20+years of cyber (in)security: what have we seen? what have we learned? what might we do?