By Eric N Hatleback
I argue that marking a proper distinction between two types of research in the cybersecurity field obviates the present debate concerning a “science of cybersecurity.” Once the terminology has been properly disambiguated, the accurate descriptor for the current state of the practice of cybersecurity becomes apparent: it is a protoscience. Further, once a definition for ‘science’ is specified, it becomes clear that the protoscientific state is capable of trending in the proper direction, namely toward science and away from pseudoscience.
In a recent publication, Alexander Kott notes that “the central role of models in science is well recognized; it can be argued that a science is a collection of models, or that a scientific theory is a family of models or a generalized schema for models.” (Kott,1 p. 30). Although there are alternative proposed solutions to the demarcation problem, taking Kott’s model-based approach to defining science affords the opportunity to address—and make progress toward solving—the recent debate concerning a potential “science of cybersecurity.”i Kott references the debate in terms of a lacuna in our present categorization of cybersecurity research:
even for those in the cyber security community who agree with the need for a science of cyber—whether it merits an exalted title of a new science or should be seen merely as a distinct field of research within one or more of [the] established sciences—the exact nature of the new science, its scope and boundaries remain rather unclear. (Kott,1 p. 1)
Kott’s statements provide the backdrop for two tasks, both of which I aim to accomplish here. The first is to articulate, in an accessible fashion, a disambiguation of the phrase “science of cybersecurity.” Doing so addresses Kott’s query about the scope of a science of cybersecurity. The second task is a consequence of the first: it is an assessment of the current state of the practice of cybersecurity in terms of whether it is, or can be, scientific.
I argue that marking a proper distinction between two types of research in the cybersecurity field obviates the present debate concerning a science of cybersecurity. Once the terminology has been properly disambiguated, the accurate descriptor for the current state of the practice of cybersecurity becomes apparent: it is a protoscience. Further, if we adopt a definition for “science” in line with the one chosen by Kott, we can see that the protoscientific state is capable of trending in the proper direction: toward scienceand away from pseudoscience.
Section 2 is spent identifying the distinction between the referents of the terms cybersecurity and science of cybersecurity. With that distinction in place, Section 3 proceeds with an analysis of the present state of “cybersecurity” and “science of cybersecurity,” with the aim of establishing that cybersecurity is protoscientific. Section 4 contains concluding remarks.
2 Cybersecurity: Science and practice
The process of disentangling cybersecurity from science of cybersecurity requires an explicit effort to symmetrize the terminology itself. Cybersecurity is a practice. It is, roughly, the activity of defending the technological assets of some entity from an adversary’s attempts to meddle with those assets in some way. The “defending” can take many forms, including straightforwardly responding to attacks, preemptively researching human motivational and game theoretic tendencies to anticipate the actions of attackers, or deciding what actions to take upon gaining knowledge of an as-yet-unexploited vulnerability.ii When we refer to cybersecurity, we refer to actions of this sort—to the practice of cybersecurity. Accordingly, in what follows, I will utilize the term practice of cybersecurity, denoted cybersecurityp, when referring to the act of cybersecurity itself.
By contrast, is it clear that cybersecurityp is distinct from the (potential) science of cybersecurity, hereafter denoted cybersecuritys. This is so because the science of cybersecurity—cybersecuritys—refers to the collective properties of cybersecurityp, such as its methods, principles, and laws.iii These properties emerge from an analysis of cybersecurityp discipline-wide; individual instances of cybersecurityp do not reveal such collective qualities. The different denotation of each of the two terms is the first of three clear indicators that cybersecurityp and cybersecuritys are distinct in terms of their research subject matter.
The second indicator arises from the traditional scope of scientific research. The distinction between cybersecurityp and cybersecuritys fits the landscape of “traditional” sciences. Consider physics, for example. Physicists do physics: they generate theories, they think of clever ways to test the theories, and they experiment to instantiate the clever tests. Additionally, however, there is a set of people who study what the physicists do, how the physicists operate, and what the implications are of what the physicists are reporting. These people—philosophers of physics—study the way the practice of physics is undertaken, as well as the implications of the discoveries of the physicists. The philosophers of physics focus on experimental method, the epistemological foundations that ground the claims of the physicists, and the like. There are other groups of this sort for other sciences, too: philosophers of biology, philosophers of cosmology, and so forth. Collectively, the group comprises the philosophy of science field. Sometimes, the scientists themselves are also philosophers of their respective sciences, but those cases are fairly rare. By and large, but not exclusively, a researcher of the sort under discussion here is chiefly a scientist (a physicist, a biologist, a cosmologist, etc.) or chiefly a philosopher of science. Correspondingly, the distinction between cybersecuritypand cybersecuritys fits this structure: cybersecurityp researchers correspond to the scientists, and cybersecuritys researchers correspond to the philosophers of science. In that sense, cybersecuritys could instead be labeled “philosophy of cybersecurity.”iv
The third indicator that cybersecurityp and cybersecuritys are distinct fields of research is that the distinction enables the evaluative element of science to arise for cybersecurity. Just as the physicist could do physics research either scientifically or unscientifically, so, too, a cybersecurityp researcher is capable of undertaking cybersecurityp research scientifically or unscientifically.v Note, importantly, that in both cases, the scientist still undertakes the “base” activity: the physicist still undertakes physics, and the cybersecurityp researcher still undertakes cybersecurityp research, regardless of whether the research is done scientifically or unscientifically. Neither researcher undertakes the philosophical task: the physicist (in the example) is not undertaking philosophy of physics while performing physics research, and the cybersecurityp researcher is not undertaking cybersecuritys research while performing cybersecurityp research. These are different fields, with different targets of study. The same separation holds true for the evaluation of the research, as well: the cybersecurityp researcher, regardless of whether he or she does the work scientifically or not, still does not undertake cybersecuritys research. If we fail to distinguish cybersecurityp from cybersecuritys, we are left only with “cybersecurity research” as a singular bulk entity, and our hunt for a “science of cybersecurity” reduces to the oversimplification of attempting to judge whether cybersecurity research as a whole is scientific. No unifying answer will surface from that inquiry (indeed, none has thus far), chiefly because that task is ambiguous. To disambiguate the task, we need the capability to evaluate cybersecurityp research and distinguish scientific cybersecurityp research from unscientific cybersecurityp research. Cybersecuritysresearch is what provides the tools for making that evaluation.
Two small tangent discussions involving the qualities of cybersecuritys and cybersecurityp are in order before proceeding.vi The first involves defining the members of the group labeled “cybersecurityp researchers.” The uniqueness of the computing discipline blurs the line that separates engineers and scientists in that domain.vii The blurring introduces a potential complication: insofar as the narrative thus far has correlated cybersecurityp researchers with “scientists,” it is unclear (for example) whether industry software engineers are scientists—cybersecurityp researchers—in the same way that university computer science department faculty members are scientists. In the present context, the complication is sidestepped by recognizing that it is not a researcher’s role that invokes the “cybersecurityp” label, but rather it is the researcher’s action that invokes the label. So long as a researcher is engaged with the activity of defending technological assets (broadly construed, as discussed at the outset of this section), that researcher (for present purposes) is undertaking cybersecurityp research at that time. Put another way, cybersecurityp and cybersecuritys are areas of research, rather than classificatory roles, so specific roles—software engineer, faculty member, etc.—cannot be intrinsically linked to cybersecurityp (or cybersecuritys). Just as the same person might, at one time, undertake experimental physics research (as a scientist) and might, at another time, undertake a study of the metaphysical implications of that experimental physics research (as a philosopher of physics), so, too, an industry software engineer (or a university faculty member) might undertake cybersecurityp research at one time and cybersecuritys research at another time. The subject matter, not the researcher’s role, delineates cybersecurityp from cybersecuritys.
Second, with respect to the domains of the two fields, the inherent adversarial nature of cybersecuritypreveals an interesting difference between its output and the output of some of the traditional sciences to which it has been analogized thus far. Because cybersecurityp researchers operate within a dynamic (adversarial) environment, the results of their research often are rendered obsolete by their adversaries. Accordingly, cybersecurityp researchers must frequently revisit (and revise) previously-obtained results. Traditional scientists (physicists, for example) face no such dynamic environments. The results obtained by those scientists (assuming the results are veridical) remain valid and can be built upon, so the need rarely arises to return to square one. This distinction potentially explains an apparent mismatch between traditional scientists and cybersecurityp researchers. Whereas traditional scientists are able to proceed, as part of the traditional scientific trajectory, from obtaining their results to interpreting them (for example, by attempting to generate laws to describe large swaths of results), cybersecurityp researchers instead must contend with adversarial actions that render obsolete their previously-obtained results.viii In these cases, tasks (such as the foundational unification of data and results into law-like generalities) that would normally be undertaken by scientists (cybersecurityp researchers) fall instead into the domain of cybersecuritys researchers.
Because cybersecurityp is in a nascent state, it is only beginning to develop its own set of researchers focused on cybersecuritys. At this early stage, the cybersecuritys literature arises mainly from a select few researchers in cybersecurityp who branch out with the occasional publication addressing cybersecuritys. Examples of this sort include Roy Maxion (with his focus on experimental practice in cybersecurityp), Fred Schneider (with his focus on urging cybersecurityp researchers to search for potential scientific laws of cybersecurityp), and Alexander Kott (with his approach to defining science and evaluating the fit between that definition and cybersecurityp).1,11,12 Although the bulk of the work done by these researchers lies in the cybersecurityp domain, they address cybersecuritys when they study the way cybersecurityp is undertaken.
Although cybersecuritys could be referred to by a different label (perhaps, as suggested earlier, ‘philosophy of cybersecurity’), it has instead received the ambiguous label ‘science of cybersecurity’, which has generated the confusion that the present work is aiming (in part) to disentangle. Indeed, the distinction between cybersecurityp and cybersecuritys has, in fact, been identified in several places in the literature. For example, the abstract to the 2010 JASON report opens by stating:
JASON was requested by the DoD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied. (JASON,13 p. v)
In the present terminology, JASON was contracted to investigate cybersecurityp to determine whether cybersecuritys could be developed. The following year, the US Government issued its strategic plan for cybersecurity research, in which it is noted that “the science of security has the potential of producing universal laws that are predictive and transcend specific systems, attacks, and defenses.” (Executive Office of the President,14 p. 11). It is not cybersecurityp that would produce the universal laws; rather, cybersecurityswould generate the laws that would thereby facilitate a higher level of success for cybersecurityp.ix
Nonetheless, in the years since, the debate concerning the “science of cybersecurity” has devolved due to the loss of keeping the referents of cybersecuritys and cybersecurityp distinct from each other. To illustrate, I will close this section with a clear, extended example of the field’s deep-rooted conflation of cybersecurityswith cybersecurityp. Although what follows is merely a single episode, it accurately exemplifies the lack of the distinction between cybersecuritys and cybersecurityp in the cybersecurity field.
In a two-issue burst in 2012, the National Security Agency’s The Next Wave periodical covered the subjects of “Developing a blueprint for a science of cybersecurity”15 and “Building a national program for cybersecurity science.”16 The titles of the two issues suggest an emphasis on cybersecuritys, but the contents of the issues instead reflect a decidedly even mixture of pieces focused on cybersecurityp and pieces focused on cybersecuritys.
Then, in 2015, The Next Wave revisited the topic with its issue entitled “Building a Science of Cybersecurity: The Next Move.”17 In that issue, the same mixture of cybersecuritys and cybersecurityp contributions emerges. However, the Guest Editor’s Column that opens the publication, penned by Stuart Krohn, offers hope that the distinction between cybersecurityp and cybersecuritys has taken root. Krohn identifies several important cybersecuritys foci in the column, particularly when he writes:
It is essential that this new science be grounded on common definitions. Throughout the years, there has been much debate about the nature of science—what it is, and what methods are best. The works of Karl Popper on falsifiability, of Pierre Duhem on the testing of hypotheses as parts of whole bodies of theory, and of Thomas Kuhn on shifts in scientific paradigms, are fine examples of this. No doubt we will continue that broader discussion in relation to security science… (Krohn,17 p. i)
The mention of Popper, Duhem, and Kuhn, all of whom are renowned philosophers of science, highlights the earlier-articulated relationship between philosophers of science and cybersecuritys researchers. The inclusion of those philosophers of science in the discussion appears to bode well for the establishment of the distinction between cybersecuritys and cybersecurityp. However, what follows the ellipsis in the quote above reveals that cybersecuritys and cybersecurityp are, instead, viewed as interchangeably as they ever have been: “…but that is not our interest here.” (Krohn,17 p. i). Krohn then describes the contents of the issue, which is dedicated to “the next move” in “building a science of cybersecurity”:
This issue of TNW describes research contributing to the development of security science. Included are highlights of two workshops initiated by the Special Cyber Operations Research and Engineering subcommittee: one on the adoption of cybersecurity technology, the other on computational cybersecurity in compromised environments…. Interspersed are several more in-depth papers on topics including power grid security, phishing, privacy, cyber-physical systems, and a competition aimed at building better code. (Krohn,17 p. i)
Despite directly distinguishing cybersecuritys research and accurately identifying it as the philosophy of science correlate to cybersecurityp, Krohn proceeds to conflate cybersecuritys with cybersecurityp by classifying material that unambiguously falls under cybersecurityp as “research contributing to the development of security science.” The result is that the issue dedicated to building a science of cybersecurity—dedicated to cybersecuritys research of the sort initially mentioned by Krohn in his column—instead is filled with cybersecurityp research.
We see, then, that when one inquires whether there can be a “science of cybersecurity,” there are two significant questions being asked simultaneously:
- “Can cybersecurityp be scientific?”
- “Can cybersecuritys exist?”
The “debate” about the issue arises when discussants intend to address one interpretation of the question without acknowledging which interpretation is intended. By distinguishing cybersecurityp from cybersecuritys, we are able to navigate the ambiguity.
[ For the full article and more images, click here. ]