To prepare effectively for the future, Dr. David Bray believes it's worth reminding everyone of the sheer exponential scale of technology growth. Bray, former FCC CIO and now executive director for the People-Centered Internet coalition, recently attended the World Economic Forum’s annual Global Futures Summit to discuss the opportunities and challenges associated with increasing the cyber-resiliency of the world’s digital economies. Cyber-resilience, he says, represents an increasingly important capability for organizations given the inevitable risks and vulnerabilities they’re facing in this digital era. We asked Dr. Bray to share some key insights on this topic.
The Enterprisers Project (TEP): Why is cyber-resiliency so important now?
Dr. Bray: We are experiencing unprecedented exponential change. Consider these stats: In 2013, there were 7 billion network devices relative to 7.1 billion people on the planet. By comparison, estimates for 2025 project there will be 100 billion or more network devices relative to 8 billion people on the planet. In 2013, the amount of digital data on the planet amounted to 4 billion terabytes. By 2025, that number is projected to soar to 200+ billion terabytes. In 2013, approximately 3 billion people were connected to the internet. By 2025, ideally 7 billion people will be connected to the internet. Changes on this scale will dramatically impact how people will interact and thrive in the global digital economy. And that means organizations need to focus on more than cybersecurity. They also need plans to be more resilient in the face of all the challenges that will continue to grow.
TEP: What is the difference between cybersecurity and cyber resilience?
Dr. Bray: Cyber-resiliency is more than just cybersecurity. While it does include the usual “organizational hygiene” steps such as prevention, early detection, and rapid mitigation, resiliency also includes other organizational activities focused on adapting quickly and overcoming unforeseen events. Exponential changes require organizations to intentionally design how they operate to decrease the time required to bounce back from unforeseen events. Cyber-resiliency includes streamlining the business processes in an organization and evaluating how the applications of an organization could be misused in unintended ways to cause confusion or spread misinformation. As such, increasing resiliency needs to be more than just the responsibility of Chief Information Security Officers and Chief Information Officers. This is only possible if the entire organization, city, or nation evaluates where existing processes, data collection efforts, and identity authentication practices slow the organization’s response time to the unexpected.
TEP: What is a recent example of where outdated processes, amid exponential change, can harm an organization’s cyber-resiliency?
Dr. Bray: Consider the exponential changes associated with ransomware, estimated to have resulted in $325 million in damages globally for 2015 and projected to result in $5 billion in damages for 2017. In Q1 of 2017, some estimates suggested there was a 430 percent increase in new ransomware variants from the year before, and every two minutes a business was attacked. Six months later, for Q3 2017, that ransomware attack statistic became every 40 seconds for a business and every 10 seconds for an individual. An estimated 70 percent of companies targeted by ransomware attacks have been infected. More than 70 percent of infected businesses lost access to data for two days or more. These exponential changes demonstrate that prevention is important, as is updating organizational business, data, and authentication processes to be more resilient.
TEP: What are some steps organizations can take to increase their cyber-resiliency?
Dr. Bray: I often stress “simplify, simplify, simplify” what you must maintain in terms of code and systems. Streamline your business processes. Embrace cloud-based SaaS solutions with strong security controls wherever possible. If your legacy systems provide system-wide access instead of more granular data access rights, either move to a new cloud-based system or limit data rights to specific digital identities. Automate wherever you can. In particular, automate any required patching and image rebuilds, as well as the monitoring of both identity access and data flow behavior patterns. To view behaviors across systems, implement digital identity controls. Use automation to establish “patterns of life” for how systems should operate. If non-normal trends are spotted, trigger interventions to adapt and respond. Most importantly, regularly re-verify whatever you trust, including making sure both humans and technologies are operating as intended. Ideally, you’ll confirm this through independent testing.
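The answer above describes establishing "patterns of life" for identity access and data flow, spotting non-normal trends, and triggering an intervention. The following is an added example written for this page (it is not code from the interview, from Dr. Bray, or from any project he names) that builds a per-identity baseline from a window of access logs and scores new events against it. The log line format, the field names, the z-score threshold, and the intervention policy in recommend_action are all assumptions; the log lines are constructed sample data.

```python
# Added example, not from the interview or from Dr. Bray: build per-identity
# "patterns of life" from a training window of access logs, then score new
# events against them. Log format, field names and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <identity> <host> <bytes_out>"
TRAINING_LOG = [
    "2017-11-01T09:12:00 alice fs01 1200",
    "2017-11-01T11:40:00 alice fs01 1500",
    "2017-11-01T14:05:00 alice fs01 900",
    "2017-11-01T16:30:00 alice fs01 1300",
    "2017-11-02T10:00:00 bob db02 4000",
    "2017-11-02T13:20:00 bob db02 4200",
    "2017-11-02T15:45:00 bob db02 3900",
]
NEW_EVENTS = [
    "2017-11-03T10:15:00 bob db02 4100",          # matches bob's pattern of life
    "2017-11-03T03:02:00 alice vpn-gw 500000",    # new host, off-hours, large outflow
    "2017-11-03T12:00:00 carol fs01 800",         # identity never seen before
]


@dataclass
class Baseline:
    """What 'normal' looks like for one digital identity."""
    hosts: set = field(default_factory=set)        # systems it normally touches
    hours: set = field(default_factory=set)        # hours of day it is normally active
    bytes_out: list = field(default_factory=list)  # data-flow volume per access


def parse(line):
    """Split one constructed log line into (timestamp, identity, host, bytes_out)."""
    ts, user, host, nbytes = line.split()
    return datetime.fromisoformat(ts), user, host, int(nbytes)


def build_baselines(lines):
    """Learn each identity's pattern of life from a trusted training window."""
    baselines = defaultdict(Baseline)
    for ts, user, host, nbytes in map(parse, lines):
        base = baselines[user]
        base.hosts.add(host)
        base.hours.add(ts.hour)
        base.bytes_out.append(nbytes)
    return dict(baselines)


def score_event(line, baselines, z_threshold=3.0):
    """Return the reasons (possibly none) this event deviates from the baseline."""
    ts, user, host, nbytes = parse(line)
    base = baselines.get(user)
    if base is None:
        return ["unknown identity"]
    reasons = []
    if host not in base.hosts:
        reasons.append(f"new host {host}")
    if ts.hour not in base.hours:
        reasons.append(f"off-hours access at {ts.hour:02d}:00")
    mu, sigma = mean(base.bytes_out), pstdev(base.bytes_out)
    if sigma > 0:
        z = (nbytes - mu) / sigma
        if z > z_threshold:
            reasons.append(f"data volume z-score {z:.1f} above {z_threshold}")
    elif nbytes > 2 * mu:  # constant history: fall back to a simple ratio check
        reasons.append(f"data volume {nbytes} more than twice the usual {mu:.0f}")
    return reasons


def recommend_action(reasons):
    """Map a deviation to an intervention; this policy is an assumption."""
    if not reasons:
        return "allow"
    if "unknown identity" in reasons or len(reasons) >= 2:
        return "block and re-verify identity"
    return "alert and monitor"


def flag_anomalies(training_lines, new_lines):
    """Return (identity, reasons, action) for every new event that deviates."""
    baselines = build_baselines(training_lines)
    flagged = []
    for line in new_lines:
        reasons = score_event(line, baselines)
        if reasons:
            flagged.append((line.split()[1], reasons, recommend_action(reasons)))
    return flagged


if __name__ == "__main__":
    for user, reasons, action in flag_anomalies(TRAINING_LOG, NEW_EVENTS):
        print(f"{user}: {action} ({'; '.join(reasons)})")
```

On the constructed data, bob's event is allowed, alice's off-hours transfer from an unfamiliar host accumulates three independent deviations and is routed to a re-verification step, and carol is blocked outright because no pattern of life exists for that identity yet. Real deployments would learn the baseline continuously and treat the training window itself as something to re-verify, since an attacker who is already present during baselining becomes part of "normal".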
TEP: What future challenges do you see on the horizon that demand improved cyber-resiliency?
Dr. Bray: Organizations need to be prepared to respond quickly to a variety of surprise events that may not typically fall under the domain of security, yet still require a prompt response. Smart algorithms can be fooled when noise is added to data. Image recognition programs can be altered in a way that does not change the appearance of the image to the human eye, yet triggers the “smart” algorithm to confuse, for example, what clearly is an image of a building with a peacock. Systems can operate as designed yet be used in ways never originally intended, such as use of targeted social media to mislead people. Automated chatbots can be fooled into sharing sexist, racist, or other objectionable content if bad data is provided to the bot. Such unfortunate challenges go beyond the traditional domain of cybersecurity, and illustrate exactly why organizations must increase their cyber-resilience capability to both prevent events and decrease the time required to bounce back from unforeseen events.
Thank you for a thought-provoking Q&A, particularly about the concerns that aren't typically security yet still require a prompt response. Concerns about chatbots, social media, and algorithms being given bad data should be discussed more fully so we can understand their potential impacts.
Thanks for the post. Resilience to integrity attacks is not new, but you will be hard pressed to find much in the traditional cyber security mitigation frameworks to cover its impact in the business sense, moving above network-driven security to data/information/knowledge/intelligence-driven integrity security of content. It is still cyber security.