Cyber Hard Problems: Focused Steps Toward a Resilient Digital Future (2025)

Chapter: 5 Toward Community Coordination and Progress

Previous Chapter: 4 The Producer Perspective
Suggested Citation: "5 Toward Community Coordination and Progress." National Academies of Sciences, Engineering, and Medicine. 2025. Cyber Hard Problems: Focused Steps Toward a Resilient Digital Future. Washington, DC: The National Academies Press. doi: 10.17226/29056.

5
Toward Community Coordination and Progress

Cybersecurity is a fundamental societal problem with extraordinary scope and dimensionality, including technical, human, business, and policy. The challenge is exacerbated by the difficulties of measurement. Without good ways to measure security, incentives are hard to frame, and so action becomes difficult to motivate, especially when there are benefits to expediency. For some of the previously identified cyber hard problems, there has been extensive technical progress. These levers are important and essential, and indeed there are strong reasons to expand and accelerate technical work. But transformational impact on many of the hard problems identified in this report requires, additionally, collaboration with stakeholders involved with business and policy.

Driving this is that security is an attribute of a cyber system within a context of operation. A cyber system includes hardware, software, services, and associated supply chains. It also includes how a system and its associated data interact with other systems. The context of operation includes the ways in which the system interacts with the world, including with human users and operators, as well as with other systems—and, importantly, with potential cyber adversaries who may seek access to confidential data, the ability to tamper with data, or the disruption of operations. Examples of context of operation range from civil infrastructure operations and national security systems to consumer applications for financial services, health care, and online media.


UNDERSTANDING AND MEASURING PROGRESS

The previous chapters have described pervasive difficulties in measuring security attributes, challenges that affect the ability to frame incentives for stakeholders, especially when counter-incentives are present, such as cost and schedule (which also have the benefit of being easily measurable). Thus, making progress on assessments and related interventions is essential and valuable. Here are some elements of this broad challenge of framing and defining measurable security-related attributes.

  1. Cyber risk. Prioritizing security interventions requires a comprehensive look at the three principal elements of cyber risk:
    1. Reducing vulnerability of the system itself through engineering choices and using modeling and analysis to support assessments. There are many kinds of vulnerability, and each has associated models, analysis techniques, and preventive engineering practices.
    2. Reducing potential consequence of compromise through adjustments to the ways systems can interact in the world, including the ways they interact with people.
    3. Understanding potential threats that are associated with the role of that system in society and with the attack surfaces that are exposed (as a consequence of choices regarding both system design and context of operation). Security is distinguished from most engineering disciplines because it must always anticipate a well-resourced, capable adversary motivated to undermine security for some benefit. When vulnerabilities in a system cannot readily be repaired, a natural step is to alter the operational role of that system to reduce exposure of attack surfaces and consequences of compromise.
  2. Transparency in support of evaluation. Security is a complex aspect of an entire system. In an evaluation process, information asymmetry (the differences between what a producer knows and what a consumer knows) creates challenges, especially when powerful producers have rational incentives both to thwart transparency and to benefit from this to game perceptions to their benefit. Even with full transparency, these aspects of risk are difficult to assess and improve and will likely remain difficult.
    1. Direct evaluation of opaque “black box” systems through testing will not yield reliable results with regard to security.
    2. Direct evaluation with transparency—supported by models and evidence—is the only way to achieve fully confident judgments and reasonable trade-offs regarding specific aspects of security.
    3. Indirect evaluation based on engineering processes rather than on engineered artifacts will also not yield reliable results. However, evidence of attention—in systems design and in scoping of operational context—to security engineering principles, such as least privilege, can increase confidence.

    In many areas, barriers of scale and usability are being successfully challenged to advance our capacity for direct and fully trustworthy judgments about particular security-related qualities. These steps apply regardless of whether the system is a national security system, a social media service, or a consumer-facing mobile app.

    A particular challenge in both evaluation and operation is the capacity of sophisticated adversaries to gain access to systems and their supply chains in ways that may often afford them greater knowledge of the details of a system and its elements than operators, evaluators, and sometimes even developers (when there is opacity in the supply chain). Highly capable adversaries may synthesize both a more holistic and a more detailed knowledge about a system than its users, operators, evaluators, and even developers.1

  3. Increments of transparency. The challenge of security assessment is exacerbated by adverse business, legal, and regulatory norms. In the absence of security measures, business incentives (cost, schedule, minimized liability) lead to insecure systems. Small improvements in measures and in transparency, for example, the recent efforts to encourage a software bill of materials and “zero trust” practices, can result in both security improvements and in momentum to further transparency. There are a few security attributes that can be reliably assessed, if attested to by a third party. Experimentation is to be encouraged in this regard. Rewarding transparency and evidence-based attestations in acquisitions will likely be helpful.
  4. Targeted compliance standards. Generic security standards and frameworks are not necessarily straightforward to implement in various constrained environments. Although some verticals have created specific compliance standards for regulatory purposes, there’s a need for more extensive development of “templates” and mitigations that have been shown to work under various technical and economic constraints. The MITRE organization has been doing strong work in this area, but it needs to include adaptation for small and medium businesses and other resource-poor entities.
  5. Assessing increments of progress. Security challenges are rarely “solved,” but rather are subject to increments of progress. Password composition practices provide an example. For many years, there was a widely held belief that complex passwords, frequently changed, were the best practice.2 For users without password managers, this meant a compromise on usability, since these complex passwords (multiple special characters, numerals, upper and lower case, etc.) were difficult to remember and to type. Indeed, there was folk wisdom that, regarding user authentication, one could have either security or usability, but not both. Empirical studies subsequently demonstrated that longer passphrases could be both memorable and secure.3,4 This disrupted the folk wisdom and gave way to improved National Institute of Standards and Technology password guidance.

It is daunting that the cyber hard problems are complex and do not lend themselves to simple “magic bullet” solutions. Some say that cybersecurity is a marathon and not a sprint, but for many of the problems, the struggle will be ceaseless—as systems grow in complexity and ambition, and cyber adversaries grow in capability and motivation. Choices will have to be made about managing a portfolio of research to make progress on multiple fronts. There is no choice but to engage in the struggle, and with relentless vigor—since the capabilities gained from cyber systems are now essential to advancing health, education, communications, commerce, national security, scientific research, and information dissemination. Cyber systems enhance productivity and create new kinds of economic value—and there is no limit in sight in the scope and impact of what they can be doing in the future.

___________________

1 Cybersecurity and Infrastructure Security Agency, 2025, “Closing the Software Understanding Gap,” January 16, https://www.cisa.gov/resources-tools/resources/closing-software-understanding-gap.

2 National Institute of Standards and Technology, 2024, “SP-800-63B—Authentication and Lifecycle Management,” Digital Identity Guidelines, August 28, https://pages.nist.gov/800-63-4/sp800-63b.html.

3 S. Komanduri, R. Shay, P.G. Kelley, M.L. Mazurek, L. Bauer, N. Christin, L.F. Cranor, and S. Egelman, 2011, “Of Passwords and People: Measuring the Effect of Password-Composition Policies,” Proceedings of the SIGCHI Conference on Human Factors in Computing Systems 2595–2604, https://www.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf.

4 P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, and J. Lopez, 2012, “Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms,” 2012 IEEE Symposium on Security and Privacy 523–537, http://ieeexplore.ieee.org/iel5/6233637/6234400/06234434.pdf.


INFORMING RESEARCH INVESTMENTS AND POLICY ACTIONS

The cyber hard problems identified in this report can be used by various sectors and entities as reference for research and development (R&D) investments as well as incentives and policy actions.

  • Academic researchers in cybersecurity can frame their work in the context of the hard problems to connect with partners working on other aspects—technical, policy, business, societal, and so on. This is because, as noted, many aspects of the problems—and potential progress toward solutions—are not purely theoretical or technical. Researchers engaged in multidisciplinary studies (i.e., cybersecurity plus law, policy, international relations, engineering, psychology, economics) can benefit both by helping in framing the overarching problems and also providing applicable wisdom from their disciplines.
  • Industry is at the forefront of both the creation and the use of the great diversity of societally relevant cyber systems. On the demand side, there are challenges in evaluation and acceptance, in defining operational workflows, and in integrating systems into a broader enterprise that includes other systems. On the producer side, there are challenges both in addressing the technical requirements and capturing technical advantages while also providing customers and users with evidence to support their confident acceptance of the products and services offered. This is important both for established players and for new entrants. Additionally, these cyber hard problems provide a framing to facilitate targeted R&D collaboration with higher education and for sector-wide initiatives.
  • Policy makers and federal research funding agencies can look at the cyber hard problems list as a framing for sponsorship of strategically relevant cyber research, in both the mission-focused mode and the exploratory mode. In the mission-focused mode, many of these areas directly affect national security—and not just in the sense that cybersecurity failures create cascading effects across critical infrastructure and economic activity but also in the enactment of the continuous and often intense engagement with cyber adversaries. Opportunities exist for incentives and regulation to address cybersecurity risk that now affects nearly all sectors and consumers. The cyber hard problems also can provide useful framing for international alignment of cybersecurity policy and processes for resilience. This can complement the de facto alignment that is a consequence of the global presence of tech firms.

Next Chapter: Appendixes