In Cyber Security research, academia is struggling to keep up

Introduction

Cyber security is one of the fastest moving areas, where new vulnerabilities are found and acted upon within hours. For academia, the traditional timescale for picking up on things and then moving forward is often measured in the time it takes to get a paper published, disseminated, and then picked up by the community. It is often this agreement within a community that moves an area forward, and it can be measured in the time between conferences, where one presenter outlines a new method and a year later many researchers are talking about it. Thus the timescales involved are often months, if not years.

Fast moving pace

Generally, academic research in Cyber Security, especially outside the US, is struggling to keep up with the latest issues. One of the key reasons for this, apart from the long delays involved, is that there is extensive funding from industry into probing and discovering new vulnerabilities, and in developing new and innovative security solutions. Academia is thus struggling to keep pace with industry and the demands of fast responses.

The race to find new compromises and make the headlines is often key to developing a strong reputation in the industry (while many of the existing players are working under NDAs with their customers, so cannot publish the things they find). With OpenSSL, the Finnish security firm Codenomicon discovered the flaw around the same time as it was found by Google, and even registered a vulnerability ID and a domain name before they released the information on it. They knew that there was a strong business model in gaining a reputation as leaders in the area. With Heartbleed, the issue was mainly over by the time that academia could get itself into gear, which is strange for the scientific community, where in many research areas a problem is found, and it can take years for academia to test out new methods of addressing the problem and present new ideas (with all their associated evaluation).

Another example of a strong business model for Cyber security research relates to CyberVor, the Russia-based Cyber gang who had stolen over 1.2 billion usernames and passwords, and millions of associated email addresses. The company who discovered the operation, Hold Security, has since said it will charge $120 (£71) a month for a “breach notification service”. This must make the service one of the most profitable ever created, as the gathering of data across the Internet involves minimal costs. Although there is a cost in maintaining the software and agents that gather the data, the toolkits for gathering the information are fairly well developed, so it becomes an integration exercise, with support for clients to add the details that their company is interested in. Hold Security then sit back, monitor the Internet, and pick off any data which pinpoints the company.

Again, with the Boleto fraud in Brazil, it was a company (RSA) that announced a large-scale fraud against Boleto Bancário (or simply Boleto, as it is known), which could be the largest electronic theft in history ($3.75bn). Overall, the fraud involved nearly 200,000 infected IP addresses whose machines carried the infection.

Access to Data

One of the major barriers for academia is access to real data, and the ethics involved in dealing with it. Many companies have direct access to data feeds coming in from other companies, and can aggregate these to analyse trends and pinpoint issues. They can then feed these to their R&D teams to work on new ways to address the problems. In this way companies are generating new IP, which they keep and sell on within their services. For academia, this is a new world, where it does not have the privilege of accessing the same data as everyone else, and it is industry which is making the massive leaps within Cyber Security.

The problems caused by possible ethics issues were highlighted by the recent suspected compromise of the Tor network. Here, academic researchers identified an underlying flaw in Tor’s network design, which led the Tor Project to warn that an attack on the anonymity network could have revealed user identities. This message was in response to the work of two researchers from Carnegie Mellon University (Alexander Volynkin and Michael McCord) who exploited the infrastructure. At present SEI has a Defense Department contract until June 2015, worth over $110 million a year, with a special target on finding security vulnerabilities.

Overall the attacks ran from January 2014, and were finally detected and stopped on 4 July 2014. In response to the vulnerability being found, the Tor team, in a similar way to the OpenSSL Heartbleed announcement, were informed that the researchers were to give a talk at the Black Hat hacker conference in Las Vegas. The sensitivities around the area are highlighted by the fact that the talk was cancelled, as neither the university nor SEI (Software Engineering Institute) approved it. The Tor Project, through Roger Dingledine’s blog entry on 4 July 2014, revealed that identities could have been revealed over the period of the research.

But Academia looks at long term issues…

There is always an argument that academia should look at the longer term issues. Unfortunately, in the current landscape, it is the ability to look at the new things evolving on a short-term basis that counts, and the longer term things often disappear as new cracks appear. I am reminded of one journal that stopped accepting cryptography papers, as these papers, while novel in their approach, had very little to contribute to the existing methods, and there was very little chance of the methods ever being used in systems. While they were interesting to a closed community, they did little to push forward the barriers of science. Unfortunately too, academia is often measured on its citation count, and not necessarily on its ability to address key fundamental areas within cyber security. At present, few people can actually see beyond the current vulnerability, and many are struggling to see the three to five year horizon for research, let alone the ten year vision. The cards, though, are very much with industry just now, as they have access to real-life systems, and can see the new methods that intruders can use to break systems.

And in the UK …

In the UK there have been moves to match up security agencies, such as through GCHQ and the NCA, but perhaps it is the linkages to industry that need to be developed further, as industry often has access to data and will see lower-level threats. At present, there are some forums for academia and industry to come together and discuss issues, but these need to happen more frequently, so that industry and academia keep each other synchronised on the key focal points and on how research work might be focused. Issues around sharing data are, though, a major barrier in Cyber security, and one that is not easily fixed. Threats to industry and within high-risk businesses such as health care, energy and finance are key areas that require close collaboration between industry and academia, especially in creating new information architectures that can scale but are also inherently secure.

As has been seen in the US, the tension between funders and academic research may become an issue, so it is important that academia understands the commitments it makes to funders in Cyber security research, and makes sure that ethics approval and permissions are granted at the right time, as dissemination and the related impact of work is a key assessor of academic excellence. The current model of assessment will struggle to fit, as sensitive work within Cyber security is often closed to publication in peer-reviewed conferences, especially where the core data and methods must be reviewed.

Conclusions

Cyber security is one of the fastest moving industries ever created, and often issues are exposed and acted upon within days or hours, so academia needs to try to keep up with, and work with, industry, as issues can appear and disappear in the blink of an eye without any input from academia. The strongest bonds that we have just now are our links to our collaborators, and these allow us to keep up to date both in our teaching and our research. Academia, in Cyber research, needs to listen more to industry, and learn about the problems that need to be solved. I appreciate that this does happen in academia, but in Cyber Security it is a fundamental thing, and needs to be a continual dialogue.
