Cyberimmunity: Staying healthy enough to recover
Recent government analyses focused on the costs of cybercrime, such as this estimate by the U.K. National Audit Office that cybercrime is currently costing that nation between £18 billion and £27 billion, continue to emphasize the role of cyber resilience as a critical economic enabler.
One can draw an analogy between cyber resilience and the human body: It’s implausible to create an environment in which you never get sick. No one is going to live in a bubble, nor will companies or societies; it’s a big dirty world. So, the question to ask is: “How do we keep ourselves from contracting a deadly disease, while still understanding that occasionally we do fall sick? How do we stay healthy enough to recover quickly?”
In cyber, you can’t operate inside a hermetically sealed environment. For one thing, you don’t even control that environment. For example, some enterprises share information environments with suppliers, vendors, subcontractors, distributors, designers and customers. The real issue is: Will you be able to successfully carry on your work as a government, as a company or as a department despite the fact that you have to live in an environment where there’s always some menace?
In the end, resiliency may be more important in some ways than other aspects of cybersecurity. Some view cybersecurity as a world in which we keep all threats out, whereas resiliency says, “I can keep going in the presence of these threats.”
However, you have to be careful to keep from extending this analogy further. It’s one thing if you are afflicted with malware and can get yourself back on your feet, but if at the same time you lose essential information, such as critical intellectual property, or if your infrastructure is damaged, you may find it harder to recover. For example, what some cyberterrorists do is damage your information — not so that they can steal it, but so that you can’t use it. Or, in the case of a computer network attack, before you can recover, a power grid could be damaged, or the centrifuges that make highly enriched uranium could burn out.
The fact that you have resiliency doesn’t remove the need to be as secure as possible, particularly in regard to critical assets, which can’t be risked. To get back to the human body analogy, in the end you can recover from a lot of things, but there’s a point, a rise in temperature for example, beyond which you will have brain damage and you won’t recover.
Resiliency is important, and is frequently overlooked, because mostly it’s about continuing to operate. However, you have to be careful that the resiliency issue isn’t extended beyond the point of making good sense.
