Cybersecurity Crisis

The software crisis in the late 1960 and early 1970s was driven by the challenge of creating useful and efficient computer programs in a planned engineering process, that is in a well defined amount of time and with predictable costs. Software engineering has evolved as a discipline since then and we have far better tools and techniques in place today for a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software. Nowadays, we face a new crisis, let me call it the cybersecurity crisis, which is triggered by the need to build systems that deliver service that can be justifiably be trusted even in the face of malicious attacks.

The cybersecurity crisis manifests itself in particular in software in embedded devices that are (directly or indirectly) connected to the Internet and often produced by companies that have little experience with maintaining software systems and with takingw responsibility for products after products have been sold. Device security has become a major issue since attacks on devices do not require physical proximity anymore and the number of embedded devices connected to communication networks is exploding. The cybersecurity crisis has already led to large critical infrastructures, where the owners of the infrastructure are not sure anymore who has control over the infrastructure. In addition, we know that individuals, organizations, and governments are building armies out of ‘hacked’ devices that can be used to attack other devices and services and that states invest money to prepare themselves for what is commonly called cyberwarfare these days.

Today’s crisis must be dealt with by two main lines of actions: (i) establishing market regulations and (ii) research and development of new techniques for building secure and trustworthy software and execution platforms. The first action, regulating markets by establishing baseline security requirements and a certification system, has been suggested by major players in the computer security field, both recognized individuals as well as consortiums driven by major industrial players. The different political systems are working on proposals in this direction (see for example the EU Cybersecurity Act adopted in 2019 in Europe).

The second action is an effort to increase research on new techniques for building secure and trustworthy software and execution platforms. This is happening both via publicly funded research programs (e.g., EU cybersecurity projects like Concordia, Echo, Sparta and CyberSec4Europe) but also via efforts driven by the industry, which is increasingly well aware of the risks caused by the cybersecurity crisis. These research efforts have to result in solutions providing better device security, network security, software/system security, data/application security and user data security (privacy).

Like with the software crisis described in the 1970s, it can be expected that it will take decades to address today’s cybersecurity crisis as we will need to find new technical solutions that will be useful in an economic context, we will have to educate future engineers to increase their awareness of cybersecurity aspects, and we will have to work through the political systems to establish regulations that govern technology and that provide us a framework where people can reasonably trust the systems around them.