ICI Global Cybersecurity Forum 2015 Keynote: Cyber Resilience

Yesterday I was lucky enough to be given the opportunity to deliver the keynote for the ICI Global Cybersecurity Forum in London. It was a great event with some seriously considered debates, some well run panels and lot of practitioners I hadn’t met before. I’ve decided to publish my speaking notes here, I rambled all across these notes and embellished in many places but these reflect the main body of my speech. I was especially pleased with the level of engagement after I spoke, mostly to prove I wasn’t as bad as I feared, but also it showed I had touched a nerve with many on the room.

I include my speaking notes below, these borrow heavily from a draft whitepaper I have been writing and sharing with clients and other stakeholders for their comments.

 

Introduction

Good afternoon and thank you for the invitation to speak with you today.
I am going to talk to you about my views on the developments of cyber security, especially cyber resilience in the context of the regulatory environment in the UK. I apologise for the parochialism when talking to a global audience but I believe the innovation by the UK regulators in this area is likely to influence regulatory regimes worldwide.

I would like to start with a quote from 2013, somewhat old in Internet terms, from Andy Haldane, the Executive Director of Financial Stability at the Bank of England from 2013:
The focus on credit, market and liquidity risk over the last five years may have distracted attention from operational, and in particular cyber risks, among financial institutions and infrastructures. This is a rapidly rising area of risk with potentially systemic implications.
There are two main takeaways from Mr Haldane’s comment, the Bank of England see’s cyber as a systemic resilience issue and also an issue that regulators need to actively address. I will return to the Bank’s concerns later.
I’m going to tell you two thing that are not news, there are innumerable vendor and government reports supporting my assertions and the Financial Times has done a sterling job disseminating these cyber threat reports at board level:

  • Firstly we are all increasingly digitally-enabled businesses with internet-dependent customers internet-connected supply chains, our exposure grows.
  • Secondly our adversaries have industrialised, automated, outsourced, collaborated and innovated at a rate that we can only dream of in our core businesses, the threat we face grows.

These facts mean we are now exposed to a significantly higher level of cyber risk than ever before.
We have entered a ‘new normal’ where a breach is not a rare event and not unexpected. I spend much more of my time helping businesses, and I mean the wider executive teams outside of security and outside of technology, prepare in advance of cyber incidents now than I used to only a few years ago.
The fact that a breach occurs is for many businesses, especially those in the USA, now less of a reputational risk than how they handle the breach in the public eye.A fudged and poorly thought out public response damaging brand reputation is now the main risk for many large institutions who can easily absorb the costs of most cyber breaches.
The new normal has driven us to advance the art of cyber resistance, the management and minimisation of cyber-attacks. New measurements of key aspects of our performance have emerged such as our Mean-Time To Detect attacks and Mean-Time To Respond to attacks.

Cyber Resistance
We are seeing a number of key characteristics emerge in the development of the art of Cyber Resistance in leading firms including:

  • A mature controls environment – Threat-focused cyber controls, incorporating both technical and business controls in a single controls design as well as more reliable testing of control effectiveness and measuring of control coverage.
  • Good Cyber Risk Decisions – Including a clear, communicated and understood risk appetite, regular communications that address the threats honestly and with direct application to both staff and management decisions.
  • Consciously Secure Designs – Building threat-modelling into the design of new products, new services, new processes and new systems rather than as a reactive bolt-on.
  • Increased Technical Agility and Adaption – The ability of the organisation to change and alter the technology it relies on in response to changing threats and at pace during cyber-attacks.
  • Experiential Learning & Threat Simulation – The use of threat-driven Scenario Planning to develop Table-Top Exercises and Red-teaming in order to develop management ‘muscle-memory’ in advance of a cyber-attack.
  • Situational Awareness – The cyber professionals understanding of the organisations strengths, weaknesses, assets and critical business processes as well as likely adversary tactics, targets and capabilities. The ability to use this understanding to provide context to both internal and external collected cyber-relevant data.

For more advanced firms we are starting to see Cyber Threat Hunting as a distinct, funded and staffed activity. This is extending the concepts and capabilities of Incident Response to proactively hunt for indicators of compromise in advance of the detective controls identifying them.
These leading practices are developing ahead of the standards in the field, which is to be expected, but this is also a developing problem in its own right, we are hard put to measure the current state of the art in each other and in our supply chains. This will improve but points to the fact that current standards are likely to be updated and refined as we progress.

Residual Risks and Big Risks
We have seen large institutions invest in major cyber resistance programs as they inadvertently find themselves on the “leading edge of adversary innovation”.
These programs are necessary but they are not enough, they require extensive, enterprise-wide commitment, skills and funding but still will not mitigate every threat due to constant and rapid organisational change and an aggressive job market for cyber professionals.
The technical solutions we deploy are increasingly specialised to specific threats and as such are fragile to our adversaries changing tactics and innovation.
Cyber Resistance is hard, we are getting better at it but institutions are still left holding residual cyber risks despite their well-funded and resourced efforts.
In addition to residual cyber risks the new normal masks the big risks we tend not to address, the systemic risks that we feel are too big for us to manage, that fall outside our individual organisational boundaries and in some cases the sector-wide risks we assume we will ride out as long as they happen to our peers at the same time. These systemic risks shock an institution from the state of operating normally to a state of being unable to operate and requiring fundamental strategic and tactical business decisions to be taken to ensure some form of survival. These big risks potentially breach our cyber levees and leave us looking for the cyber equivalent of shelters and evacuation plans to allow the institution to survive.

At this point we need to move beyond merely building Cyber Resistance to building Cyber Resilience.

Cyber Resilience
Cyber Resilience is a term that is increasing in usage, especially among the regulators such as Mr Haldane I quoted earlier. The definition hasn’t ‘settled’ yet but I suspect will eventually be driven from the financial resilience model the regulators have been following since 2008. We have been treating resilience as an institutions ability to recover from major shocks that interrupt normal operations as well as the institutions ability to learn from these experiences.
There is much to be learnt from fields including:

  • Resilience Engineering which has decades of safety research behind it
  • Ecosystem Resilience which has practical application of measurement techniques to learn from
  • Catastrophic Disaster Response which is providing plenty of examples of how a lack of resilience plays out in practice as well as some of where unexpected depth of resilience has been found.

There are some characteristics of cyber resilient institutions I think are important that builds on Stroz Friedberg’s extensive experience in managing major cyber breaches, our pro-active strategic consulting as well as our research into the fields mentioned above:

  • Situational Awareness remains a key characteristic but there is a keen need to identify micro and macro feedback loops for the early detection and response to potential shocks and a counter-intuitive need for localised feedback loops leading to faster and smaller localised decisions and actions.
  • Technical Agility and Adaption of the firm is also a key characteristic that resilience shares with resistance where the ability enact some of the fundamental strategic and tactical business decisions in major shocks will be a key factor in the resilience of the business.
    Areas beyond the traditional Cyber Resistance characteristics include:
  • Diversity of Cyber Capacity – The redundancy, the depth but also critically the heterogeneity of an institutions digital and cyber resources. Not just technology but also the staff.
  • The Pace of Decision Making across the firm – the time it takes the board and executive management to convene enterprise wide ad-hoc decision making groups, provide feedback to these groups, for these groups to make decisions.
  • The Organisational Readiness and Business Problem Solving – the ability of the business to mobilise capable resources and adapt business processes and operations to accommodate unexpected events during a crisis across an entire enterprise.
  • The Security Teams Initiative and Problem Solving – the ability of the security team to identify and respond effectively and at a pace to match the pace of events. Key to this is understanding how to help the business fail-safely.

Challenges

The combination of increased technical agility and adaption and increased diversity of cyber capacity is undoubtedly contentious, it challenges the orthodoxy of IT efficiency. It also challenges the orthodoxy of redundancy as a key factor in resilience.
Unfortunately it appears that highly-optimised and efficient organisations are likely to be much more fragile. This will drive increased costs as we look for more resilience and will be one of the most difficult cultural barriers we will face.
It is also the case that a spare of the same system that is already compromised is likely to be compromised in exactly the same way leading to little cyber resilience gain. Straight redundancy isn’t enough anymore and the explaining of this to non-experts who have been told this is the answer to resilience for years is going be interesting.
There is also a real challenge to some sub-sectors such as Financial Markets Infrastructure providers whose resilience focus to date has been on a relentless pursuit of a 2 hour Recovery Time Objective. This no longer makes sense in major cyber events where it can take weeks or months to understand what happened and recover. A new approach is needed.

Regulators
I started this speech with a quote from the regulator worrying about the management of cyber risks.  Since that statement the Bank have gone on to develop an outcomes-focused cyber programme to identify issues in systemically important institutions and set the tone for the rest of the sector.
CBEST is the first example of this new thinking where the Bank has curated a market in red-teaming to develop the capability to measure the effectiveness of organisations cyber resistance rather than review control selection and implementation. While focused on the systemically-important firms CBEST is not only here to stay (The June 2015 Financial Policy Committee minutes [PDF] make this clear) but a mooted ‘CBEST-Lite’ is on the cards for less scrutinised institutions. I advise every financial institution to understand CBEST and conduct a CREST STAR red-teaming exercise or similar as soon as possible.
There remains serious regulatory concern on this issue as the following quote from the Financial Policy Committee in December of 2014 highlights:
There is … “A tendency among firms to view cyber threats as a technical problem, rather than an issue which merits Board-level attention given the evolving nature of cyber threats and the key importance of cyber resilience to continuity of financial services
I highlight the regulatory concern as there is another major risk factor approaching for the people in this room, the potential designation of asset managers as non-bank systemically important financial institutions or non-bank SIFIs. This will not only bring a regulatory focus on capital requirements and resolution plans but ‘bumps’ the designated institutions up the list for attention on cyber security by the regulators and will again set the trickle-down expectations for non-designated asset managers.
The June 2015 Financial Policy Committee minutes have also identified the need to develop individual firm cyber resilience action plans.
This makes a conversation with the regulator on cyber resilience a much more likely outcome for the larger firms in the room and the results of those conversations likely to become de-facto acceptable practices for everyone else.
In our experience when the regulators are engaging with firms on the cyber programs they are considering four key aspects:

  • Effectiveness – of the management of the risk (CBEST)
  • Appropriateness – to the risks the firm faces
  • Proportionality – To the scale and the margins of the firm
  • Feasibility – Of planned improvements in terms of timescales and the capability the firm currently has

I suggest to the room that critically and honestly considering your own cyber resistance and cyber resilience in the light of these four aspects places you in a very strong position when you come to have a conversation with both your regulators and more importantly your boards.

Conclusion
The rapid adoption and development of current cyber resistance practices is here now and there is much to be learnt from the leaders in this space.
I encourage you not only to form your own communities of practice such as the ICI security committees but also to engage with those institutions who have been on the front line and have learnt through bitter experience. Information sharing is not limited to technical Indicators of Compromise and should include sharing of practices and experience.
On the horizon is the development of institutional cyber resilience likely driven by the regulators growing understanding of systemic risks and solutions.  I encourage you to start assessing your Cyber Resilience in the face of a major cyber shock. Building resilience takes time and it’s not a technology game. It requires the institution as a whole to participate.
Thank you for your time, the one resource we cannot buy more of.