“As far as the laws of Mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality.” -Einstein
As cyberthreats evolve and grow at an exponential rate every day, the theory and practice of cybersecurity need to adopt a more scientific approach, becoming more structured and systematic so that scientific methods can be applied. Though cyber experts have made many efforts in the past, the first widely known document on the Science of Cybersecurity was published by MITRE Corporation in November 2010.
Cybersecurity is a sub-discipline of computer science, leaning heavily on all areas of science (mathematical, physical, or social). In addition, it borrows analogies from other research fields, namely epidemiology, economics and clinical medicine. Interestingly, the document points out several sub-fields of computer science that are relevant to cybersecurity and can be analyzed in the current digital context:
- Model checking: Developing a specification of an algorithm and then validating the correctness of that specification under the specific assumptions of the model. Model checking provides a useful and rigorous framework for examining security issues. This is currently being used in data analytics and AI solutions for enabling cybersecurity.
- Cryptography: Examines communication in the presence of an adversary and the assumed power of that adversary to unearth messages. Though many strong algorithms have evolved over time, currently the advent of quantum computing is leading the way for use of quantum encryption algorithms.
- Type theory: Type theory is a mathematical logic. It is a collection of rules of inference that result in judgements. This is used to strengthen the security of software programs.
- Randomization: The use of obfuscation, where the data paths and variables of a program are disguised or randomized to build defenses against some modes of attack.
- Game theory: Helps in prioritizing cyber defense activities.
Challenges in Defining the Science of Cybersecurity
Cybersecurity faces special difficulties and unique challenges in being defined as a science. The authors of the paper “Science, Security, and the Elusive Goal of Security as a Scientific Pursuit” have put forth the following challenges and the counter-responses:
- Adaptive adversary: Cybersecurity faces adaptive, intelligent adversaries who keep changing their methods of attack based on the countermeasures adopted.
- Absence of Invariant Laws: Cybersecurity is too connected with human behavior. It will be difficult to have universal laws.
- Evolving Technology: Cybersecurity needs to deal with constantly evolving software and hardware technology and the inherent compatibility issues.
- Hypothetico-Deductive Model: Cybersecurity should satisfy the following axioms in order to be treated as science:
  - Form a hypothesis from what is observed
  - Formulate falsifiable predictions from those hypotheses
  - If new observations agree with the predictions, a hypothesis is supported (but not proved); if they disagree, it is rejected.
The authors point out that numerous branches of science have overcome difficulties that once seemed unique and inseparable. Even biological and military systems must guarantee robustness in the presence of adversaries. The completeness and elegance of the mathematical expression of physics cannot be matched by other sciences, but that does not make other sciences less scientific. To quote Godfrey-Smith, “most biology has little use for the concept of a law of nature, but that does not make it less scientific.”
To further the discussions, there is no exact science present in the universe. As evolutionary biologist Francisco Ayala states, “A hypothesis is scientific only if it is consistent with some but not other possible states of affairs, not yet observed, so that it is subject to the possibility of falsification by reference to experience.” Also, as Popper famously pointed out, “A theory which is not refutable by any conceivable event is non-scientific. Irrefutability is not a virtue of a theory (as people often think) but a vice.”
Therefore, from these discussions, cybersecurity can be defined as a science and should be pursued with a rigorous scientific approach and methodologies. Some suggested measures are as follows:
- The security community should learn from other disciplines and other literature and be ready to question security foundations and established concepts.
- The end goal of security research is to improve outcomes in the real world. Any mathematical model should stand the test of reality.
- Security researchers across the globe should collaborate on their work and develop an evolving and up-to-date body of knowledge to counter ever-growing threats from cyber criminals and advances in technology.
- There should be close stakeholder cooperation between the private and public sectors, as well as between civil society and the combination of technology with human expertise and experience.
Author’s note: The opinions expressed are the author’s own views and do not represent those of the organization or of the certification bodies with which he is affiliated.