Communications of the ACM
Security
Cybersecurity as Illuminator for the Future of Computing Research
Credit: Carlos Castilla
Today, forces as disparate as the ever-increasing centrality of computing to modern society, the intellectual and technical maturing of the discipline itself, changing expectations about the impact of research results, and evolving conceptions of effective researcher career paths drive us to reflect on how the field and profession of computing research should grow and change in response.
In this column, we suggest that the role of cybersecurity in real-world systems, and the costs of its absence, are making the effects of these forces visible to the cybersecurity research community both particularly clearly and particularly early. Hence, lessons being learned by cybersecurity researchers today can help illuminate the path toward evolution of the larger computing research enterprise tomorrow. To explore this idea, we outline several motivating forces we see at play and some lessons cybersecurity researchers are drawing from them. We then turn to the field more broadly, and propose a series of questions worth asking and exploring in that context.
We start by suggesting that failing to fully consider these forces in the context of much past cybersecurity research, development, and deployment has produced disastrous consequences for society. Security continues to be a nonintegrated consideration in the design and operation of many computing systems, addressed narrowly rather than holistically. Equally, security is still viewed by much of the computing research community in a narrow technical context, leading to results poorly aligned with motivating real-world needs. Human factors are poorly understood and insufficiently considered.
The result of these limitations is well known—insecure computational structures with dramatic real-world consequences appear almost routine. Recent examples include Stuxnet, Log4j, SolarWinds, Colonial Pipeline, Hospital targeted ransomware, APT41, Russian Cozy Bear, and many more. Not only do these failings affect our day-to-day lives, but they also have serious impacts on global geopolitical dynamics.
Given this troubling litany, it is reasonable to ask a simple question: Why? And another: What, if anything, can we do about it?
Obviously, research limitations are not the only factor contributing to real-world failures in the security and privacy domain. But to the extent that research can help fix the problem, we argue that a key reason current cyber-security research has not been more effective is that the fundamental nature of the required research has changed.
The Challenge
Today's real-world cybersecurity challenge, and thus today's most compelling cybersecurity research, is increasingly defined by forces and trends that separate it from the simpler circumstances of the field's founding era. The forces contributing to this new stage of the cybersecurity research life cycle are many and complex, but four defining axes can be identified. These are:
- Emergence of computing as a fundamental underpinning of modern society, and thus the scope and breadth of the cybersecurity challenge.
- Intellectual maturing of the discipline itself.
- Increasing requirement to connect to and integrate with peer disciplines.
- Complexity and sophistication of research responsive to these forces, with corresponding challenges to research structure, organization, and environment.
In a nutshell, the field of cybersecurity research is growing up. No longer is it the empirical, early-stage discipline of 50 or even 20 years ago, aiming to address relatively straight-forward problems in limited and clearly defined circumstances. Yet it is also not, and may never be, the fully mature, highly structured, stylized, and regulated domain of a traditional engineering profession such as civil or mechanical engineering. It is, instead, a field in transition—facing new responsibilities and the challenge of integrating itself effectively into the larger nontechnical world, in a fashion it is unfamiliar with and has not needed to do until now.
To the credit of cybersecurity researchers and the cybersecurity research community, this challenge is increasingly recognized and accepted. As examples, cybersecurity research is frequently framed in a multidisciplinary context with usability experts, sociologists, economists, and others similarly related. Where possible and appropriate, rigor and formal methods are applied in favor of empirical evaluations. Testbeds and similar research infrastructures increasingly focus on effective real-world modeling rather than synthesizing artificial experiments. Each of these, along its own axis, is evidence of a maturing discipline—an effective response to the forces we described here.
Security is still viewed by much of the computing research community in a narrow technical context, leading to results poorly aligned with motivating real-world needs.
But cybersecurity is by no means unique in facing the challenges of maturity. These same forces are relevant to many other aspects of modern computing research—robust and reliable systems, usability and accessibility, bias and discrimination, and perhaps most importantly, the increasingly visible interplay between technologies such as ubiquitous social networking and the stability of society itself. In each of these domains, the interplay between increasing sophistication of the technology and the increasing level of societal dependence on it creates the forces we describe.
For this reason, the goal of creating understandings, conditions, tools, methods, structures, and research culture needed to carry out computing research that effectively responds to these larger forces reaches well beyond the cybersecurity domain. And, because the cybersecurity community is quickly gaining experience with this challenge, we can learn lessons from cybersecurity research today to help shape the evolution of computing research writ large tomorrow.
Hence, what we seek is a two-part next step—to extend these lessons from the cybersecurity community to other aspects of computing research, while further strengthening and systematizing our community's response to its own evolving circumstances.
The Response
We outline a response to these observations framed as a series of questions. Our objective is to snapshot a moment in time in the process of the cybersecurity research field's development, capture and clarify the fundamental forces driving the process, and explore strategies and approaches available to our research community as it shapes both its own and society's future.
We begin by stating two lessons learned that we believe our community largely agrees on.
- Too often, today's security and privacy research is narrowly focused on a few specific areas of investigation. Too often we allow ourselves—or are forced—to focus narrowly in service of granular research objectives (graduating students, publishing, obtaining tenure, shipping a new product on deadline). This is both because such research is easier to organize and carry out than a more integrated approach would be, and because current incentive structures—publication, novelty, immediate implementability, and individual visibility as a principal virtue—demand it.
- Cybersecurity is not solely an engineering discipline. It requires deep involvement from those who understand non-technical motivations, forces, and incentives—economists, sociologists, anthropologists, and other similar disciplines—to create the holistic perspectives that can anticipate and guide effective real-world strategies. This reality creates an environment that is rich for collaborations, partnerships, and new forms of commercial and academic working relationships—yet at the same time is deeply challenging due to fundamental differences in research culture, methodology, and approach. This is not a new point. But it is essential to realize both how difficult it is to do and how central it is to success.
In this light, we ask how these lessons can be carried forward into the broader computing research enterprise. Our key observation is the ultimate driver behind our lessons in the cybersecurity domain is the maturation process previously described in "The Challenge." For this reason, we suggest the cybersecurity community's experience with these and similar lessons applies equally well to other aspects of computing research that are undergoing this same maturation process.
To leverage this observation we enumerate a set of topic areas fundamentally affected by the maturation process, and consider within each area some concrete questions that can help to guide, shape, and systematize a research environment responsive to this quickly changing landscape.
The Questions
We consider four broad areas, and outline several specific questions within each area as exemplars.
Area 1: Strategies for Identifying and Emphasizing Emerging Technical Directions. In this area, we ask:
- How should we as a community identify enabling technical directions early and encourage researchers to pay attention? Can we do this more effectively in the future? What new community structures, tools, collaborations, and activities might support this?
- How should the computing research community better balance "new exploratory research" and "systematization of knowledge," creating incentives and motivations to do both?
- Can we identify specific technical directions that serve as exemplars or motivators? Are there developing research areas around integrating computing research into larger societal concerns and other technical disciplines? Systematizing knowledge and making it more accessible?
Area 2: Recruiting Talent and Fostering Research Careers. In this area, we ask:
- How does the changing landscape of "computing research" as a field affect the recruiting landscape? The nature of desirable educational background and preparation? Substantively meaningful efforts to broaden participation?
- In this light, what steps might different elements within our community take to strengthen interest in research careers? Can we better address negative cultural perceptions, and strengthen positives, about research as a career? About computing research in particular?
- What new and emerging strategies for K–12 and undergraduate learning would lead to stronger interest and capability in research fundamentals? How might our community best support and evangelize these strategies across the broad educational landscape?
Area 3: New Models for Research. In this area, we ask:
- Could our community better leverage existing research in the dynamics of collaborative, interdisciplinary, cross-sector, and loosely coupled communities of practice to guide and deepen our use of these structural models? Does computing research pose its own unique research questions in this regard, and if so can we draw attention to these questions as their own subject of study?
- Pragmatically, how might the computing research community make cross-cutting, collaborative, and multidisciplinary research efforts more effective and easier to carry out?
- Can we identify specific levers that could be utilized to explore and validate new research models? Similarly, can we identify specific impediments that could be removed?
Area 4: Revisiting Research Funding Models. In this area we ask:
- Are changes to current models of research funding needed to catalyze advance in the three areas above?
- What can we learn from alternative research funding models globally?
- What is the role of policy-driven approaches, cross-community private funding, and new forms of industry-academic partnerships?
The Call
These questions are, of course, not new. Many have been considered thoughtfully for years. What is different now is the dramatic and increasingly apparent change in the relationship between computing, computing research, and the larger society in which these things reside. Drawing from experience in the cybersecurity research community and examining emerging trends in the evolution of our field, we see new merit and new power in connecting the many conversations already under way into a unified, unifying, and visionary whole. We hope to create a conversation that is interesting, informative, and valuable to:
- Established computing research professionals with strong interests and/or viewpoints about the evolution of their chosen field.
- Younger computing researchers interested in their own place and career path within our rapidly changing profession.
- Research colleagues, whose interests focus on areas and disciplines where advanced computing, data science, artificial intelligence, and related capabilities represent an existing or emerging enabler for their own research area.
- Industry technologists and policymakers interested in shaping the future relationship between computing research and the many consumers of our field's research results.
- Research policy professionals and those concerned with the advancement of future computing research in a larger societal or economic context.
- Science and technology communicators and others interested in the emergence of new computing research paradigms.
This column is one step among many we are exploring to advance this discussion. We are actively seeking opportunities for you to shape the conversation, contribute your views directly, and engage with others that both share your specific interests and bring differing perspectives. We invite you to join us!
The Digital Library is published by the Association for Computing Machinery. Copyright © 2022 ACM, Inc.
No entries found