Credit: Carlos Castilla
Today, forces as disparate as the ever-increasing centrality of computing to modern society, the intellectual and technical maturing of the discipline itself, changing expectations about the impact of research results, and evolving conceptions of effective researcher career paths drive us to reflect on how the field and profession of computing research should grow and change in response.
In this column, we suggest that the role of cybersecurity in real-world systems, and the costs of its absence, are making the effects of these forces visible to the cybersecurity research community both particularly clearly and particularly early. Hence, lessons being learned by cybersecurity researchers today can help illuminate the path toward evolution of the larger computing research enterprise tomorrow. To explore this idea, we outline several motivating forces we see at play and some lessons cybersecurity researchers are drawing from them. We then turn to the field more broadly, and propose a series of questions worth asking and exploring in that context.
We start by suggesting that failing to fully consider these forces in the context of much past cybersecurity research, development, and deployment has produced disastrous consequences for society. Security continues to be a nonintegrated consideration in the design and operation of many computing systems, addressed narrowly rather than holistically. Equally, security is still viewed by much of the computing research community in a narrow technical context, leading to results poorly aligned with motivating real-world needs. Human factors are poorly understood and insufficiently considered.
The result of these limitations is well known—insecure computational structures with dramatic real-world consequences appear almost routine. Recent examples include Stuxnet, Log4j, SolarWinds, Colonial Pipeline, hospital-targeted ransomware, APT41, Russian Cozy Bear, and many more. Not only do these failings affect our day-to-day lives, but they also have serious impacts on global geopolitical dynamics.
Given this troubling litany, it is reasonable to ask a simple question: Why? And another: What, if anything, can we do about it?
Obviously, research limitations are not the only factor contributing to real-world failures in the security and privacy domain. But to the extent that research can help fix the problem, we argue that a key reason current cybersecurity research has not been more effective is that the fundamental nature of the required research has changed.
Today's real-world cybersecurity challenge, and thus today's most compelling cybersecurity research, is increasingly defined by forces and trends that separate it from the simpler circumstances of the field's founding era. The forces contributing to this new stage of the cybersecurity research life cycle are many and complex, but four defining axes can be identified. These are:
In a nutshell, the field of cybersecurity research is growing up. No longer is it the empirical, early-stage discipline of 50 or even 20 years ago, aiming to address relatively straightforward problems in limited and clearly defined circumstances. Yet it is also not, and may never be, the fully mature, highly structured, stylized, and regulated domain of a traditional engineering profession such as civil or mechanical engineering. It is, instead, a field in transition—facing new responsibilities and the challenge of integrating itself effectively into the larger nontechnical world, in a fashion it is unfamiliar with and has not needed to do until now.
To the credit of cybersecurity researchers and the cybersecurity research community, this challenge is increasingly recognized and accepted. As examples, cybersecurity research is frequently framed in a multidisciplinary context with usability experts, sociologists, economists, and others similarly related. Where possible and appropriate, rigor and formal methods are applied in favor of empirical evaluations. Testbeds and similar research infrastructures increasingly focus on effective real-world modeling rather than synthesizing artificial experiments. Each of these, along its own axis, is evidence of a maturing discipline—an effective response to the forces we described here.
But cybersecurity is by no means unique in facing the challenges of maturity. These same forces are relevant to many other aspects of modern computing research—robust and reliable systems, usability and accessibility, bias and discrimination, and perhaps most importantly, the increasingly visible interplay between technologies such as ubiquitous social networking and the stability of society itself. In each of these domains, the interplay between increasing sophistication of the technology and the increasing level of societal dependence on it creates the forces we describe.
For this reason, the goal of creating understandings, conditions, tools, methods, structures, and research culture needed to carry out computing research that effectively responds to these larger forces reaches well beyond the cybersecurity domain. And, because the cybersecurity community is quickly gaining experience with this challenge, we can learn lessons from cybersecurity research today to help shape the evolution of computing research writ large tomorrow.
Hence, what we seek is a two-part next step—to extend these lessons from the cybersecurity community to other aspects of computing research, while further strengthening and systematizing our community's response to its own evolving circumstances.
We outline a response to these observations framed as a series of questions. Our objective is to snapshot a moment in time in the process of the cybersecurity research field's development, capture and clarify the fundamental forces driving the process, and explore strategies and approaches available to our research community as it shapes both its own and society's future.
We begin by stating two lessons learned that we believe our community largely agrees on.
In this light, we ask how these lessons can be carried forward into the broader computing research enterprise. Our key observation is that the ultimate driver behind our lessons in the cybersecurity domain is the maturation process previously described in "The Challenge." For this reason, we suggest the cybersecurity community's experience with these and similar lessons applies equally well to other aspects of computing research that are undergoing this same maturation process.
To leverage this observation we enumerate a set of topic areas fundamentally affected by the maturation process, and consider within each area some concrete questions that can help to guide, shape, and systematize a research environment responsive to this quickly changing landscape.
We consider four broad areas, and outline several specific questions within each area as exemplars.
Area 1: Strategies for Identifying and Emphasizing Emerging Technical Directions. In this area, we ask:
Area 2: Recruiting Talent and Fostering Research Careers. In this area, we ask:
Area 3: New Models for Research. In this area, we ask:
Area 4: Revisiting Research Funding Models. In this area we ask:
These questions are, of course, not new. Many have been considered thoughtfully for years. What is different now is the dramatic and increasingly apparent change in the relationship between computing, computing research, and the larger society in which these things reside. Drawing from experience in the cybersecurity research community and examining emerging trends in the evolution of our field, we see new merit and new power in connecting the many conversations already under way into a unified, unifying, and visionary whole. We hope to create a conversation that is interesting, informative, and valuable to:
This column is one step among many we are exploring to advance this discussion. We are actively seeking opportunities for you to shape the conversation, contribute your views directly, and engage with others that both share your specific interests and bring differing perspectives. We invite you to join us!
The Digital Library is published by the Association for Computing Machinery. Copyright © 2022 ACM, Inc.