Cyber: Building National Cyber Resilience | ADM May 2012
By Jeremy Lindeyer | 15 June 2012
Australian Governments, industry sectors, and communities
recognise cyberspace as an essential and non-negotiable enabler of national
power, economic prosperity and social amenity. However, the use of cyberspace
is at a crossroads: the gap between our nation’s collective cyber defences and
the capabilities of cyber-adversaries is enduring and widening.
Almost every major organisation with a cyber-presence has likely been
compromised – the majority unknowingly. Cyber espionage, fraud, theft and
sabotage are rife, with increasingly catastrophic impact, exposing national
secrets, ruining corporations, or threatening citizens’ safety. Being “owned” is
likely not a matter of if, but when. The ‘thousand cuts’ inflicted by
cyber-adversaries have the potential to erode our global competitiveness and
economic wellbeing.
However, we have options. We can continue to try to match individual
cyber-security capabilities against resourceful, agile and persistent threats
that can defeat even the strongest defences. Or, we can change the game in two
ways – by becoming individually cyber-resilient as opposed to merely
cyber-secure, and by harnessing the power of communities to strengthen
collective cyber-resilience.
At the individual or institutional level, cyber-resilience involves thinking
through how we create value through a cyber-presence, the threats we face, and
how we can rapidly deter, detect, mitigate, respond to and recover from
inevitable cyber events. Captured in a cyber-resilience strategy, such thinking
should tightly integrate cyber security measures with enterprise risk,
response, and continuity management to maximise their collective benefit
before, during and after a cyber event.
At the sectoral level, organisations have the opportunity to overcome their
individual limitations by leveraging collective best practice, resources and
shared capabilities. This involves participants building a high-trust
collaborative network of fellows (that may include competitors), and embracing
collective resilience objectives.
Neutral parties, such as governments, can operate as catalysts – to inform,
facilitate and broker a collective cyber resilience strategy, overcoming such
inhibitors as competitive pressures or legal barriers to information-sharing.
At a national level, resources are limited and hard choices are needed between
competing institutional and sectoral priorities. An effective national cyber
resilience strategy requires a “megacommunity” of government, industry and
civil society organisations thinking through and negotiating the priority of
national assets, threats and investments, with the assistance of enablers such
as a nationally consistent cyber impact assessment methodology.
Through collective cyber resilience at the institutional, sectoral, and
national levels, we have the opportunity to change the way the game is played
with our cyber adversaries, increasing the cost of attack while reducing the
likelihood of compromise – and simultaneously reducing their impact on
everyone.