In a last few months, resiliency became most used word in the Governments around the world. Resiliency is important to all of them, and it is kind of a milestone for all of us, finally accepting that things will be broken, no matter how hard we are protecting them.
New way on how Resilient Governments look at the potential problems
And then, it is all about how quickly we can move out of the problem zone and recover and restore everything that was destroyed or changed. Looking at the resiliency models, we have identified four important types: Operational Resiliency, Cyber Resiliency, Natural Disasters Resiliency and finally, but probably most important Geostrategic Resiliency.
And I guess this is type of Resiliency that we are still learning about and our learning are constantly pressured by ever-changing ways of Geostrategic issues, at least the ones that are related to the technology. Not that we changed the technology much (we did, bit that is not really relevant here) but what changed is the way how you combine the technology with other means of geopolitical pressure – I guess you already heard about the term “hybrid war”.
There are a variety of terms used to refer to the hybrid war concept: hybrid war, hybrid threats, hybrid influencing or hybrid adversary (as well as non-linear war, non-traditional war or special war). US military bodies tend to speak in terms of a hybrid threat, while academic literature speaks of a hybrid warfare.
Technology gives you advantage where you can have significant yet remote impact: you don’t have to send your troops into the battle but you can shut down the powerplant or city infrastructure if they are not properly secured. Interestingly enough, this is not the main objective of the attack: the goal is to show that Government is not capable of securing their national critical infrastructure and hence, probably cannot secure the citizens themselves. Good call to go against your own Government and maybe to ask for (or accept) the help of others, and all because some countries build their offensive capabilities in … cyberspace.
Offensive Capabilities
Since 2016, several countries expressed interest in or took explicit steps toward acquiring offensive cyber capabilities.The number of countries taking this initial step has increased significantly in comparison with previous years, while some established players have gone on record to commit further resources to this space.
The number of countries dabbling in this space away from the public eye is likely to be much higher. Many of these countries already have advanced military capabilities and have invested heavily in defensive aspects of cybersecurity, so adding an offensive cyber component may reflect a natural progression. The developing world’s investment in offensive technology, however, is particularly worrisome as it may come at the expense of developing effective defense and cybersecurity risk management practices.
So they are building their capabilities, but what is at stake?
Protecting the Core
Every country have something that they need to protect: combine them and you can call all of the critical components as your own national and critical infrastructure. Well, no wonder that National Critical Infrastructures have multiple components for every country: one can find and energy systems there or water management systems, for example, but also information systems that are core in most of the attacks that happened recently. Actually every single attack that happen lately had one or more “components” of attack that was based on information systems. Cyber capabilities of a specific country play a vital role here, both capability to defend itself but also capability to attack.
Protecting National Critical Infrastructure became one of the most important tasks for the nations recently. This is very visible with the EU and their Directive on security of network and information systems (NIS Directive) from 2016 where EU recognize the importance of the culture of security across sectors which are vital for economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
Kind of a wrong way to protect your crown jewels: Datacenter in fire
So, basically anything that is important today have a significant component of ICT, and protecting those systems actually also means protecting ICT platforms and components (like identity, data, applications, services, integration layers and infrastructure).
Building Geostrategic Resiliency
Creating a system that supports national geostrategic resiliency is a complex task and requires some kind of innovative thinking. It is not only about backup of the data, it is protecting the environment on many innovative ways: from doing an federated identity which drives identities (and their resiliency) to the clouds of multiple providers, doing a backup of the data to multiple locations, depending on the data classification and governance, making sure that applications and services are redundant in high-availability zones that are deployed around the world etc.
Innovative thinking is important because this needs to be very radical: if you are thinking about such a massive impact like loosing your own country where it will no longer (administratively) exist, you still build for an option of having a country (and administration) that works completely out of the resilient (redundant) environment (maybe the environment in public cloud).
Just researching for these options gives you many learning and cases where you find out how to perform resiliency on the much lower (and less expensive) level, but learning are so important to understand what you can achieve (and under which cost).
Estonian Data Embassy Initiative
Estonia is highly dependent on information technology. Estonian citizens are able to perform nearly every public and private sector transaction in digital form, and a vigorously implemented “paperless” policy means that some essential registries, e.g. the land registry, only exist digitally and only have evidentiary value in digital form.
Three elements of Data Embassy initiative in Estonia
Moreover, its innovative approach to e-identity for non-residents signals the beginning of Estonia’s transformation into a “country without borders.” As a result, Estonia needs to reassure not only its citizens but also its e-residents of the viability and durability of the state itself and of their status within it, even in the face of cyber-attacks, natural disasters and other national or internal emergencies.
Such trust in ICT is not easily won, however, and is even more difficult to maintain. This requires more than just the preservation of critical data sets and ICT services on Estonian physical territory. A solution needs to be developed for situations, admittedly improbable, during which the Estonian state might need to operate some services outside its current borders. This is the Estonian government’s concept of “digital continuity” in the context of the development of e-government. In 2013, the Data Embassy Initiative emerged as a possible answer, with a data embassy being defined as a physical or virtual data center in an allied foreign country that stores data of critical government information systems and mirrors of critical service applications.
If you are interested, you can learn more about Virtual Embassy by reading a whitepaper from Microsoft Services here.
Please connect if you want to know more about what we are doing to support Resiliency in many Government organizations around the world: ramuta@microsoft.com
