A tiny little organism has shaken the world and our well-established systems in unexpected ways. It has altered everything we’re acquainted with.
Regardless of where the outbreak started and what the origin of COVID-19 is, this tiny virus, said to be 80 to 120 nm in diameter, seems to be smart, tenacious, quick to spread and somehow unpredictable. So far, it’s difficult to clearly outline what life will look like in the future.
Predicting the human body’s reaction after infection remains challenging. We haven’t got to the point yet where we fully understand how COVID-19 behaves. Every human immune system faces the virus differently, it doesn’t have an identical defence approach.
We all know that governments, public institutions, education centres and businesses have taken precautionary actions to control and limit the spread of the virus. Will anyone ever forget the draconian lockdowns in entire cities at the beginning of the health crisis, which are now becoming more localised confinements in certain neighborhoods?
To that, one can add restrictions on free movement, full or partial closing of schools, commercial areas, restaurants and bars, the use of masks—increasingly obligatory, the 1.5 to two metres distance, etc. We aren’t listing anything that you aren’t aware of or haven’t experienced.
In response to that, many companies shifted urgently to a remote work solution, fully digital, aiming at keeping the business running while staff was in confinement. Operational effectiveness was the focus, putting security somewhere on the lower part of the priority list. However, as weeks or even months have gone by, the cyber debate is resurfacing because of increased cyber threats.
In this article, we draw a parallel between cyber attacks and COVID-19, and the lessons people managing the crises that these trigger can learn.
About cyberattacks and viruses
Cyberattacks
Large-scale cyber attacks spread fast, in multiple countries or continents either simultaneously or following shortly upon each other.
In such cases, nations need to look inward to protect critical infrastructure and coordinate to stop it at different Internet boundaries. It challenges incident management and coordination mechanisms and, in most cases, government control is limited.
Despite the seriousness of these incidents, the solution is already available or will be available within due time in many cases. Detection and response work, but are costly. On the other hand, prevention is, in many cases, available as well.
Pandemic pathogens
A simple—or even simplistic—definition of a pandemic is an epidemic that spreads over multiple countries or continents.
As is the case with cyber attacks, nations are required to look inward to manage the crisis. In parallel, they need cross-border alignment to mitigate the spread. Pandemics challenge previously applied incident management and coordination mechanisms.
There is no immediate therapy, vaccines or medication available to treat the threat. Detection and response is at first the only working strategy.
How pandemic pathogens and cyber viruses behave similarly
Digital and human viruses don’t know about geopolitics, cultural backgrounds, language semantics, religious preferences or any other demographic characteristic. Multiplying themselves and creating havoc is the goal.
To fight them, international alignment and cooperation are required. That means putting transparency on statistics, and the sharing of research data and results on actions, to the front, so the world can get a sound solution as fast as possible.
Containment and patch work (updates, mask wearing, social distancing) are the only working solutions in the beginning. In both cases, direct costs of prevention are cheaper that the indirect costs of response.
Giving up privacy for health
The world is nervously searching for strategies to limit the further spread of COVID-19, the virus with a crown but without a throne, whose realm is the globe.
The world is talking about second and third infection waves, and we’re all worried about what autumn and winter—the flu seasons—may bring.
While we must keep options open, each and all of the strategies require vigilance and careful assessment. It’s important to consider all the implications and impacts of any chosen solution; we don’t need a sledgehammer to crack a nut after all.
Until now, the focus to face the pandemic has been on using soft techniques for prevention. As an irrefutable proof of that, gels, masks and social distancing are common nouns in our daily conversations.
Besides, governments and businesses are putting tremendous effort in the detection and tracing of infected (or potentially infected) individuals. In this type of detection technique, dedicated agents interview COVID-19 infected humans to track back any contact with other individuals. This is followed by establishing contact with the latter, potentially exposed to the virus too.
Whilst the need for tracing is undeniable, this technique can easily cross the thin and oftentimes fragile boundary of personal privacy and, to many, it’s intrusive. But there is more. The results it delivers are subjective or incomplete.
Just try to recall who you’ve met a week ago until today. The exercise is anything but easy.
Teaming up with technology for tracing effectiveness
Successful virus spread tracing requires technology; in turn, for that technology to work and help accomplish the goal, one needs people’s goodwill, the involvement of a large percentage of the population, to be precise.
In a society that values individuals’ privacy and aspires to a citizenship based on institutional trust, any tracing action appears to be difficult if not impossible, not to mention the interoperability required to support cross-border detection.
Although Europe, to the eyes of the rest of the world, might be seen as one community—and, in certain ways, it definitely is—each country has its own sovereign approach to these types of subjects.
The pandemic clearly made obvious the cultural differences around the world. In Italy, the outbreak showed how fast the virus can spread and how difficult it is to track patient zero. There was a tremendous number of infections in a very short time during the holiday season peak.
In many Asian countries, while they couldn’t stop the infections going up in big cities, they were able to contain them in closely monitored cities or regions.
Thinking figuratively, we monitor the gates or the otherwise named perimeter, in cybersecurity and related fields. See it like customs at an airport, a central point where everyone is subject to the same set of controls when passing through.
Let’s recall Italy and Asian countries once again. From the former we learnt that the set of controls of the central gateways wasn’t enough to identify patient zero, leading to an almost uncontrollable outbreak. Whereas in Asia, far more enforced controls on the individual led to a more effective containment of the outbreak.
Today, several western countries claim to have behavioural monitoring in the cyberworld, but it is not even close to what we see in some Asian countries. Needless to say, it isn’t because of technology but due to resistance, legal implications—privacy laws, for instance—or just because of the unwillingness of people to accept tracing-based measures.
What pandemic mitigation can learn from cybersecurity
Similarities in both events are a given, but there are some nuances to consider. First off, can we (re)use what we do in one field and make it work for another? Sure thing, but it requires a switch of mindset.
Let’s start with the goals. In both cases—the cyberattack and the pandemic events—the objective is to stop contamination and get the situation under control and eventually back to normal.
Even if governments count on the good faith of citizens, monitoring controls are equally required to detect any defiance to security measures. In cybersecurity, on the other hand, the focus is on prevention, with technical measures to detect anomalies if the protection is flawed.
A common denominator is that decision cycles must be short and fast and panic is a bad instigator. Another issue, especially when it comes to public scrutiny, is that the decisions might seem legitimate and necessary at the very moment they are taken, but wrong when looking back.
This should be accepted and be considered as lessons learnt. Not taking any decision is far worse than deciding the wrong thing and correcting afterwards.
| Cyber Crisis Incident Management | Health Crisis Incident Management |
|---|---|
| Experts submit actions to take; actions taken by mid/senior management | Experts advise country leadership team, actions decided by country leadership team. |
| Low level of communication noise, avoid press coverage and public statements | High volume of communication with a lot of noise, press coverage and public statements. |
| Focus on the damage done and root cause. | Focus on remediation and prevention. |
| Short term strategy to eradicate threat. | Long term strategy to eradicate threat. |
| Early communication is not required but has a positive influence on reputational damage and/or stock market price. | Early communication might cause panic unless clear guidance is provided from the beginning. |