Call for Participation

Adversaries are investing in cyber operations capabilities that pose grave danger to the systems we rely on. At the same time, our software and computing systems are increasing in complexity and becoming less predictable. The situation is further exacerbated by the intrinsically inseparable social and technical aspects of the problem; cyber adversaries leverage both technical and social vulnerabilities to penetrate and compromise commercial and non-profit critical infrastructure. A commercial cybersecurity market has emerged to exploit this situation, while research and development continues. This market, however, is not improving our understanding of system resiliency or helping build more secure systems up front. Many of today's approaches to managing risk from current and future cyber threats are too complicated, too abstract, or both to be effective in practice.

Recent talks and workshops suggest that the path taken to date may have created insurmountable challenges. For example, at the National Academies of Sciences, Engineering and Medicine Forum on Cyber Resilience Workshop Series, the following observation was made:

Current cybersecurity approaches provide some minimal facilities for prevention and recovery, such as securing simple programs and isolating complex programs or sanitizing their inputs. However, [Butler] Lampson said current approaches fall short in securing more complex systems or maintaining security after changes are made. He also observed that users cannot be expected to be skilled or informed enough to make good security decisions...

We solicit participation of researchers, practitioners and government stakeholders across different disciplines to hold a conversation on potential strategies to address the aforementioned issues. This one-day interdisciplinary workshop is devoted to discussing key system aspects and operational policies at the technological and organizational levels that lead to repeatably good, predictable behaviors.