
The Battle for Science

October 18, 2014

I’m currently taking a screenwriting class at Pittsburgh Filmmakers. Every week, we have to write a scene. The assignment was to write dialogue that was 5 words or less per line.

INT. CONFERENCE ROOM – DAY.

DANA, a Republican staffer for the House Committee on Science, Space, and Technology, is accustomed to being underestimated. LAUREL, her Democrat counterpart, is trying to keep her frustration under control. Both are in a National Science Foundation (NSF) conference room reviewing materials about studies that have received funding.

DANA

Please hand me the folder.

LAUREL

How about a trade?

DANA

Are you serious?

LAUREL

Yes, I want an answer.

DANA

Fine. Ask.

LAUREL

Why this study?

DANA

Not this again.

LAUREL

Do you understand peer review?

DANA

Do you understand debt?

LAUREL

Science is fundamental to innovation.

DANA

Not this science.

LAUREL

What’s that supposed to mean?

Dana picks up a folder off the table at random.

DANA

Oppression in Nepal?

LAUREL

You mean, understanding depression?

Dana picks up another folder.

DANA

Bringing dioramas to life?

LAUREL

Raising awareness about environmental issues.

DANA

None of this seems wasteful?

LAUREL

This seems wasteful.

Laurel looks in dismay at the stacks of folders covering the table.

DANA

Let’s agree to disagree.

LAUREL

No.

DANA

Excuse me?

LAUREL

I can’t agree to disagree.

DANA

Do you need a break?

LAUREL

I need to understand why.

DANA

Congress has oversight of NSF.

LAUREL

But we’re not scientists.

DANA

So we can’t have opinions?

LAUREL

Scientists should judge scientific merit.

DANA

This is common sense.

LAUREL

So scientists are biased?

DANA

Obviously.

LAUREL

And you’re not?

DANA

I’m not funded by NSF.

LAUREL

You’re funded by religious zealots.

DANA

That is completely unprofessional.

LAUREL

I apologize. That was insensitive.

DANA

I’ve seen enough for today.

LAUREL

You’re done?

DANA

I’ll be back here tomorrow.

LAUREL

So we’re not done.

DANA

Not even close.

LAUREL

You realize you can’t win.

DANA

Oh, there will be reform.

LAUREL

You may control the agenda -

Dana interrupts.

DANA

We won’t baby scientists anymore.

On the Edge of Failure

October 18, 2014

I’m currently taking a screenwriting class at Pittsburgh Filmmakers. Every week, we have to write a scene, so this is my first attempt. The assignment was to write an eating scene.

INT. RESTAURANT – DAY.

STACY, a psychology PhD student, has a sarcastic sense of humor to make up for her perpetual feeling of being on the edge of failure. Her best friend, NAOMI, a biology PhD student, is a week away from her due date. Both are lesbians and have a casual intimacy.

NAOMI

Stacy!

Naomi stands up to hug Stacy.

STACY

I swear you are bigger every time I see you.

Stacy touches Naomi’s belly.

NAOMI

Oh god I know. I can’t believe I let Kim convince me to get pregnant instead of adopt.

STACY

Well it’s a little late to change your mind.

NAOMI

I know. I’m just nervous about the baby coming out of my vagina part.

STACY

Please, we’re about to eat.

Flamboyantly gay WAITER enters.

WAITER

What can I get you two?

NAOMI

Do you have anything spicy? But not too spicy?

STACY

You sound like a crazy person.

WAITER

The baby wants what the baby wants!

NAOMI

Well, actually, I was reading this article that babies can get accustomed to tastes in the womb and I want my baby to be able to eat spicy foods even though I don’t actually like them.

STACY

Definitely crazy.

WAITER

Well, we have chili!

NAOMI

I’m not sure that’s the right kind of spicy. Whatever, I’ll have that.

STACY

And you’ve already started accepting second-best for your child.

Naomi gives Stacy a look.

I’ll have a bacon cheeseburger.

NAOMI

Do you ever order anything else here?

STACY

Tried and true, baby.

NAOMI

Well anyway, I should send you that fetal palate paper. It was actually really funny. They literally included photos of babies tasting garlicky milk who had been exposed to high and low levels of garlic in the womb. They made the cutest faces.

STACY

And we call ourselves scientists.

NAOMI

It was almost as good as that paper about the T-rex gait where they had pictures of chickens with plungers attached to their butts.

STACY

Where do you find these articles?

NAOMI

Science. I have to read something while waiting for all those doctors appointments. Anyway, what about you? How’s not being pregnant?

STACY

Well clearly I need to make more time to read the literature. I don’t know. I’m running a new experiment on lie-detection. Although I’m starting to think I should run it on Kira.

Food arrives.

NAOMI

You think she’s cheating on you?

STACY

No, she’s just been acting strangely. I think she’s going to break up with me.

NAOMI

Isn’t that what you wanted?

STACY

Well yeah but not like this. Maybe I should break up with her first.

NAOMI

Or you could try the thing where you have an honest conversation.

STACY

You know some people wonder why we never got together.

NAOMI

You’re changing the subject.

STACY

Oh look at the time, got to run.

Stacy grabs the rest of her burger and rushes out, mouthing “Sorry”.

NAOMI

(to herself)

Well I guess I’ll get the rest of this to go.

Thoughts on the AAAS Forum on Science & Tech Policy

May 5, 2014

The Forum started with a panel on the budget context. There were some comments about the FIRST act, which I need to understand better.

Hunter Rawlings (President of Association of American Universities) spoke about policy for science issues such as the negative impacts of regulatory burden, need for immigration reform, PhD program reform controversy, and intellectual property/patents issues. He also emphasized the need to treat science as an investment vs. spending and the need for academic freedom.

As reported below by the National Center for Science and Engineering Statistics, David Wilson (President of Morgan State University) pointed out that Historically Black Colleges and Universities (HBCU’s) are disproportionately responsible for graduating black engineers. Given the changing demographics of our nation, we need to worry about educating black engineers to ensure our nation stays competitive. Based on his talk, I believe we need better programs at top schools to support black students to get degrees in science and engineering (like the Meyerhoff Scholars Program at UMBC). Given the disparities between outcomes at HBCU’s and other institutions, there are clearly negative forces at work that need to be confronted.

Image

In the afternoon, I went to a breakout session on “Strengthening Engagement of Scientists and Engineers in the Policy Process”. A couple of interesting notes that came up include:

  • COMPASS is a resource for communicating science to policymakers
  • There are many science policy fellowships
  • The Center for Science & Democracy of the Union of Concerned Scientists is tracking how policy and science work together
  • If you are at Purdue University, University of Pennsylvania, Stanford University, or University of Washington, you can participate in the Emerging Leaders in Science & Society
  • Antioch University has a program for translating research into policy
  • The importance of listening when communicating science
  • The broadness of policy from drafting bills to executing programs
  • A couple of bold ideas came out such as forming a younger version of the National Academy of Science
  • NIH offers “Broadening Experiences in Scientific Training (BEST) awards, [which] provide support for institutions to develop novel ideas in training and workforce development”

The following day, there was an interesting session on Reproducibility in Science that I live-tweeted. I learned about the Open Science Framework, which I plan to use for my current project. We also discussed incentive problems such as the file-drawer problem, the difficulty of publicly critiquing senior scientists as a junior scientist (e.g. in PubMed comments), and incorporating experimental design into research ethics trainings. I also learned about the Consolidated Standards of Reporting Trials (CONSORT) and the EQUATOR network, which is enhancing the quality and transparency of health research.

There was also a session on emerging technologies such as 3D printing and nanotech, which emphasized that technology can both solve and cause problems. Finally, there was a showing of an episode of Years of Living Dangerously – which featured Christmas Island, a place I have actually been to.

Overall, it was an interesting conference but tended to get repetitive and had a clear bias toward the natural sciences. For all the talk about the importance of the social and behavioral sciences, there were not a lot of social scientists being highlighted. The vast majority of the audience seemed to be future, current, and former AAAS fellows so there was a strong sense of preaching to the choir. While I found some of the speakers tedious, I was impressed by some of the issues that were brought up during the question and answer sessions. I definitely learned about some great resources and am looking forward to exploring the science & technology policy space more in the future!

NSF GRFP Summary 2013-2014

April 25, 2014

I finished my first year as an NSF Graduate Research Fellow! Despite feeling like I haven’t accomplished much, I have managed to rack up a list of “achievements”.

NSF Table Summary

We also have to write a 1-page description of our activities:

As part of the Energy and Behavior Group at Carnegie Mellon University (CMU), I do behavioral research to improve programs in the energy industry given the shift toward smart grid technology.

At present, I am developing a model to describe how behavior interacts with cybersecurity risk in the energy sector. I am interested in identifying which human behaviors have the biggest impact on cybersecurity risk as well as which behaviors are capable of being changed. I am developing potential models of cybersecurity risk that incorporate human behavioral elements in order to quantify the robustness of different strategies, such as quarantining vulnerable computers or improving anomaly detection. In the models, these types of strategies interact with human behavior and incentive structures, which can undermine or amplify their effectiveness. This work will aid in developing cybersecurity policy to improve national security.

In addition, I have been involved in several projects related to communicating residential energy use to consumers. In one study, I identified that participants understood tables of electricity information better than graphical formats, highlighting the need to empirically test communications rather than rely on intuition [1]. I was also involved in a study on the impact of literacy for comprehension of energy conservation materials [2] and in-home display design [3]. This work has been shared with industry as part of the Carnegie Mellon Electricity Industry Center (CEIC).

Beyond my research, I have focused on increasing student engagement with policy issues as the president of the Students for Science & Tech Policy club. I organized a lecture series with topics ranging from how to write an op-ed to Pittsburgh’s new open data policy. I also worked with the CMU Government Affairs office to organize a trip to Washington DC where we met with representatives from the National Academy of Science, congressional staff, and a think tank to learn more about the policy environment in DC as well as potential careers.

I have also engaged in outreach to encourage women and minorities to consider a STEM career. In high school, I participated in a Women in Science and Engineering (WISE) program at Garrison Forest School, an all-girls school in Baltimore, MD. In December, I visited my high school to talk to current students and answer their questions about engineering school and life afterwards. I also taught an energy audit lesson to rising 10th graders during a summer camp organized by my department.

References:

[1] Canfield, C., Bruine de Bruin, W., & Wong-Parodi, G. (2014). Redesigning bills: The effect of format on responses to electricity use information. Manuscript submitted for publication.

[2] Wong-Parodi, G., Bruine de Bruin, W., & Canfield, C. (2013). Effects of simplifying outreach materials for energy conservation programs that target low-income consumers. Energy Policy, 62, 1157–1164.

[3] Krishnamurti, T., Davis, A. L., Wong-Parodi, G., Wang, J., & Canfield, C. (2013). Creating an in-home display: Experimental evidence and guidelines for design. Applied Energy, 108, 448–458.

NAE Engineering for You Video Entry: Skin Deep

April 4, 2014

I’m currently taking the Motion Picture Fundamentals course at Pittsburgh Filmmakers. For the digital project, I decided to make a movie for the NAE Engineering for You Video Contest. We brainstormed about a bunch of different ideas and, as you can see, settled on artificial skin.

Since I’m an engineer, I had to make a prototype version using iMovie before we learned how to use Final Cut Pro in the class. It was really helpful for me to think about how to put the movie together before I ran out of time for filming. You can see that prototype version (which I entered in the CMU version of the NAE contest) here.

If You Feel Secure, You’re Probably Not Secure

June 23, 2013

As I head home from the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Summer School, I wanted to capture some of my immediate reactions. The photo is from the Ameren Smart Grid Training Platform.

  • It is difficult for operations and IT staff to communicate because they use the same words to mean very different things. For example, in operations ‘security’ focuses on reliability while in IT it is more about preventing attacks. IT people think about communications being routable on a network but electricity is not routable in the power grid to the same extent.
  • There is a need for more personnel trained in cybersecurity specifically. People are very worried about the workforce pipeline.
  • SCADA systems are particularly vulnerable because they don’t get patched frequently (because of reliability concerns, lack of supported software, maintenance contracts etc.), have no operating system and thus can’t support anti-virus protection, and lack basic security features such as encryption.
  • AMI systems have specific vulnerabilities because the hardware is outside of a secure perimeter (thus at risk for tampering) and there is a monoculture of devices so one vulnerability could affect a lot of people. However, (luckily) it’s also not a very good pathway to a SCADA system.
  • Security is defined by three aspects: confidentiality, integrity, and availability (CIA). Different systems put more emphasis on different aspects. For example, an enterprise system is most concerned about confidentiality while a control system is more concerned about availability. Security is addressed through people, process, and technology (and policy).
  • Main defense/hygiene capabilities include cryptography (encryption), authentication (certificates, key management), and redundancy.
  • There are engineering requirements that oppose security such as latency. Encryption increases the latency of communications, which can make the difference between a large or small blackout in an emergency situation.
  • There is a lack of documentation. Most power plants rely on CAD drawings. However, there isn’t a way to capture all of the software settings in this format.
  • I started thinking about the value of freedom vs. need for secrecy in the government. I should write another post on that.
  • Corporate culture might play a big part in how well companies address cybersecurity.
  • I really enjoyed the hands-on lab experience. It’s one thing to talk about sniffing a network in an abstract sense and quite another to actually see it. I was impressed by how easy it is to learn so much information about a network with a couple simple commands.
  • There is a need for simplicity in network architecture. Utilities that have huge systems cannot keep track of complexity.
  • There are many 3rd party connections that reduce security such as contractors and vendors.
  • Defense in depth is a good strategy. Defense by obscurity is not.
  • There is an intersection between physical and cyber security. Physical security tools such as cameras can be used both to commit as well as identify cybercrime.

I also made a lot of great contacts with people at utilities, NERC, FERC, DOE, PJM, and contractors who are involved in NERC CIP compliance. In terms of my research it seems like there is specific interest in work related to:

  • Spear phishing -> it is a problem and cannot be solved with training and technology. Companies do phishing campaigns to train employees to not click links but many people still fall for them. Ultimately, these attacks prey on people’s kindness, which may be hard to train out of them. A different strategy could be more effective.
  • Insider threat -> this is a very dangerous attack vector and difficult to protect against.
  • Regulatory uncertainty -> it might be interesting to have a time component to identify how beliefs and misconceptions change as regulations change (ex. CIP v3 to v5).
  • Information sharing -> this is not incentivized and utilities don’t trust the ISAC as much because it is part of NERC (the compliance authority).

Again, these are all immediate impressions and not necessarily backed up by data.

Thoughts on the NIST Cybersecurity Framework Workshop

May 30, 2013

Since it was on campus, I attended part of the NIST Cybersecurity Framework Workshop to get a sense of how to develop my mental models project. They reported on some initial findings from the Request for Information (RFI) and had breakout groups to discuss the gaps that needed more information. I attended two of the four breakout sessions – “The Business of Cyber Risk” and “Threat Management”.

A couple things popped out to me based on the discussions:

  1. There are fundamental internal and external communication problems - This was true for the RFI as well as our discussions. We spent time debating the definition of threat vs. vulnerability vs. risk because everyone was using those words differently. It’s hard to have a conversation across sectors without a common language for cybersecurity. In addition, individuals raised questions about how to communicate cybersecurity risks to others within the business, ex. executives.
  2. People desire simplicity – they want the framework to be simple (as well as risk-based, flexible etc.). In talking to some individuals from the Energy Sector, they also spoke of a desire for simpler regulations that were not so onerous for compliance. This reminded me of the notion that simple policy is better policy. Smaller companies just want cybersecurity to be easy – they want the framework to point them to best practices and tell them what to do. For most businesses, cybersecurity is a distraction that they want to go away. Particularly for the Energy Sector, there is also a desire for certainty so that they can make business decisions without worrying about what next year’s cybersecurity rules will be.
  3. The most useful information-sharing is happening in informal channels - This is because official sources of information, particularly the kind that is published publicly, are not timely and business entities do not trust that they will be protected if they share information. For official information, by the time you are notified of a threat, it is too late to do anything about it. More useful, timely information is coming from peers who have built a trust relationship and share real-time threat information. Some of this is happening within NDA’s in a quid pro quo environment where you can get kicked out for never sharing information (unlike an ISAC). There is a lot of concern about liability if, for example, shared information is wrong. There was a desire to completely separate compliance and information-sharing functions of regulatory agencies – for the Energy Sector, NERC is the regulatory agency and also runs the ES-ISAC. As a result, business entities are hesitant to share information that may implicate them in non-compliance.
  4. Threat information is repetitive - I’m not sure about this – but it seems like this could have implications on attention due to heuristics and biases. Threats that are “over-shared” may seem more or less important than others. If this information is perceived as noise, it might not be considered as carefully? It probably depends on the level of analytics in use (if any). This is also why the informally shared information is more useful – it is generally more relevant, specific, and actionable.
  5. There are perverse incentives – Particularly for the Energy Sector, there are numerous perverse incentives as a result of the compliance-based approach. Utilities delay upgrades to make auditing easier. For example, early cybersecurity regulations were concerned about IP protocols so some utilities avoided upgrading their serial control systems to avoid regulation – even if IP protocols offered needed improvements (ex. improved situational awareness). There is also little incentive to be certified as a black start asset since there are additional costs associated with securing those assets – as a result, the reliability of the system is lower because there are fewer black start designated resources.

I can’t verify the validity of all of these statements – but they were thoughts/stories shared during the workshop that I found particularly interesting.
