Friday, April 22, 2011

More SENDS Blogs Available at SENDSOnline.org!

By Carl Hunt

Trying to make the best use of time and cyberspace, we’ve posted 14 additional blogs at http://sendsonline.org/category/blog/ since the last one posted at this site. If you haven’t been over to see them, it’s worth the trip!

As we draw the SENDS Pilot Project to a close, we’re documenting the results and describing a lot about the future of SENDS, particularly in terms of the four main Pilot Project tasks: cyberspace science, cyberspace modeling, education in cyberspace, and the SENDS Consortium.

We are assessing the results of the SENDS Academic Curricula survey and will be releasing insights on what some very smart people think about cyberspace education in particular and cyberspace science in general. You’ll find that over at SENDSOnline.org, too.

All of this is available at SENDSOnline.org. Check it out and let us know what you think!

Thursday, March 10, 2011

SENDS Blogs at SENDSOnline.org


Greetings, SENDS Blog Readers. Our stat reports show that we still have quite a few visitors to the SENDS Blog at this site. We greatly appreciate your interest!

As a reminder, we’ve stopped posting here since 7 February 2011 and are now posting at SENDS Online, our main website for all things SENDS. The new Blog Page is also there and we’ve been posting some cool pieces on Cyber Education, Music, Programming, Social Science and Community in Cyberspace, Virtual Worlds, and of course Cyberspace Science. There’s even a new column called the Blogging Luddite for the older generations!

Please visit us at the new site and keep up to date with what we’re doing with SENDS. Let us know what you think!

Monday, February 7, 2011

The End and the Beginning

by Carl Hunt

The SENDS Website is open for business, as many of you have already found out. SENDS colleague and fellow blogger Craig Harm has done a magnificent job organizing and managing the SENDSonline.org site and the feedback has been very good so far!

That means that this will be the final posting of the SENDS & the Science of Cyberspace Blog on this site. Future blogs will be posted at SENDSonline.org at the SENDS Blog Page, where it will be easy to subscribe, follow your favorite bloggers and search the topic index both textually and graphically, thanks to a novel tool called Infomous from SENDS’ partner, Icosystem.

We are grateful for the contributions of our blogging family and are looking to grow that family in the new SENDSonline.org site. In the near future, our readers will find more about the SENDS Pilot tasks and track progress on the development of SENDSim and the SENDS Center for Cyberspace Science. The exploration continues!

The SENDS site will also host new versions of the SENDS White Paper for a Science of Cyberspace Science, incorporating new inputs from contributors and reviewers.

The new SENDSonline.org site will feature new opportunities for more involvement in the development of ongoing SENDS’ thinking and exploration, including you! SENDS fellow blogger and colleague Bob Schapiro will be writing about that soon.

We have a lot to do to complete the Pilot in June, but thanks to the contributions of our members and bloggers, we have a remarkably broad base of insights to make sure we stay in explore mode as much as possible. Your help will make sure we keep SENDS going well beyond the Pilot.

Please visit us at SENDSonline.org and stay in touch with the blogs and the project. Join us, follow us and help us move forward in exploring cyberspace and building this new science together.

Signing off Here!
- Carl Hunt

Saturday, February 5, 2011

Seeing the Invisible

by Jack Holt

When I was a boy, my grandfather taught me a Cherokee Proverb which I have pondered my entire life. It didn’t make much sense to me at the time, but the more I thought about it, and the more I grew, and the more I learned, and the more I did, and the more people I met, worked with, and engaged with, the more I began to see what the proverb meant.

I suppose that’s what proverbs are supposed to do. They guide you toward some universal truth that is unknowable at the time. Unknowable because you haven’t lived the time and it is time that is the critical factor.

While time is the critical factor, experience is the determining factor, and thought multiplies the effect, for it is what you give your thought to that determines what your experience is and the time you will give to a task, and hence what you learn. This is true whether it’s cyberspace time or the “old-fashioned” variety of time!

The proverb stated: “If you listen to whispers, you will not hear screams.” For a close-knit, tribal people this meant paying attention to those around you. Even in a hyper-connected age like the one we experience in cyberspace, it means the health of the whole is the responsibility of the individual. It means an acculturated community. It means seeing the invisible…an invisible that transcends both the tribe and the physical world, if you look and listen closely enough.

Why do we so often miss seeing the invisible? Perhaps because we are looking and listening in the wrong places.

What makes people who they are? Why do they do what they do? How can we know such things? Time, experience, thoughtfulness: just as my grandfather inferred in his proverb.

Listening to people, learning from them, learning all we can about them. What are their proverbs, their poetry, and their music? These are the tools of enculturation: how we learn and apply values of a culture.

To know a people’s language is just the beginning; to know their thoughts is to know them. This is what it means to socialize. This is how we will ultimately exploit cyberspace as a species. In the meantime, let’s listen…

Thursday, February 3, 2011

Beyond Passwords: A Vision for Personal Information Management

by Sandy Klausner

Introduction

Bob Schapiro’s previous SENDS blog post asserted that passwords are a security “solution” that’s part of the problem. Unfortunately, managing multiple passwords is just the tip of the iceberg regarding the cyber-security challenges that we collectively face. This post reflects on the current effort to redefine cyber-security and explores what empowering individuals to manage their personal information and cyber-presence might look like. A companion piece that fleshes out more of a required framework will follow next week.

The NSTIC initiative

The National Institute of Standards and Technology's (NIST) website recently described the emphasis of the current administration's effort on identities and privacy. The National Strategy for Trusted Identities in Cyberspace (NSTIC) “is an Obama Administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, institutions, and underlying infrastructure - such as routers and servers.

“The NSTIC envisions a cyber world - the Identity Ecosystem - that improves upon the passwords currently used to login online. The Identity Ecosystem will provide people with a variety of more secure and privacy-enhancing ways to access online services. The Identity Ecosystem enables people to validate their identities securely when they're doing sensitive transactions (like banking) and lets them stay anonymous when they're not (like blogging)…People and institutions could have more trust online because all participating service providers will have agreed to consistent standards for identification, authentication, security, and privacy,” notes the NSTIC website.

Universal ID Management

While the NSTIC goal of securing identity is an important first step, the path to enhancing user privacy is a much longer road to travel. The framework for a Universal ID Management infrastructure will need to include the ability to provide users with at least some level of consistency and control over how their private information is accessed and treated.

Today, simple address formats are diverse and make on-line registration efforts much more cumbersome than they should be. Today, if you’re one of the unfortunate individuals applying for work on company job boards, the inconsistency and repetitiveness of the experience can be downright maddening. As we move toward an ever-growing list of on-line information about us, including biometrics and medical records, the need for a consistent if not fully intelligent framework becomes even more apparent.

Managing personal information also branches into the realm of automation.  When we do have a consistent and convenient way to transfer our address where needed, there should also be a simple mechanism to make updates virtually automatic. For example, if I move, I should be able to update my secure profile and have that change ripple to every single user of that information, including utilities, banks, on-line shopping sites I’ve registered with, magazine subscriptions, etc. Clearly, there has to be a robust identification mechanism in place to ensure only I could make such sweeping changes. But, it would be negligent to craft a new Identity Ecosystem that did not enable such basic management features.

Distribution rights

Another aspect of personal information that warrants attention is the user’s ability to track and manage distribution of their personal information. In its simplest form, that means a user should be able to select who gets access to what piece of personal information in a manner as simple as selecting from a list of people, institutions or websites they frequent and whether or not the recipient can post the information in a public format. Exerting this type of control over a person’s biography is a great example.

But, the concept of managing personal data can expand much further. If we consider the stories we tell about ourselves on social media sites to be an element of personal information, we find eroding levels of control. Facebook has been a classic example. Their privacy policy in 2005 read:

“No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.”

In April 2010, Facebook’s privacy policy read:

“When you connect with an application or website it will have access to General Information about you.  The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page.  If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.”

Facebook goes beyond the information you post and adds information others post about you to build a more complete corporate profile of you. If someone posts something erroneous about you and it gets added to Facebook’s corporate profile, it’s not clear you would know it. Certainly, anyone can assemble a profile of you by assembling the results from search engines, but there should be an ‘official’ profile where the owner can manage the content and control who has access to what, independent of any one website’s evolving policies.

It may also be the right time to address the individual’s rights in the shadowy world of the personal information marketplace. Many people don’t realize that their profile is a common source of profit for companies that collect large databases of members/subscribers/contestants, etc. Today, many companies are sensitive, if not passionate, about protecting their customers’ information, but anytime you’ve been registered for a free magazine subscription or answered a few required questions to access something on a commercial site, there is the potential that the information is used to create distribution lists that are sold for direct mail campaigns, fund raising, surveys, etc.

While this practice has been in place for decades, it is only fair to ask the question if it is reasonable for someone to sell your personal information without permission, or at least provide some form of compensation...especially with the advent of recent web services that offer to provide a wealth of aggregated information about an individual for a fee. It could indeed open an entirely new market dynamic if individuals had the ability to assign a value to the distribution of their personal information and there was sufficient automation in place to award an individual micropayment for each use of a specific information packet for a specific class of organization.

Users who hate unsolicited information could simply raise the price on the right to trade in their information until they get the level of relevant information they desire (this assumes at a sufficiently high price, no one will engage unless there is high certainty of a positive response). On the other side, people who wanted to maximize the monetary return for just being who they are could adjust the price to extract the maximum income from the authorized selling of their personal information to specific classes of solicitors. Clearly, such a scheme could never be foolproof, even if laws were created to support it, since anyone could simply copy your information and sell into a black market. But, as in most circumstances, the vast majority of honest businesses would align and sustain such a concept if the implementation was sufficiently painless.

Independent of monetization, it would be wonderful if you could track instances of your personal information as it was distributed through the Internet. It would potentially make it much easier for individuals to assess their footprint in ways that current search engines could never reveal.

Location-based services

Another area that warrants attention is location-based services. A growing list of services delivers valuable information, but exposure of private data can vary significantly per application. Moreover, each service has its own privacy schemes and settings which can change over time. Also, it’s often difficult for the user to know with certainty when their location is being accessed outside of specific requests or if it is being tracked by individual service providers or other members of a mutual service.

While some people are happy to publicly publish every moment of their existence, any new identity framework needs to provide fine-grained control of how location information can be used and who can have access to it down to the individual level. This includes the service provider as well. The user should be able to control whether the service provider is allowed to accumulate location information or if each record must be deleted after the completion of a transaction. Most important, the user should be able to declare their preferences and settings in one global profile that drives interactions with each service provider.

The framework should also allow a user with a GPS-enabled cell phone or mobile device to make anonymous transactions. For example, the user’s profile can verify that the phone/device is subscribed to a service without revealing who the user is and, for metered services, track the number of available transactions remaining. By providing the service and geo coordinates, there is no need to pass information that could identify the user such as the cell phone number to a location service provider. Under this scheme, you can check for local restaurants and entertainment, or get whatever relevant ad or promotion information is significant without the service provider being able to track your location or location records. Of course, the wireless provider will always have such records, but containment of such information is always a first step toward better personal security.

Conclusion

Overall, if a framework is put in place to allow these scenarios to be developed and evolved over time, a picture emerges of an internet environment that is much friendlier and allows the individual to tune their cyber-presence in ways that are barely imagined today.

The challenge in driving this vision to reality is the enormous complexity of the framework that would be required to deliver such a vision if it’s built on today’s computing architectures. Fortunately, there is advanced thinking and technology that could make such an interconnected environment practical. That will be the topic of my next post.

Editor’s note: Sandy Klausner is the founder and CEO of CoreTalk Corporation, the designer of the Cubicon executable design language, described at http://www.coretalk.net/. The opinions and concepts proposed by Sandy reflect his thinking about new types of programming languages, and web-based frameworks including Cubicon. SENDS does not endorse any specific product, but seeks to ensure members and guests of the Private-Public partnership of the SENDS Consortium are aware of novel thinking proposed by those associated with the Consortium and its efforts.

Thursday, January 27, 2011

Are Passwords Part of The Problem?

by Bob Schapiro

How many new passwords did you have to create in the past few months?

Spam is the first culprit when people think of the clutter that’s choking the Internet, but passwords aren’t far behind. Passwords are a security “solution” that’s part of the problem.

In fact, with the Conficker virus living comfortably on millions of home computers, maybe all of this cyber-clutter is not just an annoyance; it’s an actual security threat.

A few months ago I attended a conference with people from all the big companies and government agencies. Many of the speakers wondered why the gosh-darn American public doesn’t take cyber-security seriously…at least seriously enough to create stronger passwords. The consensus was that people need more education.

I don’t think we’re dumb. We’re just overwhelmed.

Maybe my situation is unique. I enrolled for a course at a university and had to create four new passwords—one each for the registrar, bursar, health service and to get my email. This week I subscribed to a magazine and had to create three new passwords: One to manage my subscription, one for the online version and another for the environmental organization that publishes the magazine.

But the most galling experience comes from—who else?—my cell-phone company. I can’t name them for legal reasons but it’s a huge company known for really lousy reception. (Let them come to court and claim that distinction.)

When I got my new cell-phone, I had to get a “micro cell” device because I get zero reception in my home. In order to connect it, of course, I needed a “user name and password” distinct from the ones I already have with both the phone company and with the company that makes my phone. (If you’re counting, I needed three passwords just to make the first phone call from my home.)

While installing the configuration software—to get the warranty—I got one of those little drop-down boxes where I had to “agree” to their terms. The word “agree” was in the flashing blue box, in case I was confused about what I was supposed to do. (I put “agree” in ironic quotation marks because the word is supposed to mean that you actually concur with something.)

I don’t know what possessed me, but I decided to actually read the agreement. I scrolled through a few pages of tiny print before downloading the whole thing. It was over 200 pages! Of tiny type! I know there was fine print before the Internet, but this is insane. When I bought my first car I had to sign seven or eight pages of small print and I thought that was a lot.

We’ve all clicked that flashing “agree” button. We know how the world works now. Are you really going to return that piece of software—the one you’re already installing—because of sub-paragraph xvii on page 128?

But not so long ago, all you’d need for the warranty is to keep the receipt.

What is the effect of all these meaningless passwords and agreements? Imagine if you only had to create five or six passwords…for your employer, your bank, a few others…do you think you might take them all more seriously? Most of us used to think twice before signing a long document. Now we don’t even look anymore. In fact, if you took all of this seriously, you wouldn’t be able to get through daily life in the cyber age.

You probably have your own stories. We’d like to hear them. Just send them to words@sendsonline.org or make your comments to this blog below.

Not to boast—okay, to boast a little—SENDS has the attention of the major players who are shaping cyberspace. Participating in SENDS will help you be heard.

SENDS seeks to discover what is inherent in cyberspace. My guess is that passwords are not. In the future, you may just swipe your thumbprint at any computer…or there may be facial recognition.

Right now, a lot of so-called cyber-security is driven by marketers. Yet companies will stop these people if they see a downside. A few years ago many websites absolutely needed to know your social security number and mother’s maiden name “to help us protect you.” Then they discovered that they were liable if there was data theft…and all of a sudden, they decided that this information was not so vital after all.

What do you think is vital…and what is intrusive cyber-clutter? Let us know at words@sendsonline.org. We’ll pass it along.

Tuesday, January 18, 2011

The Evolution of Cyberspace: Virtual Worlds

By Craig Harm

Cyberspace 2020.  What will it be like?  Can we even contemplate what our “web presence” will be like?  Less than ten years ago Facebook, Twitter and MySpace did not exist.  And while they may have seemed to just appear, there was actually a logical evolution to their emergence.  Following and logically extending this evolution may help us postulate how our cyberspace interactions will look ten years from now.

It’s amazing how history can repeat itself, even in cyberspace.

Let’s first look at what may have been the beginning of internet-based direct social interactions, instant messaging (IM).  Peer-to-peer functions like IM and chat started as early as the 1980s with bulletin board based chat.  But it was in the early 1990s with the modern network connectivity that Internet-wide, GUI-based messaging clients really began to take off.

ICQ, AIM (formerly AOL Instant Messenger) and Windows Messenger were just a few examples of this capability.  These services offered similar capabilities allowing users to create profiles, add users as friends, conduct real-time live chats via text services, exchange files and even conduct video chats.  They allowed the development of true, though virtual social networks between people that had perhaps never physically met.

As technological capabilities continued to grow, so too did the evolution of IM.  With the introduction of voice-over-IP (VoIP) new IM services began to take hold.  Systems like Skype and Vonage allowed users to connect to telephones, both landlines and mobile, thus expanding the virtual social network capabilities even further. 

Internet-based social networking began as only something “geeks” did and it was based on generalized online communities such as Theglobe.com (1994), Geocities (1995) and Tripod.com (1995).  But as the desire, capability and social culture evolved, new methods of social networking emerged.  By the end of the 1990s, technology was helping to develop more advanced features to meet the growing user need to find and manage friends on-line: to enhance a social network.

Out of the development of these new social networking methods a new generation of social networking sites began to emerge.  One of the first, Friendster, soon became part of the Internet mainstream.  Followed by MySpace and the professionals’ social networking system, LinkedIn, there was a rapid increase in social networking sites' popularity.

Launched in February 2004, Facebook, a social network service website now with more than 600 million active users, is rapidly becoming symbolic of what internet-based social networking is about.  In Facebook, users create a personal profile, add other users as friends and exchange messages, including automatic notifications when they update their profile.  Additionally, users may join common interest user groups, organized by workplace, school, or college, or other characteristics.  Facebook, the subject of the recent film The Social Network, has garnered our interest, participation and consumed our on-line attention unlike any cyber phenomenon, so far.

Enabled by expansive technological advancements, virtual, highly social worlds are emerging to meet evolving user needs for social interaction.  Second Life (SL), launched in June 2003, is a virtual world accessible through the Web.  Users, called “Residents”, interact with each other through personally created profiles called avatars.  Residents create a personal profile, add other users as friends and exchange messages.  In addition to these functions, which are similar in purpose to Facebook, residents can also explore, meet other residents, socialize, participate in individual and group activities, and create and trade virtual property and services with one another, or travel throughout the world.   SL is designed on the premise that users can build virtual objects, either fictional or based on real items, and share, trade or sell them throughout the system.

Ever since two computers could be connected together, people have found new ways to compete with each other in games.  Initially just point-to-point, person-to-person, over the last 10-15 years gaming has evolved to connect substantial numbers of players through the Web.  With the emergence of Massively Multiplayer Online Role-Playing Games (MMORPG), enabled by high-speed networking and Flash- and Java-based technologies, an Internet revolution has occurred where websites can utilize streaming video, audio, and a whole new environment for user interactivity.

In the last 5 years or so, online gaming has exploded in popularity.  Computer role-playing games in which a very large number of players interact with one another within a virtual game world are running on a constant presence through services such as Xbox Live (23 million members) and games like Runescape (150M) and World of Warcraft (12M).  With so many members, online gaming is a serious cyberspace presence.  When you couple this immense cyber presence with the $5-10 monthly membership fees, MMORPG is also BIG business.

But, like all other technology-enabled cyberspace capabilities there is an evolution on-going.  Powered by concepts discussed previously in these blogs (exchange, emergence and self-organization) online gaming is evolving.  Social networking capabilities which previously required multiple services are routinely “packaged” into on-line gaming systems. 

Enabled through a user-created avatar, players within Xbox Live, World of Warcraft and Runescape can now maintain social contact with friends on-line…in fact, they actually have to maintain and leverage these social networks to achieve objectives in the games they play! 

Text, voice and video chat, status-updates, and profile creation are integral components of these online game systems.  Users no longer need to go to separate individual sites and systems to maintain their social network.  Convergence and coevolution are definitely at work in these environments.

For people though, the real evolution is not the integration of technical capabilities.  It is the emergence of cultural acceptance and user comfort with interacting with others inside of virtual worlds.  Today’s younger generation possesses an evolved skill set, mental accommodation, and social acceptance of interacting within these virtual worlds.  They are in these worlds every day, for hours at a time.

For many users, the only interaction they have with some of their friends is within these worlds, where they are maintaining contact and staying informed of real world activities and events.  It is as though there is an overlap for them of the real world and these virtual worlds, and the so-called barriers between them seem to blur through continued presence in virtual environments.

So what do I think Cyberspace 2020 will look like?  Based on this evolution we’ve just discussed, I envision a cyberspace where users will no longer log onto a machine, open multiple applications, and interact with the Web via a browser.  

In 2020, I see us “logging” into the Web through personalized devices directly into our virtual world.  Many of us may even stay logged on constantly!

Acting through personally created profiles (through our avatars), we will interact with our social network just as we would face-to-face.  It’s almost certain that we will even see our avatars empowered with new capabilities that allow them to interact on our behalf, buying movie tickets, making dinner reservations and so on.

Our virtual world will be our interface to the rest of the World Wide Web and people everywhere!  Cyberspace 2020 will likely be even more interconnecting and more social, but it will almost certainly change the way we live, work and play.

Stay connected for more on the impacts of virtual worlds right here in the SENDS blogs.

Monday, January 10, 2011

Cyberspace Science and Cyberspace Security Science: Why Both?

by Carl Hunt

In an October, 2010 blog, I commented about the importance of asking “the right questions” in critical situations.  “It’s the questions, not the answers, which most guide us in strategic thinking and understanding…And equally important, it is the order in which you ask questions and experience discovery through responses to those questions that help you form strategies.” I wrote these words citing the inspiration of mentor Dr. David Schum of George Mason University.

It’s an odd if fascinating experience to quote yourself from a previous writing to make a point, but it’s also boring and probably doesn’t raise many new challenges in thinking.  So, I’ll try to springboard off that “inspirational” quote to distinguish why we need two “disciplines”: one the major and one the minor, to study cyberspace.  It may turn out we need many more, but these two will provide a great start to test the limits of human thinking about connectivity!

Why do we need both a Science of Cyberspace and a Science of Cyberspace Security, the latter of which receives significantly more emphasis?

We require them both because they are so deeply interwoven that we need both a general understanding of the environment of cyberspace and we critically need to understand how to secure it.  Science to secure cyberspace may have a shorter-term, technological focus, but together they may ultimately satisfy the requirement for prosperity in this new environment.

It will be scientific-based study, informed by the process of meaningful inquiry, that will help us see beyond a purely technological domain and restore some methodological insights into what is happening to man in the advent of the hyper-connected age of cyberspace.

You can probably tell by now that I consider a Science of Cyberspace to be the major discipline!

In considering both cyberspace in general and cyberspace security in particular, it’s about the questions we ask that drive new and hopefully relevant discovery, and that’s the construct I’ll use to discuss both efforts.  The nature of these questions will help discern the differences in our quest to understand cyberspace from these two strongly related perspectives.

I’ll start with the Science of Cyberspace Security requirement based on a recently released government-sponsored effort called “Science of Cyberspace Security” published in November, 2010 by the MITRE Corporation and the JASON group.

If one didn’t already know it before reading this report, it’s easy to see why security demands the most attention since business, academia and government (and indeed the world’s economic systems) have built a critical reliance on what cyberspace offers in terms of connectivity and access.  Cyberspace security is also a core component of the overall SENDS Project, including the SENDS modeling and simulation environment, SENDSim.  It’s a vital topic!

The JASON report provided answers, but what were the questions they addressed?

The report used nine basic questions to organize thinking within its findings, having been provided these questions by its government sponsor (according to page 3 of the report, which is also where the questions begin).  The reader interested in cyberspace security should refer to the JASON report to form their own conclusions, but the idea of building a strategic position around important questions is the focus here.

As Dave Schum always advised, it really helps if you’re working with “the right questions.”  All in all, it appears the government provided the JASON group with meaningful questions and they responded well within the framework of those questions.  But, were they the “right questions?”

We need to ask how suitable the questions were to guide us in strategic thinking and understanding of cyberspace.  Perhaps they were a reasonable start, yet they were narrowly focused on the “minor” discipline of the study of cyberspace: the Science of Cyberspace Security.  To really be “the” questions that guide us in better understanding cyberspace, they must be broadened to address the entirety of the environment.

The questions provided, as rooted in scientific exploration as they were, did not get at the issues we’ve raised in SENDS about people and community as the key part of the solution space.  Any line of inquiry for the study of the Science of Cyberspace will need to focus on people: people as users, people as designers, people as protectors, people as attackers and people as solutions.  The JASON study addressed the questions they were provided well enough, but again, were they “the right questions?”  Did these questions help objectively frame their responses and allow for full impartiality?  After all, that’s a significant purpose of meaningful inquiry.

While we don’t have access to the instructions provided to the JASON panel, we do have the list of the questions they were provided by the sponsor.  For those who focus on the role of people in cyberspace, it’s gratifying to see that question 5 did ask if social sciences, among others, could serve as topics that could “contribute to a science of cyber security?”

The body of the JASON study interwove important topics that are people-centric in their substance.  These topics include game theory, trust, biologically-inspired immune responses and metric collection/assessments.  For the most part, however, the JASON group focused on technological prescriptions.  A significant Department of Energy December, 2008 report, “A Scientific Research and Development Approach To Cyber Security,” cited over-reliance on a technology focus as a chief complaint, as has SENDS since its origins.  SENDS found inspiration from the DOE work. Did the JASON line of inquiry enhance thinking in that regard?  Readers should decide for themselves.

The sponsor’s questions did lead to one critical response from the report, however:  “The most important attributes (of a Science of Cyberspace Security) would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.”  We have asserted the same requirement from the beginning of SENDS (here and here, for example), as the DOE implied in its report.  It appears this principle applies to both a science of cyberspace security and a more general science of cyberspace (in fact, that’s a contributing factor to resolving wicked problems, another core component of SENDS).

But, there’s much more to understanding cyberspace and the questions we need to ask about it than cyberspace security.  That’s why we need a broader “Science of Cyberspace.”  To better secure cyberspace, it would be helpful to more fully understand what’s going on inside the environment as a whole.  Some might argue that the immune system seems to work just fine without knowing all the details about the host it’s protecting or the characteristics of the attacker.  But as the JASONs so rightly point out, an immune system is at best an inspiration for how to do better security.

In their study of systems, scientists and engineers typically try to address hard questions through broad understanding and awareness, and use an approach that provides deeper insights about the whole of a system.  While studying the immune system may help with understanding how the body defends itself, studying the immune system alone does not suffice for the study of the entire human body.  Likewise, studying the science of cyberspace security alone does not give us the broader understanding of the whole needed to study the entirety of the cyberspace system.

Since cyberspace is a socio-technological environment, built, explored and exploited by people (at least for the time being), we need to start understanding more about the ecology of the environment and how it’s changing human behavior as a whole.  We’ve seen that cyberspace as a massively interconnecting environment has already altered the nature of crime and spying (people-centric activities), which is why there is a critical need for a science of cyberspace security.  That’s just one family of problems we face, however, because we don’t understand cyberspace holistically.

We need to ask questions about cyberspace, not just about cyberspace security.  Broadening our aperture of questions helps us accomplish the main objectives of science: explain and predict.  Many more questions need to be focused on the people part of cyberspace.  We began that process from the earliest drafts of the Science of Cyberspace White Paper (first drafted in March, 2009, by the way, and now posted in its eighth major draft, noted above) and in our earliest blogs (here and here, for example).

We also need not be put off when we find evidence or results that refute our hypotheses (another term for questions), either.  It’s just as important to publish findings that surprise us and rebut previously held notions as it is to present results that confirm our initial positions.  Science is about impartiality and repeatability of objectively derived findings.  A recent piece in the New Yorker Magazine, entitled “The Truth Wears Off: Is there something wrong with the scientific method?” bears that out.

In a sense, trying to do a science of cyberspace security without at least simultaneously doing a more general science of cyberspace may fall into the category of the cautions of the New Yorker piece…we need to ask questions about the whole environment, not just part of it.  That’s the approach SENDS and the Science of Cyberspace are taking.  Our success, however, will be in large part because of the insightful work the JASONs, the DOE and others are doing, just as they may also benefit from SENDS.

Cyberspace is immense, and it will take all we humans have to understand it, explore it, exploit it and protect it.  We’re all in this together.