ALAMO ACE — Do you know what “resilience” means when it comes to networks and IT systems? According to the Air Force’s chief information security officer, you probably think it means relying on redundancy and recovery to restore networks and information technology when they go down. That’s only partially correct.
Those are two elements of resiliency, but they’re both what operators do after a system crashes or is compromised. To be truly resilient, the goal is to prevent networks from going down in the first place.
“Everyone thinks they know what [resilience] means, and I would venture to say most people get it wrong,” Air Force CISO Aaron Bishop told the audience at Alamo ACE in San Antonio. “People tend to look at it from an operational lens: Can I continue my fight?”
For Bishop, true resilience is protecting the network starting at the component level and below. “Zero Trust is about resilience at a micro-component level. Each of the components of the system has its own protection, and you build on that.”
In other words, resilience doesn’t just happen when networks or IT systems come under attack. It’s engineered in advance, as each layer of a system – from hardware to software to command interfaces – gains its own protective shell, so to speak.
“If you think of it that way, it naturally flows into all forms of information technology,” he said. “Anything of a digital zero and one should incorporate Zero Trust concepts.”
Resilience requires more than simply hardening systems against intrusion. It’s achieved by anticipating failure and designing recovery into the fabric of operations.
“To get there requires lots of things to happen,” said Bishop. “You’ve got supply chain issues you’ve got to get right, you’ve got engineering and design you’ve got to get right. Then you’ve got to be able to monitor to know that something’s not the norm and then how do you react to that?”
Knowing what’s anomalous is the job of continuous monitoring through automation, something the Air Force needs to do more of.
Bishop argued that static, compliance-driven processes like the Risk Management Framework have created “a false sense of security.” What’s needed instead is an agile, automated, risk-informed approach that responds to real-time data and feeds lessons directly back into engineering and design.
“By focusing on ‘What are we monitoring? What are we sensing? What do we make of that information on a regular basis?’ versus the anomaly we see, and then how do we react, we improve our cycle time to react and become more resilient,” he said. “If we could get better at continuous monitoring, we would be much improved in our ability to monitor and be resilient in our capabilities.”
Building resilience also means changing how the Air Force CIO enterprise itself works, according to Keith Hardiman, director of enterprise information technology, Office of the Chief Information Officer for the Air Force.
“This is our current landscape: it’s contested, it’s complex, it’s continued to accelerate, and it’s why resilience is not optional. It’s foundational,” said Hardiman, also speaking at Alamo ACE.
He noted that he’s working with the Air Force A6 office of the Deputy Chief of Staff for Warfighter Communications and Cyber Systems and others “to talk about how do we reorganize, regroup, and redo ourselves to make sure we’re a lot more effective and we’re enabling them to go do the things they need to do from an execution operation standpoint.”