What if We Dealt With Cybersecurity Like We Deal With Pandemics?

The novel Coronavirus (COVID-19) pandemic has motivated governments around the world to implement a variety of measures, including shuttering “non-essential” businesses, restricting how far individuals are allowed to travel from their homes, limiting or eliminating travel to their countries, imposing curfews, forcing people into quarantine when visiting their jurisdictions, imposing requirements to wear face masks, and so forth.

In almost all cases, the original goal of these measures was to limit the spread of the SARS-CoV-2 virus so that hospitals and other healthcare providers would not be overwhelmed. This so-called “flattening the curve” worked well by dramatically reducing the number of people visiting healthcare facilities so that those who contracted COVID-19 would be able to find treatment. In fact, “flattening the curve” worked so well that governments overshot their goal – tens of thousands of healthcare workers were laid off for lack of work because so many hospitals were operating far below capacity.

What if government took the same approach to cybersecurity in an attempt to stop ransomware, data breaches, credential theft, account takeovers, and other types of security problems? Here’s how it might play out:

  • Your state’s governor, your country’s prime minister, or your government’s CIO would determine who should be classified as an “essential” or “non-essential” user of communication and information services. Those deemed non-essential would be prohibited from sending or receiving email, using the web for any purpose, or using a mobile device.
  • Government would establish which websites, web services, email providers, social media providers, etc. are essential or non-essential and order those in the latter category to be shut down for an indeterminate period. In some jurisdictions, operators that defied these orders and remained open would have their electricity and Internet connectivity cut off. Owners who persisted in their defiance and found other ways to remain in operation could be jailed.
  • No computer or mobile device connected to the Internet could be used between the hours of 8:00pm and 5:00am.
  • Corporate help desks would stop dealing with all user issues except those involving a specific type of the newest cyberthreat. Other issues would be dealt with at a later, yet-to-be-determined time. The goal would be to prevent security analysts from being overwhelmed with too many requests for help.
  • Government would determine from which states, provinces or countries email could be received. Emails from non-approved countries would be placed into a spam folder or sandbox for two weeks before they could be read.
  • As cybersecurity attacks hopefully lessened, government would permit providers of email and web services to once again start their operations, but with only 25 percent the number of users they had prior to the cybersecurity pandemic. More gracious governments would increase that figure to 50 percent.
  • Long after the cybersecurity pandemic had started and after the worst of the problems had eased, government would require that every user sending or receiving an email, visiting a web site, or posting to social media via the public Internet send all communication through a client-side, multi-layer filtering solution. Even though there was little or no evidence that the solution would do anything to prevent or limit cyberattacks, it would make citizens and governments feel better because they were “doing something” to prevent the spread of threats. Even so, those not complying with this order could be fined heavily and would be publicly shamed.
  • Any entity that promoted an inexpensive, yet effective, cybersecurity solution instead of the extremely expensive solutions offered by a limited number of government-approved providers would be prevented from discussing their approach to cybersecurity on social media.

No doubt that these measures would work to prevent cyberthreats and make us all safer. Or maybe not.

The Coming Great US Economic Migration

A “great migration” is generally considered to be a migration of people that has an important impact on the course of history. These types of great migrations – often the result of economic drivers – have occurred throughout human history. Over the past 200 years or so, these migrations have included, among many others, the migration of up to two million Irish citizens to other countries (mostly to the United States) as a result of the potato famine between 1845 and 1850, the California Gold Rush from 1848 to 1850 that brought roughly 300,000 fortune-seekers to California (more than tripling the state’s population), and the Dust Bowl that brought up to 400,000 people to California.

In the United States, we will be seeing another economic migration, this time driven in large part by the wide variety of different governments’ responses to the COVID-19 pandemic. For example, the response to the COVID-19 crisis in Kentucky was a stay-at-home order issued on March 26th, while South Dakota never issued one and imposed significantly fewer restrictions on economic activity than most other states. Not coincidentally, South Dakota has had a dramatically lower rate of unemployment through April compared to Kentucky and most other states (and a much lower death rate from COVID-19 as of this writing).

The variety and severity of responses to the COVID-19 crisis are undoubtedly being followed closely by many business decision makers as they make longer term plans for the expansion of their companies – and possibly a move of their companies to states that have responded with less-stringent measures to address the pandemic. And it makes sense for them to do so – if, during the next pandemic, a company will be locked down for four months in their current location or for two months in another, why wouldn’t they include that as a decision point in determining where to expand their operations?

The first major shot across the bow in this regard came from Tesla CEO Elon Musk who tweeted on May 9th, “Tesla will now move its HQ and future programs to Texas/Nevada immediately. If we even retain Fremont manufacturing activity at all, it will be dependen [sic] on how Tesla is treated in the future. Tesla is the last carmaker left in CA.” While that may have been an off-the-cuff response from a CEO who has a reputation for being a bit brash at times, it’s likely indicative of how many business leaders are feeling these days.

That said, it would be inaccurate to believe that the pandemic alone will motivate companies to seek greener economic pastures. The migration of companies to more economically advantageous locations has been happening for some time as business leaders seek lower taxes, less regulation, less unionization, a lower cost of living for their employees, and easier building permitting. For example, JP Morgan is considering moving its headquarters out of New York City, Honeywell moved its headquarters from New Jersey to North Carolina, and General Electric moved out of Connecticut. In just 2016, 1,800 businesses left California for other states.

However, what makes the response to the COVID-19 pandemic a key factor in future migrations is that many of the states that businesses were already considering leaving are those that have imposed some of the most stringent restrictions on business activity in response to the pandemic. California, for example, was the first state to impose a stay-at-home order and it shows little sign of letting up anytime soon: Los Angeles County, with roughly one-quarter of California’s population, will be shut down through at least July. The continuation of strict stay-at-home, shelter-in-place and similar types of orders will likely be important, motivating factors for thousands of businesses large and small to seek locations where the next pandemic may be met with fewer restrictions on their business activity.

In short, the SARS-CoV-2 virus will have important long-term impacts on business activity, and the economic health of different states, long after it has faded into obscurity.

How Will the Current Lockdown End?

Here is my two cents on what I see as the development of the six stages of the COVID-19 lockdown in the United States. (Please note that I am not advocating rebellion against government, just commenting on what I believe will transpire):

  • Stage 1 (through March)
    The vast majority of people readily accept what they’re told despite the economic hardship and inconvenience it causes to them personally. They comply with stay-at-home, shelter-in-place, and similar types of orders.
  • Stage 2 (early April)
    Most people continue to comply, but some will quietly violate stay-at-home and shelter-in-place orders, such as walking on closed trails or taking drives, in an effort to regain some sense of normalcy.
  • Stage 3 (mid-April to early May)
    Many start to consider that maybe some governments have been too draconian and capricious in their lockdown orders, and that models upon which government decision makers have relied have been too aggressive in predicting the number of deaths. They wonder why, like in Michigan, they can still go out to buy lottery tickets, but cannot purchase plants for their garden. We see the first inklings of rebellion as we saw with yesterday’s lockdown protest in Vancouver and Vernon, BC. A few state governments begin to re-open schools and allow previously “non-essential” businesses to reopen, albeit with restrictions.
  • Stage 4 (mid-May to early June)
    A large percentage of people, many small businesses, and some local governments defy lockdown orders in an attempt to return to semi-normalcy. An “underground” economy of previously legal activities like hair styling, residential construction, and nail salons emerges quietly.
  • Stage 5 (mid-June)
    The state and local governments still enforcing lockdowns choose either a) to back off and start to allow things to re-open slowly, or b) they ratchet up enforcement through more aggressive levying of fines and arrests, and in rare cases resort to violence to keep people and small businesses in line.
  • Stage 6 (late summer 2020 through mid-2021)
    Businesses do a post-mortem on how the state and local governments under which they operate reacted to the COVID-19 crisis. Business leaders make decisions about which jurisdictions struck the right balance between safety and the economy and begin to move operations to those locations in preparation for the next, similar crisis.

Obviously, there are lots of unknowns at this point, and predictions are often and notoriously wrong. A case in point is the estimates of deaths resulting from COVID-19 published by the Institute for Health Metrics and Evaluation (IHME) at the University of Washington. On April 2nd, IHME published its best guess of 93,531 deaths through early August, revised it to 81,766 deaths on April 5th, and revised it again to 60,415 deaths on April 8th. That’s not a slam against IHME, whose scientists and modelers are no doubt very well-intentioned, but rather an example of the perils that exist in modeling just about anything, particularly in the relatively early stages of a crisis.

Lessons Learned from the COVID-19 Panic-Demic

Here are a few idle thoughts and personal takeaways about the impact of the COVID-19 pandemic and the ensuing panic among the public, in the financial markets, etc.:

  • Supply chains that are built around the concept of enabling sellers to provide products at the lowest possible price don’t weather pandemics very well. Depending so heavily on a single country for manufacturing leaves companies clearly susceptible to a Black Swan event like the one in which we’re currently embroiled. Just as investors are almost always advised to diversify their portfolios, manufacturers should diversify their supply chains to weather disruptive events more effectively.
  • Nation-state actors and cyber terrorists have been provided with an excellent example of how they might be able to severely disrupt life in developed countries, particularly the United States. While COVID-19 is certainly a serious issue that requires the appropriate level of response, the panic buying of toilet paper, flour, sugar, milk, eggs, cake mixes, baby formula, diapers, cat litter (yes, cat litter!), etc. is clearly an overresponse when food-related supply chains, at least in the United States and many other developed nations, are still largely intact.
  • To the point above, imagine if a nation-state actor or terrorist organization were successful in taking a handful of power plants off-line with the threatening message that more would be taken off-line in the near future. As demonstrated with the COVID-19 panic, there would be a huge run on not only basic necessities, but also on things like batteries, generators, flashlights, and hundreds of other items. It wouldn’t just be grocery stores and Costco stores with thousand-foot lines, but also Home Depot, Lowes and lots of hardware stores.
  • Our residential broadband infrastructure seems to be holding up quite well with several million home-workers suddenly added to the traffic burden. While I’m sure there are instances of poor broadband service for residential workers because of the additional load, they seem to be few and far between.
  • One of the positives that may come out of this crisis is the realization by many decision-makers that lots of in-person meetings that incur significant travel costs can be easily replaced with on-line meetings. While not good for the already decimated travel and hospitality industries, we might experience a new wave of meeting efficiency that we hadn’t anticipated.
  • There is likely to be a major increase, at least temporarily, in the number of victims of cybercrime and data breaches. As employees use their home computers – with inadequate endpoint protection and networks that incorporate hackable routers – to access corporate email and data assets on the corporate network, the security defenses that normally defend sensitive data resources will be bypassed in many cases. Expect a major uptick in security problems until organizations adapt to the new, hopefully temporary, reality of most or all of their workforce working remotely.
  • Similarly, expect a major increase in social media-related cybercrime because people are hungry for information about COVID-19, and they’ll click on links that purport to offer information about it. As noted by Brian Krebs six days ago, a live Coronavirus map developed by Johns Hopkins University is being exploited as part of an infection kit that uses the tool as a component of a Java-based malware deployment plot.

In short, lots of problems to be expected in the near- to mid-term until a combination of decreasing infection rates and whatever new crisis is in the offing move our attention to some different topic.

Coronavirus Taking Its Toll on Industry Conferences

Here’s a partial list of the impact that the Coronavirus, known officially as COVID-19, is having on tech industry conferences worldwide as of Friday afternoon, February 21st:

  • RSA Conference, San Francisco
    Verizon today pulled out of next week’s event. They were preceded by AT&T Cybersecurity yesterday and IBM on February 14th. In addition, 10 other exhibitors — three from the United States, six from China, and one from Canada — have pulled out of the conference. Of the nine exhibitors from China that were scheduled for RSA, six have pulled out; the three remaining will be staffing their booths with individuals from the United States. RSA is expected to draw up to 45,000 attendees this year.
  • Mobile World Congress, Barcelona
    This conference, scheduled for February 24-27 and which normally draws about 100,000 attendees, was cancelled on February 12th. The announcement followed LG, Google, AT&T, Airbus, Sony, Cisco, Facebook, Nvidia, Amazon and several other exhibitors announcing that they were pulling out of the show.
  • DEF-CON China, Beijing
    This conference, scheduled for April 17-19, has been put on hold for six months because “China has announced a six-month hold on events like ours as part of the effort to combat the coronavirus outbreak”.
  • Facebook Global Marketing Summit, San Francisco
    The March 9-12 summit, expected to draw 4,000 participants, was cancelled by Facebook’s management “out of an abundance of caution.”
  • PAX East 2020, Boston
    Sony Playstation pulled out of this major video game conference because of fears over the virus.

In addition to these, more than two dozen trade shows in Asia have been cancelled because of the Coronavirus outbreak.