Apology on Behalf of Cyber Security – An Integral Part of Societal Resilience

When it comes to cybersecurity, resilience is usually either defined otherwise or sometimes left completely undefined, assuming that the audience knows what is meant with the concept.

Student blog by Roope Rannikko*

It is unfortunate that literature and lectures dealing with resilience politics often do not even mention cybersecurity or cyber resilience as a factor that has significantly contributed to the overall progress in resilience thinking. A good illustration of my thought is Philippe Bourbeau’s (2018, 35) multidirectional reading of resilience’s genealogy. As informed as it is, it doesn’t include cybersecurity as one of its genealogical branches that have affected later development of resilience politics. His book strives to investigate the genealogical process through which resilience politics has emerged in world politics, yet it fails to mention information security and cybersecurity in its index. This seems to be a bit of an odd exclusion as other scholars have argued that cybersecurity and its driving forces have been vital for bringing resilience thinking into the forefront in societal security strategies (see Dunn Cavelty & Wenger, 2019, 10).

There is also a difference when speaking about cybersecurity politics (a strategical issue) and, on the other hand, the politics of cybersecurity (politics in general terms pertaining to control cyber domain and actors who operate on it) (idem, 8). Besides, the practitioners of cybersecurity seem to have a somewhat different understanding of what is meant by resilience than the more traditional academic or scientific way to comprehend the concept. In this blog, I aim to give cyber resilience the foothold which it should have in literature dealing with resilience politics. Moreover, I argue that cyber resilience should be seen as its own cyber-physical domain alongside psychology, social work, engineering and ecology (Bourbeau, 2018, 35).

In strategic parlance, resilience is generally understood as one style or way to assure society’s total defence. Resilience has described as a buzzword and empty signifier (Juntunen, 2020), but it has also very close links to the practices and policies of societal security (Rhinard, 2020, 36) with unclear conceptual boundaries. In International Relations (IR) and Security Studies (SS) resilience politics is usually comprehended as a specific or emerging security mentality, referring perhaps to the state of any given society’s “mind”, alongside other security mentalities like that of defence, protection or prevention, which guide authorities’ cognitions in security politics (Juntunen & Virta, 2019, 67).

Shortly put, resilience is usually defined as the capability of individuals and groups to (1) tolerate significant disruptions, (2) retain operational performance during an emergency and (3) to recover from a shock while with the help of exposed experience, growing their ability to perform in the future (idem, 72). When it comes to cybersecurity, resilience is usually either defined otherwise or sometimes left completely undefined, assuming that the audience knows what is meant with the concept. Herrington and Aldrich (2013, 308) determine cyber resilience to denote “durability” and “survivability” measured in respect of efficiency and continuous availability, but also suggesting both trust and integrity. In this sense, cyber resilience comes closer to engineering sciences or safety and crisis management studies than the understanding prevailing in the social scientific literature. Still, these fields perceive resilience generally in relation to systems’ total defence and preventive measures (see Panda & Bower, 2020, 507). I don’t suggest here that crisis management and engineering sciences would not underline the importance of critical infrastructure to be able to recover from disturbances or the system’s faculty to sustain its operational performance during crises same way as social sciences understand resilience.

Quite the opposite, safety sciences too have started to highlight the need for models that approach cyber resilience as a complicated matter and to detect its cascading effects comprehensively (ibid). In IR and SS, it is nowadays common to speak the existence of cyber warfare and cyberattacks against states, even causing potential sci-fi fantasy reminiscent dystopias that threaten the existence of entire societies. In the earlier phase of research, several studies in IR and SS seemed to have dealt with cybersecurity in the context of an almost doomsday-like scenarios (see Dunn Cavelty & Wenger, 2019, 15), something that might have resembled more popular literature than rigorous research on the real options to use cyberspace for operational purposes. Fortunately, the trend has been reversed recently, as there has been an increasing number of plausible research focusing on lower-level cyber operations, which also promise better policy recommendations for practitioners (idem, 16).

There have been three dimensions for promoting the progress of cyber resilience. At first, technology is only one aspect that affects cybersecurity’s relevance in societies’ resilience politics. The two other dimensions are politics and science, which have brought cybersecurity to the forefront in societal discussions and institutionalized it as a distinctive scientific field (Dunn Cavelty & Wagner, 2019, 5, 10). It can be argue that, from the viewpoint of resilience, cybersecurity creates tremendous challenges for the governance of society’s resilience. It is mainly because of the vast numbers of private actors and entrepreneurs who operate and enable the existence of cyberspace, which do not, of course, have the same status for legitimate security political actions as state owned operators would have.

As a result, in a surprising cyber incident, the citizens would probably blame the authorities for the accidents and inadequate preparations. Neither it would be very likely that officials could hide behind private companies or accuse individuals from unsafe behaviour if authorities have failed to preserve the right level of cyber resilience. There are many rising concerns on the technological advancements that are happening in the interface between human brains and artificial intelligence, causing new types of information security issues (Herrington & Aldrich, 2013, 303–304, 307–309). How should states organize their cyber resilience politics if these situations actualize in the future?  These remarks show that it is reasonable to demand IR and SS to study the cybersecurity-resilience–nexus as a separate cyber-physical domain alongside the more recognized fields of resilience politics stemming from the fields such as psychology, social work, engineering and ecology.

 

*This student blog post has been done as part of the course SAFS01 Societal Security: Contemporary Challenges in the Masters Degree Programme in Security and Safety Management (SAFER) in fall 2020.

 

References

Bourbeau, P. (2018). On resilience : genealogy, logics, and world politics. Cambridge, United Kingdom: Cambridge University Press

Dunn Cavelty, W. (2019). Cyber security meets security politics: Complex technology, fragmented politics, and networked science. Contemporary Security Policy, 41(1), 5–32.

Herrington, A. (2013). The Future of Cyber-Resilience in an Age of Global Complexity. Politics, 33(4), 299–310.

Juntunen, T. (2020): Lecture on resilience as a societal security mentality during a course “Societal Security: Contemporary Challenges”, October 27th 2020. Tampere University.

Juntunen, T., & Virta, S. (2019). Security Dynamics: Multilayered Security Governance in an Age of Complexity, Uncertainty, and Resilience. In Leading Change in a Complex World: Transdisciplinary Perspectives. Tampere University Press, 67-84.

Panda, B. (2020). Cyber security and the disaster resilience framework. International Journal of Disaster Resilience in the Built Environment, 11(4), 507–518.

Rhinard, M. (2020). Societal security in theory and practice. In S. Larsson & M. Rhinard (eds.), Nordic Societal Security: Convergence and Divergence (first edition). London & NY, Taylor & Francis, 22–43.