Published on April 12, 2017 by Paul Nicholas
According to Murphy’s Law: If anything can go wrong, it will.
And when we think about how cyberthreats or natural disasters could impact some of our world’s largest cities, it’s important to plan and prepare for the potential worst-case scenarios.
As cities continue to develop resilience capabilities, they are becoming keenly aware that their resilience increasingly depends on the smooth functioning of information and communications technology (ICT). City managers rely on information technology, cloud services and the data they generate to manage and improve day-to-day operations, make decisions, boost efficiency and control costs. Technology is embedded in our urban DNA. However, just as technology helps urban centers thrive, it also brings new risks. Cities are more and more becoming targets of opportunity because of poor cybersecurity practices, and targets of intent for a range of sociopolitical reasons. A city may first begin thinking about ways to improve cybersecurity and then realize that they have an even bigger challenge – cyber resilience.
Many people struggle with the difference between cybersecurity and cyber resilience. My observation based on discussions with customers and policy makers around the world is that cybersecurity can feel like an exclusive issue that can only be addressed by technical experts, while cyber resilience is more inclusive and focused on the outcomes that are needed to create opportunities and options.
That’s why today we are sharing guidance to help cities plan ahead not just for the inevitable crisis, but improve their ability to deliver innovative approaches both in a crisis and after. The white paper titled, "Cyber resilience: Digitally empowering cities" is intended to help cities identify and develop the capabilities they need to help their communities become more cyber resilient.
The paper offers five steps to guide cities through this process:
- Identify key threats and assess their impact on critical cybersystems and functions.
- Classify and prioritize critical services.
- Set cyber resilience goals and objectives.
- Develop cyber resilience outcomes and identify capabilities.
- Determine the resources needed and define roles and responsibilities.
We know that our world is becoming increasingly urban – by 2050 the population in urban centers is expected to grow 66 percent – and by 2025 most of the world's data will move through or be stored in the cloud at some point. And because anyone is susceptible to cyberattacks, city planning for cyber resilience is crucial.
City leaders must plan for cyberthreats such as information theft, integrity breach or disruption of services and should also consider the likelihood of natural disasters in their regions such as earthquakes, floods or hurricanes. Becoming cyber resilient can help lighten the load of uncertainty when one of these unforeseen events happens.
Cyber resilience can best be understood through a city's capacities and capabilities for readiness, response, and reinvention:
- Readiness. To plan for long-term readiness, you must identify assets, assess and manage infrastructure risk, develop capabilities to respond to and recover from disruptions, and invest in research, education and practices that contribute to long-term cyber resilience goals.
- Response. Using the plans and strategies set in place during the readiness phase, resilient entities continue to function during a crisis and regain functionality quickly. A resilient response is also adaptive and flexible. If a city is unable to adapt to unknown variables that may not have been part of its readiness preparation, it will not be able to regain functionality quickly. The responsiveness of a city to a crisis directly impacts and influences the reinvention phase.
- Reinvention. Learning from and improving on existing plans and strategies is essential to cyber resilience. After the crisis has passed, evaluation is key: Identifying what was effective and where the response was problematic; developing a plan for improvement; and then implementing that plan. It is important to think beyond short-term gains, and to constantly look to the vision of the city's resilience for ways to reinvent its approach and innovate.
Cyber resilience is an emerging discipline and one that only a handful of cities have begun to undertake.
As cities begin to consider cyber resilience and create plans, it will be essential that they determine what cyber resilience means for their unique city first and we hope this information will help provide actionable steps for city leaders who want to begin making their cities more cyber resilient.
About the Author
Microsoft Trustworthy Computing Senior Director
Paul Nicholas is a Senior Director for Microsoft's Trustworthy Computing. He leads the Global Security Strategy and Diplomacy Team which focuses on advancing cybersecurity, cloud computing and risk management. Prior to joining Microsoft in 2005, Nicholas spent eight years in the U.S. Government, focusing on emerging threats. During this time, he served as White House Director of Cybersecurity and Critical Infrastructure Protection, a senior policy advisor in the U.S. Senate and a Department of Defense analyst.