles of amendments. While we agreed with some comments, we disagreed with others but always found a common solution. I did anticipate some suggestions. For example, in terms of the structure of the paper, I had suspected that this might be something that they could comment on, as I was hesitating myself on how to order specific sections. In this regard, the reviewers helped me in seeing this issue more clearly and finding the right solution. They also suggested citing additional articles, defining certain technical terms and giving more examples of real-world situations to illustrate my arguments. This has definitely improved our paper. In terms of the remarks we disagreed with, we were able to explain to the reviewers what we meant by particular statements and convince them that they are important. This also allowed us to refine those statements and make them clearer for future readers.
While publishing our paper took a rather long time due to the necessity to withdraw our first submission and switch journals, writing this article was a valuable and challenging process, my first publication of interdisciplinary work, an opportunity to collaborate with more experienced researchers and learn about various aspects of journal paper publications. I have already applied what I learned by submitting a second paper this year (based on the first two chapters of my PhD), which has been recently conditionally accepted for publication. Among other things, this time I tried to use more concrete real-life examples to support my statements and define technical terms. Even though there might be very well-written articles, I think that there is always room for reviewers’ suggestions to further improve them, and I look forward to participating in the review process again in the future.