Just like leaders in every other field you can imagine, academics have been hard at work studying information security. Most fields aren’t as replete with hackers as information security, though, and their contributions are felt much more strongly in the private sector than in academia.
The differing motives and professional cultures of the two groups act as barriers to direct collaboration, noted Anita Nikolich in her “Hacking Academia” presentation at the Cypher Con hacking conference recently held in Milwaukee. Nikolich recently finished her term as the program director for cybersecurity at the National Science Foundation’s Division of Advanced Cyberinfrastructure.
For starters, academics and hackers have very distinct incentives.
“The topics of interest tend to be the same — the incentives are very different,” Nikolich said.
“In the academic community, it’s all about getting tenure, and you do that by getting published in a subset of serious journals and speaking at a subset of what they call ‘top conferences,'” she explained. “For the hacker world … it could be to make the world a better place, to fix things, [or] it could be to just break things for fun.”
These differences in motivations lead to differences in perception — particularly in that the hacker community’s more mischievous air discourages academics from associating with them.
“There is still quite a bit of perception that if you bring on a hacker you’re not going to be able to put boundaries on their activity, and it will harm your reputation as an academic.” Nikolich said.
The perception problem is something other academics also have observed.
The work of hackers holds promise in bolstering that of academics, noted Massimo DiPierro, a professor at DePaul College of Computing and Digital Media.
Hackers’ findings are edifying even as things stand, he contended, but working side-by-side with one has the potential to damage an academic’s career.
“I think referencing their research is not a problem. I’ve not seen it done much [but] I don’t see that as a problem,” DiPierro said. “Some kind of collaboration with a company is definitely valuable. Having it with a hacker — well, hackers can provide information so we do want that, but we don’t want that person to be labeled as a ‘hacker.'”
Far from not working actively with hackers, many academics don’t even want to be seen with hackers — even at events such as CypherCon, where Nikolich gave her presentation.
“It’s all a matter of reputation. Academics — 90 percent of them have told me they don’t want to be seen at hacker cons,” she said.
While both researchers agreed that their colleagues would gain from incorporating hackers’ discoveries into their own work, they diverged when diagnosing the source of the gulf between the two camps and, to a degree, even on the extent of the rift.
Academic papers have been infamously difficult to get access to, and that is still the case, Nikolich observed.
“Hackers, I found, will definitely read and mine through the academic literature — if they can access it,” she said.
However, it has become easier for hackers to avail themselves of the fruits of academic study, according to DiPierro.
“A specific paper may be behind a paywall, but the results of certain research will be known,” he said.
On the other hand, academia moves too slowly and too conservatively to keep up with the private sector, DiPierro maintained, and with the hackers whose curiosity reinforces it. This limited approach is due in part to the tendency of university researchers to look at protocols in isolation, rather than look at how they are put into practice.
“I think most people who do research do it based on reading documentation, protocol validation, [and] looking for problems in the protocol more than the actual implementation of the protocol,” he said.
That’s not to say that DiPierro took issue with academia’s model entirely — quite the contrary. One of its strengths is that the results of university studies are disseminated to the public to further advance the field, he pointed out.
Still, there’s no reason academics can’t continue to serve the public interest while broadening the scope of their research to encompass the practical realities of security, in DiPierro’s view.
“I think, in general, industry should learn [public-mindedness] from academia, and academia should learn some of the methodologies of industry, which includes hackers,” DiPierro said. “They should learn to take a little bit more risks and look at more real-life problems.”
Academics could stand to be more adventurous, Nikolich said, but the constant pursuit of tenure is a restraining force.
“I think on the academic side, many of them are very curious, but what they can learn — and some of them have this — is to take a risk,” she suggested. “With the funding agencies and the model that there is now, they are not willing to take risks and try things that might show failure.”
While Nicolich and DiPierro might disagree on the root cause of the breakdown between hackers and academic researchers, their approaches to addressing it are closely aligned. One solution is to allow anyone conducting security research to dig deeper into the systems under evaluation.
For Nikolich, that means not only empowering academia to actively test vulnerabilities, but to compensate hackers enough for them to devote themselves to full-time research.
“Academics should be able to do offensive research,” she said. “I think that hackers should have financial incentive, they should be able to get grants — whether it’s from industry, from the private sector, from government — to do their thing.”
In DiPierro’s view, it means freeing researchers, primarily hackers, from the threat of financial or legal consequences for seeking out vulnerabilities for disclosure.
“I would say, first of all, if anything is accessible, it should be accessible,” he said. “If you find something and you think that what you find should not have been accessible, [that] it was a mistake to make it accessible, you [should] have to report it. But the concept of probing for availability of certain information should be legal, because I think it’s a service.”