As part of the Department of Defense Program on the Science of Security and Privacy for the National Security Agency, the purpose of our work on analytics for cybersecurity policy of critical cyber-physical infrastructure systems is to develop analytical methods to support the national strategy for cybersecurity, as outlined in the Presidential Executive Orders and National Defense Authorization Acts.

Proof of Concept

The proof-of-concept, or initial case application, focuses on cybersecurity of the smart grid for electric power systems. Cyber-physical systems (CPS) are embedded in an increasingly complex ecosystem of cybersecurity policies, guidelines, and compliance measures designed to support all aspects of operation during all phases of a system's life cycle. By definition, such guidelines and policies are written in linear and sequential text form—word after word—often with different parts presented in different documents.

Operationally, our goal is to provide analytics for greater transparency and clarification of cybersecurity policies and guidelines, specifically to:

1. overcome the limitations of the conventional text-based form, 
2. extract knowledge embedded in policy guidelines, and 
3. assist the user community—analysts and operators—in their implementation.

“NIST-as-Lab:" test case of policies & directives for cybersecurity for smart grid of electric power systems. Source: Choucri (2019).

Strategically, our goal is to construct a platform of new tools for application to policy directives, regulations, and guidelines across diverse domains and issue areas. The platform and tools are designed to enable users to explore mission-related system properties, issues, concerns, or contingencies.

The research design is shown below:

Research design: multi-methods data-based platform of analytics for cybersecurity. Source: Choucri (2019).

The proof-of-concept addresses the "hard problem" of Policy Governed Secure Collaboration, as defined by the Science of Security and Privacy Program.

Text to Data & Metrics to Models

Our "raw" database consists of major reports prepared by the National Institute for Standards and Technology (NIST) shown in the table below.

Cybersecurity policy ecosystem: policy database for smart grid cyber-physical system. Source: Choucri (2019).

Clearly, considerable efforts are always being made to "mine" NIST materials; however, few initiatives explore the potential value-added of drawing on multi-methods for knowledge extraction and/or developing analytical tools to support user understanding of policy directives and analysis, identify vulnerabilities and impacts, and eventually, enable relevant action.

Policy Data Linkage Methods

We begin with constructing the "as-is," system-specific structured model from NIST analysis and network representation. In general, however, throughout this project we must draw on different policy documents. This means that we have to create an interface and linkage strategy.

The figure below shows both process and results to date:

1. Method for Linked Database
2. NIST Reference Model for Smart Grid
3. Design Structure Matrix constructed (DSM) from NIST reference model
4. Network model of smart grid derived from DSM
5. Network model showing NIST specifications of security requirements and impact levels for Smart Grid model base

The figure below illustrates steps in the research design that model the "as-is" system state and further model generation. Much of the information required to take next steps is distributed across different policy documents.

Elements of research design (simplified). Source: Choucri (2020).

We are developing the method in an "experimental" mode. Once completed, the next challenge is to formalize our method of connecting policy documents. We are currently exploring a computational alternative.

Interim research reports of this ongoing project are available here.

References:

• Choucri, N., (2019). Year 1 Progress Report: Analytics for Cyber-Physical System Cybersecurity: Policy-Governed Secure Collaboration. Proceedings of the SoS Quarterly Meeting, July, 2019.
• Choucri, N., (2020). Analytics for Cyber-Physical System Cybersecurity: Policy-based Methods for Risk Analysis. (CAMS Weekly Research Briefing, July 10, 2020). MIT Sloan School of Management.

Increasingly, we are beginning to recognize the challenges of securing the long chain of global communication infrastructure. Central to the overall global system is the complex network of undersea communication cables, the landing points, and the Internet Exchanges.

This research project explores the entire "long chain," presents some illustrative data, and puts forth a multi-method research design for the analysis of long-chain systems of information and/or communications technology, infrastructure, services, ownership, providers, and networks – both within a state and outside its jurisdiction – all essential for unimpeded global operations.

Global network of undersea communication cables and landing points.  Source: Choucri and Agarwal (2019).

We have developed a "proof-of-concept" inquiry for the data requirements essential to support end-to-end integrated research, along with highlights of some initial empirical analysis, with China as a case in point.

Preliminary results focusing on Securing the Long-Chain of Cyber-Physical Global Communication Infrastructure are available in Choucri and Agarwal (2019).

Reference:

• Choucri, N., & Agarwal, G. (2019). Securing the long-chain of cyber-physical global communication infrastructure. Proceedings of the 2019 IEEE International Symposium on Technologies for Homeland Security (HST), 1–7.

Almost everyone recognizes the salience of cyberspace as a fact of daily life. Given its ubiquity, scale, and scope, cyberspace has become a fundamental feature of the world we live in and has created a new reality for almost everyone in the developed world and, increasingly, for people in the developing world. This project provides an initial baseline for representing and tracking institutional responses to a rapidly changing international landscape, "real" as well as virtual. We argue that the current institutional landscape for managing security issues in the cyber domain has developed in major ways, but that it is still "under construction." We also expect institutions for cyber security to support and reinforce the contributions of information technology to the development process.

We begin with:

1. highlights of international institutional theory and an empirical "census" of the institutions-in-place for cyber security, and then turn to
2. key imperatives of information technology-development linkages and the various cyber processes that enhance developmental processes,
3. major institutional responses to cyber threats and cyber crime as well as select international and national policy postures so critical for industrial countries and, increasingly, for developing states as well, and
4. the salience of new mechanisms designed specifically in response to cyber threats.

For information, see: Choucri, Madnick, and Koepke (2017) and Choucri, Madnick, and Ferwerda (2014).

References:

• Choucri, N., Madnick, S. E., & Koepke, P. (2017). Institutions for cyber security: International responses and data sharing initiatives (MIT CISL Working Paper No 6). MIT Sloan Management School.
• Choucri, N., Madnick, S., & Ferwerda, J. (2014). Institutions for cyber security: International responses and global imperatives. Information Technology for Development, 20(2), 96–121.

Control-point analysis explores power and influence dynamics among actors in the cyber and international relations realms. For example, the actors that actually manage and operate regions of the Internet are Internet service providers. Within their regions, they exercise ultimate control of the completion of connections; if they do not forward the digital information packets that make Internet transfers work, the operation fails. Other aspects of the Internet experience are controlled by other actors—those who develop operating systems, build browsers, make web content, and so on.

The challenge is to identify who does what, when, and how. The Figure below shows the result of our approach applied to China.

Points of control as used by the government of China. Source: Choucri and Clark (2019, 202). Note: Distinction between primary actor (e.g., the ISP) and the state is not illustrated.

Related is another issue, especially important in the China case, control over access points into China. The Figure below shows the result of China controls via autonomous systems, noted for April 2018 and verified as of August 2019.

Autonomous Systems (AS) nodes for Internet access in China.  Source: Choucri and Agarwal (2019). Note: Nodes in Red and Gray color indicate AS located within and outside China respectively.

References:

• Choucri, N., & Clark, D. (2019). International Relations in the Cyber Age: The Co-Evolution Dilemma. MIT Press.
• Choucri, N., & Agarwal, G. (2019). Securing the long-chain of cyber-physical global communication infrastructure. Proceedings of the 2019 IEEE International Symposium on Technologies for Homeland Security (HST), 1–7.

As a dynamic, uncertain, and competitive environment, cyberspace presents unique challenges for defense and security. The overall risk is further compounded by the uncertainty that comes with persistent vulnerability. With foundations frequently resting upon technologies that were never designed for security, existing infrastructure still possesses undiscovered vulnerabilities, and new technology brings new, unknown avenues for malicious exploitation.

For cyber operators, this dynamic and uncertain nature of competition in cyberspace means that rapid technological responsiveness is a necessity. As such, capable cyber defense fundamentally depends on the ability to rapidly integrate new cyber technologies to out-adapt adversaries. Often the needed capabilities already exist and are employed in the private sector. A key challenge, then, for military cyber defenders is the quick acquisition and adoption of these innovations.

Our work in collaboration with colleagues in the U.S. Air Force led to three broad recommendations for reforming acquisitions policy to better meet the DoD's objective of delivering performance at the speed of relevance, especially in cyberspace. These are:

1. Manage rather than avoid risk—especially time-based risk,
2. Delegate authority to the lowest reasonable level, and
3. Treat different problems differently.

The first of these is especially challenging for the purposes of operational analysis and applied analytics.

References:

• Klemas, T., Lively, R., Atkins, S., & Choucri, N. (2021). Accelerating cyber acquisitions: Introducing a time-driven approach to manage risks with less delay. The ITEA Journal of Test and Evaluation, 42, 194-202.
• Klemas, T., Lively, R. & Choucri, N. (2018). Cyber acquisition: Policy changes to drive innovation in response to accelerating threats in cyberspace. Proceedings of the 2018 International Conference on Cyber Conflict (CYCON U.S.), 103–120.