Cybersecurity in Central Asia

In 2018, I was in the second year of my PhD trajectory and in the best traditions of spreading my academic self thin, I decided to take the initiative to mainstream cybersecurity in Central Asia.

It was not an easy task

When I started approaching regional actors about cybersecurity, I was often met with something along the lines of: "We don't have stable electricity yet, and you want to talk about cybersecurity?". But I believed that the absence of reliable electricity did not mean the absence of digital threats. The cost of inaction would be far greater than the cost of early preparation.

So, I turned to the beloved OSCE Academy in Bishkek. I proposed a cybersecurity module as part of the Politics and Security Master's program. As a leading platform for research, education and dialogue in Central Asia, the Academy was receptive. That decision planted the seed for something that progressively developed.

Since that first cohort, I have now worked with seven generations of young leaders from across Central Asia and beyond. What an absolute honor and joy this journey has been. Over time, the course expanded to include students from both the Politics and Security and the Economic Governance tracks. The diversity in the classroom has been phenomenal. I've had the privilege of teaching students from Afghanistan, Azerbaijan, Canada, Denmark, Georgia, Kazakhstan, Kyrgyzstan, Mongolia, the Netherlands, Russia, Tajikistan, Turkmenistan (finally more of them!), and Uzbekistan. Each group brought unique perspectives, but the shared curiosity and drive to address cybersecurity challenges has always been the common thread.

So, what issues do we address?

We start with a fundamental question that turns out to be not so simple: What is cybersecurity? We break into groups and try to craft our own working definitions. The results are always wonderfully diverse, and often conflicting. Students are then introduced to how different governments, NGOs, international tech corporations, and cybersecurity bodies define it. The point isn’t to land on one “correct” answer but to appreciate the multidimensional, contested nature of cybersecurity.

From there, we explore key terminology and actors:

• Distributed denial-of-service (DDoS) attacks, ransomware, exploit, malware, spyware, Trojan horse, firewall, zero-day vulnerabilities

• Cybercrime, cyber terrorism, cyber espionage, cyber activism

  
  

We dive into how these blurry categories play out in real-life cases. Students quickly see that what one actor calls “cyber activism,” another calls “cybercrime.”

One of the course highlights is a simulation game where students act as an NGO under pressure, navigating political threats, social pushback, and cyberattacks all at once. It’s fast-paced, stressful, and always sparks deep reflection.

We continue with digital divides and the role of big tech in cybersecurity. We zoom in on the Internet of Things and learn about Hyppönen's Law: “If it’s smart, it’s vulnerable.”

We weave theory and practice, from surveillance studies, panopticism, and the data double to practical cyber hygiene exercises.

We also tackle digital vigilantism and the nuanced challenges of online vulnerability. One of my favorite activities, borrowed from my wife’s toolkit, is asking students to draw their perception of privacy. No words allowed. Just an image. The results are not just profound, they are fun!

On another day, we pivot to information security, especially timely as Foreign Information Manipulation and Interference (FIMI) grows into a major threat, supercharged by AI penetration and deepening filter bubbles. Students reflected on their own media diets, mapping their information ecosystems. We unpacked propaganda, disinformation, and the anatomy of influence operations.

On Day 4, students presented what will be their final projects - policy papers on cybersecurity cases they cared about. I always love this part. I get to learn from them about issues in Central Asia and beyond, through the lens of their own expertise and passion.

The final day is always special

We ran two future-oriented exercises. First, using forecasting tools like the Futures Triangle, we asked: What will cybersecurity look like in Central Asia five years from now?Students shared predictions grounded in trends, drivers, and possible scenarios.

Then, we took it one step further: Inspired by Dr. Etienne Augé’s work on desirable futures, we asked: What would your ideal cybersecurity landscape look like five years from now? Not predictions, but constructions. What would you build, if you could? This is always a challenging but exciting exercise, no matter where I give it, be it in Bishkek, Groningen, or Rotterdam. It forces creative, outside-the-box thinking.

Before we wrapped up, I introduced them to the basics of qualitative methods in digital research, a brief but important primer for those who want to take their cybersecurity journey further.

As always, we took the traditional group photo outside the Academy building. The last day is a strange mix of emotions: Pride. Gratitude. Nostalgia for the student days we shared. A hint of homesickness.

There are tough moments in academia, but good things happen. For me, coming back and giving back is one of those moments that still wakes up the butterflies in the stomach.