Steve Hill, Managing Director, Global Head of Operational Resilience at Credit Suisse, and Visiting Senior Research Fellow at King’s College London, together with Sadie Creese, Professor of Cybersecurity at the Department of Computer Science at University of Oxford, consider how key stakeholders could improve collaboration to enhance cyber resilience.
Earlier this year we argued that government cabinet ministers and company board members needed to drive a new approach towards enhancing cyber resilience.[i] Both sets of leaders needed to be ready to adapt to new risks, pioneer new controls and invest in the capacity to ensure continued operational resilience. As lessons from the global pandemic become clearer, and the cyber threat landscape continues to worsen, the National Preparedness Commission is an opportunity to address how different key stakeholders might work together to meet this challenge.
An uber threat
Cyber resilience is the most critical facet of operational resilience in our increasingly digitised post-Covid world. The shift to working from home, the arrival of 5G and the increasing ubiquity of the ‘Internet of Things’ will only accelerate this reality. The last decades have been dominated by headlines of data loss but failures of operating technology and attacks targeting supply chains, as seen in the Colonial Pipeline attack in the US, may represent a more existential societal threat.
Our planning assumption must be that things will go wrong: cybersecurity is the pursuit of resilience in the face of insecurity. Complexity and external dependencies, many of them unsuspected or hidden, are likely to grow. This will result in an increased potential for harm as threats propagate throughout our systems and infrastructures. We will be faced by the continued industrialisation of cybercrime. Organised criminal groups, often operating from safe havens beyond the reach of Western law enforcement, will continue to demonstrate enviable innovation and agility. The cybersecurity industry is already recognising the limits of prevention: capabilities in response, recover and anticipation are critical to limiting the impact and risk from cyber intrusions and technology failures.
National infrastructure largely comprises of private enterprises, each with a responsibility to increase shareholder value. Their IT infrastructures are typically a kludge of legacy systems and external third-party dependencies organically grown through acquisition and evolution. In challenging economic times, investing against possible but unlikely high-impact risk events has not been a priority.
The pressure to increase efficiencies by reducing costs will not dissipate. Business continuity functions, many shaped by two decades of increased post-9/11 physical threat and worsening climate events, may not have prioritised data recovery and the resilience of their technology platforms. Those who have invested in third-party cloud services as part of business continuity strategy will often not have been able to obtain the integration of cybersecurity functionality with their local teams that is necessary to underpin optimal detection and recovery from attacks.
Lessons from the past
Two lessons from the global response to Covid-19 in terms of risk management have been: (i) the degree to which both governments and enterprises were unprepared for such an extreme tail-end risk, and (ii) the speed with which many of them compensated for this lack of preparation. But good crisis response should not be mistaken for sufficient planning. Covid-19 was no black swan but, like cyber-attacks, it was a risk that was overshadowed by others that were determined to be more likely, where the return on mitigation investment will be easier to evidence. All too often, risk management is overly anchored in recent events that have a direct impact rather than a more strategic historic perspective or sufficiently imaginative and reasoned foresight.
The majority of corporate boards, supported by increasingly experienced chief information security officers and chief information officers, understand current cybersecurity and resilience challenges. They feature prominently on risk registers and there may even be a strategic plan to improve controls and mitigate the risk. Yet, we should all be judged by practical actions and, as with global climate change, these may not suffice in terms of ambition or pace. Institutional inertia and complacency must be faced down and assumptions of continued operational contexts challenged.
Moving forward
Governments and regulators are in some industries already seeking to force the pace. In the financial services industry, regulators have imposed greater financial resilience following the financial crash of 2008. As Paul Williams from the PRA highlighted in his article, the focus has now shifted to operational resilience. [ii]
From 2022 there will be a regulatory expectation of a degree of operational resilience for the important business services provided by the financial services sector on which citizens increasingly depend, especially as financial institutions shift from bricks and mortar to online digital services. Financial institutions are currently in the process of identifying which of their business services are critical to their clients or to the wider financial system. They are embarking on extensive exercises to map the business processes and dependencies that underpin each of these services and putting stress-testing programmes into place to assess whether, faced with severe but plausible scenarios, the services can be recovered before creating intolerable external harm. The ‘fix’ phase will need to be completed by 2025.
Key here is the limit to the ambition. It is not that every part of the banks’ functioning should be rendered resilient. That would be ideal but hardly economic. Instead, the focus is on those critical services that have significant external impact. In the same way that cyber-security professionals urge boards to prioritise and focus on the ‘crown jewels’, a new generation of operational resilience experts are focused on which business services should be in scope. This analysis will need to take account of the interdependencies that exist within our systems and processes, and how risks can propagate.
Similarly, we need to prioritise investment in addressing those vulnerabilities that constitute our greatest current attack surface. By and large, our people and our physical infrastructure demonstrated impressive resilience during the pandemic; supply chains less so. But the area of greatest concern for most boards and for our national critical infrastructure was data, technology, digital services and supply chains.
We must find ways to ensure that we can protect the necessary customer data, the critical applications and the underlying digital infrastructure. We should seek to restore integrity, business process and operational capacity before we breach our ‘impact tolerance’ and cause irrevocable harm. Recovery from tape or otherwise of back-up data that may itself have been corrupted by a sophisticated adversary will no longer suffice, even if it could be achieved fast enough.
Resilience by design
These new programmes are major new multi-year undertakings. They will need to build on the lessons learnt during the 2020 response to the global pandemic, just as much as the lessons from recent ransomware and supply-chain attacks. Security and resilience can no longer be traded for efficiency and speed. The new mantra is ‘resilience-by-design’ and this will require solutions embedded into our technology, people and process. There are signs of a greater awareness of the need to build and test long-term cyber resilience. The current response is necessary but not necessarily sufficient. One size will no longer fit all: the best response to a loss of physical premises might very well be exactly the wrong response to a sustained malware attack.
It will need the top leadership from governments, regulators and boards to work together – with a focus on outcomes rather than rules – to drive the practical timely response needed to enhance our resilience. The pace of digital transformation in life in the 21st Century makes this a necessity. Greater sharing of lessons and experiences, between enterprises and between governments, notwithstanding potential reputational consequences, will be critical to collective progress.
[i] CAPCO Institute, Journal of Financial Transformation, May 2021.
[ii] Operational resilience in financial services, National Preparedness Commission, 15 September 2021.