Monday, January 10, 2011

Cyberspace Science and Cyberspace Security Science: Why Both?

by Carl Hunt

In an October, 2010 blog, I commented about the importance of asking “the right questions” in critical situations.  “It’s the questions, not the answers, which most guide us in strategic thinking and understanding…And equally important, it is the order in which you ask questions and experience discovery through responses to those questions that help you form strategies.” I wrote these words citing the inspiration of mentor Dr. David Schum of George Mason University.

It’s an odd if fascinating experience to quote yourself from a previous writing to make a point, but it’s also boring and probably doesn’t raise many new challenges in thinking.  So, I’ll try to springboard off that “inspirational” quote to distinguish why we need two “disciplines”: one the major and one the minor, to study cyberspace.  It may turn out we need many more, but these two will provide a great start to test the limits of human thinking about connectivity!

Why do we need both a Science of Cyberspace and a Science of Cyberspace Security, the latter of which receives significantly more emphasis?

We require them both because they are so deeply interwoven that we need both a general understanding of the environment of cyberspace and we critically need to understand how to secure it.  Science to secure cyberspace may have a shorter-term, technological focus, but together they may ultimately satisfy the requirement for prosperity in this new environment.

It will be scientific-based study, informed by the process of meaningful inquiry, that will help us see beyond a purely technological domain and restore some methodological insights into what is happening to man in the advent of the hyper-connected age of cyberspace.

You can probably tell by now that I consider a Science of Cyberspace to be the major discipline!

In considering both cyberspace in general and cyberspace security in particular, it’s about the questions we ask that drive new and hopefully relevant discovery, and that’s the construct I’ll use to discuss both efforts.  The nature of these questions will help discern the differences in our quest to understand cyberspace from these two strongly related perspectives.

I’ll start with the Science of Cyberspace Security requirement based on a recently released government-sponsored effort called “Science of Cyberspace Security” published in November, 2010 by the MITRE Corporation and the JASON group.

If one didn’t already know it before reading this report, it’s easy to see why security demands the most attention since business, academia and government (and indeed the world’s economic systems) have built a critical reliance on what cyberspace offers in terms of connectivity and access.  Cyberspace security is also a core component of the overall SENDS Project, including the SENDS modeling and simulation environment, SENDSim.  It’s a vital topic!

The JASON report provided answers, but what were the questions they addressed?

The report used nine basic questions to organize thinking within their findings, having been provided these questions by their government sponsorship (according to page 3 of the report, also where we find the start of the questions).  The reader interested in cyberspace security should refer to the JASON report to form their own conclusions, but the idea of building a strategic position around important questions is the focus here.

As Dave Schum always advised, it really helps if you’re working with “the right questions.”  All in all, it appears the government provided the JASON group with meaningful questions and they responded well within the framework of those questions.  But, were they the “right questions?”

We need to ask how suitable the questions were to guide us in strategic thinking and understanding of cyberspace.  Perhaps they were a reasonable start, yet they were narrowly focused on the “minor” discipline of the study of cyberspace: the Science of Cyberspace Security.  To really be “the” questions that guide us in better understanding cyberspace, they must be broadened to address the entirety of the environment.

The questions provided, as rooted in scientific exploration as they were, did not get at the issues we’ve raised in SENDS about people and community as the key part of the solution space.  Any line of inquiry for the study of the Science of Cyberspace will need to focus on people: people as users, people as designers, people as protectors, people as attackers and people as solutions.  The JASON study addressed the questions they were provided well enough, but again, were they “the right questions?”  Did these questions help objectively frame their responses and allow for full impartiality?  After all, that’s a significant purpose of meaningful inquiry.

While we don’t have access to the instructions provided to the JASON panel, we do have the list of the questions they were provided by the sponsor.  For those who focus on the role of people in cyberspace, it’s gratifying to see that question 5 did ask if social sciences, among others, could serve as topics that could “contribute to a science of cyber security?”

The body of the JASON study interwove important topics that are people-centric in their substance.  These topics include game theory, trust, biologically-inspired immune responses and metric collection/ assessments.  For the most part, however, the JASON group focused on technological prescriptions.  A significant Department of Energy December, 2008 report, “A Scientific Research and Development Approach To Cyber Security,” cited over-reliance on a technology focus as a chief complaint, as has SENDS since its origins.  SENDS found inspiration from the DOE work. Did the JASON line of inquiry enhance thinking in that regard?  Readers should decide for themselves.

The sponsor’s questions did lead to one critical response from the report, however:  “The most important attributes (of a Science of Cyberspace Security) would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.”  We have asserted the same requirement from the beginning of SENDS (here and here, for example), as did the DOE imply in its report.  It appears this principle applies to both a science of cyberspace security and a more general science of cyberspace (in fact, that’s a contributing factor to resolving wicked problems, another core component of SENDS).

But, there’s much more to understanding cyberspace and the questions we need to ask about it than cyberspace security.  That’s why we need a broader “Science of Cyberspace.”  To better secure cyberspace, it would be helpful to more fully understand what’s going on inside the environment as a whole.  Some might argue that the immune system seems to work just fine without knowing all the details about the host it’s protecting or the characteristics of the attacker.  But as the JASONs so rightly point out, an immune system is at best an inspiration for how to do better security.

In their study of systems, scientists and engineers typically try to address hard questions through broad understanding and awareness, and use an approach that provides deeper insights about the whole of a system.  While studying the immune system may help with understanding how the body defends itself, studying the immune system alone does not suffice for the study of the entire human body.  Likewise, studying the science of cyberspace security alone does not give us the broader understanding of the whole needed to study the entirety of the cyberspace system.

Since cyberspace is a socio-technological environment, built, explored and exploited by people (at least for the time being), we need to start understanding more about the ecology of the environment and how it’s changing human behavior as a whole.  We’ve seen that cyberspace as a massively interconnecting environment has already altered the nature of crime and spying (people-centric activities), and thus why there is a critical need for a science of cyberspace security.  That’s just one family of problems we face, however, because we don’t understand cyberspace holistically.

We need to ask questions about cyberspace, not just about cyberspace security.  Broadening our aperture of questions helps us accomplish the main objectives of science: explain and predict.  Many more questions need to be focused on the people part of cyberspace.  We began that process from the earliest drafts of the Science of Cyberspace White Paper (first drafted in March, 2009, by the way, and now posted in its eighth major draft, noted above) and in our earliest blogs (here and here, for example).

We also need not be put off when we find evidence or results that refute our hypotheses (another term for questions), either.  It’s just as important to publish findings that surprise us and rebut previously held notions as it is to present results that confirm our initial positions.  Science is about impartiality and repeatability of objectively derived findings.  A recent piece in the New Yorker Magazine, entitled “The Truth Wears Off: Is there something wrong with the scientific method?” bears that out.

In a sense, trying to do a science of cyberspace security without at least simultaneously doing a more general science of cyberspace may fall into the category of the cautions of the New Yorker piece…we need to ask questions about the whole environment, not just part of it.  That’s the approach SENDS and the Science of Cyberspace are taking.  Our success, however, will be in large part because of the insightful work the JASONs, the DOE and others are doing, just as they may also benefit from SENDS.

Cyberspace is immense, and it will take all we humans have to understand it, explore it, exploit it and protect it.  We’re all in this together.