In recent years, 'cyber resilience' has emerged as a supplement to the more traditional discourse on 'cybersecurity'. It even threatens to supplant the latter as an engineering and regulatory goal. Some policy entrepreneurs believe that 'cyber resilience' rather than 'cybersecurity' ought to be a primary aim of information systems development. In their view, the quest for cybersecurity downplays or overlooks the fact that insecurity is a fundamental, inescapable element of the digital world, whereas the premise of cyber resilience is that cyber threats are the rule, not the exception; cyber resilience thereby allegedly embraces a perspective offering a more realistic approach to threat management. Proponents of cyber resilience as an overarching goal also see it as offering greater flexibility and pragmatism than the traditional concern for cybersecurity, characteristics that are especially important in a fast-changing threat environment. Yet in terms of methodology, operationalization and legal norms, to what degree does focusing on cyber resilience actually differ from cybersecurity-focused discourse? Are the differences more cosmetic than substantial? And to what degree is an overriding concern for resilience compatible with legal requirements, particularly those recognized in human rights jurisprudence? It is with such questions that this paper is concerned. The paper's underlying message is that cyber resilience ought not to take priority over cybersecurity as a public policy goal; rather, both goals ought to be met. This message is buttressed by four basic points. First, the interrelationship of cyber resilience and cybersecurity as conceptual constructs and public policy goals is marked by ambiguity and normative muddle, and this state of affairs has helped allow misleading characterizations of their differences to proliferate.
Second, existing law significantly restricts the degree to which a quest for cyber resilience may replace the quest for cybersecurity. Third, contemporary security engineering methods together with recent legislative reforms have injected greater flexibility and threat awareness into cybersecurity thinking. Fourth, operationalization of cyber resilience is achievable within an appropriately comprehensive 'security-by-design' framework, such as that required under EU law.