Cyber Resilience. It’s the latest craze in the field. But what does it mean? And more importantly, is it a useful concept? It may seem like a strange question to ask for my first blog post at the Global Resilience Institute but I have found that agreeing on definitions and frameworks is an important though often overlooked step in the field (anyone who disagrees should google “active defense” to see why).
Intuitively, everyone in the field grasps the importance of being resilient. The executive order that created the NIST Cybersecurity Framework called out resilience as the goal for its development. The Framework itself makes a few references to the topic but its long glossary does not include an entry for it.
On a basic level, everyone in the field understands resilience at the dictionary level: we want to recover quickly from incidents; to keep a cyber attack (there’s another ill-defined term) from being a company-ending event. But what the concept means in practice is elusive.
As I struggled with thinking about what cyber resilience means, I solicited input from the twitterverse and received some useful views.
Brandon Valeriano at the Marine Corps University suggested that resilience is about getting enterprises to take seriously the often neglected function of recovery. I can’t disagree with that conclusion, though I continue to wonder why we get more out of labeling this activity ‘cyber resilience’ instead of sticking with recovery.
Jeff Carr and Andreas Haggman both suggested that resilience was about making security adaptive – not necessarily about taking a hit and bouncing back to form, but changing in response to an attack. Jeff offered up the illustration of moving a workload under attack on one virtual machine to a different virtual machine. Again, I believe these are useful concepts but question why ‘adaptive security’ is not a better, more descriptive term.
Kate Charlett flagged DOD’s Mission Assurance approach as a useful construct: the idea of being able to “fight through” even when systems are compromised in order to carry out mission objectives (or business goals).
In an offline conversation, I was pointed to a paper by a group of researchers at Stockholm University that attempted to define the concept. While the paper is behind a paywall (note: if you want to define a topic, publishing behind a paywall is not a good way to do it) the definition as pulled from the abstract is “resilience refers to the ability to continuously deliver the intended outcome despite adverse cyber events.”
It’s a useful starting point but suggests that resilience has less to do with the loss of data and more to do with maintaining business or mission objectives. From this perspective, Equifax nailed resilience: it kept right on collecting new data and selling it to customers even as that data was exiting its systems. Only if the incident forces Equifax out of business would it fail to meet this definition. Given that the future looks like it is going to hold a lot more WannaCrys and Petyas, that may be okay.
One offline commenter felt strongly that these incidents highlighted a need to move away from “cybersecurity” as a goal (with protecting information as the main outcome) to a resilience model in which organizations completely rethink their spending and technology stack. In his view, resilience isn’t so much a gloss that overlays traditional frameworks as a replacement for them.
Under this rubric, an organization’s crown jewels wouldn’t be the servers that host the databases with the most valuable information but the systems that allow the organization to function at its most basic level (i.e., domain controllers). Resilience would mean assuring that there are no single points of failure and that these vital systems will always remain operational.
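The “no single points of failure” idea above can be checked mechanically rather than argued about. The following is an added example, not code from the original post or from the Global Resilience Institute: it models a small, constructed service dependency graph (service names, the “order-portal” and “reporting” business functions, and the redundancy-group format are all assumptions made for illustration), fails each component in turn, and reports which failures take a business function offline. It also shows the same check after a second domain controller is added, which is the kind of change the paragraph is arguing for.

```python
# Constructed sample: each service maps to a list of dependency groups.
# A group is a tuple of alternatives; any one live alternative satisfies that need,
# which is how redundancy (e.g. two domain controllers) is expressed.
BASELINE = {
    "order-portal": [("web-frontend",), ("orders-db",), ("auth",)],
    "reporting": [("orders-db",), ("auth",)],
    "web-frontend": [("dns",)],
    "orders-db": [("storage",), ("dns",)],
    "auth": [("domain-controller",)],   # single DC: a classic single point of failure
    "domain-controller": [("dns",)],
    "dns": [],
    "storage": [],
}

# The "intended outcomes" we want to keep delivering despite adverse events.
BUSINESS_FUNCTIONS = ["order-portal", "reporting"]


def is_up(deps, node, failed):
    """True if `node` is not in `failed` and every dependency group has a live alternative."""
    memo = {}

    def walk(n):
        if n in failed:
            return False
        if n in memo:
            return memo[n]
        memo[n] = False  # provisional value; guards against cycles in a malformed graph
        ok = all(any(walk(alt) for alt in group) for group in deps.get(n, []))
        memo[n] = ok
        return ok

    return walk(node)


def single_points_of_failure(deps, functions):
    """Fail each component one at a time; report those whose loss takes down a business function.

    The business functions themselves are skipped: losing them is the outcome,
    not a cause worth listing.
    """
    spofs = {}
    for component in deps:
        if component in functions:
            continue
        down = [f for f in functions if not is_up(deps, f, {component})]
        if down:
            spofs[component] = down
    return spofs


def with_redundant_dc(deps):
    """Return a copy of the graph where auth can use either of two domain controllers."""
    new = {k: list(v) for k, v in deps.items()}
    del new["domain-controller"]
    new["dc-1"] = [("dns",)]
    new["dc-2"] = [("dns",)]
    new["auth"] = [("dc-1", "dc-2")]  # one group with two alternatives
    return new


if __name__ == "__main__":
    print("Baseline single points of failure:")
    for comp, affected in sorted(single_points_of_failure(BASELINE, BUSINESS_FUNCTIONS).items()):
        print(f"  {comp:18} -> {', '.join(affected)}")

    print("\nAfter adding a second domain controller:")
    improved = with_redundant_dc(BASELINE)
    for comp, affected in sorted(single_points_of_failure(improved, BUSINESS_FUNCTIONS).items()):
        print(f"  {comp:18} -> {', '.join(affected)}")
```

Running it lists the domain controller, DNS, storage and the orders database as baseline single points of failure for both business functions; after the change, neither dc-1 nor dc-2 appears, while DNS still does, which is the point of doing the exercise: fixing one obvious dependency tends to expose the next one.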
The final point I thought worth relaying is that cyber resilience may be most useful as a concept outside the enterprise: the goal would be national resilience, or at least networks (whether communication, transportation, electrical or other) that are resilient in the face of cyber threats.
It may be that a resilience model for cybersecurity is much more similar to resilience in the physical world, where the goal is avoiding disruption and self-inflicted wounds following an incident. By this way of thinking, cyber resilience may not be so much about any single company’s “security” but about the reliance on any single company by many players in the ecosystem. If there is one thing we should have learned from this most recent wave of attacks, it’s that reliance on a single point of failure, whether a domain controller or a cloud provider, is bad cyber __________ (I’ll let you fill in the blank).