
Consensus Study Report
NATIONAL ACADEMIES PRESS 500 Fifth Street, NW Washington, DC 20001
This activity was supported by the Office of the National Cyber Director (ONCD) with the assistance of the National Science Foundation under grant CNS-1933974. Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of any organization or agency that provided support for the project.
Any opinions, findings, conclusions, or recommendations expressed in this publication do not reflect the views of ONCD.
International Standard Book Number-13: 978-0-309-73489-9
International Standard Book Number-10: 0-309-73489-4
Digital Object Identifier: https://doi.org/10.17226/29056
This publication is available from the National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242 or (202) 334-3313; http://www.nap.edu.
Copyright 2025 by the National Academy of Sciences. National Academies of Sciences, Engineering, and Medicine and National Academies Press and the graphical logos for each are all trademarks of the National Academy of Sciences. All rights reserved.
Printed in the United States of America.
Suggested citation: National Academies of Sciences, Engineering, and Medicine. 2025. Cyber Hard Problems: Focused Steps Toward a Resilient Digital Future. Washington, DC: The National Academies Press. https://doi.org/10.17226/29056.
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, nongovernmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.
The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. John L. Anderson is president.
The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.
The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine.
Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.
Consensus Study Reports published by the National Academies of Sciences, Engineering, and Medicine document the evidence-based consensus on the study’s statement of task by an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and the committee’s deliberations. Each report has been subjected to a rigorous and independent peer-review process and it represents the position of the National Academies on the statement of task.
Proceedings published by the National Academies of Sciences, Engineering, and Medicine chronicle the presentations and discussions at a workshop, symposium, or other event convened by the National Academies. The statements and opinions contained in proceedings are those of the participants and are not endorsed by other participants, the planning committee, or the National Academies.
Rapid Expert Consultations published by the National Academies of Sciences, Engineering, and Medicine are authored by subject-matter experts on narrowly focused topics that can be supported by a body of evidence. The discussions contained in rapid expert consultations are considered those of the authors and do not contain policy recommendations. Rapid expert consultations are reviewed by the institution before release.
For information about other products and activities of the National Academies, please visit www.nationalacademies.org/about/whatwedo.
JOHN MANFERDELLI (NAE), Datica Research, Chair
HYRUM ANDERSON, Cisco
JOSIAH DYKSTRA, Trail of Bits
PAUL ENGLAND (NAE), Datica Research
MARITZA JOHNSON, Good Research
ANGELOS D. KEROMYTIS, Georgia Institute of Technology
WENDY NATHER, 1Password
STEFAN SAVAGE (NAE), University of California, San Diego
WILLIAM L. SCHERLIS, Carnegie Mellon University
MARK SEIDEN, Internet Archive
WINDOW SNYDER, Thistle Technologies
MARY ELLEN ZURKO, MIT Lincoln Laboratory
THƠ H. NGUYỄN, Senior Program Officer, Study Director
JON K. EISENBERG, Senior Board Director
SHENAE A. BRADLEY, Administrative Coordinator
LAURA M. HAAS (NAE), University of Massachusetts Amherst, Chair
DAVID DANKS, University of California, San Diego
CHARLES ISBELL, University of Wisconsin–Madison
ECE KAMAR, Microsoft Research Redmond
JAMES F. KUROSE (NAE), University of Massachusetts Amherst
DAVID LUEBKE, NVIDIA Corporation
DAWN C. MEYERRIECKS, The MITRE Corporation
WILLIAM L. SCHERLIS, Carnegie Mellon University
HENNING SCHULZRINNE, Columbia University
NAMBIRAJAN SESHADRI (NAE), University of California, San Diego
KENNETH E. WASHINGTON (NAE), Medtronic, Inc.
JON K. EISENBERG, Senior Board Director
SHENAE A. BRADLEY, Administrative Assistant
THƠ H. NGUYỄN, Senior Program Officer
GABRIELLE M. RISICA, Program Officer
AARYA SHRESTHA, Senior Financial Business Partner
NNEKA UDEAGBALA, Associate Program Officer
This Consensus Study Report was reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise. The purpose of this independent review is to provide candid and critical comments that will assist the National Academies of Sciences, Engineering, and Medicine in making each published report as sound as possible and to ensure that it meets the institutional standards for quality, objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process.
We thank the following individuals for their review of this report:
BOB BLAKLEY, Mimic Networks, Inc.
L. JEAN CAMP, Indiana University
VINTON G. CERF (NAS/NAE), Google, LLC
JUAN E. GILBERT, University of Florida
JAMES R. GOSLER (NAE), Johns Hopkins University Applied Physics Laboratory
JOHN CHRIS INGLIS, U.S. Naval Academy
PAUL C. KOCHER (NAE), Independent Researcher
SUSAN LANDAU, Tufts University
CARL E. LANDWEHR, University of Michigan
EUGENE H. SPAFFORD, Purdue University
FLORIAN TRAMÈR, ETH Zürich
Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations of this report nor did they see the final draft before its release. The review of this report was overseen by WILLIAM H. PRESS (NAS), The University of Texas at Austin, and STEVEN M. BELLOVIN (NAE), Columbia University. They were responsible for making certain that an independent examination of this report was carried out in accordance with the standards of the National Academies and that all review comments were carefully considered. Responsibility for the final content rests entirely with the authoring committee and the National Academies.
The committee is grateful for the many experts who generously contributed their time and insight to make this study possible.
We extend our gratitude to the broader community for their engagement with this project. Finally, we appreciate the collaborative efforts of every member of the staff team.
Process for Evaluating and Deliberating the Cyber Hard Problems
Hard Problems from the 1995 and 2005 InfoSec Research Council Reports
Progress Over the Past 20 Years
2 KEY CONSIDERATIONS FOR CYBER RESILIENCY
Considerations for Engineering Resilient Cyber Systems
Cyber Hard Problem 1: Risk Assessment and Trust
Cyber Hard Problem 2: Secure Development
Cyber Hard Problem 3: System Composition
Cyber Hard Problem 4: Supply Chain
Cyber Hard Problem 5: Policy Establishing Appropriate Economic Incentives
Cyber Hard Problem 7: Information Provenance, Social Media, and Disinformation
Cyber Hard Problem 8: Cyber-Physical Systems and Operational Technology
Cyber Hard Problem 9: Artificial Intelligence and Emerging Capabilities
Cyber Hard Problem 10: Operational Security
Functional Cyber Hard Problems
Operational Cyber Hard Problems
New Technology Cyber Hard Problems
5 TOWARD COMMUNITY COORDINATION AND PROGRESS
Understanding and Measuring Progress
Informing Research Investments and Policy Actions
Cyber systems are a critical component of society today. New cyber capabilities are continuing to emerge and advance at a dizzying pace, leading to a massive increase in both complexity and ubiquity. The difficulty of building, implementing, and maintaining resilient cyber systems similarly scales. Concurrently, societal factors such as incentives, competition, and geopolitics are making these challenges hard to grasp, let alone tackle. The Office of the National Cyber Director sponsored this study with the assistance of the National Science Foundation in September 2023. The National Academies of Sciences, Engineering, and Medicine convened the Committee on Cyber Hard Problems to conduct a consensus study to create a current list of “cyber hard problems.” This effort builds on cyber hard problem lists developed in 1995 and 2005 under the auspices of the federal InfoSec Research Council. The full statement of task is provided in Appendix A.
In distilling and articulating a list of the hard problems that challenge our ability to build high-performing, reliable, and secure cyber systems, the goal of this report is to motivate community action toward addressing them. The list of hard problems and accompanying analyses can serve as a reference to develop research agendas, inform public and private investments, and catalyze new collaborations.
This study leverages the National Academies’ extensive work in cybersecurity (including the Forum on Cyber Resilience), national security, and computing and its societal impacts. The committee first met in person in February 2024 and conducted approximately bi-weekly information-gathering sessions through September 2024. It heard from a wide range of actors and stakeholders, including cybersecurity researchers and practitioners, economists, policy experts, and industry operators and users of cyber systems and infrastructure (see Appendix B). These inputs provided the committee with a deeper understanding of cyber technologies, applications, and cyber resilience challenges across multiple sectors.
The report targets an audience consisting of policy makers who need a comprehensive background in the technical issues affecting cybersecurity. The report should also be of interest to researchers, research program managers, engineers, product planners and producers of cyber systems generally, and users (“consumers”) of cyber systems. The committee hopes the report illustrates the complex, interconnected set of effects that determine the security and resilience of cyber systems.