Take two APIs and call me in the morning: How healthcare research can cure cyber crime

May 28, 2024 TH Author

Opinion Some ideas work better than others. Take DARPA, the US Defense Advanced Research Projects Agency. Launched by US President Dwight Eisenhower in 1957 response to Sputnik, its job is to create and test concepts that may be useful in thwarting enemies. Along the way, it’s helped make happen GPS, weather satellites, PC technology, and something called the internet.

The country’s current president, Joe Biden, brazenly stole the idea of DARPA (only without the killy stuff in favor of health) to model a new research agency to help the human population better optimize for the meatbags we were born in. Two years ago, ARPA-H was born.

ARPA-H is a fascinating entity; check out this video interview with its inaugural director. Its mission is to find areas of health science and technology that have the potential to make a big, long-lasting effect on the population, but which haven’t attracted commercial or academic attention. Having found ten to 20 of these, ARPA-H gives project managers money, autonomy and support and presses the go button. The idea is to create something that can survive in the wild, attracting enough investment to fulfill the initial idea.

This is by no means limited to developing drugs or tech for the end-user patients, but also creating the tools and frameworks that can accelerate such developments across the board. If it makes health work better and nobody’s doing it already, then it’s up for grabs – most certainly including cyber security. After all, it’s been making health IT professionals sick for years.

The recently announced UPGRADE project is at heart an automated superhuman security devops beast. It will scan for vulnerabilities and work out when to apply patches, even coming up with novel mitigations, all in the context of health systems and their very high sensitivity to disruption. One of the major components is the digital twin, where the framework experiments on a mirror image of the system it’s protecting. Twins are very popular in medical research, so that’s apt.

It’s also apt to think of UPGRADE as the beginning of digital immunology: medical analogies are popular in cyber security, and for good reason. Like the human immune system, it is desperately needed. If it works even a bit, its applications outside the health sector will be immediate and obvious. Herd immunity, when enough systems are protected to make developing attacks unproductive, would be a wonderful thing. If it works.

Given the size and importance of the potential market outside health, not to mention the moral good of cutting off criminals at the command line, why has no commercial outfit made a go of it yet? Untold billions flow inside big tech and venture capitalists. ARPA-H is kicking off UPGRADE with $50 million, which is a lot to humans but a rounding error in Microsoft’s AI megabinge or Meta’s baffling VR gogglebox.

Some of the reason why no one has previously put a lot of cash behind this is that no big tech company cares about security except for its own services and products. Companies that do work across platforms don’t have the resources to take a chance on big, risky projects. ARPA-H, on the other hand, is even designed to try things that will fail. Progress is built on failure as evolution is built on death.

Indeed, UPGRADE faces a number of challenges that may make its path from concept to commerce impossible. Take the digital twin idea; it’s very powerful and enables entirely new ways to test safely, automatically and reliably. Yet creating a digital twin of a complex environment is hard, and tracking changes is harder. Likewise, applying patches automatically seems like a really good idea, and it is. Until you find out how little support there is for consistently doing this, let alone testing and identifying the cascade of problems that can follow. A lot of network-connected devices are closed boxes: you cannot mirror what you cannot see, let alone fix it.

What’s missing from digital immunology is what makes biological immune systems work in the first place – common components and common pathways. There is huge diversity in living creatures, but huge commonality at cellular levels and within. Pathogens take advantage of this to subvert the health of the host, while the host’s immune system uses this to deploy common defenses against a wide range of such threats.

This is missing in IT – or rather, while there is a high level of similar designs doing similar work, it is very hard to find it across products. There is no common API for patches and upgrades. There is no common design language to describe what anything does. That level of systemic visibility is entirely absent, making essential safeguarding and management extremely difficult for humans or machines.

Thus UPGRADE will be as hard to make work as it is desperately needed. It will find itself in a hostile environment created by an industry that sees no responsibility for making it better, and has no motivation to change.

Change it must, and for this we can turn to one final analogy between silicon and carbon creatures – evolution and survival of the fittest. Changes in design that better match a changed environment favor those who can change over those who cannot.

One model of software is far easier to change than any other. FOSS does not wait for permission to change, nor does it do so in the exclusive interest of commercial drivers. It is literally open to the UPGRADE team to ask open source developers to help create and adopt the low-level language of sustainable security. Of course, the system will have to work with the reality of today, but it will help shape that reality too.

If a device or a service is inherently more secure in an automated security environment than its competition, it is much to be preferred. Co-evolution is a very powerful idea, and open source is uniquely suited to the dance. It wouldn’t be the first time it changed the rules of the game, and cyber security so desperately needs that change. ®