Modern field guide to security and privacy

Opinion: What cybersecurity can learn from citizen science

In an era where citizen science projects such as StarDust@Home are becoming more common and more effective, cybersecurity researchers can leverage this movement to get better insight into the threat landscape.

|
Dr. Zoran Popovic / University of Washington
Dr. Zoran Popovic (l.) developed the citizen science project FoldIt, which used students playing a game to do biologic research.

It used to be that identifying, analyzing, and cataloging the natural world was considered the bailiwick of professional experts and academics, as it was deemed too complex – or perhaps too dusty and obscure – to be done by amateurs.

But as anyone who has observed an online forum thread dissecting the minutiae of geek culture can attest, hobbyists can be remarkably thorough in their exploration of topics they are passionate about. And it is often a point of pride to pick the subject that is the least conventional or popular.

The idea of citizen science is to include amateur science enthusiasts in the collection and processing of data. Thanks to the Internet, we’ve seen a surge in the number of self-taught experts in a variety of subjects. New participation platforms are social and gamified – utilizing people’s desire to compete or collaborate with others who share their passion.

How this process plays out differs from one app to the next, according to their needs: StarDust@Home asks volunteers to help sort through samples captured by the Stardust spacecraft when it flew through the coma of comet Wild 2 in 2004. They do this by viewing movies of the contents of the aerogel tiles that were used as collectors.

The security community is ripe for using the citizen science in similar ways to these. Most antimalware vendors make use of customer samples for adding detection and cleaning to their products. Many security companies use customers’ reports to gather file reputation, telemetry and prevalence data. And bug reports come from researchers of all ages and education levels – not just professional security researchers. “Month of Bug” events are a more controversial way that security is gamified. Could security companies or organizations be doing more to engage enthusiasts to help improve our response to security issues?

It could be argued that the stuff of security research – especially malware research – is potentially harmful in the hands of amateurs and should be handled only by seasoned professionals. Not only that, security is an adversarial system where the criminals would likely try to game the system to improve their profits. These are important concerns that would need to be addressed.

But the citizen science approach provides good lessons. Having a platform that is moderated by experts would be essential to confirm the user’s results and vet for clueful, benignly motivated users. Groups of users – or at least their computers – could band together to tackle particularly complex problems such as ransomware encryption.

The idea isn't to give every goofball or Internet troll the ability to add data to your database. That's a great way to put your whole project at risk. The solution to ensuring that only people who are genuinely interested participate is a concept that computer security folks are very familiar with: “Trust but verify.”

Regular users are allowed to perform analysis of samples and add reports; good reports and results increase a user’s rank. In the end, however, an expert makes the final confirmation.

For instance, FoldIt is an incredibly extensible puzzle game that allows players to fold virtual proteins: sort of a 3D Tetris crossed with a Lego Mindstorms kit. Those substances envisioned by players are then presented to scientists to use in their own research in a variety of fields, including medicine and biofuel. Users of iNaturalist submit photos tagged with geolocations and observations for plants, animals and fungi. Users can request or offer identification of submissions, learn about the wildlife at various locations, and connect with others who share their interests, while researchers get the benefit of improved census data.

These citizen science projects show that many hands can make light work of what researchers from a variety of disciplines might consider the more arduous aspects of their job. Hobbyists often enjoy the chance to bond or compete with others who share their interests, and we could use this fact to help put a dent in the never-ending wall of security research that needs to be done.

Lysa Myers began her security career in malware research in the days before the Melissa virus outbreak in 1999. Because keeping up with all that change can be difficult, as a security researcher at ESET, she aims to provide practical analysis of security trends and events for companies and consumers alike. Follow her@LysaMyers.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Opinion: What cybersecurity can learn from citizen science
Read this article in
https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0605/Opinion-What-cybersecurity-can-learn-from-citizen-science
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe