Friday, June 21, 2013

The Critical Need for Liberal Arts in Security

"As we strive to create a more civil public discourse, a more adaptable and creative workforce, and a more secure nation, the humanities and social sciences are at the heart of the matter, the keeper of the republic - a source of national memory and civic vigor, cultural understanding and communication, individual fulfillment and the ideals we hold in common."

Security professionals often state that security is an art, not a science. This field demands a certain degree of finesse, elegance, imagination, creativity, and a find-grained understanding of technology. We characterize the act of securing assets and information as finding the right balance between people, process, and technology, the security triumvirate. Yet, look at any job posting in security over the past 15 years (about the duration of time that I've worked in the field), and you find this:

Education: Degree in Computer Science, Mathematics, or any comparable field.

As a cognitive psychologist by education with an emphasis on media arts and sciences from my time studying at the MIT Media Lab, I'm what many would consider a nontraditional security professional. I came to the field by way of usability engineering (how we perceive technology) and business intelligence (what technology tells us about our behaviors), eventually moving into security domains of architecture, executive management, and social engineering. While it all makes complete sense when I tell the full story, I continue to get questioned about my success in this field despite not really fitting into the "comparable field" metric.

Oh, you went to MIT…that explains it.

A statement that I've heard my entire career, it is like people are trying to develop some dissonant reasoning for why I was able to break into the field without getting the right degree. What most people don't appreciate is that MIT has long recognized that a vigorous liberal arts education is critical for developing the best scientists and engineers. To graduate, undergraduates must take just about one liberal arts course each term, several of which must include a rigorous research project and lengthy final paper. Because of those requirements, it's common for a MIT graduate to have a liberal arts minor in fields such as literature, music, philosophy, management, and media.

Sure, a strong background in technology is critical and MIT certainly forces all students to have an expert-level foundation to succeed, but there's more to it. While I've worked with many computer scientists and systems engineers, some of the best people I've worked with have nontraditional degrees from other institutions in writing, philosophy, even physical education. Why is that?

Many of the "comparable field" folks that I've worked with are strong adherents to structure and logic. They've developed processes over the years that work best for them, approaches to problems that yield optimal results, understanding of the finer details of technology and code that allow them to achieve miraculous results. But, for all of their analytical strengths, they tend to be rigid when it comes to change. Any new variable is generally associated with past conditions to emphasize its similarities to what is already known at the expense of how its different.

From a security perspective, research into attack graphs illustrates the prior points. For example, a doctoral computer science thesis entitled "Scenario Graphs and Attack Graphs" by Oleg Sheyner at Carnegie Melon University gives a very strong analysis of how security researchers can use their knowledge of an environment to determine all of the paths that a hacker may use to attack targets in that environment. Despite its relevance, I doubt the practicality of the research because it takes a very academic "know everything" approach that is the antithesis of how an attacker targets an environment.

You see, hackers are, by their nature, anti-structural agents. To deconstruct an environment, a hacker uses his knowledge as a tool but leverages his imagination as the means. He doesn't examine all of the vulnerabilities that the environment may contain and select one to target. Rather, he examines how the environment functions and identifies plausible ways to use those functions to his benefit. Our research efforts would be more effective if, instead of trying to identify everything wrong with the environment, we aimed more to understand how the environment looks functionally to someone on the outside, the environment's attack surface, and then focusing our efforts on defending at those discrete points that present the highest potential for damage. 

"Three out of four employers want schools to place more emphasis on the skills that the humanities and social sciences teach: critical thinking and complex problem-solving, as well as written and oral communications."
- The Heart of the Matter; American Academy of Arts and Sciences

Innovation is driven by disruptive change, not incremental steps. We tend to think that we live in an innovative age, but you may be surprised by how little real innovation there has been. Take a critical look at our computer systems, networking capabilities, and physical infrastructure, and you'll recognize that the only thing that has really changed in the past since their inception has been speed and quality of service, not function. Computers have gotten faster and more powerful, but are still based on the exact same technology invented around 50 years ago. We're able to pass extreme amounts of data over the Internet, but still do so using protocols designed roughly 40 years ago. Power distribution has become more consistent, but is still carried using the same grids laid out in the early 20th century. Why? I would argue in part that our over-emphasis on STEM education and the logical comfort on making incremental improvement on what already exists has stymied our threshold for the disruption needed to truly innovate.

Contemporary security takes advantage of our logical underpinnings and our disheartening collective decrease in critical thinking skills. "Comparable field" folks, critical assets in the fight, are nonetheless ineffective tools simply because they focus on the pursuit of improving every fault and their perception of relative infallibility when it comes to their efforts. In my experience, they are the folks that struggle most with flexibility and adaptability to change, looking first for some predefined structure that will provide the foundation for their work or defining some rule to explain why technological change is unnecessary. When hackers succeed, traditional security pros will throw up their hands and blame the hackers, blame the users, blame management, all to deflect the most rational target for the blame, that the relatively ancient foundations of the technology are weak and are failing.

We are capable of winning the war despite the long string of lost battles. But, doing so will require that we change our approach and begin to think more critically, creatively, and disruptively like our adversaries. Look again at the security triumvirate, and you may notice that STEM only applies to one of the three points: technology. Continuing to focus on STEM at the expense of humanities will only serve to sacrifice the other two points, our understanding of people and process, and along with it our innovative edge and our ability to defend against our adversaries. The American Academy of Arts & Sciences is now calling for that trend to change. It's up to us to answer the call.