Confronting Core Problems in Cybersecurity

Feature Story

Cybersecurity

By Sara Frueh

Last update August 4, 2025

It’s common for governors and mayors to declare a state of emergency and activate the National Guard in the aftermath of hurricanes, tornadoes, and other natural disasters. But last month, officials in Minnesota took these steps in the wake of a major cyberattack on the city of St. Paul — a testament to how disruptive these attacks have become. The attack, and the city’s efforts to contain the damage, hobbled city operations and a range of services online and in real life for citizens.

“Cyberattacks are an enormous problem, and it’s getting worse in the sense that more people and products and services rely on cyber components,” said John Manferdelli, an independent consultant and National Academy of Engineering member, in a recent interview.

Manferdelli, a mathematician and cryptographer who has held cybersecurity leadership positions at Microsoft, Intel, and Google, is now leading work at the National Academies to steer the nation’s cyber systems toward greater security and resilience. He recently chaired a committee that wrote the report Cyber Hard Problems: Focused Steps Toward a Resilient Digital Future, and currently leads the Forum on Cyber Resilience.

The shifting landscape of cyberattacks

“There are two reasons the attacks are increasing,” said Manferdelli. “One is that the use of cyber technology is just exploding — everything is cyber enabled. And the second is, it’s easy to do. People have made some progress on making it less easy to do, but not a lot. The prevention regime is pretty modest.”

Governments are some of the most skilled cyberattackers, often launching “polite” attacks meant to collect intelligence rather than to disrupt anything, Manferdelli said. “But increasingly, attacks are actually meant as sort of a weapon. So, in Ukraine, for example, there have been loads of cyberattacks on critical infrastructure in the last year or two — wastewater plants, electrical generation, telecommunications.”

Frequently attackers’ motivation is solely monetary, as in ransomware attacks, in which an attacker locks an individual’s or company’s data and demands payment for its release. “There’s been a gigantic increase in these attacks over the past two years, and it’s still growing,” he said. “They are carried out by countries and just regular old criminals.”

Whatever their motivation, attackers often operate with impunity, explained Manferdelli. “Unlike other crimes, you can be in one country and commit a cybercrime in another country. Sometimes it’s hard to tell who did it, because if they’re practiced, they’re probably very good at concealing their tracks. It’s a little bit like a perfect crime, and it’s a growing business. The chances of you getting punished for it are close to zero. So, there’s almost no deterrence-based prevention.”

Because there is little to deter attackers from acting, companies need to protect themselves, their products, and their customers’ data — but many are not investing enough in doing so, said Manferdelli. “Often, companies discount cyber threats at first, or think they can handle it by a PR campaign. They don’t want to spend the money on getting things safe or reliable if no one cares.”

Those who do work to safeguard their systems face an array of challenges. “Most cyber systems are incredibly complex, and the supply chain for them is wildly globalized,” said Manferdelli. “The supply chains for the products and systems you have to make safe are vast and involve many, many people. They were often designed years ago, before anybody worried about this stuff.”

He noted that there isn’t always an attacker behind every cyber mishap, pointing to the Alaska Airlines IT outage in July that led to grounded planes and cancelled flights. “Cyber systems are so complex that people can inadvertently build critical systems in ways that are fragile.”

The underlying hard problems

Driving many of the vulnerabilities in computer systems are “cyber hard problems” — fundamental challenges that are identified in the National Academies report. Its authors hope to motivate the cyber community — government, industry, academia, and research funders — to work together to solve them.

Some of the hard problems are technical, such as the challenge of securing cyber-physical systems: computer systems that drive action in the physical world. These systems are used in everything from military weapons to household appliances and car brakes, but their complexity — and the shortage of engineers who understand them — can make them vulnerable.

“Cyber-physical systems are complex and require interdisciplinary expertise to understand, and very few people are able to analyze them,” said Manferdelli. “Software engineers incompletely understand software, and hardware engineers incompletely understand hardware. But often the problem with cyber-physical systems is right between those two, at the interface.” The report urges sustained investments to develop secure engineering practices for these systems, along with a workforce with expertise in them.

Other hard problems go beyond the technical realm — for example, to the lack of economic incentives to improve cybersecurity systems. Suppliers of cyber systems are seldom held liable even for the shoddiest products, the report says. And because there is currently no way to measure a system’s security — and therefore no way a company can credibly claim “my system is the most secure” in the marketplace — there is no economic reward for assuring security, and so little incentive to do so, Manferdelli explained.

To help solve this problem, industry groups can develop and promote good practices, and government agencies can establish and enforce regulatory standards, the report says.

“Governments have a classic role in dealing with this market failure — there’s no way to value security right now, and hence no market incentive for improvement,” said Manferdelli. “I think governments are struggling with that, but they definitely have a role in providing the right economic incentives and the right legal policy. It is hard, though.”

Collaborating to advance cyber resilience

While the report lays out fundamental research and policy priorities for the cyber community, a complementary effort — the Forum on Cyber Resilience — convenes experts from industry, academia, and government to respond to new and critical problems as they emerge.

The forum monitors evolving issues in cybersecurity and holds meetings and workshops to examine particular topics. The conversations provide nuanced, contextual, and evidence-based expert analyses to inform government, industry, and the public.

“One of the real benefits is we can act quickly, and we have access to a huge range of expertise,” said Manferdelli, pointing to the National Academies’ ability to tap experts not only from the tech world but also from legal, medical, national security and other spheres.

“It would be hard to find another place where you have so much integrated knowledge,” he said. “It doesn’t always yield the solution right away, but it helps inform the discussion. And sometimes it actually does help solve the real problem pretty quickly.”

Although discussions about cybersecurity inherently focus on problems linked to our reliance on cyber systems, Manferdelli stresses that it’s also important to remember the benefits. “Our lives are much, much better because of cyber capabilities,” he said, pointing to many people’s ability to work remotely during COVID — which helped save the economy — and broader access to education and entertainment. Cyber-physical systems have also enabled productivity gains in manufacturing, national security, and physical infrastructure.

“It’s not all a sad story,” he said. “It’s kind of a good story overall. But it’s a story we’re unaccustomed to making better in a principled way. So, I think that’s the challenge. There is research to be done. There’s motivation to be provided. And much more work to be done.”
