Opinion: What cybersecurity can learn from citizen science

In an era where citizen science projects such as StarDust@Home are becoming more common and more effective, cybersecurity researchers can leverage this movement to get better insight into the threat landscape.

Security

It used to be that identifying, analyzing, and cataloging the natural world was considered the bailiwick of professional experts and academics, as it was deemed too complex – or perhaps too dusty and obscure – to be done by amateurs.

But as anyone who has observed an online forum thread dissecting the minutiae of geek culture can attest, hobbyists can be remarkably thorough in their exploration of topics they are passionate about. And it is often a point of pride to pick the subject that is the least conventional or popular.

The idea of citizen science is to include amateur science enthusiasts in the collection and processing of data. Thanks to the Internet, we’ve seen a surge in the number of self-taught experts in a variety of subjects. New participation platforms are social and gamified – utilizing people’s desire to compete or collaborate with others who share their passion.

How this process plays out differs from one app to the next, according to their needs: StarDust@Home asks volunteers to help sort through samples captured by the Stardust spacecraft when it flew through the coma of comet Wild 2 in 2004. They do this by viewing movies of the contents of the aerogel tiles that were used as collectors.

The security community is ripe for using the citizen science in similar ways to these. Most antimalware vendors make use of customer samples for adding detection and cleaning to their products. Many security companies use customers’ reports to gather file reputation, telemetry and prevalence data. And bug reports come from researchers of all ages and education levels – not just professional security researchers. “Month of Bug” events are a more controversial way that security is gamified. Could security companies or organizations be doing more to engage enthusiasts to help improve our response to security issues?

It could be argued that the stuff of security research – especially malware research – is potentially harmful in the hands of amateurs and should be handled only by seasoned professionals. Not only that, security is an adversarial system where the criminals would likely try to game the system to improve their profits. These are important concerns that would need to be addressed.

But the citizen science approach provides good lessons. Having a platform that is moderated by experts would be essential to confirm the user’s results and vet for clueful, benignly motivated users. Groups of users – or at least their computers – could band together to tackle particularly complex problems such as ransomware encryption.

The idea isn't to give every goofball or Internet troll the ability to add data to your database. That's a great way to put your whole project at risk. The solution to ensuring that only people who are genuinely interested participate is a concept that computer security folks are very familiar with: “Trust but verify.”

Regular users are allowed to perform analysis of samples and add reports; good reports and results increase a user’s rank. In the end, however, an expert makes the final confirmation.

For instance, FoldIt is an incredibly extensible puzzle game that allows players to fold virtual proteins: sort of a 3D Tetris crossed with a Lego Mindstorms kit. Those substances envisioned by players are then presented to scientists to use in their own research in a variety of fields, including medicine and biofuel. Users of iNaturalist submit photos tagged with geolocations and observations for plants, animals and fungi. Users can request or offer identification of submissions, learn about the wildlife at various locations, and connect with others who share their interests, while researchers get the benefit of improved census data.

These citizen science projects show that many hands can make light work of what researchers from a variety of disciplines might consider the more arduous aspects of their job. Hobbyists often enjoy the chance to bond or compete with others who share their interests, and we could use this fact to help put a dent in the never-ending wall of security research that needs to be done.

Lysa Myers began her security career in malware research in the days before the Melissa virus outbreak in 1999. Because keeping up with all that change can be difficult, as a security researcher at ESET, she aims to provide practical analysis of security trends and events for companies and consumers alike. Follow her@LysaMyers.