Businesses must "embrace chaos" to improve cyber resilience
RSA's CEO on what Netflix's internal network disruptor and the WannaCry hack can teach the security industry


It is no longer enough to "be resilient" when it comes to cyber security, the CEO of RSA said on Monday.
On the first day of the organisation's annual conference, RSA 2021, Rohit Ghai said that companies must become "good" at resilience by "embracing chaos".
Ghai highlighted the importance of strong cyber resilience, citing recent attacks, their unlikely origins and their tragic consequences. For example, 2020 saw the first death as a result of ransomware after hackers shut down a hospital in Berlin, along with a massive-scale Twitter hack, orchestrated by a 17-year-old, that affected CEOs, celebrities and even former US presidents.
Last year also saw more and more people tune into services like Netflix for lockdown entertainment, with 34 million people watching Tiger King in its first 10 days on the platform. But how Netflix maintains a resilient IT network and avoids downtime is a good example of "embracing chaos", according to Ghai.
"In 2011, Netflix was preparing to move its content from the data centre to the cloud," Ghai said. "They knew availability and performance were critical to user experience and they had to design a fault-tolerant architecture within an environment they didn't fully control. So they invented something called 'Chaos Monkey'."
This is an automated system that randomly terminates instances or computers on the Netflix network to test how resilient they are. By regularly "killing" random software services, Netflix suggests it is possible to test a redundant architecture and verify whether a server failure would noticeably impact customer experience.
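A minimal model of that experiment, added here as an illustration and not Netflix's Chaos Monkey code: each trial terminates one randomly chosen instance and then checks whether every service can still answer. The service names and replica counts in `PLAN` are constructed for the example.

```python
import random

# Constructed fleet: service name -> number of redundant instances.
PLAN = {"catalog": 3, "playback": 2, "billing": 1}

def chaos_experiment(replica_plan, trials=200, seed=2021):
    """Return {service: number of trials in which it had no instance left}."""
    rng = random.Random(seed)  # seeded so a run can be repeated exactly
    outages = {name: 0 for name in replica_plan}
    for _ in range(trials):
        # Fresh fleet each trial: every service starts with all replicas up.
        fleet = {name: [f"{name}-{i}" for i in range(count)]
                 for name, count in replica_plan.items()}
        # Chaos step: every running instance is equally likely to be picked,
        # so services with more replicas are hit proportionally more often.
        victim_service = rng.choice(
            [name for name, instances in fleet.items() for _ in instances])
        fleet[victim_service].remove(rng.choice(fleet[victim_service]))
        # Steady-state check: a service with no instance left cannot answer,
        # which is the customer-visible failure the experiment looks for.
        for name, instances in fleet.items():
            if not instances:
                outages[name] += 1
    return outages

def single_points_of_failure(replica_plan, **kwargs):
    """Services that a single random termination was able to take down."""
    results = chaos_experiment(replica_plan, **kwargs)
    return sorted(name for name, count in results.items() if count > 0)

if __name__ == "__main__":
    print("outages per service:", chaos_experiment(PLAN))
    print("single points of failure:", single_points_of_failure(PLAN))
```

Services with at least two instances never record an outage from a single termination, so whatever the experiment reports is the part of the architecture that lacks redundancy.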
"By bringing in and building in chaos, this tool accounted for a common type of failure and ensured graceful degradation and survival without any impact, in fact, simulating creation of the Netflix Simian Army, a collection of tools to help prepare for chaos," Ghai added.
Another area of chaos to embrace is recruitment, according to Ghai. For the security industry to grow its community in a way that improves resilience, he "implored" organisations to consider employing hackers from 'chaotic' backgrounds, such as WannaCry hero Marcus Hutchins.
"When he was nine, Marcus took apart his family's computer and the code that operated it," Ghai said. "At 14 he created a password stealer. At 15, he ran a botnet of more than 8000 hacked computers. And then in 2017, he was the individual that found the kill switch for the WannaCry worm, saving the internet.
"It wasn't a straight and narrow path for Marcus. Though he eventually worked his way into a legitimate cybersecurity career, he was on the dark side but became a grey hat. In 2017, he was arrested and faced trial for his past mistakes. The judge's lenient sentence acknowledged his remarkable contribution."
Ghai called it an "act of inclusion and profound wisdom" which showed that the industry needed to find ways to include bright minds and attract them into the security community.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.