by Boris Taratine and Ganna Pogrebna
For many centuries, the progress of humanity was fostered by setting important goals for the future. These goals reflected major challenges faced by humankind. In 2015, global leaders under the umbrella of the United Nations set 17 goals to reach a “better” world by 2030. Each of the UN goals targets an important problem such as poverty, hunger, climate change, etc. Yet none of these goals targets cyber spaces; they concentrate primarily on the physical world. This seems rather short-sighted, as humanity is facing a number of important challenges in digital spaces, and it is necessary to consider these challenges now to ensure that humanity advances in both the physical and digital domains in sync. We do not pretend to know all the questions, yet it would seem that the public debate on important digital goals is long overdue. Some of these goals could be: protection of digital human rights; better cybersecurity for all; prevention of digital inequality; harmonization of AI and human interactions; to name a few.
Such goal-setting is important not only at the global level, but also within individual domains. Think of David Hilbert, who presented a set of important problems in mathematics at the International Congress of Mathematicians at the Sorbonne, Paris in 1900. These problems outlined the roadmap for the development of mathematics for many years and continue to do so, as some of them still remain unresolved.
Major Cyber Security and Cyber Defence Problems
In the digital world, Cyber Security is among the important domains where such problem identification is necessary. While many organizations and outlets regularly review the trends in cyber security or discuss major cyber threats, fostering progress requires building sustainable cyber infrastructures by setting fundamental goals. We believe that there are 12 goals informed by important problems, which can be partitioned into 4 clusters forming the ticking clock of fundamental future cyber security problems.
1. How to consistently define the security of a system and the methods to demonstrate it?
Defining system cyber security: While many definitions exist, coming up with a universal set of necessary and sufficient characteristics of what constitutes a secure system is a fundamental challenge of the future.
2. How to compare the relative security of two systems?
Comparing security levels: We know very little about how to conduct relative comparisons between several systems in terms of their cyber security, which itself is yet to be defined.
3. What is the relationship between the security of a system and its compliance with an arbitrarily chosen cyber security framework?
Separating security and compliance: Organizations make their systems compliant with various cyber security frameworks. Yet the number of cyber security breaches increases year by year, suggesting that compliance does not increase systems’ security.
4. How to strengthen the security of a system without increasing the strength of its adversary?
Increasing security without empowering adversaries: Advances in cyber security become known to cybercriminals almost immediately. Therefore, increased security often makes adversaries stronger. One of the main challenges is to find ways in which security can be achieved without raising adversarial competence. Maybe we are solving the wrong problem? Maybe instead of building "more secure" systems we should rather learn how to run insecure systems in hostile environments safely?
5. How to identify and prevent the adversary's code from running on shared hardware/environment?
Securing shared spaces: In a shared environment, the possibility of the adversary's code running does not equal zero, because the hardware does not have a moral imperative to tell the “good” and the “bad” apart and the software that offers separation cannot be proven perfect. This leaves the question of the safety of shared environments open.
6. How to remotely tell apart the legit user of a remote system and an adversary who remotely controls the system when this system is compromised?
Remote identification of adversaries: Even the ever-popular so-called “zero-trust” neither considers this problem nor offers a reliable solution.
7. How to identify and eliminate the finite number of all bugs in arbitrary program code?
Efficient bug detection: Vulnerabilities may remain dormant for years, even in open source code. An exploitable vulnerability is often the cause of a successful compromise. Eradicating the bugs will eradicate a large class of attacks.
8. How to compare the strength of two passwords against a non-brute force compromise?
Password efficiency: A random adversary facing a random user would be unlikely to make a successful guess if the password is not in the list of most popular passwords. Finding the balance between password strength and its appropriateness for various environments is an important problem for the future, because a “something you know” factor will likely remain in use for a long time.
9. How to deconflict security and privacy?
Deconflicting security and privacy: Security is often achieved at the expense of privacy. Yet is it really necessary to invade someone’s privacy to make a system or an environment safer? Understanding whether a solution to this problem exists, and what can offer it, is a key question.
10. How to educate users to recognize, detect and avoid cyber security threats?
Quality cyber security education: Many cyber security measures concentrate on improving technology. Yet it is also necessary to improve human understanding of cyber threats and educate people to deal with these threats more effectively.
11. How do we make sure that security systems are understood by all users?
Inclusive cyber security design: Cyber security measures are often not accessible to an average user because they are too complex. Providing simple and accurate explanations of sophisticated cyber rationales is necessary for building inclusive cyber security systems.
12. How to eradicate the justification of security measures by narrative fallacies?
Cyber fallacies eradication: Many arguments in cyber security are built on logical fallacies. For example, “zero trust” cyber security is built on the “never trust, always verify” principle, which is impossible in principle because a security system ultimately needs to trust something or someone. Avoiding such contradictions is necessary to prevent flaws in system design.
We admit that we do not know all the answers; however, we believe some of these goals can be set and achieved in our lifetime through interdisciplinary collaboration and public debate.
In your opinion, what are the top 3 fundamental cyber security problems? Fill out our survey by clicking HERE. You do not have to agree with the problems listed above. Just tell us what you think!