Microsoft Security

Working to increase the cyber resilience of cities around the globe

Paul Nicholas, Senior Director, Digital Trust

A year ago, Microsoft and the Rockefeller Foundation announced that we will be partnering on their 100 Resilient Cities challenge, in an effort to help cities address emerging cyber resilience needs. Our particular objective for joining the effort has been to help cities improve their digital resilience, and ensure that they are better able to withstand and recover from the shocks and stresses that are a growing part of life in the 21st century.

Not a day goes by that we do not read about an organization being targeted by a cyberattack. Any organization or individual, of any size or global standing, is susceptible to a cyberattack. While businesses, governments and individuals are rushing to take advantage of the rapidly developing technologies to deliver a wide array of social and economic benefits, digitalization itself introduces a new range of risks. As a result, we have seen cybersecurity grow beyond being just the responsibility of an IT department to being acknowledged as a company or government-wide issue that carries far-reaching consequences. Moreover, a new discipline – cyber resilience – has begun to emerge, as organizations slowly begin to make a shift from prevention to resilience, focusing on continuous assessment, preparation for, and response to cyber incidents. The realization that those who survive are not necessarily the strongest or the smartest, but those that can best adapt to new circumstances, applies equally well in cyberspace.

While there is no internationally accepted definition of “cyber resilience”, there is a growing consensus that cyber resilience can be defined as the ability of complex cyber systems to continuously deliver the intended outcome despite chronic stressors and acute shocks. Resilient cyber systems also exhibit common resilience attributes, including being (1) aware, (2) diverse, (3) integrated, (4) self-regulating, and (5) adaptive. Additionally, cyber resilience can best be understood, and to some degree assessed, by understanding capacities and capabilities for readiness, response, and reinvention. Given those attributes, it is clear that cyber resilience is not something that an organization – or in this case a city – can purchase from a vendor. It is built through leadership, teamwork, risk taking, trust, flexibility, and commitment to advance and continually reinvent the digital city.

Since the inception of our partnership, my team has worked with individual cities to help them go beyond focusing on developing “safe to fail” approaches, to understanding what the distributed set of capabilities and capacities is that they require to be truly resilient – almost impossible to measure or identify from a strict quantitative perspective.

Through this ongoing work, there is a great opportunity to work with cities across the globe and change the thinking about cyber resilience to be about more than graceful degradation and instead encompass the ability to withstand diminished capacity/capability and to reinvent in the face of prolonged stressors or acute shocks.