The claim that any Western, information technology dependent society could be brought down by a fifteen-minute cyber attack has recently provoked intense discussion.
In reality, a well-prepared cyber attack does not need to last for 15 minutes to succeed. It takes only seconds to conduct an attack that could hit targets next door or on the other side of the world.
Society’s capability to withstand the attack determines whether or not it will lead to chaos – and in what time. As a general rule, it takes a lot longer than 15 minutes for all consequences to manifest themselves and for Society to absorb and react to them. Re-establishing the equilibrium that existed before the attack may take years.
There is no such thing as absolute security; neither in the physical nor in the virtual world. While technology could eliminate human error from the threat catalogue through automation, with it brings novel and constantly evolving threats. Information technology vows to enhance situational awareness for security, yet carries unknown vulnerabilities with it. Incomplete security is nothing new in itself, but the enmeshment of physical and virtual worlds creates new kinds of security opportunities and needs to address.
Today’s overall threat catalogue is versatile and in constant change. As it includes both unemerged and just gradually appearing threats, it forces Society to plan and prepare for the unknown. Preparing for the unknown can only take place through strengthened resilience. Resilience refers to the continuation of operations even when Society faces a severe disturbance in its security, the capability to recover from the shock quickly, and the ability to either remount the temporarily halted functions or re-engineer them.
Resilience is a multidimensional phenomenon. It affects Society at present, but will affect its future even more . Resilience is not only a headache for the decision-makers, but also a feature of states, organizations, corporations, and individuals. Society’s overall resilience builds upon the capabilities of its parts to prevent and resist exceptions from the usual and adapt to them rapidly.
Resilience can be categorized as “infrastructure resilience,” “community resilience,” “business continuity” and “corporate resilience.” All of these are important for the survival of Society in a contemporary security environment. Resilience is not only physical – it is mental as well. Hence it also includes, for instance, the capability to make justifiable decisions and act upon them under distress. Tolerance for crisis should be seen as a function vital to society.
Western societies are used to a prevailing state of peace and have managed to construct well-functioning societal operations based on the utilisation of technology. As a drawback to this state, however, they have lost some important survival capabilities. Their mental ability to deal with distress is especially declining because of the lulling belief that nothing can go too wrong. This belief can lead to a situation in which the physical features of Society recover from an attack relatively quickly, but poor mental tolerance keeps it from re-balancing itself for years or decades.
Developing and maintaining resilience is a central demand presented by contemporary security thinking. Its importance will only heighten in the future as the world becomes more interconnected, threats become more complex and cooperation becomes a necessity to address complicated security questions. Resilience enables both efficient operating in times of distress and smooth societal functioning. The intertwinedness of physical and virtual worlds requires that preparation, acting, and learning take place in the intermingled reality . This enables the utilisation of opportunities information technology and cyberspace create without exposing oneself to unnecessary risk.
Even the virtual world breaks sometimes. But minor disturbances, like temporal interruptions in communications networks or defunct ATMs, are only beneficial because we tend to trust the operability of bytes too much. If bytes do not function, we become helpless.
Temporal cyber disturbances and shocks will always happen. This could save us, because they keep us alert. Our future depends upon our resilience and our resilience depends on Society’s ability to protect itself from cyber attacks.