PRESS RELEASE

New Cyber Hard Problems Report Is a Blueprint for the Future of Cybersecurity—Report Summary

Analyst(s): Fernando Montenegro
Publication Date: June 23, 2025

The National Academies’ 2025 Cyber Hard Problems (CHP) report provides helpful insights for understanding the foundational cybersecurity challenges that, if addressed, could significantly boost societal resilience. Futurum analyzes how these ten core problems reveal cybersecurity’s evolution from a technical discipline to a strategic, socio-economic imperative.

Key Points:

  • The report identifies ten core CHP spanning technical, economic, and societal challenges, from supply chain security to AI governance.
  • Economic misalignment remains central to cybersecurity challenges, creating market dynamics that discourage security investment externally and within organizations.
  • The evolution from technical to strategic cybersecurity requires new approaches to leadership, vendor messaging, and cross-functional collaboration.

Overview:

The 2025 Cyber Hard Problems report, supported by the Office of the National Cyber Director and the National Science Foundation, builds on decades of similar efforts while capturing the massive transformation in cybersecurity since 1995. The near-universal adoption of cloud computing, artificial intelligence, complex global supply chains, and cyber-physical system integration has introduced unprecedented scale and complexity.

The ten identified problems encompass risk assessment and trust, secure development, system composition, supply chain security, economic incentives, human-systems interactions, information provenance and disinformation, cyber-physical systems, artificial intelligence challenges, and operational security. These problems are interconnected and rooted in complexity, economics, and human behavior rather than purely technical considerations.

Central to multiple challenges is the issue of misaligned economic incentives. Externally, the classic “market for lemons” problem persists: buyers cannot assess actual security quality, so sellers compete primarily on features and price rather than security. Internally, security teams struggle to align with organizations focused on speed and innovation, and they are often treated as cost centers rather than strategic enablers, without clear metrics linking security to business outcomes.

The report’s emphasis on supply chain and system composition highlights the “soft” supply chain vulnerability. Modern applications assembled from thousands of third-party components create massive, opaque attack surfaces, requiring practitioners to understand software development intricacies. While initiatives such as Software Bills of Materials provide transparency, trust and verification at scale across numerous indirect dependencies remain the core challenge.

The inclusion of challenges around cyber-physical systems confirms that industrial security is no longer niche. As technology becomes embedded in power grids, factories, vehicles, and medical devices, consequences extend beyond data loss to physical safety and societal function. These environments typically feature long technology lifecycles, complicated patching processes, and potential kinetic effects from failures.

The AI challenge encompasses multiple dimensions: securing AI systems against theft, poisoning, and manipulation; defending against AI-powered adversaries who can scale social engineering and vulnerability discovery; and ensuring opaque, non-deterministic AI systems operate safely when integrated into critical infrastructure.

Industry observers should watch several key developments:

  • Whether the CHP framework flows into strategic boardroom and policy discussions, providing a shared vocabulary for cross-functional cyber risk conversations
  • How the CISO role continues transforming from technical manager to business strategist, fluent in economics and organizational psychology
  • Whether vendors shift from fear-based messaging to positioning offerings as addressing specific hard problems rather than simply selling technical capabilities

The full report is available via subscription to Futurum Intelligence’s Cybersecurity IQ service.


Declaration of Generative AI and AI-Assisted Technologies in the Writing Process

While preparing this work, the author used Anthropic Claude Sonnet to summarize the original report. After using this service, the author reviewed and edited the content as needed. The author takes full responsibility for the publication’s content.

About the Futurum Cybersecurity Practice

The Futurum Cybersecurity Practice provides actionable, objective insights for market leaders and their teams so they can respond to emerging opportunities and innovate.

Author Information

Fernando Montenegro

Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.

Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.

Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.
