|By Larry Clinton
I’m not saying cybersecurity and the coronavirus are exactly the same. The defining characteristic of the cyber threat is that we have conscious and deliberate actor’s carefully crafting attacks. The coronavirus has no conscience, no plan. At the same time, notwithstanding differences, these domains are both attacks on our cultures, and when you think about it, the number of similarities in the two worldwide crises is pretty striking.
Maybe we can learn lessons from one that might help us address the other because one of the biggest similarities is that, while we all hope we are about to turn the corner, the reality is that so far, we seem to be on the losing end of both fights.
Here is a quick list of some of the similarities:
1. These are both novel problems. A majority of the current population are digital immigrants who weren’t born into the digital age they currently live in. Ironically this includes most of the individuals charged with managing the 21st century digital transformation, including cybersecurity. One of the quite understandable reasons why we have not managed the security problem particularly well is that this whole thing has come upon us so quickly and so easily that we were unprepared. Similarly, COVID-19 is often referred to clinically as a “novel” virus. We have had viruses forever, but this one and its jump to the human population has happened suddenly, and we were generally ill-prepared to address its uniqueness including not having a standard testing procedure or a vaccine to cure affected individuals.
2. We are all vulnerable. Americans are no more immune to the virus attacks than are Chinese, or Italians, or men vs women, etc. If you are part of society, you are vulnerable to this fast-spreading disease which can cause very serious harm. We are all in this together. It’s basically the same with cyber. The Internet is vulnerable. It was built as an open system meaning it’s inherently vulnerable and actually becoming more vulnerable all the time. if you are part of digital society and use the Internet you are vulnerable to potentially serious attack. We are all in this together.
3. Basic hygiene is a very effective defensive strategy. If you are interacting with anyone and want protection from the virus probably the best thing you can do is simply wash your hands constantly. Of course, in the real-world handwashing is a necessary but not sufficient defense. There was an interesting article in the Washington Post last week about the special challenges to dating created by the virus. Apparently, some dates go beyond holding hands. We will let the imagination wander at this point. Similarly, basic cyber hygiene, i.e., following well-established basic security protocols, can protect a system from the majority of attacks and serve as the foundation for more sophisticated defense. As with the virus, however, cyber hygiene is insufficient to protect against more sophisticated attacks.
4. We have largely moved beyond perimeter security. Maybe at one point a containment strategy against the virus might have proved sufficient, but at this stage we need to do much more than defend our borders (although that is a good thing). The borders have been compromised and there is no going back. We now need to add in a mitigation strategy, which will be more complicated. The history of the Internet is similar. Maybe once upon a time if we had stepped in and said “hey, let’s not use this open internet and we will create one with security borders,” it might have worked, but no more. Modern cyber-attacks compromise virtually all perimeter defense and so a risk-management strategy recognizing the reality of compromise is what we have to turn our attention to, just like with the virus.
5. Both are multi-dimensional issues. Depending on which network you watch, you will be told that the virus problem really needs to be addressed economically. Others will say no, it’s a medical problem. Obviously, it’s both. And not only that, but the aspects are interconnected and synergistic – in a bad way. The medical issues will cause economic issues which will exacerbate the health issues and likely cause societal issues etc., etc., etc. The same is true in the cybersecurity world. Whereas cyber was originally thought of as an “IT” issue. We are increasingly learning its actually much broader. It’s an enterprise-wide risk management issue with economic, social, government, and governance components. Unfortunately, neither of these problems are as simple as we wish they were and will require complicated coordinated action, which we largely have not yet engaged.
6. We don’t have enough resources. One of the great ironies of cybersecurity is that despite the fact that we have known about our insecurity for more than 2 decades, we have not built up a workforce or designed adequate materials to address the problem. The problem is exacerbated by the fact that we waste much of our resources with an uncoordinated government response. As much as 40 percent of cybersecurity resources are wasted with largely redundant compliance requirements. The analogy to the coronavirus experience is very similar. Not only do we lack enough tests to properly assess the situation, we lack the trained personnel to use what we do have. In addition, if, as expected, the number of serious cases increase on current trajectory we won’t have enough hospital beds, ventilators, respirators, personnel, and even masks and gowns for the specialists, we do have to effectively use the materials that are available.
7. Government has been too slow to truly work with the private sector. The United States and South Korea announced their first coronavirus case on the same day. The South Koreans have tested 10,000 people a day. The U.S. does less than 1 percent of that. Yesterday, seven weeks into the crisis, Dr. Fauci said that this coming week we will see a major escalation in testing. That will happen “once we get the private industry involved.” That’s seven weeks after the virus hit our shores – and in a situation like this, every day counts. Ironically, it is largely the private sector that has led the way in terms of voluntarily shutting down and enforcing community separation in the workplace. On cybersecurity, in addition to the government-caused waste discussed above, government has failed to sincerely engage with the private sector. Many aspects of government (and still in Europe) have mostly focused on blaming companies for being hacked – while not demonstrating notably better security on their own non-military systems. And despite rhetoric about partnerships, government has engaged with the private sector largely just around one operational tactic, information sharing — in models that virtually everyone says don’t really work while doing virtually nothing to adjust the underlying economics of the cyber threat. This is puzzling because on both issues we hear the” we are in this together” rhetoric. One speculation is many in government don’t really understand leadership, mistaking leadership for “being in charge.” Great leaders have always known that leadership is finding the resources/people who can best assist you in achieving your goals and engaging them in common cause. On both these issues, government has been slow to truly engage in a true leadership model.
8. Both are international problems. Some initial reports on the coronavirus labeled it a Chinese disease or a foreign disease. Aside from that inaccurate label we have been resistant to leverage international knowledge and assistance. The World Health Organization had a test we could have used months ago so that by now we would at least have a clear assessment of the degree and location of the problem. Even looking at this from an economic perspective, while immediate aid needs to go to disadvantaged American workers, the longer-term economics, given the immense interconnection of our economies, may require a U.S. supported international effort similar to the Marshall Fund after World War II. Cybercrime is an international business generating possibly trillions of dollars a year. Yet problems in terms of international law make it exceedingly difficult to successfully prosecute cyber criminals — we successfully prosecute perhaps 1 percent of cyber criminals. Both issues would be far better dealt with in a truly international model.
9. We didn’t move fast enough. As in the case with both cyber threats and the coronavirus, experts and policy makers knew what we all know now well ahead of general public consciousness. Yet due to an inability to understand the threat, or a fear of public reaction or just the wishful thinking that there would be some magical medical or technological fix, our initial response was more inaction than action. In fact, we have been dismantling the apparatus we previously had in place. We used to have a cybersecurity coordinator/“czar” in the White House. That position was eliminated a few years ago. We used to have a pandemic threat team at the White House that too was disbanded. The delays have been tremendously costly in multiple ways. It may be hard to realize the extent of, and implications of, delayed action because now virtually every aspect of government now wants to be the cyber cop, and we are in a state of 24/7 coronavirus awareness. But we could have been in a much better readiness state, had our experts and policy makers done contingency planning and been more forthright with themselves and the rest of us.
10. We didn’t – still aren’t – investing enough. According to the World Economic Forum cybercrime cost us about $2 trillion last year – growing to $8 trillion in a few years. DHS’ cyber budget to protect all civilian agencies and the private sector is about $1 billion. Fox News reported Sunday that largely due to coronavirus the stock market has lost $8 trillion in value (how’s that for symmetry?) – not to mention the enormous additional downstream costs in jobs, salaries, retirement plans, etc. The total CDC budget is about $1 billion, and the Administration’s pending budget proposal calls for that budget to be cut further. These ratios have been largely the same across administrations. Even in light of the impacts of the current cyber and public health attacks, while we may see some (quite possibly short-term) spending increases they will likely be incremental and leave us still massively underfunded to deal with the systemic risks we face in both domains. Perhaps more importantly the entire paradigm of the digital economy, and its dark underside of insecurity, needs to be recalibrated. A similar rethinking of the economic superstructure to address the impact of environmental/health threats may also be required.
One thing both cyber and coronavirus are may be telling us is that we live in a different world and need to think and structure differently to adapt to it. Are we really listening?