JASON’s thoughts on information security


The JASON group recently released the report Science of Cyber-Security (PDF) that the US Department of Defense hired them to write. In particular, the DoD asked these nine questions:

  1. What elements of scientific theory, experimentation, and/or practice should the cyber security research community adopt to make significant progress in the field? How will this benefit the community? Are there philosophical underpinnings of science that the cyber security research community should adopt?
  2. Are there “laws of nature” in cyberspace that can form the basis of scientific inquiry in the field of cyber security? Are there mathematical abstractions or theoretical constructs that should be considered?
  3. Are there metrics that can be used to measure with repeatable results the cyber security status of a system, of a network, of a mission? Can measurement theory or practice be expanded to improve our ability to quantify cyber security?
  4. How should a scientific basis for cyber security research be organized? Are the traditional domains of experimental and theoretical inquiry valid in cyber security? Are there analytic and methodological approaches that can help? What are they?
  5. Are there traditional scientific domains and methods such as complexity theory, physics, theory of dynamical systems, network topology, formal methods, mathematics, social sciences etc. that can contribute to a science of cyber security?
  6. How can modeling and simulation methods contribute to a science of cyber security?
  7. Repeatable cyber experiments are possible in small closed and controlled conditions, but can they be scaled up to produce repeatable results on the entire Internet? To the subset of the Internet that supports DoD and the IC?
  8. What steps are recommended to develop and nurture scientific inquiry into forming a science of cyber security field? What is needed to establish the cyber security science community?
  9. Is there reason to believe the above goals are, in principle, not achievable and if so, why not?

The JASON group's answers to these questions are in this report, along with lots of other interesting, big-picture thoughts about the information security industry. At 88 pages, this report isn't exactly short, but it's well worth reading for anyone who works in the industry.
