Cybersecurity Lessons from the Pandemic: Plans, Exercises and Warnings

Like many others during this stay-at-home period, I have been sorting through old articles and reports, culling out those that are no longer of value. But, in the process, I came across a number of documents relevant to the current pandemic. One such document was “Scenario Update 3” of a pandemic flu exercise for the U.S. financial sector that has the title “FBIIC/FSSCC Pandemic Flu Exercise of 2007.” This component of the exercise covers weeks 7 through 10 of a simulated pandemic. In some respects, the assumptions used in the exercise were prescient, whereas others have proved to have been overly optimistic when compared to our actual experience with COVID-19. For example, a predicted spike in oil prices went the other way and the abandoning of public transit was much greater in reality than anticipated. However, the overall exercise provided greater awareness of what needed to be done in preparation.

Around the same time, a couple of reports on pandemic preparedness were issued by the U.S. General Accountability Office (GAO). The GAO is “… an independent, nonpartisan agency that works for Congress. Often called the “congressional watchdog,” GAO examines how taxpayer dollars are spent and provides Congress and federal agencies with objective, reliable information to help the government save money and work more efficiently.”

In August 2007, the GAO published report GAO-07-781 with the title “Influenza Pandemic: Further Efforts Are Needed to Ensure Clearer Federal Leadership Roles and an Effective National Strategy.” The GAO recommended that:

  1. DHS [Department of Homeland Security] and HHS [Department of Health and Human Services] develop rigorous testing, training, and exercises … to ensure that federal leadership roles and responsibilities are clearly defined, understood, and work effectively
  2. The HSC [Homeland Security Council] set a timeframe to update plans [National Strategy for Pandemic Influenza (2005) and Implementation Plan (2006)], involve key nonfederal stakeholders, and more fully address the characteristics of an effective national strategy

In March 2007, the GAO published report GAO-07-399 with the title “Financial Market Preparedness: Significant Progress Has Been Made, but Pandemic Planning and Other Challenges Remain.” The GAO recommended improvement of “… the readiness of the securities markets to withstand potential disease pandemics …” The financial services industry has run a series of exercises, hosted by SIFMA, covering a wide variety of catastrophic situations under the moniker Quantum Dawn.

There were a couple of pandemic exercises in 2019. One was “Crimson Contagion 2019,” which is described at Another was “Event 201,” hosted by Johns Hopkins Center for Health Security, which uncovered a “massive preparedness gap.” This is   described at

In 2009, I published a chapter, “Responsibilities and Liabilities with Respect to Catastrophes,” in the Handbook of Research on Social and Organizational Liabilities in Information Security, which wasedited by Manish Gupta and Raj Sharman (IGI Global). The chapter looked into security and privacy issues related to catastrophic events and suggested who should be responsible for preparing and executing catastrophe contingency plans, which (I noted) are vastly different from regular contingency plans.

So, where does that leave us with respect preparing for, and responding to, a possible cyberpandemic? The lack of preparation and ignoring of recommendations from disease pandemic exercises does not portend well for cyberspace—to say the very least. Most researchers look to major cyberattacks rather than an actual cyberpandemic, where cyberattacks emanate from intentional attacks by and on adversaries, whereas a cyberpandemic, by my definition, is a collapse of the Internet and telecommunications due to a natural event, accidental release of rogue software that takes out the entire Internet, or an unintended nuclear explosion destroying electronic circuits via electromagnetic pulse (EMP).

By the way, there is a new series on PBS (in the New York area) with the title “COBRA,” which is well worth seeing. It is set in the U.K. and the premise is that a major plasma cloud (a.k.a. natural EMP), which exploded from the sun, is heading towards Earth with the prospect of knocking out GPS and other satellites, and power grids. Already, in the first episode, we witness a plane crash due to loss of controls, and power failures spreading across London. Hints of consequent dystopian scenes and the ineptitude of politicians and their inability to deal with the catastrophe have been teased.

Perhaps we can learn from the COVID-19 pandemic and apply those lessons to cyberspace. The areas of impact are very different between the two. The COVID-19 pandemic has affected the state of public health, the capacity of hospitals, the availability of health workers, and bandwidth of vaccine researchers and manufacturers, and will have major ongoing economic impact, especially in the face-to-face service industries, such as travel, entertainment, and education. Greater economic impact has been averted because of the ability to work from home and communicate with others as well as government funding. It is virtually unthinkable to consider what dire straits we would be in if the Internet and other forms of telecommunications were rendered unavailable for extended periods of time. So where are our plans and strategies for such cyberpandemic eventualities? I don’t see any. It is extremely urgent that we start developing them as quickly as possible.

*** This is a Security Bloggers Network syndicated blog from authored by C. Warren Axelrod. Read the original post at: