While the U.S., allies and partners are working diligently to defend against malicious and destabilizing activities in cyberspace, those defenses may not be robust enough and adversaries are taking advantage of that, the deputy assistant secretary of defense for cyber policy said on Thursday.
Speaking remotely to the Aviation Cyber Initiative Summit, Thomas C. Wingfield warned that the risk of a successful cyberattack is growing.
While the importance of the Defense Department's cyber force is indisputable, it is not enough, Wingfield said.
"I have seen very clearly that the single most important component in protecting our shared security, liberty and prosperity are leaders who understand the promise and pitfalls of technology," he said, adding that leaders also need to work with allies, interagency partners and industry to ensure cyber resilience.
"Organizations need to move from a paradigm of cybersecurity, to one of cyber resilience," he said.
The two terms are complementary, but not synonymous, Wingfield said. He noted that the Commerce Department's National Institute of Standards and Technology defines cyber resilience as the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that are used or enabled by cyber resources.
Cyber resilience is necessary for those systems to withstand an attack or to quickly recover from one while continuing to operate effectively to achieve an objective, he said.
"Cyber resilience is, therefore, about more than protection. It is about continuity of operations and mission assurance. Planning for the eventuality of a cyberattack and still fighting through it is to be cyber resilient," he said.
To achieve a measure of cyber resilience, senior leadership must be involved. Personnel up and down the chain of command need to be trained and tested regularly, he said. While cybersecurity may largely be the concern of the information technology or cybersecurity staff, cyber resilience is the responsibility of an entire organization.
"This is not to say that working on greater cybersecurity is a fool's errand. On the contrary, cyber resilience is built on top of cybersecurity. The most important part of both is having a strong cyber immune system in every network on every system," he said.