-Executive Summary-

Cybersecurity is a highly abstracted idea and relies on extensive use of metaphor to convey those ideas in a tangible way. Despite the pervasive use of metaphor in the field, the corpus of computer science literature holds little discussion of the interaction between metaphor and subsequent security design. When thinking of interaction with a computer, one might use metaphor to view the action of rearranging sequences of information as writing a letter or rearranging pieces of paper on a larger board rather than an abstract data process. Similarly, one might imagine an attack on critical infrastructure security systems as physical attack or virus infection.

The physical attack metaphor is often addressed through system designs that are inspired by military architecture, with castles serving as the most dominant metaphor in the cybersecurity field. This metaphor, while apt, only serves to protect against one dimension of threat: intrusion. When designed around a castle metaphor, a computer system becomes vulnerable in similar ways to historic castles. These castles, strong against a frontal assault, are weak against deception or covert entry. Similarly, computer systems may provide formidable barriers to simple attacks that originate from outside a network but are vulnerable to compromise from within. Once the defenses of a computer system are compromised, the metaphor of castle as security design loses both aptness and effectiveness.

In 2009, devastating cyberattacks against Iranian nuclear centrifuges exploited dimensions of vulnerability in a system designed around the castle metaphor of defense. In a surprising paradigm shift, attackers destroyed physical systems by compromising software systems rather than simply compromising the system or exfiltrating data. The attack was unique in two significant ways: the scale of damage caused by the attack far exceeded what one would expect from a single system, and the vector of attack drew from ideas wholly outside the realm of computer science. Such an attack exploited these new ideas and the underlying assumptions about castles—that they could not be taken from external threat—to develop a strategy that bypassed nearly every defense mechanism and run unchecked through an internal network.

A similar idea allowed the strongest of fortresses to be taken by stealth and guile and demonstrated that ideas from a source domain (in this case, castles) are adapted to a target domain (cybersecurity) will carry parts of a solution set but also parts of a problem set that may go undetected if viewed solely through the lens of the source domain metaphor. The weaknesses of the dominant castle metaphor in cybersecurity applications do not require abandoning existing security measures. Instead, those solutions may be augmented by looking to diverse and divergent source domains, wholly outside the realm of computer science. By viewing problems from different metaphorical lenses, computer scientists may look to any number of ideas from immunology or biology and correct flaws that would otherwise remain undiscovered. As one example, metaphors drawn from a study of vertebrate immune systems may ameliorate weaknesses in the defense-in-depth model used for critical infrastructure.

Future research in areas of epidemiology (drawing experience from contact tracing and social distancing to limit the spread of the computer virus), machine learning (comparing and consolidating blacklist and whitelist data sets), and human interface (resolving exploits related to computer systems that inherently trust human input) may mark the beginning of a new and exciting period in computer science. Other ideas in new and emergent fields, from arachnology to zoology, allow for new and exciting opportunities to reinterpret and reimagine the wicked problems of cybersecurity and provide unbounded solution sets that address each dimension of threat posed to a system. All of this is possible with a thoughtful review of how metaphors from emergent fields play a role in augmenting the dominant metaphors in cybersecurity applications.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top