The Grendel Report: Embrace the Complexity of Cyber Defense

http://doublethoughtweb.com/harvard-business/embrace-the-complexity-of-cyber-defense/

201317

Stephanie Forrest, Steven Hofmeyr, and Benjamin Edwards

Embrace the Complexity of Cyber Defense

Traditionally, cyber security research has focused on technical solutions to specific threats: for example, how to filter spam or protect PCs and mobile devices against the latest malware. This approach has greatly enhanced our ability to defend information systems against attack. Widespread use of antivirus, intrusion detection technologies, improved cryptography algorithms, and methods for blacklisting infected web sites are just a few examples of how technical advances have improved cyber defense.

Such technical improvements will not be sufficient, however. Today's cyber-issues involve systemic social, economic, organizational, and political components. Ordinary people have little incentive to secure their home computers using available technology; Internet censorship and surveillance is intertwined with questions of free speech and privacy; and concern over Chinese cyber-espionage is now a high-priority diplomatic issue. The mismatch between speed-of-light electronic communications and the time required for human institutions to respond to data privacy concerns is large and growing. These types of cyber-issues must be addressed not only with technological solutions, but also on the social, political, and policy levels.

This task is more challenging than it sounds. Most computation today occurs on the Internet, one of the most complex human artifacts ever devised. Developing appropriate solutions requires understanding networks comprised of multitudes of heterogeneous layered subnetworks managed by organizations around the world, each with their own policies and incentives.

We can tackle this problem using tools from the growing field of Complexity Science.

Complexity science seeks to find the universal principles and mathematics underlying and unifying a wide variety of complex systems, including the Internet, biological systems, ecologies, markets, and economic systems, political systems, and societies. Such systems consist of many independent and self-interested agents (biological cells, firms, nations, computers, and people), each adapting their behaviors in response to their environments and other actors in the system. Global patterns and trends emerge from these low-level interactions that cannot be predicted by a study of the individual components in isolation.

Malicious elements are ubiquitous in complex systems. Just as there are cyber security threats in the Internet, there are viruses, parasites, and bacteria in biology; bullies in social networks; and rogue nations in the international community. Studying the general principles that complex systems use to manage such threats can suggest techniques for tackling the problem of cyber security.

In particular, biological systems have evolved to cope with a multitude of threats such as proliferating pathogens, autoimmunity, arms races, deception, and mimicry. One design strategy that helps biological systems achieve robustness to these threats is diversity — genetic diversity in a species, species diversity in an ecosystem, and molecular diversity in an immune system. Its opposite, uniformity in design, allows us to achieve economies of scale but also leaves us vulnerable to widespread and targeted attacks that exploit homogenous infrastructures.

Cyber infrastructure today resembles biological monocultures, and recent market trends towards vertical integration (Apple), cloud storage (Google), and computing (Amazon's Compute Cloud) will worsen the situation.

Diversity is just one of many strategies that biological systems have adopted to protect themselves and continue functioning in the face of attack. Complexity Science can help us understand how malicious agents affect the growth and functioning of complex systems and suggest how to influence them to mitigate damage.

Complex systems are often regarded as a group of abstract nodes linked together to form a network. The study of these networks, called network science, has successfully identified tipping points in disease epidemics and cascading failures in power grids. In the case of the Internet, network science can provide important guidelines for policymakers — for example, by determining that security interventions by the 20 largest Internet Service Providers (ISPs) in the world will be considerably more effective than relying on interventions by thousands of ISPs chosen at random.

Although network science enables us to understand important common properties of complex systems, it is too abstract to capture the unique factors influencing the dynamics of specific systems. For that we rely on other approaches, such as agent-based modeling (ABM), which allows us to incorporate domain-specific knowledge into a computer model. With ABM we can explore the consequences of allowing each abstract node in the network to adapt or learn, reacting to local conditions. ABM differs from the traditional modeling used in science, such as the mathematical models in climate science, which are based on physics where the primitive elements are not adaptive. ABM is well-suited for modeling systems where economic self-interest and politics intersect with technology, such as in the Internet. In fact, we have shown that when self-interested agents are included in a model of the Internet, policies that seem to be effective in the short-term actually exacerbate the cyber security problem in the long-term. This effect is similar to the overuse of antibiotics promoting antibiotic resistance in bacteria.

Agent-based modeling is particularly useful for studying complex systems that exhibit "long-tail" behavior, where there is huge variability in outcomes. In such systems, real-world experiments with limited sample sizes are often misleading and can misdirect policymakers. Using ABM we can study a large number of simulated scenarios, giving a clearer picture of which cyber security policies will work best in the long run, even with highly variable outcomes.

Game Theory is useful for understanding strategic interactions when parties have competing interests. It is relevant to the Internet, where we see an ongoing arms race between attackers and defenders, between those trying to spread information and those trying to censor it, and so forth. Game Theory can help us understand how better to defend the system, or conversely, how better to evade it. Important concepts such as the "Price of Anarchy" measure how the efficiency of a system degrades through selfish behavior (cyber attacks) and how much cooperation might help. Game Theory is also useful for studying how cooperation can evolve among independent parties, which can guide the choice of policies to encourage desirable behavior. Complex systems rarely eliminate malicious threats permanently. Rather, they develop strategies for managing and coexisting with them in a way that minimizes damage to the overall system.

The best approach to cyber security will emphasize defenses that are robust to unforeseen perturbations, evolvable in response to changing conditions, and self-repairing in the face of damage. By embracing the complexity of today's technological networks and their linkages to human behavior, social norms, and economic incentives, we can make our online world safer and freer.

Data Under Siege
An HBR Insight Center Why Businesses Should Share Intelligence About Cyber Attacks Why Your CEO Is a Security Risk Beware Trading Privacy for Convenience Four Things the Private Sector Must Demand on Cyber Security

Full Story at Stephanie Forrest, Steven Hofmeyr, and Benjamin Edwards