FAS

JASON: Science of Cyber Security Needs More Work

12.14.10 | 3 min read | Text by Steven Aftergood

“Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis,” according to the Department of Defense.  “Our current security approaches have had limited success and have become an arms race with our adversaries.  In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security.”

To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report (pdf) on the subject.

“There is a science of cyber security,” the JASONs said, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.”

The JASON report began by noting that “A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study.”

“First, the background on which events occur is almost completely created by humans and is digital.  That is, people built all the pieces.  One might have thought that computers, their software, and networks were therefore completely understandable.  The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well [after the fact],” the report said.

“Second, cyber security has good guys and bad guys.  It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world.  That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent.”

The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is “imprecise”), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.

“There are no surprises in this report, nor any particularly deep insights,” the JASON authors stated modestly.  “Most people familiar with the field will find the main points familiar.”  Also, “There may be errors in the report, and substantive disagreements with it.”

In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written.  While cyber security fundamentally requires an understanding of computer science, the report explained that it “also share aspects of sciences such as epidemiology, economics, and clinical medicine;  all these analogies are helpful in providing research directions.”  An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

“At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms…. [However,] adaptive solutions are expensive in terms of needed resources.  Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense.  [By analogy,] one should therefore expect that significant amount of computational power would be needed to run cyber security for a typical network or cluster.”

The report recommended DoD support for a network of cyber security research centers in universities and elsewhere.  With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China’s chief internet officer, that “Leaking of secrets via the Internet is posing serious threats to national security and interests.”

A copy of the new JASON report was obtained by Secrecy News.  See “Science of Cyber-Security,” November 2010.

publications
See all publications
Nuclear Weapons
Blog
New Voices on Nuclear Weapons Fellowship: Creative Perspectives on Rethinking Nuclear Deterrence 

To empower new voices to start their career in nuclear weapons studies, the Federation of American Scientists launched the New Voices on Nuclear Weapons Fellowship. Here’s what our inaugural cohort accomplished.

11.28.23 | 3 min read
read more
Science Policy
Article
Expected Utility Forecasting for Science Funding

Common frameworks for evaluating proposals leave this utility function implicit, often evaluating aspects of risk, uncertainty, and potential value independently and qualitatively.

11.20.23 | 11 min read
read more
Nuclear Weapons
Report
Nuclear Notebook: Nuclear Weapons Sharing, 2023

The FAS Nuclear Notebook is one of the most widely sourced reference materials worldwide for reliable information about the status of nuclear weapons and has been published in the Bulletin of the Atomic Scientists since 1987. The Nuclear Notebook is researched and written by the staff of the Federation of American Scientists’ Nuclear Information Project: Director Hans […]

11.17.23 | 1 min read
read more
Social Innovation
Blog
Community School Approach Reaches High of 60%, Reports Latest Pulse Panel

According to the National Center for Education Statistics’ August 2023 pulse panel, 60% of public schools were utilizing a “community school” or “wraparound services model” at the start of this school year—up from 45% last year.

11.17.23 | 4 min read
read more