Here’s how to keep cybersystems safe: Assume they’ll be attacked

John Manferdelli, the director of the Cybersecurity and Privacy Institute, gives a talk about cyberresiliency in Renaissance Park on Sept. 11, 2018. Photo by Matthew Modoono/Northeastern University

Is it possible to create a perfectly secure cybersystem? Not if you intend to let anyone use it. Is it possible to create a cybersystem that won’t inevitably be crippled by attacks? Most people would say no to this, too. But John Manferdelli, who is the executive director of Northeastern’s Cybersecurity and Privacy Institute, thinks we can.

“Engineers are used to building things that will be resilient to passive threats, like the weather on a building, for example,” Manferdelli said on Tuesday at this year’s first installment of the Contemporary Issues in Security and Resilience Studies speaker series. “The real reason it’s so hard to secure a cybersystem is because you have to understand the attacker. You have to be secure against malicious people. Nature isn’t malicious.”

Manferdelli said that keeping cybersystems secure will require the people who design them to plan for when they fail and to be prepared to respond quickly to an attack.

A cybersystem is any system that’s connected to or controlled by a computer program. The electrical grid is one example. The banking system is another. Cyberweapons, used by the U.S. military, are still another. They’re complex systems that we rely on daily.

“Every sector is cyber-enabled,” Manferdelli said. “And these are all things people expect to trust.”

John Manferdelli said “the real reason it’s so hard to secure a cybersystem is because you have to understand the attacker.” Photo by Matthew Modoono/Northeastern University

Keeping these complex systems safe requires a Herculean effort, and even then they’re almost never 100 percent secure from attacks, Manferdelli said.

That’s because, unlike systems of the past, cybersystems have to be able to withstand people who are actively trying to attack them and then bounce back gracefully when they are attacked. These two concepts—defense and the ability to bounce back quickly—are the foundation of what makes a system resilient, Manferdelli said.

“It’s not just about building a perfect system, because you can’t do that,” he said. “It’s building it, monitoring it, changing it—you have to think like an attacker or you’ll lose.”  

Waiting to perfect a cybersystem before acting is almost certain disaster, Manferdelli said. When under attack, it’s better to deploy “an O.K. defense to buy time” than to wait until you can mount the perfect defense, he said.

“We live in a complicated world, where our normal notions of resilience are much simpler and easier to implement than the measures required to make cybersystems resilient,” Manferdelli said. “But cybersystems allow us to live vastly more complex and interconnected lives.” When organizations incorporate the strategies he discussed Tuesday, he added, “I do believe cyberresilience is possible.”