In 2008, the Information Security Panel of the NSA initiated a conversation on the scientific underpinnings of computer security. High profile security failures in critical government systems caused the NSA to question whether there may be a lack of scientific rigor in cybersecurity engineering. They contrasted this to the security associated with cryptographic systems, which while still imperfect, seemed to result in far fewer security failures. As a result, the NSA, in cooperation with the Intelligence Advanced Research Program Research Projects Activity (IARPA) and the National Science Foundation (NSF), sought to explore whether there may be a scientific foundation to cybersecurity: universal governing laws, fundamental principles, the scientific method, and the systemization and generalization of knowledge.
In November 2008, the NSA, IARPA, and the NSF convened the “Workshop on the Science of Security” (i.e. science of cybersecurity) in Berkeley, California. The dialogue focused on the complexity of creating a foundational science of cybersecurity and the ability to produce systems that are secure in real world settings. The Global Science of Security Virtual Organization (SoS VO) notes that a science of cybersecurity would encompass “a body of knowledge containing laws, axioms and provable theories relating to some aspect of system security. [Cyber]security science should provide an understanding of the limits of what is possible in some security domain, by providing objective and qualitative or quantifiable descriptions of security properties and behaviors.” However, articulating a concise definition for the science of cybersecurity is problematic due to the abstract and artificially constructed nature of the cyber environment. For the purposes of this blog, Dusko Pavlovic’s parallel with the challenges of fortress defense is a particularly insightful example.
Fortresses have throughout history been used as a mechanism to protect a populace from external adversaries. A fortress’ physical barriers consisting of walls and gates can be paralleled to cyberspace’s access controls and authentication protocols. These are static architectural views of security. However as the Greeks’ use of the Trojan horse in the Greco-Trojan wars demonstrates, there is a need to protect a city once adversaries penetrate, infiltrate, or subvert static defenses. This requires a more dynamic form of flexible defense. The science of cybersecurity would provide those dynamic defenses. A science of cybersecurity would rely on “predictive analytics, based on mining the data gathered by active or passive observations, network probes, honeypots, or direct interactions” to identify and respond to those adversaries. Similarly to an immune response in the body, a science of cybersecurity would identify threats, adapt to those threats, and seek to eliminate them.
Complicating the security picture is the difficulty in establishing the difference between systems and the external environment in the cyber domain. “In large networks, with immense numbers of processes, the distinction between the system and the environment becomes meaningless.” The task of science is to delineate the distinction between the system and the environment, dynamically responding to changes and adapting to them. To meet these challenges cybersecurity specialists are drawing on diverse disciplines for inspiration: physics, mathematics, cryptology, the social sciences, and even fields as disparate as astronomy, meteorology, agriculture, and medicine.
The Berkley workshop gave birth to new research programs such as the Team for Research in Ubiquitous Secure Technology (TRUST) , research ‘lablets’ at select research institutions throughout the United States , and cooperative initiatives with foreign partners in the United Kingdom and Canada. Recent scientific initiatives have included Geometric Logic for Analyzing Security with Strands, Quantifiable/Refinement of Hyper Properties, and Integrity of Untrusted Computations.
There is potential to expand cooperative programs to study the science of cybersecurity beyond historically close U.S. allies to areas of future geostrategic importance. As Robert Meushaw, the former technical director of the NSA’s Information Assurance (IA) Research laboratory has noted, developing a robust science of cybersecurity will be a long term process that will require broad based collaboration. Indeed, cyber threats are ubiquitous the world over. The computer security company McAfee, a wholly-owned subsidiary of Intel Corporation, notes that every year there is an increase of over a million new viruses and logic bombs, and that figure is increasing. While the science of cybersecurity may provide a mechanism to address core cybersecurity challenges, it also has the potential to build more robust international scientific partnerships.
This blog is adapted from a longer article that will be appearing in the March edition of Seminar magazine titled, “The Softpower of Science in Indo-U.S. Cybersecurity Cooperation.”