Hej København!

The cold doesn't bite in Copenhagen on this Sunday at the end of November 2023. It's more of a gentle nibbling that accompanies the tiny falling snowflakes. Only right by the canal is the wind blowing so cold that shivers run up against our clothes. It's just after 4 p.m. when we check into the Tivoli conference hotel and it's already pitch dark outside. In winter, the days are short in the Danish capital. Well, not for us. One of the four largest information security conferences in the world awaits us: the ACM Conference on Computer and Communications Security, which is actually always just called CCS. Slight déja-vu, because these so-called top-tier conferences also included the USENIX Security Symposium, which we attended in Anaheim, California, in August 2023.

Good intentions - doomed to fail

Once again, I made a resolution to attend at least a few interesting presentations, perhaps on web security or data protection topics. Something that even people like me, who haven't studied computer science, can understand. The sobering truth is that by the end of the week, I hadn't listened to a single lecture to the end. That's okay, because: The thing I can learn here, and the thing the researchers are visiting for, doesn't have that much to do with technical knowledge. These conferences are a big networking event. Young researchers can present their work to the international research community for the first time and experienced researchers can catch up with old acquaintances.

30 years of CCS

This year's CCS is special. The conference will celebrate its 30th anniversary in 2023 and - as will become clear in the following days - will have a number of specials to offer. What makes it even more special for us is that CISPA-Faculty Cas Cremers is this year's Program Committee Chair (PC Chair for short) of CCS. Cas had already briefly explained to me what this means during our trip to California. But I wouldn't really understand it until these few days. The conference itself is actually only the tip of the iceberg, most of the hard work has been done many months in advance: The chairs have to mobilize many people who are willing to review hundreds of papers, take responsibility for the various conference topics and lead the talk sessions. They also determine which quality criteria the submitted papers must meet and set the focus of the content.

Hard facts about CCS

Following Sunday's workshops on topics such as data protection in the digital society and security in the Internet of Things (IoT), the main conference starts at 9 a.m. on Monday. This morning, Cas will be on stage together with his co-chair Engin Kirda from Northeastern University to give the roughly 1,000 researchers in the hall a deeper glimpse into the preparations for the conference: 436 people are part of the program committee this year and were mainly busy reviewing papers in the months leading up to the conference. More than 1200 scientific papers were submitted to CCS by researchers from all over the world. Over 3000 reviews were written, as each paper always has several reviewers. Tens of thousands of comments were written by these reviewers to help the authors improve their work.

eingereichte Paper

Mitglieder des Programmkomitee

Vorträge

After two cycles, each with three rounds of review, 19 percent of the papers were finally accepted. I have no idea whether that is a good or bad rate. The plenum seems satisfied with this number. The conference participants can expect more than 230 presentations over the next three days. The topics are diverse: software and web security, blockchain technologies, applied cryptography and machine learning, to name but a few. A look back at the history of the conference shows just how strong and fast the research community is growing. In the founding year 1993, there were just 60 paper submissions, of which 22 were accepted - a mere fraction of what is presented today. So much for the facts.

The perennial theme of diversity

From this first welcome on early Monday morning, it is clear that these conferences are above all a place for the research community to address its own pressing issues. In Copenhagen, the question of how to achieve more diversity among the participants is raised again. To me, one dimension of diversity still seems to pose the greatest challenge in IT security research: Gender. The proportion of women in computer science and in cybersecurity research is still very low. According to the Federal Statistical Office, only around a fifth of computer science students in Germany are female. According to a study by the ISC2 (short for International Information System Security Certification Consortium), the proportion of women working in IT security jobs worldwide is only slightly better at around 25 percent. This industry is also suffering from a shortage of skilled workers. Unfortunately, the proportion of diverse people who are neither male nor female is not even recorded.

On stage, Cas clearly advocates promoting diversity even more and also has a specific suggestion: "We should also introduce an event like GREPSEC at CCS." I already got to experience GREPSEC at the USENIX Security Symposium. It's a workshop for doctoral students in the fields of computer security and data protection that focuses specifically on underrepresented population groups. Other suggestions from the panel include the introduction of childcare at the conference and the wider involvement of associations that specifically promote diversity.

Business as usual?

Throughout his half-hour presentation on stage, Cas seems relaxed and at ease. When I meet him later during a coffee break, however, he still seems pretty energized. I ask him how he's doing. He positively gushes that he is feeling better now that the opening is over. "I have a mixed relationship with speaking in front of so many people. Once I'm on stage, it clicks. I'm always nervous beforehand. Now that the opening is over, I'm a bit more relaxed. You don't speak in front of 1000 people every day." He adds the last sentence because I must have looked at him with a little disbelief. I'm not quite sure why I think he's a superhuman who doesn't mind something like that. Maybe because he seemed so natural when he was speaking? Or because he is so well known in the research community? When I joined CISPA around three years ago, I quickly realized that Cas was what is colloquially known as a big shot. Among other things, he was involved in the development of the Corona-Warn-App and somehow I had the feeling that I could hear the high level of respect for him everywhere. Unfortunately, this respect only grows when you play foosball against Cas. It's one of his great passions and it's really damn hard to beat him.

"I have a mixed relationship with speaking in front of so many people. Once I'm on stage, it clicks. I'm always nervous beforehand. Now that the opening is over, I'm a bit more relaxed. You don't speak in front of 1000 people every day."

Cas Cremers
CISPA-Faculty

Business as usual!

The really fantastic Danish food gives me and my colleague Tobias (who took all the great photos) a real boost before we start documenting our researchers' presentations. Now it's time to spend the day taking pictures, writing posts and sweating along in support of our researchers. In the evening, there's a meeting to celebrate the 30th anniversary and the announcement that we can expect a big banquet and party the next day. We snap a few photos at the subsequent poster session, where our ERS team presents a paper. ERS is short for Empirical Research Support. It is a team of psychologists who support the researchers at CISPA in the design of studies and conduct research on topics themselves. At CCS, they will present a paper on evaluating the quality of common transcription services used for interviews in cybersecurity studies.

To be continued

On day 2 of CCS Copenhagen, we are treated to a huge banquet and party, as well as insights into the subtle distinctions between the conferences. Ali Abbasi takes us on a little space adventure and Cas Cremers reflects on the power of his words.