Diversity Is Continuity in the Cyber Domain

For cyber incidents, the need for a continuity plan is especially critical.

Let us all now praise diversity. This is not a political or cultural statement. Rather, let us praise diversity in the context of government IT operations and continuity in times of crisis. A diverse backup plan is a secure one, keeping all our systems safe.

We call the creators of crisis “incidents,” but so anodyne a word obscures their significance—they are destructive moments when governments might break down. The idea behind continuity of operations is to plan for critical services to continue. 

As the Federal Continuity Directive 1 from 2017 makes clear, in the event of an emergency—such as a natural disaster, a pandemic such as COVID-19, or a major cybersecurity or ransomware attack—the government must keep working. That’s why every U.S. government agency is expected to have a Continuity of Operations Plan (COOP) in place. 

For cyber incidents, the need for a continuity plan is especially critical, for unlike a natural disaster or pandemic, the cyber adversary is adaptive and intentional. Imagine a cyber incident involving an intruder moving within your system, exfiltrating your data or compromising administrator accounts. Worse yet, imagine an intrusion disabling or compromising your communications and coordination systems at the very moment they are most essential.

These are not trivial questions. In fact, we easily can imagine that an adversary, like the Chinese or Russian governments, might target government communications and control systems in a time of crisis precisely because the attack would be a force multiplier. By disrupting how the American government can control its response, an adversary would gain a significant tactical advantage. Continuity and stability are keys to a successful response. Or from the other perspective, as Chad Wolf, former acting secretary of Homeland Security, wrote in a 2021 commentary: “In government, as in business, chaos is the ultimate enemy.”

This is the reason why backup cyber systems are critical. Electronic command, control and communications are central to government’s continuity of operations. When email, videoconferencing and mobile device messaging are offline, government officials do not want to be reduced to using aging landlines. Leaders still must be able to share documents or direction. As a manager, one still must direct staff and coordinate a response with other leaders of the enterprise.  

The honest answer is that these tasks are impossible without a functioning backup system. Without email, collaborative workspaces and other means of communication, government could grind to a halt. And that, in turn, is why diversity is so important. 

In the current IT environment, governments use monocultures, a dependence on a single IT source for their products—typically using one operating system, one email server, one suite of client management software and so on.

But in the cyber domain, monocultures are the Achilles heel of continuity. No system is completely secure against malicious intrusion. Even the most experienced U.S. tech companies whose products are at the core of the federal system have suffered the exploitation of significant vulnerabilities.  

During normal times, the benefits of efficiency from an IT monoculture outweigh the potential adverse costs that might arise from exploitation. This is not the case in the context of continuity of operations planning. For a COOP, leaders must know whether backup systems will work when needed. In times of crisis, when the primary operational components are offline, the backup system must function in their stead.

So, let’s adopt a simple rubric: For continuity planning, diversification of control systems is essential. That simple step advances national security and ensures our ability to respond during times of crisis.

 

Paul Rosenzweig is the founder of Red Branch Consulting, a homeland security and cybersecurity consulting firm. He previously served as deputy assistant secretary for policy at the Department of Homeland Security.

Authors are entirely responsible for opinions expressed in articles appearing in AFCEA publications, and these opinions are not to be construed as official or reflecting the views of AFCEA International.
