The information security profession has long mined biology for metaphors to describe cyber threats. For example, we call certain forms of malware “viruses” or “worms”. If the malware successfully installs, we call the event an “infection” and follow up with a “forensic” investigation. If a malware “strain” changes, we call it a “mutation”.
Some have attempted to develop these casual metaphors into more rigorous frameworks. Academic papers such as “Biological Approach to System Information Security (BASIS)” have been published. Biologists reciprocated by adopting computer science metaphors, especially in the emerging bioinformatics field, which treats DNA “code” like software and models protein interactions like computer networks.
Cyber security is an immature profession, but in recent years we’ve seen an influx of investment and occasional breakthroughs. A fair comparison in biology might be the current state of cancer research. Full understanding of cancer’s underlying mechanisms still eludes us, but nonetheless treatments have gained effectiveness thanks to major R&D investments.
Biologists find cancer in nearly all multicellular organisms on Earth. A 2015 Royal Society paper “Cancer across the tree of life: cooperation and cheating in multicellularity” gives examples of cancer-like tumors in plants, insects, mushrooms, fish, corals, even algae and slime molds. Although they have different cell structures, and evolved on different branches of the tree of life, they all experience cancer. It seems to be an inherent problem in all multicellular lifeforms.
Well-behaved cells abide by five fundamental rules of multicellular life: (a) limited reproduction, (b) programmed cell death, (c) tissue specialization, (d) resource sharing, (e) supporting the surrounding environment.
By contrast, cancer cells exhibit (a) unlimited proliferation, (b) unauthorized lifespan, (c) independent purpose, (d) resource monopolization, and (e) environmental degradation. These tiny rebels choose selfish interests over the greater good. If the rebellion spreads, the result is a tumor. Such antisocial behavior is called “cellular cheating”.
Tension between individual and collective needs is not unique to cell biology. Cancer may be an instance of a common pathology arising in complex cooperative systems. Members of a community, asked to surrender certain personal benefits in order to gain benefits for and from the larger group, may be tempted to “cheat” to improve their personal circumstances. The group tries to detect and extinguish cheating, but a small amount is tolerable. However, when too many neighbors emulate a cheater, then it can spread and destroy the whole community. We recognize this anti-pattern in cancer cells, computer networks, urban planning, economics (e.g., “tragedy of the commons”), fraud (e.g., “Ponzi” schemes), and more generally in all of us slightly sociopathic humans who may cheat at anything from sharing our toys to paying our taxes.
Cancer is therefore a common metaphor for social disorders, including criminal behaviors. Cybercrime can certainly resemble cancer in the ways it arises, mutates, spreads, consumes resources, and harms its hosts.
Cancer seems a better metaphor than viruses for classes of malware that repurpose benign software (e.g., Trojans) or propagate across computer networks by subverting norms of expected behavior (e.g., TCP protocol attacks). Like cancer, denial of service attacks consume resources to the point of depletion and annihilation. Insider attacks resemble cancer when a trusted user places his or her personal gain above the good of the organization.
Can the cancer analogy help us improve cyber defenses? The recent success of immunotherapy suggests a possible strategy. In computer networks, the “immune system” consists of antivirus, firewalls, access controls, etc. As machine learning comes to these controls, they grow smarter about recognizing suspicious behavior with fewer false positives.
More traditional cancer treatments, such as radiation and chemotherapy, are more drastic. The cyber analogy would be wiping and reimaging hard drives to eradicate malware, or black-holing network traffic to prevent malware from spreading. Static code analysis finds software bugs the way gene therapy finds DNA mutations. Network segmentation is a safeguard against “metastasis”.
Such analogies have limits. But so far, the interdisciplinary dialog between biology and computer science has been fruitful. We hope it continues. Cancer research is the recent beneficiary of a federal “moonshot” program that brings coordination and information sharing incentives in addition to dollars. Maybe cyber security needs a moonshot too.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.