Cyber resilience

Our world increasingly depends on interconnected computers and smart devices. Activities that were once manual or analog—managing the electric grid, controlling the flow of pipelines, operating energy facilities, financial transactions—now occur in the digital world. Computers enable these processes to run more efficiently and to benefit from advances including automation and artificial intelligence. However, they also create the possibility of cyberattacks or other disruptions that pose a threat to national security.

Cyber resilience, which is also sometimes referred to as cyber resiliency, is the ability to weather adverse events in a computing environment. The National Institute of Standards and Technology (NIST) defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Cyber resilience applies to both physical and virtual assets.

Cyber resilience is a broader approach to cybersecurity, the effort to harden and defend cyber systems against possible attacks. While cybersecurity is a critical component of cyber resilience, cyber resilience bolsters the notion of defending systems with the idea that systems should be able to continue operating and/or bounce back quickly if a security breach happens.

“The quest for ‘failure-proof’ systems [in information technology] ultimately—and ironically—failed,” wrote the authors of a 2018 report from the consulting firm Accenture, The Nature of Effective Defense: Shifting from Cybersecurity to Cyber Resilience. “The goal is systems that are highly automated, distributed, over-designed, and redundant. In other words, they’re ready for anything.”

Cyber resilience as a national priority in the United States emerged in early 2013 with the Presidential Policy Directive (PPD-21) on Critical Infrastructure Security and Resilience. The directive laid out a strategy for a national effort to strengthen the security and resilience of essential facilities such as nuclear reactors, wastewater systems, and dams. Identifying 16 critical infrastructure sectors, the PPD-21 tasked the U.S. Department of Homeland Security (DHS) and other national agencies to work together on evaluating and managing cyber risks in these sectors.

“Although PPD-21 launched the topic into highly visible discussions, several organizations had been working on cyber resilience previously,” write the authors of a 2018 paper prepared for the DHS, pointing to Carnegie Mellon University’s Computer Emergency Response Team and the MITRE Corporation as examples of entities that were developing this idea as early as 2010.

Cyber resilience makes it possible for critical services—the open channels on which we depend daily, such as the flow of electricity, water, data, goods, and money—to continue in an emergency. Accordingly, the National Infrastructure Advisory Council has identified five sectors that must be part of cyber resilience planning: electricity, water, transportation, communications, and financial services.

Any one of these sectors is important enough on its own, but cyber resilience also recognizes the interdependency of these sectors—water and communications require electricity, and vice versa, and digital financial services and transportation networks demand electricity and communications. Some of the equipment that makes these activities possible, such as high-voltage transformers on the electric grid, would take months or years to replace if irreparably damaged in an attack or disaster. By preventing such damage, cyber resilience assures that expensive, important assets remain in service for as long as possible.

Pacific Northwest