Recent high-profile cyber-attacks on Australian companies have raised temperatures—again—in the policy debates inside Canberra. The political imperative, often driven by media reporting, is to be seen to ‘do something’. Ministers understandably become frustrated at the public service’s apparent inability to deliver.

The risk, of course, is that knee-jerk reactions can exacerbate the problem. And cyber is not something that is susceptible to silver bullets. 

Early on, Minister for Home Affairs and for Cyber Security, Clare O’Neil, sought to establish a more balanced, less agitated approach to cyber, reportedly tasking her department with overhauling the government’s cyber security strategy, aiming to be much more consultative, to generate a whole-of-nation capability, and to build resilience. 

While we’re waiting to be engaged on a new cyber strategy, it’s worth dwelling on that last point—the notion of resilience.

Resilience as a concept has a strong pedigree in a range of disciplines, including social work, adolescent health and psychology, urban studies, and ecology. It transitioned from the disaster management domain into the ‘all-hazards’ approach popular in national security after the events of 11 September 2001. Since the Inaugural National Security Statement of 4 December 2008, it has cemented its place in the Australian policy lexicon. With global pandemics, bushfires, floods, supply chain shocks and potential energy crises, the emphasis on resilience is of little surprise.

But care is needed. Loose concepts invoked excessively become overburdened with implied meaning—‘suitcase words’—and diminish in value. Resilience risks such a fate.

Applied to cyber, resilience can suffer from both category and attribution error. Resilience at the organisational level is different to resilience at the societal level, and different again at the level of the individual and the small business. Responsibility and agency similarly differ at each of those levels.

Let’s start with definitions. Resilience is broadly understood to refer to the ability of an entity to overcome adversity, to adapt and persevere in new, disruptive conditions, while retaining its identity. In cyber, it generally means surviving and recovering from an attack, data breach or ransomware.

Strategies include absorbing a disruptive event, adapting to it, and/or recovering from it. None of those options are cost-free; preparing for any or all requires effort, resourcing and the ability to act. 

Comparatively well-resourced organisations are best placed to assess the relative costs and benefits of adopting a resilience approach to their cyber posture—and to fund changes accordingly. There is no shortage of advice as to how they can adopt best practice suited to their specific industry, technology stack and business model.

Resilience is different at a societal level. There, it is an emergent property of the structures, behaviours, actions, and incentives of all the actors in the society and economy—including threat actors. Governments cannot demand or program resilience at this level—indeed, strong societies frequently exist alongside weak states. Look at the South Pacific. Social resilience draws upon different wells than political resilience.

That presents policymakers with several challenges. Patience is one—hard as it is in the noisy, attention-grabbing, and protean cyber world. A second is knowledge. At best, policy models are abstractions, their utility and value limited by their underlying assumptions. Those assumptions may be misaligned, misleading, or even reflect the conditions of past eras—the equivalent of fighting the last war.

So a useful outcome of the strategy would be continual, open-source testing of assumptions and stress testing of systems. After all, one characteristic that has emerged after over 30 years of cyber activities is that democracies are macro-resilient, if micro-vulnerable.

That leads to the third level—the atomised real world, and the often-devastating effects of the micro-vulnerabilities that prevail there.

Those at the small end of the organisational and resource scale—small companies or partnerships with few spare resources, and individuals—are particularly vulnerable and rarely resilient. They rely on others—for example, for the availability and security of storage in the cloud—and often enjoy little visibility, control or recourse. In terms of the three strategies sketched above, they have not the wherewithal to absorb, nor the control to adapt, nor their own means to recover.

Photo: Graffiti art, Southwark, London, October 2022

True, trying to ‘solve’ cyber is a fool’s errand. Cyber vulnerabilities are (another) feature, not simply a bug, that cannot be eliminated from the digital systems on which our economy and society depend. A more insidious, unintended consequence of the emphasis on resilience is that it transfers risk, often to those least able to manage it. Without care, it says ‘we all know we are going to be attacked; you failed to be sufficiently resilient and are therefore the party at fault.’

In short, cultivating resilience against inevitable failures still makes sense—even more so, as geopolitical tensions rise. But resilience is not a cost-free nor a one-size-fits-all policy instrument. Minister O’Neil’s desire that a new strategy should ‘deal with cyber shocks in an assured, not anxious way’ would be well served by a nuanced, strategic approach to resilience.