Tuesday, May 18, 2010

Why Apply Evolutionary Biology to Information Security?

Very few security professionals will agree that the situation within information security is globally improving.  There may be local pockets in which an organization is able to hold/maintain a strong security posture.  Problems discovered over a decade ago (e.g. Buffer Overflows, Cross Site Scripting, etc.) still persist, and are consistently rated as being some of the most dangerous programming flaws (see the OWASP Top 10 and the CWE/SANS Top 25).  The state of cybersecurity is severe enough that some professionals are seeking solutions for financial institutions which assume that the clients that they are conducting business transactions with are compromised.  Given that some estimates find that well over 90% of the systems on the Internet are not fully patched, and a significant percentage of the systems on the Internet are compromised with at least one form of malware, this is a reasonable approach.

Events like these can be considered to be signs that efforts in the area information security are failing.  There can be many reasons that an entity fails in a game; one possible reason is that the rules of the game are not understood.  If the rules of the game are not understood, it can be difficult at best to consistently play a game well, especially if the rules are stacked against you.  Lately there have been a number of organizations looking to implement "game changing" strategies.  Again, changing the rules requires that the rules are understood.

Most fields of science have one or more major theories which are used to explain observable phenomenon and provide a basis for testing and interacting with the world.  Physics has the Theory of General Relativity and the Standard Model, Chemistry has the Periodic Table and Quantum Mechanics, and Biology has Genetics and Evolution.  Despite being drawn from several scientific fields of study such as Mathematics, Linguistics, and Solid State Physics, with the more recent introduction of Psychology and Economics, information security lacks a framework to provide predictive and testable hypothesizes.

Some institutions have recognized that simply teaching computer science provides an approach that is too narrow of a focus for their curriculum, and have reorganized their departments to apply a more broad-based and interdisciplinary approach to their studies and moved into the field of Informatics.  Bioinformatics and Security Informatics being some specific examples of the resulting reorganization.  There are already attempts to apply the concepts of biology to information security, as there are attempts to build automated immune systems, predicting computer virus outbreaks with models similar to those that are used for their biological analogies, and programs are being implemented with evolutionary algorithms to facilitate machine learning.

The hypothesis that is being presented is that information security is an evolutionary system, similar to what is occurring naturally and can be modeled and explained by the field of evolutionary biology.  Specifically some of the situations that are occurring in the field can be understood as an evolutionary arms race (e.g. malware).  Evolutionary Biology has existed for 150 years and been able to provide an understanding of one of the most complicated natural systems in existence; life.  Some of the frameworks within evolutionary biology can be directly applied, while others may need to be modified or even replaced, and others may even prove to not apply.  Applying evolutionary biology could provide a richer understanding of the rules in which the game is being played.  Once the rules are understood, it should be possible to understand where and how the rules can be modified to change the game in a meaningful and substantive way.