CCC’s recent Computing Futures Symposium featured a wealth of thought-provoking panels, including an in-depth discussion on the state of cybersecurity. This panel brought together leading experts, including Yan Shoshitaishvili (Arizona State University), Claire Vishik (Stealth Startup), Rachel Greenstadt (New York University), and Jeremy Epstein (Georgia Tech Research Institute), who discussed their journeys into the field, their current endeavors, and their visions for the future. The conversation, moderated by Drew Lohn (Center for Security and Emerging Technology (CSET), highlighted both persistent challenges and promising opportunities in the ever-evolving landscape of digital security.

Cybersecurity Education and the Workforce Pipeline

One of the most pressing topics addressed was the state of cybersecurity education and the workforce pipeline. Shoshitaishvili painted a stark picture of curricula being simplified at the university level to accommodate rapidly growing class sizes, raising concerns about the preparedness of future cybersecurity professionals. He also highlighted the emerging impact of AI on student demand for computer science and potential shifts in international student demographics. Epstein echoed these concerns, lamenting the short-sighted cuts to programs like CyberCorps, which are vital for training the next generation of U.S. citizens in cybersecurity. Vishik also offered a view from the industry perspective, suggesting that a significant number of qualified professionals are available, with many receiving valuable on-the-job training. The consensus, regardless, was on the critical need for innovative educational models, including hands-on platforms and interdisciplinary approaches, to bridge the skills gap.

Overestimated vs. Underestimated Areas in Cybersecurity

The discussion then shifted to what areas of cybersecurity are currently overestimated or underestimated. Shoshitaishvili brought up the historical example of binary analysis, once considered a “solved” problem but now recognized as a critical and evolving field. Vishik introduced a framework for understanding visibility in cybersecurity, emphasizing that system-breaking efforts, high-profile threat agents, and significant economic incentives often dictate what gains public attention, regardless of inherent complexity. Greenstadt further elaborated on the economic lens, connecting the rise of phenomena like ransomware to financial viability and highlighting the importance of understanding the motivations behind various threat actors, from nation-states to cybercriminals. Epstein boldly nominated quantum computing’s impact on cryptography as overhyped for most practical applications, arguing that traditional software vulnerabilities will remain the primary attack vector for the foreseeable future.

Critical Infrastructure and “People Problems”

The panel also delved into the increasingly critical issue of critical infrastructure, with Epstein underscoring that virtually “everything is critical infrastructure” now, and even small businesses are vulnerable to attacks with far-reaching consequences. This point was powerfully reinforced by Shoshitaishvili, who warned that compromised “pizza ovens” could become a part of massive botnets, leading to denial-of-service attacks on vital systems. The conversation culminated in a thought-provoking exchange about “people problems” in cybersecurity. Greenstadt highlighted the outdated assumption of “one user, one device” and the need to design security models that align with how people actually use technology. Shoshitaishvili pointed to persistent human vulnerabilities, such as users readily clicking through warnings, as a reminder that even groundbreaking technical research can be undermined by basic human behavior. The panelists agreed on the need for continued research into user tolerance for security functions, the optimal age to begin cybersecurity education, and a more nuanced understanding of how individuals define and prioritize privacy and trust.

The panel offered a comprehensive and candid assessment of the cybersecurity landscape, acknowledging the remarkable advancements in the field, while underscoring the enduring challenges related to workforce development, the gap between theoretical and practical security, and the critical “people problems” that continue to plague digital safety. The discussion served as a powerful call to action, urging continued innovation in education, a re-evaluation of research priorities, and a more holistic approach to understanding and addressing the human element in cybersecurity.

Thanks for reading, and stay tuned over the next few weeks for recordings of this panel, as well as the rest of the sessions at the 2025 Computing Futures Symposium.