Cyberspace Science and Cyberspace Security Science: Why Both?

by Carl Hunt

In an October, 2010 blog, I commented about the importance of asking “the right questions” in critical situations.  “It’s the questions, not the answers, which most guide us in strategic thinking and understanding…And equally important, it is the order in which you ask questions and experience discovery through responses to those questions that help you form strategies.” I wrote these words citing the inspiration of mentor Dr. David Schum of George Mason University.

It’s an odd if fascinating experience to quote yourself from a previous writing to make a point, but it’s also boring and probably doesn’t raise many new challenges in thinking.  So, I’ll try to springboard off that “inspirational” quote to distinguish why we need two “disciplines”: one the major and one the minor, to study cyberspace.  It may turn out we need many more, but these two will provide a great start to test the limits of human thinking about connectivity!

Why do we need both a Science of Cyberspace and a Science of Cyberspace Security, the latter of which receives significantly more emphasis?

We require them both because they are so deeply interwoven that we need both a general understanding of the environment of cyberspace and we critically need to understand how to secure it.  Science to secure cyberspace may have a shorter-term, technological focus, but together they may ultimately satisfy the requirement for prosperity in this new environment.

It will be scientific-based study, informed by the process of meaningful inquiry, that will help us see beyond a purely technological domain and restore some methodological insights into what is happening to man in the advent of the hyper-connected age of cyberspace.

You can probably tell by now that I consider a Science of Cyberspace to be the major discipline!

In considering both cyberspace in general and cyberspace security in particular, it’s about the questions we ask that drive new and hopefully relevant discovery, and that’s the construct I’ll use to discuss both efforts.  The nature of these questions will help discern the differences in our quest to understand cyberspace from these two strongly related perspectives.

I’ll start with the Science of Cyberspace Security requirement based on a recently released government-sponsored effort called “Science of Cyberspace Security” published in November, 2010 by the MITRE Corporation and the JASON group.

If one didn’t already know it before reading this report, it’s easy to see why security demands the most attention since business, academia and government (and indeed the world’s economic systems) have built a critical reliance on what cyberspace offers in terms of connectivity and access.  Cyberspace security is also a core component of the overall SENDS Project, including the SENDS modeling and simulation environment, SENDSim.  It’s a vital topic!

The JASON report provided answers, but what were the questions they addressed?

The report used nine basic questions to organize thinking within their findings, having been provided these questions by their government sponsorship (according to page 3 of the report, also where we find the start of the questions).  The reader interested in cyberspace security should refer to the JASON report to form their own conclusions, but the idea of building a strategic position around important questions is the focus here.

As Dave Schum always advised, it really helps if you’re working with “the right questions.”  All in all, it appears the government provided the JASON group with meaningful questions and they responded well within the framework of those questions.  But, were they the “right questions?”

We need to ask how suitable the questions were to guide us in strategic thinking and understanding of cyberspace.  Perhaps they were a reasonable start, yet they were narrowly focused on the “minor” discipline of the study of cyberspace: the Science of Cyberspace Security.  To really be “the” questions that guide us in better understanding cyberspace, they must be broadened to address the entirety of the environment.

The questions provided, as rooted in scientific exploration as they were, did not get at the issues we’ve raised in SENDS about people and community as the key part of the solution space.  Any line of inquiry for the study of the Science of Cyberspace will need to focus on people: people as users, people as designers, people as protectors, people as attackers and people as solutions.  The JASON study addressed the questions they were provided well enough, but again, were they “the right questions?”  Did these questions help objectively frame their responses and allow for full impartiality?  After all, that’s a significant purpose of meaningful inquiry.

While we don’t have access to the instructions provided to the JASON panel, we do have the list of the questions they were provided by the sponsor.  For those who focus on the role of people in cyberspace, it’s gratifying to see that question 5 did ask if social sciences, among others, could serve as topics that could “contribute to a science of cyber security?”

The body of the JASON study interwove important topics that are people-centric in their substance.  These topics include game theory, trust, biologically-inspired immune responses and metric collection/ assessments.  For the most part, however, the JASON group focused on technological prescriptions.  A significant Department of Energy December, 2008 report, “A Scientific Research and Development Approach To Cyber Security,” cited over-reliance on a technology focus as a chief complaint, as has SENDS since its origins.  SENDS found inspiration from the DOE work. Did the JASON line of inquiry enhance thinking in that regard?  Readers should decide for themselves.

The sponsor’s questions did lead to one critical response from the report, however:  “The most important attributes (of a Science of Cyberspace Security) would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.”  We have asserted the same requirement from the beginning of SENDS (here and here, for example), as did the DOE imply in its report.  It appears this principle applies to both a science of cyberspace security and a more general science of cyberspace (in fact, that’s a contributing factor to resolving wicked problems, another core component of SENDS).

But, there’s much more to understanding cyberspace and the questions we need to ask about it than cyberspace security.  That’s why we need a broader “Science of Cyberspace.”  To better secure cyberspace, it would be helpful to more fully understand what’s going on inside the environment as a whole.  Some might argue that the immune system seems to work just fine without knowing all the details about the host it’s protecting or the characteristics of the attacker.  But as the JASONs so rightly point out, an immune system is at best an inspiration for how to do better security.

In their study of systems, scientists and engineers typically try to address hard questions through broad understanding and awareness, and use an approach that provides deeper insights about the whole of a system.  While studying the immune system may help with understanding how the body defends itself, studying the immune system alone does not suffice for the study of the entire human body.  Likewise, studying the science of cyberspace security alone does not give us the broader understanding of the whole needed to study the entirety of the cyberspace system.

Since cyberspace is a socio-technological environment, built, explored and exploited by people (at least for the time being), we need to start understanding more about the ecology of the environment and how it’s changing human behavior as a whole.  We’ve seen that cyberspace as a massively interconnecting environment has already altered the nature of crime and spying (people-centric activities), and thus why there is a critical need for a science of cyberspace security.  That’s just one family of problems we face, however, because we don’t understand cyberspace holistically.

We need to ask questions about cyberspace, not just about cyberspace security.  Broadening our aperture of questions helps us accomplish the main objectives of science: explain and predict.  Many more questions need to be focused on the people part of cyberspace.  We began that process from the earliest drafts of the Science of Cyberspace White Paper (first drafted in March, 2009, by the way, and now posted in its eighth major draft, noted above) and in our earliest blogs (here and here, for example).

We also need not be put off when we find evidence or results that refute our hypotheses (another term for questions), either.  It’s just as important to publish findings that surprise us and rebut previously held notions as it is to present results that confirm our initial positions.  Science is about impartiality and repeatability of objectively derived findings.  A recent piece in the New Yorker Magazine, entitled “The Truth Wears Off: Is there something wrong with the scientific method?” bears that out.

In a sense, trying to do a science of cyberspace security without at least simultaneously doing a more general science of cyberspace may fall into the category of the cautions of the New Yorker piece…we need to ask questions about the whole environment, not just part of it.  That’s the approach SENDS and the Science of Cyberspace are taking.  Our success, however, will be in large part because of the insightful work the JASONs, the DOE and others are doing, just as they may also benefit from SENDS.

Cyberspace is immense, and it will take all we humans have to understand it, explore it, exploit it and protect it.  We’re all in this together.

SENDS 2010: The Year in Review

by Carl Hunt, Bob Schapiro and Craig Harm

In sports, when an underdog team surprises everyone and gets into the playoffs, they can’t wait until the next game.  That’s what the SENDS team is feeling right now: the thrill of anticipation as we see our season extended and the team getting better and better when it counts.

Our goal has always been to empower the public to create the future of cyberspace and become part of the SENDS team.  A few months ago, we were in the odd position of being able to open positions on the team, but not having a lot of people to join.  Now that is changing...fast.

From the beginning, SENDS has been fortunate to enjoy the active participation of great thinkers...including some of the people who actually set the course for the future of the Internet.  Most of these people work for the government and major software firms, hired for their expertise in cyber-security.  But as scientists, they wish to transcend that role and discover what makes cyberspace tick.  They know this can only be discovered by working with the people who use the Internet every day; in short, almost everyone – it’s a big team!

That’s where SENDS comes in.

To be blunt, until a few months ago, our resources for reaching the public were not what we hoped they’d be.  But the seeds we planted started to thrive, growing stronger every day.  With this posting, we have now published 31 blogs in the 3½ months from the first entry.  We’ve been fortunate to be highlighted in several online fora, including James Fallows’ Atlantic Magazine blog, the DoD’s Armed with Science blog, and an interesting site called “OhMyGov!”  We’ve even been invited to two Highlands’ Forum meetings to talk about SENDS and participate in discussions of Design in Cyberspace.

The important thing is that you are reading this blog...and if you’re like most of the people who now read and contribute, six months ago you had no idea what SENDS was.  You joined the team!

In 2011, we look forward to empowering people in many ways, as with our initiative for you to help create the new vocabulary of cyberspace.  In fact, thanks to contributors, we have a lot to build on to strengthen and broaden the team.  As 2010 draws to a close, however, it’s worth talking about the direction the SENDS Pilot project has traveled from its inception and to try to put it into context.  That, along with new team members’ contributions, creates the synergy for 2011.

SENDS began in 2009 as a proposal to address the observations of a December, 2008 US Department of Energy White Paper entitled “A Scientific Research and Development Approach To Cyber Security.”  Thus, SENDS began as a project to address cyberspace security, expanding on several of the thoughts from that very fine DOE paper.

It became clear after a 90-day study, however, that in order for the US and indeed all users of cyberspace to explore and exploit the environment, security was necessary but not a sufficient condition to unleash the potential cyberspace has to enhance prosperity on a national and global scale.  We took this challenge to potential government sponsors and they agreed.

In a June, 2010 interagency, multidisciplinary forum in Arlington, VA, the current SENDS Pilot Project was initiated, identifying four main tasks to accomplish in the 12-month pilot.

As we embarked on the project, new ideas came to light as a result of the collaboration of the diverse SENDS participants.  The SENDS tasks were still relevant, but we found that we needed to look through the lenses of living systems and ecology to develop holistic perspectives about the greatest connecting fabric mankind has known.

Several prominent advisors told us that the ecological perspective is a valuable way to think about the challenges of cyberspace prosperity and security, particularly when considered through the standpoint of what is found in wicked problem resolution literature.  The wicked problem resolution advice is good because it also helps us think about the social context of problem definition and resolution: it’s a people challenge, just as are cyberspace prosperity and security.

We took this good advice and blended it with the thoughts of guest bloggers to produce what we think is an objective viewpoint about how cyberspace is emerging around us and how it will affect us in the future.  We looked at people, processes and technology as a convergent and emergent phenomenon (starting here).  These insights have been continuously informed by multiple perspectives, possible through the connectivity that cyberspace offers.

This holistic view is why SENDS is more than just another cyberspace security project.

Through the efforts of a variety of authors, the SENDS Blog has been fortunate to provide diverse perspectives on the SENDS tasks through several backgrounds…the SENDS wiki site has augmented and expanded these perspectives.

Broad thinking about one of the two most long-term focused SENDS tasks, Education and Academic Curricula, for example, has led to contributions from no less than four authors about this important topic.  We have had the good fortune to hear from a school teacher in Canada, an Emmy-Award winning documentary director/ producer, a director of a nationally recognized science center in Florida and a retired military officer (here and here), each sharing distinctive perceptions about how America must look at education in the connected age.

Another long-term task, a Center for Cyberspace Science, has generated equally important and diverse perspectives, ranging from the use of advanced modeling and simulation capabilities to the development of a “cyberspace laboratory.”  When put into the context of better understanding concepts like community in cyberspace and formulating meaningful inquiry about this new environment, a center for studying the remarkable power of cyberspace connectivity seems mandatory for better understanding this new world.

The task to develop relevant models and simulations (M&S) as a “laboratory” for cyberspace is indeed one of the tasks we have invested considerable resources in.  The SENDS M&S team collected data from a variety of subject matter experts, including military, law enforcement and commercial practitioners to develop SENDSim.  This M&S environment, shown in its early stages here, is one of the first products of the Center.

We are also developing SENDSim to become a useful tool to gain insights on the kind of socio-technological convergence issues we’ve been discussing above.  Speaking of understanding socio-technological convergence, the SENDS team has also been fortunate to publish the insights of a senior media analyst to help clarify challenges to look at cyberspace in this way (here and here).  We’ve even had an innovative software developer write about the development of programming languages in the context of socio-technological convergence and ecology!

Another early product of the Center is a White Paper on the Development of a Science of Cyberspace, that while in early draft form, may serve as a framework for the consideration of important topics to demonstrate how such a discipline would be studied.  We will see more similar products from the Center as the Pilot continues, and we expect to write about them here in this blog.

The first six months of the SENDS Pilot Project have been exciting, and chronicling it within the pages of the SENDS Blog has been rewarding considering the diversity of the authors who have contributed.  The remaining six months of the Pilot should be equally rewarding as we see the maturity of SENDSim emerge.

We look forward to experiencing greater government, commercial, academic and even individual relationships as we improve on the Science White Paper through more diverse input, and synergize SENDS through collaboration with other efforts.  We also look forward to formalizing relationships that move the Center for Cyberspace Science into a suitable home.

In coming weeks, we’ll port over this blog and much of the wiki material to a SENDS-dedicated site at www.sendsonline.org.  We’ll announce the movement of the site in this blog and on the wiki when we’re up and running.  Please visit us there, and continue to send your thoughts to words@sendsonline.org or through comments within this blog.

It’s been a great first six months for the rapidly growing SENDS team and we can hardly wait for the next six.  The playoffs await and the season continues!

Community in Cyberspace: Real or Imagined?

By Carl Hunt

What do the reactions to the recent WikiLeaks (also here), Facebook, and your town have in common?  Well, since you saw the title to this week’s blog already, you guessed it: community.  The line of inquiry we take up today, however, is how “real” are these communities and what do they mean to us in terms of individual and collective human behaviors?

Since we talked a bit about Facebook previously, we'll focus on real "imagined" communities.

We all experience effects of behavior and one of the very first insights we consider is the effects of behavior in cyberspace-based communities.  Regardless of nation-state ties or physical locations, the virtual communities of cyberspace can create real effects that cause challenges to the traditional structure of government or business.  The communities that formed to do “virtual combat” against those that initially cut off access to the WikiLeaks site caused real damage that can be measured in lost income or customer confidence.  While the level of damage caused is still being debated, it was indeed quantifiable.

Equally as interesting, there is no evidence that any of the groups (communities, if you will) had ever met or coordinated their attacks on each other before the recent US government-related WikiLeaks were released.  These communities may have previously existed but their objectives and capabilities remained largely unnoticed until a rationale manifested itself and these groups self-identified around a common cause.  They “imagined” a status that empowered them to act as members of a community.

So, what is an imagined community as opposed to a real community?  Is there a difference as far as cyberspace communities are concerned?

Americans, Chinese, French, and even Somali citizens understand their ties to a nation-state entity.  In some populations, the concept of nationalism creates great personal patriotism and fervor, and in some a personal identification with national spirit is less relevant.  But in all cases, according to Cornell emeritus professor, Benedict Anderson, some quality of fraternity emerges and a people develop a sufficient sense of national identity that they come to be willing to die for their identity and the national entity.

Since we have not yet fought any full-blown Cyber World War, it’s unclear yet how such a strong sense of “nationalism” will play out in cyberspace.  Anderson’s ideas about imagined communities still resonate strongly in both real and virtual life, however.  We’ll have to see how the notion of willingness “to die for their identity” as a part of a community, whether physical or virtual, will play out, but there are insights we can start to accrue, as the recent wikileaks episodes clear.

NY Times technology reporter and author Nick Bilton has begun to address the idea of imagined community as it applies to cyberspace in I Live in the Future and Here’s How it Works (Crown, 2010).  Bilton writes “…we are constantly weaving in and out of small and large, obvious and imagined communities.”  Cyberspace, or the digital realm, as Bilton further clarifies it, is an “always on, real-time, creating, consuming society,” and the media has been bringing this trend to human community for many years, perhaps centuries, as noted by both Anderson and Bilton.

Writes Bilton about Anderson’s perspectives on community and the media: “In the same way that Anderson recognized that the printing press and its ability to communicate in a person’s language could break up power structures and create meaningful and powerful nations, so too may our online communities reshape and remake both our own personal imagined nations and our traditional ways of communicating.”

The creation of new globally-connected, yet often self-detached imagined communities such as the participants in the wikispaces conflict demonstrate is important to watch.  Community may be real or virtual but it is in the mind of the beholder what role and actions the inhabitants may take, and in fact, cyberspace may amplify those roles and accelerate behaviors around the globe.  While we may never see the Cyber World War, we will likely see constant transformation of conflict as enabled by cyberspace and imagined communities.

Study and modeling of these communities is a critical objective of SENDS as we have noted here and here, for example.  Creation of common terms and concepts so that we can better understand the wicked nature of the problems we discover along the way is also a mandate.  Before we can understand communities and new forms of conflict in cyberspace, we have come to grips with the nature of cyberspace, and we need your help.  Please send us your thoughts to words@sendsonline.org and let’s move forward with this real and important community!

SENDS and the Wicked Problem Resolution Approach

By Carl Hunt

From the earliest versions of the SENDS White Papers and the SENDS Science of Cyberspace White Papers, we have proposed the study and adoption of the concepts related to Wicked Problem Resolution (WPR) in trying to understand and tackle issues related to the phenomenon of cyberspace and cyberspace security. In fact, several in SENDS Consortium meetings have confidently asserted that cyberspace security is a wicked problem. For that reason, the major SENDS papers have discussed WP in some detail, although to date we have not talked much about how to integrate WPR and the Science of Cyberspace. We begin to do that here.

Earlier this year, Australian academics/authors Valerie Brown, John Harris and Jacqueline Russell published a volume of essays they edited and co-wrote titled Tackling Wicked Problems through the Transdisciplinary Imagination (Earthscan, London, 2010). The principles embodied in the text reflect much of what is considered as complexity science: the multidisciplinary body of research that embraces challenges from diverse research perspectives (see for example: Waldrop, Complexity: The Emerging Science at the Edge of Order and Chaos, Touchstone, 1992; Kaufmann, At Home in the Universe: The Search for the Laws of Self-Organization and Complexity, Oxford, 1996; and Miller and Page, Complex Adaptive Systems, Princeton University Press, 2007).

Transdisciplinary approaches differ from the multidisciplinary perspectives of complexity science in the following way: transdisciplinary thinking is the “collective understanding of an issue…created by including the personal, the local, and the strategic, as well as specialized contributions to knowledge,” note the co-authors in the Introduction to Tackling Wicked Problems. They go on to write that such “open” thinking includes not only the scientific disciplines, but also includes “all validated constructions of knowledge and their worldviews and methods of inquiry” (p. 4). As documented throughout the book, imaginative inquiry is at the heart of resolving WP.

It’s also important to note that we don’t try to “solve” WP, but rather to resolve them due to their complex and dynamic nature. Resolving problems is a different tactic than solving them: "resolving" speaks to an iterative process in which there is a recognition that there is no final or "right" solution, whereas problem "solving" looks for the "right" or ultimate answer. Leveraging the power of cyberspace to accomplish resolution will be a powerful contribution that our budding Science of Cyberspace can make.

There’s much more to discuss when it comes to WPR and the Science of Cyberspace, and we will continue to present those observations right here in this blog. At this point, it’s important to set the stage and seek the beauty of convergence and synergy by identifying imaginative ways to proceed in dealing with wicked problems, harnessing the connectivity of cyberspace.

It’s not about being wrong or right, either, as the academic definitions of the WP literature tell us: “Solutions to wicked problems are not right or wrong, simply ‘better,’ ‘worse,’ ‘good enough,’ or ‘not good enough.’” (Rittel, Horst and Webber, “Dilemmas in a General Theory of Planning,” Policy Sciences 4, Elsevier, 1973 (this is the ground-breaking paper that began to formalize thinking about WP)).

The convergence of WPR literature, creative and imaginative inquiry, complexity science and a better understanding of cyberspace are all at the root of harnessing the power of mass interconnectivity to identify and better deal with the very hard problems we face now and in the future. Humanity is only beginning to see the benefits and the pitfalls of globalization and the connective power that is emerging from new technologies and social science-based understanding of these environments.

Here’s the closing point: the study of WP in the light of Complexity Science tells us that humans can be simply right or that we can be simply wrong, but we can’t be complexly right or complexly wrong. To appreciate this assertion, it helps to know how complexity science works (including exchange, self-organization and emergence), and it really helps to understand cyberspace theories (which we are only now exploring). The bottom line, however, is that WP are real and they’re tough to tackle because they are complex by their very nature, and the power of cyberspace (and cyberspace sciences) may present the best way to approach WPR.