There is a growing recognition that “humans are now [deeply] embedded in three interconnected systems”--social, environmental, and cyber--and the sustainable development of this planet “rest[s] not only on the sustainability of the social and the natural system, but also on ... the cyber system.” The global expansion of cyberspace, however, has seen a dramatic rise in cyberattacks, many of which have involved high-profile breaches in data and privacy. The ever-increasing scale of these attacks, many of which are at times state sponsored, has revealed the woeful inadequacy of existing cybersecurity practices, prompting the need for more holistic and coordinated efforts at the national and international levels to deal with this crisis that threatens to undermine the cyber system. New solutions for cybersecurity is a collection of chapters by cybersecurity experts working on strategies to avert this crisis.
Part 1, “Management, Organizations & Strategy,” describes a complex array of organizations that have emerged to deal with “security issues in the cyber domain.” These institutions, however, face challenges in coordinating their efforts due to significant diversity in their “missions, mandates, interests, opportunities, and constraints,” and their limited ability to identify and prosecute cybercriminals. The contributors to this section explore strategies for overcoming these challenges, which includes lateral intergovernmental cooperation and an institutional architecture that allows for mapping “degree of vulnerability versus the effectiveness of organizational response.” The section also elaborates on a systems thinking approach to cybersecurity, which takes a holistic approach to meeting the security needs of organization stakeholders and managing security risks. Finally, there is a discussion on bug bounty programs, a market for researchers who get paid by companies for discovering security vulnerabilities in their products.
The architectural design decisions in the systems we use today have evolved from those used in the past, which focused more on optimizing performance to overcome constraints imposed by limited computing power. The C programming language and its derivatives played a significant role in systems programming, creating security vulnerabilities that have only been amplified with the advent of the Internet. The principle of least privilege, which requires software processes to run only with the rights they require, is extremely difficult to implement in such environments, making it easier to gain access to unnecessary rights. Part 2, “Architecture,” presents computer architectures that have been developed from the ground up with security in mind. These include the capability hardware enhanced RISC instructions (CHERI) instruction-set architecture (ISA), whose goal is to insert a secure foundation underneath the extant software stacks, with minimal disruption, while fundamentally overcoming the security vulnerabilities and creating trustworthy systems. The inherently secure processor (ISP) architecture, on the other hand, extends the conventional processor with additional circuitry that enforces security policies while executing instructions of an ordinary application. Another promising approach is the cyber moving target (MT) that changes the static nature of computer systems, making mounting security attacks extremely difficult. So that the same attack cannot compromise the same system in the future, or so computer systems cannot be compromised by the same attack, MT techniques introduce nondeterminism in the internal structures of a system (randomization), introduce heterogeneity among computer systems (diversity), and continuously change the properties of a system (dynamism). While these architectures may be useful in averting security threats that intend to damage, control, or steal valuable information from machines, there is an emerging class of security threats known as stealing reality attacks that can avoid detection by many of the current security strategies in place. The goal of such an attack is to “steal social network and behavioral information [using] data collection and network science inference techniques.”
The final part, “Systems,” discusses the dark web, social physics, and behavioral biometrics as ways to manage cybersecurity, as well as the challenges surrounding the security and privacy of personal data given the proliferation of Internet of Things (IoT) devices through which such data can be aggregated. Several IoT and big data ecosystem platforms are described, including ones based on the Open Connectivity Foundation (OCF), the Massachusetts Institute of Technology (MIT) open algorithms (OPAL) platform, and Enigma. These platforms enable personal data sharing while guaranteeing privacy. Part 3 ends with a call to action, asking the community to join forces in creating a secure, shareable, and universal identity and data sharing system. MIT, in collaboration with US and European Union (EU) governments and thought leaders from around the world, has started such an open-source project (Trust::Data, http://trust.mit.edu) to fulfill this mission.
The book concludes with the challenging situation in which we find ourselves: deeply embedded in the cyber system. It characterizes our condition as living in some kind of “cyber hell” that we have created for ourselves. Sadly, however, national governments continue to cut science and technology funding at a time when more is needed. Waiting for cybersecurity to evolve naturally against cyber threats is not an option. Getting out of this situation demands developing ways fundamentally different from how cybersecurity is implemented in our current systems. This book offers that fresh perspective, and researchers will find it a great resource for new ideas. It is a must-read for academics, graduate students, and practitioners in the field of cybersecurity who want to join forces in turning the tide for a better future.