JASON: Science of Cyber Security Needs More Work

“Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis,” according to the Department of Defense.  “Our current security approaches have had limited success and have become an arms race with our adversaries.  In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security.”

To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report (pdf) on the subject.

“There is a science of cyber security,” the JASONs said, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.”

The JASON report began by noting that “A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study.”

“First, the background on which events occur is almost completely created by humans and is digital.  That is, people built all the pieces.  One might have thought that computers, their software, and networks were therefore completely understandable.  The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well [after the fact],” the report said.

“Second, cyber security has good guys and bad guys.  It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world.  That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent.”

The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is “imprecise”), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.

“There are no surprises in this report, nor any particularly deep insights,” the JASON authors stated modestly.  “Most people familiar with the field will find the main points familiar.”  Also, “There may be errors in the report, and substantive disagreements with it.”

In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written.  While cyber security fundamentally requires an understanding of computer science, the report explained that it “also share[s] aspects of sciences such as epidemiology, economics, and clinical medicine;  all these analogies are helpful in providing research directions.”  An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

“At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms…. [However,] adaptive solutions are expensive in terms of needed resources.  Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense.  [By analogy,] one should therefore expect that [a] significant amount of computational power would be needed to run cyber security for a typical network or cluster.”

The report recommended DoD support for a network of cyber security research centers in universities and elsewhere.  With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China’s chief internet officer, that “Leaking of secrets via the Internet is posing serious threats to national security and interests.”

A copy of the new JASON report was obtained by Secrecy News.  See “Science of Cyber-Security,” November 2010.

Responses to “JASON: Science of Cyber Security Needs More Work”

  1. George Smith, December 14, 2010 at 1:48 PM

    Haw! This is a bit of combination sucker bait and IQ test. If you take it too seriously, you flunk.

    An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

    Or you could also view cybersecurity as the sale of a never-ending subscription service, one which does a daily categorization and identification of malware — called enumerating badness — and pushes out new editions to cover it all.

    The amount of security software running on many individual computers often takes up more than 1 percent of the whole. Perhaps the JASONs have not experienced those mundane moments when surfing the net and your resident anti-virus scanner bogs the computer as whatever the latest packed-full of active goodness page downloads to you.

  2. George Smith, December 15, 2010 at 3:11 PM

    Interestingly, the media — particularly Fox News — increasingly refers to WikiLeaks and Julian Assange as a cybersecurity problem. Often, they are conflated with the issue of cyberwar being conducted against the United States.

    If one is fond or even mildly attracted to the immune system analogy, then what is WikiLeaks? From my standpoint, it’s a global immune reaction directed at the United States. As well as other governments and agencies singled out as corrupt, or in this case, as diseased.

  3. Kelsey Gregg, December 15, 2010 at 10:34 PM

    I like the immune system analogy in terms of function needed (innate and adaptive detection systems), but it falls apart when trying to connect the large number of lymphocytes to computational power.

    1st, Lymphocytes have to circulate and bump into specific molecules, in a specific order, to become active. To make these somewhat random interactions happen at a high enough rate to signal properly, there needs to be a large number of them. Computers just need to send a direct signal through a network to become active – no random interactions required. This does not require high computational power.

    2nd, the process of making novel immunoglobulins (antibodies) requires the continual creation and destruction of a huge number of lymphocytes. A random number generator is all that a computer needs to serve a similar function, which typically does not require high computational power.

    Since a computer network is based on processes fundamentally different from the immune system, the number of lymphocytes in the human body cannot elucidate the computational power needed for cybersecurity. (Computer networks are more analogous to the nervous system, a direct network of data transmission.)

  4. D Byrd, December 21, 2010 at 4:05 AM

    Somebody please define cybersecurity and we can move forward. Define as in limit, constrain or otherwise characterize so that its limiting case is something besides “stuff that affects or is affected by computers” – which is a smidge wide. If it’s human-driven, then why isn’t it psychology or sociology or just criminology? If it’s technical, why isn’t it comp sci or information management? The problem with cybersecurity is that it’s a way for anybody to collect money with a short compound word, and the noise level is so high that virtually nothing actually gets done, but it makes a marvelous three-ring circus to watch. I know this because I’ve been in the trade since about 1970-ish and the merry-go-round of self-licking ice cream cones has just begun to get interesting.