Essential cybersecurity science build test and evaluate secure systems 1st edition josiah dykstra -
Essential Cybersecurity Science Build Test and Evaluate Secure Systems 1st Edition Josiah Dykstra
Visit to download the full and correct content document: https://textbookfull.com/product/essential-cybersecurity-science-build-test-and-evaluat e-secure-systems-1st-edition-josiah-dykstra/
More products digital (pdf, epub, mobi) instant download maybe you interests ...
Privacy, Regulations, And Cybersecurity: The Essential Business Guide Chris Moschovitis
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
Editors: Rachel Roumeliotis and Heather Scherer
Production Editor: Melanie Yarbrough
Copyeditor: Gillian McGarvey
Proofreader: Susan Moritz
Indexer: Lucie Haskins
Interior Designer: David Futato
Cover Designer: Ellie Volkhausen
Illustrator: Rebecca Demarest
December 2015: First Edition
Revision History for the First Edition
2015-12-01: First Release
See http://oreilly.com/catalog/errata.csp?isbn=0636920037231 for release details.
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc.
EssentialCybersecurityScience,the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.
While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work
are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights. This book is not intended as legal advice. Please consult a qualified professional if you require legal advice.
978-1-491-92094-7
Preface
Who This Book Is For
Science applies to many areas of cybersecurity, and the target audience for this book is broad and varied. This book is particularly for developers, engineers, and entrepreneurs who are building and evaluating cybersecurity hardware and software solutions. Among that group, it is for infosec practitioners such as forensic investigators, malware analysts, and other cybersecurity specialists who use, build, and test new tools for their daily work. Some will have programming experience, others a working knowledge of various security tools (EnCase for forensics, Wireshark for network analysis, IDA Pro for reverse engineering, and so on). The scientific method can be applied to all of these disciplines. Cybersecurity science can be applied to everyday problems, including:
Testing for bugs in your new smartphone game
Defending corporate security choices given a limited budget
Convincing people that your new security product is better than the competition’s
Balancing intrusion detection accuracy and performance
The core audience is information security professionals who have worked in the field for 5−10 years, who are becoming experts in their craft and field, who are not formally trained in or exposed to scientific investigation in their daily lives, and who desire to learn a new approach that supplements and improves their work. I want you to walk away from this book knowing how to conduct scientific experiments on your everyday tools and procedures, and knowing that after conducting such experiments, you have done your job more securely, more accurately, and more effectively. This book is not intended to turn you into a scientist, but it will introduce you to the discipline of scientific thinking. For those new to the field, including students of cybersecurity, this book will help you
learn about the scientific method as it applies to cybersecurity and how you can conduct scientific experiments in your new profession. For nondevelopers involved in cybersecurity, such as IT security administrators who use, evaluate, buy, and recommend security solutions for the enterprise, this book will help you conduct hands-on experiments and interpret the scientific claims of others.
What This Book Contains
The first three chapters contain general information about the scientific method as it applies across many domains of cybersecurity. They cover the basic tenets of science, the need for science in cybersecurity, and the methodology for scientific investigation. Chapter 1 covers the scientific method and the importance of science to cybersecurity. Chapter 2 discusses the prerequisites needed to conduct cybersecurity experiments, from asking good questions to putting the results to work. It also includes a checklist to help you construct your own experiments. Chapter 3 includes practical details about experimentation including test environments and open datasets.
The remaining chapters are organized into standalone, domainspecific topics. You can read them individually, although new scientific topics and techniques in these chapters are applicable to other domains. These chapters explore how the scientific method can be applied to the specific topics and challenges of each domain. Each topic chapter contains an overview of the scientific pursuits in that domain, one instructive example of a scientific experiment in that field, introduction of an analysis method (which can be applied to other domains), and a practical example of a simple, introductory experiment in that field that walks through the application of the scientific method.
Chapter 4 is about cybersecurity science for software assurance, including fuzzing and adversarial models.
Chapter 5 covers intrusion detection and incident response, and introduces error rates (false positives and false negatives) and performance/scalability/stress testing.
Chapter 6 focuses on the application of science to cyber situational awareness, especially using machine learning and big data.
Chapter 7 covers cryptography and the benefits and limitations of provably secure cybersecurity.
Chapter 8 is about digital forensics including scientific reproducibility and repeatability.
Chapter 9, on malware analysis, introduces game theory and malware clustering.
Chapter 10 discusses building and evaluating dependable systems with security engineering.
Chapter 11 covers empirical experimentation for human-computer interaction and security usability.
Chapter 12 includes techniques for the experimental evaluation of security visualization.
Appendix A provides some additional information about evaluating scientific claims, especially from vendors, and how people can be misled, manipulated, or deceived by real or bogus science. There is also a list of clarifying questions that you can use with salespeople, researchers, and product developers to probe the methodology they used.
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
TIP
This element signifies a tip or suggestion.
NOTE
This element signifies a general note.
CAUTION
This element indicates a warning or caution.
Safari® Books Online
NOTE
Safari Books Online (www.safaribooksonline.com) is an on-demand digital library that delivers expert content in both book and video form from the world’s leading authors in technology and business. Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.
Safari Books Online offers a range of plans and pricing for enterprise, government, and education, and individuals.
Members have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, AddisonWesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and hundreds more. For more information about Safari Books Online, please visit us online.
How to Contact Us
Please address comments and questions concerning this book to the publisher:
O’Reilly Media, Inc.
1005 Gravenstein Highway North Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://bit.ly/essential-cybersecurity-science.
To comment or ask technical questions about this book, send email to bookquestions@oreilly.com.
For more information about our books, courses, conferences, and news, see our website at http://www.oreilly.com.
Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://www.youtube.com/oreillymedia
Disclaimer
The views expressed in this book are those of the author alone. Reference to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, do not necessarily constitute or imply endorsement, recommendation, or favoring by the United States Government or the Department of Defense.
Acknowledgments
My sincere thanks go to Rachel Roumeliotis, Heather Scherer, Nan Barber, and the entire team at O’Reilly for helping me through the editing and publication process. I am grateful to the brilliant and honest technical reviewers, Michael Collins and Matt Georgy, who improved many facets of the book. Thank you to my friends and colleagues who provided feedback and support on this project: Janelle Weidner Romano, Tim Leschke, Celeste Lyn Paul, Greg Shannon, Brian Sherlock, Chris Toombs, Tom Walcott, and Cathy Wu. I also wish to thank the community of friends, colleagues, and strangers that I interacted with at conferences, meetings, and workshops on cybersecurity science over the past few years, especially LASER, CSET, and HoTSoS. These conversations helped influence and contribute to many of the ideas in this book. Most importantly, thank you to my wife Alicia for her love and encouragement in this project and in all things.
Chapter 1. Introduction to Cybersecurity Science
This chapter will introduce the concept—and importance—of cybersecurity science, the scientific method, the relationship of cybersecurity theory and practice, and high-level topics that relate to science, including human factors and metrics.
Whether you’re a student, software developer, forensic investigator, network administrator, or have any other role in providing cybersecurity, this book will teach you the relevant scientific principles and flexible methodologies for effective cybersecurity. EssentialCybersecuritySciencefocuses on real-world applications of science to your role in providing cybersecurity. You’ll learn how to conduct your own experiments that can evaluate assurances of security.
Let me offer a few reasons why science is worth the trouble.
Science is respected. A majority of the population sees value in scientific inquiry and scientific results. Advertisers appeal to it all the time, even if the science is nonsensical or made up. People will respect you and your work in cybersecurity if you demonstrate good science. “In the past few years, there has been significant interest in promoting the idea of applying scientific principles to information security,” said one report.1 Scientific research can help convince your audience about the value of a result.
Science is sexy. In addition to respect, many nonscientists desire to understand and be part of a field they admire. Once perceived as dry, boring, and geeky, science is becoming a thing of admiration, and more and more people want to be identified with it.
Science provokes curiosity. Information security (infosec) professionals are curious. They ask good questions and crave information, as evidenced by the increasing value being placed on data science. Science is a vehicle for information, and answers stimulate more questions. Scientific inquiry brings a deeper understanding about the cybersecurity domain.
Science creates and improves products. In the commercial space, the market drives cybersecurity. Scientific knowledge can improve existing products and lead to groundbreaking innovation and applications. For infosec decision-makers, the scientifc method can make product evaluations defensible and efficient.
Science advances knowledge. Science is one of the primary ways that humans unearth new knowledge about the world. Participants in science have the opportunity to contribute to the body of human understanding and advance the state of the art. In cybersecurity in particular, science will help prove practices and techniques that work, moving us away from today’s practice of cybersecurity “folk wisdom.”
Scientific experimentation and inquiry reveal opportunities to optimize and create more secure cyber solutions. For instance, mathematics alone can help cryptographers determine how to design more secure crypto algorithms, but mathematics does not govern the process of how to design a useful network mapping visualization. Visualization requires experimentation and repeatable user studies. Validation in this context is more like justification for design choices. What is the optimal sampling rate for NetFlow in my situation? Trying to answer that question and maximize the validity of the answer is a scientific endeavor. Furthermore, you can learn and apply lessons from what others have done in the past.
What Is Cybersecurity Science?
Cybersecurityscienceis an important aspect of the understanding, development, and practice of cybersecurity. Cybersecurityis a broad category, covering the technology and practices used to protect computer networks, computers, and data from harm. People throughout industry, academia, and government all use formal and informal science to create and expand cybersecurity knowledge. As a discipline, the field of cybersecurity requires authentic knowledge to explore and reason about the “how and why” we build or deploy security controls.
When I talk about applying science and the scientific method to cybersecurity, I mean leveraging the body of knowledge about cybersecurity (science) and a particular set of techniques for testing a hypothesis against empirical reality (the scientific method).
THE MANY WAYS TO OBTAIN KNOWLEDGE
Scientific investigation is not the only way to obtain knowledge. Among the non-scientific methods can be common sense, intuition, and deduction.
Common sense describes knowledge that most people have in common, often relating to human experiences. Intuition is the acquisition of knowledge without conscious reasoning. Deduction uses given premises to reach conclusions (e.g., All men are mortal. Einstein is a man. Therefore, Einstein is mortal). Mathematics is deductive, because axioms are assumed to be true without being tested.
In his book What Engineers Know andHow They Know It, Walter Vincenti identified six categories of engineering knowledge that seem to apply to cybersecurity:
Fundamental design concepts
Criteria and specifications
Theoretical tools
Quantitative data
Practical considerations
Design instrumentalities
Another naive, but sadly common, method of advancing cybersecurity science is by uninformed and untested guessing. We guess about what users want tools to do. We guess about what to buy and how to deploy cybersecurity solutions. Guessing is uninformed and ineffective, and while it may appear to advance security, it is difficult to defend and often fails miserably.
Unfortunately, science has a reputation for being stuffy and cold, and something that only people in white lab coats are excited about.
As a cybersecurity practitioner, think of science as a way to explore your curiosity, an opportunity to discover something unexpected, and a tool to improve your work.
You benefit every day from the experimentation and scientific investigation done by people in cybersecurity. To cite a few examples:
Microsoft Research provides key security advances for Microsoft products and services, including algorithms to detect tens of millions of malicious Hotmail accounts.
Government and private researchers created Security-enhanced Linux.
Research at Google helps improve products such as Chrome browser security and YouTube video fingerprinting.
Symantec Research Labs has contributed new algorithms, performance speedups, and products for the company.
Cybersecurity is an appliedscience. That is, people in the field often apply known facts and scientific discoveries to create useful applications, often in the form of technology. Other forms of science include natural science (e.g., biology), formal science (e.g., statistics), and social science (e.g., economics). Cybersecurity overlaps and is influenced by connections with social sciences such as economics, sociology, and criminology.
WHAT ABOUT THE ART OF CYBERSECURITY?
You might be asking yourself, “Science is great, but what about the art of cybersecurity?” The word art connotes skill in doing something, especially as the result of knowledge or practice. There is art in becoming an expert at reverse engineering and malware analysis because skill, practice, and experience make practitioners better at those tasks.
Changing passwords every 30 or 90 days is an example of cybersecurity folk wisdom, or something people consider a “best practice” to use as a default policy, particularly people who lack the data or training for their own risk assessment. However, the art and practice of password management leads to different conclusions. Password strength is based on mathematical properties of the encryption algorithms used and the strength of modern computers. There is debate even among the world’s infosec experts about the benefits of website “password meters” and password expiration.
Art is one way to handle the ever-changing assumptions and landscape in cybersecurity. Take address space layout randomization (ASLR), for example. ASLR is a technique of randomizing code in memory to prevent buffer overflow attacks. Researchers have been studying the effectiveness and shortcomings of this technique for years. One frequently cited paper from 2004 experimentally showed a way to de-randomize memory even under ASLR. This example illustrates the change in knowledge over time.2
Like applied science, cybersecurity science often takes the form of applied research—the goal of the work is to discover how to meet a specific need. For example, if you wanted to figure out how to tune your intrusion detection system, that could be an applied research project.
The Importance of Cybersecurity Science
Every day, you as developers and security practitioners deal with uncertainty, unknowns, choices, and crises that could be informed by scientific methods. You might also face very real adversaries who are hard to reason about. According to a report on the science of cybersecurity, “There is every reason to believe that the traditional domains of experimental and theoretical inquiry apply to the study of
cyber-security. The highest priority should be assigned to establishing research protocols to enable reproducible experiments.”3
To get started, look at the following examples of how cybersecurity science could be applied to practical cybersecurity situations:
Your job is defending your corporate network and you have a limited budget. You’ve been convinced by a new security concept called Moving Target Defense, which says that controlling change across multiple system dimensions increases uncertainty and complexity for attackers. Game theory is a scientific technique well-suited to modeling the arms race between attackers and defenders, and quantitatively evaluating dependability and security. So you could try setting up an experiment to determine how often you’ll have to apply moving target defense if you think the attacker will try to attack you 10 times a day.
As a malware analyst, you are responsible for writing intrusion detection system (IDS) signatures to identify and block malware from entering your network. You want the signature to be accurate, but IDS performance is also important. If you knew how to model the load, you could write a program to determine the number of false negatives for a given load.
You’ve written a new program that could revolutionize desktop security. You want to convince people that it’s better than today’s antivirus. You decide to run analysis to determine whether people will buy your software, by comparing the number of compromises when using your product versus antivirus and also factoring in the cost of the two products. This is a classical statistical gotcha because you’ve introduced two incompatible variables (compromises detected and dollars).
You’ve developed a smartphone game that’s taking off in the marketplace. However, users have started complaining about the app crashing randomly. You would be wise to run an experiment with a random “monkey” that ran your app over and over,
pressing buttons in different sequences to help identify which code path leads to the crash.
Cybersecurity requires defenders to think about worst-case behaviors and rare events, and that can be challenging to model realistically. Cybersecurity comprises large, complex, decentralized systems—and scientific inquiry dislikes complexity and chaos. Cybersecurity must deal with inherently multiparty environments, with many users and systems. Accordingly, it becomes difficult to pinpoint the important variable(s) in an experiment with these complex features.
Cybersecurity is complex because it is constantly changing. As soon as you think you’ve addressed a problem, the problem or the environment changes. Amazon, which has reportedly sold as many as 306 items per second, commissioned a study to determine how many different shaped and sized boxes they needed. The mostly mathematical study went on for over a year and the team produced a recommendation. The following day, Amazon launched an identical study to re-examine the exact same problem because buyers’ habits had changed and people were buying different sized and shaped goods. Cybersecurity, like shopping habits, is a constantly changing problem, as evidenced by dynamic Internet routing and the unpredictable demand on Internet servers and services.
Science isn’t just about solving problems by confirming hypotheses; science is also about falsifiability. Instead of proving a scientific hypothesis correct, the idea is to disprove a hypothesis. This scientific philosophy came in Karl Popper’s 1935 book TheLogicof ScientificDiscovery. Popper used falsifiability as the demarcation criterion for science but noted that science often proceeds based on claims or conjectures that cannot (easily) be verified. If something is falsifiable, that doesn’t mean that it is false. It means that if the hypothesis were false, then you could demonstrate its falsehood. For example, if a newspaper offers the hypothesis “China is the biggest cyber threat,” that claim is nonfalsifiable because you can’t prove it
wrong. Perhaps it is based on undisclosed evidence. If the statement is wrong, all you will ever find is an absence of evidence. There is no way to empirically test the hypothesis.
Central motivations for the scientific method are to uncover new truths and to root out error, common goals shared with cybersecurity. Science has been revealing insights into “what if” questions for thousands of years. Businesses need new products and innovations to stay alive, and science can produce amazing and sometimes unexpected results to create and improve technology and cybersecurity. Science can also provide validation for the work you do by showing—even proving—that your ideas and solutions are better than others. If you choose to present your findings in papers or at conferences, you also receive external validation from your peers and contribute to the global body of knowledge.
Think about how much science plays a part at Google, even aside from security. The 1998 paper Google published on the PageRank algorithm described a novel idea that launched a $380 billion company. Today, Google researchers publish dozens of papers on security every year and those results inform security in their products and services, from Android to Gmail. Scientific advances conducted inside and outside the company undoubtedly save and make money for Google.
Lastly, learning science consists, in part, of learning the language of science. Once you learn the language, you’ll be better equipped to understand scientific conversations and papers. You will also have the ability to more clearly communicate your results to others, and it’s more likely that other amateur and professional scientists will respect your work.
The Scientific Method
The scientific method is a structured way of investigating the world. This group of techniques can be used to gain knowledge, study the
state of the world, correct errors in current knowledge, and integrate facts. Importantly for us, the scientific method contributes to a theoretical and practical understanding of cybersecurity.
Our modern understanding of the scientific method stems from Francis Bacon’s NovumOrganum(1620) and the work of Descartes, though others have refined the process since then. The Oxford English Dictionary defines the scientific method as “a method of observation or procedure based on scientific ideas or methods; specifically an empirical method that has underlain the development of natural science since the 17th century.” An empiricalmethodis one in which the steps are based on observation, investigation, or experimentation.
At its heart, the scientific method contains only five essential elements:
1. Formulating a question from previous observations, measurements, or experiments
2. Induction and formulation of hypotheses
3. Making predictions from the hypotheses
4. Experimental testing of the predictions
5. Analysis and modification of the hypotheses
These steps are said to be systematic. That is to say, they are conducted according to a plan or organized method. If you jump around the steps in an unplanned way, you will have violated the scientific method. In Chapter 2 we will discuss how to do each of these five steps.
There are also five governing principles of the scientific method. These principles are:
1. Objective. A fair, objective experiment is free from bias and considers all the data (or a representative sample), not just data that validates your hypothesis.
2. Falsifiable. It must be possible to show that your hypothesis is false.
3. Reproducible. It must be possible for you or others to reproduce your results.4
4. Predictable. The results from the scientific method can be used to predict future outcomes in other situations.
5. Verifiable. Nothing is accepted until verified through adequate observations or experiments. It’s interesting that the scientific method isn’t on the computer science curriculum in graduate school or computer security professional certifications. Many students and professionals haven’t considered the scientific method since grade school and no longer remember how to apply it to their profession. However, the problem may be systemic. Take performance, for example. Say you have a malware detection tool and want to analyze 1,000 files. A theoretical computer scientist might look at your malware detection algorithm and say, “the asymptotic bounds of this algorithm are O(n2) time,” meaning it belongs to a group of algorithms whose performance corresponds to the square of the size of the input. Informative, huh? It might be, but it masks implementation details that actually matter to the amount of wall clock time the algorithm takes in practice.
There are many research designs to choose from in the scientific method. The one you pick will be primarily based on the information you want to collect, but also on other factors such as cost. This book mainly focuses on experimentation, but other research methods are shown in Table 1-1.
Table1-1.Typesofoutputforvariousresearch methods
Research method
Case study
Aim of the study
Observe and describe
Research method
Survey
Natural environment observation
Longitudinal study
Observation study
Field experiment
Double-blind experiment
Literature review
Aim of the study
Observe and describe
Observe and describe
Predict
Predict
Determine causes
Determine causes
Explain
The way you approach cybersecurity science depends on you and your situation. What if you don’t have the time or resources to do precise scientific experiments? Is that OK? It probably depends on the circumstances. If you build software that is used in hospitals or nuclear command and control, I hope that science is an important part of the process. Scientists often talk about scientificrigor. Rigor is related to thoroughness, carefulness, and accuracy. Rigor is a commitment to the scientific method, especially in paying attention to detail and being unbiased in the work.
Cybersecurity Theory and Practice
“In theory, there is no difference between theory and practice. In practice, there is.”5 So goes a quote once overheard at a computer science conference. The contention of theory versus practice long predates cybersecurity. The argument goes that practitioners don’t understand fundamentals, leading to suboptimal practices, and theorists are out of touch with real-world practice. Research and science often emerge following practical developments. “The steam engine is a perfect example,” writes Dr. Henry Petroski. “It existed well before there was a science of thermodynamics to explain what was happening from a theoretical
point of view. The Wright Brothers designed a plane before there was a theory of aerodynamics.” Cybersecurity may follow a similar trajectory, with empiricists running a bit ahead of theorists.
The application of theory into practice has direct impact on our lives. Consider approaches to protecting a system from denial-of-service attacks. In theory, it is impossible to distinguish between legitimate network traffic and malicious traffic because malicious traffic can imitate legitimate traffic so effectively. In practice, an administrator may find a pattern or fingerprint in attack traffic allowing her to block only the malicious traffic.
One reason for the disconnect between theory and practice in cybersecurity is that there are few axioms in security. Despite decades of work in cybersecurity, the community has failed to uncover the building blocks that you might expect from a mature field. In 2011, the US government published “Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program”. As a result of this strategy, the government created the Science of Security Virtual Organization (SoS VO) to research “first principles and the fundamental building blocks for security and trustworthiness.” The NSA now funds academic research groups called “lablets” to conduct research aimed at “establishing scientific principles upon which to base trust in security” and “to bring scientific rigor to research in the cybersecurity domain.” This work aims to improve cybersecurity theory, which will hopefully in turn translate into practical cybersecurity implementations.
NOTE
Axioms are assumptions which are generally accepted as truth without proof. The mathematical axiom of transitivity says if x=y and y=z then x=z.
Pseudoscience
A word of caution: science can be used for good, but it can also be deceiving if misused, misapplied, or misunderstood. Pseudoscience, on the other hand, is a claim or belief that is falsely presented or mistakenly regarded as science. Theories about the Bermuda Triangle are pseudoscience because they are heavily dependent on assumptions. Beware of misinterpretation and inflation of scientific findings. Popular culture was largely misled by the media hype over the “Mozart effect,” which stemmed from a paper showing increased test scores in students who listened to a Mozart sonata.
Michael Gordin, a Princeton historian of science, wrote in his book ThePseudoscienceWars(University of Chicago Press, 2012), “No one in the history of the world has ever self-identified as a pseudoscientist.” Pseudoscience is something that we recognize after the work has been done. You should learn to recognize the markers of pseudoscience in other people’s work and in your own.
For more cautionary notes on scientific claims, especially in marketing, see Appendix A.
Human Factors
Science is a human pursuit. Even when humans are not the object of scientific investigation, as they often are in biology or psychology, humans are the ones conducting all scientific inquiry including cybersecurity. The 2015 Verizon Data Breach Investigations Report pointed out that “the common denominator across the top four [incident] patterns—accounting for nearly 90% of all incidents—is people.” This section introduces the high-level roles for humans in cybersecurity science and the important concept of recognizing human bias in science.
Roles Humans Play in Cybersecurity Science
Humans play a role in cybersecurity science in at least four ways: Humans as developers and designers. We will be talking a lot about cybersecurity practitioners in their roles thinking and acting as scientists.
Humans as users and consumers. Humans as users and consumers often throw a wrench into cybersecurity. Users are commonly described as the weakest link in cybersecurity.
Humans as orchestrators and practitioners. Our goal is to defend a network, data, or users, and we decide how to achieve the desired goal. Defenders must be knowledgeable of the environment, the tools at their disposal, and the state of security at a given time. Human defenders bring their own limitations to cyber defense, including their incomplete picture of the environment and their human biases.
Humans as active adversaries. Human adversaries can be unpredictable, inconsistent, and irrational. They are difficult to attribute definitively, and they masquerade and hide easily online. Worse, the best human adversaries abandon specific attacks more quickly than defenders like you can discover them. Scientific inquiry in chemistry and physics have no analogous opponent.
NOTE
For a very long time, scientific inquiry was a solo activity. Experiments were done by individuals, and papers were published by a single author. However, by 2015, 90% of all science publications were written by two or more authors.6 Today there is too much knowledge for one person to possess on his or her own. Collaboration and diversity of thought and skill make scientific results more interesting and more useful. I strongly encourage you to collaborate in your pursuit of science, and especially with people of different skills.
Human Cognitive Biases
Cognitive errors and human cognitive biases have the potential to greatly affect objective scientific study and results. Biasis an often misused term that when used correctly, describes irrational, systematic errors that deviate from rational decisions and cause inaccurate results. Bias is not the same as incompetence or corruption, though those also interfere with neutral scientific inquiry. Below are three biases that are especially useful to beware of as you think about science.
Confirmationbiasis the human tendency toward searching for or interpreting information in a way that confirms one’s preconceptions, beliefs, or hypotheses, leading to statistical errors. This bias is often unconscious and unintentional rather than the result of deliberate deception. Remember that scientific thinking should seek and consider evidence that supports a hypothesis as well as evidence that falsifies the hypothesis. To avoid confirmation bias, try to keep an open mind and look into surprising results if they arise. Don’t be afraid to prove yourself wrong. Confirmation bias prevents us from finding unbiased scientific truths, and contributes to overconfidence.
Daniel Kahneman, author of ThinkingFastandSlow, uses the acronym WYSIATI, for “what you see is all there is,” to describe overconfidencebias. Kahneman says that “we often fail to allow for the possibility that evidence that should be critical to our judgment is missing—what we see is all there is.” Without conscious care, there is a natural tendency to deal with the limited information you have as if it were all there is to know.
Cybersecurity is shaped in many ways by our previous experiences and outcomes. For example, looking back after a cybersecurity incident, our CEO might assign a higher probability that we “should have known” compared to the choices made before the incident occurred. Hindsightbiasleads people to say “I knew that would happen” even when new information distorts an original thought.
Hindsight also causes us to undervalue the element of surprise of scientific findings.
As you pursue science and scientific experimentation, keep biases in mind and continually ask yourself whether or not you think a bias is affecting your scientific processes or outcomes.
The Role of Metrics
It’s easy to make a mental mistake by substituting metrics for science. Managers like metrics—the analysis of measurements over time—because they think these numbers alone allow them to determine whether the organization is secure or succeeding. Sometimes metrics really are called for. However, counting the number of security incidents at your company is not necessarily an indication of how secure or insecure the company is. Determining the percentage of weak passwords for your users is a metric but not also a scientific inquiry. As we will see in Chapter 2, hypotheses are testable proposed explanations like “people take more risks online than in their physical lives.”
Don’t get me wrong: most experiments measure something! Metrics can be part of the scientific process if they are used to test a hypothesis. The topic of security metrics may also be the foundation for scientific exploration. The point is not to be fooled by believing that metrics alone can be substituted for science. To learn more about the active field of security metrics, visit SecurityMetrics.org, which hosts an active mailing list and annual conference.
Conclusion
The key concepts and takeaways about the scientific method presented in this chapter and used throughout the book are: Cybersecurity science is an important aspect of the understanding, development, and practice of cybersecurity.
Another random document with no related content on Scribd:
"Intrusted by the people for a second time with the office of President, I enter upon its administration appreciating the great responsibilities which attach to this renewed honor and commission, promising unreserved devotion on my part to their faithful discharge and reverently invoking for my guidance the direction and favor of Almighty God. I should shrink from the duties this day assumed if I did not feel that in their performance I should have the cooperation of the wise and patriotic men of all parties. It encourages me for the great task which I now undertake to believe that those who voluntarily committed to me the trust imposed upon the chief executive of the republic will give to me generous support in my duties to 'preserve, protect and defend the constitution of the United States,' and to 'care that the laws be faithfully executed.' The national purpose is indicated through a national election. It is the constitutional method of ascertaining the public will. When once it is registered it is a law to us all, and faithful observance should follow its decrees.
"Strong hearts and helpful hands are needed, and fortunately we have them in every part of our beloved country. We are reunited. Sectionalism has disappeared. Division on public questions can no longer be traced by the war maps of 1861. These old differences less and less disturb the judgment. Existing problems demand the thought and quicken the conscience of the country, and the responsibility for their presence as well as for their righteous settlement rests upon us all, no more upon me than upon you. There are some national questions in the solution of which patriotism should exclude partisanship. Magnifying their difficulties will not take them off our hands nor facilitate their adjustment. Distrust of the capacity, integrity and high purpose of the American people will not be an inspiring theme for future political contests. Dark pictures and gloomy forebodings are worse than useless. These only becloud, they do not help to point the way of safety and honor. 'Hope maketh not ashamed.'
{681}
"The prophets of evil were not the builders of the republic, nor in its crises have they saved or served it. The faith of the fathers was a mighty force in its creation, and the faith of their descendants has wrought its progress and furnished its defenders. They are obstructionists who despair and who would destroy confidence in the ability of our people to solve wisely and for civilization the mighty problems resting upon them. The American people, intrenched in freedom at home, take their love for it with them wherever they go, and they reject as mistaken and unworthy the doctrine that we lose our own liberties by securing the enduring foundations of liberty to others. Our institutions will not deteriorate by extension, and our sense of justice will not abate under tropic suns in distant seas.
"As heretofore so hereafter will the nation demonstrate its fitness to administer any new estate which events devolve upon it, and in the fear of God will 'take occasion by the hand and make the bounds of freedom wider yet.' If there are those among us who would make our way more difficult we must not be disheartened, but the more earnestly dedicate ourselves to the task upon which we have rightly entered. The path of progress is seldom smooth. New things are often found hard to do. Our fathers found them so. We find them so. They are inconvenient. They cost us something. But are we not made better for the effort and sacrifice, and are not those we serve lifted up and blessed?
"We will be consoled, too, with the fact that opposition has confronted every onward movement of the republic from its opening hour until now, but without success. The republic has marched on and on, and its every step has exalted freedom and humanity. We are undergoing the same ordeal as did our predecessors nearly a century ago. We are following the course
they blazed. They triumphed. Will their successors falter and plead organic impotency in the nation? Surely after one hundred and twenty-five years of achievement for mankind we will not now surrender our equality with other Powers on matters fundamental and essential to nationality. With no such purpose was the nation created. In no such spirit has it developed its full and independent sovereignty. We adhere to the principle of equality among ourselves, and by no act of ours will we assign to ourselves a subordinate rank in the family of nations.
"My fellow citizens, the public events of the last four years have gone into history. They are too near to justify recital. Some of them were unforeseen; many of them momentous and far reaching in their consequences to ourselves and our relations with the rest of the world. The part which the United States bore so honorably in the thrilling scenes in China, while new to American life, has been in harmony with its true spirit and best traditions, and in dealing with the results its policy will be that of moderation and fairness.
"We face at this moment a most important question that of the future relations of the United States and Cuba. With our near neighbors we must remain close friends. The declaration of the purposes of this government in the resolution of April 20, 1898, must be made good. Ever since the evacuation of the island by the army of Spain the Executive with all practicable speed has been assisting its people in the successive steps necessary to the establishment of a free and independent government prepared to assume and perform the obligations of international law, which now rest upon the United States under the Treaty of Paris. The convention elected by the people to frame a constitution is approaching the completion of its labors. The transfer of American control to the new government is of such great importance, involving an obligation resulting from our intervention and the treaty of peace, that I am glad to be advised by the recent act of Congress of the policy
which the legislative branch of the government deems essential to the best interests of Cuba and the United States. The principles which led to our intervention require that the fundamental law upon which the new government rests should be adapted to secure a government capable of performing the duties and discharging the functions of a separate nation, of observing its international obligations, of protecting life and property, insuring order, safety and liberty, and conforming to the established and historical policy of the United States in its relation to Cuba.
"The peace which we are pledged to leave to the Cuban people must carry with it the guarantees of permanence. We became sponsors for the pacification of the island, and we remain accountable to the Cubans no less than to our own country and people for the reconstruction of Cuba as a free commonwealth, on abiding foundations of right, justice, liberty and assured order. Our enfranchisement of the people will not be completed until free Cuba shall 'be a reality, not a name a perfect entity, not a hasty experiment, bearing within itself the elements of failure.'
"While the treaty of peace with Spain was ratified on February 6, 1899, and ratifications were exchanged nearly two years ago, the Congress has indicated no form of government for the Philippine Islands. It has, however, provided an army to enable the Executive to suppress insurrection, restore peace, give security to the inhabitants and establish the authority of the United States throughout the archipelago. It has authorized the organization of native troops as auxiliary to the regular force. It has been advised from time to time of the acts of the military and naval officers in the islands, of my action in appointing civil commissions, of the instructions with which they were charged, of their duties and powers, of their recommendations and of their several acts under Executive commission, together with the very complete general information they have submitted.
"These reports fully set forth the conditions, past and present, in the islands, and the instructions clearly show the principles which will guide the Executive until the Congress shall, as it is required to do by the treaty, determine 'the civil rights and political status of the native inhabitants.' The Congress having added the sanction of its authority to the powers already possessed and exercised by the Executive under the constitution, thereby leaving with the Executive the responsibility for the government of the Philippines, I shall continue the efforts already begun until order shall be restored throughout the islands, and as fast as conditions permit will establish local governments, in the formation of which the full co-operation of the people has been already invited, and when established will encourage the people to administer them. {682}
"The settled purpose, long ago proclaimed, to afford the inhabitants of the islands self-government as fast as they were ready for it will be pursued with earnestness and fidelity. Already something has been accomplished in this direction. The government's representatives, civil and military, are doing faithful and noble work in their mission of emancipation, and merit the approval and support of their countrymen. The most liberal terms of amnesty have already been communicated to the insurgents, and the way is still open for those who have raised their arms against the government for honorable submission to its authority.
"Our countrymen should not be deceived. We are not waging war against the inhabitants of the Philippine Islands. A portion of them are making war against the United States. By far the greater part of the inhabitants recognize American sovereignty, and welcome it as n guarantee of order and security for life, property, liberty, freedom of conscience
and the pursuit of happiness. To them full protection will be given. They shall not be abandoned. We will not leave the destiny of the loyal millions in the islands to the disloyal thousands who are in rebellion against the United States. Order under civil institutions will come as soon as those who now break the peace shall keep it. Force will not be needed or used when those who make war against us shall make it no more. May it end without further bloodshed, and there be ushered in the reign of peace, to be made permanent by a government of liberty under law."
UNITED STATES OF AMERICA: A. D. 1901 (March).
Rejection by the British government of the Interoceanic Canal Treaty as amended by the Senate.
See (in this volume)
CANAL, INTEROCEANIC: A. D. 1901 (MARCH).
UNITED STATES OF AMERICA: A. D. 1901 (March). Death of Ex-President Harrison.
Benjamin Harrison, President of the United States 1889-1893, died at his home in Indianapolis, on the afternoon of March 13, 1901, after an illness of a few days.
UNITED STATES OF AMERICA: A. D. 1901 (March-April). Capture of Aguinaldo, the Filipino leader. His oath of allegiance to the United States.
See (in this volume) PHILIPPINE ISLANDS: A. D. 1901 (MARCH-APRIL).
UNITED STATES OF AMERICA: A. D. 1901 (April). Organization of the enlarged regular army. Its strength, 76,000 men.
A Press despatch from Washington, April 24, announced that the
Secretary of War had approved recommendations of Lieutenant-General Miles for the organization of the army, not raising it to the full strength of 100,000 men authorized by Congress, but providing for a force of 76,787 enlisted men, distributed as follows: "Line of the army, 74,504; ordnance department, 700; signal corps, 760; post quartermaster sergeants, 150; post commissary sergeants, 200; electrician sergeants, 100; Military Academy detachment and band, 298; Indian scouts, 75.
The cavalry is to be organized into fifteen regiments, consisting of 12 troops of 85 enlisted men, which, with the bands, will make a cavalry force of 15,840 men. The infantry is to consist of 38,520 men, divided into 30 regiments of 12 companies each. The artillery corps will have a total of 18,862 men, of which the coast artillery will have 13, 734, organized into 126 companies of 109 men each; and the field artillery, 4,800 men, organized into 30 batteries of 150 men each. The engineer battalions will consist of 12 companies amounting to 1,282 men. This plan makes no provision for the employment of Filipino natives, but this is explained by the fact that the 12,000 authorized for the native military force was made a distinctive feature of the Army bill by Congress and separated from the Regular Army."
UNITED STATES OF AMERICA: A. D. 1901 (April). Petition from the workingmen of Porto Rico.
See (in this volume) PORTO RICO: A. D. 1901 (APRIL).
UNITED STATES OF AMERICA: A. D. 1901 (May).
Decision of the Supreme Court in the cases involving
questions touching the status of the new territorial possessions of the nation.
The opinions of the Supreme Court in the cases before it known as "the insular cases," involving questions touching the relations of the government of the United States to the insular possessions lately acquired (see above: A. D. 1900-1901), were announced on the 27th of May, as these sheets of the present volume were about to go to press.
In the case of Elias S. A. De Lima et al. the opinion of the majority of the Court, delivered by Justice Brown, was against the claim of the government to duties on goods imported into the United States from Porto Rico after the ratification of the treaty of peace with Spain and before the passage of the Porto Rican act of April 12, 1900.
See, (in this volume), PORTO RICO: A. D. 1899-1900; and 1900, APRIL).
It was held in this decisive opinion that Porto Rico, at the time the duties in question were collected, was not a foreign country, but a territory of the United States. Said Justice Brown: "If an Act of Congress be necessary to convert a foreign country into domestic territory, the question at once suggests itself, What is the character of the legislation demanded for this purpose? Will an act appropriating money for its purchase be sufficient? Apparently not. Will an act appropriating the duties collected upon imports to and from such country for the benefit of its government be sufficient? Apparently not. Will acts making appropriations for its postal service, for the establishment of lighthouses, for the maintenance of quarantine stations, for erecting public buildings, have that effect? Will an act establishing a complete local government, but with the reservation of a right to collect duties upon commerce, be adequate for that purpose? None of these, nor all together, will be sufficient, if the
contention of the government be sound, since acts embracing all these provisions have been passed in connection with Porto Rico, and it is insisted that it is still a foreign country within the meaning of the tariff laws. We are unable to acquiesce in this assumption that a territory may be at the same time both foreign and domestic. We are, therefore, of the opinion that at the time these duties were levied Porto Rico was not a foreign country within the meaning of the tariff laws, but a territory of the United States; that the duties were illegally exacted, and that the plaintiffs are entitled to recover them back."
But in the case of Samuel B. Downes et al. a different set of circumstances was dealt with, since the duties in question were on goods imported from Porto Rico after the passage of the Act of April 12 (called "the Foraker Act"). On the question thus presented the majority of the Court sustained the contention of the government, saying, in an opinion delivered by Justice Brown:
"We are of opinion that the island of Porto Rico is a territory appurtenant and belonging to the United States, but not a part of the United States within the revenue clause of the Constitution; that the Foraker act is constitutional so far as it imposes duties upon imports from such island and that the plaintiff cannot recover the duties exacted in this case." The following general conclusions were held by Justice Brown to be established:
"First That the District of Columbia and the Territories are not States, within the judicial clause of the Constitution giving jurisdiction in cases between citizens of different States.
"Second That Territories are not States, within the meaning of
revised statutes, section 709, permitting writs of error from this court in cases where the validity of a State's statute is drawn in question.
"Third That the District of Columbia and the Territories are States as that word is used in treaties with foreign powers, with respect to the ownership, disposition and inheritance of property.
"Fourth That the Territories are not within the clause of the Constitution providing for the creation of a Supreme Court and such inferior courts as Congress may see fit to establish.
"Fifth That the Constitution does not apply to foreign countries or trials therein conducted, and that Congress may lawfully provide for such trials before consular tribunals, without the intervention of a grand or petit jury.
"Sixth That where the Constitution has been once formally extended by Congress to Territories, neither Congress nor the Territorial Legislature can enact laws inconsistent therewith."
Five of the nine justices of the Court concurred in the decree announced by Justice Brown; but three of them, viz., Justices White, Shims and McKenna, placed their concurrence on different and quite opposed grounds, in an opinion prepared by Justice White. In their view of the case before the court, "the sole and only issue is, had Porto Rico, at the time of the passage of the Act in question, been incorporated into and become an integral part of the United States?" and their conclusion is reported to have been, that "the question when Porto Rico was to be incorporated was a political question, to be determined by the American people, speaking through Congress, and was not for the courts to determine."
The minority of the Court, consisting of Chief Justice Fuller,
Justices Harlan, Brewer and Peckham dissented from the decree rendered by the majority, and from the varying grounds on which the two sections of that majority had rested it. As summarized in press despatches of the day, their opinion, delivered by the Chief Justice, "absolutely rejected the contention that the rule of uniformity [that is, the constitutional provision that 'all duties, imposts and excises shall be uniform throughout the United States'] was not applicable to Porto Rico because it had not been incorporated into and become an integral part of the United States; the word incorporation had no occult meaning, and whatever its situation before, the Foraker act made Porto Rico an organized Territory of the United States." "The concurring opinion of the majority," said the Chief Justice, "recognized that Congress, in dealing with the people of new territories or possessions, is bound to respect the fundamental guarantees of life, liberty and property, but assumes that Congress is not bound in those territories or possessions to follow the rules of taxation prescribed by the Constitution. And yet the power to tax involves the power to destroy and the levy of duty touches all our people in all places under the jurisdiction of the Government. The logical result is that Congress may prohibit commerce altogether between the States and Territories, and may prescribe one rule of taxation in one Territory, and a different rule in another. That theory assumes that the Constitution created a government empowered to acquire countries throughout the world, to be governed by different rules than those obtaining in the original States and Territories, and substitutes for the present system of republican government, a system of domination over distant provinces in the exercise of unrestricted power. In our judgment, so much of the Porto Rican act as authorized the imposition of these duties is invalid and plaintiffs were entitled to recover."
Justice Harlan announced his concurrence with the dissenting opinion delivered by the Chief Justice. He regarded the
Foraker act as unconstitutional in its revenue provisions, and believed that Porto Rico, after the ratification of the treaty with Spain, became a part of the United States. In conclusion, Justice Harlan said: "The addition of Porto Rico to the territory of the United States has been recognized by direct action upon the part of Congress. It has legislated in recognition of the treaty with Spain. If Porto Rico did not by such action become a part of the United States it did become such, at least, when Congress passed the Foraker act. I can not believe that Congress may impose any duty, impost or excise with respect to that territory and its people which is not consistent with the constitutional requirement that all duties, imposts and excises shall be uniform throughout the United States."
No decision was rendered in the case of the Fourteen Diamond Rings, which involved questions relative to the status of the Philippine Islands in their relations to the government of the United States.
----------UNITED STATES OF AMERICA: End--------
UNITED STATES OF CENTRAL AMERICA. Its formation and dissolution.
See (in this volume) CENTRAL AMERICA: A. D. 1821-1898.
UNITED STATES STEEL CORPORATION.
See (in this volume) TRUSTS: UNITED STATES: THE CLIMAX, &c. UNIVERSITIES.
See (in this volume) EDUCATION.
UNIVERSITY OF PENNSYLVANIA:
Expeditions to explore the ruins of Nippur.
See (in this volume)
ARCHÆOLOGICAL, RESEARCH: BABYLONIA: AMERICAN EXPLORATION.
UNYORO: British regulation of the kingdom.
See (in this volume)
UGANDA: A. D. 1897-1898.
UR.
See (in volume 1) BABYLONIA, PRIMITIVE;
See (in volume 4) SEMITES; and (in this volume)
ARCHÆOLOGICAL RESEARCH: BABYLONIA.
{684}
URUGUAY: A. D. 1896-1899. Revolutionary movement. Assassination of President Borda. Blancos and Colorados. Restoration of tranquil government by the Vice President, Cuestas.
In November, 1896, a movement for the overthrow of President Borda was begun, with strong assistance from the neighboring Brazilian State of Rio Grande do Sul. Months of civil war followed, with varying fortunes, but the summer of 1897 found
the President parleying with the insurgents, endeavoring to make terms. His original opponents had been the party called that of the Blancos, or Whites; the Colorados, or Reds, had supported him; but he seemed to be making enemies among them. By an assassin of his own party he was shot, on the 25th of August, as he came from a service in the cathedral at Montevideo which commemorated the anniversary of Uruguayan independence. Senor Juan Luis Cuestas, the President of the Senate and ex-officio Vice President of the Republic, assumed the administration of the government, made peace with the insurgents, and prepared to deal with a faction in the Chambers which is said to have made good government impossible. "The Representatives had made themselves hated by violence, corruption, and attacks on property. Senor Cuestas accordingly removed all officials devoted to the Chambers, called out a thousand National Guards, and being thus master of the situation, on February 10th dissolved the Chambers and declared himself provisional President. He then appointed a 'Council' of eighty prominent citizens of all parties, invested them with the legislative power, and directed them to elect a new President, and to settle the method and time of the next elections. … According to the 'Times', correspondent, the citizens of Monte Video of all parties approved his action, not a stroke was struck for the Chambers, and public securities rose at once by from eight to fourteen points. Senor Cuestas, in fact, is trusted and competent."
The Spectator (London), March 26, 1898.
In due time, the Provisional President had to deal with a military revolt, which he effectually suppressed. Then, on the 1st of March, 1899, he was constitutionally elected President, after resigning his dictatorial powers for a fortnight, in order that the election might be freely held.
UTAH: A. D. 1895-1896.
Prohibition of polygamous marriages. Proclamation of admission to the Union.
On the 4th of January, 1896, a proclamation by the President of the United States, after reciting the provisions of the Act of Congress approved July 16, 1894, and the action taken by a convention of the people of Utah, held in accordance with the said act, in March, 1895, which convention "did, by ordinance irrevocable without the consent of the United States and the people of said State, as required by said act, provide that perfect toleration of religious sentiment shall be secured and that no inhabitant of said State shall ever be molested in person or property on account of his or her mode of religious worship, but that polygamous or plural marriages are forever prohibited," thereupon declared and proclaimed the creation of the State of Utah and its admission into the Union to be accomplished. The constitution of the new State has some radical features, providing for an eight-hours labor-day, and giving to women equal rights with men in suffrage and in eligibility to public office.
V.
VASSOS, Colonel, in Crete.
See (in this volume)
TURKEY: A. D. 1897 (FEBRUARY-MARCH).
"VEGETARIANS," The.
See (in this volume)
CHINA: A. D. 1895 (AUGUST).
VENEZUELA: A. D. 1895. Revolt suppressed.
An attempted rising, in the interest of Dr. Rojas Paul,
against the government of President Crespo, in the autumn of 1895, was quickly suppressed.
VENEZUELA: A. D. 1895 (July).
The question of the boundary of British Guiana taken up by the government of the United States.
Despatch of Secretary Olney to Ambassador Bayard.
For a number of years the government of the United States had been exerting itself to bring about the settlement of a long standing dispute between Great Britain and Venezuela concerning the line of boundary between the territory of Venezuela and that of British Guiana. In 1895 the effort became more resolute, as appeared in a lengthy despatch addressed, on the 20th of July, by the American Secretary of State, Mr. Olney, to the American Ambassador in London, Mr. Bayard. In this despatch Mr. Olney reviewed the long controversy which had been in progress, and recalled the communications on the subject which had passed between the governments of the United States and Great Britain since 1886. He then summarised "the important features of the existing situation" as represented in his recital, by the following statement:
"1. The title to territory of indefinite but confessedly very large extent is in dispute between Great Britain on the one hand, and the South American Republic of Venezuela on the other.
2. The disparity in the strength of the claimants is such that Venezuela can hope to establish her claim only through peaceful methods through an agreement with her adversary either upon the subject itself or upon an arbitration.
3. The controversy with varying claims on the part of Great Britain has existed for more than half-a-century, during which period many earnest and persistent efforts of Venezuela to
establish a boundary by agreement have proved unsuccessful.
4. The futility of the endeavour to obtain a conventional line being recognized, Venezuela, for a quarter of a century, has asked and striven for arbitration.
5. Great Britain, however, has always and continuously refused, and still refuses, to arbitrate except upon the condition of a renunciation of a large part of the Venezuelan claim, and of a concession to herself of a large share of the territory in controversy.
{685}
6. By the frequent interposition of its good offices at the instance of Venezuela, by constantly urging and promoting the restoration of diplomatic relations between the two countries, by pressing for arbitration of the disputed boundary, by offering to act as Arbitrator, by expressing its grave concern whenever new alleged instances of British aggression upon Venezuelan territory have been brought to its notice, the Government of the United States has made it clear to Great Britain and to the world that the controversy is one in which both its honour and its interests are involved, and the continuance of which it cannot regard with indifference."
Mr. Olney proceeds next to consider the rights, the interests and the duty of the United States in the matter, and to what extent, if any, it "may and should intervene in a controversy between and primarily concerning only Great Britain and Venezuela," and his conclusions on these points are founded on the doctrine set forth by President Monroe, of resistance to European intervention in American affairs. Quoting President Monroe's celebrated Message on the subject, in 1823, Mr. Olney remarks:
"The Message just quoted declared that the American continents
were fully occupied, and were not the subjects for future colonization by European Powers. To this spirit and this purpose, also, are to be attributed the passages of the same Message which treat any infringement of the rule against interference in American affairs on the part of the Powers of Europe as an act of unfriendliness to the United States. It was realized that it was futile to lay down such a rule unless its observance could be enforced. It was manifest that the United States was the only Power in this hemisphere capable of enforcing it. It was therefore courageously declared, not merely that Europe ought not to interfere in American affairs, but that any European Power doing so would be regarded as antagonizing the interests and inviting the opposition of the United States.
"That America is in no part open to colonization, though the proposition was not universally admitted at the time of its first enunciation, has long been universally conceded. We are now concerned, therefore, only with that other practical application of the Monroe doctrine the disregard of which by an European Power is to be deemed an act of unfriendliness towards the United States. The precise scope and limitations of this rule cannot be too clearly apprehended. It does not establish any general Protectorate by the United States over other American States. It does not relieve any American State from its obligations as fixed by international law, nor prevent any European Power directly interested from enforcing such obligations or from inflicting merited punishment for the breach of them. It does not contemplate any interference in the internal affairs of any American State, or in the relations between it and other American States. It does not justify any attempt on our part to change the established form of Government of any American State, or to prevent the people of such State from altering that form according to their own will and pleasure. The rule in question has but a single purpose and object. It is that no European Power or combination of European Powers shall forcibly deprive an
American State of the right and power of self-government, and of shaping for itself its own political fortunes and destinies. That the rule thus defined has been the accepted public law of this country ever since its promulgation cannot fairly be denied. …
"It is manifest that, if a rule has been openly and uniformly declared and acted upon by the Executive Branch of the Government for more than seventy years without express repudiation by Congress, it must be conclusively presumed to have its sanction. Yet it is certainly no more than the exact truth to say that every Administration since President Monroe's has had occasion, and sometimes more occasions than one, to examine and consider the Monroe doctrine, and has in each instance given it emphatic indorsement. … A doctrine of American public law thus long and firmly established and supported could not easily be ignored in a proper case for its application, even were the considerations upon which it is founded obscure or questionable. No such objection can be made, however, to the Monroe doctrine understood and defined in the manner already stated. It rests, on the contrary, upon facts and principles that are both intelligible and incontrovertible. That distance and 3,000 miles of intervening ocean make any permanent political union between an European and an American State unnatural and inexpedient will hardly be denied. But physical and geographical considerations are the least of the objections to such a union. Europe, as Washington observed, has a set of primary interests which are peculiar to herself. America is not interested in them, and ought not to be vexed or complicated with them. …
"If, … for the reasons stated, the forcible intrusion of European Powers into American politics is to be deprecated if, as it is to be deprecated, it should be resisted and prevented such resistance and prevention must come from the United States. They would come from it, of course, were it made the point of attack. But, if they come at all, they must
also come from it when any other American State is attacked, since only the United States has the strength adequate to the exigency. Is it true, then, that the safety and welfare of the United States are so concerned with the maintenance of the independence of every American State as against any European Power as to justify and require the interposition of the United States whenever that independence is endangered? The question can be candidly answered in but one way. The States of America, South as well as North, by geographical proximity, by natural sympathy, by similarity of Governmental Constitutions, are friends and allies, commercially and politically, of the United States. To allow the subjugation of any of them by an European Power is, of course, to completely reverse that situation, and signifies the loss of all the advantages incident to their natural relations to us. But that is not all. The people of the United States have a vital interest in the cause of popular self-government. … To-day the United States is practically Sovereign on this continent, and its fiat is law upon the subjects to which it confines its interposition. Why? It is not because of the pure friendship or good-will felt for it. It is not simply by reason of its high character as a civilised State, nor because wisdom and justice and equity are the invariable characteristics of the dealings of the United States. It is because, in addition to all other grounds, its infinite resources, combined with its isolated position, render it master of the situation, and practically invulnerable as against any or all other Powers.
{686}
All the advantages of this superiority are at once imperilled if the principle be admitted that European Powers may convert American States into Colonies or provinces of their own. The principle would be eagerly availed of, and every Power doing so would immediately acquire a base of military operations against us. What one Power was permitted to do could not be denied to another, and it is not inconceivable that the struggle now going on for the acquisition of Africa might be transferred to South America. If it were, the weaker countries
