Strengthening cyber resiliency through collaboration

According to the National Institute of Standards and Technology (NIST), cyber resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Resilience focuses on reducing the consequences that could be caused by a cyber incident. The more resilient an organization is, the greater its ability to bounce back after a cyber incident or maintain mission-essential functions in a degraded environment. 

Resilience denies an adversary the benefits they seek, potentially serving as a deterrent by altering their cost-benefit analysis. For a municipality or business, for example, resilience in the face of a ransomware attack provides more time and options in deciding how to respond to the attacker’s demand.

To truly strengthen cyber resiliency, the federal government, state and local governments, quasi-governmental entities, and the private sector must work closely together, particularly to understand changing vectors for disruption and the potential cascading effects that a single entity may not be able to anticipate or mitigate.

As with any type of relationship, sharing information and insights is a significant component of this collaboration. Assessing and prioritizing consequences to critical infrastructure requires input from businesses and governments, particularly when trying to understand the full impact of a cyber incident.

Creating a Culture of Transparency

Although sharing information is key, creating a culture of transparency isn’t always easy. Private sector organizations are often reluctant to share information about the impact of cyberattacks because they are concerned about optics, potential liability and regulatory action, and the implications for their bottom line. In some cases, organizations may have lingering concerns about the government’s ability to protect their information despite the government’s excellent track record of doing so. Many companies look at these costs and believe they outweigh any expected benefits they may get from sharing information.

In the face of these costs, information sharing will be more likely if seen as furthering operational collaboration and resilience. Entities like the Cyber Threat Alliance, which Fortinet helped establish, have already demonstrated that sharing threat intelligence and working with private or public threat intelligence organizations can improve protections for organizations of all sizes and across all industries, enhancing the effectiveness of the entire cybersecurity industry. This same collaborative spirit must be brought to the mission of building resilience. Everyone must work together to disrupt adversaries’ efforts at as many points as possible. Every individual and organization in the industry has a role to play.

A good example of this type of collaboration is the Joint Cyber Defense Collaborative (JCDC). In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) established JCDC to bring together public and private entities to further operational collaboration by gathering, analyzing, and sharing actionable information to proactively protect and defend against cyberthreats. Fortinet is a member of the JCDC, and this collaboration is an example of how the public and private sectors can work together to improve our nation’s cyber resiliency. So are the information-sharing models established between the government and sector-specific Information Sharing and Analysis Centers (ISACs).

Developing the Cyber Workforce to Build Resiliency

Staying vigilant against cyber risk is a lot of work, and security staff burnout is a key concern. This problem highlights a critical piece of enhancing cyber resilience. A fully staffed and prepared workforce is essential to continue operations at high levels through a prolonged crisis and in the face of increasingly sophisticated threats. And preparedness needs to go beyond IT staff. At a minimum, all employees must be trained to follow basic cyber-hygiene protocols. This training is important not only to help with prevention but also to help with the situation once an incident occurs. A disciplined workforce can take steps to help contain the situation.

The next step is training the workforce in continuity of operations. This type of training and associated exercises should always include an element of cyber disruption so workers are prepared. They need to be able to manage smaller cyber disruptions, not just larger cyber incidents. Backed-up data is only useful if the staff knows how to access and work with that data. Similarly, plans to move to analog processes must be exercised to ensure a smoother transition in the event of disruptions to the network. A well-trained workforce can keep the lights on and be better able to come up with innovative ways to build greater resilience in the future.

One example of efforts to address this issue is the White House’s National Cyber Workforce and Education Strategy (NCWES), developed by the Office of the National Cyber Director as part of the 2023 National Cybersecurity Strategy to expand the national cyber workforce, increase its diversity, and expand access to cyber education and training. Implementation of the NCWES will expand opportunities nationwide for good-paying, middle-class jobs in cyber with commitments made from public and private sector organizations, including Fortinet. A robust and diverse workforce strengthens resiliency, allowing innovation and promoting continuity.

Fortinet is supporting the NCWES and, tied to this initiative, is also deploying its information security awareness and training service customized for the education sector. A continuation of Fortinet’s 2022 commitment to close the cyber skills gap, this training is available at no cost to K-12 school districts and systems across the United States. This initiative further contributes to Fortinet’s pledge to train 1 million people in cybersecurity by 2026.

Building toward Resilience

Cyber resiliency is a challenge that crosses political, geographic, and technological borders. Protecting the ever-expanding attack surface and building toward true cyber resilience will require an integrated response involving both government and the private sector.

Suzanne Spaulding is a member of the Fortinet Strategic Advisory Council, former undersecretary for the Department of Homeland Security (DHS), and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS).
