Cybersecurity as Illuminator for the Future of Computing Research

numeric codes and shining lights, illustration - Credit: Carlos Castilla

Communications of the ACM, May 2022, Vol. 65 No. 5, Pages 39-41
Security
By John Wroclawski, Terry Benzel

Today, forces as disparate as the ever-increasing centrality of computing to modern society, the intellectual and technical maturing of the discipline itself, changing expectations about the impact of research results, and evolving conceptions of effective researcher career paths drive us to reflect on how the field and profession of computing research should grow and change in response.

In this column, we suggest that the role of cybersecurity in real-world systems, and the costs of its absence, are making the effects of these forces visible to the cybersecurity research community both particularly clearly and particularly early. Hence, lessons being learned by cybersecurity researchers today can help illuminate the path toward evolution of the larger computing research enterprise tomorrow. To explore this idea, we outline several motivating forces we see at play and some lessons cybersecurity researchers are drawing from them. We then turn to the field more broadly, and propose a series of questions worth asking and exploring in that context.

We start by suggesting that failing to fully consider these forces in the context of much past cybersecurity research, development, and deployment has produced disastrous consequences for society. Security continues to be a nonintegrated consideration in the design and operation of many computing systems, addressed narrowly rather than holistically. Equally, security is still viewed by much of the computing research community in a narrow technical context, leading to results poorly aligned with motivating real-world needs. Human factors are poorly understood and insufficiently considered.

The result of these limitations is well known—insecure computational structures with dramatic real-world consequences appear almost routine. Recent examples include Stuxnet, Log4j, SolarWinds, Colonial Pipeline, hospital-targeted ransomware, APT41, Russian Cozy Bear, and many more. Not only do these failings affect our day-to-day lives, but they also have serious impacts on global geopolitical dynamics.

Given this troubling litany, it is reasonable to ask a simple question: Why? And another: What, if anything, can we do about it?

Obviously, research limitations are not the only factor contributing to real-world failures in the security and privacy domain. But to the extent that research can help fix the problem, we argue that a key reason current cybersecurity research has not been more effective is that the fundamental nature of the required research has changed.

The Challenge

Today’s real-world cybersecurity challenge, and thus today’s most compelling cybersecurity research, is increasingly defined by forces and trends that separate it from the simpler circumstances of the field’s founding era. The forces contributing to this new stage of the cybersecurity research life cycle are many and complex, but four defining axes can be identified. These are:

  • Emergence of computing as a fundamental underpinning of modern society, and thus the scope and breadth of the cybersecurity challenge.
  • Intellectual maturing of the discipline itself.
  • Increasing requirement to connect to and integrate with peer disciplines.
  • Complexity and sophistication of research responsive to these forces, with corresponding challenges to research structure, organization, and environment.

In a nutshell, the field of cybersecurity research is growing up. No longer is it the empirical, early-stage discipline of 50 or even 20 years ago, aiming to address relatively straightforward problems in limited and clearly defined circumstances. Yet it is also not, and may never be, the fully mature, highly structured, stylized, and regulated domain of a traditional engineering profession such as civil or mechanical engineering. It is, instead, a field in transition—facing new responsibilities and the challenge of integrating itself effectively into the larger nontechnical world, in a fashion it is unfamiliar with and has not needed to do until now.

To the credit of cybersecurity researchers and the cybersecurity research community, this challenge is increasingly recognized and accepted. As examples, cybersecurity research is frequently framed in a multidisciplinary context with usability experts, sociologists, economists, and others similarly related. Where possible and appropriate, rigor and formal methods are applied in favor of empirical evaluations. Testbeds and similar research infrastructures increasingly focus on effective real-world modeling rather than synthesizing artificial experiments. Each of these, along its own axis, is evidence of a maturing discipline—an effective response to the forces we described here.

About the Authors:

John Wroclawski is Senior Director for Strategic Initiatives at the Information Sciences Institute of the University of Southern California, Marina del Rey, CA, USA.

Terry Benzel is Director of the Networking and Cybersecurity Research Division at the Information Sciences Institute of the University of Southern California, Marina del Rey, CA, USA.
