Why "Following the Science" in Cybersecurity Is Misguided
Why “Following the Science” in Cybersecurity Is Misguided
The phrase “follow the science” has become a rallying cry in modern discussions, often used to invoke the authority of experts and dismiss alternative perspectives. While this approach may work in structured fields like medicine or physics, its application to cybersecurity is fundamentally flawed. Unlike static disciplines grounded in controlled experiments, cybersecurity thrives on adaptability, practical experience, and real-world problem-solving. This article explores why relying solely on “following the science” in cybersecurity often misses the mark and highlights the importance of embracing diverse paths to innovation.
The Ever-Evolving Nature of Cyber Threats
Cybersecurity operates in a domain where adversaries constantly adapt, exploit vulnerabilities, and outpace defensive measures. Take IP spoofing, first detailed in Phrack1. This tactic showcased how attackers could impersonate trusted systems by falsifying IP addresses. The technique quickly evolved as countermeasures emerged, rendering traditional academic timelines inadequate. Peer-reviewed studies often take years to publish, while new threats emerge in days. By the time academia validates a solution, the attack vector may already be obsolete.
Practical examples abound. Aleph One’s seminal work “Smashing The Stack For Fun And Profit” in Phrack2 provided a groundbreaking explanation of buffer overflows. This wasn’t the product of academic rigor but of hands-on experimentation and real-world insight. Such works, later adopted by academia, highlight the necessity of creativity, intuition, and immediacy—qualities that structured scientific methods struggle to cultivate.
Pragmatism in Cybersecurity Practices
The best cybersecurity practices often arise from lessons learned during real-world breaches and insights shared informally among practitioners. Consider “Pass the Hash” attacks: first documented by Paul Ashton in 19973, this method exploited NTLM authentication protocols without needing plaintext passwords. Later, Hernan Ochoa expanded the concept, creating tools that automated and refined the attack. These innovations forced organizations to rethink their security models and demonstrated how field-driven discoveries often outpace academic solutions.
Industry-led innovations also illustrate this dynamic. Frameworks like MITRE ATT&CK, a catalog of adversary tactics, emerged from the collective knowledge of analysts confronting real threats. Similarly, Check Point Software Technologies, a pioneer in firewalls, was born from Gil Shwed’s practical initiative, not academic research. These examples underline how immediate needs drive impactful solutions in cybersecurity.
The Role (and Limits) of Academia
Academia plays a foundational role in areas like cryptography, where rigorous principles underpin advancements. RSA encryption and the Digital Signature Algorithm (DSA), for instance, stem from academic research. However, their real-world application from SSL/TLS deployments by Netscape to Bitcoin’s use of SHA-256—relied on practitioners addressing practical challenges like scalability and evolving threats.
Interestingly, academia has also drawn on industry-led innovations. For example, the early development of intrusion detection systems (IDS) by companies like Haystack Labs provided the groundwork for academic research into anomaly detection and behavioral analysis. Similarly, private-sector advancements in machine learning for malware detection have influenced numerous academic studies that formalized and expanded upon these methods.
The gap between academia and industry often hinders progress. Researchers lack access to live data due to legal constraints, limiting actionable insights. Meanwhile, practitioners innovate rapidly to address pressing challenges. For instance, Google’s Project Zero proactively uncovers vulnerabilities before attackers exploit them4, exemplifying how industry drives real-world security improvements.
Lessons from Other Disciplines
In other fields, such as medicine, practitioners often adapt on the fly when immediate solutions are needed. During the COVID-19 pandemic, doctors employed untested treatments like convalescent plasma therapy based on preliminary evidence. Similarly, cybersecurity professionals rely on frameworks like the NIST Cybersecurity Framework and battle-tested playbooks to counteract ransomware attacks. These scenarios highlight the importance of intuition, experience, and adaptability in high-stakes situations.
Moving Beyond “Follow the Science”
The mantra “follow the science” often veers into dogma, elevating select expert opinions while stifling alternative ideas. Humanity’s greatest advancements frequently arise outside structured scientific systems. The Wright brothers’ first flight and the development of modern firewalls exemplify breakthroughs driven by necessity and ingenuity rather than academic rigor.
Positive examples of balanced approaches abound. The Cyber Threat Alliance (CTA) facilitates real-time threat intelligence sharing among industry leaders. Collaborative efforts between private firms and government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) address critical vulnerabilities. Such initiatives underscore how diverse paths to innovation—from practitioner-led research to interdisciplinary collaboration—enhance cybersecurity.
Final Thoughts: A Pragmatic Path Forward
Cybersecurity is a battlefield, not a laboratory. The phrase “follow the science”, often wielded with almost religious fervor, oversimplifies complex realities. Real progress comes from embracing a diversity of approaches—intuition, practical problem-solving, and theoretical insights alike. By valuing real-world application over academic idealism, we can better secure the systems that underpin our modern lives. Let’s move beyond empty slogans and foster a culture that values ingenuity and adaptability in the face of ever-changing threats.
Footnotes
-
Phrack (Issue 48, “IP Spoofing Demystified”, available at https://phrack.org/issues/48/14) [Accessed: 19.12.2024]. ↩
-
Phrack (Issue 49, “Smashing The Stack For Fun And Profit”, available at https://phrack.org/issues/49/14) [Accessed: 19.12.2024]. ↩
-
Archived vulners article of Bugtraq available at https://vulners.com/exploitpack/EXPLOITPACK:6627273D3BFEC2A58E0A43C7D7DE2B75 [Accessed: 19.12.2024]. ↩
-
Google Project Zero, available at https://googleprojectzero.blogspot.com [Accessed: 19.12.2024]. ↩