NECSI logo

Principles of Security: Human, Cyber and Biological
New England Complex Systems Institute
238 Main Street Suite 319, Cambridge, MA 02142
Phone: 617-547-4100 Fax: 617-661-7711

Cite as Blake Stacey and Yaneer Bar-Yam, Principles of Security: Human, Cyber and Biological Report to the Chief of Naval Operations Strategic Studies Group, arXiv in press, (June 1, 2008 / public February 28, 2013).


Cybersecurity attacks are a major and increasing burden to economic and social systems globally. Here we analyze the principles of security in different domains and demonstrate an architectural flaw in current cybersecurity. Cybersecurity is inherently weak because it is missing the ability to defend the overall system instead of individual computers. The current architecture enables all nodes in the computer network to communicate transparently with one another, so security would require protecting every computer in the network from all possible attacks. In contrast, other systems depend on system-wide protections. In providing conventional security, police patrol neighborhoods and the military secures borders, rather than defending each individual household. Likewise, in biology, the immune system provides security against viruses and bacteria using primarily action at the skin, membranes, and blood, rather than requiring each cell to defend itself. We propose applying these same principles to address the cybersecurity challenge. This will require: (a) Enabling pervasive distribution of self-propagating securityware and creating a developer community for such securityware, and (b) Modifying the protocols of internet routers to accommodate adaptive security software that would regulate internet traffic. The analysis of the immune system architecture provides many other principles that should be applied to cybersecurity. Among these principles is a careful interplay of detection and action that includes evolutionary improvement. However, achieving significant security gains by applying these principles depends strongly on remedying the underlying architectural limitations.

Internet's architectural flaws feed cyber-threats, say researchers.

CAMBRIDGE, MA. (February 28, 2013) - In his State of the Union address this month, President Obama named hackers and "cyber-attacks" as amongst the greatest economic and national security threats to the United States. The President has a point; earlier last week, a report by the security firm Mandiant linked a unit of China's People's Liberation Army to hundreds of cyberattacks on Western corporations, while the The New York Times, Wall Street Journal, and Washington Post all recently announced they had been targeted as well.

The President's response was to issue an executive order calling for greater sharing of information between the private and public sectors on cyberattacks and threats, but civil liberties have raised questions about government invasions of privacy. How can we build a hacker-proof Internet without compromising basic freedoms?

A new report by the New England Complex Systems Institute (NECSI) lays the problem, and the solution, at the door of the Internet itself. "The current design of the Internet is inherently insecure," said Yaneer Bar-Yam, president of NECSI and a co-author of the study. Any node can be attacked from any other node, requiring the entire network to be hardened against all possible attacks - an unrealistic goal, Bar-Yam said.

"Making every computer on the Internet - including every tablet, PC, server, and smartphone - impervious to attacks is impossible," he added. An effective response requires reconstructing the architecture of the Internet itself. The report proposes substantial changes to the routers in charge of switching data packets between network nodes.

"Collective security-preventing attacks would require that the routers of the Internet themselves would need to have protocols that allow refusal of transmission based upon content or extrinsic information such as point of origin," according to the study.

The authors' discussion of Internet security is placed with the larger context of all network structures. The study compares Internet attacks to biological threats and systems, in which the same fundamental principles of network structures used in communication, transportation and defense mechanisms also apply.

"The human body bases its main line of defense in its primary transportation system - the blood stream - and in its skin and membranes," says Bar-Yam. "The immune system would collapse if it only acted within individual cells. Likewise, consider what America might look like if every home and office was required to be a fortress in the absence of the police and military patrolling neighborhoods and defending national borders."

The study, "Principles of Security: Human, Cyber and Biological," was performed at the request of a long-term planning military group, the Strategic Studies Group, which reports to the Chief of Naval Operations, the head of the Navy. The report is being released for the first time to the public this week.

For media inquiries, contact:

Karla Bertrand, Press Relations, 617-547-4100

Clare Froggatt, Program Coordinator, 617-547-4100