Without belaboring the point, there are many similarities between the COVID-19 pandemic and cybersecurity. We can take lessons from the response to the COVID pandemic and apply them to cybersecurity.
1. We Know It Is Coming
For decades, public health planners have been warning that there would be a novel (no-immunity) disease that would spread across the globe and cause damage and destruction. The same is true for cybersecurity professionals. Whether it is warnings about potential zero-day attacks, a cyber “Pearl Harbor,” massive cyber warfare, cyber-terrorism or similar attack, we know that we are vulnerable, and we have (to some extent) mapped out the most likely scenarios and defenses to them.
2. We Planned For This
In both biological and cyber terms, we have contingency plans. We have tabletopped, war-gamed, red-teamed, and mapped each likely scenario, the critical dependencies, the probable responses, etc. We have done this on a national level, on a state level, and to a greater or lesser extent, on a corporate preparedness level. The problem is, we have not heeded the lessons we have war-gamed. The contingency plans we have developed all too often sit in a binder on a shelf, and even when they are needed, they are not referenced. In a crisis situation, we end up re-inventing the crisis response. To some extent this is inevitable – every scenario is different, and plans for one type of crisis may not be fully applicable to another – but we should heed the plans.
3. We Stopped Dedicating Resources
In the public health/pandemic preparedness planning mode, we knew we would need PPE, respirators and ventilators, and trained staff. We knew we would need the ability to rapidly expand hospital and ICU capabilities during a time that supply chains would be stretched and tested. We simply stopped dedicating resources to this effort and focused (understandably) on more immediate needs. The same is true for cybersecurity. We may have mapped out critical vulnerabilities and dependencies, but our disaster recovery and business continuity plans tend to focus on the short term and the most likely scenarios, not the most devastating and impactful ones. There’s a sense in both scenarios that when “the big one” comes, someone else (e.g., the government — some government) will take care of it.
4. We Lack Coordination
In the event of a massively impactful cyber-attack, it will be important to be able to coordinate responses. If the attack is a computer virus, worm, or other malware, it will need to be isolated, analyzed and remediated – hopefully in a coordinated manner. In the early days of such viruses and worms (e.g., the 1988 Morris worm) we had no effective way of communicating about such malware; the CERT Coordination Center at CMU was created in the aftermath of that worm for exactly this reason. Things have gotten better, and worse. For the better, we have organizations dedicated to coordinating responses: US-CERT, CMU, ISACs, DHS, IC3 and others. For the worse, we have organizations dedicated to coordinating responses. Thousands of them. Private companies that collect and disseminate threat information. Federal agencies including law enforcement, defense, intelligence, civilian and others that do the same thing. Sectoral Information Sharing and Analysis Centers. Managed security services. Anti-malware companies. Cloud providers. Software providers. Standards setters. What we don’t have is “one ring to rule them all, and in the darkness bind them.” Also worse, we are much more dependent on the proper operation of the infrastructure (which is itself vulnerable to attack) as part of the response to the attack. Most incident response plans rely on things like e-mail chains and access to documents on networks or devices – the exact things that may be unavailable during a massive cyber incident. If you needed to contact a vendor or supplier, figure out how to update a system, install patches, or validate certificates, could you do that if you were not able to get online? If the answer is no, the plan needs an out-of-band channel (phone numbers, not just e-mail addresses) and offline copies of its critical contacts and procedures.
5. We Are Irrational When It Comes to “Risk”
In both the COVID and cyber arenas, humans are irrational when it comes to measuring, appreciating and mitigating risk. Part of it is the reptilian brain: fight or flight. As we have seen with the COVID response, when we do a good job (e.g., social distancing, coordination, etc.) nothing happens (no disease spread, fewer deaths, fewer infections). Our natural response is to think that the efforts were wasted and the resources improperly allocated. The same is true with cybersecurity. A common rule of thumb is that we should spend about 10% of our IT budget on “security” related items. If we do a great job, it appears to the outside world that this money was “wasted” because “nothing” happened. We don’t know if the same “nothing” would have happened if we had not spent the money. We also don’t know if we need to spend more money next year to ensure that the same nothing will continue to happen. Thus, we respond mostly when “something” happens. A pandemic or a data breach. That gets our attention. And then we spend time and resources to prevent the exact kind of pandemic or breach we just suffered, rather than taking a step back and figuring out what is most likely to be impactful. Fear of that incident drives our spending and resource allocation. If we have a reportable data breach involving credit card data, we naturally strengthen our PCI DSS controls and responses. However, in doing so, we may ignore our ransomware protection or data classification. We favor the immediate over the long-term, the public over the covert, the sexy over the mundane. We are impulse driven rather than metrics driven. We can’t help it. We’re only human – well – partly reptilian.
So, knowing this, what can and should we be doing differently in the area of cyber-risk reduction? A lot. From a corporate standpoint, we can expect resources to be strained. Many companies will be struggling just to get back on their feet, and there may be an impulse to cut back on things like information security which “don’t add to the bottom line.” Resist this impulse. What we saw during the COVID pandemic is that cyber-resilience and security are critical to continued operations. Don’t skimp on it. It’s NOT a cost. It’s a feature. Recognize that when nothing happens, that’s a good thing. Take credit for that. Pat yourself on the back. Make sure that MORE nothing happens. Reevaluate your incident response and disaster recovery plans in light of new information, and don’t let them sit on the shelf. Make it part of your daily life. In Japan, earthquake drills are part of everyday life. Do that for cybersecurity. And know what’s important. Map out dependencies. And have a list (on paper) of critical people to contact. For example, once a year I take everything out of my wallet, copy it with a copy machine, and tape the copy in a secret location. If I lose my wallet, I have to call the credit card company and give them the number and CVV of the lost card – information printed mostly on the card itself, the very thing that is lost. The copy gives me ready access to the phone number and card number. Finally, understand that our responses to risk are irrational, and try (mostly unsuccessfully) to measure risk appropriately and dedicate resources appropriately. Which is a greater risk – the theft of thousands of historical credit card numbers which you might have to report publicly, or the destruction of your supply chain? Which is most impactful? For which do you have a response plan? Resilience in cybersecurity, like resilience in a pandemic, allows you to survive and lessens the impact and duration of the crisis. And for God’s sake, wash your hands!
If you have any questions about cybersecurity and how to prepare for a cybersecurity crisis, feel free to contact Mark Rasch at mdr@kjk.com or 301.547.6925, Brett Krantz at bk@kjk.com or 216.736.7238 or any of our Cybersecurity professionals.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.