from the FAS Project on Government Secrecy
Volume 2010, Issue No. 99
December 14, 2010
Secrecy News Blog: http://www.fas.org/blog/secrecy/
JASON: SCIENCE OF CYBER SECURITY NEEDS MORE WORK
"Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis," according to the Department of Defense. "Our current security approaches have had limited success and have become an arms race with our adversaries. In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security."
To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report on the subject.
"There is a science of cyber security," the JASONs said, but it "seems underdeveloped in reporting experimental results, and consequently in the ability to use them."
The JASON report began by noting that "A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study."
"First, the background on which events occur is almost completely created by humans and is digital. That is, people built all the pieces. One might have thought that computers, their software, and networks were therefore completely understandable. The truth is that the cyber-universe is complex well beyond anyone's understanding and exhibits behavior that no one predicted, and sometimes can't even be explained well [after the fact]," the report said.
"Second, cyber security has good guys and bad guys. It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world. That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent."
The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is "imprecise"), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.
"There are no surprises in this report, nor any particularly deep insights," the JASON authors stated modestly. "Most people familiar with the field will find the main points familiar." Also, "There may be errors in the report, and substantive disagreements with it."
In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written. While cyber security fundamentally requires an understanding of computer science, the report explained that it "also shares aspects of sciences such as epidemiology, economics, and clinical medicine; all these analogies are helpful in providing research directions." An analogy between cyber security and the human immune system, with its "innate" and "adaptive" components, was found to be particularly fruitful.
"At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms.... [However,] adaptive solutions are expensive in terms of needed resources. Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense. [By analogy,] one should therefore expect that a significant amount of computational power would be needed to run cyber security for a typical network or cluster."
The report recommended DoD support for a network of cyber security research centers in universities and elsewhere. With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China's chief internet officer, that "Leaking of secrets via the Internet is posing serious threats to national security and interests."
A copy of the new JASON report was obtained by Secrecy News. See "Science of Cyber-Security," November 2010.
HOW MANY PEOPLE HAVE SECURITY CLEARANCES?
How many government employees and contractors hold security clearances for access to classified information? Remarkably, it is not possible to answer that question today with any precision. But it should be possible by next February, officials said at a House Intelligence Subcommittee hearing on December 1.
Currently there is no precise tally of the number of cleared persons, and there is no way to produce one, said John Fitzpatrick, Director of the ODNI Special Security Center.
"We can find definitively if any individual has a clearance at any one point in time," he told Rep. Anna Eshoo, the subcommittee chair. But "to take that point in time and define the number of all the people that do takes a manipulation of data in databases that weren't intended to do that."
"To give a precise [answer] requires, I think, due diligence in the way we collect that data and the way that data changes." And in fact, "we have a special data collection to provide a definitive answer on that in the February 2011 IRTPA report," referring to an upcoming report required under the 2004 Intelligence Reform and Terrorism Prevention Act.
In the meantime, Mr. Fitzpatrick said, "To give a ballpark number [of total security clearances] is not difficult."
Well then, Rep. Eshoo asked, "What would a ballpark figure today be?"
"Oh, I'd like to take that one for the record," Mr. Fitzpatrick replied. "It's -- you know, I'd give you -- I'd like to take that one for the record."
Based on prior reporting by the Government Accountability Office, the ballpark figure that we use is 2.5 million cleared persons. ("More Than 2.4 Million Hold Security Clearances," Secrecy News, July 29, 2009).
Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.