Resilience better than deterrence in managing cyber incidents: SIPRI
Stockholm, 28 September 2020: Cyber incident management strategies should prioritize making systems—and societies—more robust and resilient to a broad range of cyber risks, rather than focus narrowly on preventing and responding to cyberattacks, argues a new SIPRI Policy Paper released today.

The study team analysed the response to nine cyber incidents (events that adversely affected the security of a network or information system) in Estonia, Finland, Japan, Singapore, South Korea and the United Kingdom. In particular, they looked for practical lessons on how states and national crisis-management agencies can prevent cyber incidents from escalating into crises.

‘Uncertainty about the cause of an incident and about what is being done to remedy it often leads to public speculation that it is a cyberattack. This in turn can put pressure on governments to respond in ways that could create political tension between countries,’ says Dr Vincent Boulanin, SIPRI Senior Researcher and co-author of the report.

Cyber security tends to be dominated by defence and intelligence thinking. However, strategies based on deterring cyberattacks do little to prevent cyber incidents caused by system failures, human error or physical accidents. The strategies should be broader and should focus on building robustness and resilience, the authors argue.

‘In the cyber domain, network segmentation, back-ups and redundancy systems are all examples of measures that may mitigate the risks of both cyberattacks and IT-management mistakes,’ says lead author Johan Turell, Senior Analyst at the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap).

‘In short, we need to think of cyber incident management in terms of building protections against a broad range of threats, only some of them antagonistic. We should focus on making sure that critical infrastructure can withstand pressure, no matter what causes it. Likewise, when critical infrastructure fails in its function, the top priority is to get the lost functionality back; it often matters less whether the failure was caused by an attack or a mistake,’ he adds.

Also important is quick, clear and consistent communication during and after a cyber incident. Between agencies and decision-makers, good communication can help to ensure an efficient and coherent response and to verify information about the incident. Externally, it can help prevent unhelpful speculation about the incident’s origins and scale.

‘A lesson from our case studies is that well-thought-out mechanisms for handling communication are critical to successfully manage the societal and political impacts of a cyber-incident,’ says Fei Su, SIPRI Researcher and co-author.