The claim that any Western information technology dependent society could be brought down by a 15-minute cyber attack has recently provoked intense discussion.
In reality, a well-prepared cyber attack does not need to last for 15 minutes to succeed. After preparations it takes only seconds to conduct the attack, which may hit targets next door as well as those on the other side of the world.
It is the society's capability to withstand the attack that determines whether or not it will lead to all-round chaos ‒ and in what time. As a general rule, it takes a lot longer than 15 minutes for all consequences to manifest themselves and for the society to absorb and react to them. Re-establishing the equilibrium that existed in the society before the attack may take years.
There is no such thing as absolute security; neither in the physical nor in the virtual world. While technology entails a promise to eliminate human error from the threat catalogue through automation, it brings novel and constantly evolving threats.
Information technology vows to enhance situational awareness necessary to the production of security, yet carries even unknown vulnerabilities with it. Incomplete security is nothing new in itself, but the enmeshment of physical and virtual worlds creates new kinds of security opportunities and needs that societies have to address.
Today's overall threat catalogue is versatile and in constant change. As it includes both un-emerged and just gradually appearing threats, it forces societies to plan and prepare also for the unknown. Preparing for the unknown can only take place through strengthening the society's resilience.
Resilience stands for the continuation of operations even when the society faces a severe disturbance in its security environment, the capability to recover from the shock quickly, and the ability to either remount the temporarily halted functions or re-engineer them.
Resilience is a multidimensional phenomenon. It affects societies at present, yet even more their futures. It is required from both physical and virtual systems, and from their intermingled reality. Resilience is not only a headache of the decision-makers trying to secure the functions vital to society at any time, but also a feature of states, organisations and corporations, as well as that of individuals.
The society's overall resilience builds upon the capabilities of its constituting parts to prevent and resist exceptions from the ‘business as usual' ‒ as well as to adapt to them rapidly and flexibly.
The Cabinet Office in the UK categorises resilience into ‘infrastructure resilience', ‘community resilience' and ‘business continuity', and ‘corporate resilience'. All of these are deemed important for the survival of the society in the contemporary security environment. Resilience is not only a physical but to a large extent a mental feature.
Hence it also entails, for instance, the capability to make justifiable decisions and act upon them under distress. Tolerance for crisis should be seen as a function vital to society.
The Western societies are used to the prevailing state of peace and have managed to construct well-functioning societal operations based on the utilisation of technology.
As a drawback to this state, which in itself is worth pursuing, they have lost some of their capability to survive. Especially, their mental ability to deal with distress is declining for the lulling belief that no major things can go wrong. This can lead to a situation in that the physical features of the society recover from an attack relatively quickly, but the poor mental tolerance keeps the society from re-balancing itself for years or decades.
Developing and maintaining resilience is a central demand presented by the contemporary security thinking. Its importance will only become highlighted in the future as the world becomes ever more interconnected, threats more complex and addressing the complicated security questions requires cooperation.
Resilience enables both efficient operating in times of distress or conflict and smooth functioning of society or any of its constituting parts anytime ‒ as well as people's trust on the aforementioned.
The intertwined nature of physical and virtual worlds requires that preparation, action and education take place in the intermingled reality. This enables the utilisation of opportunities that information technology and cyber space create without exposing oneself to unnecessary risk.
Even the virtual world, that relies heavily on automation, does not always function. Minor disturbances in it, such as temporal interruptions in communications networks or defunct ATMs, are only beneficial, because we tend to trust too much on the operability of bytes. If bytes do not function, we become helpless.
Temporal cyber disturbances and shocks will always happen. This is important, because they keep societies alert and able to both react and pro-act. As a result, building resilient societies is vital for anyone's survival for the future ‒ that is a fact.
It depends on the success of this building project whether cyber attacks can or cannot bring societies to their knees in indefinable time.
Jarno Limnéll is director of cyber security at Stonesoft