It is everywhere, it is hot, and we have a lot to contribute
In a 2018 special issue of the Harvard Business Review, provocatively entitled “The end of cybersecurity”, Andy Bochman, expert cybersecurity strategist from the Idaho National Lab, warned: “No amount of spending on defenses will shield you completely from hackers. It’s time for another approach”. To that end, many experts emphasize that it is not possible for large (e.g., industrial) systems to be entirely protected—particularly due to their scale and dynamic nature. In addition to developing and implementing protective measures, it is therefore necessary to assume attacks will sometimes succeed in bypassing defenses, and to build the capacity to manage cyber events.
Regularly, real world events remind us about this point. Less than a month ago, on the evening of Friday Nov. 15th, a cyber-attack in the university hospital in Rouen, France, led to the decision to shut down all networks and assets in the hospital and its subsidiaries, following a protective cyber protocol. The cyber event occurred in spite of the numerous security systems in place, and, for several days, these medical facilities operated on pen and paper while patients with non-urgent conditions were directed to other facilities. The hospital’s management ensured that patient safety was not compromised during this event. Reports indicate the hospital was the target of ransomware, the impact of which was limited thanks to the intervention of the national cybersecurity agency. Drastic measures such as ‘unplugging everything’ might be the only course of action in such an event as too much uncertainty exists around the potential impact and extent of the attack. Identifying, making sense of on-going events, understanding potential impact on critical services, managing trade-offs in response are all highly challenging and primarily human activities. A key question remains how to improve the tools and ways of building expertise for cyber defense.
Human-centered research focused on cyber defense and the management of cyber events is still lacking; most of the research on cybersecurity focuses on protection measures and technical aspects (necessary, but insufficient by themselves). Numerous topics of investigation could benefit from a ‘resilience-inspired’ perspective, including:
- decision-making during the management of events (e.g., ambiguity of events, management of uncertainty, collaborative work),
- cyber defense practices, strategies and tactics (e.g., recognizing cybersecurity as a co-adaptive process between attack and defense),
- approaches to understand the impact, in real-time or hypothetical, of events on network assets and, as a result, on system performance (e.g., on safety in critical settings),
- organizational aspects, e.g., management of production vs. security trade-offs, and development and maintenance of ways of functioning in degraded modes,
- technological means to support decision-making relative to the points above,
- training methods to improve resilience in cyber defense.
With the participation of cybersecurity operational experts and industrial sectors, Resilience Engineering concepts, methods and focus can help develop the necessary body of knowledge and solutions in this multidisciplinary research topic. In the context of ubiquitous digitalization and greater connectivity, such research is needed to avoid or limit the extent of perturbation cyber events may generate for professional and societal systems.
For more information: matthieu.branlat@sintef.no