Showing posts with label Governance. Show all posts

Thursday, January 27, 2011

Are Passwords Part of The Problem?

by Bob Schapiro

How many new passwords did you have to create in the past few months?

Spam is the first culprit when people think of the clutter that’s choking the Internet, but passwords aren’t far behind. Passwords are a security “solution” that’s part of the problem.

In fact, with the Conficker virus living comfortably on millions of home computers, maybe all of this cyber-clutter is not just an annoyance; it’s an actual security threat.

A few months ago I attended a conference with people from all the big companies and government agencies. Many of the speakers wondered why the gosh-darn American public doesn’t take cyber-security seriously…at least seriously enough to create stronger passwords. The consensus was that people need more education.

I don’t think we’re dumb. We’re just overwhelmed.

Maybe my situation is unique. I enrolled for a course at a university and had to create four new passwords—one each for the registrar, bursar, health service and to get my email. This week I subscribed to a magazine and had to create three new passwords: One to manage my subscription, one for the online version and another for the environmental organization that publishes the magazine.

But the most galling experience comes from—who else?—my cell-phone company. I can’t name them for legal reasons but it’s a huge company known for really lousy reception. (Let them come to court and claim that distinction.)

When I got my new cell-phone, I had to get a “micro cell” device because I get zero reception in my home. In order to connect it, of course, I needed a “user name and password” distinct from the ones I already have with both the phone company and with the company that makes my phone. (If you’re counting, I needed three passwords just to make the first phone call from my home.)

While installing the configuration software—to get the warranty—I got one of those little drop-down boxes where I had to “agree” to their terms. The word “agree” was in the flashing blue box, in case I was confused about what I was supposed to do. (I put “agree” in ironic quotation marks because the word is supposed to mean that you actually concur with something.)

I don’t know what possessed me, but I decided to actually read the agreement. I scrolled through a few pages of tiny print before downloading the whole thing. It was over 200 pages! Of tiny type! I know there was fine print before the Internet, but this is insane. When I bought my first car I had to sign seven or eight pages of small print and I thought that was a lot.

We’ve all clicked that flashing “agree” button. We know how the world works now. Are you really going to return that piece of software—the one you’re already installing—because of sub-paragraph xvii on page 128?

But not so long ago, all you’d need for the warranty was to keep the receipt.

What is the effect of all these meaningless passwords and agreements? Imagine if you only had to create five or six passwords…for your employer, your bank, a few others…do you think you might take them all more seriously? Most of us used to think twice before signing a long document. Now we don’t even look anymore. In fact, if you took all of this seriously, you wouldn’t be able to get through daily life in the cyber age.

You probably have your own stories. We’d like to hear them. Just send them to words@sendsonline.org or make your comments to this blog below.

Not to boast—okay, to boast a little—SENDS has the attention of the major players who are shaping cyberspace. Participating in SENDS will help you be heard.

SENDS seeks to discover what is inherent in cyberspace. My guess is that passwords are not. In the future, you may just swipe your thumbprint at any computer…or there may be facial recognition.

Right now, a lot of so-called cyber-security is driven by marketers. Yet companies will stop these people if they see a downside. A few years ago many websites absolutely needed to know your social security number and mother’s maiden name “to help us protect you.” Then they discovered that they were liable if there was data theft…and all of a sudden, they decided that this information was not so vital after all.

What do you think is vital…and what is intrusive cyber-clutter? Let us know at words@sendsonline.org. We’ll pass it along.

Friday, December 17, 2010

Community in Cyberspace: Real or Imagined?

By Carl Hunt

What do the reactions to the recent WikiLeaks (also here), Facebook, and your town have in common?  Well, since you saw the title to this week’s blog already, you guessed it: community.  The line of inquiry we take up today, however, is how “real” are these communities and what do they mean to us in terms of individual and collective human behaviors?

Since we talked a bit about Facebook previously, we'll focus on real "imagined" communities.

We all experience effects of behavior and one of the very first insights we consider is the effects of behavior in cyberspace-based communities.  Regardless of nation-state ties or physical locations, the virtual communities of cyberspace can create real effects that cause challenges to the traditional structure of government or business.  The communities that formed to do “virtual combat” against those that initially cut off access to the WikiLeaks site caused real damage that can be measured in lost income or customer confidence.  While the level of damage caused is still being debated, it was indeed quantifiable.

Equally as interesting, there is no evidence that any of the groups (communities, if you will) had ever met or coordinated their attacks on each other before the recent US government-related WikiLeaks were released.  These communities may have previously existed but their objectives and capabilities remained largely unnoticed until a rationale manifested itself and these groups self-identified around a common cause.  They “imagined” a status that empowered them to act as members of a community.

So, what is an imagined community as opposed to a real community?  Is there a difference as far as cyberspace communities are concerned?

Americans, Chinese, French, and even Somali citizens understand their ties to a nation-state entity.  In some populations, the concept of nationalism creates great personal patriotism and fervor, and in some a personal identification with national spirit is less relevant.  But in all cases, according to Cornell emeritus professor, Benedict Anderson, some quality of fraternity emerges and a people develop a sufficient sense of national identity that they come to be willing to die for their identity and the national entity.

Since we have not yet fought any full-blown Cyber World War, it’s unclear yet how such a strong sense of “nationalism” will play out in cyberspace.  Anderson’s ideas about imagined communities still resonate strongly in both real and virtual life, however.  We’ll have to see how the notion of willingness “to die for their identity” as a part of a community, whether physical or virtual, will play out, but there are insights we can start to accrue, as the recent WikiLeaks episodes make clear.

NY Times technology reporter and author Nick Bilton has begun to address the idea of imagined community as it applies to cyberspace in I Live in the Future and Here’s How it Works (Crown, 2010).  Bilton writes “…we are constantly weaving in and out of small and large, obvious and imagined communities.”  Cyberspace, or the digital realm, as Bilton further clarifies it, is an “always on, real-time, creating, consuming society,” and the media has been bringing this trend to human community for many years, perhaps centuries, as noted by both Anderson and Bilton.

Writes Bilton about Anderson’s perspectives on community and the media: “In the same way that Anderson recognized that the printing press and its ability to communicate in a person’s language could break up power structures and create meaningful and powerful nations, so too may our online communities reshape and remake both our own personal imagined nations and our traditional ways of communicating.”

The creation of new globally-connected, yet often self-detached imagined communities, such as the participants in the wikispaces conflict demonstrate, is important to watch.  Community may be real or virtual but it is in the mind of the beholder what role and actions the inhabitants may take, and in fact, cyberspace may amplify those roles and accelerate behaviors around the globe.  While we may never see the Cyber World War, we will likely see constant transformation of conflict as enabled by cyberspace and imagined communities.

Study and modeling of these communities is a critical objective of SENDS as we have noted here and here, for example.  Creation of common terms and concepts so that we can better understand the wicked nature of the problems we discover along the way is also a mandate.  Before we can understand communities and new forms of conflict in cyberspace, we have to come to grips with the nature of cyberspace, and we need your help.  Please send us your thoughts to words@sendsonline.org and let’s move forward with this real and important community!

Friday, December 10, 2010

Information Operations and Cyberspace: It's “Time” to Chat

By Craig Harm

Last week, Carl Hunt and I had the opportunity to talk about the SENDS effort at the Defining IO/Cyber Spectrum Operations Conference hosted at SPAWAR, Charleston, SC.  The conference was conducted by the Association of Old Crows.  The conference theme was “Defining IO & Cyber Capabilities in 21st Century warfare”.  Keynote speakers were headlined by Vice Admiral “Mike” McConnell, U.S. Navy (retired) who was previously the Director of the National Security Agency and the Director of National Intelligence.  This was an important conference!

Discussions the first day centered on the strategic issues of DoD and national cyber operations and defense efforts.  While we heard how each of the military services is reorganizing to make cyber operations a more main-stream activity, we also heard about the complexity of their network management and defense challenges.  Senior-level operators expressed their concerns about being unable to see into their own networks.  The speakers included an Army general officer, a reservist on active duty, who has also worked in senior leadership positions in the commercial sector.

Many of the senior-level presenters on the first day talked about their efforts to secure their own networks.  As would be expected from those with such responsibilities, they all seemed to focus on the key areas of management, oversight, accountability, command and control and roles and missions.   These points were highlighted by recurring mention of organizational studies, effectiveness inspections, committee formations and “way-ahead” talks.

The second day was focused more on the “tactical” level and network operations.  A key point about network dependencies was brought up during these discussions.  The upshot of all of the presentations was that despite the talk of Net Centric Operations and Warfare, the DoD is really Net Dependent, and it is this Net Dependency that presents the most opportunities for vulnerability; this creates a driving force behind the requirement for secure networks.   With over 1.4 million DoD users on the network (including an increasing mobile presence), the challenge for network operators is building the culture to ensure users are protecting data and the network.

Yes, despite the leap in technologies and accessibility, it is still a culture issue – a people issue.

Although the details and the content of most of the discussions about Information Operations (IO) were classified, there were some key points of interest we can discuss here.  The first and foremost to me is the incongruence of the definition of Information Operations and what it is composed of.   Even today, there is still debate about what IO is and how it’s done.  The conventional DoD definition of IO includes both electronic warfare (EW) and computer network operations (CNO).   While some of these discussions look and feel “new”, such as computer network operations, the main themes are not, as I point out below.

The third and last day was conducted as a panel forum on new technologies.  The panel members were asked to address “What are some new technologies on the horizon, and how are these technologies transitioned to the warfighter?  What are Cyber and Net-Centric Warfare, and how will these capabilities help the warfighter?”

There were discussions and presentations on adaptive antenna technologies, text and video content extraction, as well as Information Management systems: the technologies of cyber-enabled operations, if you will.  It was in these sessions that Carl presented the SENDS Project.  His was the only presentation of the entire conference to specifically address the need to understand the human part of cyberspace, the linkage between “new” and “old” thinking about Information Operations (see below).

Many of the presentations during the conference alluded to the human element, but none called it out specifically.   In addition to giving a basic overview of the SENDS philosophy and the concept of the Science of Cyberspace, Carl talked of how the biggest source of both gratification and aggravation in the growth of cyberspace is in innovation….persistent, emergent innovation, a human process, by the way.

There is a paradox of sorts, where the ultimate uses of technologies and policies in many cases deviate to a use that was not the original intent.  This, Carl pointed out, is the manifestation of emergence from human, technological and cultural exchanges.  Cyberspace is a breeding ground for adaptation and innovation.  People interacting with other people, often through cyberspace technologies, show us daily how adaptive and yet unpredictable we truly are: this also helps explain why social science, while making progress, still has a long way to go!

After hearing three days of talk about the importance of Information Operations, the tremendous focus and effort within the DoD towards these operations, and the monumental challenges DoD has to overcome to implement them, I began to wonder why this seems so new to people.  Information, communication, connectivity and secure lines of communication have historically always been important, vital parts of our lives as humans.

Several in the conference pointed out that during the Revolutionary War, it was George Washington’s tremendous human network for gathering information that enabled him to outmaneuver the British and keep the Colonial Army intact.  While moving to intercept Robert E. Lee's Army of Northern Virginia, Union soldiers from George B. McClellan's Army of the Potomac discovered a misplaced copy of Lee's detailed battle plans wrapped around three cigars; even though McClellan failed to exploit the discovery to victory, he was still able to achieve a tactical draw at Antietam (interestingly, some of the first “cyberspace” technologies, such as the telegraph, linked people during that time).  World War II saw the dependence on wireless transmission, another manifestation of cyberspace.  The Allied exploitation of Japanese codes and the German Enigma machine gave a significant advantage to the Allied war efforts.

So why is there the sudden emphasis on Information Operations?  Why is this different now, in the 21st Century, than it has been in the past?  Why are these operations drawing so much attention from our national leaders in the last few years?

I believe what is really making this different is rooted in the effects modern cyberspace connectivity brings to operations.  Near-ubiquitous human connectivity and the massive quantities of data, interacting through the technology of cyberspace, have a transformational temporal impact.  It is really about time, and the massive human-human, human-machine and machine-machine interactions that modern, fast-paced flows of information enable.   SENDS is attempting to gain an understanding of these same themes through the study of exchange, emergence and self-organization.

These elements that cyberspace brings to Information Operations make things different now, more than at any other period in history.  And it is these elements, including the effects of time, through which we must gain a more fundamental understanding before any study, reorganization or new policy will ever have any significant impact.

Sunday, October 10, 2010

The US Ambassador to Cyberspace?

by Carl W. Hunt

Several members of the SENDS Consortium have reviewed the SENDS Science of Cyberspace White Paper. This paper proposes interdisciplinary ways to proceed in the development of such a body of science, including education (which in fact is a separate SENDS task, and discussed in an earlier blog). One important topic that was only briefly mentioned in the White Paper, however, is the policy and political science approach to a Science of Cyberspace.

In the White Paper we briefly discuss pending legislation that has gone to committee (Senate Bill 3193, “International Cyberspace and Cybersecurity Coordination Act of 2010”) and follow-up articles on the US State Department (e.g., here and here) about their potential responsibilities under such an act if it became law. While it is not clear if this particular legislation will be enacted, it’s apparent that at least some in the Administration and Congress consider the uniqueness and the ubiquity of cyberspace as an environment that requires a diplomatic presence in order to engage in the international emergence of globally present interconnectivity. Some observers quoted in the two articles cited even mentioned an “Ambassador to Cyberspace.”

It’s worth discussing a bit more about what such a diplomatic position might entail, what could be some of its contributions, and what SENDS might do in support of such an effort. Two recent publications point even more directly at the need for this discussion. The first, a Wired Magazine piece from the October, 2010 edition, entitled “Post-State Diplomacy,” raises the issue of how a nation-state like the US conducts diplomacy with non-nation-states within cyberspace. Although slightly irreverent in its approach, Wired presents a good point about diplomacy that we’ll take up in future blogs.

The Wired piece is particularly worth discussing in the context of new thinking about the “Global Commons” and the ways in which cyberspace is such an important component of it. This is brought out in a recent essay by Capt Mark Redden, USN, and Col Michael Hughes, USAF, “Global Commons and Domain Interrelationships: Time for a New Conceptual Framework?” from the National Defense University’s Institute for National Strategic Studies (INSS). They discuss the Commons as air, sea, space and cyberspace.

The INSS paper tells us that for the last 60 years, it has been the responsibility of the US military to guarantee national access to the Commons (see US National Defense Strategy). Both military and diplomatic challenges in the last 10-12 years are changing this paradigm, according to the essay, with the domain of cyberspace bringing about the most acute challenges. “Despite its breadth of use within both the civilian and defense sectors, the U.S. defense community’s understanding of the full impact of cyberspace on military capabilities and operations is modest at best,” note Redden and Hughes.

Unfortunately, Redden and Hughes miss several important opportunities to discuss interrelationships of the “Commons” environments in the context of Interagency interdependencies and their own “interdomain” interactions. Fortunately, they do briefly discuss the issues in relationship to the DIME construct (Diplomacy, Informational, Military and Economic bases for national power), at least raising the visibility of non-military perspectives in US relationships in the Commons, including cyberspace.

Diplomacy is critical, not only for traditional reasons, but for what the authors call “expanding interdomain relationships,” which means all the components of the Commons interacting and becoming ever more interdependent. This is even more relevant when thinking about the domains of the Commons interacting within the context of how Whole of Government entities think about the Commons consistent with their own organizational missions: “interdomain” perspectives can have multiple contexts. This line of thinking is a key contribution the INSS presents for the Interagency community to explore.

The investigation of many things “inter-” (interaction, interdependency, interrelationships, “interdomain”, etc.) composes a major part of SENDS research. Interdomain, interagency thinking is a significant area that SENDS offers to synergize with the approach it takes in the development of the Science of Cyberspace. Redden and Hughes do a fine job teasing out the important insights about the environments of the “interdomain” to think about here, but it is at least as important to think about non-military perspectives as it is the military roles.

We would like to discuss more of the role an “Ambassador of Cyberspace” might play in shaping a fuller articulation of a national strategy for security and prosperity, and will solicit more participation as the SENDS Pilot unfolds. For the time being though, we want to ask readers and followers of SENDS to think about how we as a national entity interact with the rest of the world from a diplomatic standpoint.

How would the “US Ambassador to Cyberspace” interact with others, state and non-state, and what would they seek in representing the nation? As the Wired piece points out, dealing with non-states requires a different type of “diplomacy” than what we have practiced in state-to-state interrelationships.

Those of us taking on the work of developing a Science of Cyberspace appreciate the important assertions and questions raised by the Wired Magazine article and the INSS essay. As we have suggested in other presentations on SENDS, we may find insights from the way business and non-governmental organizations interact with both states and non-states, but that is only a proposal for the first “Ambassador to Cyberspace” to explore.

Several of the SENDS advisors worked on a project a few years ago that produced a concept we called the “CyberDIME” which we'll talk more about in future blogs as part of the challenge the Wired Magazine article poses. This notion suggests diminishing the role that the military takes in “interdomain” and “international” interrelationships, which while not the focus of the INSS paper, must be considered in the age of massive interconnectivity. SENDS also offers to open the forum for this discussion, as well.