Communications of the ACM

editor’s letter
ONE CAN GET a good picture of what is “hot” in technol- ogy by attending a Tech Summit. Such events are now held regularly in places
trying to compete with Silicon Valley. I
attended such a summit a few weeks
ago. So what’s hot? FinTech (financial
technology), MedTech (medical tech-
nology), Io T (Internet of Things), and
autonomous cars are all hot. These
areas attract a high level of venture cap-
ital, and one can expect them to grow
and reshape the financial, medical,
and transportation industries. Under-
lying these technologies is, of course,
the Internet—our “network of insecu-
rity”—so we can expect cyber insecu-
rity to spread across more and more
aspects of our lives.

Cyber insecurity seems to be the normal state of affairs these days. In June 2015, the U.S. Office of Personnel Management announced it had been the target of a data breach targeting the records of as many as 18 million people. In late 2016, we learned about two data breaches at Yahoo! Inc., which compromised over one billion accounts. Lastly, during 2016, close to 20,000 email messages from the U.S. Democratic National Committee were leaked via WikiLeaks. U.S. intelligence agencies argued that the Russian government directed the breaches in an attempt to interfere with the U.S. election process. Furthermore, cyber insecurity goes way beyond data breaches. In October 2016, for example, emergency centers in at least 12

U.S. states had been hit by a deluge of fake emergency calls. What cyber disaster is going to happen next?

So here we are, 70 years into the
computer age and after three ACM
Turing Awards in the area of cryptog-
raphy (but none in cybersecurity), and
we still do not seem to know how to
build secure information systems.

This state of affairs was bemoaned in 2005 by then ACM President David Patterson, who argued (https://goo.

gl/9QbuZc), “We must protect the security and privacy of computer and communication users from criminals and terrorists while preventing the Or-wellian vision of Big Brother.” Yet here we are, over a decade later, and Patterson’s passionate appeal is as relevant as ever! That is not to say we have not made significant progress in the development of security-enhancing techniques, but we have not really succeeded in making information-tech-nology infrastructure more secure.

As information technology permeates more and more aspects of our lives, the stakes are getting higher and higher. The risk is no longer merely about compromised privacy. We must worry now about the integrity of vital infrastructure components, including the electrical-power grid, the telecommunication system, the financial system, and the transportation system. And yet, our community marches forward with no special sense of urgency.

The basic problem, I believe, is that security never gets a high-enough priority. We build a computing system for certain functionality, and functionality sells. Then we discover security vulnerabilities and fix them, and security of the system does improve.

Microsoft Windows 10 is much, much better security-wise than Windows XP.

The question is whether we are eliminating old vulnerabilities faster than we are creating new ones. Judging by the number of publicized security breaches and attacks, the answer to that question seems to be negative.

This raises some very fundamental questions about our field. Are we investing enough in cybersecurity research? Has the research yielded solid scientific foundations as well as useful solutions? Has industry failed to adopt these solutions due to cost/benefit?

More fundamentally, how do we change the trajectory in a fundamental way, so the cybersecurity derivative goes from being negative to being positive?

We can draw an analogy to car safety.

Over the past 100 years, the amount of vehicle miles traveled has been steadily increasing, but fatalities with respect to vehicle miles traveled have been decreasing. Car safety has been increasing mostly due to government regulation. For example, the U.S. Congress established the National Transportation Safety Board in 1926. Why is there no National Cyber Security Board?

Cyber libertarianism refers to the belief that individuals should be at liberty to pursue their own tastes and interests online. Cyber libertarianism is a common attitude in the tech community;

“regulation stifles innovation” is the prevailing mantra. One could imagine a similar attitude being applied to the car industry, but history has shown that regulation and innovation can co-exist. The tech community has not been able to address the cybersecurity situation on its own; it is time to get governments involved, via laws and regulations. Numerous issues will have to be debated and resolved, but we must accept, I believe, that the cybersecurity problem will not be resolved by the market.