II. Security Science & Policy Analytics

The cyber domain is central to the profound revolution, driven by technology and market forces, that has already turned entire industrial sectors into producers of cyber-physical systems. Smart systems of all sorts are all around us—autonomous vehicles, military platforms, intelligent buildings, smart energy systems, intelligent transportation systems, robots, and smart medical devices and so forth. Industrial platforms such as the Internet of Things are becoming household items. Here, too, the Co-evolution Dilemma is evident in almost all contexts and in almost all levels of analysis: Changes in technology are moving at much faster rates than policy responses and institutional adaptations. This is evident. Less well understood—or even appreciated as an increasingly critical issue—is the connection, and sometimes the gap, between the technical operations of systems and the expectations of policy.

Our research on the Security Science addresses specific manifestations of the Co-evolution Dilemma.

As part of the Department of Defense Program on the Science of Security and Privacy for the National Security Agency, the purpose of our work on analytics for cybersecurity policy of critical cyber-physical infrastructure systems is to develop analytical methods to support the national strategy for cybersecurity, as outlined in the Presidential Executive Orders and National Defense Authorization Acts.

Proof of Concept

The proof-of-concept, or initial case application, focuses on cybersecurity of the smart grid for electric power systems. Cyber-physical systems (CPS) are embedded in an increasingly complex ecosystem of cybersecurity policies, guidelines, and compliance measures designed to support all aspects of operation during all phases of a system's life cycle. By definition, such guidelines and policies are written in linear and sequential text form—word after word—often with different parts presented in different documents.

Operationally, our goal is to provide analytics for greater transparency and clarification of cybersecurity policies and guidelines, specifically to:

  1. overcome the limitations of the conventional text-based form, 
  2. extract knowledge embedded in policy guidelines, and 
  3. assist the user community—analysts and operators—in their implementation.
“NIST-as-Lab” Test Case” Policies & Directives for Cybersecurity for Smart Grid of Electric Power Systems
“NIST-as-Lab:" test case of policies & directives for cybersecurity for smart grid of electric power systems.
Source: Choucri (2019).

Strategically, our goal is to construct a platform of new tools for application to policy directives, regulations, and guidelines across diverse domains and issue areas. The platform and tools are designed to enable users to explore mission-related system properties, issues, concerns, or contingencies.

The research design is shown below:

Research Design: Multi-methods data-based platform of analytics for cybersecurity.
Research design: multi-methods data-based platform of analytics for cybersecurity.
Source: Choucri (2019).

The proof-of-concept addresses the "hard problem" of Policy Governed Secure Collaboration, as defined by the Science of Security and Privacy Program.

Text to Data & Metrics to Models

Our "raw" database consists of major reports prepared by the National Institute for Standards and Technology (NIST) shown in the table below.

Cybersecurity Policy Ecosystem: Policy Data-Base for Smart Grid Cyber-Physical System
Cybersecurity policy ecosystem: policy database for smart grid cyber-physical system.
Source: Choucri (2019).

Clearly, considerable efforts are always being made to "mine" NIST materials; however, few initiatives explore the potential value-added of drawing on multi-methods for knowledge extraction and/or developing analytical tools to support user understanding of policy directives and analysis, identify vulnerabilities and impacts, and eventually, enable relevant action.

Policy Data Linkage Methods

We begin with constructing the "as-is," system-specific structured model from NIST analysis and network representation. In general, however, throughout this project we must draw on different policy documents. This means that we have to create an interface and linkage strategy.

The figure below shows both process and results to date:

  1. Method for Linked Database
  2. NIST Reference Model for Smart Grid
  3. Design Structure Matrix constructed (DSM) from NIST reference model
  4. Network model of smart grid derived from DSM
  5. Network model showing NIST specifications of security requirements and impact levels for Smart Grid model base

The figure below illustrates steps in the research design that model the "as-is" system state and further model generation. Much of the information required to take next steps is distributed across different policy documents.

Elements of Research Design (Simplified)
Elements of research design (simplified).
Source: Choucri (2020).

We are developing the method in an "experimental" mode. Once completed, the next challenge is to formalize our method of connecting policy documents. We are currently exploring a computational alternative.

Interim research reports of this ongoing project are available here.


Increasingly, we are beginning to recognize the challenges of securing the long chain of global communication infrastructure. Central to the overall global system is the complex network of undersea communication cables, the landing points, and the Internet Exchanges.

This research project explores the entire "long chain," presents some illustrative data, and puts forth a multi-method research design for the analysis of long-chain systems of information and/or communications technology, infrastructure, services, ownership, providers, and networks – both within a state and outside its jurisdiction – all essential for unimpeded global operations.

Global network of undersea communication cables and landing points.
Global network of undersea communication cables and landing points. 
Source: Choucri and Agarwal (2019).

We have developed a "proof-of-concept" inquiry for the data requirements essential to support end-to-end integrated research, along with highlights of some initial empirical analysis, with China as a case in point.

Preliminary results focusing on Securing the Long-Chain of Cyber-Physical Global Communication Infrastructure are available in Choucri and Agarwal (2019).


Almost everyone recognizes the salience of cyberspace as a fact of daily life. Given its ubiquity, scale, and scope, cyberspace has become a fundamental feature of the world we live in and has created a new reality for almost everyone in the developed world and, increasingly, for people in the developing world. This project provides an initial baseline for representing and tracking institutional responses to a rapidly changing international landscape, "real" as well as virtual. We argue that the current institutional landscape for managing security issues in the cyber domain has developed in major ways, but that it is still "under construction." We also expect institutions for cyber security to support and reinforce the contributions of information technology to the development process.

We begin with:

  1. highlights of international institutional theory and an empirical "census" of the institutions-in-place for cyber security, and then turn to
  2. key imperatives of information technology-development linkages and the various cyber processes that enhance developmental processes,
  3. major institutional responses to cyber threats and cyber crime as well as select international and national policy postures so critical for industrial countries and, increasingly, for developing states as well, and
  4. the salience of new mechanisms designed specifically in response to cyber threats.

For information, see: Choucri, Madnick, and Koepke (2017) and Choucri, Madnick, and Ferwerda (2014).


Control-point analysis explores power and influence dynamics among actors in the cyber and international relations realms. For example, the actors that actually manage and operate regions of the Internet are Internet service providers. Within their regions, they exercise ultimate control of the completion of connections; if they do not forward the digital information packets that make Internet transfers work, the operation fails. Other aspects of the Internet experience are controlled by other actors—those who develop operating systems, build browsers, make web content, and so on.

The challenge is to identify who does what, when, and how. The Figure below shows the result of our approach applied to China.

Control-point analysis of Chinese government attempts to control the Internet.
Points of control as used by the government of China.
Source: Choucri and Clark (2019, 202).
Note: Distinction between primary actor (e.g., the ISP) and the state is not illustrated.

Related is another issue, especially important in the China case, control over access points into China. The Figure below shows the result of China controls via autonomous systems, noted for April 2018 and verified as of August 2019.

Autonomous Systems (AS) nodes for Internet access in China.
Autonomous Systems (AS) nodes for Internet access in China. 
Source: Choucri and Agarwal (2019).
Note: Nodes in Red and Gray color indicate AS located within and outside China respectively.


As a dynamic, uncertain, and competitive environment, cyberspace presents unique challenges for defense and security. The overall risk is further compounded by the uncertainty that comes with persistent vulnerability. With foundations frequently resting upon technologies that were never designed for security, existing infrastructure still possesses undiscovered vulnerabilities, and new technology brings new, unknown avenues for malicious exploitation.

For cyber operators, this dynamic and uncertain nature of competition in cyberspace means that rapid technological responsiveness is a necessity. As such, capable cyber defense fundamentally depends on the ability to rapidly integrate new cyber technologies to out-adapt adversaries. Often the needed capabilities already exist and are employed in the private sector. A key challenge, then, for military cyber defenders is the quick acquisition and adoption of these innovations.

Our work in collaboration with colleagues in the U.S. Air Force led to three broad recommendations for reforming acquisitions policy to better meet the DoD's objective of delivering performance at the speed of relevance, especially in cyberspace. These are:

  1. Manage rather than avoid risk—especially time-based risk,
  2. Delegate authority to the lowest reasonable level, and
  3. Treat different problems differently.

The first of these is especially challenging for the purposes of operational analysis and applied analytics.