Co3 Systems Changes Its Name to Resilient Systems

Today my company, Co3 Systems, is changing its name to Resilient Systems. The new name better reflects who we are and what we do. Plus, the old name was kind of dumb.

I have long liked the term "resilience." If you look around, you'll see it a lot. It's used in human psychology, in organizational theory, in disaster recovery, in ecological systems, in materials science, and in systems engineering. Here's a definition from 1991, in a book by Aaron Wildavsky called Searching for Safety: "Resilience is the capacity to cope with unanticipated dangers after they have become manifest, learning to bounce back."

The concept of resilience has been used in IT systems for a long time.

I have been talking about resilience in IT security -- and security in general -- for at least 15 years. I gave a talk at an ICANN meeting in 2001 titled "Resilient Security and the Internet." At the 2001 Black Hat, I said: "Strong countermeasures combine protection, detection, and response. The way to build resilient security is with vigilant, adaptive, relentless defense by experts (people, not products). There are no magic preventive countermeasures against crime in the real world, yet we are all reasonably safe, nevertheless. We need to bring that same thinking to the Internet."

In Beyond Fear (2003), I spend pages on resilience: "Good security systems are resilient. They can withstand failures; a single failure doesn't cause a cascade of other failures. They can withstand attacks, including attackers who cheat. They can withstand new advances in technology. They can fail and recover from failure." We can defend against some attacks, but we have to detect and respond to the rest of them. That process is how we achieve resilience. It was true fifteen years ago and, if anything, it is even more true today.

So that's the new name, Resilient Systems. We provide an Incident Response Platform, empowering organizations to thrive in the face of cyberattacks and business crises. Our collaborative platform arms incident response teams with workflows, intelligence, and deep-data analytics to react faster, coordinate better, and respond smarter.

And that's the deal. Our Incident Response Platform produces and manages instant incident response plans. Together with our Security and Privacy modules, it provides IR teams with best-practice action plans and flexible workflows. It's also agile, allowing teams to modify their response to suit organizational needs, and continues to adapt in real time as incidents evolve.

Resilience is a lot bigger than IT. It's a lot bigger than technology. In my latest book, Data and Goliath, I write: "I am advocating for several flavors of resilience for both our systems of surveillance and our systems that control surveillance: resilience to hardware and software failure, resilience to technological innovation, resilience to political change, and resilience to coercion. An architecture of security provides resilience to changing political whims that might legitimize political surveillance. Multiple overlapping authorities provide resilience to coercive pressures. Properly written laws provide resilience to changing technological capabilities. Liberty provides resilience to authoritarianism. Of course, full resilience against any of these things, let alone all of them, is impossible. But we must do as well as we can, even to the point of assuming imperfections in our resilience."

I wrote those words before we even considered a name change.

Same company, new name (and new website). Check us out.

Posted on February 17, 2015 at 6:53 AM • 19 Comments


jbmooreFebruary 17, 2015 8:19 AM

Yeah, but IT systems have a long way to go before they will be as resilient as the simplest biological systems. There are layers of redundancy built into every cell whether it is the simplest bacterium or a human cell. And, they are capable of self-repair, even if it is error-prone. A damaged, but working system after repair, is better than a dead system. IT systems are still quite brittle when seen in that light. FPGAs could possibly change that with the right programming if my recollection is correct.

NateFebruary 17, 2015 2:43 PM

Well, crud. Where am I going to get my carbon trioxide from now?

Resilient is a much better name, yes.

Nick PFebruary 17, 2015 3:03 PM

Bruce posting a bunch of good papers for me to enjoy? I like the role reversal! Haha. Nice name change, too.

I've been using the term Robustness that NSA etc use for damage prevention/containment. Maybe we'll keep that and use Resilience for damage recovery. Then add Reality for the fact that organizations need to aim to have both properties in critical systems. Three R's should help the PowerPoint addicts, too.

Nick PFebruary 17, 2015 3:44 PM

@ kazoonga

Maybe it's the Schneier-Slashdot effect we used to hear about so much. Bet that brings back memories to some long-time readers.

@ all

re papers Bruce posted

I'll have to get the ACM and IEEE papers later when I can access their site. The best ones in PDF for practical benefit are these:

1. Toward Exascale Resilience by Cappello et al.

2. Dependability and Resilience of Computing Systems by Laprie

3. The Architecture of a Resilience Infrastructure for Computing and Communication Systems by Avizienis

Personally, I think 3 might be overdone given the reliability achieved by SOI fabs and Nonstop Architecture. My proposal was to combine those two technologies with a clean-slate secure processor (eg SAFE) and low defect software development methods. Hard to see that failing or easily code injected except through the most unlikely situations. Could always include a few hardwired boxes to watch for *that* failure and safely restart the whole thing like Avizienis does. Yet, they could be simple microcontrollers, PLC's, or rad-hard chips. Cheap stuff (cept rad-hard maybe). To prevent *them* from wrongly restarting system, those boxes themselves would run in a redundant, voting configuration. Further, NonStop's original architecture is linearly scalable and should be patent free by now.

I keep hinting for people to steal NonStop architecture particularly for high availability in a new product or OS. So far, though, no low to mid cost vendors have straight up copied it. I still think it's the best route interim given *it worked for three decades*. I understand the need to investigate new methods. Yet, I think for availability, the situation in mainstream hardware is due to my standard meme: "a failure to learn from and apply the lessons of the past."

Clive RobinsonFebruary 17, 2015 3:47 PM

@ Bruce,

There you were the other day complaining about the leaking of information about Co3's new EU office....

Well you kind of leaked the name change here by changing the name/logo at the bottom of the blog pages before making the anouncment...

You realy should remember some of us notice these things ;-)

Clive RobinsonFebruary 17, 2015 4:37 PM

@ Bruce,

I forgot to ask as your EU office is in Reading UK does that mean you will be back over here more often?

Oh and can we expect to see you at "The Reading Festival" ;-) where this year you can hear "Mumford and sons" or "Bastille" [1]

Or maybe if you find yourself in Reading with nothing better to do you might want to tick off a few of their 27 item "bucket list"...

[1] My other half works with the sister of one of Bastille's members, and she has promised her we will get along and see/meet them, and I've been told I should be getting my finger out to get tickets... the trouble is I'm a tads to old to be sleeping in a tent...

Nick PFebruary 17, 2015 6:57 PM

@ Bruce

Do you have any idea why I can't download this article using my ACM account? Every now and then, all I get through Google on a good paper is an ACM citation with no download option. You've published plenty of papers so I figure you might know why that happens.

@ Any interested in paywalled papers

Good news is I found an external link for the above ACM paper. Shaeffer-Filho's IEEE paper can be substituted with this paper. Maruyama's paper has a public copy here.

KeithFebruary 18, 2015 3:21 AM

@ Clive
Get yourself booked into a hotel nearby. Then you can walk into the the festival daily, clean and well rested!

TomFebruary 18, 2015 4:15 AM

Resilience works! Just have a look on the various ways the NSA can use to monitor everyone. Change a law and they hardly need to adept at all. Put them under public pressure by leaking tons of their documents and they continue as before.

Trying to be anonymousFebruary 18, 2015 1:06 PM

Speaking of the new book...

Will you be making autographed copies available?
Are you taking any pre-orders, ahead of the listed publication date?

Can I go buy it at my local big-box book store with cash, so I don't leave yet another purchase history at Amazon?

WmFebruary 18, 2015 1:23 PM

Much better. I thought Co3 Systems was some kind of distributor of industrial, medical, and specialty gases, a competitor of Airgas.

ModeratorFebruary 18, 2015 4:42 PM

ACM Digital Library catalogs both material to which ACM holds copyright, and material from other publishers. Computer Networks is an Elsevier journal, and is available via ScienceDirect. You can get to that via the DOI link in the ACM Digital Library entry.

NystagmusEMarch 6, 2017 4:30 PM

Honorable Mr. Schneier, Thanks for your article(s) and commentaries and essays.
The re-quotes from your books make a lot of sense and are encouraging. Resilience is a term that I can relate to and value for a variety of personal reasons also.

The concepts of which you wrote about back in mid February 2017 seems exceedingly important these days and into the future (March 2017).

I feel also that there need to be more bridgings between technological prosilience/resilience and non-technologicals. There's a modern day US cultural bromance with recent technologies, however it's the human-based, anthropological social interpersonal sophistications that are the glues that hold civilizations together. And those are much older than our digital electronic trends, despite AI hype and non-hype.

Diplomacy and Peace Literacy are not meaningless topics.
Conflict-Resolution and Mediation are not meaningless topics.
Ecologically-Sustainable Permaculture and Natural Controls are not meaningless topics.
Civic Engineering is not a meaningless topic.

There seems to exist a massive cacophony and chaos of interactions amongst those who can afford WMD's, and yet basic common sense about simply not risking death of the entire is not available to their brains.

People's priorities of money-grabbing and thrill-seeking and intimidation/violence/hostility over sustainable peacefulness and decent coexistence is completely illogical. There is such a massive set of logical fallacies and contradictions and fractures involved in the behaviors of those who affect so many of us.

And meanwhile, many of us are woefully conditioned to accept the injustices and geocidal/suicidal insanity and risks and threats of imbeciles. This is why I say, "Do we really need to be waiting for permission to do the correct things? Do we really need to ask sociopaths for permission to dissent and deviate from their reign of terror, destruction, mayhem, malevolence, and poisonous foolishness?"

Anyhow, your thoughts in this area are very important. It's these areas and the areas you wrote about in "Liars and Outliars" which I believe ultimately supercede the tech talks in terms of importance and potential for problem solving. Please continue to nurture this exploration and development of good knowlege.


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.