Resilience better than deterrence in managing cyber incidents—new SIPRI report
The study team analysed the response to nine cyber incidents (events that adversely affected the security of a network or information system) in Estonia, Finland, Japan, Singapore, South Korea and the United Kingdom. In particular they looked for practical lessons on how states and national crisis-management agencies can prevent cyber incidents from escalating into crises.
Cyber security tends to be dominated by defence and intelligence thinking. However, strategies based on deterring cyberattacks do little to prevent cyber incidents caused by system failures, human error or physical accidents. The strategies should be broader and should focus on building robustness and resilience, the authors argue.
‘In the cyber domain, network segmentation, back-ups and redundancy systems are all examples of measures that may mitigate the risks of both cyberattacks and IT-management mistakes,’ says lead author Johan Turell, Senior Analyst at the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap).
‘In short, we need to think of cyber incident management in terms of building protections against a broad range of threats, only some of them antagonistic. We should focus on making sure that critical infrastructure can withstand pressure, no matter what causes it. Likewise, when critical infrastructure fails in its function, the top priority is to get the lost functionality back; it often matters less whether the failure was caused by an attack or a mistake,’ he adds.
Also important is quick, clear and consistent communication during and after a cyber incident. Between agencies and decision-makers, good communication can help to ensure an efficient and coherent response and to verify information about the incident. Externally, it can help prevent unhelpful speculation about the incident’s origins and scale.