On my two hour run today I was thinking about information security and the research vectors that I see within the discipline. I don’t publish very much so I have little effect on the space. I was thinking about how the discipline hasn’t moved forward and more importantly how it seems to be stagnant within the field of systems security versus thinking about information. I apologize up front if this sounds disjointed, normally I use a structured writing method and this is more stream of consciousness. So if my normal writing sucks this will be worse.
I recently received an excellent call for papers, Learning from Authoritative Security Experiment Results, from Matt Bishop. The premise of the conference is to talk about research where the results were nothing new, or not statistically significant. As the call for papers discusses, sometimes these are the most interesting results of all. Well, I get excited about them, but I happen to be sitting on a dissertation that, though scientifically valid and significant for a variety of reasons, has a hypothesis that was not proven (poor Popper would shudder). Why? Because knowing what you don’t know is more important than what you do know. Personally I believe that is the absolute principle of research that makes it work. If I know the answer, why would I research it? I really like great questions much more than right answers.
I run across people all the time who do not know the difference between information security and systems security. Most academic programs are about the securing of systems with the expectation that information will be secured. Most hacking curricula are about overcoming the technical controls of systems to ensure that the information’s confidentiality, integrity and availability are breached. Systems hacking towards information breach is always a two-stage process. To most people that is revolutionary, if somewhat of a duh moment.
To me the worst thing is that modern information theory was produced by guys like Claude Shannon, David Bell, John von Neumann, and Alan Turing. Basically three dead guys and one still kicking. And we don’t have guys like this around today adding to the body of knowledge in significant ways. There are dozens of awesome authors to go along with these guys, like Saltzer and various authors like Boehm. I won’t mention Spafford because it looks like I’m sucking up, but his book on Unix security is still one of my favorites. Back to Matt Bishop: his big book on infosec is a compendium of these authors’ ideas (see, I’m not totally whacked off track yet).
We have lots of alchemy within the discipline. I see lots of people talking about things like defense in depth thinking that 2 + 2 + 2 + 2 = 8, where 2 elements of security layered 4 times equates to 8 elements of security. A pretty simple way of looking at things. Unfortunately, in most instances defense in depth is (2 + 2 + 2 + 2) / 4 = 2: 2 elements of security added n times is divided by n, a simple average of the security rather than a sum. The first strategy is usually fine for a logical design, but the real result of the security is found in the latter formulation. It becomes more apparent if you think about the information flows rather than the system interconnections. For me to put it in a blog post is pretty simple, and there has been a lot of stuff published on this using empirical methods (see previous blog posts on defense in depth for a deep literature review).
This comes back to the fact that I can’t find a modern-day Claude Shannon. Maybe he/she is hiding in a laboratory somewhere kicking out research, but even Shannon didn’t publish nearly as much as a current professor would be expected to. Anybody wanting to buy me his collected works should do so soon. Maybe the modern-day Claude Shannon can be found among the recipients of his award, but though they are all excellent scholars I don’t think they’re advancing the theory nearly as fast as the person the award is named after.
Why all this discussion about a long-dead guy? Information assurance and security is a discipline that is welded to several other disciplines. Information assurance and security is completely a multi-disciplinary problem. Much like computer science, there is a spiderweb of intersecting interests and stakeholders tugging the information component back and forth. Networking, computing, programming, content creation, social interaction and controls, human-computer interaction, databases and warehousing of data, and so much more make up the information flows, and understanding the principles across such a wide swath is difficult at best and horrific in principle. A lot of effort dealing with information theory is put into cryptography, but that is frosting on a cake. Computer science has become a system-oriented science, and information technology has limited itself to processor-based systems.
So what do we get if we identify the next Claude Shannon? The person who will define computing for the next fifty years. The person who will understand the inherent conceptual pieces of computing and define it for the rest of us long before it is sexy or fancy accepted practice. Somewhere out there is a person looking at what we’re doing and, I’d like to think, preparing to explain that to the rest of us. I’m betting they don’t publish very often and are working for a corporation that really doesn’t understand what they have going for them. Almost unfairly, the primary work of advancing the computing era we’ve enjoyed over the last 50 years came out of corporate laboratory environments. Even today, the development of 50 or so video games is orders of magnitude more in expenditure than the NSF’s total funded computer science research. It’s a rough comparison, but put another way, the total NSF computer science research budget is about one F-35.
So, somewhere out there is the person who is going to define the future. We have really gotten into celebrating the tiny little advancements we’ve made in the past few decades and have instantiated a religion of computing fairly well. Somewhere, though, is the Thomas Kuhn-derived paradigm-shift agent for computing who will explain the way forward. I’m looking, but you should be too.
Sorry it’s a rough post, but it’ll do.