Why Is Cybersecurity So Hard?

After nearly 20 years of trying and billions of dollars in investment, why are organizations are still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons:

• It’s not just a technical problem


• The rules of cyberspace are different from the physical world’s


• Cybersecurity law, policy, and practice are not yet fully developed

The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account.

Differing Rules in Cyberspace

Cyberspace operates according to different rules than the physical world. I don’t mean the social “rules” but rather the physics and math of cyberspace. The nodal nature of a light-speed network means that concepts like distance, borders, and proximity all operate differently, which has profound implications for security. First, with distances greatly reduced, threats can literally come from anywhere and from any actor. Second, the borders in cyberspace don’t follow the same lines we have imposed on the physical world; instead they are marked by routers, firewalls, and other gateways. Proximity is a matter of who’s connected along what paths, not their physical location.

(HBR.org Daily: today)