What is the path forward for cybersecurity?

Sean Oesch
Mar 8, 2021

In light of all of the recent failures in cybersecurity, it is natural to ask the question, “What is the path forward now?” There is a lot of advice proffered by various entities on the best way to move forward, but people have been giving advice for decades and yet the SolarWinds and Exchange hacks still happened. It’s obvious that advice is not enough.

That is one reason I really appreciated the article linked below, which discusses the last 20 years of cybersecurity advice, how it has been translated into official reports, and why it may not be working. In particular, I really appreciate the following three points made by the author.

For years now people have been saying that companies simply are not mandated or incentivized to produce secure products. They make more money by cleaning up the mess afterwards than by producing and maintaining a secure product. That has to change. Really — that has to change. We need to incentivize and mandate secure products to protect both citizens and government, which often relies on COTS tools.

Closer to where I do work daily, to do good research we need to deeply understand the state of the art. This point is a bit obvious, but it’s worth remembering that we cannot be lazy when doing research. We need to go the extra mile and make sure we are truly contributing to the field, maybe taking risks rather than going with safer papers that make more incremental impact so that we can really make a difference.

  1. Most important efforts must be mandatory
  2. Align everyone’s incentives
  3. More R&D only makes sense if you know the state of the art

https://www.oodaloop.com/archive/2021/03/01/from-solar-sunrise-to-solar-winds-the-questionable-value-of-two-decades-of-cybersecurity-advice/


Written by Sean Oesch

Reflections on cybersecurity research & news, academia, and software engineering. Cybersecurity Researcher at Oak Ridge National Laboratory.
