Resilience in a Digital World

Matthew J. Butkovic,
Risk and Resilience Technical Director, CERT Division
Software Engineering Institute, CMU

Systems essential to sustaining a modern society are digital, interconnected, and subject to attack. A cybersecurity hub, Pittsburgh has been in the vanguard of defending these systems since the dawn of the Internet. The Software Engineering Institute (SEI) at Carnegie Mellon University (CMU) established its CERT Division in 1988 in response to the first significant network malware, the Morris Worm. The product of a misguided Cornell University graduate student, the episode had limited consequences. Compare this to the chaos and physical danger created when sophisticated international attackers managed to impair operation of the Colonial Pipeline in spring 2021. Unfortunately, examples abound of weaponized cyberspace endangering national security, economic prosperity, and ultimately human life. CERT evolved as cyber threats and their consequences evolved. More than 30 years after our founding, we remain committed to developing and transitioning tools to reduce cyber risk.

The Russian invasion of Ukraine is unfolding with tragic loss. It may also destabilize cyberspace. Nations are turning to cyber as the new asymmetric method of projecting power and harming adversaries. Because every citizen and every organization is a potential target in this domain, it is essential to take steps to reduce the likelihood of being successfully attacked. A key CERT partner and valuable security resource toward this end is the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. CISA offers tangible guidance on how to best ensure that your defenses, and those of your organization, are prepared to thwart cyberattacks. CISA’s Shields Up website is an excellent source of free expert guidance. The agency’s critical infrastructure sector web pages also provide detailed profiles of and plans for protecting the 16 sectors of the U.S. economy identified in Presidential Policy Directive 21 as essential and vital for national security and public safety.

Strive for Cyber Resilience

Resilience is the emergent property of returning to an intended state after a disruptive event. Organizations and individuals will experience cyberattacks and disruption of key activities, because there is simply no way to comprehensively mitigate all cyber risk. Striking a balance between investing in capabilities to defend and investing in capabilities to recover from disruptive cyber events is a key decision. The Cyber Risk and Resilience Directorate of the SEI’s CERT Division focuses on two essential tasks: assisting organizations in improving their cyber defenses, while preparing them for the worst-case scenario. Together, these help transcend cybersecurity and strive for cyber resilience.

The Colonial Pipeline was attacked for reasons of extortion in the form of ransomware. What happens when the attacker isn’t seeking money but, rather, wants to fundamentally degrade its adversary? Ukraine experienced this scenario in the winter of 2015 when a Russian cyberattack on the power grid left 230,000 consumers in the dark. A year later, another Russian cyberattack plunged one-fifth of Kyiv into darkness. These incidents highlight the importance of proactively updating software to mitigate vulnerabilities, while also establishing a plan to recover from a disruptive event. The worst time to contemplate recovery is at the time of need. Individuals and organizations alike need to identify critical data and systems and ensure that they have a viable recovery method. Resilience is weathering the unavoidable storm and requires prioritizing and planning.

The proto-Internet of 1988 connected 500,000 users–an astonishing number at the time–in new and novel ways. The Internet of 2022 connects 4.95 billion people: 62.5% of the world population. The Internet is now ubiquitous and has reshaped our lives and economies. But vigilance is required to safely use the Internet. Resilience is necessary to prevent our dependence on technology from becoming a weakness exploited by adversaries. The CERT Division of the Software Engineering Institute will continue to lead efforts to enhance the resilience of critical infrastructure and reduce the risk of a catastrophic cyberattack.