For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken

Cyber security is an continuing problem for governments, the private sector and individuals around the world. It is now unusual for more than a month to pass without news of a large and often significant cyber attack. For some victims these attacks are an annoyance while for others they are costly and result in compromised secrets, stolen proprietary designs or reputational damage. The May 2011 attacks against Sony's online PlayStation gaming networks were estimated to have cost 171 million dollars in damage and lost revenue. In the same month, American defence contractor Lockheed Martin suffered a serious breach that was facilitated by electronic identity tokens stolen in an earlier attack against security company RSA.

The litany of breaches, thefts and damage continues with ominous regularity, but why is cyber security such a difficult arena in which to make progress? Is it something that can be solved or must we learn to accept a measure of insecurity? In part, this is a problem made more acute by increasing social and technological complexity. Software, supply chains, social networks and more: the underpinning structures of our daily lives are increasingly interconnected and are interacting at greater speed, and a reliable cyberspace is an essential component of all of these. It is too expensive and disruptive to start with a clean slate every time a major overhaul is needed. We merely upgrade and add layers to the original model - whether it is the internet, a computer operating system or an electrical grid - until its complexity is too much for any one person to comprehend.

This complexity also means that accidents, oversights or malicious acts in cyberspace often produce cascading effects or unintended consequences, making substantive progress feels like a Sisyphean task. When things go wrong, the inherent fragility of our networks is laid bare for all to see. In addition, the number of actors or stakeholders involved in constructing, maintaining or using cyberspace is growing. This complicates the search for simple, swift or elegant solutions to cyber security problems, such as national or international agreement on norms of behaviour, jurisdictional disputes, and cyber crime and espionage.

Wickedness

Because of these factors and others, cyber security falls squarely into the category of a 'wicked problem'. First coined in 1973 by academics Professor Horst Rittel and Professor Melvin Webber, wicked problems tend to be found in the realm of public and policy planning, where social dynamics add complexity, and progress is often incremental and slow. Examples include climate change, narcotics trafficking, urban planning, gang crime, health care and cyber security. These problems resist easy definition (i.e. there is little or no shared understanding of the problem) and are complicated by independent or interdependent stakeholders, each of which advocates their own preferred definition and 'solution' to the problem.

However, wicked problems cannot be objectively solved; they can only be made better or worse. They are the opposite of 'tame' problems, such as producing a vaccine or building a skyscraper, which may be simple or complex, but which can be solved by applying standardised techniques or methods. A tame problem can be defined and it is clear when the problem-solving process is finished - when a bridge is completed or a mathematical theorem is proved - or when it has not been finished and further work is needed.

Wicked problems do not follow such a clear pattern. Gaining agreement on what the problem is seems hard enough when a dozen corporate board members, politicians or urban planners are seated around the table. But even when consensus has been achieved, implementation can be slow and frequent experimentation may be needed before any improvement is shown. Before progress can be measured the necessary resources may dry up, or a change in political or corporate leadership may cause the problem (or solution) to be redefined yet again. Wicked indeed...

A Framework for Complexity

The wicked problem framework is useful for clarifying and understanding the nature of complex problems that surround and frustrate us - cyber security being a prime example. It encourages deeper analysis as well as frequent experimentation with potential solutions. It rejects over-simplification and helps to explain why wicked problems tend to linger for years or decades, defying the best efforts of governments and societies.

Once the scale of a challenge like cyber security is made less opaque, the path is opened for creative ideas that more adequately address not just the symptoms but the root causes of the problem. The process of identifying wicked problems was described by Rittell and Webber in ten rules, which have subsequently been narrowed down to six by author and independent researcher Dr Jeff Conklin.

YOU DON'T UNDERSTAND THE PROBLEM UNTILYOU HAVE DEVELOPED A SOLUTION.

Every proposed solution for cyber security problems (e.g. cyber crime or espionage) reveals additional layers of the problem that add complexity (e.g. terminological inconsistency, non-existent legal structures, varying national interests). The process of searching for a solution reveals numerous stakeholders who define the problem differently and propose different solutions.

WICKED PROBLEMS HAVE NO STOPPING RULE.

The problem of cyber security can never be solved (i.e. total security of any network is a myth); it can only be made better or worse. Attempts to improve security or optimise the existing situation will vary depending on the availability of finite resources such as time, money, reputation and political will.

SOLUTIONS TO WICKED PROBLEMS ARE NOT RIGHT OR WRONG.

They are determined according to the individual stakeholder's values and interests. In cyberspace this is reflected in the subjective application of national or international law, or in the varying motivations of individual actors to tackle cyber security problems. A problem may transcend borders, but the resources devoted to the problem often fragment along national or corporate lines.

EVERY WICKED PROBLEM IS ESSENTIALLY UNIQUE AND NOVEL.

The social, political or cultural dynamics that underpin or exacerbate a problem vary widely. Cyber crime may appear to follow broadly similar patterns around the globe, but the motivations that drive it, the legal and political environments within which it takes place, and the resources available to address it vary significantly and cannot be generalised.

EVERY SOLUTION TO A WICKED PROBLEM IS A 'ONE-SHOT OPERATION'.

Every attempted solution produces side effects, some of which are unintended and may give rise to other problems. The larger the scale of the proposed solution the more its implementation will alter the fundamental nature of the problem (e.g. the decades-long American 'war on drugs', or proposals to re-engineer the internet for greater security). In addition, attempting to solve a wicked problem by defining it narrowly (to make it more 'manageable') will likely result in a solution equally insubstantial and insufficient.

WICKED PROBLEMS HAVE NO GIVEN ALTERNATIVE SOLUTIONS.

There are a host of options and potential solutions, and experience and creativity are needed to chart a path forward. This is especially pertinent given that each wicked problem is unique, and what worked last year or last month may be manifestly unsuitable today.

A WAY FORWARD?

Where does this leave us, when dealing with problems which have no objective solution? Merely describing the silhouette of a problem is not enough, and demonstrates a lack of imagination. There is real value in peeling back multiple layers in an attempt to reveal the true scale and scope of a problem, even if what is uncovered is unpleasant, messy and politically unpalatable. The wicked problem framework attempts to do this, in the process revealing not only hidden complexities but also the inherent insufficiency of simplistic solutions.

Low barriers to entry in cyberspace mean that anyone can participate according to their motivation and expertise. It allows the freedom for 'permissionless innovation', meaning that creation, destruction and disruption will occur with regularity. The early innovators and creators of cyberspace retain an advantage. But opportunities for substantive unilateral action, such as one country or corporation maintaining control or dictating the 'rules' of cyberspace, are diminishing as the domain becomes truly global and stakeholders multiply exponentially. For the foreseeable future, societies must learn to live with a level of insecurity (real or perceived) that is greater than that which we have become accustomed to in physical domains.

Cyber security is a means, not an end. And while greater security is possible in most corners of cyberspace, there is no law of nature that mandates swift or unbroken progress, regardless of political aspirations or corporate slogans. The United Nations Convention on the Law of the Sea continues a process that has been underway for more than three centuries, yet piracy still thrives in corners of the world. Simplifying a thorny, inter-connected issue like cyber security may be attractive in the short term but it cannot deliver lasting change. Only by acknowledging and attempting to understand the complexity of this wicked problem can progress be made.

 

Twitter: @ihavenet

 

 

Copyright © 2011 The World Today. All rights reserved.