design; and the freedom allowing users
to download and install software with
a single click makes us all vulnerable
to being socially engineered to install
software without any sound evidence
or knowledge of what the software will
do. It’s not likely that we will be able
to retrain 10 million software developers, nor to motivate them to voluntarily
spend extra time on security when the
economic benefit of doing so falls to
others. That’s an economics of information security challenge—as is the
fact that historically, almost all software is sold on an as-is basis without
liability for consequences.
Why are cyberthreats/attacks becoming more sophisticated with each
passing year?
BRENT WATERS: One can attribute this
to two basic reasons. First, technology
in general becomes better and more
sophisticated over time. One would expect the sophistication of cyberattacks
to also flow in that same direction.
Another important factor is that with
more and more data stored on computing devices, the value in launching attacks increases. For example,
there have been multiple attacks that
exposed private communications and
photos of celebrities. Ten years ago,
without smartphones, these photos
either wouldn’t be taken or wouldn’t
be accessible. As another example, in
this election cycle we have seen that
attacks (for example, the DNC emails)
have the potential to shake up organizations and possibly shift outcomes in
elections. This type of power will not
only interest the usual attackers, but
will also attract extremely well-funded
state-sponsored adversaries.
With the public more concerned about
cybersecurity than ever before, what
should be the top cybersecurity priorities for the new U.S. administration?
DAN BONEH: The highest priority
for the new U.S. administration is to
shore up the cyber defenses of government systems. Events like the 2015 attack on the Office of Personnel Management that exposed the personnel
records of over 21 million people, or
the compromise of the IRS systems
that may have exposed personal data
from over 700,000 taxpayers, should
not happen again.
PATRICK MCDANIEL: Our federal IT systems, as we have learned repeatedly,
are very much antiquated, due to things
like underfunding. But if our society is
to become more secure, then we need
to focus on updating and fixing those
federal systems. One way in which we
could do this would be for the current
administration to immediately prioritize creating a national two-factor authentication system, either for federal
employees or even more broadly. Although that sounds somewhat boring,
I think that is the single simplest thing
we can do to reduce the threats against
the information systems we have in
this country. A good friend and colleague of mine, Farnam Jahanian, the
Provost of Carnegie Mellon University,
has said, “We are not good at doing the
easy things, and we need to get better
at them.”
What are the biggest challenges
faced by industry in defending against
cyberattacks, and what technologies/
approaches can help them overcome
these challenges?
LEN ADLEMAN: I think the issues
raised in the question transcend
industry. From my forthcoming book,
Memes: How Genes, Brenes and Cenes
Shape Your Life and Will Shape the
Future of Humanity:
We will soon see religions, nations,
and economies rise and fall in
cyberspace. These entities will be no less
powerful and have no less impact on
our lives than their current “brick and
mortar” counterparts. Political,
economic, and even military power will be
diffuse; the physical locations of
like-minded people will be less important
than their numbers and connectivity.
If the U.S., Russian, and Chinese
governments are not working on black
hat programs that, in the event of war,
will knock out the computational infrastructure of the other two, they aren’t
doing their jobs. Such programs are
weapons of mass destruction, and, if
used, the death toll could be colossal.
A first world country with no computational infrastructure is a country with
no economy, no food, no power and ultimately not a country at all.
What are your biggest security
concerns as they relate to the influx
of connected devices in the Internet
of Things (IoT)?
PATRICK MCDANIEL: When it comes to
IoT and the future of security, I have a
vision of two possible futures. The first
scenario comes at a significant cost.
But I believe this to be the more optimistic future, because we will understand the trade-off between cost and
value, and we’re going to pay for it so
we can live in a world in which we have
much better security than we do today.
The second, and in my view, the
more pessimistic scenario is a world
in which we have just become used
to insecurity. There is a kind of really
toxic resignation among some members of the cybersecurity research
community as well as industry and
government, that today’s systems are
unfixable and that we don’t have the
technology, time or resources to make
ourselves more secure. I think this
is a particularly dim and uncomfortable scenario, not only because the
kinds of benefits we see from technology would be greatly diminished, but
our potential for changing life on this
planet—from healthcare, to society,
to communications, to quality of life,
to energy efficiency, to protecting the
environment—will be vastly diminished, if we just accept insecurity.
©2017 ACM 0001-0782/17/04 $15.00
“The Internet is developing so quickly, along so many paths, that while we address current problems, we cannot even anticipate those that are emerging.”