News | Oct. 9, 2015

In Discussion with Philip Quade, Chief of NSA Cyber Task Force

What is resilience/resiliency and what does it have to do with cybersecurity?

Resilience is the ability of a system to recover and resume operations, or to continue to operate, in the face of adversity. A common everyday comparison could be how your body confronts, reacts, responds, and recovers during cold and flu season. If you get sick, the focus becomes how quickly you respond and recover from the symptoms and return to normal health. Cyber resilience incorporates the traditional approaches to cybersecurity with a broader emphasis on the prevention of and recovery from malicious attacks.

Many chief technology officers and chief information officers continuously measure the resilience of their organization's systems. If a system is compromised, they want to know how quickly it can respond, evolve, and recover operations. Asking the question: "What would you do differently today if you knew that your system was going to be compromised?" is a good way to start the dialogue about resilience and the next step - regeneration.

Why does it matter to cybersecurity?

The internet and the systems that connect it have become an important part of our American way of life. Everyone should pursue resilience strategically and with automation, given the speed of communication and the growth of malicious cyber events in number, size, and impact. No matter how good our defenses are, we must assume that some attempts to penetrate our networks will be successful.

To secure the nation, we all must assess and improve our systems' resilience. We must use tools that deter and resist malicious cyber activities, and if necessary, help to quickly regenerate back to a resilient state after an attack. The ability to auto-regenerate to a trusted level enables networks to continue functioning to support required operations, whether we are talking about defense, corporate, academic, or critical infrastructure networks and systems.

How do resilience and risk management work together to create a comprehensive cybersecurity plan?

During cold and flu season, you can reduce your risks by getting a vaccination, increasing your intake of vitamins, washing your hands, and cleaning surfaces. And sometimes, you still catch a bug. Similarly, not all malicious cyber risks can be avoided, but planning for a system's automated resilience will directly impact the ability to minimize critical operational impacts.

Everyone needs a comprehensive cybersecurity plan, focused on building, maintaining, and constantly adjusting systems to be resilient. Resilience is achieved through a combination of risk management actions with continuous evaluation of threat, vulnerability, and impact. To manage risk, automated decision-making systems must be informed by more timely and diverse forms of possible factors. In this way, we can measurably improve our confidence in understanding the state of our systems and more effectively manage risk, which is essential for true cyber resilience.

How does NSA contribute to nationwide efforts toward establishing cyber resilience standards?

NSA contributes its intelligence, information assurance, and research expertise to help discover and identify foreign threat actors (assessing their capabilities and intentions), and understand technologies so that we can defend against vulnerabilities. We support Department of Defense and other strategies to deter adversaries by increasing the costs of their malicious endeavors that would otherwise attempt to exploit or harm our vital interests. This helps improve the overall resilience of our networks and systems.

As Admiral Rogers publicly advocates, the key to our future success depends on our partnerships and relationships. No one organization has the resources to do the job alone. The foreign threat to our nation in cyberspace can be addressed only through unity of vision and purpose, and that's why NSA has established strong partnerships throughout the U.S. government. For example, together, we are advancing the vision for information sharing architectures that will create real-time shared situational awareness based on machine-to-machine information sharing. This shared situational cyber awareness supports both individual and integrated response actions to prevent malicious cyber activity and to protect and recover quickly from malicious cyber actions.

What does NSA do to help build resilience into national security systems?

NSA/CSS' information assurance mission is to protect classified national security systems. Developing cyber resilience contributes to that mission.

Cyber resilience, as an enterprise capability, will not be realized through one vendor or product. It will be achieved through leveraging diverse technologies and products that enable a deep understanding of the environment for complex real-time decision making. NSA is collaborating with industry, academia, and other U.S. government research departments to develop cyber technologies that embrace interoperability, open or standards-driven interfaces, data and state sharing, and designs that facilitate integration of the network-owners' unique cyber-defense analytics.

Other than national security systems, where else is resilience important for cybersecurity?

Cyber resilience is a critical business and social issue for our nation. America's national security and economic prosperity are increasingly dependent upon critical communications infrastructures that are at risk from a variety of hazards, including cyber-attacks. These infrastructures are the backbone of our nation's economy, security, and health and require a unified whole-of-nation, whole-of-community effort to maintain secure, functioning, and resilient critical infrastructures. Safeguarding the physical and cyber aspects of critical infrastructures is a national priority that requires information sharing and partnerships at all levels of government and industry. While the majority of our nation's critical infrastructure is privately owned and operated, both the government and the private sector have a shared interest to prevent and reduce the risks of disruptions to critical infrastructures. The need to prepare for all types of events shifts the focus from asset protection to one of overarching system resilience.

How can the development and implementation of resilient systems protect Americans from big corporate hacks or leaks of personal data?

As I mentioned earlier, CTOs and CIOs should consider in advance, "What would I do differently if I knew I was going to be compromised?" Then, they should consider, "What are the bad consequences I need to avoid or minimize?" Finally, they should actively work backwards from there to mitigate them. This means that if you create valuable intellectual property, possess personal/private information, or provide essential services to the public, you would plan not only for deterring and resisting being "hacked" but also for your ability to resist and prevent the identified "bad consequences" while under duress. You may be hacked; resilient systems will not prevent that. But resilient systems would enable the owner of the system to minimize the consequences and recover quickly.

What can a non-government entity do to make its systems and its cybersecurity more effective?

Non-government entities can access many resources to help improve their cybersecurity. NSA provides information assurance (IA) guidance to include the top 10 IA Mitigation Strategies and Security Configuration Guides for a wide variety of software, both open source and proprietary. The National Institute of Standards and Technology published the cybersecurity framework that consists of standards, guidelines, and practices to promote the protection of critical infrastructure; information on the National Initiative Cybersecurity Education; the National Vulnerability Database; and other useful and educational information.

The U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, also has resources for businesses and individual users on cybersecurity.

The good news is that it's rare for an outsider to know a system owner's mission, or the system itself, better than the mission owner. However, each owner needs to capitalize ahead of time from that starting-from-a-position-of-strength posture. Once compromised, you've lost that advantage.

What is the next step required to advance the concept of resilience?

The concept of resilience has been around for a long time. However, auto-resilience, and auto-regeneration, can be thought of as "the next big thing" in achieving resilient systems. We need to make sure that we are thinking several steps ahead to what it's really going to take to have auto-resilient networks and platform capabilities. Fortunately, academic and government researchers have focused recently on the science of auto-resilience; and it will be a relatively short time before network architects and computer scientists can turn the research into practical use.

As the research emerges, it will be important to ensure that context is understood for the wide variety of resilience work already underway. For example, we need to understand the dependencies between physical and cyber resilience, and among mission, IT, and security resilience.

Automation - specifically, real-time orchestration and integration of a variety of security products - is an approach starting to be leveraged in cybersecurity efforts to auto-harden and auto-defend our networks. Even with that in place, it is inevitable that our networks will be attacked. So, auto-resilience is the next logical step to enabling speed in systems recovery and maintenance of functionality.