Communications of the ACM

design; and the freedom allowing users to download and install software with a single click makes us all vulnerable to being socially engineered to install software without any sound evidence or knowledge of what the software will do. It’s not likely that we will be able to retrain 10 million software developers, nor to motivate them to voluntarily spend extra time on security when the economic benefit of doing so falls to others. That’s an economics of information security challenge—as is that fact that historically, almost all software is sold on an as-is basis without liability for consequences.

Why are cyberthreats/attacks becoming more sophisticated with each passing year?

BRENT WATERS: One can attribute this to two basic reasons. First, technology in general becomes better and more sophisticated over time. One would expect the sophistication of cyberattacks to also flow in that same direction. Another important factor is that with more and more data stored on computing devices, the value in launching attacks increases. For example, there have been multiple attacks that exposed private communications and photos of celebrities. Ten years ago, without smartphones, these photos either wouldn’t be taken or wouldn’t be accessible. As another example, in this election cycle we have seen that attacks (for example, the DNC emails) have the potential to shake up organizations and possibly shift outcomes in elections. This type of power will not only interest the usual attackers, but will also attract extremely well-funded state sponsored adversaries.

With the public more concerned about cybersecurity than ever before, what should be the top cybersecurity priorities for the new U.S. administration?

DAN BONEH: The highest priority for the new U.S. administration is to shore up the cyber defenses of government systems. Events like the 2015 attack on the office of personnel management that exposed the personnel records of over 21 million people, or the compromise of the IRS systems that may have exposed personal data from over 700,000 taxpayers, should not happen again.

PATRICK MCDANIEL: Our federal IT systems, as we have learned repeatedly,

are very much antiquated, due to things like underfunding. But if our society is to become more secure, then we need to focus on updating and fixing those federal systems. One way in which we could do this would be for the current administration to immediately priori-tize creating a national two-factor authentication system, either for federal employees or even more broadly. Although that sounds somewhat boring, I think that is the single simplest thing we can do to reduce the threats against the information systems we have in this country. A good friend and colleague of mine, Farnam Jahanian, the Provost of Carnegie Mellon University, has said, ”We are not good at doing the easy things, and we need to get better at them.”

What are the biggest challenges faced by industry in defending against cyberattacks, and what technologies/ approaches can help them overcome these challenges?

LEN ADLEMAN: I think the issues
raised in the question transcend in-
dustry. From my forthcoming book,
Memes: How Genes, Brenes and Cenes
Shape Your Life and Will Shape the
Future of Humanity:
We will soon see religions, nations,
and economies rise and fall in cyber-
space. These entities will be no less
powerful and have no less impact on
our lives than their current “brick and
mortar” counterparts. Political, eco-
nomic, and even military power will be
diffuse; the physical locations of like-
minded people will be less important
than their numbers and connectivity.

If the U.S., Russian, and Chinese governments are not working on black hat programs that, in the event of war, will knock out the computational infrastructure of the other two, they aren’t doing their jobs. Such programs are weapons of mass destruction, and, if used, the death toll could be colossal. A first world country with no computational infrastructure is a country with no economy, no food, no power and ultimately not a country at all.

What are your biggest security concerns as they relate to the influx of connected devices in the Internet of Things (Io T)?

PATRICK MCDANIEL: When it comes to Io T and the future of security, I have a vision of two possible futures. The first scenario comes at a significant cost. But I believe this to be the more optimistic future, because we will understand the trade-off between cost and value, and we’re going to pay for it so we can live in a world in which we have much better security than we do today.

The second, and in my view, the more pessimistic scenario is a world in which we have just become used to insecurity. There is a kind of really toxic resignation among some members of the cybersecurity research community as well as industry and government, that today’s systems are unfixable and that we don’t have the technology, time or resources to make ourselves more secure. I think this is a particularly dim and uncomfortable scenario, not only because the kinds of benefits we see from technology would be greatly diminished, but our potential for changing life on this planet—from healthcare, to society, to communications, to quality of life to energy efficiency, to protecting the environment—will be vastly diminished, if we just accept insecurity.