A reflection on pandemic mitigation and cybersecurity

A tiny little organism has shaken the world and our well-established systems in unexpected ways. It has altered everything we’re acquainted with. 

Regardless of where the outbreak started and what the origin of COVID-19 is, this tiny virus, said to be 80 to 120 nm in diameter, seems to be smart, tenacious, quick to spread and somehow unpredictable. So far, it’s difficult to clearly outline what life will look like in the future. 

Predicting the human body’s reaction after infection remains challenging. We haven’t got to the point yet where we fully understand how COVID-19 behaves. Every human immune system faces the virus differently, it doesn’t have an identical defence approach.

We all know that governments, public institutions, education centres and businesses have taken precautionary actions to control and limit the spread of the virus. Will anyone ever forget the draconian lockdowns in entire cities at the beginning of the health crisis, which are now becoming more localised confinements in certain neighborhoods? 

To that, one can add restrictions on free movement, full or partial closing of schools, commercial areas, restaurants and bars, the use of masksincreasingly obligatory, the 1.5 to two metres distance, etc. We aren’t listing anything that you aren’t aware of or haven’t experienced.

In response to that, many companies shifted urgently to a remote work solution, fully digital, aiming at keeping the business running while staff was in confinement. Operational effectiveness was the focus, putting security somewhere on the lower part of the priority list. However, as weeks or even months have gone by, the cyber debate is resurfacing because of increased cyber threats.

In this article, we draw a parallel between cyber attacks and COVID-19, and the lessons people managing the crises that these trigger can learn.

About cyberattacks and viruses
Cyberattacks

Large-scale cyber attacks spread fast, in multiple countries or continents either simultaneously or following shortly upon each other.

In such cases, nations need to look inward to protect critical infrastructure and coordinate to stop it at different Internet boundaries. It challenges incident management and coordination mechanisms and, in most cases, government control is limited.

Despite the seriousness of these incidents, the solution is already available or will be available within due time in many cases. Detection and response work, but are costly. On the other hand, prevention is, in many cases, available as well.

Pandemic pathogens

A simpleor even simplisticdefinition of a pandemic is an epidemic that spreads over multiple countries or continents

As is the case with cyber attacks, nations are required to look inward to manage the crisis. In parallel, they need cross-border alignment to mitigate the spread. Pandemics challenge previously applied incident management and coordination mechanisms.

There is no immediate therapy, vaccines or medication available to treat the threat. Detection and response is at first the only working strategy.

How pandemic pathogens and cyber viruses behave similarly

Digital and human viruses don’t know about geopolitics, cultural backgrounds, language semantics, religious preferences or any other demographic characteristic. Multiplying themselves and creating havoc is the goal.

To fight them, international alignment and cooperation are required. That means putting transparency on statistics, and the sharing of research data and results on actions, to the front, so the world can get a sound solution as fast as possible.

Containment and patch work (updates, mask wearing, social distancing) are the only working solutions in the beginning. In both cases, direct costs of prevention are cheaper that the indirect costs of response.

Giving up privacy for health

The world is nervously searching for strategies to limit the further spread of COVID-19, the virus with a crown but without a throne, whose realm is the globe. 

The world is talking about second and third infection waves, and we’re all worried about what autumn and winterthe flu seasonsmay bring. 

While we must keep options open, each and all of the strategies require vigilance and careful assessment. It’s important to consider all the implications and impacts of any chosen solution; we don’t need a sledgehammer to crack a nut after all. 

Until now, the focus to face the pandemic has been on using soft techniques for prevention. As an irrefutable proof of that, gels, masks and social distancing are common nouns in our daily conversations. 

Besides, governments and businesses are putting tremendous effort in the detection and tracing of infected (or potentially infected) individuals. In this type of detection technique, dedicated agents interview COVID-19 infected humans to track back any contact with other individuals. This is followed by establishing contact with the latter, potentially exposed to the virus too. 

Whilst the need for tracing is undeniable, this technique can easily cross the thin and oftentimes fragile boundary of personal privacy and, to many, it’s intrusive. But there is more. The results it delivers are subjective or incomplete. 

Just try to recall who you’ve met a week ago until today. The exercise is anything but easy. 

Teaming up with technology for tracing effectiveness

Successful virus spread tracing requires technology; in turn, for that technology to work and help accomplish the goal, one needs people’s goodwill, the involvement of a large percentage of the population, to be precise.

In a society that values individuals’ privacy and aspires to a citizenship based on institutional trust, any tracing action appears to be difficult if not impossible, not to mention the interoperability required to support cross-border detection. 

Although Europe, to the eyes of the rest of the world, might be seen as one communityand, in certain ways, it definitely iseach country has its own sovereign approach to these types of subjects. 

The pandemic clearly made obvious the cultural differences around the world. In Italy, the outbreak showed how fast the virus can spread and how difficult it is to track patient zero. There was a tremendous number of infections in a very short time during the holiday season peak. 

In many Asian countries, while they couldn’t stop the infections going up in big cities, they were able to contain them in closely monitored cities or regions.

Thinking figuratively, we monitor the gates or the otherwise named perimeter, in cybersecurity and related fields. See it like customs at an airport, a central point where everyone is subject to the same set of controls when passing through. 

Let’s recall Italy and Asian countries once again. From the former we learnt that the set of controls of the central gateways wasn’t enough to identify patient zero, leading to an almost uncontrollable outbreak. Whereas in Asia, far more enforced controls on the individual led to a more effective containment of the outbreak.

Today, several western countries claim to have behavioural monitoring in the cyberworld, but it is not even close to what we see in some Asian countries. Needless to say, it isn’t because of technology but due to resistance, legal implicationsprivacy laws, for instanceor just because of the unwillingness of people to accept tracing-based measures.

What pandemic mitigation can learn from cybersecurity 

Similarities in both events are a given, but there are some nuances to consider. First off, can we (re)use what we do in one field and make it work for another? Sure thing, but it requires a switch of mindset. 

Let’s start with the goals. In both casesthe cyberattack and the pandemic eventsthe objective is to stop contamination and get the situation under control and eventually back to normal. 

Even if governments count on the good faith of citizens, monitoring controls are equally required to detect any defiance to security measures. In cybersecurity, on the other hand, the focus is on prevention, with technical measures to detect anomalies if the protection is flawed. 

A common denominator is that decision cycles must be short and fast and panic is a bad instigator. Another issue, especially when it comes to public scrutiny, is that the decisions might seem legitimate and necessary at the very moment they are taken, but wrong when looking back. 

This should be accepted and be considered as lessons learnt. Not taking any decision is far worse than deciding the wrong thing and correcting afterwards.

Cyber Crisis Incident Management Health Crisis Incident Management
Experts submit actions to take; actions taken by mid/senior management

Experts advise country leadership team, actions decided by country leadership team.
Low level of communication noise, avoid press coverage and public statements

High volume of communication with a lot of noise, press coverage and public statements.
Focus on the damage done and root cause.

Focus on remediation and prevention.
Short term strategy to eradicate threat.

Long term strategy to eradicate threat.
Early communication is not required but has a positive influence on reputational damage and/or stock market price.

Early communication might cause panic unless clear guidance is provided from the beginning.
Final thoughts 

Many organisations feel confident about their security posture, either because they’ve outsourced quite a bit, or because they don’t get the numbers right or the reporting is just wrong. 

Whatever the reason, cybersecurity and information security are not constant— in fact, the only constant they have is constant change.  Risk and risk scenarios might not change that often, but the defence mechanisms required to mitigate the risks often do, as does the exposure factor. 

Working from home on cloud services is different from working from an office where data can only be accessed via a terminal in that geofenced office. Our current way of working—a hybrid between home-based work and office work—requires technical, organisational and, perhaps most importantly, psychological adaptation. Many among us have already navigated a number of these changes. 

However, there is still a need for a full redesign of an organisation’s enterprise architecture, taking into account the weakened state of cybersecurity, especially in the current pandemic context. 

Now that we’re opening Pandora’s box – at least this is how some see cloud computing – we need to be vigilant. Data goes through different gates and resides perhaps not where we expect it to. 

People work from different locations, making them prone to other types of attacks we didn’t expect. Today, it’s time to seize the opportunity to create a culture that will embrace change; one that allows an organisation to quickly adapt to changes in technology or even world events. 

What we don’t need anymore is ad-hoc or reactive-based strategy, but rather to embed the culture of change as a strategic component of an organisation.  Important side note, change is good, adoption is better, but willingness to change is best. 

What we think
Koen Maris, Director and Cybersecurity Leader at PwC Luxembourg
Koen Maris, Director and Cybersecurity Leader at PwC Luxembourg

Now that we’re opening Pandora’s box – at least this is how some see cloud computing – we need to be vigilant […] People work from different locations, making them prone to other types of attacks we didn’t expect. To me, perhaps the next step required in our awareness programmes of any kind is to create and encourage the willingness to change and adapt. This will make you and your employees aware of the existing issues, cybersecurity-related or not, and the ones to come.

Leave a Reply

Your email address will not be published. Required fields are marked *