
Cyber Hard Problems Workshop Recap

  • Writer: Shannon Lantzy
  • Jun 27

The National Academies of Science released a publication on Cyber Hard Problems. I thought it would be about post-quantum cryptography, so I downloaded the publication but did not plan to attend the workshop.

Boy, was I surprised when I opened the publication and all the hard problems were about risk assessment, culture, organizations, incentives, and market failure. This is my cup of tea! 

(Side note: Was my impression that all the "hard" problems were actually people problems, or was that just confirmation bias? I reviewed the list again...yes, probably confirmation bias. I have a hammer, these looked like nails, except for #9.)

I popped on the Wednesday webinar and heard music to my ears. Window Snyder talked about ROI and making the business case for hardcore cybersecurity solutions. Adam Shostack discussed the need for measurement, similar to public health. Heather Adkins of Google talked about the “hyperscalers” approach to security, and how she “really wants to bring anthropologists in” to study the problem from first principles. 

I cancelled all my meetings so that I could show up in person to the second day. Sandia’s Doug Ghormley and Christopher Harrison presented, arguing that a mission-centric approach is needed. The place for funding is national defense, but the missions get shrouded in secrecy and are therefore not publishable or generalizable. They called for a use case and likened the approach to the cancer moonshot.

I commented/pitched a “perfect use case” to demonstrate viable solutions in a meaningful moonshot-style challenge, but without the need for massive government investment. Spoiler alert: T1D tech innovation! Technology for type 1 diabetes provides an ideal proving ground for solving Cyber Hard Problems. (More on that in a future post.)

The NIH CIO, Adele Merritt, who has been in her role for only six months, spoke to the group. She emphasized the need to educate young people to tinker, solve, and create (so that they may become the new wave of engineers later in life). I was impressed by her adept navigation of multiple roles while sitting on the panel: she’s in charge of protecting the systems of the NIH enterprise, while balancing the tradeoffs of the NIH’s highly collaborative and information-generating mission (the enterprise information security hat AND the enterprise information freedom hat). Phew! What a role!

Other takeaways:

  • The panelists discussed the role of market forces in driving security improvements and the challenges of aligning incentives with security outcomes. "Market forces are the problem!" "No, market forces have given us solutions!" My take: Information asymmetries are one of the biggest problems, and solving an asymmetry (e.g., with evidence, or credible third-party assessment) enables market forces to do their magic.

  • Mary Ellen Zurko introduced the topic of human system interaction and usable security, highlighting the challenges of complex security decisions and the need for better design.

  • Josiah Dykstra introduced himself, sharing his experience at the National Security Agency and his realization of the importance of human factors in cybersecurity.


It was a great event.

(And to the three people I chose to reschedule so that I could make this meeting, my apologies. I hope our conversation will be that much more valuable for my having learned from this workshop and its presenters.)

~Shannon, the Optimistic Optimizer

 
 
