2

HARD TO BREAK

Resilience—A Winning Strategy in a Losing War

Seventy-six percent of respondents to the 2016 Cyberthreat Defense Report from CyberEdge Group reported having been compromised by a successful cyberattack within the previous twelve months. This was up from 71 percent in 2015 and 62 percent in 2014. Moreover, 62 percent of respondents reported believing that they would suffer a successful cyberattack in the coming year (up from 52 percent in 2015 and 38 percent in 2014).¹ The average consolidated total cost of a data breach in 2016 was $4 million, up from $3.8 million the year before.² No wonder one digital security firm recently described its industry as continuing “to fight a losing war against cyberattackers” and doing so “even as data breaches and security compromises have become unfortunate realities of transacting in today’s digitized economies.”³ Even Kaspersky Lab, a maker of popular antivirus and security programs, disclosed on its blog the discovery of “an advanced attack” on its own internal networks. Kaspersky called the exploit Duqu 2.0, a malware program that acts “as a backdoor into the system and facilitates the theft of private information.”⁴

I invite you to unpack the information you just read. First: More than three-quarters of organizations surveyed reported having been exploited by at least one successful cyberattack in a year. Second: On average, successful cyberattacks are very costly. Third: A major cybersecurity firm describes the war that it and its colleagues and competitors are prosecuting as “a losing war.” Fourth: The “losing war” poses an existential threat to everyone “transacting in today’s digitized economies” precisely because everyone does business in these economies. Fifth: Even an extraordinarily high level of sophistication in matters of digital security will not save your enterprise from attack; Kaspersky is an established cybersecurity firm. “From a threat actor point of view,” Kaspersky Lab’s Global Research & Analysis Team (GReAT) wrote, “the decision to target a world-class security company must be quite difficult.” This decision suggests that the attackers are “either . . . very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed.”⁵ So, sixth: Everyone is vulnerable, especially since (at least some) highly skilled attackers are willing to go for broke in attacking the hardest of hard targets.

Kaspersky hasn’t found the silver bullet of cybersecurity because cybersecurity will never be sufficient. That is why digital resilience is necessary. Of course, digital resilience is no silver bullet, either. It will not resolve all vulnerabilities. It will not eliminate all faults. It will allow you to survive an attack, identify a breach, and contain it as quickly as possible—while, in the meantime, continuing to remain connected and doing business.

FIGHTING A LOSING WAR: WE ALREADY KNOW HOW

Intensively networked business—a brave new world? More like a grave new world. Except that there is really nothing new about it. To live is to fight a losing war—not 76 percent of the time, but 100 percent of the time. Hard-edged Darwinism turns out not to be a case of survival of the fittest, but survival of the most resilient. The people, organisms, organizations, nations, machines, and systems that most thoroughly achieve resilience survive not only the longest but also the most productively. Being alive, at work, and out and about in the world means that you will suffer attack. Perhaps it will come in the form of a mugger in a dark alley, an unwelcome letter from the IRS in your mailbox, an infection by an antibiotic-resistant strain of microbe in your lung, or a really wicked hangover. Whatever form the attack may take, nobody escapes forever. You can’t be strong enough, smart enough, or fast enough to evade every assault. Resilience is real. The resilient have the best chance not only of survival but of prospering after—even under—an attack.

This has always been the case. And as Rockefeller Foundation president Judith Rodin observed in her 2014 The Resilience Dividend: Being Strong in a World Where Things Go Wrong, it has never been more urgently the case than it is today:

Disruption, Rodin observes, is something “the world has always known . . . but there are three disruptive phenomena that are distinctly modern: urbanization, climate change, and globalization.”⁷ The first and third of these have a critically important digital dimension, namely the pervasive connectivity of the digital network, which is both a driver of contemporary civilization and a threat to it. The point is that resilience is not a “bonus feature” of, or an “optional accessory” to, every productive activity and enterprise in the twenty-first century. It must be at their core, a necessity to them. Resilience has always been important, just never more urgently indispensable. Moreover, today’s intensive and ubiquitous connectivity has made resilience the table stakes for any enterprise interested in survival. If you want more than survival, you need to think of resilience as both a baseline requirement and a means of gaining competitive advantage.

HOW MUCH RESILIENCE IS ENOUGH RESILIENCE?

Let’s start at the baseline. Let’s say your expectations are modest. Let’s say you run a business that is only minimally connected, at least by comparison, say, with a 100 percent online merchant like Amazon. How much resilience do you really need, even in today’s world?

Dyn is an Internet performance management company. Among other things, Dyn products control much of the Internet’s domain name system (DNS) infrastructure. The DNS has been a feature of the Internet since its invention and is at the very core of Internet functionality. IP addresses are as necessary to locating and identifying services and devices on the Internet as street addresses are necessary to locating and identifying homes and businesses and people in a city, town, village, or country lane. The DNS translates human-understandable names of places on the Internet into numerical IP addresses such as 199.181.131.249. If these numbers mean something to you, congratulations, you are a prodigious Internet geek with too much time on your hands. For everyone else, however, they form a meaningless sequence of numbers. Thanks to DNS, however, Disney.com becomes 199.181.131.249, and your browser goes there.

“On Friday October 21, 2016 from approximately 11:10 UTC to 13:20 UTC and then again from 15:50 UTC until 17:00 UTC, Dyn came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against our Managed DNS infrastructure.” The good news, as reported by Dyn’s own analysis, is that the “attacks were successfully mitigated by Dyn’s Engineering and Operations teams.” The bad news: “but not before significant impact was felt by our customers and their end users.”⁸ Those customers included websites belonging to “Twitter, the Guardian, Netflix, Reddit, CNN, and many others in Europe and the U.S.,” according to The Guardian, making the attack the largest of its kind—ever.⁹

Now, in addition to good news and bad news, The Guardian also pointed to what it called some “interesting” news. Distributed denial of service is a common type of attack, which, typically, is not particularly sophisticated. The objective of a DDoS exploit is to bombard the servers of a targeted network with so many requests that the network collapses under the strain, becoming impossible to contact. Because it is usually impractical for an attacker to organize enough confederates to launch a coordinated attack, DDoS exploits are usually mounted by infecting as many computers as possible with a type of malware that transforms each infected computer into a bot, as in robot. The bot can be made to do things like send repeated requests to a targeted system. The bot can also propagate itself, infecting other computers, thereby creating a botnet, a network of coordinated bots, which collectively bombard a targeted system with connection requests. A large botnet can quickly overwhelm and disable even websites built to handle huge volumes of traffic.

But this is not the “interesting” part of what happened on October 21, 2016. In fact, it is routine. No, what makes the attack on Dyn “interesting is that [it] was orchestrated using a weapon called the Mirai botnet. Unlike other botnets, which are typically made up of computers, the Mirai botnet is largely made up of so-called “Internet of Things” (IoT) devices such as digital cameras and DVR players.”¹⁰ Actually The Guardian is being very modest in citing just two examples of nodes on the IoT. The variety is much, much greater—and growing. “For many years, the only important computing device in a typical home or business was the personal computer (PC), first on the desktop and then on the laptop,” the authors of Trillions: Thriving in the Emerging Information Technology write. They point out that in “the past few years,” these computing form factors have been eclipsed by smartphones and tablets. They go on to use the phrase “pervasive computing,” which they define in reference “to the assumption . . . that this transition” from desktop to smartphone, “dramatic though it is, is just the first step in a far more fundamental change. Rather than moving computation out of one kind of box into other—smaller and more portable—boxes, by the end of this transition computing will for all practical purposes be confined to no box at all. Computation (and thus data) will all but literally have escaped into the ambient environment.”¹¹

Pause here for two observations. First, the “all but literally” is an important modification of “have escaped.” The fact is that computing devices are indeed escaping confinement to boxes, but they are not escaping connection to the Internet. They are connected. Second, much of the “transition” the Trillions authors describe is well under way—and has made tremendous progress since 2012, when the book was published. Even back then, the authors conceded that we “already put microprocessors into nearly every significant thing that we manufacture, and we are quickly figuring out how to make those processors usefully communicate with each other, and with us. . . . We are . . . well on our way to a world with trillions of computers.”¹²

What will these trillions of unboxed, ambient computers add up to? They “will quickly coalesce into something new and disruptive: an environment of computation. Not computation that we use, but computation that we live in . . . houses [that] cater to our whims; power grids [that] become intelligent; and tractors [that] drive themselves through fields sown not just with seeds, but also with millions of ‘smart dust’ moisture and nutrient sensors.”¹³ We are moving toward this computation environment rapidly. For instance, right now, in 2016, the “average car . . . can have between 25 and 50 central processing units (CPUs),” which are, in fact, unboxed computers. Many, not all, of these automotive CPUs are networked.¹⁴

So, back to that Mirai botnet The Guardian found so “interesting.” The Internet of Things is much bigger—has many more nodes—than the Internet that is populated with desktops, laptops, smartphones, and tablets. “Because it has so many internet-connected devices to choose from, attacks from Mirai are much larger than what most DDoS attacks could previously achieve. Dyn estimated that the attack had involved ‘100,000 malicious endpoints,’ and the company . . . said there had been reports of an extraordinary attack strength of 1.2Tbps”—1.2 trillion bytes per second! “One trillion . . . bytes per second,” according to the online PC Magazine Encyclopedia, “is a measurement that prior to the twenty-first century was unthinkable.”¹⁵ In terms of a volume of data, consider that 1,428 CD-ROMS are required to store 1 terabyte. So, Dyn servers had the equivalent of 1,428 CD-ROMS thrown at them every second during the attack. If the reports are true and accurate, they reveal an attack that was “roughly twice as powerful as any similar attack on record.” The evidence points to the October 2016 attack, massive as it was, as having been mounted by a non-state group. David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations, asks us to “imagine what a well-resourced state actor could do with insecure IoT devices.”¹⁶

Before the advent of the computer, let alone the networked computer, the world was a hazardous place from which no one escaped some harm before suffering the ultimate harm, namely death. Because evasion of harm is inefficient and, in the long run, impossible, resilience has always been a must—at least for those who wish to survive, let alone thrive. Historically, digital networks have conveyed attacks against mainframes, desktops, and laptops. These digital networks thus added another threat to a physical world that was already threatening even in the pre-digital days. The Internet of Things does not merely heap more digital threats on top of the physical world. Because the IoT is part of the physical world, the threats it harbors are not compartmentalized in a strictly digital realm. They are threats in the world. Period. An unboxed “computation environment” is part of “the environment.”

How much resilience is enough for the most modestly connected of enterprises? The answer is about as much as the most intensively connected. In a digital environment of trillions of connections, we are all far more thoroughly networked than we know.

DIGITAL RESILIENCE IS RESILIENCE. PERIOD.

Thanks to the trillions of interconnected nodes of the rapidly evolving IoT, the concept of resilience can no longer be thought of as a figure of speech, a metaphor borrowed from the analog world of nature and nations. Digital resilience is very rapidly becoming as important as the physical resilience of organisms, people, corporations, commercial aircraft, governments, and ecosystems because the IoT is evolving into a bionic system thoroughly embedded in our world and lives. We don’t need technologists and tech journalists to tell us this. We all feel it. Back in the 1980s, the most complex piece of electronics most ordinary consumers had to deal with was a VCR. The result was that we became a planet of VCRs perpetually flashing 12:00 because many human beings could not, or stubbornly refused to, master the simple task of setting the digital clock on their machines. Today, we have all been pressed into service as our own personal “IT departments,” exercising considerable technical expertise to set up our new smartphones, deal with a plethora of passwords and PINs, figure out whether to answer the ads pleading with us to switch from copper to fiber, sort out why our Internet connection is so slow, even install our own routers and RAM.

Some of us enjoy getting under the hood with our technology. But some of us resent having to make so many banal technical choices. Nevertheless, as Joshua Cooper Ramo writes in The Seventh Sense: Power, Fortune, and Survival in the Age of Networks, “Banal technical choices will reverberate through our future with the same influence that the Bill of Rights, the Magna Carta, the Analects of Confucius, and the Koran retain long after they were first written down.” Why? Because “many of the technical choices we’re about to make will be strikingly political.” They will determine who “has access to what data” or where the line is drawn between “human choice and machine intelligence.”¹⁷

This sounds hyperbolic. But give it a chance. “The real contests ahead will concern networks,” Ramo writes, “but this means, in fact, a deeper conflict over values.” Why? Because networks are not just silicon, wire, and fiber. They “are like churches or schools or congresses; they reflect the aims and ethics of the people who build them.” They are contiguous and intertwined extensions of human and social and economic values. Ramo quotes the French philosopher Bruno Latour, who writes that modern societies “cannot be described without recognizing them as having a fibrous, threadlike, wiry, stringy, ropy, capillary character that is never captured by the notions of levels, layers, territories, spheres, categories structure, systems.” We are already well aware that (as Ramo summarizes) “borders, like the ones dividing science and politics or military power and civilian safety, begin to erode when everything is linked. Computing machines and networks were once locked

into usefully narrow silos, unconnected: An ATM. A heart monitor. A power grid. But now they overlap and inform one another.”¹⁸

Here Ramo is describing the rapid evolution of the IoT, yet the phenomenon underlying that digital evolution is not exclusively the product of digital networks. True, the explosive new direction of digital networks, the growth from millions to billions to trillions of interconnected nodes on a global network, accelerates the destruction of borders and the replacement of levels, layers, and the rest with networks.

But relationships, specifically networks of relationships, have always shaped the real world. Ramo cites Conway’s Law, a principle articulated by a computer programmer named Melvin Conway in 1967 (and given its status as “law” by others, the following year): “Organizations which design systems . . . are constrained to produce designs which are copies of the communication structures of these organizations.”¹⁹ Conway noted that designing software required collaboration among the authors of that software and that, therefore, the software interfaces that structure a system reflect the social boundaries, the social networks, the social structures, of the organization or organizations whose personnel produced the software. As such, Conway’s Law is the inverse of what we have just been talking about. Yes, digital networks (structures with software at their core) shape the “real” (non-digital) world; however, the social aspects of that real, physical world shape software design and, ultimately, digital networks. Put another way: If virtual reality shapes and reshapes the physical world, the physical world shapes and reshapes virtual reality. The relationship between digital networks and the non-digital networks that make up the physical world—and that existed long before computers and computer networks—is truly and intensively interactive and intertwined. This being the case, where resilience is concerned, digital networks should be at least as resilient as the non-digital networks they connect with, amplify, and extend.

DIGITAL RESILIENCE: LEARNING FROM THE ANALOG WORLD

I hold this truth to be self-evident, that the resilience of digital networks should model the resilience of the most resilient organisms, ecosystems, organizations, infrastructures, nations, and people that we know. Back in 1974, Jimmy Treybig founded Tandem Computers, Inc., a company that designed and produced “fault-tolerant” computers for what was then the emerging technology of online transaction processing (OLTP) systems for ATM networks and other banking applications, stock exchanges, commercial transaction processing, and so on. Advertising their products as “NonStop Systems,” Tandem incorporated a high-speed “failover” approach to computer design, using multiple processors, redundant storage devices and controllers, and backup power systems. The machines were built not in a fruitless effort to avoid or prevent failure, but to be fault-tolerant—that is, to be sufficiently resilient to operate in cases of inevitable failure, whether caused accidentally or nefariously.²⁰ This was the 1970s and 1980s, and, as I will point out in Chapter 4, even the early Internet incorporated key aspects of resilient design. Nevertheless, deep into the second decade of the twenty-first century, we have yet to apply to our digital networks anything approaching the level of resilience we have long applied to everything from folding ladders to advanced aircraft—and even to at least some computer systems. We need to get at least as serious about digital resilience as we have been about resilience in other, non-digital systems.

Now, precisely because the relationship between our digital and non-digital networks is interactive—runs two ways—we must acknowledge that the resilience approach can be especially challenging. Even before digital networks became globally pervasive, changes in network design could still create profound changes in “real-life economic patterns.” As an instance of this, Ramo cites the expansion of airline routes to Indonesia in the early 1980s, such as those from Hong Kong to Bali, which “brought manufacturing, investment, tipsy expatriates, and then surfers.” He goes on to predict that, in our connected age, “the design of research studies, voter databases, genetic-information sharing networks, financial webs . . . will change many usual patterns even as they establish some completely new ones.” Ramo quotes investor Paul Graham: “When you decide what infrastructure to use for a project, you’re not just making a technical decision. You’re also making a social decision, and this may be the more important of the two.”

Yet at least equally important are the effects that lie outside of the designers’ vision and contemplation. Ramo notes that “networks will be used in ways their designers never imagined—Twitter turned to terror recruitment, Bitcoin as an alternative to central banks.”²¹ Digital networks can, may, and do reshape the physical world in ways that are not only unintended, unforeseen, and perhaps even unwanted, but they can do this in ways that challenge both the resilience of digital networks and the resilience of aspects of the physical world. A digital network, the Internet, becomes an enabler of the popular and political networks that wrought positive, democratic transformations of the Arab Spring (the Tunisian Revolution was branded the “Twitter Revolution”) as well as the terrorist networks that have spawned and nurtured ISIS.

Or, as we saw in Chapter 1, the very digital network that was instrumental in the success of retail giant Target threatened that success by serving as a royal road to attack Target and its customers. The twelve months that followed the December 2013 attack “were tumultuous for the retailer and many of its peers,” and the attack proved to be “just the beginning of a series of massive retail data assaults that would expose critical weaknesses in enterprise data security and payment systems.” Nevertheless, a ZDNet article published at the end of November 2015 observes, “Target has largely recovered from the breach in terms both of consumer trust and financial impact.”²² The recovery is a testament to the resilience of Target as well as the resilience of its customers and modern consumers in general. The question remains, will retailers and others be motivated to emulate and embody this instance of physical-world resilience in the design, operation, and maintenance of their digital networks?

“The concept of resilience is a powerful lens through which we can view major issues afresh,” the authors of Resilience: Why Things Bounce Back tell us. They cite everything “from business planning (how do we hedge our corporate strategy to deal with unforeseen circumstances?) to social development (how do we improve the resilience of a community at risk?) to urban planning (how do we ensure the continuity of urban services in the face of a disaster?) to national energy security (how do we achieve the right mix of energy sources and infrastructure to contend with inevitable shocks to the system?).”²³ Since we live in a world in which digital and non-digital networks interconnect, in which virtual reality and physical reality exist in an interactive relationship with one another, studying resilience in the physical world can be helpful in improving the resilience in our digital networks.

Indeed, innovative thinkers such as Joshua Cooper Ramo treat networks as structures that transcend the categories, compartments, or silos in which we traditionally put fields of inquiry and endeavor. Looking at the examples in the preceding paragraph, Ramo would certainly argue that the relevant discussions are not about business planning, social development, urban planning, and national energy security. In fact, there should be no discussions—only a single discussion about the single relevant topic, namely networks.

In February 2008, the journal Nature published a “News & Views” item titled “Ecology for Bankers,” which discussed a “high-level conference” sponsored two years earlier by two apparently disparate organizations, the U.S. National Academies/National Research Council and the Federal Reserve Bank of New York. The objective of this out-of-the-box, almost random-seeming collaboration was to “stimulate fresh thinking on systemic risk” by “bringing together experts from various backgrounds to explore parallels between systemic risk in the financial sector and in selected domains in engineering, ecology, and other fields of science.” In other words, these experts in apparently unrelated fields gathered to discuss the one relevant topic they shared: networks. They held in common the thesis that “catastrophic changes in the overall state of a system can ultimately derive from how it is organized”—how it is interconnected, or networked, including “feedback mechanisms within [the network], and from linkages that are latent and often unrecognized.” A catastrophic change in a system “may be initiated by some obvious external event, such as a war, but is more usually triggered by a seemingly minor happenstance or even an unsubstantial rumor. Once set in motion, however, such changes can become explosive and afterward will typically exhibit some form of hysteresis, such that recovery is much slower than the collapse. In extreme cases, the changes may be irreversible.”²⁴ (In this case, “hysteresis” takes the form of echoes or repetitions of the original trigger event. A financial panic, for instance, tends to feed off of itself, long after the trigger event has ended.)

The potential for such catastrophic network failures “is widely applicable: for global climate change, as the greenhouse blanket thickens; for ‘ecosystem services,’ as species are removed; for fisheries, as stocks are overexploited; and for electrical grids or the Internet, as increasing demands are placed on both.” For anyone who runs a business, among the most pertinent questions raised by this exuberantly interdisciplinary conference concern risk-management priorities: “First, how much money is spent on studying systemic risk as compared with that spent on conventional risk management in individual firms? Second, how expensive is a systemic-risk event to a national or global economy (examples being the stock market crash of 1987, or the turmoil of 1998 associated with the Russian loan default, and the subsequent collapse of the hedge fund Long-Term Capital Management)? The answer to the first question is ‘comparatively very little’; to the second, ‘hugely expensive.’”²⁵

These questions remain just as pertinent but even more interesting when we learn that an “analogous situation exists within fisheries management,” a field apparently remote from the concerns of most businesspeople:

So “to what extent can study of ecosystems inform the design of financial networks in, for instance, their robustness against perturbation?” The conference experts concluded: “Identifying structural attributes shared by these diverse systems that have survived rare systemic events, or have indeed been shaped by them, could provide clues about which characteristics of complex systems correlate with a high degree of robustness.”²⁷

DIGITAL RESILIENCE: BORROWING KEY CHARACTERISTICS FROM THE PHYSICAL WORLD

While “robustness” is not a synonym for resilience, it comes close, and the conference experts pointed to “work on the network structure of communities of pollinators and the plants they pollinate.” Those who studied these biological communities described them as “networks [that] are disassortative,” a term that describes a network in which “highly connected ‘large’ nodes tend to have their connections disproportionately with ‘small’ nodes; conversely, small nodes connect with disproportionately few large ones.” From this observation, the experts concluded that “disassortative networks tend to confer a significant degree of stability against disturbance.” That is, the quality of being disassortive—disproportionately connecting big nodes to many small nodes and small nodes to few big ones—enhances the resilience of a network. Additionally, “ecologists and others have long suggested that modularity—the degree to which the nodes of a system can be decoupled into relatively discrete components—can promote robustness.” This observation prompted some conference experts to point out that “a basic principle in the management of forest fires and epidemics is that if there is strong interconnection among all elements, a perturbation will encounter nothing to stop it from spreading. But once the system is appropriately compartmentalized—by firebreaks, or vaccination of ‘superspreaders’—disturbance or risk is more easily countered.”²⁸

Digital network architects should find abundant food for thought in this discussion of network architecture across multiple fields. The conference participants warned, however, that neither disassortativeness nor modularity were the silver bullets of robustness or resilience because “modularity will often involve a trade-off between local and systemic risk.” With regard specifically to financial markets, “the wrong compartmentalization . . . could preclude stabilizing feedbacks, such as mechanisms for maintaining liquidity of cash flows through the financial system, where fragmentation leading to illiquidity could actually increase systemic risk (as in the bank runs leading to the Great Depression).” The larger point, however, is that there is much to be learned about creating resilient networks from the “topology of financial networks,” specifically the “interplay between network topology and random or targeted ‘attack,’” which provides “insights for the control of infectious diseases and the defence of networks such as the Internet.”²⁹

The authors of Resilience argue that many resilient systems are diverse at their edges but simple at the core, citing “DNA in a cell, or the communications protocols governing the Internet,” both of which are “specialized languages [that] encode a vast menagerie of inputs and outputs, yet as protocols, they remain utterly basic, evolving slowly, if at all.”³⁰ Still, it is often difficult to design networks that are resilient both against known or anticipated threats and in the face of unknown, unrecognized, or unanticipated threats. For instance, an arborist might design a tree farm with roads strategically placed as fire breaks in anticipation of the well-known threat of forest fires, yet those same roads make possible the unintentional importation of an invasive beetle, an entirely unanticipated hazard that may end up destroying all the trees on the farm. The problem with designing for resilience is the possibility of creating so-called robust-yet-fragile (RYF) systems. The RYF problem typifies the trade-offs designers of networks may have to make “between efficiency and fragility on the one hand and inefficiency and robustness on the other.” The most efficient tree farm would be very densely planted. Yet such a tree farm would also be the most vulnerable to the known hazard of a calamitous forest fire. Plant your tree farm sparsely to include numerous fire breaks, and you increase resilience, but at the expense of efficiency. A very sparsely planted tree farm is virtually immune to mass damage from forest fires, but it is too inefficient to be profitably productive. The objective is to find a midpoint between the extremes, whether the network in question is physical or digital.³¹

Beyond this, the most resilient networks are those that possess the ability to reconfigure themselves to adapt to changing circumstances and, when subjected to truly overwhelming stress or attack, “fail gracefully,” employing “strategies for avoiding dangerous circumstances, detecting intrusions, minimizing and isolating component damage, diversifying the resources they consume, operating in a reduced state if necessary, and self-organizing to heal in the wake of a breach.” The objective in designing resilience is not to achieve perfection. “A seemingly perfect system is often the most fragile, while a dynamic system, subject to occasional failure, can be the most robust. Resilience is, like life itself, messy, imperfect, and inefficient. But it survives.”³²

The most optimistic current statistics predict that at least 76 percent of organizations will suffer a cyberattack in a given year. Over several years, this makes cyberattacks inevitable for virtually every organization. But, as the authors of Resilience counsel, this is not a reason to despair. Instead, it should prompt engaging in an effort that complements mitigation. Whatever the network in question, whether physical, social, institutional, or digital, we need to innovate in ways that enable us all to “be prepared and cope with surprises and disruptions, even as we work to fend them off.”³³ Resilient networks allow us to survive and to continue to operate as we identify and contain a threat or breach. At the same time, we can also learn from the event, so that we may take steps to defeat or diminish the effect of future attacks. Our networks will never be unbreakable, but they can be made very hard to break.