Cyber security is difficult. It’s actually so difficult that a few years ago the US National Academy of Engineering named securing cyberspace as one of the Grand Challenges of Engineering. Other challenges were, e.g., providing access to clean water for everyone and making solar energy economical.
What makes cyber security so hard? There are several reasons. One is the complexity of networks and services. It is plainly impossible for anyone to fully understand all the technologies, players, connections and code behind any important or popular service. The second is the irrationality of users’ behavior. We tend to think that people are rational, risk-calculating machines. Although we know that’s not the case, services are still designed on the assumption that users will make rational decisions and behave. The third reason is that economics doesn’t work in favor of better security. The security level of software-based services is very difficult to explain and prove to users. The implication is that users won’t pay for better security, because they don’t see what they will get. That creates a well-known “market for lemons” problem, where it makes sense for vendors and service providers to implement just the minimum acceptable level of security.
It seems that there is an endless list of reasons for cyber security problems, but I’ll add just one more. The fourth reason is that software engineering is a very young science. We don’t understand well how to create quality software, not to mention secure software. Sometimes it seems to me that we are like kids playing with all the new and fancy technology, wanting it all right now without thinking of the dangers.
So, how to tackle these problems? I’m afraid that cyber security will go south for a while before it’s going to get better. The most important thing needed is an attitude change among consumers and vendors. Consumers shouldn’t accept insecure products and services – and we should understand that there’s a price tag that comes with security. Vendors should make the security of their products and services user-friendly, visible and understandable. Security should be sold as an enabler and protector of privacy. We’ll probably need regulation in order to get rid of the externalities and to speed up the process.
All our complex Internet services are based on code. It’s not just that Facebook page or cloud service: the whole Internet runs on code. All the devices connected to it run some code. Then we stack all these separately coded devices, components and products together to create some new service that the original developer never thought of. Hence our inability to create secure, quality software is a real problem. From my experience, most developers would like to create good, secure code, and many even know how to do it, but they have no time or incentives to do so. Universities need to start teaching how to create good, secure software for modern, complex environments. Organizations need to understand that coding security into services requires resources; it’s not just the user-visible features that matter.
We certainly need better security products and automation to protect complex software-based services from ever-increasing threats. I’m worried that there seems to be a lack of security innovations. Technology innovations happen very fast horizontally and often also vertically, but security innovations happen at a much slower pace, and most (if not all) of them seem to be horizontal innovations. We should have more non-security people involved in designing the security of products and services. We need views regarding human behavior, economics, user interfaces, etc. Cyber security is too important to be left just to cyber security experts. We also should aim higher than “just security” or even resilience. We should think about anti-fragile systems – systems that become more secure if someone tries to breach them.
Cyber security will remain a grand challenge for a long time. We need to understand that security can’t be isolated from technology, people, processes and organizations. We need to rise above technology and look at the bigger picture to build secure services. Cyber security will get worse before it’ll get better. We have taken the first step in the right direction, though, by understanding that it’s a challenge worth solving.