Communications of the ACM

job harder. They are tools to be used as part of a broad defense strategy.

PATRICK MCDANIEL: There’s been an interesting transition of threats and attacks over the last 10 years, and what we’re seeing more frequently is professional attacks that more effectively monetize the vulnerabilities in computers. In particular we have seen the rise in things like ransomware, which has become a very serious problem for businesses, government agencies, and organizations that don’t have full-time professional cybersecurity staff.

Just looking at what is happened over the last six months in the U.S., it’s clear that misinformation has become a major weapon in the cyber-criminal’s arsenal. I think we will see even more attacks where misinformation is used to try and shape public policy, sway public opinion or even to alter people’s behaviors. Obviously the use of misinformation is nothing new—we’ve seen it before with stock market manipulation, etc.—but I think we’re going to see much newer and inventive uses of misinformation as a means of cyberattack.

PAUL VAN OORSCHOT: It’s a long-standing problem: software vulnerabilities allowing compromise of user devices and remote control of these compromised machines. This is easily addressed in theory, but harder to fix in the real world. Problems stem from long-ago and deeply entrenched architectural choices in operating systems; use of software applications which favor rich functionality over conservative

SINCE ITS INAUGURATION in 1966, the ACM A.M. Turing Award has recognized ma- jor contributions of lasting importance to computing. Through the years, it has become the most prestigious award in computing. To help celebrate 50 years of the ACM Turing Award and the visionaries who have received it, ACM has launched a campaign called “Panels in Print,” a collection of responses from Turing laureates, ACM award recipients and other ACM experts on a given topic or trend.

ACM’s celebration of 50 years of the ACM Turing Award will culminate with a conference June 23–24, 2017, at the Westin St. Francis in San Francisco. This unique event will highlight the significant impact of ACM Turing laureates’ achievements on computing and society, to look ahead to the future of technology and innovation, and to help inspire the next generation of computer scientists to invent and dream.

For our second Panel in Print, we invited 2002 ACM Turing laureate LEN ADLEMAN, 2014 ACM Prize in Computing recipient DAN BONEH, 2015 ACM Grace Murray Hopper Award recipient BRENT WATERS, and ACM Fellows PATRICK MCDANIEL and PAUL VAN OORSCHOT to discuss current issues in cybersecurity.

The cybersecurity discipline has developed rapidly. Do you think we are staying ahead of, or falling behind, the threats?

LEN ADLEMAN: I think that we are
behind. Cybersecurity is a cat-and-
mouse game. There can never be a fi-
nal victory. The Internet is developing
so quickly, along so many paths, that
while we address current problems,
we cannot even anticipate those that
are emerging.

BRENT WATERS: In the research realm of cryptography, we have made significant leaps in the past 15 years in terms of which new functionalities we can realize. These include solutions to problems such as identity-based encryption, attribute-based encryption, and fully homomorphic encryption, and potentially can realize an exciting primitive called indistinguishability obfuscation.

Where we seem to be facing problems is filling in the gap between sound cryptography and sound deployments. These deployments can fail for any number of reasons from bad software implementation, to poor design of new cryptography, to use of legacy cryptographic protocols.

What do you see as the top cybersecurity threats in 2017 and why?

DAN BONEH: Social engineering attacks remain one of the top cybersecurity issues in 2017. Phishing and related attacks are still effective at stealing user credentials. Targeted emails continue to be effective at fooling end users into installing unwanted software such as adware, malware, or ransomware. These are common occurrences, and are often the easiest way to gain a foothold on a targeted system. Two-factor authentication and application whitelisting can make the attacker’s