The benefits of good personal hygiene, like washing your hands, have been taught to all of us since we were in kindergarten.
Over the past two decades, the cybersecurity industry has often proclaimed the benefits of good “cyberhygiene.” Borrowing ideas from doctor’s office posters and public health announcements, the information security community frequently offers helpful tips to protect ourselves online and tries to present security materials in ways that audiences will pay attention and take action.
From National Cyber Security Awareness Month (NCSAM) led by my friend Kelvin Coleman, executive director at the National Cyber Security Alliance (NCSA), at www.staysafe.org to public- and private-sector organization security awareness campaigns (like this one from Lear Corp.) to new telework training for staff working from home, most small, medium and large businesses are taking action to protect their data and staff in cyberspace.
In addition, global leaders talk about this ongoing pandemic as a “war against the virus.” As Queen Elizabeth II remembered Victory in Europe (VE) Day (from World War II) 75 years ago, she shared thoughts from that previous war: “Never give up, never despair — that was the message of VE Day. …” Acknowledging the impact on modern British life of the coronavirus pandemic, which has forced this year’s public commemorations to be cancelled, she also drew parallels between the UK’s wartime generation and their modern compatriots.
So what can the worldwide cybersecurity industry learn from what been happening with COVID-19 global pandemic efforts? How can success stories and problems translate in the cyberattack battles we face in the everyday world?
To answer these questions and several more, I turned to someone who has excelled in both of these worlds.
Dr. Wendy Ng is Experian’s DevSecOps security managing advisor, where she is a subject matter expert (SME) for the company’s global DevSecOps transformation initiative. Ng has honed her technical consulting skills through a number of industries, including aerospace, health care, financial services, telecommunications, transport logistics, and critical national infrastructure. Having started her career as a technical consultant at Cisco, she also worked at PwC and Deloitte.
She completed her doctoral studies at the University of Oxford and has contributed to the scientific community through peer-reviewed publications. She has been sharing her experience and expertise, addressing key challenges, in her blogs and public presentations since 2016.
I first met Ng several years ago, and we collaborate on several professional cybersecurity initiatives together. Her impressive background speaks for itself. I must admit that I was initially surprised that someone with a Ph.D. from Oxford in medical genetics decided to focus her career on cybersecurity; however, her perspectives are refreshing. As a cyber career advisor and mentor to Ng, I have benefited greatly from her perspectives and scientific insights. I am delighted to bring you this exclusive interview.
Interview Between Wendy Ng and Dan Lohrmann
Dan Lohrmann (DL): You have an amazing background in medical genetics and bioinformatics, what led you to move into the field of cybersecurity?
Wendy Ng (WN): I was fortunate to have studied in a high school which embraced STEM related subjects, including computer science. I was particularly interested in how powerful computers are at analyzing huge volumes of data and generating insights — a very useful analytics tool. I studied genetics at university, leading me to a doctorate in medical genetics. This sparked an interest in complex traits, which relies heavily on statistical analyses and machine learning techniques.
Before my journey into IT and security, I had actually spent time working with viruses in a biosafety level 3 laboratory within the John Radcliffe Hospital in Oxford. The extensive decontamination routine (which included hand-washing) induced a bout of severe eczema on my hands, which made laboratory-based aspects of research difficult. However, research which involves statistical and computational based analytics is highly transferable. In today’s information-driven world, where we are flooded with an often overwhelming amount of information, the ability to critically review and interpret is a good life skill. This also includes the ability to understand large volumes of technical, often incomplete information; being comfortable with novelty; and using logic and evidence at hand to determine the best course of action.
As luck will have it, I started my commercial career with Cisco, which provided a fantastic foundation for what lay ahead. In fact, it was at Cisco that I realized connectivity is a major path for security issues. Furthermore, given the number of connected devices, I expected big data analytics and machine learning methodologies will form a key part of organizations’ cybersecurity defense strategy in the future. These concepts, plus the analogies in behaviors of biological and electronic infections meant cybersecurity had a natural appeal.
DL: How is our current situation with the coronavirus similar to the challenges we have with cyberdefense and protecting enterprises from cyberattacks?
WN: There are many parallels between the current pandemic and cybersecurity. Twenty years ago, if an organization had Internet connectivity, antivirus software and firewalls would provide adequate service. You were unlikely to require a plethora of modern analytics tools, including Intrusion Detection Systems, Intrusion Prevention Systems, Web Application Firewalls, and machine learning algorithms to detect unauthorized activities. The tens of billions of connected devices (a number which is growing exponentially) has resulted in proportional increase in the attack surface, as well as greater opportunities for infection.
Modern networked systems require significant cybersecurity investment — electronic health care, if you will — to protect assets from infections and attacks. In addition to active “real-time” protection, targeted training for individuals, and many organizations have ramped up their readiness for responses to cyberbreaches and attacks. These will include operational resilience and the use of backup facilities, as well as simulated cyberattacks or data breaches, so that responses can be refined and choreographed through playbooks. As the human population grows and connectivity increases, it could be time to take a page out of cybersecurity guidebooks in order to prepare for future pandemics.
DL: What unique cybersecurity challenges do you see emerging from the global pandemic?
WN: To keep employees safe, many organizations are mandating working from home, which is absolutely the right thing to do. However, that means employees are accessing systems through home networks, which are often less secure than corporate networks.
There have also been numerous reports of phishing attacks with COVID-19 themes. Phishing and spearphishing attempts are most effective when targets have an expectation of receiving information of interest. At the moment, there is nothing more topical than COVID-19, nor is there a more captive audience. In the biggest pandemic for 100 years, citizens are primed to receive (and conditioned to act on) information sent from multiple outlets, including central government, local councils, health-care providers, work and social communities. Scammers are constantly using our concerns, anxieties and desires against us.
DL: What (positive and negative) lessons can white hat hackers and other cybersecurity professionals learn from the medical community and how the world is addressing COVID-19?
WN: The COVID-19 pandemic revealed large variations in the national strategies deployed to control and mitigate the effects. We are all learning about the new virus and its effects, including how contagious it is, and why certain regions and perhaps populations (even when located within the same country) experience such different outcomes. There is no perfect information, and we shouldn’t expect it, especially for a new pathogen. Everyone is constantly consuming and reacting to new data, however, we have to act with the best intentions in mind. What the pandemic shows is that bold and fast reactions have yielded the best outcomes, which is consistent with past experiences of infectious disease control. No man or woman is an island. A collaborative approach in the past helped us to identify therapeutics and vaccines for disease outbreaks, and we should do the same for COVID-19.
I have always been a huge proponent of collaboration. This is perhaps one of the traits I’ve ported over from academia. Part of the reason that I’ve been consistently blogging in the last few years is to share knowledge and experience with the industry. Years of cyberattacks and data breaches suggest attackers have been extremely successful. Could it be a coincidence that they are also highly collaborative?
Attackers, or black hats, do have the advantage that they only need to be successful once, whereas large enterprises have to protect themselves constantly against sophisticated attacks. However, comparatively, black hats are more receptive to collaborative relationships with other attackers, from methodology to data share than white hats. Similarly, we achieved better outcomes through responsive interventions which leveraged local data, as well as the world’s collective knowledge and experience. Perhaps white hats need to take notes!
DL: How do you think the technology world will change over the next few years as a result of the pandemic? Can we learn anything from previous pandemics or health emergencies?
WN: The pandemic is having profound, tragic consequences on people’s lives and the global economy. However, as Louis Pasteur said, “Fortune favors the prepared mind.” Past pandemics and health emergencies showed preparedness is critical. Whilst data will still need to be analyzed, the initial picture is that locations with better readiness had significantly better health outcomes.
We’ve seen a similar narrative for organizations, many of whom had to react quickly to the pandemic, often relying on technical solutions. Organizations that are experienced in — and comfortable with — technological solutions were able to realign their operations relatively easily. The speed at which this occurred (despite severe restrictions on our movements and physical interactions) demonstrated how embedded technology is already in our daily life. We are more prepared than at any time in history for the scenario we find ourselves in.
Unprecedented and disruptive events often act as catalysts for change. Technology is playing a central role in mitigating some of the effects of the current pandemic. Organizations which already had good technical foundations had more favorable reactions. The majority of organizations exponentially increased their reliance on technology and invested more. With these investments — and as the world adapt to the “new normal” — the pandemic is likely to bring about long-term behavioral change and force a revaluation of traditionally accepted ways of working.
DL: Is there anything else you’d like to add?
WN: We are sociable creatures, and the desire to interact with others is natural. Humans are always in the company of microbes, so we are not alone in these interactions. Fortunately, our immune systems provide fantastic protection, however it will not be successful at every occasion. This is not the first pandemic in history, and it will not be the last. However, humans are resourceful and ingenious. We will always be stronger when we work together.
DL: I want to thank Dr. Ng for sharing her thoughts with us on this important global topic.
There have been several others who have recently offered lessons learned for cybersecurity from the coronavirus. Some of these include:
- Security Round Table: Cybersecurity Lessons From the Covid-19 Pandemic
- Dark Reading: 4 Cybersecurity Lessons From the Pandemic
- Lifars: 7 Cybersecurity Lessons We learned From the Covid-19 Outbreak
And yet, I want to reiterate Ng’s final point that we must learn from history, because this will not be our last pandemic. And there may still be a second wave coming with COVID-19, and we will be stronger when we work together. The same is true for cybersecurity collaborative efforts.