Fall Issue of The Bridge on Cybersecurity
September 19, 2019 Volume 49 Issue 3

This issue features selected papers intended to provide a basis for understanding the evolving nature of cybersecurity threats, for learning from past incidents and best practices, and for anticipating the engineering challenges in an increasingly connected world.

Editors' Note: Cybersecurity—A Growing Challenge for Engineers and Operators
Thursday, September 19, 2019
Author: Ruth A. David and Robert F. Sproull

In today’s increasingly connected and interdependent world, cybersecurity is an issue that touches virtually every individual, organization, and institutional entity—governmental and nongovernmental alike. According to ITSP Magazine, “There are three types of people in the world: those who have been attacked, those who will be attacked, and those who are being attacked right now and just don’t know it yet.”[1] The same could be said of organizations or institutions. All have a role to play—both in safeguarding personal devices and in contributing to the protection of the systems to which these devices are connected.

As computers shrink in size, computational capabilities—hardware and software—are increasingly embedded in everyday objects, from personal devices such as smart phones and watches to personal vehicles and even dwellings (e.g., smart home systems). Similarly, complex infrastructures on which people depend for transportation, energy, communications, food production, water distribution, and healthcare delivery are increasingly computerized, as are the manufacturing and design processes that will create the next generation of systems and infrastructures.

To be sure, the engineers who design and develop these systems and infrastructures play a vital role in addressing security concerns, but they cannot anticipate every conceivable threat that may manifest during operational use of their product—particularly since new attack surfaces are introduced when individual systems are connected to networks.

Cybersecurity is defined by the National Institute of Standards and Technology (NIST 2011, p. B-3) as “the ability to protect or defend the use of cyberspace from cyber attacks,” and cyberspace is defined as “a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” Thus, cybersecurity focuses on thwarting attack vectors that exploit network connections, but those connections typically occur in individual systems put into use by individual, organizational, or institutional operators who therefore play an equally vital role in addressing security concerns.

Origins and Evolution of Cybersecurity

Cybersecurity traces its roots to 1971, when Bob Thomas unleashed what is considered the first computer worm (Townsend 2019). The worm was not malicious but was capable of jumping from one computer to another, a behavior not previously observed. Years later, in 1989, the first recognized denial of service (DoS) attack was attributed to Robert Morris (Townsend 2019). Once again, the intent was not malicious—Morris intended to highlight security flaws—but this time the damages were real.

In the three decades since, attacks have grown in both sophistication and variety, and motivations now include monetary gain, identity theft, espionage, and operational disruption. Cybersecurity has become an arms race—and unfortunately, the odds favor the attackers.

The market for cybersecurity products and services is large and continues to grow rapidly, primarily because of increasing cybercrime activities. Cybersecurity Ventures reports that the global cybersecurity market was worth only $3.5 billion in 2004 and was expected to exceed $120 billion by 2017, and predicts that global cybersecurity spending will exceed $1 trillion cumulatively during the period from 2017 to 2021 (Morgan 2019a).

In spite of substantial growth in cybersecurity spending, damages attributable to security breaches are also growing. In its Annual Cybercrime Report, Cybersecurity Ventures identified cybercrime as one of the biggest challenges confronting humanity and predicted that related costs will double—from $3 trillion in 2015 to $6 trillion annually by 2021 (Morgan 2019b). Notably, the growing cost estimates are based not only on significant projected growth in adversarial attacks but also on increasing attack opportunities stemming from a cyberattack surface projected to be an order of magnitude greater by 2021 than it is today (Morgan 2019b).

Cybersecurity: Why Is It So Hard?

Attackers have the edge in the cybersecurity arms race. Reasons for this include the following:

- Attackers need to find only a single exploitable vulnerability, while defenders must identify and eliminate or mitigate all vulnerabilities.
- Because many copies of products or software are deployed, a single vulnerability can be widely exploited.
- A stealthy attack may not be detected while it’s underway, leaving little opportunity for real-time defense.
- Geographic borders do not impede traffic in cyberspace, enabling stand-off attacks that often are hard to attribute.
- Cybersecurity is not just a technical problem—system operators and users also provide attack surfaces.
- System builders often sacrifice security measures for operational convenience or market share motivations.
- International norms, cybersecurity law, policy, and practice are not yet mature.

These and related factors contribute to the complexities inherent to cybersecurity.

In This Issue

This issue of The Bridge cannot hope to cover the breadth or depth of important cybersecurity issues. Rather, we have selected papers intended to provide a basis for understanding the evolving nature of cybersecurity threats, for learning from past incidents and best practices, and for anticipating the engineering challenges in an increasingly connected world.

In the first article, David Clark takes an internet-centric view of cybersecurity and parses the problem into four parts to provide insights about measures to improve the situation. He observes that “perfect security is not possible.” Viable mitigation measures are context-specific.

Nicole Beebe and Frederick Chang make the case for expanding the traditional definition of the insider threat to include both unwitting human agents and technology that act as trusted agents. They note that the complexity of this issue cannot be effectively addressed absent a true systems-engineered solution.

Josephine Wolff uses perpetrator motivations—financial theft, espionage, public humiliation—as a framework for examining past cybersecurity incidents to distill recurring themes and lessons. She argues that improving cybersecurity best practices will require consideration of the entire security ecosystem, which extends well beyond a single entity under attack.

Christian Hamer offers an experience-based perspective from Harvard University in which he addresses two types of cyberattacks: unauthorized access and business disruption. He lays out the key elements of a risk-based program and describes solutions that work in a large and very diverse organization, while acknowledging the need to anticipate ways in which future threats may evolve.

Fred Schneider and Lyn Millett use case studies to examine the role of nontechnical issues in what appear to be technical matters, exploring the policy dimensions of cybersecurity engineering.
Their paper draws on discussions hosted by the Forum on Cyber Resilience, a roundtable of the National Academies to facilitate the exchange of ideas among scientists, practitioners, and policymakers concerned with the resilience of the nation’s computing and communications systems.

John Stankovic and Jack Davidson anticipate the cybersecurity challenges inherent in the rapidly growing Internet of Things, which presents new attack surfaces as well as new types of consequences for successful breaches. They note the dangers that may arise if speed to market and low-cost competition drive design trade-offs to sacrifice security considerations during product development.

Ronnie Chowdhury, Mhafuzul Islam, and Zadid Khan address the rapid evolution of transportation systems based on advances in connected and automated vehicle technologies. Their article provides a deeper dive into one type of cyberphysical system that will connect to the growing Internet of Things.

In the final invited paper, Tom Longstaff and Noelle Allon provide a perspective on what every engineer should know about cybersecurity, summarizing some key points from the other papers and putting them into the systems engineering context. While acknowledging that every engineer will not become a cybersecurity expert, given the likelihood that virtually every newly engineered system will contain some computational elements and will be connected to other systems in its environment in some way, every engineer should have at least a basic understanding of cybersecurity principles.

Looking to the Future

This issue offers a limited window into current and expanding cybersecurity challenges confronting designers, developers, operators, and users of connected systems. The articles illustrate the need to address today’s vulnerabilities while anticipating increasingly sophisticated attackers.
They also acknowledge that the increasing propensity to interconnect systems yields new benefits while simultaneously increasing both the quantity and variety of attack surfaces. This environment continues to favor the attackers.

A key question is, therefore: What is needed to change the cost-benefit equation for the attacker? Answers will undoubtedly have policy implications and impact design choices. They could also result in different cybersecurity investment profiles for operators and may degrade user convenience, particularly for legacy systems. Options could include offensive as well as defensive measures.

While it is important to continue to learn from past incidents and to effectively implement relevant best practices, these measures are insufficient in an era of rapid growth in both the quantity and sophistication of attackers together with rapid expansion in both the quantity and variety of attack surfaces. Robust exploration of proactive ways to change the cost-benefit equation for attackers is needed.

Acknowledgments

We offer many thanks to the authors of these papers, who worked hard to deliver important messages to a broad audience in short articles. In addition, The Bridge asks outside readers to comment on papers and suggest improvements; we are grateful to Chris Bronk, Azim Eskandarian, Kevin Fu, Paul Kocher, Steve Lipner, Keith Miller, Bill Scherlis, David Sherry, and Mary Ellen Zurko, who generously dedicated their time to evaluate the papers in this issue.

References

Morgan S. 2019a. Global cybersecurity spending predicted to exceed $1 trillion from 2017 to 2021. Cybersecurity Ventures’ 2019 Cybersecurity Market Report, Jun 10.

Morgan S. 2019b. Cybercrime damages $6 trillion by 2021. 2019 Official Annual Cybercrime Report. Northport NY: Cybersecurity Ventures and Toronto: Herjavec Group.

NIST [National Institute of Standards and Technology]. 2011. Managing Information Security Risk: Organization, Mission, and Information System View. NIST Special Publication 800-39. Gaithersburg MD.

Townsend C. 2019. A brief and incomplete history of cybersecurity. United States Cybersecurity Magazine, Jan 18.

Ruth A. David (NAE) is retired president and chief executive officer of ANSER. Robert F. Sproull (NAE) is retired vice president and director of Oracle Labs and now an adjunct professor of computer science at the University of Massachusetts at Amherst.

[1] https://www.itspmagazine.com/cybersecurity-quotes