What is the latest thinking in the area of Resilience in Cyber Security?
Is it really all that new? Last year we had Secure by Design and that led to a lot of work around government and the MOD in particular. At CyberUK in March the buzz word was Resilience.
Whatever, the general idea is that we don’t have resilience at the moment and somehow we need it. First of all, we need to understand what resilience actually means.
In its 2022 report NCSC stated that resilience is “… having strong cyber defences where most attacks are prevented or blunted, and the ability to prepare, respond, recover and learn when attacks get through.”
The US National Academy of Sciences has this definition: “The ability to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events.”[1]
The National Academy of Sciences is not principally concerned with cyber security – their focus is disaster resilience. The opposite of resilience is brittleness, or fragility. It turns out that resilience in general is a wide field of study including biology, psychology and ecology as well as engineering, so maybe we need to look elsewhere for some examples of good resilience practice and ideas.
Biologists talk about resilience in terms of the reaction of an organism to stressors. This reaction is centred, in mammals at least, around the hypothalamic-pituitary-adrenal (HPA) axis and glucocorticoid feedback mechanisms. Stressors activate the paraventricular nucleus in the hypothalamus to release a hormonal cascade that results in the release of glucocorticoids, which aid immunity, reproduction, growth, digestion and the production of glucose, which for most organisms is energy.
There are 2 type of stressors that provoke this response – reactive stressors, which happen immediately, like surprises, and anticipatory stressors which require cortical and decision making areas of the brain to be engaged. It is no accident that the hypothalamus is in the brain, because even while you are evaluating options in anticipation of an adverse event, your HPA axis is producing the hormones and energy to help you deal with it.
If we extend the idea of stressors to medicine, medics talk about acute and chronic complaints. Acute complaints happen suddenly, like viral diseases (and we’ve all had enough of those) and injuries. Chronic ones are more long term like asthma and arthritis.
Psychologists refer to acute and chronic stressors and their effect on mental health. An acute stressor might be a bereavement, or moving house or job. A chronic stressor is underlying and might be long term sickness, unfulfilling work, or loneliness. In medicine it is generally the chronic complaints that do the most damage, because we can recover more easily from acute stressors.
Acute and chronic stressors are concepts about resilience that we can borrow for cyber security. Are we focusing too much on anticipating acute stressors that may or may not happen and ignoring the chronic stressors that are making our systems less resilient and more brittle?
Another area of study which can inform cyber resilience is Complex Adaptive Systems theory. The Three Mile Island nuclear plant that had a meltdown in 1979 provoked a large amount of research effort into how the accident had happened. Possibly the most influential book of the time is Normal Accidents by Charles Perrow.
Perrow came up with a quadrant chart with the linear to complex along one axis and tight and loose coupling on the other. Generally, a complex system is one where the “behaviour of the ensemble may not be predictable according to the behaviour of the components.”[2] And a tightly coupled system is one where a failure in one component causes the whole system to fail. Perrow asserted that if you have complex, tightly coupled systems then you are going to have incidents whether you like it or not. Now, where would you put most computer and information systems?
The answer is to look at where we can introduce both linearity and loose coupling into our systems. Linearity to make them more predictable and loose coupling to reduce the effects of an adverse event on the whole system.[3]
Adaptability is another key concept in resilience theory. Ecologists talk about resilience in terms of adaptive capacity within ecosystems. This can be as simple as squirrels hoarding food in the winter. It can be the HPA axis or equivalent in other organisms. The idea is that the whole ecosystem has to adapt to an adverse event. To do this it needs the capacity to do so.
In cyber security, all our adaptive capacity is in our people and not in processes or technology. Our processes are not flexible enough to be adaptable and while we can build capacity into the technology we don’t know if it will be adaptive enough or the right kind of capacity.
So we need to stop treating our people as enemies. They are not “threats”. And we should not punish everyone just because of the few, especially when we are not sure that the few even exist. We should not tell people not to click on things, when it is their job to click on hundreds of things every day. If a disgruntled employee turns into a bad actor then we should be asking what made them disgruntled in the first place.
Rather than play a blame game, we should foster a learning culture that engages with adverse events to learn from them. Working habits can be optimised rather than imposed. Then we might be on a better path to true resilience where people can prepare, plan, absorb, recover, and more successfully adapt.
[1] 1 The Nation's Agenda for Disaster Resilience | Disaster Resilience: A National Imperative | The National Academies Press
[3] See Security Chaos Engineering by Kelly Shortridge.
Join us for these events!
Upcoming Cyber Security events
Joint techUK / UKspace Satellite Telecommunications Committee Q2 Meeting 2024
London MeetingCyber Security updates
Sign-up to get the latest updates and opportunities from our Cyber Security programme.
Authors
