Secrecy News

JASON: Science of Cyber Security Needs More Work

“Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis,” according to the Department of Defense.  “Our current security approaches have had limited success and have become an arms race with our adversaries.  In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security.”

To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report (pdf) on the subject.

“There is a science of cyber security,” the JASONs said, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.”

The JASON report began by noting that “A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study.”

“First, the background on which events occur is almost completely created by humans and is digital.  That is, people built all the pieces.  One might have thought that computers, their software, and networks were therefore completely understandable.  The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well [after the fact],” the report said.

“Second, cyber security has good guys and bad guys.  It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world.  That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent.”

The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is “imprecise”), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.

“There are no surprises in this report, nor any particularly deep insights,” the JASON authors stated modestly.  “Most people familiar with the field will find the main points familiar.”  Also, “There may be errors in the report, and substantive disagreements with it.”

In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written.  While cyber security fundamentally requires an understanding of computer science, the report explained that it “also share[s] aspects of sciences such as epidemiology, economics, and clinical medicine;  all these analogies are helpful in providing research directions.”  An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

“At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms…. [However,] adaptive solutions are expensive in terms of needed resources.  Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense.  [By analogy,] one should therefore expect that [a] significant amount of computational power would be needed to run cyber security for a typical network or cluster.”

The report recommended DoD support for a network of cyber security research centers in universities and elsewhere.  With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China’s chief internet officer, that “Leaking of secrets via the Internet is posing serious threats to national security and interests.”

A copy of the new JASON report was obtained by Secrecy News.  See “Science of Cyber-Security,” November 2010.