Resilience Reset
Scenarios, trust & environment

(building on previous policy and resilience forums originally published for the Global Finance Sector, Architects of Positive Futures and IBM Design Institute)

 

3 Lenses of Digital Resilience

Just as the economic concept of digital spillover extends way beyond  online or mobile interaction, the concept of digital resilience expands beyond the traditional views for operational risk, IT infrastructure, cyber risk and recovery. Digital resilience encompasses the full scope of private and public sector functions, opportunity risk and competitive stance.

 

While less than half of all enterprises today, still maintain a strategy based on traditional IT infrastructure, a significantly larger percentage have yet to create suitable environments for new scenario planning, as the shift to cloud and networked processes accelerates. In the aftermath of the pandemic, enterprises with high levels of legacy IT, high technical debt, or poor interrelationships across digital, business and IT, are facing a full-scale reset, and a prolific expansion of scope in digital resilience.

 

Digital resilience is ultimately viewed through three lenses: stability, looking at new approaches in scenario immersion, security, looking at new approaches in trust architecture, and sustainability, looking at new approaches in extended environments.

1) Scenario Immersion: Stability

Networked processes

As enterprises and institutions evolve toward open, decentralized models, the profile of governance, technology and risk management has taken on great significance. Today, there exists a complex and unclear view in the overall stability and exposure faced across an extended digital environment, including the complexity, strategic control and opportunity risks associated with tightly coupled processes and networks.

Web-scale operators, who are often providers and competitors in these hyper-networked services have built low cost, low risk, high performant architectures, while rapidly expanding their focus and capacity to disintermediate all manner of service sectors.

In the global finance sector alone, during 2010-2020, institutions have collectively seen over half a trillion in operational risk losses. The shift to a more balanced approach across financial and non-financial risk has seen regulators intensify demand for transparency and pervasive controls for systemic risk stability and resilience. Enterprises are subsequently designing new control functions, to understand the true extent and scope of risk events, while building in flexibility to capture new opportunities.

 

Increased granularity in metrics and telemetry, site reliability to support multi-cloud operations, and embedded architectural governance, are some of the contemporary techniques deployed to provide assurance in regulation, transformation and expansion.

Expansive Scenarios

Strategies are shifting the focus toward high-touch communications for digital service design, outcomes for the wider market structure and resilience testing across a far broader range of future scenarios.

4 contemporary scenarios:

• Remote working disruptions: Workforces unable to commute for prolonged periods, caused by inaccessibility or server lockdown in-transit.
  
  
• Large scale data compromises: Unauthorized access and/or loss of public and non-public data and all associated risks once data is compromised.
  
  
• Public health crises: Pandemic outbreak of contagious of communicable diseases with threats to all or specific groups of people.
  
  
• Borderless ransomware: A large scale distributed denial of service, withheld data and extortion

 

Shoring up for digital resilience doesn’t stop here. The combination of VUCA ecosystems (Volatile, Uncertain, Complex and Ambiguous) and the transformative powers of well funded, well implemented emerging technologies, including on-demand, darknet cybercrime services, throws an alarming array of participants, with  new and unprecedented scenarios, into the arena.

Stability and resilience models for prevention, containment, response and absolute end-to-end recovery, require intensified review, collaboration and immersive preparation for plausible future scenarios.

Wind Tunneling

The concept of a wind tunnel is a considerable extrapolation of the historical policy stress test. The wind tunnel immerses the entire enterprise and/or institution, with all its supporting functions, as well as current as future strategies, through a series of simulated environmental shocks, both practical and far-reaching in scope. It mirrors the extremities of aerospace wind-tunneling with zero fault tolerance and zero trust design and engineering.

Wind-tunneling goes beyond the stability and resilience of the current state, to model out plausible future scenarios and stress the viability of both enterprise and competitor strategies in such events. The technique is further elaborated by modelling different objectives against these scenarios, whereby one objective may perform well in one scenario while a different objective performs less well. 

By looking into compelling, plausible futures such as competitor advantages, connectivity outages, cybercrime attacks, geopolitical shocks and more, early warning signals and metrics can be defined and monitored, to determine how these scenarios may actually be coming to pass. While this type of embedded adaptive resilience is not entirely new in economics and military strategy, extended enterprises now find themselves in this mindset, as they interact with an extended, high-tech ecosystems and either consciously or inadvertently become systemically important to that ecosystem.

In turn, this shifts the enterprise or institution toward more sophisticated adaptive and active policy implementation. In a study of globally and domestically systemic financial institutions, more than half of these still had a high degree of passive policy implementation, using basic frameworks and operating procedures, which, while satisfying legacy compliance obligations, did not support adaptive capacity for resilience, transformation and organic expansion.

Artificial and synthetic intelligence, together with extended reality systems, will evolve to play an increased role in advanced signal analytics. They will work 24-7 to collect, curate and visualize expansive data from the ecosystem. Innovation in all areas of resilience, will develop new themes of interpretation, as diverse inter-agent teams are brought together to make sense of information abstractions and join forces in immersive simulations.

2) Trust Architecture: Security

Exploding Cyberthreat

All emerging technologies, while presenting transformative innovation and opportunity, are accompanied by new security threats and an increased attack surface. From a proliferation of cloud connectivity, to AI and XR, from sensor, nano and biotechnology, to new interfaces, spectral transmission and quantum computing, an expanding, decentralized attack surface comes with expansive cybercrime syndication and increased requirements for collaborative defense across public and private domains.

The full scope of cybercrime is a multi-trillion-dollar concern, affecting enterprises, society and states, and yet, historically, defense has lacked effective coordination. Cybersecurity for example, has been largely regarded as a discipline distinct from money laundering or violent crime, diamond smuggling as distinct from terrorism, market abuse as distinct from espionage. As virtually everything becomes connected to cloud environments, physical, biological and digital assets alike, bad actors will continuously update their techniques and offer low barriers to entry to extend syndicated participants. They will deploy their own enterprise-level intelligent systems, optimized attack life-cycles and international networks. Private and public domains should therefore increase efforts to go beyond basic coalitions and build hi-tech ecosystems that will dismantle illicit infrastructure.

 

While masterminds of cybercrime certainly exist, many threats are simply unsecured networks and devices, and exposed sensitive data. Notwithstanding, hyper-networked enterprise and techno-social processes increasingly operate in extended perimeters, with invisibility and high-frequency. While decentralized economics, innovation and data sharing brings positive disruption and opportunity to the private sectors, it also places any participant in scope for cybercrime attack and defense.

 

Regulators are increasing their guidance in cybercrime capabilities, now with the same level of oversight and focus applied to economic risk and to operational and physical-security risks. However, economic flows are really a function of information flows, such as acquiring, exchanging, processing, storing and deciding upon information, and information technology enablement is advancing faster than effective regulatory innovation. Large volumes, complexities and fragmentation of multi-jurisdictional and interlinked regulation can hinder the abilities to effectively to share high-quality information where its needed and create as many governance issues as they aim to solve.

The investment and cost drivers associated with cybercrime compliance and control are distributed deep and wide throughout enterprise and societal processes. Process inefficiencies are prevalent in interpreting and enforcing rules, scenario planning, reporting and investigative functions. IT inefficiencies in duplicative effort, operational rework and legacy infrastructure, all contribute to an expansive compliance “bulk.” Effective compliance operations are dependent on complex information supply chains involving large-scale data processing, evolving standards, and surveillance, increasingly powered by advanced, immersive analytics and artificial intelligence. Trends suggest the multi-billion dollar market for AI cybercrime technologies will see a tenfold increase throughout 2022-2030.

Designing for cyber defense targets the expanse of effort required to protect institutions, markets, enterprise and individuals. The 4Ps of People, Product, Process and Permissions represent key dimensions, shifting from perimeter and network firewalls and controls, to whole system monitoring of decentralized environments, across partner systems and myriad home and mobile devices.

 

Mitigating risk is fundamental to realizing innovation. Public and private sectors alike, increasingly rely on each other to gain cybercrime intelligence and capability, protecting individuals, enterprises and international security. Well-constructed, interactive human, data and technology architectures actually enable, rather hinder agility, enabling more accessible and expansive economic and techno-social systems.

As public and private domains work toward zero-trust architectures, top of mind in cybercrime alliance, are concepts of Decentralized Collaboration, Cyber AI and Secure-by-Design.

 

Decentralized Collaboration

Specialized cloud platforms cannot only reduce costs and shift operations toward a variable cost structure, they can also increase capacity, improve controls, and help to better predict drivers over time, moving toward higher value intelligence operations, supporting growth and keeping pace with regulatory change. The global complexities of information sharing can be more effectively managed through coordinated approaches to critical data assets, data quality, lineage and security.

A cloud platform-based approach to cybercrime enables the pooling and enhancement of functions, data and technologies, lowering the costs of ownership and continuous management across infrastructure, software, and hosting. High-performance processing and mining engines can perform analytics at a fraction of the cost of relational database processing. Real-time workflows and dynamic monitoring capabilities can be supported through improved interfaces and visualization. Coordinated platform implementations support improved information security and collaboration, and lay the foundation for driving further economies of scale through innovations in blockchain and decentralized collaborations.

However, decentralized cloud environments demand increasing sophistication in data protection, ciphers and analytics. These can include more granular access rights, implemented via policy-as-code; enhanced analytics for early warnings across the dimensions of the 4Ps; 3D secure for orchestrating dynamic authentication; tokenization methods to facilitate privacy by design; elastic log monitoring for expansive data sets; and continuous encryption innovation powered by high-performance computing, multivariate cryptography and post-quantum ciphers.

In transition design, a holistic view of security consolidation across multiple cybercrime disciplines and supporting mesh architectures helps to establish aligned governance through permanent nodes, while dedicated task cells can continuously update and enhance practices, protocols and technologies.

Ultimately, everything in cyber-defense depends on awareness of assets, attack vectors and the overall attack surface. New zero-trust architecture capabilities are being deployed, as the defence focus shifts to as-a-service cloud capabilities and expansive data. The technological response and overall architecture must be as distributed and decentralized as the digital economies and techno-social processes themselves.

Cyber AI

As has been seen in the intense, automated-decision worlds of high-frequency trading, machine learning algorithms can examine the vast amount of contextual data moving across networks in real-time, far more effectively than humans ever could. Cyber AI, however, is far from a tool, but an orchestration of all its capabilities; ML, NLP, reinforcement, autonomics and robotics all composed to achieve scale, focus and cyber resilience.

In recent times,  the most direct benefits from the group of technologies comprising Cyber AI, have been in granular signal threat detection, asset transparency, alerting, analysis and investigation processes. In cybercrime operations, manual activities associated with communications, multi-channel research, data capture, identity management, case management, records updating, system health checks, ranking, routing and reporting, have increasingly been automated to free up capacity, while improving speed and accuracy. Automation and Cyber AI combined, enable the determination and packaging of insights for intelligence teams supporting the end-to-end lifecycle of scenario planning, detection, containment and response.

While machine teaching has been a persistent bottleneck, this is steadily diminishing, particularly with low/no-code inputs from more open networks. More efficient transitions from supervised to unsupervised machine learning  overcome the challenges associated with availability of historical data for teaching algorithms. Cyber AI techniques can then be deployed to more accurately tune and model risk, reducing the overload of false alerts generated from outdated processes, and drawing attention to risks previously unidentifiable by other means.

To counter more sophisticated cybercrime, Cyber AI defensive capabilities can span security operations and interactive monitoring, as well as automated countermeasures and administration. Cyber AI can use machine learning to continuously adapt, defend and mitigate changing attack patterns, from signal jamming to DDoS ransomware, to fraud and economic crime, to autonomous controls in an expanding API architecture.

 

Ultimately, the combination of granular risk analytics and Cyber AI, create a powerful force multiplier, providing a real-time understanding of the expanding attack surface, ensuring that new vulnerabilities do not manifest, and driving real-time predictive and preventative capabilities.

 

Secure-by-Design

Embedding cyber-defense within the software lifecycle, requires well designed development practices, cloud governance and deep understanding of service architecture.

In development practices, enabling an agile flow of security specialists to specific service and cloud native development teams ensures on-demand expertise. More specialized developers can incorporate dynamic modeling, testing and scanning in-flow, while codified security and policy is implemented into the design workflow.

 

In establishing multi-cloud governance, webscalers handle many security concerns directly. Combined with codified infrastructure, well governed auto-scaling, mesh architecture, rapid provisioning and whole system monitoring, exposure can be limited to an absolute minimum.

Nested inventories of components are best made transparent, through end-to-end visibility of service-chains and interacting layers, combining all aspects of IT architecture, IT service, API and microservices data in an overarching view of service architecture.

Clearly, the picture for Secure-by-Design is a real shift from centralized tick-box compliance, to interacting technology and culture for decentralized resilience.

3) Extended Environments: Sustainability

 

An integrated approach

Extended environments, comprise of interconnected human and digital resources. Beyond traditional value-chains, sustainability strategies shift the focus to toward net positive outcomes and responsible communications across a wider ecosystem.

The challenge is in integrating sustainable resilience into risk management processes, experience design, purpose statements, and long-term strategies.

While Environmental, Social and Governance regulation and incentivization is intensifying, in reality, exposure calculation is complex. There is a distinct lack of standard practices, and limited agreement on common calculations and core metrics to track progress. There are common themes across operational risk, digital resilience and sustainability, yet these disciplines remain largely disconnected.

Well intentioned mandates in both public and private sectors can have severe downstream impacts on economics and social processes, and detailed analysis and holistic views incorporate and secure the benefits of digitization, ensuring value is tangible and preserved into the future.

An integrated ESGD (Environmental, Social, Governance and Digitization) approach is evolving, and will undoubtedly evolve with new monikers. Far from media platitudes, digitization and emerging technologies can be seen as the most important drivers of sustainable resilience and circularity, and private and public domains are gradually evolving to interconnect ESGD goals. Interdisciplinary, holistic and technocratic approaches, not only protect against ill-conceived policy, but create an art of the possible arena for positive transformation.

Passive to Active Mode

 

By connecting ESGD goals, Sustainability objectives shift from an all too common passive policy implementation to an active policy implementation.

In passive mode, the focus is on awareness and adoption, with well-intentioned procedural guidelines and playbooks, and yet a lack of clear taxonomy, with specified control metrics and definitions that can be evidenced and objectively compared to standards and corrections. Values, policies and plans are defined, independent of economic impact; Reference libraries of measures comprise of non-standardized guidelines; and the overall sustainability operating model, operates in parallel to the public or private enterprise operating model.

In active mode, the focus is on taxonomy and measurement, integrated in real, networked operational settings and collaborative governance forums. Sustainability is aligned with operational settings; metrics are embedded and linked with economic impact and resilience; the overall sustainability operating model is tightly integrated with the public or private enterprise operating model, and in agile and holacratic settings.

By shifting to active policy mode, the power of digitization to support sustainability objectives is illuminated, exposing a raft of measures and impacts that can be effectively traced, tracked and predicted through analytics and scenarios.

 

Codifying Measures

Some reports suggest that sustainability represents a greater transformation than digitization; they are of course, highly interconnected. There is. however, an important difference between sustainable technology and sustainability through technology.

Taking as an example, the earth's glacier behavior. There is no shortage in commentary advocating quite dramatic public and private sectors changes to tackle the threat from diminishing glaciers, based on their role in the stability of earth’s habitable environment. There is less active engagement in the technologies that continuously examine and mitigate against this. These include remote sensing through GIS and autonomous drones, laser techniques that measure photonic changes within glaciers, AI capabilities that can model glacier behavior and scenarios, and terraforming techniques to preserve, modify and even create glaciers. This abstract, yet topical example is of course, the tip of the iceberg! As we drill down to many other areas of concern in sustainability, a comparable pattern emerges, with digitization and advanced information technologies  providing insight and resolution.

Questions for Policy in the Extended Environment :

• How is sustainability built into risk models and advanced analytics ?
• What is expected of services, investments and assets, and how will reputation be affected ?
• How is IT capacity and energy consumption correlated in a multi-cloud environment ?
• How well do we understand the lifecycle of digital artifacts and information production ?
• How is information used in long-range decision making ?
• Are we optimizing re-use in all processes ?
• Are we innovating responsibly and ethically ?
• How are all physical materials we interact with sourced and engineered ?
• Are we connected with the right communities to support continuous iteration ?

 

A resilience movement

The scope of the so-called great reset, is a story of a new movement in digital resilience. Stability, through immersion in unprecedented scenarios. Security, with breakthroughs in trust design and build; and Sustainability, in environments extending way beyond the familiar zones of yesterday.

It is a story of careful curation and cultivation of all these elements, with global infrastructure as the medium of polity, impacting all aspects of human and technological life.

Author: Ivan Sean, c. 2018-2022 | USA
© 10 Sensor Foresight

Period: 2016-2022 | Language: English
Core Concepts: Scenario Immersion; Trust Architecture; Extended Environment
AI-Usage: Non-generative digital platforms, output validation
Conflict of Interest: None
References: 'Scenario Immersion', Global Finance Working Group, Canada, 2018 | 'Resilience Reset', Architects of Positive Futures Key Note Talk, Asia-Pacific, 2019 | 'Designing for Resilience', expansion of research originally published by IBM Institute, 2018 |