Cyberspace Science and Cyberspace Security Science: Why Both?

by Carl Hunt

In an October, 2010 blog, I commented about the importance of asking “the right questions” in critical situations.  “It’s the questions, not the answers, which most guide us in strategic thinking and understanding…And equally important, it is the order in which you ask questions and experience discovery through responses to those questions that help you form strategies.” I wrote these words citing the inspiration of mentor Dr. David Schum of George Mason University.

It’s an odd if fascinating experience to quote yourself from a previous writing to make a point, but it’s also boring and probably doesn’t raise many new challenges in thinking.  So, I’ll try to springboard off that “inspirational” quote to distinguish why we need two “disciplines”: one the major and one the minor, to study cyberspace.  It may turn out we need many more, but these two will provide a great start to test the limits of human thinking about connectivity!

Why do we need both a Science of Cyberspace and a Science of Cyberspace Security, the latter of which receives significantly more emphasis?

We require them both because they are so deeply interwoven that we need both a general understanding of the environment of cyberspace and we critically need to understand how to secure it.  Science to secure cyberspace may have a shorter-term, technological focus, but together they may ultimately satisfy the requirement for prosperity in this new environment.

It will be scientific-based study, informed by the process of meaningful inquiry, that will help us see beyond a purely technological domain and restore some methodological insights into what is happening to man in the advent of the hyper-connected age of cyberspace.

You can probably tell by now that I consider a Science of Cyberspace to be the major discipline!

In considering both cyberspace in general and cyberspace security in particular, it’s about the questions we ask that drive new and hopefully relevant discovery, and that’s the construct I’ll use to discuss both efforts.  The nature of these questions will help discern the differences in our quest to understand cyberspace from these two strongly related perspectives.

I’ll start with the Science of Cyberspace Security requirement based on a recently released government-sponsored effort called “Science of Cyberspace Security” published in November, 2010 by the MITRE Corporation and the JASON group.

If one didn’t already know it before reading this report, it’s easy to see why security demands the most attention since business, academia and government (and indeed the world’s economic systems) have built a critical reliance on what cyberspace offers in terms of connectivity and access.  Cyberspace security is also a core component of the overall SENDS Project, including the SENDS modeling and simulation environment, SENDSim.  It’s a vital topic!

The JASON report provided answers, but what were the questions they addressed?

The report used nine basic questions to organize thinking within their findings, having been provided these questions by their government sponsorship (according to page 3 of the report, also where we find the start of the questions).  The reader interested in cyberspace security should refer to the JASON report to form their own conclusions, but the idea of building a strategic position around important questions is the focus here.

As Dave Schum always advised, it really helps if you’re working with “the right questions.”  All in all, it appears the government provided the JASON group with meaningful questions and they responded well within the framework of those questions.  But, were they the “right questions?”

We need to ask how suitable the questions were to guide us in strategic thinking and understanding of cyberspace.  Perhaps they were a reasonable start, yet they were narrowly focused on the “minor” discipline of the study of cyberspace: the Science of Cyberspace Security.  To really be “the” questions that guide us in better understanding cyberspace, they must be broadened to address the entirety of the environment.

The questions provided, as rooted in scientific exploration as they were, did not get at the issues we’ve raised in SENDS about people and community as the key part of the solution space.  Any line of inquiry for the study of the Science of Cyberspace will need to focus on people: people as users, people as designers, people as protectors, people as attackers and people as solutions.  The JASON study addressed the questions they were provided well enough, but again, were they “the right questions?”  Did these questions help objectively frame their responses and allow for full impartiality?  After all, that’s a significant purpose of meaningful inquiry.

While we don’t have access to the instructions provided to the JASON panel, we do have the list of the questions they were provided by the sponsor.  For those who focus on the role of people in cyberspace, it’s gratifying to see that question 5 did ask if social sciences, among others, could serve as topics that could “contribute to a science of cyber security?”

The body of the JASON study interwove important topics that are people-centric in their substance.  These topics include game theory, trust, biologically-inspired immune responses and metric collection/ assessments.  For the most part, however, the JASON group focused on technological prescriptions.  A significant Department of Energy December, 2008 report, “A Scientific Research and Development Approach To Cyber Security,” cited over-reliance on a technology focus as a chief complaint, as has SENDS since its origins.  SENDS found inspiration from the DOE work. Did the JASON line of inquiry enhance thinking in that regard?  Readers should decide for themselves.

The sponsor’s questions did lead to one critical response from the report, however:  “The most important attributes (of a Science of Cyberspace Security) would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.”  We have asserted the same requirement from the beginning of SENDS (here and here, for example), as did the DOE imply in its report.  It appears this principle applies to both a science of cyberspace security and a more general science of cyberspace (in fact, that’s a contributing factor to resolving wicked problems, another core component of SENDS).

But, there’s much more to understanding cyberspace and the questions we need to ask about it than cyberspace security.  That’s why we need a broader “Science of Cyberspace.”  To better secure cyberspace, it would be helpful to more fully understand what’s going on inside the environment as a whole.  Some might argue that the immune system seems to work just fine without knowing all the details about the host it’s protecting or the characteristics of the attacker.  But as the JASONs so rightly point out, an immune system is at best an inspiration for how to do better security.

In their study of systems, scientists and engineers typically try to address hard questions through broad understanding and awareness, and use an approach that provides deeper insights about the whole of a system.  While studying the immune system may help with understanding how the body defends itself, studying the immune system alone does not suffice for the study of the entire human body.  Likewise, studying the science of cyberspace security alone does not give us the broader understanding of the whole needed to study the entirety of the cyberspace system.

Since cyberspace is a socio-technological environment, built, explored and exploited by people (at least for the time being), we need to start understanding more about the ecology of the environment and how it’s changing human behavior as a whole.  We’ve seen that cyberspace as a massively interconnecting environment has already altered the nature of crime and spying (people-centric activities), and thus why there is a critical need for a science of cyberspace security.  That’s just one family of problems we face, however, because we don’t understand cyberspace holistically.

We need to ask questions about cyberspace, not just about cyberspace security.  Broadening our aperture of questions helps us accomplish the main objectives of science: explain and predict.  Many more questions need to be focused on the people part of cyberspace.  We began that process from the earliest drafts of the Science of Cyberspace White Paper (first drafted in March, 2009, by the way, and now posted in its eighth major draft, noted above) and in our earliest blogs (here and here, for example).

We also need not be put off when we find evidence or results that refute our hypotheses (another term for questions), either.  It’s just as important to publish findings that surprise us and rebut previously held notions as it is to present results that confirm our initial positions.  Science is about impartiality and repeatability of objectively derived findings.  A recent piece in the New Yorker Magazine, entitled “The Truth Wears Off: Is there something wrong with the scientific method?” bears that out.

In a sense, trying to do a science of cyberspace security without at least simultaneously doing a more general science of cyberspace may fall into the category of the cautions of the New Yorker piece…we need to ask questions about the whole environment, not just part of it.  That’s the approach SENDS and the Science of Cyberspace are taking.  Our success, however, will be in large part because of the insightful work the JASONs, the DOE and others are doing, just as they may also benefit from SENDS.

Cyberspace is immense, and it will take all we humans have to understand it, explore it, exploit it and protect it.  We’re all in this together.

Graphical Languages in the Cyberspace Ecospace

by Sandy Klausner

editor’s note: Sandy Klausner is the founder and CEO of CoreTalk Corporation, the designer of the Cubicon programming language, described at http://www.coretalk.net/.  The opinions and concepts proposed by Sandy reflect his thinking about new types of programming languages, and web-based architectures including Cubicon.  SENDS does not endorse any specific product, but seeks to ensure members and guests of the Private-Public partnership of the SENDS Consortium are aware of novel thinking proposed by those associated with the Consortium and its efforts.

As reflected throughout the SENDS Blog (here and  here, for example), the SENDS Project seeks to understand the nature of cyberspace as a complex adaptive system (CAS) as well as reflectively thinking about cyberspace itself as a meta-system.  Not only is cyberspace characterized as such a CAS, but increasingly the computer architectures and programming languages that support cyberspace-based communications must also support these levels of functionality.

This functionality, discussed previously, includes the processes of exchange, self-organization and emergence.  Let’s look at each of these through the lens of computer network architecture.

Exchange – The exchange of concepts and information requires a semantic basis to enable software agents to infer relationships and manage content and services without human intervention.  This machine processing requires unprecedented levels of automation to support massive exchanges between billions of people and information transactions around the world.  New graphical languages must enable domain experts to create, share and execute software agents that process knowledge, transact services and enable social networking to evolve to new levels of collective intelligence.

Self-organization – People, systems and information need the ability to self-organize through cyberspace.  Such capability mandates a new computer science, infused with the inspirations of complexity science, where software artifacts are inherently recombinant to energize self-organization.  This first principle science will enable unprecedented levels of interactions and interoperability that can be visualized as dynamic system models.

Emergence – As noted in Carl Hunt’s earlier blog, this self-organization process is the transmission that moves exchange into emergence.  Emergence of novel behaviors, fresh opportunities and new organizational structures must be simulated in new graphical languages that support cyberspace evolution, providing insights into complex cyberspace realms.  These visual simulations will be easily shared across domains, providing novel ways to understand complex systems and provide continuous dynamic feedback to all participants in knowledge evolution.

Knowledge Processing

Borrowing from the SENDS blog on “Ecospace”, Figure 1, below, helps to visualize the major interactions that take place to create both the opportunity and the requirements for coevolution within cyberspace and its interacting elements.  Service exchanges and knowledge processing are at the heart of this interaction.  The figure also depicts several categories of emergence that are both ingredients and products of the coevolving world of massive interconnectivity that cyberspace enables.

There are two basic forms of systems that coevolve with each other through exchanges and processing that compose cyberspace: human systems and machine systems (together they accommodate the production of something useful).  Emergent characteristics from human and machine behaviors, technologies, cultures and governances all synergize to produce what we recognize as cyberspace.

The services that we introduce to make the network valuable as well as the threats to those services are also part of the coevolving landscapes.  Just as in predator-prey models of ecosystems, the threat is an integral consideration of a holistic perspective of cyberspace.  Finally, both natural and artificial adaptations take place that ensure cyberspace is a constantly changing, coevolving environment that truly requires the augmentation of more modern architectures and graphical programming languages.

Figure 1 - The Programming Language-Architecture View of the Cyberspace Ecology (courtesy CoreTalk Corp.)

New Software Paradigm will Manage Systems Complexity

The gap between generational advances in hardware (Moore’s Law), users’ application demands, and software’s ability to productively utilize both continues to expand … with no end in sight.  This gap can only be closed by greatly automating the software life cycle that can effectively overcome complexity bottlenecks.

A new software paradigm must address seven fundamental cyberspace complexity challenges that can be characterized in the following ways:

Semantic Web – As RDF & OWL remain underutilized, a graphical language must provide the required formalization of ‘context’ and ‘community’ architecture to fully support a global semantic substrate across cyberspace

Service-oriented Architecture – As SOA remains too ad hoc, new approaches must provide the requisite technology for machine-to-machine (M2M) interactions to truly scale across billions of devices

Smart Grid – As hard real-time environments are difficult to encode, a graphical language and a contextualized infrastructure must provide the following capabilities for a National “Smart Grid” to be realized sooner:

- ability to create and evolve interoperable standards

- mediation of services between disparate devices in a community

- execution environment that deterministically processes events in real time

“Manycore” processing – As threading is failing to scale, a fused software/hardware architecture must provide an effective parallel programming mechanism that can harness the power of emerging “manycore” processors

Software re-use – As current programming language ecosystems lack componentry architecture, a recombinant technology must enable a fertile exchange of high value intellectual property assets

Malware – As current immunization technologies are increasingly less effective, next generation programming must prevent malware infiltration through a robust ‘whitelist’ security model for all software components and apps

IP (intellectual property) tracking & licensing – As the Open Source model lacks a viable business model, a graphical language must ultimately support the ‘Open Design’ software model that provides direct compensation/recognition for authors based on virtual supply chains

Conclusions

As a proponent of what the SENDS Project calls “Open-Source Science,” these discussions about new, exchange-based programming languages and architectures are an important augmentation not only to a science-based approach to understanding cyberspace, but to spur greater innovation in the development of these capabilities.

I think the Cubicon programming language that CoreTalk has designed is consistent with the principles SENDS initially proposes for architecture and language development.  As is the case with all open-source evolution, however, the market and its users will decide.  In the meantime, the public-private partnership SENDS seeks to leverage is a viable path forward to doing good science in cyberspace and generating more secure environments for national and global prosperity.



SENDS and Sensibility

by Carl Hunt

Jane Austen’s novel, Sense and Sensibility, tells a story of rich, dynamic dealings among an interesting cross-representation of the people of late 18^th Century English life. The successes and failures of the characters of the story, moderated by the emotions and realties of the time, are a microcosm of life even today.  The characters lived their lives through complex interactions basically devoid of technology yet ultimately made wise and “sensible” decisions about their lives that produced a relatively “happy ending.”

One almost wonders how they accomplished this without Facebook and Twitter.

Seeking an understanding of the sensibilities of how people interact, make decisions and take actions in the interconnected environment of cyberspace is a major objective of SENDS.  Emotion plays a significant role in how people relate in any social environment.  That’s a key distinction between human and machine interaction.

Machines don’t yet communicate well without a detailed “understanding” of the instructions they are passed through code, yet people often do.  Cyberspace in the current age is about people most of all, and how they communicate with each other.

In spite of misunderstandings, people still accomplish objectives and create relationships that frequently succeed.  Disasters do happen and even battles are fought over what began as emotional reaction, but so far humanity hasn’t ended because of misinterpreted or deceptive communications.  Humans seem to do okay.

Since emotion and sensibility so often drive human behavior, the question arises about how to model motivations and behaviors so that they can better inform simulations about network operations and defense.  To start coming to grips with this challenge, we introduced a SENDS approach previously in these blogs: SENDSim, the SENDS cyberspace modeling and simulation environment.

How we define and frame an environment such as cyberspace has a great deal to do with how we model it.  Bob Schapiro suggested several important considerations and challenges earlier this week.  If we define cyberspace solely as a battlefield environment, for example, our vocabulary reflects that bias, and the characteristics of the simulation agents we model might also inappropriately reflect such biases.

Department of Homeland Deputy Secretary Jane Holl Lute raised the challenge of properly defining cyberspace in a recent speech at Black Hat in July of this year.  In her speech, Deputy Secretary Lute asked “Cyberspace: is it a war zone? Is it a marketplace, a neighborhood, a school, a highway, a do loop of our past activities, a playground, a sandbox…” and made several important points about its diversity.

It’s easy to see how emotions have driven the debate up to this point, as well as how sensibilities must be driven by human common sense and logic to help us get this right.  Deputy Secretary Lute is asking a very important and very sensible question.

To seek answers to those questions in SENDS, we are placing a significant level of confidence in modeling and simulation to help us better understand how people interact with each other and the technologies of cyberspace.  Approaches like SENDSim, along with the insights of users of cyberspace, as Bob pointed out, may the only way we’ll ever be able to define and begin to comprehend something so vast and complex.

SENDSim offers an economical opportunity to build a laboratory that helps us experiment with human insights and test interactions.  It offers us a way to address the dilemma Deputy Secretary Lute raises while ensuring we capture the nuances of human and technological interaction.  Examining the behaviors of each is critical to understanding cyberspace in a way that reflects both “Sense and Sensibility.”

Jane Austen’s characters apparently did well enough in their life without cyberspace, but most of us now rely on it for almost all forms of communications.  As Bob implored, please help us get these definitions right.  Help us do better science and experimentation, in the appropriately defined environment, by engaging in the “open-source science” of cyberspace.

To quote Bob from last time, please “send us your thoughts at words@sendsonline.org.”