Michael Kushin is senior vice president at CACI International Inc. He has more than 25 years of experience developing secure solutions for the Defense Department and the Intelligence Community, and is responsible for delivering cybersecurity solutions at CACI.
As government and industry continue to develop new capabilities to defend against and counter persistent threats to information systems, weapons systems, and critical infrastructure, developing resilience, both technically and procedurally, has become a necessity. Organizations have long implemented redundant capabilities, from backup data centers to independent communications paths, but the need to include cyber resilience has come of age.
The concept of cyber resilience is not new. However, implementations are few and far between, with most efforts concentrated on defending networks or forensically remediating attacks that have already taken place. With the increased complexity of systems we rely on—using interconnected components and embedded processors—along with supply chain concerns and the move to the cloud, the risks have never been greater. Do we as a nation have the means to continue functioning while components of a network are offline or navigation systems are interrupted?
Cyber resilience is the acceptance that cyber attacks will continue and be successful; therefore, organizations must adjust to continue to function during the attack. This includes identifying risks to the organization and prioritizing the protection of systems and data critical to operations, documenting processes necessary to continue business operations during an attack, and having an effective remediation plan.
Federal agencies have begun the effort to introduce resiliency into their platforms as well as support other organizations in assessing their posture. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team has introduced a Cyber Resilience Review that enables organizations to evaluate their operational resilience and cybersecurity practices. Additionally, cybersecurity companies provide consulting across a wide spectrum of platforms. However, to achieve resilience, not only today but in the future, three important things must happen:
1) The idea of resilient platforms must be implemented at the design phase, incorporating technology, process, and/or training,
2) Resilient platforms must be adaptable to keep up with constantly changing threats with increasing levels of sophistication and innovation, and
3) Until cyber defense is able to thwart all attacks and provide a truly trusted environment (which may never happen), organizations must develop processes to operate at a degraded state, focusing protection on critical mission functions.
Incorporating cyber resilience into our fabric requires investment, but it is not as costly as the inability to conduct critical business functions that everyday Americans expect and rely on (e.g., defense, health services). Therefore, cyber resiliency, and the means to test and validate it, must become a core requirement of all future systems and platforms.