Dan Geer wrote an essay for the National Science Foundation on whether cyber security can be considered a science. The short version is this: what constitutes a “science” is somewhat loose; however, measured against some commonly held dimensions, cyber security is not yet a science and could most likely be considered a proto-science. Mr. Geer’s essay is worth reading for yourself, since there is far more nuance in it than this post will cover.
Similarly, Alex Hutton has stated in some previous talks that information security is something of a tradecraft rather than a science. Information security, cyber security, or whatever moniker we want to assign it, does indeed seem to be more of a tradecraft than a science or an engineering discipline.
Mr. Geer’s essay points out a few challenges unique to cyber space relative to other scientific disciplines: a major part of the “thing” being modeled is a set of sentient adversaries that can adapt, learn and deceive, and the technology itself evolves rapidly.
There seem to be other confounding factors as well: the “constituent components” of cyber security are arbitrary, implemented in wildly different fashions by different people and organizations with different levels of skill and different incentives, built to different specifications, with non-obvious defects, and so on. Translating just a slice of these challenges into civil engineering terms: some timbers used in construction might objectively look similar but have hidden flaws that manifest only under certain circumstances, placing a structure’s integrity at risk. The flaws in the timber are not apparent and cannot be detected without incurring extraordinary expense, and even then not all of the flaws are likely to be uncovered.
With respect to technology producers, the “building materials” we have to work with in information technology are flawed in many ways, most of which are unseen. With respect to the implementers of technology, the ways in which systems are architected and implemented are generally arbitrary and utilitarian, and do not, in any appreciable way, reflect the uncertainty inherent in the technology being used.
If timbers were so structurally flawed, civil engineering, building codes, architecture and so on would need to accommodate the uncertainty that comes with building a structure that relies on such timbers. Information technology deals with this uncertainty very inconsistently, and the constant spate of breaches suggests that it is often not properly accounted for.
Information technology, and by extension information security, is currently a craft. Some are exceptionally good at their craft, and some are quite poor. The proliferation of information technology into daily life has, in my view, created a fairly low barrier to entry into this craft. As a result, we have extremely wide variation in the quality and care with which information technology is implemented. As with furniture or jewelry made by craftsmen, some of it is exceedingly well designed and built, and some of it is complete crap.
Evolving information security into a science has been a personal interest of mine for some time. I would propose that a key aspect, though by no means the only one, of turning information security into a science is a more objective approach to designing and implementing “systems” that are inherently resilient to failure within certain parameters. Failure to engineer properly at the “system level” of information technology is what I most often see leading to the most complex security issues. This will very likely mean that some current technical implementations don’t fit economically into a more scientific future state, and technology producers will need to adapt accordingly to support the market.
A significant part of this will be clearly understanding the limitations of technology components, and designing in safety margins and detective capabilities that indicate failure.
This is a complicated topic. I certainly do not think I have the answers, but I believe I can see the problem, or at least some manifestations of it. As Mr. Geer points out in his essay, the way forward is through continued research, continued evolution of our understanding, better defining the “puzzles” that need to be solved and searching for a paradigm that addresses those puzzles, as well as ensuring that practitioners share a common level of competence.
The question is how to start taking those steps.
Thanks to my Twitter friend Rob Lewis (@infosec_tourist) for the link to Mr. Geer’s essay and his constant needling of me in this direction.