If we had developed and properly funded systems resilient for pandemic response over the past decade, then 2020 might have unfolded very differently.
Now… what do these musings have to do with cybersecurity? There are several useful parallels between public health and infosec. It's easy to find shared vocabulary — virus, infection, hygiene, prevention — but the more interesting similarities are a bit deeper. In particular, the most resilient public health and infosec institutions tend to make three similar assumptions.
1. Prevention and Detection Inevitably Fail
As much as we'd like to believe that a healthy diet, regular exercise, and good hygiene will keep us from getting sick, we know that isn't true. Prevention is important, and we can't abandon good habits, but it's not enough. If our public health system depended only on prevention as a strategy, it would offer nothing to people who get sick despite their good habits. The same is true in infosec. Prevention (patching, asset management, and the rest of the basic blocking and tackling) is necessary but not sufficient: a fully patched fleet still has users who click, credentials that leak, and vulnerabilities nobody has found yet.
When prevention fails in public health, we turn to detection. Consider the abundance of lab tests available for identifying common and rare diseases. Or the dazzling range of imaging technologies doctors use to distinguish between a stress headache, a migraine, and a brain tumor. Technology for diagnosis and detection has evolved dramatically in our lifetimes, but even detection as a strategy is not always enough. Sometimes a rare but serious disease frustrates all attempts at prevention and detection, or — as happened last year — a new pathogen emerges and leaves a huge imprint on our history.
In cybersecurity, the most stealthy and sophisticated attacks are carefully engineered, not by nature but by humans, to evade existing systems for prevention and detection. The motivation might be criminal or it might be political. But the impact is not all that different from a new, threatening pathogen like COVID-19. In both cases, defenses built from what has been seen before (signatures, blocklists, the last outbreak's playbook) don't match the new thing, and we confront the limits of prevention and detection as strategies.
2. High-Quality Data is Foundational
So, what do we do when prevention and detection fail? In public health, we turn to the machinery of science: data collection, structured experiments, trials of proposed solutions, and analysis of efficacy. In infosec, the most mature organizations staff investigation and research teams that follow many of the same structured procedures. They collect data, analyze it, work out the mechanism of a novel attack, and build and deploy mitigations. Two ingredients are vital in both contexts, human ingenuity and high-quality evidence, and both are required when the attack is new and subtle; no amount of analyst skill recovers a packet capture or process log that was never taken. The cat-and-mouse loop of novel attack leading to novel defense also connects the worlds of public health and security operations. In each context, the best institutions focus on process, data, and the capability to adapt.
3. Continuous Monitoring and Adaptation are Essential
If prevention and detection fail and high-quality data is essential in adapting to novel attacks, then it stands to reason that mature organizations need a strategy for continuous monitoring and data collection. It's impossible to predict when a deadly mutation or a debilitating piece of malware will strike, and once it has, it's too late to start collecting evidence: logs that were never retained and baselines that were never established cannot be recovered after the fact. That's why it's important to start collecting evidence today.
Some of the most advanced cybersecurity teams in the world have adopted this data-centric approach, built on ongoing evidence collection. In most cases, an organization needs only a few sources of evidence: data from networks (for breadth, since every device that talks on the wire is visible whether or not it runs an agent), data from computer systems (for depth, tying a connection to the process, user, and file behind it), and data from intelligence sources (for context, telling you what an observed indicator is already known to be). The value comes from joining them: a network flow alone says a host talked to an address, host telemetry says which process did it, and intelligence says whether that address matters.
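As an added illustration (not code from the original post), here is how those three evidence sources can be joined into one actionable finding, and how the join itself exposes a coverage gap when a host has no agent. The flow records, endpoint events, and indicator list are constructed for the example, and the field names are assumptions rather than any particular product's schema.

```python
"""Join network flows (breadth), host telemetry (depth) and threat
intelligence (context) into findings an analyst can act on.

All records below are constructed for this example; they are not real
telemetry, and the schema is an assumption, not a vendor format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Evidence source 1: network flows (breadth). One record per connection
# seen on the wire, regardless of whether the source host runs an agent.
FLOWS = [
    {"ts": "2021-03-02T10:00:05", "src": "10.0.0.12", "dst": "203.0.113.7", "dport": 443, "bytes": 812},
    {"ts": "2021-03-02T10:00:09", "src": "10.0.0.12", "dst": "198.51.100.4", "dport": 443, "bytes": 120340},
    {"ts": "2021-03-02T10:01:30", "src": "10.0.0.77", "dst": "203.0.113.7", "dport": 443, "bytes": 640},
    {"ts": "2021-03-02T10:02:00", "src": "10.0.0.12", "dst": "192.0.2.10", "dport": 80, "bytes": 2048},
]

# Evidence source 2: host telemetry (depth). An endpoint agent reports
# which process, run by which user, opened which socket. 10.0.0.77 has
# no agent (think printer or IoT device), so it never appears here.
HOST_EVENTS = [
    {"ts": "2021-03-02T10:00:04", "host_ip": "10.0.0.12", "user": "alice", "pid": 4120,
     "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "dst": "203.0.113.7", "dport": 443},
    {"ts": "2021-03-02T10:00:08", "host_ip": "10.0.0.12", "user": "alice", "pid": 2201,
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "198.51.100.4", "dport": 443},
]

# Evidence source 3: intelligence (context). Indicator -> what it is known to be.
INTEL: Dict[str, Dict[str, str]] = {
    "203.0.113.7": {"label": "known C2 server", "confidence": "high"},
}


@dataclass
class Finding:
    host_ip: str
    dst: str
    dport: int
    context: str                      # from intel: why this connection matters
    process: Optional[str] = None     # from host telemetry, if available
    user: Optional[str] = None
    gaps: List[str] = field(default_factory=list)  # missing evidence to chase


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_host_event(flow: dict, host_events: List[dict],
                    window: timedelta = timedelta(seconds=5)) -> Optional[dict]:
    """Return the host event that best explains a flow: same host, same
    dst:port, timestamp within +/- window (sensor and agent clocks drift)."""
    t = _ts(flow["ts"])
    candidates = [e for e in host_events
                  if e["host_ip"] == flow["src"] and e["dst"] == flow["dst"]
                  and e["dport"] == flow["dport"] and abs(_ts(e["ts"]) - t) <= window]
    return min(candidates, key=lambda e: abs(_ts(e["ts"]) - t), default=None)


def correlate(flows: List[dict], host_events: List[dict],
              intel: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Raise a finding for every flow to a known indicator, enriched with
    the process behind it when host telemetry exists, and an explicit gap
    note when it does not (no telemetry is itself evidence of a blind spot)."""
    findings = []
    for flow in flows:
        ioc = intel.get(flow["dst"])
        if ioc is None:
            continue  # no context yet: retain the flow as evidence, raise nothing
        f = Finding(host_ip=flow["src"], dst=flow["dst"], dport=flow["dport"],
                    context=f'{ioc["label"]} (confidence {ioc["confidence"]})')
        event = find_host_event(flow, host_events)
        if event is not None:
            f.process, f.user = event["process"], event["user"]
        else:
            f.gaps.append("no host telemetry for this source; check agent coverage")
        findings.append(f)
    return findings


def agent_coverage_gaps(flows: List[dict], host_events: List[dict]) -> set:
    """Hosts that talk on the network but never report host events: the
    breadth source reveals what the depth source cannot see."""
    return {fl["src"] for fl in flows} - {e["host_ip"] for e in host_events}


if __name__ == "__main__":
    for fnd in correlate(FLOWS, HOST_EVENTS, INTEL):
        print(fnd)
    print("hosts without agent telemetry:", agent_coverage_gaps(FLOWS, HOST_EVENTS))
```

Run as written, the first finding ties the C2 connection from 10.0.0.12 to `update.exe` running as alice, which is what an analyst needs to act; the second finding, from 10.0.0.77, carries only the network and intel evidence plus a gap note, and `agent_coverage_gaps` surfaces that host as a monitoring blind spot to fix before the next incident rather than during it.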
Building Resilient Systems
The first step towards building more resilient systems, in public health and in cybersecurity alike, is to acknowledge these principles, collect high-quality evidence, and make it actionable.
No metaphor is perfect, but we must remain hopeful that the catastrophe of COVID and the ongoing litany of damaging security compromises will ultimately lead to more capable, alert- and evidence-driven systems for defense.