Shostack + Friends Blog Archive


Everybody complains about lack of information security research, but nobody does anything about it

For some years, I’ve been following the world of academic and industrial research on information security, especially interdisciplinary research.    There is wide-spread agreement on what needs to be done:

  • A Roadmap for Cybersecurity Research, by DHS
  • National Cyber Security Research and Development Challenges [link to no longer works], by the I3P
  • Toward a Safer and More Secure Cyberspace, National Academies
  • Report to the President on Cyber Security: A Crisis of Prioritization [link to no longer works] , by PITAC
  • Ensuring (and Insuring?) Critical Information Infrastructure Protection [link to no longer works], 2005 Rueschlikon Conference on Information Policy
  • Four Grand Challenges in Trustworthy Computing [link to no longer works] , Computing Research Association Conference, 2003
  • Others

But no one seems to be able to mobilize any signficant research into solutions.   It’s been very frustrating to see so much talk and so little action.   

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government“.  SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)

Part of the problem is the the incentives to focus research on problems and not solutions.  I run into this a lot at academic and other “thought leadership” conferences.  Here’s how it was explained to me: It’s much easier to do a modest-sized research project that shows yet another failure in the economics of security than it is to do the complex, large-scale research that would be necessary to develop both theory and empirical support for solutions. 

The bias toward complaining and against doing research work is even stronger at industry conferences.  I don’t blame any individuals.  Simply put, everyone has a day job that pays them to solve near-term problems and deliver immediate payoffs.   High-risk, fundamental research does not fit that template.

There was one recent attempt to mobilize breakthrough research — the “National Cyber Leap Year Summit” last August, sponsored by NITRD.  As I’ve previously written, that effort was largely a waste of time and money because you can’t brainstorm your way through hard problems like this.

Gene Spafford (a.k.a. “Spaf”) is one person who has thought long and hard about how to effectively mobilize and support interdisciplinary information security research.  In the second half of this blog post, he mentions a white paper [link to no longer works] that he has been circulating in DC for feedback.   The white paper advocates “changing the way we fund some of the research and education in the US in cybersecurity” and makes specific recommendations.  It’s a good read and very thoughtful suggestions.  The second of his two suggestions can be summarized:

I suggest a program similar in nature to the MacArthur “Genius Grants” program: the ISPEG, or Information Security and Privacy Extended Grant. Some agency or agencies would provide ISPEG funding to a small number of researchers in multi-year fashion, to “do good things” in cybersecurity and privacy. The intent would be to fund these individuals without requiring specific proposals or highly structured budgets, and with minimal requirements for deliverables and constraints. The researchers would be encouraged to exercise vision and leadership to the betterment of the country and the field of cybersecurity. If they are carefully selected, this will naturally follow.

A small set of ISPEG awardees [should be] chosen annually. These individuals will be senior academic, tenured faculty, chosen on the basis of past accomplishments specifically in the fields of information security and privacy, and because of a commitment to service and education. [emphasis added]

I think this is a keen idea overall.  Several formal studies of scientific performance have shown that the most productive method for acheiving major research innovations is through senior, experienced researchers who have both freedom and adequate support over an extended period of time.  However, Spaf’s model is aimed at supporting only academic researchers and only those researchers who have been blessed by the academic system (“tenured”).  Yes, they merit this sort of support, but they aren’t the only people who can or should play in the advanced research arena. Therefore I want to propose another idea that could work in parallel with ISPEG.

Proposal: Information Security Pioneers Fellowship Program (ISPFP)

Here’s how it might work. A non-profit organization would administer the program and would be the “home” for a number of individuals (the “Pioneer Fellows”) who would have financial and institutional support for a period of time. In return for this support, they would serve as catalysts, leaders, orchestrators, and even program managers for innovative interdisciplinary research projects, esp. those that involve industry, academic, and government partners. They could also work on projects and activities that enable advanced research or help bring advanced research results to the masses: in education, industry, or government policy. For example, here are some specific project ideas that would be well suited for Pioneer Fellows:

  • Organizing and leading multi-organization proposal teams for advanced interdisciplinary InfoSec research projects (“Broad Agency Announcments” from DARPA, DHS, NSF, NIST, others).
  • Leading the specification and field testing of security metrics, e.g. Center for Internet Security’s consensus metrics , and also pilot implementations.
  • Leading the design and implementation of a statistically robust survey of information security practices, metric results, and costs, to displace the current “Computer Crime and Security Survey” [link to no longer works] (CSI/FBI).  (“Statistically robust” would include random sampling of organization populations, for example.)
  • Design and help implement a “Cyber CDC” for advanced vulnerability and threat research and intelligence.
  • Organize, lead, and/or collaborate in international research projects. 
  • Help integrate economics, organization science, and behavioral science into education, training, and certification programs for security managers and executives.

Being a non-profit (preferably 501c3), they could accept and administer donations from many sources — corporations, foundations, and government. This would open the door to funding from many sources, including organizations that don’t usually provide funding, including VCs, industry associations, privacy advocates, IT vendors and consultants of all stripes, etc.

The fellowship period and applicant qualifications are open to consideration.  Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners.  One thing for sure — we shouldn’t focus this program only on people who have been “officially” annointed by some hierarchy, some certification program, or by credentials alone. 

OK… now for all of you who might be frustrated with lack of action, this message is for you:  THIS IDEA COULD BE IMPLEMENTED IMMEDIATELY!

Sorry to shout, but I want that message to hit you between the eyes.

First, there are several candidates for host institution:

Second, there are a good list of possible projects, not only the list above but also ideas from any of the reports listed at the top of this post. 

Third, there are plenty of good candidates for Pioneer Fellows.  Just look for the people who are already doing pioneer work on their own dime or in their “spare time”.

Fourth, the funding would probably start flowing if the right executives were in the same room at the same time, and someone with sufficient “gravitas” asked for the order.  $35K to $50K per major sponsor is reasonable and comparable to other sponsorship arrangements.  Ten major sponsors would fund 8 to 10 Fellows, assuming they paid full salaries. Once this is all in place, we could probably solicit a “foundational grant” from a major government agency to ramp up recruitment and other administrative parts of the process.

That’s a sketch of the idea.  What do you think?

9 comments on "Everybody complains about lack of information security research, but nobody does anything about it"

  • It is not so much “lack”, but sheer idiocy of a good percentage of such research. In academia, ppl still invent signature-based NIDS (I can dig the references, if ya want to)

  • Rob Lewis says:

    Hi Russell,

    Nice post. Inspired, but tired, because as you say, years of talk and millions of dollars later, what does the security industry have to show for its efforts?

    You say there is widespread agreement about what needs to be done, yet nothing gets done and there are no solutions. Maybe the agreed upon direction is at fault?

    I don’t know if you ever caught my Amazon review of the New School, but I expressed a theory that no amount of effort in the current direction will bring success, and I explained why. The current security model is broken and no number of incremental improvements will fix it. Should we be shucking one more quarter for more sorry efforts?

  • PhilA says:

    Be part of the solution, Russell et al.

    Anyone that can shed light on the new direction and the new models to address the current and foreseeable risk can change our course. Do not give up and share your findings. Many of us are defending the fort and relying on the research to help guide us.

  • Peter King says:

    Great, thought-provoking post. I’m not sure I agree that there’s widespread agreement on what needs to be done.

    Spaf thinks the solution is a bunch of money for people who look like him. Industry is trying to sell kit. Even the good people in academia seem to work on flawlessly incremental stuff. The last time I went to Oakland they were building telescopes to read LCD screens around corners.

    Sorry for the negativity. I really admire what the book and this blog are trying to do. I think forums like this might be the best hope to make progress. Data: yes. Evidence: yes. I wish there was widespread acceptance of those needs, but I’m not sure I see that yet.

  • Russell, a great post as usual, and I am impressed by your breadth of references.

    I don’t think that the conundrums that face IT Security are going to be effectively addressed by freeing up the time of security experts or pioneers. As you say, we need need solutions and the only group who can make meaningful changes are IT solution providers. I would vote for funding people in such organisations to produce better solutions.

    Improving the state of IT Security will require a great deal of co-operation and behavioral changes that experts in the field are not well-suited to lead or execute. By and large I would say that we don’t need any more brilliant ideas, or at least we have enough work getting through those that have been provided over the last 20 years.

    What we do need is better policy and processes execution – use good passwords, don’t lose your unencrypted USB stick, know who access your data and why, follow secure programming principles, don’t follow arbitrary web links, and so on.

    It’s not so much that we need more time from experts, but more time from all the non-experts.

    rgs Luke

  • SteveD says:

    As someone working on their MS thesis in security, I used some of those lists to try and generate topics I could pursue that would help change the state of security. When I started I already had over 10 years in infosec. I went into it hoping to solve a big problem.

    While this may be a little different for doctorates, the Masters Thesis, once reality sinks in, was all about a quick hit of incremental change to just get it done, and possibly publish a high level paper. I believe that’s one of the reasons there are still quite a few papers being produced on NIDS. However, there are some interesting new areas that are borrowing from other disciplines just like data mining in the past: swarm intelligence, biological systems, etc.

    As stated, we have plenty of problems to go solve, its the way research is done that may be the problem. In my day job, which is a forward looking security architect, and my night job which is security research towards a Thesis, I still don’t have true support in solving anything on those lists.

  • Russell says:

    Great comments, all.

    I’m going to reply to some points in more depth in another blog post, but quickly:

    @Anton — sure, I’ll grant you that there’s a lot of research that doesn’t really advance the state of knowledge (“idiocy” as you call it), but I’m more interested spawning a few meaningful, game-changing research initiatives than I am about filtering the full range of research projects to reduce the amount of “idiocy”.

    @Rob — can you be more specific about how you’d define “second curve”? If you look through the references I listed, I think you will find that they *all* point to the need for research that is fundamentally different than current research directions.

    @PhilA — thanks for your support! I’m trying to be part of the solution. Rather like Archimedes, I’m looking for a place to stand so that I can then try to move the world! 🙂

    @Peter — when I said “wide-spread”, I was really thinking about all the recent committees, commissions, brain trusts, etc. who have looked long and hard at why InfoSec research hasn’t been more successful. They all come to similar conclusions, and often repeat each other. This is especially true in interdisciplinary areas like metrics, economics, usability, and policy. But outside of these thought-leader groups, you are right that the broader community doesn’t share the vision or the specifics.

    @Luke — I wouldn’t equate “experts” with “Pioneer Fellows”. It’s not just smart people thinking deep thoughts. As I listed in the post, I think the Fellows would have to be skilled at making things happen across sectors, as well as being leaders and evangelists.

    @SteveD — I hear you, brother! I’ve heard that story dozens of times. Once the trails have been blazed by Pioneers then it will be much easier for individual researchers and students to find attractive, interesting, and also *feasable* projects for theses and dissertations.

  • Rob Lewis says:


    I used that in the most general sense. I suggested to Adam a while ago that he should get a precise definition from Guy Kawasaki; it was his article.

    If one were to use the terms that Kawasaki did as a simple definition, something that worked 10-15 TIMES better rather than 10-15% better, I think that paints a picture of something startling, or ground shaking.

    In infosec, I don’t think that something that is an improvement in vulnerability scanning or automated patching etc, would qualify. Those are incremental improvements. Protecting systems with vulnerabilities that have no patch, or can’t be patched might or without the need to patch, might.

  • Hacking is not a crime says:

    Lack of research isn’t the issue. Lack of people with the right mindset is. No offense to anyone, but IMHO the kind of people who *want* to do “security research” aren’t the kind of people you want in that field. People who *just do* what is essentially security research, are. In other words, the system needs hackers, not professional students. Unfortunately, the system rewards the latter and throws the book at the former.

    Until you put an end to the status quo, the rest of the world (namely China) is happy to move on without you.

Comments are closed.