 |
Panel Presentations Quarterly Lablet Meeting at CMU July 2015 |
The Science of Security (SoS) quarterly Lablet meeting, sponsored by NSA, was hosted by the Carnegie Mellon University Lablet on July 14 and 15, 2015. Quarterly meetings are held to share research, coordinate, present interim findings, and stimulate thought and discussion about the Science of Security. Two panel sessions produced lively discussions about the nature of the Science of Security and the developing Science of Privacy.
Science of Security
The Science of Security panel addressed the concept and tenets of the emerging science of security (SoS). A panel of Lablet faculty members led by moderator Bill Scherlis (CMU), offered observations about the nature of science generally and how modern cybersecurity issues relate. Following opening remarks by the panelists, a lively discussion among them and the audience took place. The panel consisted of Dave Nicol (UIUC), Carl Landwehr (GWU), Jonathan “Jono” Spring (CMU CERT), Emerson Murphy-Hill (NCSU), Tudor Dumitras (UMD), and Bill Scherlis (CMU), serving as moderator.
In his opening remarks, Scherlis stated much of what we do is modeling that we relate to artifacts and phenomena. Good models are good because they are resonant, support reasoning. But adversaries attempt to escape the model, that is, to find work-arounds; given this, what does it mean to say the Science of Security? Offering what he labelled a “provocative comment” he offered the opinions that it is incorrect to say it [Science of Security] will simply be more rigorous. He thinks focusing on the right dimensions will disproportionately improve what we do in practicality and productivity. For example, he says there is a robust consensus on the 5 hard problems. Another example is the emphasis on measurement and methodology. He says we are not focusing on all of cybersecurity; by focusing and being attentive to scope, we will do better in internal collaboration and in engineering better systems.
Carl Landwehr reviewed the history and evolution of cybersecurity thinking. Don Good, University of Texas, did work in 1986 that suggested a need to “review foundations of computer security.” 15 years later Fred Chang, distinguished professor and scholar at SMU, asked what was the science in security? So the question has been asked for a while.
Landwehr avers it is engineering, not science, according to much of the literature such as the Mitre-JASON study. He clarifies that it is really Science of Cybersecurity—that security is way broader topic. To be scientific, a subject must be empirical, testable, rigorous, broad, and incremental. There are different types of science—Aristotelian, Newtonian, Darwinian, and now behavioral economics.
Citing Herbert Simon in his 1969 “Sciences of the Artificial” [n.b. 1969. The Sciences of the Artificial. MIT Press, Cambridge, Mass, 1st edition. "objects (real or symbolic) in the environment of the decision-maker influence choice as much as the intrinsic information-processing capabilities of the decision-maker." He explained "the principles of modeling complex systems, particularly the human information-processing system that we call the mind" One important distinction is that science teaches about actual things while engineering deals with artificial things. We must, according to Landwehr, make an effort to understand real problems in real systems and understand how experiments enhance knowledge.
Jonathan (“Jono”) Spring asked “What is SoS? How does our understanding advance SoS?” His answer to the first is the second. He avers SoS is it not just engineering because philosophy is integral to science and that building community and building consensus, are part of building science. SoS offers unique challenges: confluence of these obstacles: engineered mechanisms designed by someone else who may want to thwart us and digital economics and the oddness of zero marginal costs and non-rival goods.
Tudor Dumitras said a big component of SoS is moving toward systems that have measurable elements that allow us to capture the advantages and limitations of real world adversaries. Observation and experimentation give us insights and ways to defeat these adversaries. Measurement also allows correction for model drift and change over time. He added that there is value in reproducing older studies using modern data and techniques to validate those studies and use the knowledge gained to develop the principles.
Emerson Murphy-Hill said that cybersecurity to date has been like a radar gun. The radar gun generated the radar detector. Then the radar detector generated a radar detector detector and so on. Cybersecurity has been linear in its development of tools and foils extended on and on.
Dave Nichol says that the “piece of the elephant” that resonates with him is when we study SoS as first class objects. The primary question is “what is security?” He likens it to the Bell–LaPadula model of information flow. [n.b. The Bell–LaPadula Model is a state machine model used for enforcing access control in government and military applications.] Another piece of SoS is going from model to implementation. He says SoS is about studying security in a specific context—how to break a piece of cryptography.
Bill Scherlis quoted Tony Hoare “we treat our software as a phenomenon of nature.” We don’t control it, but merely building on a basis that is “tacit.”
Carl Landwehr countered that his can’t predict or control nature comment is at odds with predictability.
Bill Sanders commented that models are good—build them, learn from them and then build better models.
Jono Spring commented that we can have the conversation across a range of models—but then asked whether we can translate among each other or only one adjacent person who understands the jargon?
The panel wrapped up their discussion.
(ID#: 15-6136)
Science of Privacy
The second panel discussed the emerging question of the Science of Privacy in a fundamental way. As with the panel discussion about the Science of Security, the panel offered opening remarks, and an interactive discussion with the audience ensued. The Science of Privacy panel included Adam Tagert (DoD), Travis Breaux (CMU), Munidar Singh (NCSU), Serge Egelman (Cal-Berkeley), and Lorrie Cranor (CMU), acting as Moderator.
In introducing the panel, Bill Scherlis stated “privacy is ‘an issue of the day’” and not as far along in its conceptual development at the Science of Security. This discussion was intended to stimulate thinking and discussion within the community about privacy and its relationship to cybersecurity.
In her opening remarks, Lorrie Cranor said it is typical to have a panel and also for panels to disagree about definition of privacy. The topic is current, but there is also a body of work about the nature of privacy, primarily from legal scholars and behaviorists.
Serge Egelman identified http://teachingprivacy.org as a source of materials for teachers and described plans for doing a MOOC courseware. The material cited includes 10 principles. Edelman states that one shouldn’t figure on finding a single absolute definition of privacy, that researchers should simply define how they are using it for their specific work.
Adam Tagert stated privacy is about information and not about the technical aspects. Considerations of privacy are about setting up rules so that information can be provided in just enough detail—data minimization.
Munidar Singh says that privacy, like security, is always about a human and correlates to human identities.
Travis Breaux offered a pluralistic view suggesting that privacy has many different definitions. The researchers job is to just tell which one is being used. Privacy, he adds, is trust based and that sharing information between two is one thing, but adding a third party creates a much greater problem. Need to focus.
Audience member Comment/question: why didn’t anyone say it is about expectations? How do we reconcile these with other expectations? How do you guarantee these expectations are met?
Lorrie Cranor—P3P project { n.b. The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. 2007] thought the goal was to restrict the flow of information but that companies thought it was not about restricting data flows but to control or manage those flows. She countered with another open question: What metrics are there?
Serge Egelman: one metric is expectations; in the lab, give tests on privacy attitudes
Travis Breaux: We have to be able to measure privacy knowing that each member of the population has different privacy expectations. Working on design requirements shows there are conflicting goals sometimes. Systems are changing as well as users, so we will need to collect data for analysis.
Munidar Singh: measure reactions.
Adam Tagert: being transparent is really hard. With privacy, there is a need to get to a point where we can identify the privacy thresholds.
Travis Breaux: There is a lack of knowledge about predictability in current methods such as k-anonymity.
Audience member: what is privacy about? Negative things happening. So we need to know what the outcomes are, and what the consequences are, the likelihood of certain outcomes, and what the final things are people care about.
Lorrie Cranor: privacy is context dependent.
Bill Scherlis: if there are no models, how can you figure out what is ok and what is not? Not monetized.
Travis Breaux: there is a variable market for info
Audience member: back to expectations: how do we measure and what are the formalisms we have created aligned with people’s expectations?
Serge Edelman: What is the difference between privacy and security? Is there any reason to care?
Carl Landwehr asked whether a science of privacy is possible without a definition.
Serge Edelman said we need consistent definitions and consistent metrics.
Singh Munidar suggested we need to scope the problem.
Jono Spring countered by asking whether SoS is all about definitions.
Wrap up comments:
Adam Tagert: we need to get to a scientific understanding or it.
Serge Edelman: We need to do more to understand and inform expectations.
Mudinar Singh: Privacy is about norms.
Travis Breaux: We can use engineering to “suss” out the problem and use that information to inform the science.
(ID#: 15-6137)
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.