Shostack + Friends Blog Archive


"A Scientific R&D Approach to Cyber Security"

Charlie Catlett, CIO of Argonne National Labs has released a report on “A Scientific R&D Approach to Cyber Security” (Powerpoint summary, community wiki).

It’s a very interesting report. There’s a lot to agree with in terms of a research agenda. They’re looking to compose trustworthy systems from untrusted components, to create self-protective data and software, and to use mathematicsc for predictive awareness for secure systems.

I have two issues with it, one small and one large. The small issue is that the report places mathematics on a pedestal, and goes so far as to refer to economic analysis as a ‘metaphor.’ Mathematics is clearly quite useful, but the problems we experience are often no longer mathematical, but about the meaning of things, and that is a human problem.

Much bigger is that in all the discussions of bringing to bear the power of science, there’s no mention of the data acquisition problem. That is, you can do all the modeling you want, but if you’re not gathering rich data sets about what goes wrong, you can’t test those models or craft informed hypotheses.

I applaud Catlett for seeing the need for real science, and hope that the future research agenda will involve partnerships with those who handle the human side of computer security, as well as joining the New School call for more and more data.