We Need A Discipline of Cyber Public Health

I’m very excited that, on Monday, I’ll be giving a Distinguished Lecture, “We Need A Discipline of Cyber Public Health” at Ruhr University Bochum.

It ties together some deeper analysis of where we are with the discipline of security engineering, some of the challenges we face, and how we can solve them.

The abstract is:

For all the tragedy the coronavirus has brought and the difficulties in fighting it, we have a discipline of public health. Scientists are advancing the science of public health. We have public health institutions at many scales: local, national and international. They are defining, gathering and distributing statistical measures. Those measures include, most prominently, deaths, but also hospital admissions and, for some diseases, doctor diagnoses. We have guidance for the public.

We have few equivalents in the world of cybersecurity. We do not know how many computers have malware on them. We do not know what the equivalent of deaths is: is it systems lost to ransomware? What if they were backed up? We do not study means of infection or transmission rates.

These issues are important to me both in a broad sense and in a very specific one. Much of my work is focused on threat modeling: the anticipation of future security problems in technology. What problems ought we anticipate and address? Some security problems are a result of developer errors. These errors include selecting bad tooling, using tools badly, or failing to recognize that they must authenticate, sanitize or otherwise apply security knowledge to a situation. Other problems are what we call “user error,” but that assignment of blame is, itself, hotly contested and often unfair. Security experts rarely give advice on the level of “wash your hands.” Their advice is rarely consistent with that of other experts, or with the public. People are naturally confused and give up. These are all things that public health statistics could help us define and measure.

Because we cannot quantify how computers are compromised, or the causes, it is hard to justify answers to the question of “what should developers know about security?” We know there are aspects of security developers must consider, but the time and attention of developers is a scarce resource. Educating and training them effectively is dependent on prioritization, and for that we need cyber public health and its measurement capabilities.

https://casa.rub.de/en/news/distinguished-lectures/infos/adam-shostack-shostack-associates
[Updated to add: Video is now here.]