Practicing a Science of Security A Philosophy of Science Perspective Jonathan M. Spring Tyler Moore David Pym University College London The University of Tulsa University College London Gower Street 800 South Tucker Drive London WC1E 6BT London WC1E 6BT Tulsa, OK 74104-9700 Alan Turing Institute [email protected] [email protected] [email protected] ABSTRACT Experiments Structured observations of the empirical are untenable world Our goal is to refocus the question about cybersecurity research Reproducibility Evaluate by repetition, replication, variation, from ‘is this process scientic’ to ‘why is this scientic process pro- is impossible reproduction, and/or corroboration ducing unsatisfactory results’. We focus on ve common complaints that claim cybersecurity is not or cannot be scientic. Many of No laws of Mechanistic explanation of phenomena to these complaints presume views associated with the philosophical nature make nature intelligible school known as Logical Empiricism that more recent scholarship No single Specialization necessitates translation has largely modied or rejected. Modern philosophy of science, ontology supported by mathematical modeling methods, provides construc- ‘Just’ Both science and engineering are necessary tive resources to mitigate all purported challenges to a science of engineering security. Therefore, we argue the community currently practices Table 1: Five common complaints raised by the science of a science of cybersecurity. A philosophy of science perspective cybersecurity community and positive reframing from the suggests the following form of practice: structured observation to philosophy of science literature. seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized elds (including engineering and forensics) constraining explanations within their own expertise, inter- translating where necessary. A natural question to pursue in future protect, and system. As a starting point, then, we consider a sci- work is how collecting, evaluating, and analyzing evidence for such ence of security to be the label we should apply to the most solidly explanations is dierent in security than other sciences. grounded bodies of knowledge about measures one can take to KEYWORDS protect a system. The following items have resonated as serious obstacles to the security research; science of security; cybersecurity; history of practice of a science of security: science; philosophy of science; ethics of security • Experiments are impossible in practice, because they are ACM Reference format: unethical or too risky; Jonathan M. Spring, Tyler Moore, and David Pym. 2017. Practicing a Science • of Security. In Proceedings of 2017 New Security Paradigms Workshop, Santa Reproducibility is impossible; Cruz, CA, USA, October 1–4, 2017 (NSPW 2017), 18 pages. • There are no laws of nature in security; DOI: 10.1145/3171533.3171540 • Information security will not be a science until we all agree on a common language or ontology of terms; • 1 INTRODUCTION Computer science is ‘just engineering’ and not science at all: questions of science of security are misplaced. There has been a prominent call to improve the research and prac- tice of information security by making it more ‘scientic’. Its propo- We will argue that a philosophy of science perspective shows nents claim a science of security is needed for ongoing progress. Per these obstacles are either misguided or can be overcome. The pur- the historian of science Dear, scientic is used here as “a very pres- ported obstacles are frequently not genuine challenges because they tigious label that we apply to those bodies of knowledge reckoned rely on outdated conceptions of science, which yields a simplistic to be most solidly grounded in evidence, critical experimentation idea of evaluating evidence for claims (falsication) and a naïve and observation, and rigorous reasoning” [20, p. 1]. We take our reductionism to universal laws that supposedly underpin all scien- denition of security from RFC 4949: “measures taken to protect tic endeavors. Alternatively, modern philosophy of science tends a system” [81]; of course see the RFC for the meaning of measure, to describe, if applied adequately to security, what good security practitioners already do. Security is, as practiced, already a kind of Permission to make digital or hard copies of part or all of this work for personal or science. Table 1 summarizes our positive perspective on executing classroom use is granted without fee provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and the full citation a science of security. on the rst page. Copyrights for third-party components of this work must be honored. Section 2 provides a brief background on the logical empiricist For all other uses, contact the owner/author(s). movement within philosophy of science. Section 3 examines prior NSPW 2017, Santa Cruz, CA, USA © 2017 Copyright held by the owner/author(s). 978-1-4503-6384-6/17/10. statements to detail the obstacles to practicing a science of security. DOI: 10.1145/3171533.3171540 Section 4 explains how philosophy of science informs the scientic NSPW 2017, October 1–4, 2017, Santa Cruz, CA, USA Jonathan M. Spring, Tyler Moore, and David Pym process already taking place in cybersecurity research, and Sec- logical statements at all. Instead, Popper asserts that the best we tion 5 suggests some constructive steps forward for improving the can do is hope to falsify them.3 reliability and growth of general, sharable knowledge in security. Even the more limited goal of falsication was shown to be untenable with Kuhn’s challenge to Popper in 1962 [54]. Kuhn 2 PHILOSOPHY OF SCIENCE PRIMER refutes the premise that scientists operate on logical statements. Philosophy of science is a eld that has developed as a discourse Rather, he argues that key examples, literally ‘paradigms’, are sci- on top of science: a second-order reection upon the rst-order entists’ operative cognitive model. Later work in philosophy of operation of the sciences [89]. For three centuries, the scholars science has rened the shape of these cognitive models —- one we now recognize as scientists were called ‘natural philosophers’, prominent method is as mechanistic explanations (see, e.g., [37]) — and there was no separate group of philosophers of science. In and improved understanding of how data are processed to provide inter-war Vienna, a group of thinkers who identied as ‘the Vienna evidence for phenomena (see, e.g., [7]). Circle’ came to challenge both the prevailing metaphysics and Even ignoring Kuhn’s socio-scientic critique, falsication is political Romanticism (i.e., the Church and European facism).1 This about mapping observations into logic. Popper is silent on design- movement emphasized themes of observation of the world, trust ing reliable observations and choosing what logic or conceptual in science, high value on math and logic, and modernism. A key framework in which we should reason. These two problems are movement of the Circle has come to be called logical empiricism, more important, and would provide more actionable advice, than for its reliance on logical rules based on empirical observations.2 whether something is falsiable. More useful than falsication are We briey introduce two of the main tenets of logical empiri- modern discussions of investigative heuristics for scientists [4], cism: (i) empiricism and verication and (ii) unity or reduction models of when a conclusion from observations is warranted [69], of scientic elds [15]. These tenets coalesced in the 1930s, were and accounts of causation that make use of intervention and statis- rened through the 50s, and by 1970 had suered ample critiques to tics rather than logical implication [96]. be changed beyond recognition. This historical trajectory makes it Reduction of science to rst principles. The other tenet of logical intellectually dangerous to rely upon logical empiricist arguments empiricism often unwittingly inherited by debates in science of or concepts uncritically. Yet, Section 3 nds much logical-empiricist security regards the unity of science or the reduction of science work uncritically assimilated in current statements on science of to single rst principles. There are two senses of unity here that cybersecurity. are not often properly distinguished: methodological unity and Empiricism and verication. Statements testable by observation unity of content by reduction to a single set of models. A unity were considered to be the only “cognitively meaningful” state- of methods would mean that, although individual sciences have ments [89]. Although logic and mathematics are the most reliable distinctive approaches, there is some unifying rational observation forms of reasoning, logical empiricists did not take them to rely and evaluation of evidence among all sciences. This view was de- on observation but instead accepted them as true by denition, emphasized within logical empiricism. With confusing terminology, following Russell and early Wittgenstein. Therefore, according to modern arguments often return to this idea under mosaic unity the logical empiricist view, the key scientic challenges are how or pluralism: the sciences are about widely dierent subjects, but to verify a statement is in fact about the world, and how to mean- there are important shared social and methodological outlooks that ingfully integrate observations into logic and mathematics. Such unify