JASON on “Science of Cyber Security,” Recommends New Centers

Steven Aftergood, of the always excellent Secrecy News blog, notes the release of a new report by the JASON panel, an influential, independent advisory committee for the Department of Defense that focuses on issues in science and technology, on the “Science of Cyber Security.” Specifically, DOD asked the panel to examine the theory and practice of cyber security, and “evaluate whether there are underlying fundamental principals that would make it possible to adopt a more scientific approach.”

The committee has released their report on the issue (the Federation of American Scientists managed to obtain a copy (pdf)), have concluded that there is a science of cyber security, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.” The primary recommendation of the committee is to have the DOD sponsor “multiple cyber-security science based centers and projects within universities and other research centers.” The programs should have “a long time horizon and periodic reviews of accomplishments.”

Centers, the panel believes, have several attractive features:

  • they give the sponsors access to the best ideas and people;
  • they give the sponsor a chance to bias the work towards their versions of common problems;
  • there is an opportunity for these centers and programs to leverage a unique collection of resources internal to the DOD, including defensive data and experience from running internal networks.

The centers would be different than DARPAs projects in that the centers “would be expected to make steady progress on a broad set of topics, rather than limit themselves to revolutionary ideas or to try to solve the latest cyber-security crisis.”

Centers would also act as connecting points for the software industry, which would accelerate the translation of new ideas into useful tools for developers. The panel believes that this would correct a long-standing deficiency wherein some very sophisticated approaches to assessing and reasoning about the security of current systems are not available in the form of developer tools, perhaps because there’s insufficient market for the private development of the tools.

A number of representatives from academia, industry and government briefed JASON on the issues, including CRA’s Government Affairs Chair Fred Schneider.

JASON reports often form the basis of action within DOD on S&T matters, and there’s no reason to suggest that the recommendations in this report won’t get consideration. Whether the investment in centers actually happens is, of course, also dependent on the DOD’s budget situation, which is in a bit of flux at the moment until Congress hammers out a final agreement on an FY 11 budget and the Administration releases its plan for FY 12. But it wouldn’t be surprising to see an effort to incorporate the reports recommendations in future DOD budgets.

In any case, the report is well-written and well worth a read.

JASON on “Science of Cyber Security,” Recommends New Centers