Is it possible to create a perfectly secure cybersystem? Not if you intend to let anyone use it. Is it possible to create a cybersystem that won't inevitably be crippled by attacks? Most people would say no to this, too. But John Manferdelli, who is the executive director of Northeastern's Cybersecurity and Privacy Institute, thinks we can.
"Engineers are used to building things that will be resilient to passive threats, like the weather on a building, for example," Manferdelli said on Tuesday at this year's first installment of the Contemporary Issues in Security and Resilience Studies speaker series. "The real reason it's so hard to secure a cybersystem is because you have to understand the attacker. You have to be secure against malicious people. Nature isn't malicious."
Manferdelli said that keeping cybersystems secure will require the people who design them to plan for when they fail and to be prepared to respond quickly to an attack.
A cybersystem is any system that's connected to or controlled by a computer program. The electrical grid is one example. The banking system is another. Cyberweapons, used by the U.S. military, are still another. They're complex systems that we rely on daily.
"Every sector is cyber-enabled," Manferdelli said. "And these are all things people expect to trust."

John Manferdelli said "the real reason it's so hard to secure a cybersystem is because you have to understand the attacker." Photo by Matthew Modoono/Northeastern University
Keeping these complex systems safe requires a Herculean effort, and even then they're almost never 100 percent secure from attacks, Manferdelli said.
That's because, unlike systems of the past, cybersystems have to be able to withstand people who are actively trying to attack them and then bounce back gracefully when they are attacked. These two concepts, defense and the ability to bounce back quickly, are the foundation of what makes a system resilient, Manferdelli said.
"It's not just about building a perfect system, because you can't do that," he said. "It's building it, monitoring it, changing it; you have to think like an attacker or you'll lose."
Waiting to perfect a cybersystem before acting is almost certain disaster, Manferdelli said. When under attack, it's better to deploy "an O.K. defense to buy time" than to wait until you can mount the perfect defense, he said.
"We live in a complicated world, where our normal notions of resilience are much simpler and easier to implement than the measures required to make cybersystems resilient," Manferdelli said. "But cybersystems allow us to live vastly more complex and interconnected lives." When organizations incorporate the strategies he discussed Tuesday, he added, "I do believe cyberresilience is possible."