Eugene Spafford, Rethinking Cyber Security




CERIAS Weekly Security Seminar - Purdue University show

Summary: Despite over 50 years of intensive research and experimentation, we still are plagued with systems that are fragile, compromised, and impossible to fully trust. There is near-daily news of compromises and losses, from criminals, nation-state actors, and vandals. The cyber ecosystem we have developed and upon which society is increasingly reliant appears to develop (or have exposed) a new vulnerability as soon as a current one is patched, and old problems keep being introduced. Why do we have such problems? I contend it is traceable to one root cause: we don't understand what cyber security really is. Without good definitions we cannot formulate good metrics. With the absence of good metrics we can't really tell whether we are spending our money and time on useful approaches. Furthermore, the only metrics available to most decision-makers are based simply on cost and speed -- neither of which reflects security or safety. This talk explores this idea in more depth, and should be understandable to non-specialists. I include discussion of some open research problems that -- if successfully addressed -- would lead to improvement of our cyber ecosystem.