Table of Contents
While Cisco often focuses on business growth and market leadership, our most rewarding work happens when we set those metrics aside. These projects aren’t about driving profits — they’re about using our expertise to tackle challenges that benefit everyone.
I want you to meet Dr. Hyrum Anderson, a senior director of AI & security in Cisco’s new Foundation AI team. Over the past several years, Hyrum has been obsessed with how artificial intelligence (AI) and machine learning (ML) are impacting the cybersecurity industry. During his time with Cisco and at Robust Intelligence before that, Hyrum has been on a self-proclaimed crusade to get people to understand the cybersecurity risks from AI/ML.
Due to his high-profile work, Hyrum was approached by the U.S. National Academies of Sciences, Engineering and Medicine (NASEM), a private non-profit dedicated to providing independent, objective advice to inform policy and confront challenging issues for the benefit of society. The organization asked Hyrum to join a group of 12 cybersecurity experts to study the principal challenges facing the industry today. The result was the third edition of the Cyber Hard Problems report published last month. Last updated in 2005, this latest edition of Cyber Hard Problems: Focused Steps Toward a Resilient Digital Future focuses on the massive evolution that has occurred in cybersecurity, digital systems and society as a whole over the last several years. The rapid pace of change has upended the industry – forcing enterprise security teams to rethink how they identify, prioritize and mitigate cyber risk in the modern world.
By highlighting these challenges, the authors of the report hope to motivate community action toward addressing them. The list of hard problems and accompanying analyses serve as a reference to develop research agendas, inform public and private investments and catalyze new collaborations. Most importantly, Hyrum and the rest of the committee hope to make the world a safer place for digital computing, communications and operations.
A PDF of the report can be downloaded directly from the National Academies, and a webinar that walks viewers through the report’s findings is also available.
The More Things Change, the More They Stay the Same
Two decades is a long time in the cybersecurity world. Twenty years ago, when the National Academies last published the Cyber Hard Problems report, social media was for college kids with .edu emails and the global pandemic had yet to drive business online. Cloud computing was nascent and was still without online storage and elastic compute. Most applications and data still lived behind enterprise edge firewalls. Endpoint security still meant antivirus agents. And remote work, when it was permitted, meant accessing the network through a Virtual Private Network (VPN).
In terms of technology, the Internet of Things (IoT) was still getting off the ground, and AI was largely still science fiction. From a threat standpoint, attackers mostly used brute force to break down perimeter defenses while phishing, zero-days and other adaptive and evasive attacks weren’t on many people’s radar.
Today, nearly all residents of middle- and high-income countries have access to broadband, smartphones and personal computers. This was not the case when the first report was published in 1995 or even in 2005 when the second edition came out. Today, the world’s population uses this infrastructure to obtain critical services previously obtained in other ways and to control home and office devices.
In addition, a large fraction of commercial computing has migrated to cloud infrastructure operated by a small number of providers, making them a potentially critical failure node. Attacks come from actors that are often funded or otherwise supported covertly by nation states. The astonishing accumulation of personal information available from data brokers and collected from a fusion of advertising and social media has made social engineering attacks much more effective. And, the advent of Bitcoin and other cryptocurrencies has provided a relatively safe channel for ransom, extortion and other illicit payments. Additionally, the last 20 years has seen the rise of social media and the resultant rise of globally sourced, globally distributed disinformation with little regulation and even less effective protection against it.
“The National Academies undertook this effort to clearly define and elevate the most pressing cyber challenges facing the U.S. today,” said Tho Nguyen, senior program officer and the cyber hard problems study director at the National Academies. “The refreshed list aims to guide national attention and investment toward areas where progress is most needed to strengthen the security and competitiveness of our cyber ecosystem.”


A Comprehensive and Rewarding Process
The committee met in December at the beginning of 2024 to discuss the framework for the report. Over the next several months, cyber experts from the business world, vendors, academia, government and industry bodies briefed the committee on what they considered to be the industry’s greatest challenges.
According to Nguyen, it was important to include Cisco in the process because the company has been on the front lines of cybersecurity for nearly four decades. “Cisco’s long-term perspective — spanning multiple technology shifts and threat evolutions — brought unique and practical insights into the real-world dimensions of these hard problems… helping ground the report in operational reality and industry relevance.”
Nguyen also praised Hyrum for his contribution in “one of the fastest-emerging areas of cyber risk. His input helped shape the committee’s understanding and framing of challenges related to securing AI systems, an area vital to sustaining the US’ global AI leadership.”
Once a list of hard problems was finalized, members of the committee wrote the chapters based on their specialized expertise. Collaboration amongst committee members and subject matter experts was crucial as topics tended to overlap and impact each other. And an impressive group of reviewers provided much needed feedback.
“The experience was eye-opening,” Hyrum told me in a conversation shortly after the report had been published. “There has appropriately been a lot of attention about the impact of AI on cybersecurity, but what struck me is how these risks amplify deeper, ongoing themes. Even among seasoned cybersecurity experts on the committee, it was humbling to acknowledge just how much human nature — our habits, our assumptions, our incentives — shapes the cybersecurity risks that we face. The hard problems don’t fall into neatly segmented categories. Instead, they overlap and reinforce one another, highlighting key areas where focused effort could make a meaningful impact.”
The hope, Hyrum continued, is that the Cyber Hard Problems report serves as a long-term reference point for change, giving policy makers and business leaders a framework for adapting their cybersecurity strategies in line with current and future considerations. The last report was published 20 years ago. Imagine what the world is going to look like in the next 20 years.
10 Cyber Hard Problems to Solve
The Cyber Hard Problems report updates and expands the critical list of challenges facing cyber resiliency today – offering focused, actionable guidance for researchers, practitioners and policymakers around the world.
- Risk assessment and trust
- Secure development
- Secure composition
- Supply chain
- Policy establishing appropriate economic incentives
- Human-system interactions
- Information provenance, social media and disinformation
- Cyber-physical systems and operational technology
- AI as an emerging capability
- Operational security
Cisco is Leading the Way to a Safe, Secure World
The world of cybersecurity is in constant flux as it continues to address and adapt to massive sea changes that impact everything from the way we interact with each other to the way we work.
“By identifying and articulating today’s most pressing cyber hard problems, the National Academies aim to inform and inspire action — from policymakers and industry leaders to researchers and the public,” Nguyen said. “Ideally, the report will serve to foster greater awareness of cyber risks and guide investment and innovation toward meaningful solutions. Our ultimate hope is that, when this list is revisited in another decade, none of the current problems remain unsolved or unaddressed—that real progress will have been made in building a safer and more resilient cyber future.”
Led by people like Hyrum Anderson, Cisco is revolutionizing how infrastructure and data connect and protect organizations in the AI era.
Check out Cyber Hard Problems: Focused Steps Toward a Resilient Digital Future and learn how change is impacting the way we identify, prioritize and mitigate cyber risk in the modern world.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
Share: