Title: Building cyber resilience through a discursive approach to “big cyber” threat landscapes
Authors: T. Grøtan
DOI: 10.1201/9781351174664-390
URL: https://doi.org/10.1201/9781351174664-390
Journal: Safety and Reliability – Safe Societies in a Changing World
Volume: 4 1
Publication date: 2018-06-15
Publication type: Journal Article
Platform: Semanticscholar
Citations: 1
Abstract
Cyber safety, security and resilience of Critical Infrastructures (CI) and critical societal functions is a contemporary challenge. To understand the bigger picture, we may build composite threat landscapes in which vulnerabilities and threats combine and travel across distinct domains between which expertise, competence, experience and knowledge horizon related to safety, security and risk may differ substantially. Additional sensitization towards emerging cyber threats is however needed. Inspired by the post-normal “science of what-if”, the “BigCyber” model advances threat landscapes further into sensitivity to hidden, dynamic and emergent vulnerabilities. The approach is exemplified in terms of smart metering of household electricity consumption. The need for discursive support for different stakeholders relating to threat landscapes is identified, and a discursive framework for stepwise nurturing of polycentric governance is outlined. The framework can also be used to elaborate and support the idea of resilience landscapes of autonomous entities, facilitating a polycentric approach to cyber resilience.

collecting extensive information from installations without the customer's consent, could be coined as the "industrial Big Other". In the 1990s, the prospect of "trusted" computer systems prevailed. Today, few if any ICT systems are delivered with assurances that support this. Practically no ICT system, including CI, may preclude the possibility of intrusion, disturbance and hacking. Big-scale consumer innovations, e.g. autonomous cars and home appliances, are seemingly always lagging in computer security. Some voices even claim that "computer security is broken from top to bottom" (Economist, 2017). Potential countermeasures are often invasive, e.g. on privacy, often unduly playing on strings of fear and anxiety. Public initiatives, e.g. from the EU (Galbusera and Giannopoulos, 2016), aiming for public, semantic web descriptions of critical infrastructures may also be exploited to enable sophisticated attacks. We cannot expect holistic, cross-nation, cross-sector approaches to these challenges. The obstacle is not just the tremendous information coordination challenge, but also the incommensurate and diverse motives and objectives across boundaries of private vs public, classified vs unclassified, national vs international. Information cannot be shared, nor trusted, in one "heap". Motives and objectives are incommensurate, increasingly located in an atmosphere of post-fact attitudes, fake news, and information warfare targeting societal trust, in which even security agencies may find it difficult to navigate.