The Coin of the Realm: Understanding and Predicting Relative System Behavior

By Brian Russell and John Bicknell

Coin of the realm (noun phrase)

  1. The legal money of a country
  2. Something valued or used as if it were money in a particular sphere



Complexity is an enduring feature of the national security landscape, and decision-makers continue to grapple with this phenomenon. Complexity is not the same as merely complex. This may sound like a distinction without a difference; however, complex systems scientists disagree. Complexity characterizes the behavior of a system whose components interact in multiple ways and follow local rules, leading to nonlinearity, randomness, collective dynamics, hierarchy, and emergence.

Cold War interactions between the United States and Soviet Union were complex, according to Josh Kerbel. In contrast, today’s post-Cold War networked world with cheap access to technology is characterized by complex systems dynamics, as described above. Traditional analysis tools and historical statistical techniques do not sufficiently capture system complexity; more comprehensive mathematical tools which are linked to fundamental properties are needed to better understand the world, make predictions, and improve decision making. Entropy, which measures the changing variety of activity states in complex systems, is one such measure.

This article discusses a way of understanding and predicting relative system behavior–what we call “The Coin of the Realm.” After discussing the importance of predicting relative system behavior, we define our usage of entropy. Then, we review a recent study of interacting geostationary (GEO) satellite ecosystems. We then present several case studies which relate the findings to other domains of national security interest and the information professionals community.

The Coin of the Realm

From a systems confrontation perspective, understanding and predicting relative blue (friendly) and red (adversary) systems behavior is of great value for private organizations, government agencies, and the national security community in general. Coordinated activities, emergent (uncoordinated) relationships, and stimulus-response patterns between systems are all discoverable. Why is this important? System behavior may increase certain vulnerabilities at certain times. This must be understood relative to when red could exploit those vulnerabilities. A useful construct is the basic cyber risk framework: risk = threat + vulnerability.

From a cybersecurity perspective, network defenders ultimately want to know when a known vulnerability is matched to an existing threat that can exploit that vulnerability. You can’t defend everywhere all the time so prioritizing defensive efforts is critical. Therefore, having a keen and even predictive ability to know when and where a cyberspace threat will attack your network with a viable capability (i.e. will actually exploit the known vulnerability) is a huge operational advantage.  And nowadays, we are well beyond the era of static network behavior. Chaos engineers and failure-as-a-service companies test resiliency. With software defined networks and ever increasing use of cloud technology for network resourcing, friendly networks are very dynamic, meaning vulnerabilities will change through time and must be considered in relation to possible threat vectors. With a predictive ability to gauge friendly network performance and shifting vulnerabilities in relation to red attack vectors, network owners will be in a much better position to employ network capabilities to balance both mission requirements and network defense.

This construct is applicable across all operational domains–including the newest one for the Department of Defense–space. Certain United States Space Force units, for example, are interested in understanding and predicting the relative motion and activities of red and blue satellites which are in weapons engagement zone proximity. Take this one step further and consider the cross-domain advantages of understanding relative system behaviors. As the Space Force considers relative satellite constellation behavior in its own domain, ground force commanders are incredibly interested in the intelligence, surveillance, and reconnaissance (ISR) capabilities of both red and blue satellites in terms of understanding red ground force movement or protecting blue forces from adversary observation. 

Understanding the relative state of order between the two systems, and who has the most true sense of the relative variety of activities, is in the best position to exploit opportunity relative to the other system. Since so much of the command and control of military forces happens through the cyberspace domain, the operational advantage of a capability that can synthesize and predict system behaviors across all domains is immense. It is: The Coin of the Realm.

Entropy and Variety and Complex Systems

Entropy is a term often used to describe several phenomena. This section first recaps several ways entropy gets applied to problems; then we describe how we interpret entropy.

People frequently think of entropy in the context of the 2nd Law of Thermodynamics as a measure of order or chaos and invoke the common notion that the entropy of the universe is increasing inevitably towards chaos. While true, importantly, this concept of entropy applies to closed systems which do not interact with other systems. So, the universe may be considered a closed system. But, what about systems which are not closed? 

In his book, Order Out of Chaos, Nobel Prize recipient Ilya Prigogine observes that in order for systems to form and persist, they feed continually off the energy, matter, or information contained in the surrounding environment while transferring information and disorder to the surrounding environment. Though Prigogine conceived this while working in chemistry and physics, the concept quickly gained acceptance in other fields of study.

The United States Marine Corps famously adapted the work of complexity thinker, United States Air Force COL John Boyd. In his 1976 Paper on Destruction and Creation, Boyd synthesized concepts from Gödel, Heisenberg, and the 2nd Law of Thermodynamics which eventually became the famous Observe, Orient, Decide, Act (OODA) loop. Boyd asserted that we shape and are shaped by our environment in a dialectic with the goal “to improve our capacity for independent action.” Channeling Gödel, Boyd agrees that it is logically impossible to know everything about a system. Moreover, our measurements and observations about the system are always imperfect, which brings in Heisenberg’s uncertainty principle. Finally, Boyd asserts that entropy–which is a measure of the space of possibilities—is directly related to the potential for doing work or the capacity for taking action. High entropy implies a low potential for doing work or a high degree of confusion and disorder; low entropy implies just the opposite.

These concepts were infused into the Marine Corps’ maneuver warfighting doctrinal publication, MCDP 1 (previously FMFM 1) where “The offense and defense exist simultaneously as necessary components of each other, and the transition from one to the other is fluid and continuous.” Moreover, MCDP 1 defines a “culminating point at which we can no longer sustain the attack and must revert to the defense. It is precisely at this point that the defensive element of the offense is most vulnerable to the offensive element of the defense, the counterattack.” Can entropy measures help identify moments when systems are vulnerable and may be influenced?

Entropy is related to the space of possibilities, and it has physical meaning in terms of the behavior of systems. The generalization of entropy is mathematically what we call complexity, and it is closely linked to the definition of information developed by Claude Shannon. Entropy measures can expediently characterize overall system states, as well as the variety of activities at any moment. Ross Ashby, a noteworthy British cybernetics pioneer, developed The Law of Requisite Variety which is linked explicitly to Shannon’s information entropy. Understanding system variety is key to managing the system or countering system dynamics; entropy measures are useful to understand changes in the variety of activities within systems.

Due to their nonlinear and chaotic nature, complex systems are notoriously difficult to predict. A contemporary of Prigogine, Ross Ashby offers a practical observation which is useful to keep in mind:

“[T]ruth for truth’s sake may be justified when the truth is unchanging; but when the system is not completely isolated from its surroundings, and is undergoing secular changes, the collection of truth is futile, for it will not keep.”

Other complex systems thinkers like Yaneer Bar-Yam would likely agree with Ashby. Complex systems change so dynamically that insight generation capabilities must be always processing data and serving up new insights. In any system of interest, therefore, the very most recent observations have the best opportunity to predict what is likely to happen next.

Prominent thinkers like Dr. Karl Friston are finding entropy as a useful concept in the study of consciousness and cognition. In a recent podcast, Dr. Jordan Peterson and his guest, Dr John Vervaeke, discuss Friston’s research and their assessment of human sensemaking. The human mind seeks meaning (order) and entropy frustrates that goal of obtaining order. The human mind desires clarity in understanding where it is in space and time and where it is going in space and time. This kind of disorder, putting the adversary on the horns of multiple dilemmas, is exactly what national security leaders want to create in the minds of adversaries and conversely we want to maintain a sense of order within our own formations.

Near-term systems interactions are predictable, which speeds data-driven decision making. If ecosystems can be monitored continually using entropy time series, then fleeting opportunities will become evident where actors can make decisions which gain advantage steadily over time. It’s not a kinetic/kill mindset; it’s a competition mindset about steadily making better, faster, data-driven decisions with compounding effects.

GEO Satellite Ecosystem Relative Behavior

We recently completed a study designed to understand relative system behaviors in the contested Space Domain. We analyzed satellite ecosystems in GEO orbit and assessed relationships between these ecosystems based upon observed maneuvers using cross-correlation. It is reasonable to assume there are provocations and responses on orbit in the contested space domain. Since these entropy measures are based upon orbital maneuvers, blue/red planning and execution cycles and cognitive inferences are possible. This study takes an important first step towards The Coin of the Realm by testing the hypothesis that system-level correlations (red/blue interactions) are discoverable.

The GEO orbital regime is a circular orbit 35,786 km (22,236 mi) in altitude above Earth’s equator and following the direction of Earth’s rotation. An object in such an orbit has an orbital period equal to Earth’s rotational period and so to ground observers it appears motionless, in a fixed position in the sky. GEO satellite systems may be defined in various ways. For example, individual satellites are each a system. Groups of satellites may be defined as systems such as by country of origin, orbital slot, mission, and other definable characteristics. We analyzed GEO satellite orbital maneuver ecosystems from the United States (US), the Commonwealth of Independent States (CIS), and the People’s Republic of China (PRC). Satellites from each country were selected based upon observed high maneuver variety (entropy).

Time series information entropy measures for each of the three countries studied were cross-correlated by lagging observations (+/-) 7 days to find objectively how they match up with each other and where the best matches occur. When the time series is filtered down to a 1-month period, larger statistically significant correlations are present among the three countries compared to a longer analysis time period. For both the US and CIS, maneuver variety tends to increase 5-7 days before PRC maneuver activity. Correlations may reflect a general tendency for satellite operators, by country, to react according to near-term predictable schedules. Continual sliding window time series cross-correlation may be an efficient, explainable method for understanding changing operational tempo and tactics. Future work should experiment further with minimal time series analysis window size, correlate GEO ecosystems derived from different maneuver ontologies or satellite on-board activities, correlate systems from other domains of interest such as corporate internal ecosystems, cyber ecosystems, etc, and decompose time series entropy signals using inverse Fourier transforms.

Case Studies

Just as Blue and Red GEO systems interact in both intentional and emergent ways, so do systems in other domains of interest. These four vignettes highlight both defensive and offensive possibilities.

Cyberspace Operations

A Blue Cyber Protection Team (CPT) is tasked with protecting an allied partner’s critical infrastructure network from an advanced persistent threat (APT). The team must simultaneously mask its presence from the APT while also tipping and queuing other elements of the cyber mission force with signature information of the APT that can be used to attack and defeat that threat at the time and place of the partner nation’s choosing. This kind of cyberspace domain agility, to shift from the defense to the offense (and vice versa), can only be accomplished with a keen and very quick understanding of how a newly discovered red force APT cyber vulnerability is exploitable by an available and “ready to fire” blue force cyberspace weapon. 

Space Combat Power Projection Ambush TTP

A Blue Space Force planning cell is tasked with the mission to degrade Red’s ISR capabilities in GEO. They have developed TTPs for exploiting certain conditions, and they patiently lie in wait. While persistently monitoring this ecosystem, operators notice a surprising confluence of recent maneuver activities in the Red GEO ecosystem which triggers their ambush TTP. Pre-identified Red GEO satellites which are most likely to exhibit certain maneuvers given their maneuver histories are targeted for counter measures which impede ISR collections while simultaneously preserving the scenario for future use. The Guardians quickly reset for the next opportunity…

Ground Combat Information Advantage

The Blue J2 (intelligence staff directorate) persistently monitors activities of interest throughout the area of operations (AO) in order to identify and exploit adversary seams and gaps. Activities such as cyber attacks, key leader meetings, unit movements, contextual social media postings, financial transactions, kinetic fighting, and more are derived from numerous sources and organized in close-to-real-time. Moreover, the activities are geo-located. In coordination with the Blue J3 (operations directorate) and operational commanders, exploitation TTPs were developed and rehearsed to degrade adversary operations when the AO experiences transition. At such moments, operational commanders expect specific activities at specific locations and deploy combined arms maneuver which degrade Red efforts.

Red Cognitive Inferences

In the midst of regional conflict between the allied country’s neighbor (red) and another regional allied country, a United States Army Corps headquarters and subordinate forces deploy from CONUS to an allied partner country to participate in that country’s homeland defense exercise. The theater commander issues guidance to the Corps commander to ensure exercise participation by his forces is “transparent and predictable” in the eyes of red force commanders just across the border to ensure the exercise is not viewed as escalatory by red. In this case, the Corps commander needs a keen understanding of how his force’s movements and behaviors in the exercise are perceived and understood by red force units across the border, including those trying to observe or exploit blue forces below the threshold of armed conflict in the cyberspace and space domains.


Governments and military organizations need to transition from linear, kinetic geopolitical approaches to a continual competition mindset where decision making volume and speed matters. This is true whether an organization is defending against cyber threats, a country is waging war on a distributed terrorist organization, or a commander is camouflaging information operations activities in order to blend with the surrounding information environment.

Diverse, growing data streams enable non-intuitive insights from which decision makers may identify and capitalize on fleeting opportunities to anticipate changes and increase operational costs for opponents. Better, faster, data-driven decisions advantage one player over another and enable maneuver warfare below the level of armed conflict by anticipating what is likely to happen next.

We demonstrated that relative system behaviors are discoverable, predictable and useful. In a competitive systems confrontation context, red and blue systems may be directly or indirectly dependent on the actions or perceptions of what each system is doing or ready to do. It is important, therefore, to understand how red and blue systems change over time depending on changes in aggregate varieties of activities (entropy). This enables prediction for not only actions to be taken but also the time it takes for other systems to react to actions. Understanding and predicting relative system behavior is “The Coin of the Realm.”

About the authors

Brian Russell is a recently retired colonel in the United States Marine Corps. After commissioning from North Carolina State University, he served the earliest parts of his 27-year career as an artillery officer with multiple combat deployments including service as a Military Transition Team Leader in Habbaniyah, Iraq, the executive officer of Brigade Headquarters Group in Helmand Province, Afghanistan and Plans Director in Bagram, Afghanistan for a combined joint special operations task force. After giving up command of 1st Air Naval Gunfire Liaison Company in Camp Pendleton CA, he was selected to attend the College of Information and Cyberspace at National Defense University as the sole Marine student in the inaugural resident cyberspace strategy war college program. This educational opportunity earned him a set of orders to US Cyber Command where he served in the Fires and Effects division and subsequently served as the J5 Plans Director of Joint Task Force ARES. Most recently he commanded II Marine Expeditionary Force Information Group (II MIG) in Camp Lejeune, North Carolina where he provided joint all domain effects for the MEF commander, 2d and 6th Fleets and multiple key allies and partners. He is also a member of the Information Professionals Association.

John Bicknell is the CEO and Founder of More Cowbell Unlimited. A national security thought leader and passionate analytics visionary, he has written extensively on national security matters related to information warfare, critical infrastructure defense, and space situational awareness. Before retiring from the United States Marine Corps in 2010 as a Lieutenant Colonel, John served worldwide, most notably in Afghanistan and at the Pentagon. He led enterprise-level process intensive human resources supply chain projects designed to discover inefficiencies, architect solutions, and re-purpose manpower savings. In his corporate career, he operationalized an Analytics Center of Excellence for a large EdTech firm, among other accomplishments. John is a member of the Military Operations Research Society (MORS) and InfraGard. He is also Vice President for the Information Professionals Association and host of The Cognitive Crucible podcast. His Master’s degree from the Naval Postgraduate School emphasizes econometrics and operations research.