• resilience;
• security;
• surveillance;
• cyber-war;
• Stuxnet

This article seeks to discuss two key challenges in the area of cyber-resilience. First, it asks: who owns UK cyber-resilience? Some 80 per cent of the UK's critical national infrastructure is in private hands and the last decade has seen efforts to legislate away some of the problem of resilience by creating legal duties for service providers. This has contributed to a new ecology for intelligence, security and resilience consisting of complex state–private citizen partnerships. However, it is unlikely that populations will accept this approach to risk-shifting when systems fail. Second, it considers what constitutes genuinely robust cyber-defence after the Stuxnet event of 2010. Arguably, any system that depends on information technology, however well protected, is now vulnerable. There is a dawning realisation that the best technical solutions offer only partial assurance. Paradoxically, in an era when the Internet seems ubiquitous, a mixture of analogue and manual systems – often called systems diversity – offers a solution. However, mixed or diverse systems are a declining legacy and not the result of design. We close by discussing the immense challenges that the growing prevalence of electronic systems will bring.