NSA Recognizes SEI and CMU Researchers

October 9, 2018—Researchers from both Carnegie Mellon University (CMU) and the Software Engineering Institute (SEI) have been honored by the National Security Agency (NSA) for papers submitted to the agency's annual Best Scientific Cybersecurity Paper Competition. The NSA conducts this competition to promote the development of scientific foundations for the field of cybersecurity.

This year's winning paper, "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games," was co-authored by CMU's Tiffany Bao and David Brumley in collaboration with researchers from the University of California, Santa Barbara.

The SEI's Jonathan Spring, a senior vulnerability researcher in the CERT Division, also won the notice of the NSA. Spring co-authored the paper "Practicing a Science of Security: A Philosophy of Science Perspective," which examined obstacles to the practice of a science of security. The competition judges cited this work for addressing the philosophical question, "What is a science of security?"

Spring’s research concerns human decision making in computer security incident response, one of the mission threads of the SEI’s CERT Division. Part of his work elucidates the ways in which security practitioners in general, and specifically incident responders, function as scientists in the conduct of their work. Spring plans to further develop this analysis at the SEI and apply his reasoning to specific problems.

In commending the paper, the NSA noted, “The reviewers in the competition appreciate their work in helping to shape and mature the security discipline.” Spring co-authored the paper with Tyler Moore and David Pym while pursuing a Ph.D. at University College London. In recognition of their work, the NSA has invited the authors to discuss their perspectives at the Hot Topics in Science of Security (HoTSoS) meeting in April 2019.

“I was pleasantly surprised that the paper committee mentioned our paper,” said Spring. “Our intended contribution is to refocus the question about cybersecurity research from ‘Is this process scientific?’ to ‘Why is this scientific process producing unsatisfactory results?’ The purpose is to generate more productive answers and get better at moving the practice forward.”

Spring works in the Threat Analysis Directorate of the SEI CERT Division. His current work focuses on evidence and reasoning in security, via logic and philosophy of science, applied to practical problems. Spring joined the SEI in 2009. In 2015 he began work on a doctorate. Spring has also served as an adjunct professor at the University of Pittsburgh and as a researcher for the Internet Corporation for Assigned Names and Numbers (ICANN). Spring holds master’s and bachelor’s degrees from the University of Pittsburgh.