Cyberspace Resiliency: Springing Back with the Bamboo

Rigid cyberspace defenses are proving unable to meet advanced and modern cyberspace threats. As a result, there has been increasing focus and interest in cyber resiliency; but what will it take to be resilient in future cyber combat? We can glean some useful concepts from the ancient Japanese proverb about the resiliency of bamboo in a storm. In comparison with the massive oak, which relies on structural strength, three characteristics enable the bamboo’s greater resiliency. Bamboo has the ability to accept deformation without failure, a significantly reduced attack surface, and dynamically reacts to the wind in a way that minimizes the impact of future gusts. Defenders of cyberspace should look to add similar characteristics to their cyberspace systems. First, cyberspace defenders should maximize the flexibility of their systems by deliberately building in “inefficient” excess capacity, planning for and expecting failure, and creating personnel flexibility through training and exercises. Second, defenders should reduce their attack surface by eliminating unnecessary capability in both hardware and software, resist users’ desire for continual rapid improvements in capability without adequate security testing, and segment their networks and systems into separate defended enclaves. Finally, cyber defenders should position themselves to dynamically respond to attacks through improved situational awareness, effective cyberspace command and control, and active defenses. Combining these approaches will enable the defenders of cyberspace systems to weather cyberspace attacks and spring upright after the passage of the storm.