Resiliency, the New Cyber in Washington: Security Needs to be Bottom Up

Brian Donohue reflects on Kaspersky Government Cybersecurity Forum discussions about cyber-resiliency. We all know what resilience means. Technically speaking though, what does it take to be resilient on the network level?

WASHINGTON D.C. – If you had asked me about “cyber-resiliency” six months ago, I would have asked you if resiliency was even a word. Today, resiliency is the latest buzzword in a town and industry that lives for buzzwords; born of a military tradition that emphasizes the ability to remain operable while withstanding damages.

Having first encountered the idea at the Billington Cybersecurity Summit in September, it was the topic of a round-table discussion consisting of high-ranking current and former military and NSA officials at the Department of Defense’s Mark Center on Monday. After attending the Kaspersky Government Cybersecurity Forum on Tuesday, it’s become clear that cyber-resiliency, as Kaspersky Government Security Solutions general manager and president Adam Firestone quite clearly stated, is the future.

Adam Firestone

A security luminary and cybersecurity coordinator for multiple presidential administrations, Howard Schmidt, explained that cyber resiliency is having a contingency plan, knowing how you’ll respond and acting accordingly when bad things happen. However, resilience is not compliance, he said, and compliance is neither a means nor an end. It will not save us. Organizations should not be compliant and assume they are secure. They should be secure and compliant as a result, Schmidt said.

 

It’s one thing to parade military and government and private sector officials around and have them hit their talking points, saying we need our systems to be more resilient. We all know what resilience means. Technically speaking though, what does it take to be resilient on the network level?

According to Firestone and a bevy of speakers at Tuesday’s event, resilience is achieved by building security in, rather than bolting security on. Perhaps more plainly put, the woeful state of security in which we now live is a result of protection coming from the top down. Top-down security means that you fix something when it breaks. Or, if you’re the lucky one, you put a new lock on your door after your neighbor’s home is broken into.

In other words, Firestone argued, current security practices are reactive and reactivity will never put an organization out ahead of the threats.

This, of course, is a backward approach. Security needs to come from the bottom up. Developers need to think and practice secure coding. It’s not just developers either, as Joel Brenner, the former head of U.S. counterintelligence under the Director of National Intelligence, noted in his afternoon keynote. Human resources, the general counsel, public relations, marketing, finance, executives, everyone in the company must understand its importance and collectively share in the burden of security together.

As Karen S. Williams, the national director of the US Cyber Challenge put it: CIOs need to be able to explain security to their C-Level colleagues.

Everyone needs to think secure, somewhat paradoxically, while also understanding systems will be breached, because security is different from almost any other industry, in that failure is assumed.

That’s what bottom up means. However, these failures must be partial and not complete or systemic. Firestone explained that the idea of accepting losses to the nonessential while remaining in motion is not new. In fact, he said, it’s merely an extrapolation of a 100 year old principle known as “all or nothing.” All or nothing is the idea behind a pair of World War One, Pennsylvania-class battleships, which deployed the heaviest armor for the most critical parts of the ship and lighter armor to the parts of the ship that could afford to sustain damage.

“Resilient systems must withstand both coordinated attacks from the outside and threats from the inside,” Firestone said.

Brenner took resilience to the specific level. Industrial control systems, he said, should be built to do one thing well. Cyber resilience means having the most robust back-up plan, not the most modern.

“Connecting the [electric] grid to the Internet may have brought efficiencies but it was foolhardy,” Brenner said. “Resilience means having a broom and a dust pan when the fancy system goes down.”

Tips