Distributed and centralized cyber resilience
Resilience is, according to a US Presidential Policy Directive issued in 2011, ‘the ability to adapt to changing conditions and withstand and rapidly recover from disruption’.5 The most precise statement of resilience in GCC national cybersecurity strategies follows this definition closely, stating that resilience is ‘the ability to prepare for, adapt to, withstand, and rapidly recover from disruptions resulting from deliberate attacks, accidents, or naturally occurring threats or incidents’.6 Resilience and security have subtly different objectives: security seeks to avoid and respond to failure and disruption, while resilience aims to sustain holistic function and increase capacity for its continuation in any eventuality.7 There are nonetheless many overlaps between cybersecurity and cyber resilience, both conceptually and in terms of relevant practices. This paper draws on many indicators of cybersecurity and cyber risk. The concept of resilience can be applied at many levels, from individual organisms to whole societies and ecosystems.8
Security seeks to avoid and respond to failure and disruption, while resilience aims to sustain holistic function and increase capacity for its continuation in any eventuality
Resilience is an important property of information and communications systems. In the early twentieth century, the field of cybernetics sought to create resilient systems that would self-adjust based on environmental feedback.9 A more direct lineage of resilience comes from packet-switching, proposed in the 1960s as a way for US military communications to be more resilient in the event of a Soviet nuclear strike, and then incorporated into the Internet Protocol (IP) as the standard for the US Department of Defence’s ARPANET in the 1970s.10 Two of the three core concepts of information security – integrity and availability – are directly related to resilience, ensuring that information flows remain trusted and continuous despite attacks.11 Cyber resilience, then, is at base the resilience of digital information systems.12
Cyber resilience, however, does not apply to information systems only in the narrow terms above, describing digital networks of hardware and software. As Schneier and Farrell argue in their analysis of US election interference, whole states can be modelled as information systems, drawing on a wider scholarship of globalization and information flows.13 Cyber resilience, in this view, also includes the broader ability of states to withstand strategic influence operations aimed at disrupting or manipulating information flows between citizens, politicians and other domestic actors. A comprehensive approach to cyber resilience includes both resilience to ‘traditional’ cyberattacks and to strategic attempts to influence the information environment of a state.14
Like security, resilience is relative to threat.15 A system that is resilient to one set of threats may not be resilient to others, and, more problematically, steps taken to increase resilience in some ways may decrease resilience in others.16 It is therefore necessary to consider the resilience of different types of systems. Specifically, the paper identifies centralized systems, in which a single node entirely controls the processes of other nodes, and distributed systems, in which tasks are completed asynchronously, independently and concurrently.17 This is a spectrum rather than a binary division, with decentralization a mid-point between the two.18
Distributed systems are widely thought to be more resilient than centralized systems, largely because they do not have a single point of failure.19 However, for some threats and tasks, distribution can be less resilient than centralization.20 In particular, strategic threats requiring coordinated responses as a whole may be better countered in a centralized system, while lower-level threats impacting part of a system would be better countered in a distributed system.21 For example, the definition of cyberthreats to the US has expanded following Russian influence operations in the 2016 US presidential election, and disparate private-sector responses have been replaced by calls for a ‘whole-of-nation’ response: in short, moving from a distributed to a centralized approach to cyber resilience.22
This shift in the US demonstrates that the distinction between distributed and centralized systems is not exactly equivalent to that between democratic and authoritarian political systems.23 Recent scholarship on information operations in the US focuses on ‘democracy’s dilemma’: the idea that improving democratic resilience to foreign influence operations could damage the practice of democracy itself.24 This dilemma is drawn from parallels to Samuel Huntingdon’s ‘King’s Dilemma’, in which autocratic leaders face a choice between stability and modernization. The King’s Dilemma has been applied often to the autocratic monarchal systems of the GCC states.25 In contrast, the distributed/centralized distinction allows us to move away from distinctive democratic/autocratic dilemmas towards a cyber resilience framework that can be applied across states, while avoiding what Schneier and Farrell call an ‘easy equivalence’ between democracies and autocracies.26