“Why Is Cybersecurity Not a Human-Scale Problem Anymore?”
Communications of the ACM, April 2020, Vol. 63 No. 4, Pages 30-34
By Gaurav Banga
As a discipline, [university Computer Science] must start thinking of cybersecurity as a probabilistic risk optimization problem.
Rarely a day goes by that we don’t see news about the poor state of affairs in cybersecurity. From data breaches at Target, the U.S. Office of Personnel Management, Sony, Disney, Yahoo!, Equifax and Marriott, the drumroll continues unabated. We are now in a world where it’s a matter of when, not if, an organization is compromised by a cyber-attack.
Most of us think of cybersecurity as a series of controls (tools and knobs) that an organization has to implement, and it seems perplexing that cyber-defenders in the situations mentioned here failed to take the necessary steps to protect themselves. Our focus on addressing cybersecurity challenges has been on inventing new controls (or enhancing existing ones) and implementing them correctly in the enterprise. This is an inadequate view.
In this Viewpoint, we show why cybersecurity is a very difficult problem. The enterprise attack surface is massive and growing rapidly. There are practically unlimited permutations and combinations of methods by which an adversary can attack and compromise our networks. There is a big gap between our current tools and methods, and what is needed to get ahead of cyber-adversaries.
In order to improve cybersecurity posture and decrease breach risk, we must reason about which actions will bring about the greatest reduction of breach risk for the enterprise. This also requires calculating cyber-resilience—the ability of an enterprise to limit the impact of cyber-attacks. Analyzing and improving enterprise cybersecurity posture is not a human-scale problem anymore. Plugging some numbers into Figure 4, for an organization with a thousand employees, there are over 10 million time-varying signals that must be analyzed to accurately predict breach risk. For an organization with 100,000 employees, we must incorporate several hundred billion time-varying signals in the risk calculation.
It is useful to note the huge gap between the requirements for cybersecurity professionals who can understand and address the challenges of a practically unlimited attack surface (Figure 4), and the education and training being offered in university computer science programs. A recent study noted that none of the top 10 CS undergraduate programs require a cybersecurity course in order to graduate. While a small (but increasing) number of professional master’s degree cybersecurity programs are now being offered by top 40 CS departments, these tend to focus on a handful of basic elements of computer security, particularly crypto—and on how to secure a small number of points on the attack surface of Figure 1 using existing tools. Some programs teach incident response and forensics.
About the Author:
Gaurav Banga is the Founder and CEO of Balbix, Inc., in San Jose, CA, USA.