What will cyber resilience mean in the future?

Add to my custom PDF

The Future of Cyber Resilience in an Age of Global Complexity

Cybersecurity is of high strategic importance but perhaps the landscape has not been laid properly to ensure resilience. Systems for governance of cyber-defence are inadequate, with many of the functions that contribute to resilience under private ownership.

An increase in the critical national infrastructure that is privately controlled reinforces the tension between working collaboratively and confidentiality. Governments are, at once, trying to increase secrecy while also encouraging cooperation and accountability. This is paradoxical for many types of relationships - within government, such as between departments or agencies, as well as in public-private partnerships and across state borders. Although often viewed positively, collaboration is related to the diffusion of responsibility for cyber-defence. For example, the European Network and Information Security Agency (ENISA), which encourages convergence and co-ordinates regulation among European states, is one example of a regional alliance for cyber-security.

The government itself has limited in-house expertise. In the case of the United Kingdom, as much as 80% of critical national infrastructure is privately owned. In effect, Herrington and Aldrich argue, the operational capacity for surveillance and cyber- defence action rests in the telecom industry. In encouraging partnership, government has fostered private ownership of resilience. However, should something go wrong, the public will nonetheless look to government; “[t]he public are unlikely to blame the telecoms and specialist Internet providers they have barely heard of, still less fellow citizens with a relaxed approach to anti-virus protection. When the digital tsunami occurs, citizens will hold government to account for the failure of an infrastructure they no longer own or control – and which ministers do not fully understand.” (p303)

There is a certain inevitability to further exponential increase in the available data and in integration of technologies providing that data. This ‘connectedness’ will present greater risks to privacy and security, but also holds the potential for greater transparency; publics can learn more about their government and private industry providers, information which can be used for holding service providers to account. In the face of increased private ownership of resilience, robust security requires legislating duties for service providers. Governments can leverage other actors who hold the operational capacity to promote and increase resilience. Solid defence also includes systems diversity, that is a mix of analog or manual checks and balances in addition to digital safeguards.

Convergence of technology and diffusion of responsibility and expertise creates issues for the resilience of cyberspace. Government may be expected to provide cyber safety regardless of who owns and operates the infrastructure.