Confronting Core Problems in Cybersecurity
Whatever their motivation, attackers often operate with impunity, explained Manferdelli. “Unlike other crimes, you can be in one country and commit a cybercrime in another country. Sometimes it’s hard to tell who did it, because if they’re practiced, they’re probably very good at concealing their tracks. It’s a little bit like a perfect crime, and it’s a growing business. The chances of you getting punished for it are close to zero. So, there’s almost no deterrence-based prevention.”
Because there is little to deter attackers from acting, companies need to protect themselves, their products, and their customers’ data — but many are not investing enough in doing so, said Manferdelli. “Often, companies discount cyber threats at first, or think they can handle it by a PR campaign. They don’t want to spend the money on getting things safe or reliable if no one cares.”
Those who do work to safeguard their systems face an array of challenges. “Most cyber systems are incredibly complex, and the supply chain for them is wildly globalized,” said Manferdelli. “The supply chains for the products and systems you have to make safe are vast and involve many, many people. They were often designed years ago, before anybody worried about this stuff.”
He noted that there isn’t always an attacker behind every cyber mishap, pointing to the Alaska Airlines IT outage in July that led to grounded planes and cancelled flights. “Cyber systems are so complex that people can inadvertently build critical systems in ways that are fragile.”
The Underlying Hard Problems
Driving many of the vulnerabilities in computer systems are “cyber hard problems” — fundamental challenges that are identified in the National Academies report. Its authors hope to motivate the cyber community — government, industry, academia, and research funders — to work together to solve them.
Some of the hard problems are technical, such as the challenge of securing cyber-physical systems: computer systems that drive action in the physical world. These systems are used in everything from military weapons to household appliances and car brakes, but their complexity — and the shortage of engineers who understand them — can make them vulnerable.
“Cyber-physical systems are complex and require interdisciplinary expertise to understand, and very few people are able to analyze them,” said Manferdelli. “Software engineers incompletely understand software, and hardware engineers incompletely understand hardware. But often the problem with cyber-physical systems is right between those two, at the interface.” The report urges sustained investments to develop secure engineering practices for these systems, along with a workforce with expertise in them.
Other hard problems go beyond the technical realm — for example, the lack of economic incentives to improve cybersecurity systems. Suppliers of cyber systems are seldom held liable even for the shoddiest products, the report says. And because there is currently no way to measure a system’s security — and therefore no way a company can credibly claim “my system is the most secure” in the marketplace — there is no economic reward for assuring security, and so little incentive to do so, Manferdelli explained.
To help solve this problem, industry groups can develop and promote good practices, and government agencies can establish and enforce regulatory standards, the report says.
“Governments have a classic role in dealing with this market failure — there’s no way to value security right now, and hence no market incentive for improvement,” said Manferdelli. “I think governments are struggling with that, but they definitely have a role in providing the right economic incentives and the right legal policy. It is hard, though.”
Collaborating to Advance Cyber Resilience
While the report lays out fundamental research and policy priorities for the cyber community, a complementary effort — the Forum on Cyber Resilience — convenes experts from industry, academia, and government to respond to new and critical problems as they emerge.
The forum monitors evolving issues in cybersecurity and holds meetings and workshops to examine particular topics. The conversations provide nuanced, contextual, and evidence-based expert analyses to inform government, industry, and the public.
“One of the real benefits is we can act quickly, and we have access to a huge range of expertise,” said Manferdelli, pointing to the National Academies’ ability to tap experts not only from the tech world but also from legal, medical, national security and other spheres.
“It would be hard to find another place where you have so much integrated knowledge,” he said. “It doesn’t always yield the solution right away, but it helps inform the discussion. And sometimes it actually does help solve the real problem pretty quickly.”
Although discussions about cybersecurity inherently focus on problems linked to our reliance on cyber systems, Manferdelli stressed that it’s also important to remember the benefits. “Our lives are much, much better because of cyber capabilities,” he said, pointing to many people’s ability to work remotely during COVID — which helped save the economy — and broader access to education and entertainment. Cyber-physical systems have also enabled productivity gains in manufacturing, national security, and physical infrastructure.
“It’s not all a sad story,” he said. “It’s kind of a good story overall. But it’s a story we’re unaccustomed to making better in a principled way. So, I think that’s the challenge. There is research to be done. There’s motivation to be provided. And much more work to be done.”
Sara Frueh is Senior Writer at the National Academies of Sciences, Engineering, and Medicine. The article was originally posted to the website of the National Academies.