Sunday, April 14, 2019

Why Is Breakthrough Innovation in Cyber Security So Hard?

Short answer: Innovation activities tend to focus on just a few pieces at a time, treating it as a simple problem. That doesn't create breakthroughs because the system* is too complicated.
* "system" = technology, information, people, processes, organizations, institutions, economics,...
In Sciences of the Artificial, Herbert Simon argued that most evolved systems (natural and artificial) were "partially decomposable" (if not fully decomposable) into units or subsystems that could be studied and understood in isolation. While cyber security is partially decomposable for many purposes, it is my conjecture that it is much less decomposable than we believe or desire.

What this means is that breakthrough innovations will depend on many, simultaneous inventions, including crossing system levels.

Innovation as Chemistry

One way to understand this is through the Theory of Autocatalytic Networks, borrowed from Biochemistry and imported into Sociology by John Padgett and Woody Powell in their book The Emergence of Organizations and Markets.

In chemistry, one type of molecule A has a catalytic effect on another B when the presence of A increases the production of B.  “Autocatalysis” is a complete loop of catalytic relationships  ABCA which creates a self-sustaining, self-stabilizing process.  Autocatalytic loops can be simple or complicated, and some autocatalytic loops are built from sets of simple autocatalytic loops.

In human society, organizations, and technology, you can think of “molecules” as being functional capabilities, not just behaviors or processes, and think of “catalysis” as coupling, not just input-output connections.  Coupling is ontological -- the definition and structure of B depends upon A, so if A changes, then B either has to change or is no longer functional.  Think of “autocatalytic loop” as closure or completeness of functional coupling.

With this theoretical lens, we can define invention as the creation of new autocatalytic cycles, and sometimes breaking or modifying existing autocatalytic cycles.  We might imagine the invention process as the “ecological soup” in which reactive processes take place, including experiments, accidents (happy or sad), and purposeful research.

The Appeal of Simple Solutions

This diagram shows how people usually think about making innovation in cyber security: "It’s a simple matter of inventing two or three things and connecting them together in creative ways and ... BANG! INNOVATION!"

Sadly, no.

A simple 3 molecule auto-catalytic network.  Arrows are catalytic relations.
From the last few years, here are a few tag lines of so-called "breakthrough innovations" that were highly touted but didn't change things fundamentally:
  • "Provable Security"
  • "End-to-end encryption"
  • "AI and/or machine learning for anomaly detection/prevention/whatever"
  • "Cyber insurance for everyone"
  • "National Cyber Leap Year" -- my analysis

When the Going Gets Complicated

Here is what a breakthrough innovation will probably look like (but we don’t really know in detail):
A complicated autocatalytic network that doesn't easily decompose into simple networks.

A Practical Example

Let me move out of the theoretical and conceptual, and look at a practical example showing the interrelations between necessary inventions.  (Please excuse me for skipping over many details and not providing references.)
  1. It has been recognized for over 10 years that misaligned and missing incentives is a root cause, but ...
  2. ... this requires better security metrics, including aggregate metrics, ...
  3. ... including methods for quantifying risk and ... 
  4. ... aggregating risk at a business unit or enterprise level in economic units (e.g. risk capital $) along with ...
  5. ... innovation in incentive instruments, because existing incentive instruments don't cut it.  This all requires ...
  6. ... innovation in how we measure and manage security performance, including capability building and learning, which of course depends on...
  7. ... better models of adversarial innovation, because we may be in a Red Queen arms race with adversaries, so simple improvements may leave us falling behind.
  8. All this has to translate into major changes in human behavior at all levels,  so we need innovation in framing, nudges, norm-formation, etc.
I'll stop here, but notice that I haven't even brought in the technology and information aspects of cyber security.  

To be clear, I am not arguing that everything is connected to everything else and no innovation is possible unless we research everything.  That's too extreme and hopeless.  I am just saying the breakthrough innovations will look much more like the bottom diagram than the top diagram.


Achieving this type of sophisticated set of interdependent inventions will probably require processes that “smash together” talent, ideas, and resources that don’t easily work together, in a concentrated way to sustain these complex loops.

1 comment: