How to build information systems that can withstand a crisis
In 1989, the Berlin Wall came down and the digitalisation of society accelerated. But as the security situation deteriorates, we need to rethink how we protect our information systems. What is needed is not security in the style of a new wall, but the properties of a blade of grass: that is what leads to resilient information systems.
A solidly built wall can withstand attack for a long time, but when it falls, it falls hard. Bricks tumble, rebar sticks out, dust rises. From protection, it suddenly becomes something in the way, a broken obstacle that can even hurt you if you are not careful.
"Our whole society is now built around various forms of digital, networked information systems," says Carl Heath, senior researcher and focus leader for digital resilience at RISE.
"They started to develop in the 1990s, in the years after the fall of the Berlin Wall, when the security situation looked quite optimistic. But since February 2022, the situation is completely different. We need to evolve our way of thinking about security and think more about resilience in addition to robustness."
The blade of grass bends with the wind, but rises again
A robust system is like a wall. It can withstand a lot, but if it falls, it falls hard, is useless, and is difficult to repair.
"A resilient system, on the other hand, should be able to withstand and recover from disruptions, crises and threats while maintaining its function, availability and integrity. It can be compared to a blade of grass that bends with the wind – no matter how hard the wind blows and storms, it will rise again."
And the importance of this becomes clear when Carl Heath starts to list all the interconnected information systems that a society today consists of and depends on: telecommunications, energy supply, traffic lights, or even something as simple as a single car. Digitalisation offers enormous opportunities to achieve the social, environmental and economic goals of our time, but it also makes us enormously vulnerable.
"In other words, when we talk about the security of information systems, we are talking about the resilience of society as a whole to attack. Everything from ransomware against individual companies to large-scale hybrid attacks by state actors."
In such a situation, a resilient system, unlike a robust system, will not break down and become unusable.
"Instead, it will adapt. It may have a built-in way of rerouting information so that key functions can still be used, but without moving into the damaged area so that it can be repaired."
It is very important that these issues are part of the strategic development work
So what makes an information system resilient?
The technology has to work, of course, but the more interconnected we become, the more obvious it becomes that the organisation around the technology has to work as well.
Carl Heath uses the energy system as an example: "It exists at several different organisational levels (from the Swedish national grid to the solar panels on your summer cottage, and from the national Svenska Kraftnät to a municipal energy company), all of which must be able to interact with each other in a secure way."
"The regulatory framework for these systems must allow them to talk to each other so that the information that needs to be shared can be shared, but also so that the information that should be kept secret remains secret. This is complex because it means that different actors with very different requirements have to work together, otherwise there will be gaps."
Achieving resilience requires a vision
But how do you get there? First, you need a vision, a picture of how this digital world built in peace can withstand serious threats, even war.
"You have to ask yourself what you want to achieve, what levels are reasonable, what are our commitments. It is very important that these questions are part of the strategic development process."
Secondly, we need to know what systems we have today and what risks and threats they face. An important part of this is exercises.
"We can identify different events and situations in theory, but to really understand them and know how to deal with them, we need to practice. Through practice we can also discover the risks and gaps we hadn't thought of before."
One such exercise is Nordic Pine, a NATO exercise on the sustainability of the Nordic energy sector, in which RISE is a key partner.
"RISE is made up of 3000 nerds who have cutting-edge expertise in a wide range of areas. We know about technology development and we can do exercises, we can contribute with a knowledge map and we can create meeting places. Building resilient information systems involves technology, organisation and people, and requires the ability to manage all three."