COVID-19 + Cybersecurity: Parallels and Lessons from a Pandemic

The following is a conversation between Dr. Mike Lloyd, an epidemiologist-turned-Chief Technology Officer of RedSeal, and Ray Rothrock, member of the NTI Board of Directors and its Science and Technology Advisory Group, and author of “Digital Resilience: Is Your Company Ready for the Next Cyber Threat.”

Ray: Mike, you’re a rare guy: you have both a PhD in epidemic modeling, and a long career in cybersecurity. Now both of your careers are relevant. Does this pandemic have anything to teach cybersecurity and technology?

Mike: My career has been all about modeling complex systems: I started with epidemiology and shifted to computer networks. COVID-19 brings the similarities between the two to light in a way that’s widely relatable. There are four central lessons cybersecurity can learn from this pandemic, which can also be applied to reducing risk from nuclear, biological, and chemical weapons.

First: Understanding Lateral Movement. Our lives are globally interconnected, and we spread disease as we connect with each other. The fact that this disease started in one country and has spread laterally to even small, remote island communities is the first example in our lifetime that makes this point on a global scale.

Similarly, digital attackers only need to breach one target to start their infiltration. And despite security teams’ best efforts, it is impossible to protect all our networks down to every endpoint. They succeed by finding one hole in the system to “get in,” and then it usually takes just a few lateral moves to get from one place to anywhere else on the network.

Ray: In that analogy, when we stay home, we reduce the corona virus’ lateral movement.

Mike: Exactly. And this leads to the second lesson: Know Where the Problems Are. This is why testing for coronavirus is so important. We’re seeing that some countries – or even cities – have better success in fighting this virus because they can identify where the disease really is and get ahead of it.

Ray: Digital security is the same. Teams struggle to know where their network is infected, and then response teams are forced to scramble to quarantine or block the intruders. When they’re able to quickly know where the problem is, they can respond more effectively and efficiently to prevent its spread.

Mike: Now countries and communities are using contact tracing to identify who is a carrier, quickly track down their contacts, test them, and quarantine them, as necessary. Unfortunately, the online version of this is much harder because computers communicate across a network in many different and shifting directions. It is as if contract tracers had to deal with every person on earth flying to at least one country every day.

Plus, in a cyber crisis there is no simple answer to the question, "how did this infection get here, and where is it going next?" The best course of action is to map out a network well ahead of an attack, so security teams can understand all the access pathways and normal information flows for the organization ahead of time. Thankfully, we are getting better at automation and algorithms to analyze questions like this. We humans can’t process all the data quickly enough to be useful.

Ray: Makes sense. What’s next?

Mike: The third important step is to Slow It Down. By sheltering in place, we impede the coronavirus’ ability to move laterally around the population. As a result, this global effort to stay home and "flatten the curve" reduces strain on our taxed medical systems. Similarly, when digital defenders wall data into distinct areas, they are able to slow down attackers from expanding their intrusion. We can’t stop every determined attacker or nation-state, but slowing them down buys time to detect digital intruders so you can respond to block or quarantine them. You can also see this in traditional safes, which are rated based on how long they can resist a determined thief.

The fourth step is basic hygiene.

Ray: How does hygiene relate to cybersecurity and technology?

Mike: We know our first line of defense to battle COVID-19 comes down to individuals and their consistent use of basic hygiene: hand washing, not touching their faces, and covering their mouths, especially if coughing or sneezing, 100% of the time. Similarly, basic cyber hygiene comes down to consistency across an entire network and its component parts. People not practicing basic hygiene endanger us all eventually. Likewise, people not practicing basic cyber hygiene endanger their organizations. Device hardening, dual factor authentication and other practices are critical to tamping down the threats and reducing the attack surface. These may be even more important than the best technology defense.

You must know what devices are on – and can connect to – your network; you also want to make sure those devices are securely configured. You need to confirm the network is set up as intended, and when something changes, you need confirmation your network’s security isn’t affected. None of which is easy to do consistently or at the scale required of most organizations.

Real-world networks are riddled with unintentional hygiene failures. As with fighting this pandemic, even 95% compliance with basic hygiene standards is not enough. It only takes one unintentional exposure, and it is the same for cyber as well. Perform the basics well, everywhere, every time. And wash your hands.