Gene Spafford gave an impassioned plea at an NSF meeting a few years ago about getting beyond the “security pageant”. I think it’s gotten worse since then — it’s a full-blown security circus. Research whose aim is to make systems more secure is less and less frequent. More and more we’re seeing attack-oriented work that is about demonstrating security vulnerabilities. Why is this? Well, attacks are easy to validate, unlike defenses. And they get publicity easily because the general public finds it interesting.
But is this really useful? In principle, the attack-oriented research should be providing the impetus to solve the real security problems.But we already know (or should know) that systems are poorly built from the security perspective. Attack-oriented work has become an end in itself, taking up air time from research that is trying to make things better. And researchers respond to the incentives — they’re doing more attack work themselves. They still write funding proposals that talk about defense, but the actual work somehow includes a lot more offensive work.
I fear the security community is succumbing to the “drunk under the streetlamp” phenomenon. We all know the truly meaningful research is on defense, but it’s not under the streetlamp — attack-oriented research is. So that’s where the community is focusing its attention.
How to fix this? I’m not sure, but this might be a case where we need to set quotas for security conferences programs. Comparing attack papers and defense papers is really apples-and-oranges. I think that a conference like Oakland should ideally take ~3 attack papers per year — just the very best of the bunch. And certainly not more than 25%. As someone who opposes top-down controls in almost all situations, this is hard for me to say. But something needs to be done.