Without belaboring the point, there are many similarities between the COVID-19 pandemic and cybersecurity, and the response to the pandemic holds lessons for cybersecurity.
We Know It Is Coming
For decades, public health planners have been warning that there would be a novel (no-immunity) disease that would spread across the globe and cause damage and destruction. The same is true for cybersecurity professionals. Whether it is warnings about potential zero-day attacks, a cyber “Pearl Harbor,” massive cyber warfare, cyber-terrorism or similar attack, we know that we are vulnerable, and we have (to some extent) mapped out the most likely scenarios and defenses to them.
We Planned for This
In both biological and cyber terms, we have contingency plans. In both cases, we have table-topped, war-gamed, red-teamed and mapped each likely scenario, the critical dependencies, the probable responses and more. We have done this on a national level, on a state level and, to a greater or lesser extent, on a corporate preparedness level. Problem is, we have in both cases not heeded the lessons we have war-gamed. The contingency plans we have developed all too often simply sit in a binder on a shelf, and even when they are needed, they are not referenced. In a crisis situation, we end up re-inventing the crisis response during the crisis. To some extent this is inevitable—every scenario is different and plans for one type of crisis may not be fully applicable to another, but we should heed the plans.
We Stopped Dedicating Resources
In the public health/pandemic preparedness planning mode, we knew (generally) what resources we would need in the event of a global pandemic. We knew we would need PPE, respirators and ventilators, as well as trained staff. We knew we would need the ability to expand hospital and ICU capabilities rapidly, at a time when supply chains would be stretched and tested. We simply stopped dedicating resources to this effort and focused (understandably) on more immediate needs. The same is true for cybersecurity. We may have mapped out critical vulnerabilities and dependencies, but our disaster recovery and business continuity plans tend to focus on the short-term and the most likely scenarios—not the most devastating and impactful ones. There’s a sense in both scenarios that when the “Big One” comes, someone else (e.g., the government—some government) will take care of it.
We Lack Coordination
In the event of a massively impactful cyberattack, it will be important to be able to coordinate responses. If the attack is a computer virus, worm or other malware, it will need to be isolated, analyzed and remediated, hopefully in a coordinated manner. In the early days of such viruses and worms (e.g., the 1988 Morris worm) we had no effective way of communicating about such malware. Things have gotten better—and worse. For the better, we have organizations dedicated to coordinating responses: US-CERT, CMU, ISACs, DHS, IC3 and others. For the worse, we have organizations dedicated to coordinating responses—thousands of them: private companies that collect and disseminate threat information, and federal agencies including law enforcement, defense, intelligence, civilian and others, that do the same thing. Not to mention sectoral Information Sharing and Analysis Centers, managed security services, anti-malware companies, cloud providers, software providers and even standards setters. What we don’t have is “one ring to rule them all, and in the darkness bind them.”
Also for worse, we are much more dependent on the proper operation of the infrastructure (which is vulnerable to attack) as part of the response to the attack. Most incident response plans rely on things such as e-mail chains and access to documents on networks or devices—the precise things that would not be accessible during a massive cyber incident. If you needed to contact a vendor or supplier, or figure out how to update a system, or install patches, or validate certificates, could you do that if you were not able to get online?
We Are Irrational When It Comes to ‘Risk’
In both the COVID and cyber arenas, humans are irrational when it comes to measuring, appreciating and mitigating risk. Part of it is the reptilian brain: fight or flight. As we have seen with the COVID-19 response, when we do a good job (e.g., social distancing, coordination, etc.) nothing happens (no disease spread, fewer deaths, fewer infections). Our natural response is to think that the efforts were wasted and the resources improperly allocated. The same is true with cybersecurity: conventional wisdom is that we should spend about 10% of our IT budget on “security”-related items. If we do a great job, it appears to the outside world that this money was “wasted” because “nothing” happened. We don’t know if the same “nothing” would have happened if we had not spent the money. We also don’t know if we need to spend more money next year to ensure that the same nothing will continue to happen. Thus, we respond mostly when “something” happens. A pandemic or a data breach: that gets our attention. And then we spend time and resources to prevent the exact same kind of pandemic or breach rather than taking a step back and figuring out what is most likely to be impactful. Fear of this incident drives our spending and resource allocation. If we have a reportable data breach involving credit card data, we naturally strengthen our PCI-DSS protection and responses; but in doing so, we may ignore our ransomware protection or data classification. We favor the immediate over the long-term, the public over the covert, the sexy over the mundane. We are impulse-driven rather than metrics-driven. We can’t help it. We’re only human—well, partly: partly reptilian.
So, knowing this, what can and should we be doing differently in the area of cyber-risk reduction? A lot. From a corporate standpoint, we can expect resources to be strained. Many companies will be struggling just to get back on their feet and there may be an impulse to cut back on information security and other things that “add to the bottom line.” Resist this impulse. What we saw during the COVID pandemic is that cyber-resilience (and security) are critical to continued operations. Don’t skimp on it. It’s not a cost. It’s a feature. Recognize that when nothing happens, that’s a good thing. Take credit for that. Pat yourself on the back. Make sure that more nothing happens. Re-evaluate your incident response and disaster recovery plans in light of new information and don’t let them sit on the shelf. Make it part of your daily life. In Japan, earthquake drills are part of everyday life. Do that for cybersecurity.
And know what’s important. Map out dependencies, and have a list (on paper) of critical people to contact. For example, once a year I take everything out of my wallet, make copies of those things with a copy machine and tape them to a secret location. If I lose my wallet, I have to call the credit card company and give them the number and CVV of the lost card—information available mostly on the card itself, the very thing that is lost. The copy gives me ready access to the phone number and card number.
Finally, understand that our responses to risk are irrational, and try (mostly unsuccessfully) to measure risk appropriately and dedicate resources appropriately. Which is a greater risk, the theft of thousands of historical credit card numbers that you might have to report publicly or the destruction of your supply chain? Which is most impactful? For which do you have a response plan? Resilience in cybersecurity, like resilience in a pandemic, allows you to survive and lessens the impact and duration of the crisis.
And for God’s sake, wash your hands!