Cyberspace Science and Cyberspace Security Science: Why Both?

by Carl Hunt

In an October, 2010 blog, I commented about the importance of asking “the right questions” in critical situations.  “It’s the questions, not the answers, which most guide us in strategic thinking and understanding…And equally important, it is the order in which you ask questions and experience discovery through responses to those questions that help you form strategies.” I wrote these words citing the inspiration of mentor Dr. David Schum of George Mason University.

It’s an odd if fascinating experience to quote yourself from a previous writing to make a point, but it’s also boring and probably doesn’t raise many new challenges in thinking.  So, I’ll try to springboard off that “inspirational” quote to distinguish why we need two “disciplines”: one the major and one the minor, to study cyberspace.  It may turn out we need many more, but these two will provide a great start to test the limits of human thinking about connectivity!

Why do we need both a Science of Cyberspace and a Science of Cyberspace Security, the latter of which receives significantly more emphasis?

We require them both because they are so deeply interwoven that we need both a general understanding of the environment of cyberspace and we critically need to understand how to secure it.  Science to secure cyberspace may have a shorter-term, technological focus, but together they may ultimately satisfy the requirement for prosperity in this new environment.

It will be scientific-based study, informed by the process of meaningful inquiry, that will help us see beyond a purely technological domain and restore some methodological insights into what is happening to man in the advent of the hyper-connected age of cyberspace.

You can probably tell by now that I consider a Science of Cyberspace to be the major discipline!

In considering both cyberspace in general and cyberspace security in particular, it’s about the questions we ask that drive new and hopefully relevant discovery, and that’s the construct I’ll use to discuss both efforts.  The nature of these questions will help discern the differences in our quest to understand cyberspace from these two strongly related perspectives.

I’ll start with the Science of Cyberspace Security requirement based on a recently released government-sponsored effort called “Science of Cyberspace Security” published in November, 2010 by the MITRE Corporation and the JASON group.

If one didn’t already know it before reading this report, it’s easy to see why security demands the most attention since business, academia and government (and indeed the world’s economic systems) have built a critical reliance on what cyberspace offers in terms of connectivity and access.  Cyberspace security is also a core component of the overall SENDS Project, including the SENDS modeling and simulation environment, SENDSim.  It’s a vital topic!

The JASON report provided answers, but what were the questions they addressed?

The report used nine basic questions to organize thinking within their findings, having been provided these questions by their government sponsorship (according to page 3 of the report, also where we find the start of the questions).  The reader interested in cyberspace security should refer to the JASON report to form their own conclusions, but the idea of building a strategic position around important questions is the focus here.

As Dave Schum always advised, it really helps if you’re working with “the right questions.”  All in all, it appears the government provided the JASON group with meaningful questions and they responded well within the framework of those questions.  But, were they the “right questions?”

We need to ask how suitable the questions were to guide us in strategic thinking and understanding of cyberspace.  Perhaps they were a reasonable start, yet they were narrowly focused on the “minor” discipline of the study of cyberspace: the Science of Cyberspace Security.  To really be “the” questions that guide us in better understanding cyberspace, they must be broadened to address the entirety of the environment.

The questions provided, as rooted in scientific exploration as they were, did not get at the issues we’ve raised in SENDS about people and community as the key part of the solution space.  Any line of inquiry for the study of the Science of Cyberspace will need to focus on people: people as users, people as designers, people as protectors, people as attackers and people as solutions.  The JASON study addressed the questions they were provided well enough, but again, were they “the right questions?”  Did these questions help objectively frame their responses and allow for full impartiality?  After all, that’s a significant purpose of meaningful inquiry.

While we don’t have access to the instructions provided to the JASON panel, we do have the list of the questions they were provided by the sponsor.  For those who focus on the role of people in cyberspace, it’s gratifying to see that question 5 did ask if social sciences, among others, could serve as topics that could “contribute to a science of cyber security?”

The body of the JASON study interwove important topics that are people-centric in their substance.  These topics include game theory, trust, biologically-inspired immune responses and metric collection/ assessments.  For the most part, however, the JASON group focused on technological prescriptions.  A significant Department of Energy December, 2008 report, “A Scientific Research and Development Approach To Cyber Security,” cited over-reliance on a technology focus as a chief complaint, as has SENDS since its origins.  SENDS found inspiration from the DOE work. Did the JASON line of inquiry enhance thinking in that regard?  Readers should decide for themselves.

The sponsor’s questions did lead to one critical response from the report, however:  “The most important attributes (of a Science of Cyberspace Security) would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.”  We have asserted the same requirement from the beginning of SENDS (here and here, for example), as did the DOE imply in its report.  It appears this principle applies to both a science of cyberspace security and a more general science of cyberspace (in fact, that’s a contributing factor to resolving wicked problems, another core component of SENDS).

But, there’s much more to understanding cyberspace and the questions we need to ask about it than cyberspace security.  That’s why we need a broader “Science of Cyberspace.”  To better secure cyberspace, it would be helpful to more fully understand what’s going on inside the environment as a whole.  Some might argue that the immune system seems to work just fine without knowing all the details about the host it’s protecting or the characteristics of the attacker.  But as the JASONs so rightly point out, an immune system is at best an inspiration for how to do better security.

In their study of systems, scientists and engineers typically try to address hard questions through broad understanding and awareness, and use an approach that provides deeper insights about the whole of a system.  While studying the immune system may help with understanding how the body defends itself, studying the immune system alone does not suffice for the study of the entire human body.  Likewise, studying the science of cyberspace security alone does not give us the broader understanding of the whole needed to study the entirety of the cyberspace system.

Since cyberspace is a socio-technological environment, built, explored and exploited by people (at least for the time being), we need to start understanding more about the ecology of the environment and how it’s changing human behavior as a whole.  We’ve seen that cyberspace as a massively interconnecting environment has already altered the nature of crime and spying (people-centric activities), and thus why there is a critical need for a science of cyberspace security.  That’s just one family of problems we face, however, because we don’t understand cyberspace holistically.

We need to ask questions about cyberspace, not just about cyberspace security.  Broadening our aperture of questions helps us accomplish the main objectives of science: explain and predict.  Many more questions need to be focused on the people part of cyberspace.  We began that process from the earliest drafts of the Science of Cyberspace White Paper (first drafted in March, 2009, by the way, and now posted in its eighth major draft, noted above) and in our earliest blogs (here and here, for example).

We also need not be put off when we find evidence or results that refute our hypotheses (another term for questions), either.  It’s just as important to publish findings that surprise us and rebut previously held notions as it is to present results that confirm our initial positions.  Science is about impartiality and repeatability of objectively derived findings.  A recent piece in the New Yorker Magazine, entitled “The Truth Wears Off: Is there something wrong with the scientific method?” bears that out.

In a sense, trying to do a science of cyberspace security without at least simultaneously doing a more general science of cyberspace may fall into the category of the cautions of the New Yorker piece…we need to ask questions about the whole environment, not just part of it.  That’s the approach SENDS and the Science of Cyberspace are taking.  Our success, however, will be in large part because of the insightful work the JASONs, the DOE and others are doing, just as they may also benefit from SENDS.

Cyberspace is immense, and it will take all we humans have to understand it, explore it, exploit it and protect it.  We’re all in this together.

SENDS 2010: The Year in Review

by Carl Hunt, Bob Schapiro and Craig Harm

In sports, when an underdog team surprises everyone and gets into the playoffs, they can’t wait until the next game.  That’s what the SENDS team is feeling right now: the thrill of anticipation as we see our season extended and the team getting better and better when it counts.

Our goal has always been to empower the public to create the future of cyberspace and become part of the SENDS team.  A few months ago, we were in the odd position of being able to open positions on the team, but not having a lot of people to join.  Now that is changing...fast.

From the beginning, SENDS has been fortunate to enjoy the active participation of great thinkers...including some of the people who actually set the course for the future of the Internet.  Most of these people work for the government and major software firms, hired for their expertise in cyber-security.  But as scientists, they wish to transcend that role and discover what makes cyberspace tick.  They know this can only be discovered by working with the people who use the Internet every day; in short, almost everyone – it’s a big team!

That’s where SENDS comes in.

To be blunt, until a few months ago, our resources for reaching the public were not what we hoped they’d be.  But the seeds we planted started to thrive, growing stronger every day.  With this posting, we have now published 31 blogs in the 3½ months from the first entry.  We’ve been fortunate to be highlighted in several online fora, including James Fallows’ Atlantic Magazine blog, the DoD’s Armed with Science blog, and an interesting site called “OhMyGov!”  We’ve even been invited to two Highlands’ Forum meetings to talk about SENDS and participate in discussions of Design in Cyberspace.

The important thing is that you are reading this blog...and if you’re like most of the people who now read and contribute, six months ago you had no idea what SENDS was.  You joined the team!

In 2011, we look forward to empowering people in many ways, as with our initiative for you to help create the new vocabulary of cyberspace.  In fact, thanks to contributors, we have a lot to build on to strengthen and broaden the team.  As 2010 draws to a close, however, it’s worth talking about the direction the SENDS Pilot project has traveled from its inception and to try to put it into context.  That, along with new team members’ contributions, creates the synergy for 2011.

SENDS began in 2009 as a proposal to address the observations of a December, 2008 US Department of Energy White Paper entitled “A Scientific Research and Development Approach To Cyber Security.”  Thus, SENDS began as a project to address cyberspace security, expanding on several of the thoughts from that very fine DOE paper.

It became clear after a 90-day study, however, that in order for the US and indeed all users of cyberspace to explore and exploit the environment, security was necessary but not a sufficient condition to unleash the potential cyberspace has to enhance prosperity on a national and global scale.  We took this challenge to potential government sponsors and they agreed.

In a June, 2010 interagency, multidisciplinary forum in Arlington, VA, the current SENDS Pilot Project was initiated, identifying four main tasks to accomplish in the 12-month pilot.

As we embarked on the project, new ideas came to light as a result of the collaboration of the diverse SENDS participants.  The SENDS tasks were still relevant, but we found that we needed to look through the lenses of living systems and ecology to develop holistic perspectives about the greatest connecting fabric mankind has known.

Several prominent advisors told us that the ecological perspective is a valuable way to think about the challenges of cyberspace prosperity and security, particularly when considered through the standpoint of what is found in wicked problem resolution literature.  The wicked problem resolution advice is good because it also helps us think about the social context of problem definition and resolution: it’s a people challenge, just as are cyberspace prosperity and security.

We took this good advice and blended it with the thoughts of guest bloggers to produce what we think is an objective viewpoint about how cyberspace is emerging around us and how it will affect us in the future.  We looked at people, processes and technology as a convergent and emergent phenomenon (starting here).  These insights have been continuously informed by multiple perspectives, possible through the connectivity that cyberspace offers.

This holistic view is why SENDS is more than just another cyberspace security project.

Through the efforts of a variety of authors, the SENDS Blog has been fortunate to provide diverse perspectives on the SENDS tasks through several backgrounds…the SENDS wiki site has augmented and expanded these perspectives.

Broad thinking about one of the two most long-term focused SENDS tasks, Education and Academic Curricula, for example, has led to contributions from no less than four authors about this important topic.  We have had the good fortune to hear from a school teacher in Canada, an Emmy-Award winning documentary director/ producer, a director of a nationally recognized science center in Florida and a retired military officer (here and here), each sharing distinctive perceptions about how America must look at education in the connected age.

Another long-term task, a Center for Cyberspace Science, has generated equally important and diverse perspectives, ranging from the use of advanced modeling and simulation capabilities to the development of a “cyberspace laboratory.”  When put into the context of better understanding concepts like community in cyberspace and formulating meaningful inquiry about this new environment, a center for studying the remarkable power of cyberspace connectivity seems mandatory for better understanding this new world.

The task to develop relevant models and simulations (M&S) as a “laboratory” for cyberspace is indeed one of the tasks we have invested considerable resources in.  The SENDS M&S team collected data from a variety of subject matter experts, including military, law enforcement and commercial practitioners to develop SENDSim.  This M&S environment, shown in its early stages here, is one of the first products of the Center.

We are also developing SENDSim to become a useful tool to gain insights on the kind of socio-technological convergence issues we’ve been discussing above.  Speaking of understanding socio-technological convergence, the SENDS team has also been fortunate to publish the insights of a senior media analyst to help clarify challenges to look at cyberspace in this way (here and here).  We’ve even had an innovative software developer write about the development of programming languages in the context of socio-technological convergence and ecology!

Another early product of the Center is a White Paper on the Development of a Science of Cyberspace, that while in early draft form, may serve as a framework for the consideration of important topics to demonstrate how such a discipline would be studied.  We will see more similar products from the Center as the Pilot continues, and we expect to write about them here in this blog.

The first six months of the SENDS Pilot Project have been exciting, and chronicling it within the pages of the SENDS Blog has been rewarding considering the diversity of the authors who have contributed.  The remaining six months of the Pilot should be equally rewarding as we see the maturity of SENDSim emerge.

We look forward to experiencing greater government, commercial, academic and even individual relationships as we improve on the Science White Paper through more diverse input, and synergize SENDS through collaboration with other efforts.  We also look forward to formalizing relationships that move the Center for Cyberspace Science into a suitable home.

In coming weeks, we’ll port over this blog and much of the wiki material to a SENDS-dedicated site at www.sendsonline.org.  We’ll announce the movement of the site in this blog and on the wiki when we’re up and running.  Please visit us there, and continue to send your thoughts to words@sendsonline.org or through comments within this blog.

It’s been a great first six months for the rapidly growing SENDS team and we can hardly wait for the next six.  The playoffs await and the season continues!

A Center for the Science of Cyberspace

by Carl Hunt

In the 14 October blog, I discussed strategies for SENDS and described one of the four SENDS Pilot tasks dealing with the development and application of sophisticated modeling and simulation tools. Specifically, I described a project we call SENDSim. As you recall, SENDSim provides a laboratory for experimentation in SENDS.

There are several purposes for SENDSim, but one of the most important deals with visualizing interactions of people, technologies and policies in order to design a better process of inquiry for understanding cyberspace both tactically and strategically. The discussion of inquiry (and thus evidence-based) strategy and tactics is as important to cyberspace operations and defense as it is to national security and prosperity, as we’ve noted throughout these blogs and the entire SENDS Pilot Project.

In speaking about strategy for cyberspace, we turn now to another of the SENDS Pilot tasks: Prototype a Center for the Science of Cyberspace. This task has two main purposes, supported by all the others.

The first main purpose of this task is to foster the development of a Science of Cyberspace (as we have proposed here and discussed here and here). We want to achieve this objective while simultaneously accomplishing the second purpose of creating a virtual center for collaborative inquiry, discussions and hosting of the laboratories we are deploying through SENDSim and other similar projects.

The quest to develop a scientific discipline follows an interest of the original SENDS project leadership to think about cyberspace as an ecosystem, a synergistic collection of entities that thrive in balance with each other and the sustaining environment. This description points to why we cannot think of cyberspace as any one "big thing" and why cyberspace protection and security can never be composed of any one technological approach: we need science to frame an objective, inquiry-derived discussion about cyberspace.

In the current Science of Cyberspace White Paper, we devote a good deal of space to describing the sustaining environment of cyberspace. For this blog, we only point out that it is a blend of people and technology that empower the processes of exchange and self-organization to produce emergent effects and behaviors, as we’ve previously described here and here. It is these cyberspace-enabled effects and behaviors that we want to study and understand.

To help sustain and better formalize the development of the Science of Cyberspace, we are using the SENDS Substrate as an initial “Center for Cyberspace Science.” This allows us to collaborate through reviews and comments without having to come together to meet physically. We still intend to meet several times a year, but science requires plugging along consistently, openly and collaboratively challenging ideas and testing, and refining inquiry and evidence. At this point, the substrate can do this in a rudimentary way and allow us to make initial progress with smaller financial investments. It also harnesses the power of cyberspace connectivity.

As the Pilot Project progresses, we'll continually open the SENDS Substrate to more and more people interested in progressing the Science of Cyberspace and the studies that will support it. This blog, for example, is already generating what appears to be an international audience with readers (we hope) from the UK, Singapore, France and the Philippines, as well as the US. This is in keeping with developing the Science of Cyberspace as “Open Science.” We are pleased to welcome these readers.

You’ll note that I used the terms “evidence-based” and “inquiry-based” several times in today’s blog. We’ll close the discussions today on why those terms are so important, pointing back again to the work of David Schum. When it comes to science, inquiry emerges from many sources, including the process of discovery through tools such as SENDSim. Refinement of inquiry into something useful that helps to prove or refute the “answers” we uncover in our questions requires analysis and testing of evidence: the more open, the better.

The process of inquiry and testing evidence that can then be modeled and subjected to further scrutiny turns curiosity into science. It is in this area that Dave and his years of work in developing a “science of evidence” have made such a great contribution. His inspiration and the insights of those he exhorts us to study will help guide SENDS in developing and refining a Science of Cyberspace and a Center in which to explore it.

As promised, we’ll discuss the other tasks and more about SENDS in the near future. We’ll also present some brief book reviews of contemporary texts (just released) such as Steven Johnson’s new book Where Good Ideas Come From and Kevin Kelly’s What Technology Wants. Both of these works apply directly to SENDS and the Science of Cyberspace. We look forward to sharing their insights with our readers.