10 June 2020

Cybersecurity Lessons From the Pandemic, or Pandemic Lessons From Cybersecurity

By Herb Lin 

Fred Cohen was the first person to introduce the term “computer virus.” In a 1984 paper, he defined it as “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself. With the infection property, a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows.” (The original 1984 paper was eventually published in 1987.) Since then, the security company Kaspersky claims, rightly so, that “when it comes to cybersecurity, there are few terms with more name recognition than ‘computer viruses.’”

This bit of history has taken on new meaning now that the world is in the midst of a global pandemic caused by a biological virus, the novel coronavirus, that induces an unusual and novel disease, COVID-19.

The Cyber Solarium Commission’s release today of its white paper “Cybersecurity Lessons from the Pandemic” is particularly significant against this backdrop. In March, the commission—a bicameral, bipartisan group tasked by Congress to develop pillars of U.S. cyber strategy—released its original report; this white paper is an appendix to that. Below are some of my thoughts on this commission white paper, as well as some thoughts about the pandemic lessons we can draw from cybersecurity.


The stated goal of the white paper is to “collect observations from the pandemic as they relate to the security of cyberspace, in terms of both the cybersecurity challenges it creates and what it can teach the United States about how to prepare for a major cyber disruption.” This goal motivates the title of the paper—“Cybersecurity Lessons from the Pandemic”—and as an analyst and scholar in the cyber field, I wholeheartedly endorse both the analysis and the recommendations set forward in the paper, though there are certain areas (addressed below) where I would have made even stronger statements.

I also believe that there are important pandemic lessons from cybersecurity that would have saved the U.S. much economic and medical heartbreak had those lessons been heeded earlier, even only in the context of cybersecurity. Of course, the Cyber Solarium Commission’s report was released after the coronavirus hit the United States. But many of the commission’s insights and recommendations on cybersecurity echoed guidance that has already been provided publicly to the U.S. government and others in multiple reports over the past three decades.

For instance, here are some of the first words of the chairmen’s letter contained in the original report:

Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system. ... The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. ... A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.

Those words echo much of the first paragraph from the 1991 National Research Council report “Computers at Risk”:

We are at risk. Increasingly, ... computers ... control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable—to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb.

The primary significance of the Cyber Solarium Commission’s report is that it compiles in one place much of the cybersecurity wisdom of the past 30 years. (If you can read only one report on cybersecurity, read the commission report!) And it packages that wisdom in a readily actionable form for the U.S. government. That wisdom, had it been followed and implemented, would have better prepared the United States for the pandemic.

So, let’s look at some of the commission white paper’s insights and recommendations from the perspective of what it says about how the nation should have responded to the coronavirus and what steps it can take to course-correct the national response.

The executive summary of the white paper itself makes a good start in this direction, noting that:

The lessons the country is learning from the ongoing pandemic are not perfectly analogous to a significant cyberattack, but they offer many illuminating parallels.

First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.

Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.

Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.

Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.

This is inarguably true. Indeed, had the U.S. government been committed to working cooperatively with other nations to prepare for a cyberattack, institutional mechanisms within the U.S. government would have already been in place to facilitate international cooperation in the event of a pandemic. Effective cybersecurity preparation has benefits that extend far beyond the cyber domain—more deliberate cyber preparation would have left the United States with the interagency capabilities and international partnerships to have mitigated the impact of the pandemic. Had the United States taken the route of international cooperation, the details of the pandemic response would have been different (for example, different people to call, different private-sector companies to approach), but throughout government there would have been decision-makers in place who were receptive to the idea of international cooperation. Trusted liaisons with key private-sector institutions would also have been in place to disseminate reliable and science-based information to facilitate an effective whole-of-society response as well as to enable private-public coordination of responses.

In Section 1 of the white paper, the commission calls special attention to 32 of the commission’s original 75-plus recommendations that it believes deserve special attention in light of the nation’s pandemic response and associated social-distancing protocols. Collectively, this subset of 32 recommendations addresses:

The need to digitize critical services and to do so securely.

The need for a more secure and reliable cyber ecosystem, given the increase in working from home, and the importance of the U.S. government in leading the push for that ecosystem.

The need for capacity to combat opportunistic cybercrime, such as the increases in fraud and other malicious activity that have accompanied the pandemic.

Secure digitization of critical services and a more secure cyber ecosystem would of course have been of great value for the public as it adjusted to the shelter-in-place requirements made necessary by the pandemic. Of particular note is the “working from home” point. Remote work increases the attack surface for corporate environments, as lax home-computing environments are now brought inside what used to be corporate security perimeters. But these work-from-home environments rarely enjoy the more sophisticated security protections afforded by large corporate employers. These steps would have fostered a safer and more secure transition to remote work—yet no matter how secure the home environment, threats evolve rapidly. Individuals working from home will always need corporate-grade security support in the form of help desks and other security management services that are difficult to provide without professional security assistance.

To see the relevance of these requirements for the coronavirus, consider their analogue in the health care sector: the need to upgrade public health services and for the U.S. government to push for increased capacity and robustness in its public health system in order to combat opportunistic disease vectors that may appear anywhere in the world. In addition, there is the need to deal with the various collateral consequences of a pandemic, such as the resulting neglect of other medical or disease issues that continue apace during the pandemic. The coronavirus exposed the antiquated and inadequate bedrock of our health care system, as it did our cybersecurity infrastructure.

Section 2 of the white paper focuses on recommendations intended to ensure that the United States is well positioned to prevent and, if necessary, respond to a crisis induced by a significant cyberattack. The white paper emphasizes these particular recommendations because the current pandemic has highlighted their importance. Section 2 calls out:

Strategic leadership and coordination, both domestically and internationally, and the importance of planning to ensure continuity of the economy.

Preparedness efforts led by the government to ensure the availability of critical resources and a workforce ready to aid in response and recovery efforts.

Prevention and mitigation efforts underpinned by a solid foundation of comprehensive data, a strong understanding of the risks posed by a crisis, and a data-driven approach to risk mitigation.

Response and recovery capability and capacity, including prior planning and frameworks to coordinate policy responses, such as establishing a “Cyber State of Distress” and invoking the Defense Production Act.

Capacity to counter disinformation through societal resilience and organizations that identify, expose and explain malign foreign influence operations.

The first through third items and the fifth item are directly applicable to the national response to COVID-19. The fourth item is directly applicable simply by replacing “Cyber State of Distress” with “Public Health State of Distress.” But these items can and should go further. In particular, these items emphasize the role of the federal government. Given the incompetence and incoherence of the federal response to COVID-19, it would be prudent for state and local governments in the future to anticipate the risks of failure in federal responses—whether to a pandemic or to a significant cyberattack—and to do what they can to mitigate such risks.

The emphasis on malign foreign influence operations is also well taken, but cast as such, it fails to recognize that malign influence operations can be conducted by domestic actors as well—and that such domestic actors may include the nation’s political leaders at all levels of government. Domestic leaders who disregard science-based advice for either pandemics or cyberattacks and who polarize the public for political benefit are themselves conducting malign influence operations. Those who select their advisers on the basis of loyalty rather than competence undermine the ability of the government to defend the nation. As an entity of the U.S. government, the commission’s report cannot be faulted for not making this point, but it is a point that nonetheless needs to be made.

Ultimately, that the United States has not yet implemented the commission’s recommendations despite most of them being available for many years prior cannot be laid exclusively at the feet of the Trump administration—the administrations of Ronald Reagan, George H.W. Bush, Bill Clinton, George W. Bush and Barack Obama also bear some of the responsibility for inaction.

Since many different administrations failed to act decisively on cybersecurity, one might look for a common underlying factor. In my opinion, the common factor can be found in the main commission report, which states:

As more people and devices connect to each other, the power and reach of cyber operations grow. ... Our modern way of life depends on the integrity, confidentiality, and availability of data. From medical records, financial information, and our most personal communications to modern military operations, the individual and the state rely on data. But as we increase our reliance on data, our adversaries have developed new tools that hold data and essential information systems at risk. The entire system through which data flows into products, devices, and services is vulnerable.

This observation is entirely correct, but it should be noticed that the report takes as a given the desirability of increasing our reliance on data. Yes, we obtain many advantages from increasing digitization, in the form of both increased efficiency of existing goods and services and the enabling of entirely new ones.

But increasing digitization inevitably increases vulnerability and risk as well. As one example, prioritization of efficiency has led to an economy that is increasingly tied to just-in-time workflows that minimize waste. Digitization is the key enabler for such workflows, which all are well and good in an environment where supply chains are working as expected. But almost by definition, when supply chains in a just-in-time environment are disrupted, the system grinds to a halt until such chains can be reestablished—as we’ve seen during the coronavirus pandemic. Such an environment is the very antithesis of resilience.

More generally, demands for the advantages afforded by increasing functionality in our digital systems will drive increases in their complexity in the long run. Complexity is the archenemy of security, and it is ever more important today to question whether the advantages of digitization are worth the disadvantages in security. (For more on this point, see this video.) Administrations past and present have answered this question strongly and broadly in the affirmative. Perhaps future administrations will come to somewhat different conclusions.

The white paper is organized around the idea that the pandemic holds many lessons for cybersecurity—and it does. But the reverse is true as well, and the history of cybersecurity suggests its own lessons for dealing with pandemics. In 1984, Cohen concluded that computer viruses were a serious problem for computer security, that “[then-]current systems offer little or no protection from viral attack, and that the only provably ‘safe’ policy as of this time [in 1984] is isolationism.” The term “isolationism” has an eerie resemblance to the principal defense mechanism in today’s pandemic world: social distancing, sheltering-in-place or quarantine. Public officials could do worse than to consult that history—and the Cyber Solarium Commission’s work—as one source of guidance for useful ways to respond to a pandemic.

No comments: