Cyberresilience in a Societal Context

Cyberresilience in a Societal Context
Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 5 May 2021

In this century, especially in the previous few years, several factors have placed enormous stress on the resilience of businesses—and by extension, of their suppliers, customers and employees—around the world. The first among these was the global financial crisis that began in 2007. It cut the availability of credit for enterprises large and small and created great losses of both market value and employment. Since then, many governments have put measures in place to reinforce the financial well-being of their companies, especially their banks and other financial institutions.1

The economic consequences of the second of these factors, the COVID-19 pandemic, have forced many large enterprises to develop new strategies for working accommodations and has driven many smaller companies into extreme financial danger and even failure. Of course, well beyond the effects of recession, companies everywhere have been rocked by the health and mortality consequences of the pandemic.2 The resilience of companies and government agencies has been tested sorely by this disease, more so than at any time in human history in terms of the sheer scale of global commerce. One of the major factors that has allowed some organizations to come through the pandemic unscathed (or at least acceptably scathed) is that IT has enabled some personnel to continue working safely by working remotely.

The Limitations of Recoverability

Up to this point, the focus of much of the planning for business continuity has been on recovery after a negative event. However, planning to recover implicitly accepts the possibility of disruption, whereas resilience implies either uninterruptability or at least fault tolerance. Recoverability offers the promise of a return to normal or acceptably abnormal working conditions if premises, personnel or other resources are destroyed or become unavailable. The inherent assumption is that if normal activities are brought down by the loss of critical resources, there will be plans and preparations in place to resume those activities within an acceptable timeframe. Generally speaking, business impact analyses are used to determine a priori what the limits of acceptability might be.

THE INTENT IS NO LONGER TO RESTORE THE WORKPLACE BUT RATHER TO MAKE THE WORKPLACE IRRELEVANT TO THE CONTINUITY OF BUSINESS OPERATIONS.

Pandemics turn this assumption on its head; the physical resources are unaffected, but management or the workers themselves are unwilling to work under normal circumstances. Work from home (WFH) has revolutionized the preparations enterprises can or must make to be recoverable. The intent is no longer to restore the workplace but rather to make the workplace irrelevant to the continuity of business operations. It is not that the physical workplace is unavailable to workers. Rather, it is fellow workers who pose a threat to health and safety. The office is still available, but the physical presence of colleagues is unnecessary. What had been little recognized, even in prior pandemic planning, was that absenteeism was not as great a threat to business resilience as was workers’ fear of becoming ill.

Note that this aspect of resilience applies only to those whose job functions primarily call for them to interact with information. Those who deal directly with customers (e.g., surgeons, retail salespeople, waiters) or products (e.g., factory workers, bus drivers) cannot avail themselves of WFH. They are left with the wretched choice of unemployment or disease.

Remote Working and Cybersecurity

Remote working, by itself, was not new3 at the time of the COVID-19 outbreak. What changed was that in company after company, agency after agency, country after country,4 WFH became the norm. Various aspects of IT—portable devices, the Internet, applications, infrastructure, telecommunications, the cloud—came together to make common working premises unnecessary. In retrospect, the technical developments came rather quickly. As little as 15 to 20 years ago, the current scale of remote technology would not have been possible. Personnel did not have the bandwidth, computing power or access to data that enable WFH.

At the same time, all of that technology, and, thus, the enterprises that rely on it, is under threat itself. The effect takes different forms, from the inability to use the systems to theft of critical information. We have taken to addressing them all under the rubric of cyberattacks. These, too, are not new or at least not novel at the time of the COVID-19 pandemic. There is plentiful evidence that the increase in the number of potential targets has indeed led to substantial growth in the sheer number of attacks. INTERPOL, for example, has stated that

Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.5

There are various claimants for the first cyberattack; the one most frequently cited is the Morris Worm, which brought down thousands of computers in 1988 and brought the reality of hacking to widespread public consciousness.6 To be fair to Mr. Morris, who may or may not have had evil intent, the worm he unleashed was not aimed at any one organization and thus was not a cyberattack as we have come to know them today. In the current context, a cyberattack is a deliberate, targeted attempt to harm a particular organization or person.

And thus, for a society that relies on IT to enable withstanding a disruption as fundamental as the pandemic has proven to be, cyberattacks on our organizations and institutions are the dark specter that haunts resilience.

The Resilience Triad

So where does this leave us? It is hardly an original observation that the health of the economy and that of the populace are closely interlinked. The COVID-19 pandemic has spanned the earth, “bringing economic activity to a near-standstill, as countries imposed tight restrictions on movement to halt the spread of the virus,” as stated by the World Bank. “As the health and human toll grows, the economic damage is already evident and represents the largest economic shock the world has experienced in decades.”7

Figure 1Although the relationship between the economy and a healthy population may seem obvious, it is not as clear that the resilience of both the economy and our ability to withstand a global pandemic are reliant on the resilience of the world’s IT infrastructure, taken as a whole. As illustrated in figure 1, the relationships among the economy, the population and IT form a mutually reinforcing triad of interdependencies.

Worldwide commerce in the 21st century is impossible without IT. What has become evident since COVID-19 spread is that maintaining the health of the population, at least as healthy as possible under the circumstances, is dependent on IT as well. Even those who cannot work remotely can order food and other necessities, communicate and be entertained without face-to-face contact.

The economy needs workers to function. This concept, as elementary as it may seem, is being challenged by robotics, artificial intelligence (AI), the Internet of Things (IoT) and automation more generally. Perhaps in the future, we humans will enjoy a lifetime of leisure, with machines doing all the work, but this will not happen any time soon. For as far out as foreseeable, businesses will need people (if only to oil the machines), those people will need to be healthy in order to work, and information systems will be enablers of their health and welfare.

Economists from Adam Smith to Karl Marx to John Maynard Keynes have recognized that work creates wealth. They have differed as to how that wealth is created, where it goes and who gets to keep it, but there is a general understanding that all of us (or perhaps just most of us) need to work in order to live. What we have observed in this sad period of pandemic is that people’s health—or more properly, their fear of disease—can disrupt the relationship between the populace and the economy.

WHAT HAS BECOME EVIDENT SINCE COVID-19 SPREAD IS THAT MAINTAINING THE HEALTH OF THE POPULATION, AT LEAST AS HEALTHY AS POSSIBLE UNDER THE CIRCUMSTANCES, IS DEPENDENT ON IT AS WELL.

The same may be said of IT. The systems must be up, running and working properly for them to enable the economy to function. And we have seen that those who can utilize WFH to continue working are reliant on systems as well. Thus, resilience, in general across society, is dependent on the interlocked health of the economy, the populace and the technology.

Which brings us back to cybersecurity.

Cybersecurity as an Aspect of Resilience

Since cyberattacks have been recognized as an advanced persistent threat (APT) to society, much has been done to rein in, if not totally eliminate, the potential for or the impact of targeted attacks on information systems. But, unfortunately, we must admit that these measures have, in the aggregate, been insufficient. Until and unless we can make information systems resistant to cyberattacks, we cannot consider the society supported by IT to be resilient.

Using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)8 to categorize the functions required to counter these attacks and two well-respected annual surveys9, 10 to provide metrics, we see that the progress made toward resilience against attacks has been, at best, spotty.

As shown in figure 2, the fairly consistent decline in the number of security incidents does indicate that there has been improvement in the Identify function. It shows that organizations have gained an understanding of the need to “manage cybersecurity risk to systems, people, assets, data, and capabilities.”11 That would be an encouraging trend if it were supported by progress in the other functions.

Figure 2
Source: IBM Security/Ponemon Institute, Cost of a Data Breach, 2015-2020

However, the consistency in the annual number of actual breaches (plus the sharp uptick shown in the most recent Verizon report) does not indicate much progress in the Protect function. We have not, as a society, developed and implemented appropriate and effective safeguards to ensure delivery of critical services.12 Whatever security measures enterprises are putting in place are not eliminating severe and costly13 breaches.

Perhaps even more disconcerting are the results shown in figure 3. Over at least six years, it has taken, on average, more than six months for those who have experienced data breaches to even recognize that they had been attacked. Six months! And then it took them more than two months, again on average, to contain the attacks. No one can feel comfortable with our overall ability to Respond, Detect or Recover from cyberattacks, given these numbers.

Figure 3
Source: IBM Security/Ponemon Institute, Cost of a Data Breach, 2015-2020

Taken together, these lugubrious statistics lead to one conclusion: Whatever we have been doing is not working. If we cannot stop cyberattacks from happening and we cannot deal with attacks in a timely manner when they do occur, then we must accept that IT needs to become resilient if it is going to fulfill its role in the triad of economic, health and technology resilience.

Toward Resilient IT

How can we do that? Here are a few suggestions:

  • Change the response paradigm—Even without being attacked, systems sometimes fail, either crashing altogether or providing erroneous results. Software is, after all, created by people and people are fallible. These failures, in most cases, are treated as benign events and addressed as cyberattacks only if malign intent becomes apparent. Some incidents, such as distributed denial-of-service (DDoS) attacks, are immediately recognizable as hostile, but an average mean time to identification of 207 days shows that too many organizations are too complacent.

    If it were assumed that all downtime and bugs were caused by cyberattacks until proven otherwise, the length of time to detect a secreted infection could be radically reduced. This requires more of a change in attitude than in the actual amount of work involved. Technicians would still need to restore and eliminate bugs, but they would be looking for threats from the outset instead of letting malicious software continue unabated.
  • Utilize AI and machine learning (ML)—Part of the problem of detecting incursions into information systems is that they are so well hidden. AI and ML can and should be detective weapons in the arsenal of system protectors. Increasingly, we are reading that they are in the tool kits of the attackers,14 so it behooves the IT community to use AI as a method of diagnosing unexplained anomalies that have snuck into the systems.

    At this point in the development of AI cybersecurity tools, a heuristic approach might be warranted. AI and ML can search for anything unexpected, such as unusual patterns of access or data traffic from unexpected sources. Most telling might be detection of any use of privileged access at odd hours or for unusual purposes. The AI and ML tools would then alert their human masters to investigate further. At first, there may be an excessive number of false positives that must be resolved by actual people. But, given time, as the tools learn more about normal and abnormal patterns of activity, they will improve and might even be released to take action by themselves.
  • Migrate to the public cloud or a managed security provider—It is not that cloud service providers (CSPs) are more immune to cyberattacks than are those with their own data centers. In fact, there are reports that attacks on cloud implementations are increasing.15 But just as CSPs and managed security providers (MSPs) have a commercial interest in selling services, so they have an interest in being seen as secure (and, of course, actually being secure). The commercial CSPs make it clear that security is a shared responsibility, but when things do go wrong, they have (or should have) more personnel to focus on the problem than does any individual customer.
  • Patch, patch, patch—Because software is full of holes, that’s why.
  • Assign personnel to proactively search for software incursions—In large measure, the failure to identify that an attack has occurred stems from organizations not looking for them. It becomes apparent that data have leaked when a credit card is misused or when a ransom demand arrives. Enterprises need a staff that I have previously referred to as a CyberCERT to regularly and routinely validate that software is uninfected and unchanged except for authorized maintenance.16
  • Ensure that software vendors screen their software for embedded malware—Recent events have highlighted the threat of cyberattacks arriving in third-party software.17 Software vendors bear the risk of product liability lawsuits, which they attempt to manage contractually. Customers have the risk of opening the door for a so-called “welcome intruder” in the form of software delivered with malicious code included. For the most part, customers have no way of detecting what should not be there because they do not know what should.18

    Their recourse is to insist that their software vendors warrant that they have scanned the products they ship for injected malicious code. Note that this is not the same as warranting that the software is error free. It implies an effective system of internal control of software from development to testing, through quality assurance to digitally signing their products19 prior to shipment. Such processes are auditable and, thus, can give customers a reasonable level of assurance if they are followed.
  • Make resilience a strategic design requirement—There are some systems on which lives depend—in the military, in hospitals and in air traffic control, to cite a few examples. They are designed not to fail, and the public is rightly incensed when they do.20 If IT is to be resilient, then all systems should be designed, implemented and maintained to achieve that goal. If this increases budget for redundant systems, more technical personnel, external services and more testing, so be it. Resilience does not come cheap. But neither does downtime.
  • Address the problem of cybersecurity holistically—With more people accessing more data from more places, we have passed the point where we can secure IT components on an item-by-item basis. It is insufficient to secure individually the servers, the storage, the network, the infrastructure and the applications and conclude that if all the pieces are safe, then the totality must be secure as well. It is time to get serious about enterprise information security architecture and to plan, design and implement systems with an in-depth configuration management database (CMDB) to know where everything is once they are implemented.
IN LARGE MEASURE, THE FAILURE TO IDENTIFY THAT AN ATTACK HAS OCCURRED STEMS FROM ORGANIZATIONS NOT LOOKING FOR THEM.

IT is critical for the health of the economy and the populace. But that statement by itself is overly simplistic. IT is part of a broader infrastructure, and, for that matter, the economy and the population have many components as well. As we have learned in this pandemic, IT cannot be disentangled from the power supply, the roads, public transport, the media and many other aspects that we group under “infrastructure.” We just live our lives on the assumption that when we flip the switch, the lights will come on. And the population at large simply assumes that their technology will just be there without consideration of the enormous effort and investment that goes into making sure that the Internet, telecommunications, software, cell phones, personal computers and their applications are there (almost) all the time.

We in the IT community are aware of how much work it has taken to make all those things work at all, much less work together without fail. And we recognize their fragility because we anticipate the risk and fix things when they break. Amazingly, we are at a point at which we might, just might, be able to achieve resilience in IT, at least against cyberattackers. We may not make it 100 percent, but it is worth the effort to try.

Endnotes

1 In the United States, the Dodd-Frank Wall Street Reform and Consumer Protection Act placed greater capitalization requirements on US banks, http://www.govinfo.gov/content/pkg/PLAW-111publ203/pdf/PLAW-111publ203.pdf. In the European Union, the European Systemic Risk Board (ESRB) was created for monitoring macroprudential risk. See, European Commission, “Regulatory process in financial services,” Belgium, http://ec.europa.eu/info/business-economy-euro/banking-and-finance/regulatory-process-financial-services/regulatory-process-financial-services_en. The Basel 2.5 and later Basel 3 frameworks that strengthened capital requirements and oversight were adopted in many countries, including Japan. See Harada, K., et al.; “Japan’s Financial Regulatory Responses to the Global Financial Crisis,” Emerald Insight, 9 December 2014, www.ayakoyasuda.com/papers/2017/Paper11_jfep.pdf.
2 Globally, nearly 70 million people infected and more than 1.5 million dead at the time of writing, sure to be substantially higher at the time of reading.
3 Forbes magazine reported that 20 percent of the US workforce was working remotely in 2013. Rapoza, K.; “One in Five Americans Work From Home, Numbers Seen Rising Over 60%,” Forbes, 18 February 2013, http://www.forbes.com/sites/kenrapoza/2013/02/18/one-in-five-americans-work-from-home-numbers-seen-rising-over-60/?sh= 2d830c9425c1
4 For Europe, see European Commission, “Telework in the EU Before and After the COVID-19: Where We Were, Where We Head To,” Italy, 2020, http://ec.europa.eu/jrc/sites/jrcsh/files/jrc120945_policy_brief_-_covid_and_telework_final.pdf. For North America, see Wong, M.; “Stanford Research Provides a Snapshot of a New Working-From-Home Economy,” Stanford, 29 June 2020, http://news.stanford.edu/2020/06/29/snapshot-new-working-home-economy/.
5 INTERPOL, “INTERPOL Report Shows Alarming Rate of Cyberattacks During COVID-19,” 4 August 2020, http://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
6 Shackleford, S.; “30 Years Ago, the World’s First Cyberattack Set the Stage for Modern Cybersecurity Challenges,” The Conversation, 1 November 2018, http://theconversation.com/30-years-ago-the-worlds-first-cyberattack-set-the-stage-for-modern-cybersecurity-challenges-105449
7 The World Bank, “The Global Economic Outlook During the COVID-19 Pandemic: A Changed World,” 8 June 2020, http://www.worldbank.org/en/news/feature/2020/06/08/the-global-economic-outlook-during-the-covid-19-pandemic-a-changed-world
8 National Institute of Standards and Technology (NIST), Cybersecurity Framework, The Five Functions, version 1.1, USA, 16 April 2018, p. 7–8. The five functions are Identify, Protect, Detect, Respond and Recover.
9 Verizon, 2015–2020 Data Breach Investigations Report, USA, 2015–2020, http://enterprise.verizon.com/resources/reports/dbir/. Note that this is an international study.
10 IBM Security, Ponemon Institute, Cost of a Data Breach Report 2015–2020, USA, 2015–2020, http://www.ibm.com/security/data-breach. Note that this is an international study.
11 Op cit National Institute of Standards and Technology
12 Ibid. Author’s italicized amendment.
13 Op cit IBM and Ponemon Institute. The Cost of a Data Breach Report 2020 states that the average cost of a data breach is US$3.86 million.
14 There is a great deal of both academic and popular literature on this subject. See, for example, Durbin, S.; “How Criminals Use Artificial Intelligence to Fuel Cyber Attacks,” Forbes, 13 October 2020, http://www.forbes.com/sites/forbesbusinesscouncil/2020/10/13/how-criminals-use-artificial-intelligence-to-fuel-cyber-attacks/?sh=7de5523e5012
15 Thomas, B.; “Report Shows Cyber Attacks on Cloud Services Have Doubled,” BitSight, 15 May 2020, http://www.bitsight.com/blog/report-shows-cyber-attacks-on-cloud-services-have-doubled
16 Ross, S.; “CyberCERT,” ISACA® Journal, vol. 5, 2014, http://h04.v6pu.com/archives
17 Westby, J.; “SolarWinds Cyber Attacks Raise Questions About the Company’s Security Practices and Liability,” Forbes, 16 December 2020, http://www.forbes.com/sites/jodywestby/2020/12/16/solarwinds-cyber-attacks-raise-questions-about-the-companys-security-practices-and-liability/?sh=43f9e6b6711d
18 The exception is open-source commercial software, but there are only a limited number of such products.
19 Op cit Westby
20 The WannaCry attack on Great Britain’s National Health Service (NHS) in 2017 is perhaps the most flagrant recent example. It exposed that the NHS was running on outdated software that left it vulnerable to subversion. It demonstrated the link between IT and the people’s health in vivid fashion. See National Audit Office, Investigation: WannaCry Cyber Attack and the NHS, United Kingdom, 25 April 2018, http://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf

Steven J. Ross, CISA, CDPSE, AFBCI, CISSP, MBCP

Is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.