Science of Security

                                                     Science of Security

The National Security Agency (NSA) sponsors the Science of Security (SoS) Initiative for the promotion of a foundational cybersecurity science that is needed to mature the cybersecurity discipline and to underpin advances in cyberdefense. 

The SoS initiative works in several ways:

  1. Engage the academic community for foundational research
  2. Promote rigorous scientific principles
  3. Grow the SoS community

The Science of Security initiative together with academia, industry, and other government partners is making a strong effort to create a research community dedicated to building security science. We are seeking to discover formal underpinnings for the design of trusted systems which include contributions from the disciplines of computer science, mathematics, behavioral science, economics and physics. Our work addresses both the establishment of pieces of security science as well as how security science is created.

What is security science? 

The creation of a security science is seen as an evolving long-term research endeavor. It is not assumed that a holistic body of knowledge that scientifically addresses all aspects of security: economics, behavioral science, computer science, physics, etc. will be successful. There is not one assured path that will create security science. It will require building both the theory of how to create science and specific artifacts of security science work. The infancy of this work will be directed at "experiments" seeking to explore methods to create possible pieces that enable this science, as well as creating a large collaborating community leveraging the cutting edge research to push new bounds in security.

Some of the NSA’s efforts in the area of security science are:

  • Research Lablets - Stimulates basic research to create scientific underpinnings for security; advocates for scientific rigor in security research; creates and broadens a Science of Security community and culture in the IC; identifies "hard problems" in security that require science as a community focus and measurement of progress.
    • Currently there are six funded research lablets; Carnegie Mellon University, International Computer Science Institute, North Carolina State University, University of Illinois at Urbana-Champaign, University of Kansas, and Vanderbilt University.
  • Best Scientific Cybersecurity Paper Competition – Offers a yearly award that highlights papers which display scientific rigor in the multidisciplined area of security research.
    • This year's winners of the 7th Annual Best Scientific Cybersecurity Paper Competition was Evaluating Fuzz Testing by George Klees, Andrew Ruef, Benji Cooper, Shiyi Wei, and Michael Hicks.
    • The 7th Competition selected two papers for an honorable mention award. The first paper, Continuous Formal Verification of Amazon s2n by Andrew Chudnov, Nathan Collins, et al. The second paper ro receive an honorable mention was Meltdown: Reading Kernel Memory from User Space by Moritz Lipp, Michael Schwarz, et al.
  • International Intel Science and Engineering Fair Award (ISEF) – Science of Security first sponsored an award at the Intel International Science and Engineering Fair (Intel ISEF) in 2015. The award was created to encourage high school students to pursue scientific research in cybersecurity and related fields. The award is open to high school students who compete in the ISEF finals. Students from all over the world, usually 70-80 countries are represented in the finals. In 2017,  a new award was added to recognize outstanding mathematics contributions.
    • The 2019 ISEF Science of Security First Place Award Winner was Suha Hussain. Our Second Place SoS Award Winners were Alice Guo, Divya Amirtharaj and Gabrielle Liu and the honorable mention awards went to Michael Brockman, Adam Kelly, and Advay Koranne.
    • If you are looking to do a science fair project in cybersecurity, visit the SOS VO page on how to get started.
  • Science of Security Virtual Organization - Provides a focal point for security science related work, and a collaborative environment the community can use to further advance security science.

SoS "Hard problems":

The Principal Investigators (PIs) of the Science of Security Lablets in collaboration with NSA Research, developed the "Five Hard Problems" as a measure to establish the beginnings of a common language and guage progress. These five hard problems were selected for their level of technical challenge, their potential operational significance, and their likelihood of benefiting from emphasis on scientific research methods and improved measurement capabilities. These hard problems are not intended to be all inclusive of everything that needs to be done in cybersecurity but rather five specific areas that need scientific progress.

  1. Scalability and Composability - Challenge: Develop methods to enable the construction of secure systems with known security properties from components with known security properties, without a requirement to fully re-analyze the constituent components.
  2. Policy-Governed Secure Collaboration - Challenge: Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.
  3. Security-Metrics-Driven Evaluation, Design, Development, and Deployment - Challenge: Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
  4. Resilient Architectures - Challenge: Develop means to design and analyze system architectures that deliver required service in the face of compromised components.
  5. Understanding and Accounting for Human Behavior - Challenge: Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties.

More information about these initiatives can be found on the Science of Security Website.