Practicing a Science of Security a Philosophy of Science Perspective
Total Page:16
File Type:pdf, Size:1020Kb
Practicing a Science of Security A Philosophy of Science Perspective Jonathan M. Spring Tyler Moore David Pym University College London The University of Tulsa University College London Gower Street 800 South Tucker Drive London WC1E 6BT London WC1E 6BT Tulsa, OK 74104-9700 Alan Turing Institute [email protected] [email protected] [email protected] ABSTRACT Experiments Structured observations of the empirical are untenable world Our goal is to refocus the question about cybersecurity re- Reproducibility Evaluate by repetition, replication, varia- search from ‘is this process scientific’ to ‘why is this scientific is impossible tion, reproduction, and/or corroboration process producing unsatisfactory results’. We focus on five No laws of common complaints that claim cybersecurity is not or can- Mechanistic explanation of phenomena nature not be scientific. Many of these complaints presume views to make nature intelligible No single associated with the philosophical school known as Logical Em- Specialization necessitates translation ontology piricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathe- ‘Just’ Both science and engineering are neces- matical modeling methods, provides constructive resources engineering sary to mitigate all purported challenges to a science of security. Table 1: Five common complaints raised by the science of cy- Therefore, we argue the community currently practices a bersecurity community and positive reframing from the phi- science of cybersecurity. A philosophy of science perspective losophy of science literature. suggests the following form of practice: structured observa- tion to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within Its proponents claim a science of security is needed for ongo- their own expertise, inter-translating where necessary. A ing progress. Per the historian of science Dear, scientific is natural question to pursue in future work is how collecting, used here as “a very prestigious label that we apply to those evaluating, and analyzing evidence for such explanations is bodies of knowledge reckoned to be most solidly grounded in different in security than other sciences. evidence, critical experimentation and observation, and rig- orous reasoning” [20, p. 1]. We take our definition of security KEYWORDS from RFC 4949: “measures taken to protect a system” [81]; of course see the RFC for the meaning of measure, protect, security research; science of security; cybersecurity; history and system. As a starting point, then, we consider a science of science; philosophy of science; ethics of security of security to be the label we should apply to the most solidly ACM Reference format: grounded bodies of knowledge about measures one can take Jonathan M. Spring, Tyler Moore, and David Pym. 2017. Prac- to protect a system. ticing a Science of Security. In Proceedings of New Security The following items have resonated as serious obstacles to Paradigms Workshop, Santa Cruz, California, USA, Oct 1–4, the practice of a science of security: 2017 (NSPW ’17), 19 pages. DOI: 10.475/xxx_x • Experiments are impossible in practice, because they are unethical or too risky; • Reproducibility is impossible; 1 INTRODUCTION • There are no laws of nature in security; There has been a prominent call to improve the research and • Information security will not be a science until we all practice of information security by making it more ‘scientific’. agree on a common language or ontology of terms; • Computer science is ‘just engineering’ and not science Permission to make digital or hard copies of all or part of this work at all: questions of science of security are misplaced. for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage We will argue that a philosophy of science perspective and that copies bear this notice and the full citation on the first page. shows these obstacles are either misguided or can be over- Copyrights for components of this work owned by others than ACM come. The purported obstacles are frequently not genuine must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, challenges because they rely on outdated conceptions of sci- requires prior specific permission and/or a fee. Request permissions ence, which yields a simplistic idea of evaluating evidence for from [email protected]. claims (falsification) and a naïve reductionism to universal NSPW ’17, Santa Cruz, California, USA © 2017 ACM. 978-1-4503-6384-6. laws that supposedly underpin all scientific endeavors. Al- DOI: 10.475/xxx_x ternatively, modern philosophy of science tends to describe, NSPW ’17, Oct 1–4, 2017, Santa Cruz, California, USA Jonathan M. Spring, Tyler Moore, and David Pym if applied adequately to security, what good security practi- sense of deductive proof) that the sun will rise tomorrow tioners already do. Security is, as practiced, already a kind based on the observations. of science. Table 1 summarizes our positive perspective on Consistent with logical empiricism, Carnap proposed a executing a science of security. method for verification by working on atomic elements of Section 2 provides a brief background on the logical em- logical sentences, and expanding observational sentences out piricist movement within philosophy of science. Section 3 based on rules from atomic observations [15]. The goal of examines prior statements to detail the obstacles to practic- empiricism is to be grounded in observations. The goal of ing a science of security. Section 4 explains how philosophy of verification is to integrate those observations into a framework science informs the scientific process already taking place in of general knowledge, in the form of statements in first- cybersecurity research, and Section 5 suggests some construc- order logic, that can justify predictions. Carnap thus links tive steps forward for improving the reliability and growth induction and deduction, bypassing Hume’s complaint. of general, sharable knowledge in security. Yet it became clear that verification might not always be achievable. It is against this backdrop that Popper proposed 2 PHILOSOPHY OF SCIENCE PRIMER the more limited objective of falsification [74], which claims Philosophy of science we cannot verify logical statements at all. Instead, Popper is a field that has developed as a dis- 3 course on top of science: a second-order reflection upon the asserts that the best we can do is hope to falsify them. first-order operation of the sciences [89]. For three centuries, Even the more limited goal of falsification was shown to the scholars we now recognize as scientists were called ‘natural be untenable with Kuhn’s challenge to Popper in 1962 [54]. philosophers’, and there was no separate group of philoso- Kuhn refutes the premise that scientists operate on logical phers of science. In inter-war Vienna, a group of thinkers who statements. Rather, he argues that key examples, literally identified as ‘the Vienna Circle’ came to challenge both the ‘paradigms’, are scientists’ operative cognitive model. Later prevailing metaphysics and political Romanticism (i.e., the work in philosophy of science has refined the shape of these mechanistic Church and European facism).1 This movement emphasized cognitive models —- one prominent method is as explanations themes of observation of the world, trust in science, high (see, e.g., [37]) — and improved understanding value on math and logic, and modernism. A key movement of how data are processed to provide evidence for phenomena of the Circle has come to be called logical empiricism, for its (see, e.g., [7]). reliance on logical rules based on empirical observations.2 Even ignoring Kuhn’s socio-scientific critique, falsification We briefly introduce two of the main tenets of logical is about mapping observations into logic. Popper is silent on empiricism: (i) empiricism and verification and (ii) unity or designing reliable observations and choosing what logic or reduction of scientific fields [15]. These tenets coalesced in the conceptual framework in which we should reason. These two 1930s, were refined through the 50s, and by 1970 had suffered problems are more important, and would provide more ac- ample critiques to be changed beyond recognition. This tionable advice, than whether something is falsifiable. More historical trajectory makes it intellectually dangerous to rely useful than falsification are modern discussions of investiga- upon logical empiricist arguments or concepts uncritically. tive heuristics for scientists [4], models of when a conclusion Yet, Section 3 finds much logical-empiricist work uncritically from observations is warranted [69], and accounts of causa- assimilated in current statements on science of cybersecurity. tion that make use of intervention and statistics rather than logical implication [96]. Empiricism and verification. Statements testable by obser- Reduction of science to first principles. The other tenet vation were considered to be the only “cognitively meaningful” of logical empiricism often unwittingly inherited by debates statements [89]. Although logic and mathematics are the in science of security regards the unity of science or the re- most reliable forms of reasoning, logical empiricists did not duction of science to single first