1

INTENSIVELY NETWORKED

Why Resilience Is the Only Rational Cybersecurity Choice

November 30, 2013—From offices in Bangalore, India, employees of the Silicon Valley security firm FireEye alerted Minneapolis-based Target that they had detected evidence of a security breach of Target’s digital network. By this time the U.S. retailer, second only to Walmart in size, had been a FireEye client for about six months, having hired the company for $1.6 million to create a state-of-the-art network security system.1

The 2013 attack against Target was one of more than three thousand that year.2 So, cyberattacks are far from unusual. In fact in 2016, the Ponemon Institute, which conducts independent research on privacy, data protection, and information security policy, looked at the “likelihood of a company having one or more data breach occurrences in the next twenty-four months” and concluded that each of the 383 companies it surveyed had a “26 percent probability of a material data breach involving ten thousand lost or stolen records.”3 Put another way, over the long term, the nature of the threat against the digital network of your business is defined by two facts.

Number one, breaches are, by their nature, highly probable occurrences—so probable that, over the long term, they can be deemed inevitable. Breaches will happen. Breaches will happen to you.

Number two, breaches are, by their nature, costly in time, worry, and reputation.

ANSWERING THE CALL TO ACTION

The call to action is clear: We must protect ourselves and our enterprises. The problem is that no means of protection is bulletproof. It is not enough to erect a “firewall” around the firm’s digital infrastructure, issue antimalware software to all hands, pronounce your enterprise “secure,” and walk away. Such passive, static security measures are necessary, but they are not sufficient. In Chapter 3, we will review the most effective and cost-effective strategies and devices for “securing” our networks. We must note now, however, and always bear in mind that security alone offers no silver bullet. All security approaches are inherently and inevitably flawed because the vulnerabilities of digital connection are inherent and inevitable. They are the price of opening ourselves to the opportunities of connection. Once we accept the risk-reward trade-off of digital connectivity, our next step is to survive—and even thrive—under attack. Digital security is an incomplete answer. Digital resilience completes the answer.

As a concept, digital resilience is relatively new—but only because digital technology is relatively new, and networked digital technology is even newer. The fact is that digital resilience is a subset of resilience, which is a characteristic of biological, ecological, social, national, and institutional systems that have survived and thrived, some of them since time immemorial. Whereas digital security is about security, digital resilience is about how you do business in today’s intensively interconnected environment. It is not confined to the realm of IT specialists, but is a whole-business strategy.

THE TARGET ATTACK: WHAT A FAILURE OF RESILIENCE LOOKS LIKE

Only two things make the 2013 attack on Target unusual: its magnitude—70 million customers became victims—and the amount and detail of insight we have gained from it. (While the Equifax data breach, which took place during May–July 2017 but was not reported until September 2017, affected at least twice as many victims—145.5 million American consumers, close to half the U.S. population—we don’t as yet have sufficient information to create a definitively illuminating narrative.) The Target attack reveals the severe limits of conventional digital security. More important, it is a call to move beyond these limits. The numbers make it clear that attack is virtually inevitable. We need something more than the current “state of the art” in digital security.

It is true that most private- and public-sector leaders agree on the necessity of making preparations for survival under cyberattack. All sophisticated businesses have active disaster recovery plans (DRP) and business continuity plans (BCP). They understand that having an emergency plan for a crisis is essential. But both DRPs and BCPs are very different from a cyber recovery plan. The purpose of this book is to persuade managers, C-suite executives, and boards of directors that the default environment in which their highly connected businesses, institutions, and government agencies operate is in crisis. Connectivity creates both frictionless business opportunity and frictionless vulnerability to attack. This is today’s default situation. Mere survival is not a sufficiently ambitious objective. Intensively connected enterprises need to thrive in high-risk environments and even under attack.

Thriving under attack is not a radical proposal. It is a function of digital resilience. As defined very ably by Andrew Zolli and Ann Marie Healy, resilience is “the capacity of a system, enterprise, or a person to maintain its core purpose and integrity in the face of dramatically changed circumstances.”4 The chapters that follow are about applying the concept and quality of resilience specifically to digital networks. Before we get to these chapters, however, let us take a close-up look at what happened to a network whose operators failed to make it resilient. The Target attack, breach, and data theft, one of about three thousand that year, is representative of today’s digital business environment. It is also an event about which we have an abundance of information.

ACTION ITEM


There is no bulletproof protection against cyberattack. Digital security is mandatory but not sufficient. In addition to digital security, understand, embrace, and implement digital resilience as a strategy for surviving and thriving in an inherently insecure digital environment.

On March 26, 2014, John Mulligan, executive vice president and chief financial officer of Target Corporation, testified before the Senate Committee on Commerce, Science, & Transportation. His unenviable task was to explain why and how the credit card data of 40 million of his company’s customers had been stolen. “It appears that intruders entered our system on November 12[, 2013],” he testified. “With the benefit of hindsight and new information, we are now asking hard questions regarding the judgments that were made at that time and assessing whether different judgments may have led to different outcomes.”5

Without doubt, the first “hard question” is why, having been alerted by Bangalore on November 30, 2013, Target’s Minneapolis-based Security Operations Center did exactly nothing. Nothing. The next question is, why, after a second alert was sent on December 2, they also did nothing.6 Target did not even begin an “internal investigation” until December 12, when the retailer was “notified by the Justice Department of suspicious activity involving payment cards used at Target stores.” Target personnel met with the DOJ and the Secret Service on December 13, hired “an outside team of experts to lead a thorough forensic investigation” on December 14, and on December 15 “confirmed that criminals had infiltrated our system, installed malware on our point-of-sale network and potentially stolen guest payment card data. That same day, we removed the malware from virtually all registers in our U.S. stores.”7

By this time, records affecting 70 million customers had been stolen: data for 40 million debit and credit cards plus the personally identifiable information (PII) of those customers in addition to 30 million others whose credit card data was not stolen.

For 40 to 70 million Target customers, there were the ugly consequences of identity theft—unauthorized charges to sort out, inability to access credit, endless phone calls to credit reporting agencies, getting blindsided by fraudulent credit and loan applications, and no way to know when and where the ripples created by compromised PII would end.

For Target, the gross expense created by the breach during 2013–2014 was reported as $252 million. Insurance compensation reduced this to $162 million, and tax deductions brought it down to $105 million.8 Nevertheless, the company’s profits fell 46 percent in its fourth fiscal quarter of 2013 and were down by more than a third for all of 2013.9 More than 140 lawsuits from customers and financial institutions rolled in. In March 2015, Target settled a class-action suit brought by customers for $10 million; in August, Target settled with Visa for $67 million; and in December, the company settled with several banks (whose credit cards were compromised) for $39 million in damages.10 Both Target CIO Beth Jacob and CEO Gregg Steinhafel resigned following the breach.11 Federal and state authorities have threatened fines and other penalties.12 Beyond all of this, there was the damage to the Target brand and reputation, a hit difficult to measure.

“We are asking hard questions about whether we could have taken different actions before the breach was discovered that would have resulted in different outcomes,” Mulligan told the senators. “In particular, we are focused on what information we had that could have alerted us to the breach earlier. . . .”13

There is an answer to this. An earlier alert would have made no difference. Two reasons: First, Target made no response to the two alerts it did receive. There is no compelling reason to believe it would have responded to an alert received earlier. Second, the November 30 alert came after the network had been infiltrated but before data was being exfiltrated. The theft itself started on December 2, the date of the second alert. Nurtured on pop culture images of “wired-in” cyber prodigies gone over to the dark side, the uninformed picture “hackers” as superhuman geniuses and assume they move with infinite stealth and at great speed. Those who possess even basic knowledge of the complexity of large digital networks, however, know that infiltrating a network, finding what you want to take, and then exfiltrating that material—which typically amounts to huge quantities of data—takes time: days, weeks, sometimes months.

As far as can be determined, exfiltration from Target did not begin until December 2 and continued for nearly two weeks. The process was painstaking: The malware automatically sent data to three different U.S.-based staging points, servers located in Ashburn, Virginia, Provo, Utah, and Los Angeles, California, active only between 10:00 a.m. and 6:00 p.m. Central Standard Time, probably to reduce the chances that the outflow would be detected by burying it in the massive volume of normal workday traffic. From the U.S. staging points, the data was sent to vpsville.ru, a Moscow-based webhosting service, which operates openly. The company’s spokesman, Alexander Kiva, later unapologetically explained that the company has far too many clients to effectively monitor.14
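The timing detail above (staging servers receiving data only during the Central Time business day) is exactly the kind of pattern a network defender can turn into a detection rule. The following is an added example, not code from the author, Target, or FireEye: it aggregates flow records by external destination and flags hosts that receive large volumes from the point-of-sale address range exclusively inside business hours. The POS address range, the internal ranges, the byte thresholds and the flow records themselves are constructed for illustration.

```python
"""
Detect the staging pattern the chapter describes: bulk outbound transfers
from the point-of-sale segment to a small set of external hosts, confined to
the working day so they hide inside normal traffic.  Added example; the flow
records, address ranges and thresholds are constructed, not Target's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Central Standard Time as a fixed UTC-6 offset (December, so no DST in play)
CST = timezone(timedelta(hours=-6))
POS_SEGMENT = ip_network("10.50.0.0/16")            # assumed POS address range
INTERNAL_NETS = [ip_network("10.0.0.0/8"),          # assumed corporate ranges
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(10, 18)                      # 10:00 through 17:59 local

# Constructed flow records: (UTC timestamp, source, destination, bytes sent)
FLOWS = [
    # POS hosts pushing megabytes to one external host, all inside 10:00-18:00 CST
    ("2013-12-03T16:05:00Z", "10.50.1.10", "203.0.113.7", 5_000_000),
    ("2013-12-03T18:40:00Z", "10.50.1.11", "203.0.113.7", 7_500_000),
    ("2013-12-04T20:15:00Z", "10.50.2.20", "203.0.113.7", 6_000_000),
    ("2013-12-04T23:30:00Z", "10.50.2.21", "203.0.113.7", 8_000_000),
    # The same POS hosts talking to the payment processor around the clock
    ("2013-12-03T02:00:00Z", "10.50.1.10", "198.51.100.9", 40_000),
    ("2013-12-03T14:00:00Z", "10.50.1.11", "198.51.100.9", 42_000),
    ("2013-12-04T05:30:00Z", "10.50.2.20", "198.51.100.9", 39_000),
    # A corporate desktop, not a POS device, so outside this rule's scope
    ("2013-12-03T17:00:00Z", "10.20.5.5", "203.0.113.7", 9_000_000),
]


def to_central(ts):
    """Parse an ISO-8601 UTC timestamp and convert it to Central Standard Time."""
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc)
            .astimezone(CST))


def is_internal(ip):
    """True when the address belongs to one of the assumed corporate ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def staging_candidates(flows, min_bytes=10_000_000, min_flows=3):
    """Return external destinations that receive large POS-originated volumes
    exclusively inside business hours, sorted by bytes received."""
    stats = defaultdict(lambda: {"bytes": 0, "flows": 0, "in_hours": 0, "srcs": set()})
    for ts, src, dst, nbytes in flows:
        if ip_address(src) not in POS_SEGMENT or is_internal(ip_address(dst)):
            continue
        s = stats[dst]
        s["bytes"] += nbytes
        s["flows"] += 1
        s["in_hours"] += to_central(ts).hour in BUSINESS_HOURS
        s["srcs"].add(src)
    findings = [
        {"dst": dst, "bytes": s["bytes"], "pos_hosts": len(s["srcs"])}
        for dst, s in stats.items()
        # every observed flow fell inside the working day: the tell-tale sign
        if s["bytes"] >= min_bytes and s["flows"] >= min_flows and s["in_hours"] == s["flows"]
    ]
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for f in staging_candidates(FLOWS):
        print(f"{f['dst']}: {f['bytes']:,} bytes from {f['pos_hosts']} POS hosts, "
              "all within business hours")
```

The rule is deliberately narrow: a POS segment has a short, predictable list of legitimate external peers (payment processors, patch servers), so any new external host collecting megabytes from many registers deserves a look, and the strict business-hours confinement is what separates the staging pattern from ordinary round-the-clock processor traffic.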

ADVANCED PERSISTENT THREAT: THE ENEMY WITHIN

Far from being smash-and-grab affairs, most meaningful breaches take time. Indeed, an entire category of breach is known as an “Advanced Persistent Threat” (APT), a network attack in which the intruder not only gains access to the network but remains active in it for a long period of time. To date, the most spectacular documented APT was that of “APT1,” which was exposed in a February 2013 report by the Mandiant security company. “APT1 is believed to be the 2nd Bureau of [China’s] People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department. . . .” Since 2006, APT1 compromised “141 companies spanning 20 major industries,” most of them U.S.-based. It “maintained access to victim networks for an average of 356 days.” The longest span was 1,764 days of continuous network access—four years and ten months.15

ACTION ITEM


Truly destructive network breaches are not smash-and-grab “attacks.” A successful breach is better described and understood as a chronic infection rather than a transitory attack, as espionage and embezzlement rather than burglary, as an invasion and occupation rather than a hit-and-run raid. An intruder can live and operate in your network for hours, days, weeks, years. Detecting and neutralizing a breach begins by gaining complete and comprehensive knowledge of your networks and their connections. Take steps to get this knowledge.

On the one hand, the persistence of the Advanced Persistent Threat is truly appalling. On the other hand, the takeaway lesson of the APT is that the most serious and destructive attacks provide us with a great deal of time to discover them—if we pay attention and if we know our own networks both comprehensively and intimately. But few enterprises pay enough attention, and even fewer know much of anything about the networks they operate.

APT1 was a highly crafted military operation backed by the resources of the government of the world’s most populous nation. As for the level of skill required to pull off the Target breach, however, Jim Walter, director of threat intelligence operations at the McAfee security firm, called the malware that was used “absolutely unsophisticated and uninteresting.”16 Two of its main moving parts were off-the-shelf malware, Citadel and Kaptoxa (pronounced kap-TOE-sha), both available for purchase on underground (or undergroundish) websites well known to cybercriminals. The first was used to steal credentials enabling the attackers to enter the Target system. The second was used to steal credit card information of customers who swiped their cards at the stores’ cash registers.17 Both APT1 and the Target breach were long present in the networks they attacked. The significance of this is that they were discoverable, if the operators of the networks under attack had possessed better, fuller knowledge of those networks.

ANATOMY OF A “RUN-OF-THE-MILL” EXPLOIT

Although spectacularly successful, the Target breach was a run-of-the-mill cyber exploit. That means two things. First, it was containable, if not stoppable—which is true of the vast majority of cyberattacks. Second, it was the kind of attack likely to hit anyone who runs any digitally connected business—in other words, anyone who runs just about any business today. Using research from Aorato Labs and the SANS Institute, we can actually trace the likely steps the attackers took.18 It is worth tracing because some variation of the Target attack has likely been, is being, or will be aimed at your business.

Casing the caper. Retail companies deal with retail customers, but they also interact with an array of B2B vendors. Often, these vendors are given privileged access to networks and data, especially for bidding and billing purposes. A simple Google search would have revealed to the attackers a wealth of information about Target’s vendors. Among these was Fazio Mechanical, a Sharpsburg, Pennsylvania–based refrigeration systems contractor that frequently served Target. Additional research could also have turned up, on a Microsoft website, a case study describing how Target used Microsoft System Center Configuration Manager (SCCM) to automatically update and security-patch much of its software infrastructure, including the software for its POS (point-of-sale) system—the system communicating with its retail checkout counter card readers.

Without so much as having to glance away from their computer monitors or committing any crime, the attackers could have, first, found a means of hijacking the credentials that would get them into Target’s network and, second, obtained a remarkably detailed picture of the retailer’s POS system.

Phishing for an entrance. The attackers launched an email phishing attack against Target’s vendors, such as Fazio Mechanical, which were likely to have privileged access to Target’s network. A phishing email masquerades as a message from some trusted entity—a bank, for example—and may trick the recipient into revealing confidential information or clicking on a seemingly legitimate attachment that executes an invasion. In the Target case, someone at Fazio innocently clicked on an email attachment that opened a malware program, which infected Fazio’s network and the computers on it. Against Fazio, it is thought that the Target attackers used Citadel, an off-the-shelf password-stealing bot developed by cybercriminals from an older item of malware called ZeuS. A Trojan horse used to invade a computer by duping the victim into opening an attachment, ZeuS surfaced in 2007. Both Citadel and ZeuS are available for sale on black market hacker websites.

Stealing credentials. Having obtained from Fazio the credentials needed to enter Target’s network via a vendor portal, the attackers let themselves in. One of the things you need to know about your network is that it is only as secure as the networks with which it connects. Vulnerability in a vendor’s network can bring you down. What Target didn’t know about its network included what it didn’t know about its vendors’ networks.

Gaining access. Because Fazio Mechanical bid and billed Target electronically, it was connected to Target’s Ariba billing system web application;19 to Partners Online, Target’s project management and contract submissions system;20 and to a Property Development Zone web app. None of these was a wide-open front door to Target’s systems, but the connections enabled the attackers to upload a nefarious script called a web shell, which is a back door through which the attackers could both upload files and execute high-level operating system commands within Target’s system.

Finding the money. As any burglar knows, getting in is only half the heist. Once inside, you have to find the merchandise. With access to Target’s operating system, the intruders were able to search the Active Directory. What they were looking for were databases relating to credit/debit cards. Ultimately, these consisted both of files with customers’ personally identifiable information (PII) and files relating to POS devices, the card readers at the checkout counters. Having identified these two targets in the Active Directory, the attackers were able to obtain the IP addresses needed to access both the PII files (turned out there were about 70 million of them) and the POS devices.

Getting the privileges. Possessing the necessary IP addresses is not sufficient to get you into those addresses. The attackers needed Domain Admin privileges, which they obtained (it is believed) by using a technique that is familiar to hackers, “Pass-the-Hash.” When a legitimate Admin logs into the Active Directory using her credentials, a Windows computer generates a token called an “NT hash.” The token, which replaces the user’s password, lives in the computer’s memory and vanishes when the computer is rebooted. But servers are rarely rebooted, and so valid NT hash tokens litter the system’s memory. An attacker simply needs to dig into the machine memory in order to “pass the hash” and thereby obtain Admin privileges.

Opening a new account. With Domain Admin privileges in hand, the attackers were now empowered to create their very own Domain Admin account, just as if they were trusted Target employees—at least as long as the legitimate Admin, whose token they had purloined, did not change her password. Passwords, the intruders knew, are not frequently changed. The attackers made up a user name, “best1_user,” which looked a lot like any existing legitimate user name. No one at Target red-flagged it, and “best1_user” served the attackers for more than two months, plenty long enough to infiltrate the Target system, to probe it, and to commandeer the computers they needed in order to exfiltrate the credit card data they were after.
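The “best1_user” episode is a case where the audit trail existed but nobody was reading it: a brand-new account that is promoted to Domain Admins within minutes, under a name that resembles an existing one, is a pattern an audit-log review can catch. The following is an added example, not code from the author or from Target: it walks constructed Windows Security audit records, pairs each account-creation event (Event ID 4720) with a later addition to a privileged group (Event ID 4728, member added to a security-enabled global group), and reports promotions that happen within an assumed window, together with any existing account names the new name closely resembles. The event records, the directory listing, the window and the similarity threshold are all constructed for illustration.

```python
"""
Flag newly created accounts that are promoted to a privileged group soon
after creation, and note lookalike names in the existing directory.  Added
example; the audit records and directory listing are constructed, not
Target's logs.  Event IDs 4720 and 4728 are standard Windows audit events.
"""
from datetime import datetime, timedelta
from difflib import SequenceMatcher

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PROMOTION_WINDOW = timedelta(hours=24)   # assumed: creation-to-promotion span worth flagging
NAME_SIMILARITY = 0.8                    # assumed lookalike threshold (difflib ratio)

# Constructed audit records (UTC timestamps).  "subject" is the account that
# performed the action, "target" the account acted upon.
EVENTS = [
    {"time": "2013-11-15T03:12:00", "id": 4720, "target": "best1_user", "subject": "svc_backup"},
    {"time": "2013-11-15T03:14:00", "id": 4728, "target": "best1_user", "group": "Domain Admins", "subject": "svc_backup"},
    {"time": "2013-11-18T14:00:00", "id": 4720, "target": "jsmith", "subject": "helpdesk01"},
    {"time": "2013-11-20T09:30:00", "id": 4728, "target": "jsmith", "group": "Sales", "subject": "helpdesk01"},
    {"time": "2013-11-21T10:00:00", "id": 4728, "target": "da_long_standing", "group": "Domain Admins", "subject": "admin_alice"},
]

# Constructed listing of accounts that already existed before these events
KNOWN_ACCOUNTS = ["best_user", "admin_alice", "svc_backup", "helpdesk01"]


def parse_time(ts):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def lookalikes(name, directory, threshold=NAME_SIMILARITY):
    """Existing account names whose similarity to `name` meets the threshold."""
    return [known for known in directory
            if known != name
            and SequenceMatcher(None, name.lower(), known.lower()).ratio() >= threshold]


def suspicious_promotions(events, directory, window=PROMOTION_WINDOW):
    """Return privileged-group additions of accounts created within `window`.

    Accounts with no creation event in the reviewed range are skipped: they
    are long-standing accounts and belong to a different review."""
    created = {e["target"]: parse_time(e["time"]) for e in events if e["id"] == 4720}
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] != 4728 or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        account = e["target"]
        if account not in created:
            continue
        age = parse_time(e["time"]) - created[account]
        if timedelta(0) <= age <= window:
            findings.append({
                "account": account,
                "group": e["group"],
                "promoted_after": age,
                "by": e["subject"],
                "lookalike_of": lookalikes(account, directory),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_promotions(EVENTS, KNOWN_ACCOUNTS):
        print(f"{f['account']} added to {f['group']} by {f['by']} "
              f"{f['promoted_after']} after creation; resembles {f['lookalike_of']}")
```

A review of this kind is only as good as its inputs: it needs account-management auditing enabled on every domain controller, the events shipped to a store the attacker cannot edit, and a current directory listing to compare names against. The promotion window and similarity threshold are tuning knobs; too tight and a legitimate onboarding slips through, too loose and the review drowns in the same noise that the chapter later describes at Target’s security operations center.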

Overcoming last-ditch network defenses. Even though Target’s Minneapolis-based security team had failed—twice—to act on the warnings it received, the company’s network was hardly defenseless. There were firewalls as well as other good security measures that remained obstacles to access and to infiltration, let alone to the exfiltration of masses of data.

Getting around a firewall? As it turns out, there’s an app for that. It is off-the-shelf, perfectly legitimate, and openly available online. Called Angry IP Scanner, it is billed as a “fast and friendly network scanner,” requires no installation, can be copied, and can be used anywhere. It pings a network’s IP addresses to see which ones are alive and, if the user wishes, it will resolve all the necessary network information—host name, MAC address, ports, and much more.21 Using this information, the attackers employed an innocuous port-forwarding utility to circumvent firewall rules. They did not break through the firewall, they tunneled under it.

Having defeated the firewall, the attackers used standard Microsoft Windows network utilities (PsExec and a Remote Desktop Protocol tool) to enable the remote running of processes on various Target machines. They also made use of another Microsoft program, Orchestrator, a workflow management tool that allows IT managers to automate creation, monitoring, and deployment of resources across a company’s systems.22 Orchestrator not only gave the attackers the look of legitimate users, it established the “persistence” of access that gave the intruders time to infiltrate the system, identify and take what they wanted, and then exfiltrate these masses of data.

Getting the PII. The first files exfiltrated were those containing the PII of 70 million Target customers. But this wasn’t the loot the attackers were after. They wanted the credit cards—the data they could sell to their customers, who would use it to clone cards Target’s customers had swiped at Target cash registers. Because Target adhered to the Payment Card Industry Data Security Standard (PCI DSS), credit card details were not available in the same files or even on the same servers that held the PII data. PCI compliance could not prevent the breach, but it did delay the attackers. Had they been less focused, the intruders might have given up after having “merely” stolen the identities of some 70 million human beings.

Installing Kaptoxa. Having discovered that they could not extract usable credit card information from the PII data, the attackers turned next to their off-the-shelf Kaptoxa malware, which is memory-scraping software uploaded into POS devices (checkout counter credit card readers) to capture credit and debit card data.23

Pretty slick. The only catch is that Kaptoxa needed to be installed on Target’s POS devices. The attackers therefore had to turn back to hijacking more devices—this time exploiting the network connections between the relevant computers in Target’s system and the POS devices. Doing this enabled the attackers to install Kaptoxa.

Exfiltrating. Even though PCI-compliant merchants like Target encrypt credit card data at the point of sale, most POS devices very briefly store the data—unencrypted—in local RAM (random access memory). Kaptoxa exploits this fleeting exposure to copy the unencrypted data from a card as it is swiped. The malware then stores that data in free RAM in the POS device. The attackers needed to set up a means of moving the data from this short-term parking to a remote server, from which the aggregated data could ultimately be uploaded to the servers of vpsville.ru, the Moscow-based webhosting service the attackers used. They employed three U.S.-based servers to exfiltrate data from Target’s POS devices. This was a multistage process carried out incrementally over nearly two weeks. Once on the U.S. servers, however, the data was quickly sent to vpsville.ru.
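The exfiltration stage above moved card data in the clear through staging servers, which is where a data-loss control on outbound or staged content has its chance. The following is an added example, not code from the author, Target, or the PCI council: it scans a byte buffer for magnetic-stripe Track 1 and Track 2 layouts (the formats the text says are briefly exposed in POS memory), validates each candidate account number with the Luhn check so random digit runs are not reported, and returns masked results that a responder can act on without handling full card numbers. The sample buffer and the two account numbers in it are constructed test values, not real cards.

```python
"""
Data-loss check for magnetic-stripe track data in a buffer (a staged file,
an outbound payload, a suspicious process dump).  Added example; the sample
buffer is constructed and uses well-known synthetic test card numbers.
Track 2:  ;PAN=YYMM<service code><discretionary data>?
Track 1:  %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
"""
import re

TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})[^?]*\?")

# Constructed buffer: one valid Track 2 record, one digit run that fails the
# Luhn check (so is not a card), and one valid Track 1 record.
SAMPLE = (
    b"POS log 2013-12-03 receipt printed\n"
    b";4111111111111111=25121011234567890?\n"     # synthetic test PAN, Luhn-valid
    b"free text ;4111111111111112=2512101?\n"     # Luhn-invalid, must not be reported
    b"%B5555555555554444^DOE/JANE^2512101?\n"     # synthetic test PAN in Track 1 layout
)


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob):
    """Return masked, Luhn-validated track records found in `blob`, by offset."""
    hits = []
    for m in TRACK2.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    for m in TRACK1.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}"})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in find_track_data(SAMPLE):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"{h['pan_masked']} exp {h['expiry']}")
```

Run against files on a staging host or against captured outbound payloads, a hit of this kind is a high-confidence indicator, because legitimate POS software is not supposed to write full track data anywhere. The Luhn check removes most false positives from timestamps and serial numbers, and masking keeps the alert itself from becoming a second leak.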

CYBERCRIME AS CYBERCOMPETITION

The attackers now had the PII of some 70 million customers and the credit card data of 40 million of those customers. What would they do with it? Brian Krebs, one of the nation’s foremost reporters on cybercrime, found out by focusing on the end product of the breach rather than how it began.24

In December 2013, several banks, most of them small, asked Krebs to investigate a sudden off-the-charts spike in fraud rates using credit cards from their institutions. Krebs logged onto a website, well-known in the fraudster community, that sells stolen credit cards. The site announced having received a huge shipment of cards. Krebs quickly matched the bank identification numbers (BINs) of the advertised cards with cards issued by the banks that had engaged him. He took this information to the banks and told them how they could go to the website and use Bitcoins (a currency often used for illicit online transactions because it is both untraceable and unrecoverable) to buy some of the cards back. He then asked the banks to determine if the cards had a common point of purchase. The banks reported that all the cards had been used at Target between Thanksgiving and December 15, 2013.

With this discovery, the plot unraveled. Card shops—also called dumps shops—operate on the web much like any other online business. The biggest difference is that the merchandise they offer is, exclusively, stolen. They present their merchandise in a customer-friendly manner, for example, allowing buyers to select by BIN, type of card (MasterCard, Visa, and so on), expiration date, country, and name of issuing financial institution. They don’t sell cards physically stolen from banks or stores. They sell the data copied from those cards. Theirs is a 100 percent online business. Purchasers click on their desired dumps, download the data from the shop, and then use it either to clone their own physical cards or to make purchases online without a physical card.25

Let’s ponder this a moment.

First: Without question, the attackers are criminals, but they operate like ordinary businesspeople. Most of the tools of their trade are purchased off-the-shelf, and they run their criminal enterprises pretty much as they would run any lawful business.

Second: The attackers are either partners with or wholesalers to online sellers of stolen credit card data. The online storefronts they supply use brand names, create graphical logos, make promises to their customers, and even offer money-back guarantees. They are international criminal enterprises, without question, yet in many ways they behave like legitimate retail businesses. These cybercriminals did not simply rob Target and victimize its customers, they competed with the credit card companies, the banks, and the credit card holders. Target, like other targets of criminal cyber breaches, discovered that it was operating not only in a business environment made hostile by rogue “hackers,” but in a business environment inhabited by particularly aggressive and vicious competitors.

ACTION ITEM


The law accurately brands cyberattacks as crimes and the attackers as criminals. Business leaders, however, may be better served by thinking of the attackers as especially ruthless and unethical competitors. Mounting and maintaining an aggressive defense against them requires more than cybersecurity measures. It requires business measures—decisions and policies that involve the entire enterprise. Digital resilience is a whole-business strategy.

And there is even more. Analysis of the code uploaded to Target’s system turned up the name Rescator, the alias of a hacker who was also the proprietor of a dumps shop operating out of the Black Sea port city of Odessa, Ukraine. Krebs discovered that Rescator had also gone by the name Helkern, which was the alias of an Odessan (twenty-two years old in 2013) named Andrey Khodyrevskiy. While the evidence is strong that Rescator and Helkern/Khodyrevskiy are one and the same person, it is not definitive.26 That Khodyrevskiy is a hacker is certain, and that he operates out of Ukraine is hardly surprising. Both Ukraine and Russia are notorious sources and centers of global cybercrime. As the attacks on the 2015–2016 U.S. presidential campaign and election process, including the hacking of the Democratic National Convention, demonstrate, much of this crime is intimately tied to the Russian government.27

GETTING A HANDLE ON OUR NETWORKS

As individuals and as businesses, we rely on our digital networks to enable and amplify our greatest strengths. Even as they do this, however, they simultaneously enable and amplify our most dangerous vulnerabilities. Digitally enhanced connectivity is the mother of all double-edged swords. It opens us to unprecedented levels of opportunity and exposes us to equally unprecedented levels of risk. Were it not for digital networks, Target Corporation would likely consist of no more than a handful of stores, if it existed at all. A pickpocket might prey on a random customer, once in a while stealing a wallet. A purse snatcher might make off with the occasional purse. A strong-arm robber might force the cashier to empty her till. Whatever mishap occurred, however, would be local and limited. For both merchant and criminal, a non-networked world offers sharply limited opportunity.

Although it had invested handsomely in digital security, Target Corporation came off looking desperately clueless that 2013 holiday season. No offense to Target, but its people were even more in the dark than this step-by-step consideration of the breach suggests. For while Target thought of itself as the victim of a particular criminal attack, it was actually the victim of a global civilization so intensively networked that the most remote lives and destinies, invisible to one another, cross, interact, collide, and embrace every moment of every day. A refrigeration contractor based in Sharpsburg, Pennsylvania, opens an email attachment and infects his computer, which thereby connects the second-largest retailer in America, headquartered in Minneapolis, Minnesota, along with as many as 70 million of its customers, to predatory thieves working out of Odessa, Ukraine, on the other side of the planet. These malefactors may be part of organized crime networks linked to governments in Moscow or Kiev.

The cost to Target, banks, and credit card companies added up to hundreds of millions of dollars. The cost to individual customers? By the time Target issued a press release on December 19, 2013, Kelly Warpechowski, age twenty-three, living in Milwaukee, had already been notified by her bank that “someone in Russia had spent $900 at ‘an oil company’ using her card.” That very night, the Navy Federal Credit Union alerted Jamie Doyle, a sailor from Chesapeake, Virginia, that he was the victim of fraud. He was at sea, deployed on a Navy warship, at the time, but his wife, Tracy, went shopping the next morning only to discover that her debit card had been drained. “We were literally going in to buy our Christmas dinner, and we had no money.” Neither Target, nor Kelly, nor Jamie, nor Tracy saw the connections. How could they have?28

Yet we all need at the very least to recognize that the connections exist. In his 2016 book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks, consultant and author Joshua Cooper Ramo writes of how “linking our bodies, our cities, our ideas—everything, really—together introduces a genuinely new dynamic to our world. It creates hyperdense concentrations of power. It breeds fresh chances for complex and instant chaos. To follow the logic of the French philosopher Paul Virilio for a moment, ‘When you invent the ship, you also invent the shipwreck. When you invent the plane, you also invent the plane crash.’ Surely we can count on the network to invent the network accident—and many of them.” Ramo observes that the “pre-network instinct to fear Chinese! or Fear Spanish! is the wrong one. . . . Fear deflation? Fear ISIS? Fear the RMB [Chinese Yuan]? Such fear reflects a blindness. Finance, terrorism, and currency change when they are connected. It’s the network we should be nervous about.”29

Yes! Target should have been “nervous about” their network. Yet when they were warned, not once but twice, that intruders were in their house, they did nothing. If an intruder had walked in the front door of a Target store, strolled through a checkout lane, and held up a POS, they would at least have called the cops. Why did they ignore alarms that detected a cyberintruder? According to cybersecurity experts The Daily Mail interviewed in 2014, Target is routinely “bombarded with alerts. They get so many that they just don’t respond to everything.” In fact, as The Daily Mail pointed out, the FireEye software Target used “has a function that automatically deletes malicious software, but it had been turned off by Target’s security team before the hackers’ attack.” This is what “the vast majority” of FireEye’s users do because there are so many false positives. An “automated” security system requires “love and care and feeding,” according to the experts the British newspaper talked to. “You have to watch it and monitor it.”30
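The failure mode described above is alert fatigue: so many low-confidence detections that the team stops responding and switches automatic remediation off entirely. As an added illustration (not the book's text, and not FireEye's product logic), the following Python sketches a triage rule that neither auto-deletes nor ignores: a host is escalated to a human when a detection is high-confidence or when low-confidence detections repeat within a window, and everything else is queued for review rather than dropped. Hostnames, signature names, confidence labels and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, host, signature, confidence).
# None of these values come from the Target incident; they are invented
# to show a handful of noisy low-confidence hits around one persistent host.
SAMPLE_ALERTS = [
    ("2013-11-30T02:11:00", "ws-0417", "generic.heuristic", "low"),
    ("2013-11-30T02:12:30", "ws-0981", "generic.heuristic", "low"),
    ("2013-11-30T02:15:00", "pos-gw-01", "malware.dropper", "high"),
    ("2013-11-30T03:40:00", "ws-0417", "generic.heuristic", "low"),
    ("2013-11-30T09:05:00", "pos-gw-01", "malware.dropper", "high"),
    ("2013-12-02T11:20:00", "pos-gw-01", "exfil.staging", "high"),
    ("2013-12-02T11:21:00", "ws-2200", "generic.heuristic", "low"),
]


def triage(alerts, window=timedelta(hours=48), repeat_threshold=2):
    """Decide per host what an analyst must look at.

    Rule: any host with a high-confidence detection is escalated; a host
    with repeat_threshold or more detections (of any confidence) inside
    `window` is escalated too, because repetition corroborates a weak
    signal; all other hosts are queued for periodic review instead of
    being silently dropped. Returns {host: (decision, reason)}.
    """
    by_host = defaultdict(list)
    for ts, host, sig, conf in alerts:
        by_host[host].append((datetime.fromisoformat(ts), sig, conf))

    decisions = {}
    for host, events in by_host.items():
        events.sort()  # chronological order for the sliding window below
        if any(conf == "high" for _, _, conf in events):
            decisions[host] = ("escalate", "high-confidence detection")
            continue
        for i, (t0, _, _) in enumerate(events):
            # count this event plus later ones that fall inside the window
            hits = sum(1 for t, _, _ in events[i:] if t - t0 <= window)
            if hits >= repeat_threshold:
                decisions[host] = ("escalate", f"{hits} repeats within {window}")
                break
        else:
            decisions[host] = ("review", "single low-confidence alert")
    return decisions


def escalation_queue(decisions):
    """Hosts that need a human now, sorted for a stable work list."""
    return sorted(h for h, (d, _) in decisions.items() if d == "escalate")
```

With the sample data, two hosts reach the escalation queue (the persistent high-confidence host and the one with repeated low-confidence hits) while the two singleton hosts stay in the review queue, so nothing is discarded but the analyst's immediate list stays short.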

WATCH AND MONITOR: ARE WE HUMAN BEINGS UP TO THE TASK?

In Resilience: Why Things Bounce Back, Andrew Zolli and Ann Marie Healy write of the “incomprehensible complexity, interconnectivity, and volatility of the modern world—one in which upheavals can appear to be triggered by seemingly harmless events, arrive with little warning, and reveal hidden, almost absurd correlations in their wake.” As for the “contributions of the much-ballyhooed Information Age, just having more data doesn’t automatically help.” Too many alerts are just as bad as too few. Maybe worse, the IT experts told The Daily Mail. “After all,” Zolli and Healy continue, “if we could actually see each of the individual packets of data pulsing through the Internet . . . could we make sense of them?”31

The answer—which is no—underscores an ineluctable fact of life in our intensively interconnected environment. When digital networks work well, the result is extraordinary—a nearly frictionless interchange of data, ideas, commerce, and increasingly, control and command of real-world devices that are nodes on the Internet of Things. But when something goes wrong, the result may or may not be catastrophic, but it is quite often both crippling and bewildering. This is true even when the problem is a technical glitch rather than a premeditated attack. In separate incidents, “computer problems” forced Southwest Airlines (July 2016) and Delta Airlines (August 8, 2016) to cancel flights and ground perfectly good aircraft operated and maintained by perfectly able employees. On July 8 of the year before, glitches in routine router upgrades halted trading on the New York Stock Exchange for nearly four hours, forced United Airlines to ground flights, and crashed the servers for WSJ.com.32 And it is also true when bad actors set out to do nefarious things along the network.

The Target breach was, of course, just one of several cyberattacks with impact sufficient to make international headlines. After the Sony Pictures Entertainment breach of November 2014, in which a hacker outfit announcing itself as the Guardians of Peace (GOP) leaked internal emails and PII of company executives and employees—everything from embarrassing gossip and personal sniping to Social Security numbers—U.S. officials accused the North Korean government of launching the attack in retaliation for Sony’s release of the anti-Kim Jong-un satiric comedy The Interview (although a significant number of digital security and forensics experts disagreed with this attribution).33 Sony responded by pulling the national release of the film, but allowed a handful of independent exhibitors to show the movie at their own risk. For his part, President Barack Obama criticized Sony’s decision, remarking in a December 19, 2014 press conference, “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States.”34 But this sentence from the president’s press conference expresses precisely the lesson of the Sony breach. Global digital interconnectivity has created such a society. Someone someplace can impose a variety of actions on somebody else somewhere else. Just consider those Russian cyber-attacks on the DNC and WikiLeaks’ decision to release the stolen data on July 22, 2016, the weekend before the Democratic National Convention.35

The Target, Sony, and DNC breaches have at least three things in common.

First: All were network attacks. The common term “cyberattack” is misleading because the even more common term “cyberspace” is a figure of speech that has outlived its usefulness. So-called cyber space is not “space” at all. It is a global network of interconnected local networks and the devices on them. It is a physical, real-world complex.

Second: The attacks all had remote—extremely remote—origins. To paraphrase President Obama’s description of North Korea’s presumed role in the Sony breach, all were instances of somebody someplace imposing something on institutions and individuals somewhere else, which, in all three cases, happened to be the United States. Indeed, all the attacks may—may—have been in some measure sanctioned by foreign governments.

Third: All these attacks in so-called cyberspace had serious consequences in so-called realspace. Entities, companies, enterprises, governments, nations, and individuals were victimized by entities, companies, enterprises, governments, and individuals remote from them, with whom they had no formal, familial, political, or business relationship. Thanks to digital networks, isolation was no obstacle to—or defense against—the attacks and their consequences.

Unfair? You bet.

Unfathomable? Pretty much.

A fact of life today? The essence of life today.

RESILIENCE: THE BETTER BOAT WE MUST LEARN TO BUILD

The Identity Theft Research Center reported having identified a total of 584 breaches in the United States during the first seven months of 2016. These exposed a total of 20,525,697 records.36 SecurityWeek reported the online theft (by “hacking”) of 121,199,741 records worldwide in 2015, up from 67,057,537 in 2014 and 48,805,381 in 2013. Compare this to theft of records by “physical loss”—1,100 records reported worldwide in 2015, down from 20,358 in 2014 and 24,533 in 2013. Data thieves have all but stopped carrying off bundles of paper.37 In 2016, the Ponemon Institute surveyed 383 companies in 12 countries and discovered that the average total cost of a data breach is $4 million. Per stolen record, this amounts to an average cost of $158.38

ACTION ITEM
You are not alone. Attacks and outright breaches are plentiful. Understandably, you may be reluctant to report an incident that affects your organization. The Department of Homeland Security urges all companies to report cyber incidents as a means of enhancing the security and resilience of the business community. See https://www.dhs.gov/how-do-i/report-cyber-incidents. There is ample precedent for reporting other business problems, including 800 numbers for anonymous whistleblower reporting of bad actors within a corporation. The C-suite and the board must develop an unambiguous policy on reporting cyber incidents.

“If we cannot control the volatile tides of change,” the authors of Resilience write, “we can learn to build better boats. We can design—and redesign—organizations, institutions, and systems to better absorb disruption, operate under a wider variety of conditions, and shift more fluidly from one circumstance to the next.”39 Indeed, for years now, engineers, scientists, and policymakers, among others, have been looking at the world and have been asking, “What causes one system to break and another to rebound? How much change can a system absorb and still retain its integrity and purpose? What characteristics make a system adaptive to change?” Most important, they have asked, “In an age of constant disruption, how do we build in better shock absorbers for ourselves, our communities, companies, economies, societies, and the planet?”40 Now those who create and manage digital networks and the nodes strung along them must ask and answer these same questions with the object of building better shock absorbers.

Still, as a concept and a value, resilience is not new even to digital systems. The Internet is an American invention, beginning in 1969 as ARPANET with funds from the Department of Defense’s Advanced Research Projects Agency (ARPA, predecessor of DARPA). ARPANET was commissioned by the military to make its defense-related C3 (Command, Control, and Communications) systems more resilient. Defense planners were worried that if an enemy managed to knock out telephone and other conventional communications systems, the American military would be effectively decapitated. A network of computers, however, could still function and thus maintain C3. National security expert Richard A. Clarke has observed that, despite its military pedigree, the Internet was the work of liberal scientists and engineers—hippies, really—who “did not want [the Internet] to be controlled by governments, either singly or collectively, and so they designed a system that placed a higher priority on decentralization than on security.”41 Actually, this decentralization turned out to be one of the sources of the Internet’s security through resilience. Robert Kahn, among the small group of computer scientists broadly credited with having “invented” the Internet, laid down from the get-go four principles that remain basic to the Internet today:

1. Each network on the Internet must stand on its own and should require no internal changes to connect to the Internet.

2. Communication should be technically forgiving. If a data packet fails to make it to its final destination, it should be rapidly and automatically retransmitted from its source.

3. “Gateways” and “routers” (these terms came later than the concepts behind them) interconnect the networks of the Internet. Their function is to pass data packets; therefore, they should retain no information about the individual packets.

4. There is no global control of the Internet at the operations level. It is a decentralized network.42

Yet it is also true that the essential openness at the heart of the Internet, a structure that welcomes rather than shuns connection, creates its own vulnerabilities. These are potential targets the builders and users of analog communications systems—pre-digital telephone networks and simple radio broadcasting—could not have begun to envision. So, we are left with the question: “If our connections to the world are the sources of both our power and our vulnerability, how do we achieve true digital resilience?”

Answering this question demands that we learn more in six areas, which are the subjects of the chapters that follow:

• Resilient and nonresilient systems in our world

• The theory of networks

• The digital networks to which we are connected

• How our digital networks can be visualized, modeled, and dynamically monitored

• How the resilience—and nonresilience—of our networks can be measured and scored, so that vulnerabilities can be surfaced and prioritized for modification and remediation

• Formulating a resilient response

Nothing we do can purge the many threats from our intensively networked digital environment. Our only choice, then, is to accept our universe of risk and to inform ourselves more fully and purposefully about it, so that we can design into our digital systems the resilience they require not merely to allow us to survive in digital reality, but to thrive in it. This is not as hard as it sounds, but it does take commitment and leadership. And the leadership to implement a digitally resilient standard in one’s network starts in the C-suite, with the CEO.

TAKEAWAY

Today’s intensively interactive digitally networked environment creates unprecedented opportunity and vulnerability for businesses. Digital security is mandatory, but insufficient, to prevent cyberattacks. In time, every business connected to the Internet—indeed, every Internet user—will be attacked. The only rational choice is to accept the risks that accompany opportunity and design resilience into our digital systems and our business policies, structures, and operations. The organizations that survive and thrive today and tomorrow are and will be resilient.
