1
Introduction

CONTEXT

This report builds on two previous hard problems studies sponsored by the InfoSec Research Council in 1995 and 2005.¹ A lot has changed since those reports were written, but many of their conclusions still apply now, some with even greater force and effect. Today, computing and communication technologies are near-universally integrated in every aspect of society, vastly improving lives but adding new threats, introducing new technology and uses that far outstrip the classic information security perspective of the past.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a report² illustrating the increasing importance of cyber resilience. The introduction of that report states as follows:

Access to electricity, transportation, the internet, and a myriad of other services are of paramount importance to the Nation’s societal and economic well-being. Each day, critical infrastructure operations ensure that National Critical Functions (NCFs), which serve as the operational backbone for modern society, are running. The NCFs

are the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

CISA, through the National Risk Management Center (NRMC), works with government and industry partners to identify and manage risks to the NCFs in a targeted, prioritized, and strategic manner to improve the resilience across the United States critical infrastructure.

Technological advances and hyperconnectivity have improved critical infrastructure operations and transformed the Nation’s 16 critical infrastructure sectors into a complex, interconnected ecosystem. At the same time, the integration of information and operational technologies and the complexity of supply chains has created new vectors through which adversaries can exploit vulnerabilities in assets, systems, and networks that enable America’s economic competitiveness and national security. Examples of NCFs include electricity generation that powers homes and businesses, transportation of commodities and people, and access to GPS data for cellular networks. An interruption to one NCF can have cascading consequences across industries and society.³

The goal of the 2005 cyber hard problems study was different from the present effort. The study was charged with producing “desirable research topics by identifying a set of key problems from a government perspective and in the context of IRC member missions” to “help guide the research program planning of the IRC member organizations.”⁴ By contrast, the scope of the present study is wider, expanded to “provide a current list of hard problems in cyber resiliency, building on earlier hard problems lists and expanding the scope from cybersecurity to cyber resilience” to “identify ways that the new list could be used to enhance community-wide coordination of R&D [research and development] activities.”⁵

This report benefits from the previous work but does not confine itself to identifying and prioritizing research hard problems, although it certainly does that. It also examines the ever more critical role of cyber in society in the context of its actual use (e.g., in NCFs, commerce, health care delivery, new mechanisms such as artificial intelligence [AI], and education). The scale, complexity, and impact of platforms, such social media,

7. Security with Privacy: Technical means for improving information security without sacrificing privacy
8. Enterprise-Level Security Metrics: Ability to effectively measure the security of large systems with hundreds to millions of users

The hard problems above are not homogeneous in nature. In some cases, solving the problem calls for research into new security mechanisms (global identity management); in some cases, it calls for new analytical techniques (security metrics); and in other cases, it requires a combination of new mechanisms, operations, and design methodologies (building secure systems). The heterogeneity of the hard problems is already visible in the 1995 InfoSec Research Council report. There, the “Functional Hard Problems of 1995” are summarized here:¹⁰

1. Intrusion and Misuse Detection: Commercial systems are still riddled with false positives and false negatives, especially in high-volume situations such as networking. Years of experience has shown that the general problem of intrusion detection leaves adversaries too much room to maneuver, and that the general approaches to intrusion detection are completely blind to certain classes of attack, such as life-cycle attacks. More research is yet to be done. This remains an unsolved problem.
2. Intrusion and Misuse Response: Given progress, and the degree to which response depends on detection, the emphasis of this area has been refocused on insider threat detection and detection of covert channels.
3. Security of Foreign and Mobile Code: Although difficult research remains, proof-carrying code and sandboxing represent important advances in limiting the potential negative effects of foreign and mobile code. However, even domestic production of software is being outsourced to firms offshore. Moreover, even at reputable software companies, insiders can be bought to plant malicious code into key products used by the U.S. government.
4. Controlled Sharing of Sensitive Information: Progress in digital rights management may ease policy specification challenges by empowering end users to set policies as required on information as it is being created. However, without a foundation of trustworthy enforcement mechanisms for enforcing separation, the value of this will be substantially diminished.
5. Application Security: Application security has seen important progress toward intrusion-tolerant applications that are able to function despite flawed

5. components. These systems can be designed to be less reliant on an underlying trustworthy computing base (TCB) than traditional applications. However, research remains to make these techniques work in distributed, asynchronous, time-critical environments. One of the most painful lessons has been that there will always be situations where the TCB is critical. So, developing truly trustworthy TCBs is still required for building scalable secure systems.
6. Denial of Service: Although research remains, progress has been made toward assuring the availability of information systems against denial-of-service attacks. Technology now exists to mitigate distributed denial-of-service attacks. Moreover, progress from traditional fault tolerance can now help mitigate other denial-of-service attacks. However, this technology is generally only available to large service companies.
7. Communications Security: The foundation of secure communications is the cryptography and an infrastructure for managing cryptographic keys. Here, practical solutions are economical and in general use. However, secure communications require authenticating security principals, including people as well as computers and programs. Despite progress in secure communications, authentication, which is a critical aspect of these systems, is seldom done properly.
8. Security Management Infrastructure: Although research remains, industry has already begun acquiring emerging security response management technologies. Additional research into security response management requires better situational awareness and attack attribution. The remaining work is captured in the operational security hard problem (CHP10) in Chapter 3.
9. Information Security for Mobile Warfare: Both homeland defenders and the military now depend on mobile and secure networked computing, particularly given risks of attack and the need for fire, police, rescue, and recovery personnel, to be able to securely coordinate crisis response via information systems, services, and networks. This is largely an implementation and standards problem and not a “basic technology” problem.

Despite progress, many of the problems identified in 1995 and 2005 remain unsolved as a practical matter and are exacerbated by scale, interconnection, and globalization. There are also many new hard problems that arise from societal, technological, infrastructure, and economic progress since 2005 as well as the increased impact of globalization.

PROGRESS OVER THE PAST 20 YEARS

When the Department of Homeland Security (DHS) developed its first (2009) roadmap for cybersecurity research,¹¹ it cited and drew directly from the 1995 and 2005 hard problem lists prepared by the InfoSec Research Council. Additionally, according to perspectives offered by participants in the previous cyber hard problems lists, the lists were used by individual program officers to defend funding research on a problem on that list.¹² Solicitations for work with an impact on such a problem was convincingly argued to be worthy of funding. There were also a number of convenings and other activities indirectly influenced by the lists and the process of developing them, including the DHS 2009 Roadmap for Cybersecurity Research.^13,14

Concrete progress has been made on some of the hard problems in the 1995 and 2005 reports. This progress is attributable to a number of factors, including research and development investments in deployable and more usable technology.

Security of communication channels can now be regarded largely as a solved research problem because of excellent, widely accepted, and available cryptographic standards and technology.¹⁵ Still, even today’s solutions are marred by failures in implementation and operation, including poor key management, weakness in random number generation, attacks on the certificate infrastructure (to which there have already been technical responses such as certificate pinning), attacks on Internet routing due to misconfiguration, and insecurity in the Internet’s Domain Name System. Insider risk also continues to affect the ability to solve this problem.¹⁶

Global identity management has made progress. There is a practical regime for two-factor authentication, and account recovery is routinely available for many commercial applications like health care. Access control for resources that may be widely shared under specified policy remains a problem—not because new mechanisms are needed, but because current implementations are inadequate (for reasons of safety, scale, interoperability, or simply the effort required to use them) for massive multi-user commercial services.

Denial-of-service attacks are no longer a significant threat to larger service providers and edge providers because of investment in multi-geographical presence, big pools of address space, and technology developed to identify and exclude attackers.

In 1995 (and even 2005), it was rare for people to interact with their physicians and medical records on their personal computers; relatively rare to do banking using a personal computer; relatively rare to take a course remotely; and relatively rare to interact on social media, watch a movie, or obtain most news online. Now such virtual interactions are commonplace, accelerated by the COVID-19 pandemic, and cyber access to services far outpaces traditional service delivery modes. Cyber increasingly controls physical infrastructure (e.g., Colonial Pipeline), transportation, electric service (transmission and distribution), automated factories, medical devices, and even water and sewer service. All of these operate on legacy technology that interacts with more recent, complex technology over the Internet. All are vulnerable to attack. Physical infrastructure increasingly employs sensors and actuators to operate cyber-physical systems (CPS), including critical infrastructure, home maintenance, medical devices, autonomous vehicles, and automated manufacturing. These CPS often employ security practices that are 10 or 15 years behind IT systems. They are often bespoke and are largely opaque. Both the hardware and software supply chains for CPS are far more diverse than IT—both specialized and global. This further complicates any attempt to address the cybersecurity and resilience challenges posed by these complex systems.^21,22

Today, very nearly all residents of middle- and high-income countries have access to broadband, smartphones, and personal computers. This was not the case in 1995 or even 2005. The world’s population uses this infrastructure to obtain critical services previously obtained in other ways and to control home and office devices.

A few cloud services, such as Amazon Web Services, Microsoft’s Azure, and Google Cloud, host corporate applications at centralized data centers located throughout the world. While the operational safety is probably better than most in-house operations, it is opaque to most customers. In 1998 and even 2005, most IT support was an internal function, and outsourcing was comparatively rare. Today, a large fraction of commercial computing has migrated to cloud infrastructure operated by a small number of providers, making them a potentially critical failure node.

The nature and sophistication of attackers has also changed. Attacks on U.S. systems come from around the globe, from actors that are often funded or otherwise supported covertly by nation states. The astonishing accumulation of personal information available from data brokers and collected from a fusion of advertising and social media has made social engineering attacks much more effective. The advent of Bitcoin