What if We Dealt With Cybersecurity Like We Deal With Pandemics?

The novel Coronavirus (COVID-19) pandemic has motivated governments around the world to implement a variety of measures, including shuttering “non-essential” businesses, restricting how far individuals are allowed to travel from their homes, limiting or eliminating travel to their countries, imposing curfews, forcing people into quarantine when visiting their jurisdictions, imposing requirements to wear face masks, and so forth.

In almost all cases, the original goal of these measures was to limit the spread of the SARS-CoV-2 virus so that hospitals and other healthcare providers would not be overwhelmed. This so-called “flattening the curve” worked well by dramatically reducing the number of people visiting healthcare facilities so that those who contracted COVID-19 would be able to find treatment. In fact, “flattening the curve” worked so well that governments overshot their goal – tens of thousands of healthcare workers were laid off for lack of work because so many hospitals were operating far below capacity.

What if government took the same approach to cybersecurity in an attempt to stop ransomware, data breaches, credential theft, account takeovers, and other types of security problems? Here’s how it might play out:

  • Your state’s governor, your country’s prime minister, or your government’s CIO would determine who should be classified as an “essential” or “non-essential” user of communication and information services. Those deemed non-essential would be prohibited from sending or receiving email, using the web for any purpose, or using a mobile device.
  • Government would establish which websites, web services, email providers, social media providers, etc. are essential or non-essential and order those in the latter category to be shut down for an indeterminate period. In some jurisdictions, operators that defied these orders and remained open would have their electricity and Internet connectivity cut off. Owners who persisted in their defiance and found other ways to remain in operation could be jailed.
  • No computer or mobile device connected to the Internet could be used between the hours of 8:00pm and 5:00am.
  • Corporate help desks would stop dealing with all user issues except those involving one specific type of the newest cyberthreat. Other issues would be dealt with at a later, yet-to-be-determined time. The goal would be to prevent security analysts from being overwhelmed with too many requests for help.
  • Government would determine from which states, provinces or countries email could be received. Emails from non-approved countries would be placed into a spam folder or sandbox for two weeks before they could be read.
  • As cybersecurity attacks hopefully lessened, government would permit providers of email and web services to once again start their operations, but with only 25 percent of the number of users they had prior to the cybersecurity pandemic. More gracious governments would increase that figure to 50 percent.
  • Long after the cybersecurity pandemic had started and after the worst of the problems had eased, government would require that every user sending or receiving an email, visiting a web site, or posting to social media via the public Internet send all communication through a client-side, multi-layer filtering solution. Even though there was little or no evidence that the solution would do anything to prevent or limit cyberattacks, it would make citizens and governments feel better because they were “doing something” to prevent the spread of threats. Those not complying with this order could be fined heavily and would be publicly shamed.
  • Any entity that promoted an inexpensive, yet effective, cybersecurity solution instead of the extremely expensive solutions offered by a limited number of government-approved providers would be prevented from discussing their approach to cybersecurity on social media.

No doubt that these measures would work to prevent cyberthreats and make us all safer. Or maybe not.

What if North Korea had…

The recent cyberattack on Sony Pictures has been definitively linked to the government of North Korea, presumably in response to Sony’s upcoming release of the comedy The Interview. The US government said that North Korea was “centrally involved” in the attack, which has resulted in the leakage of several pre-release films, lots of embarrassing emails, and a variety of other content that Sony Pictures would rather not have had released – in total, up to 100 terabytes of data. North Korea upped the stakes following this cyberattack, threatening to create what amounted to another 9/11 if theatres showed the film. Clearly, Kim Jong-un does not have a sense of humor (or a good hair stylist).

The most recent result of this cyberattack, other than lots of apologies and hand-wringing from Sony executives, was the announcement by several major US theatre chains that they would not show The Interview, followed shortly thereafter by Sony’s cancellation of the $42 million film.

An attack on any major company is bad enough, even if the primary result is the cancellation of something as innocuous as a film. But what if North Korea had decided its target was the IT infrastructure of a major US utility, including its nuclear facilities? Black & Veatch published a report this year indicating that fewer than one-third of the electric utilities it surveyed have appropriate security systems with the “proper segmentation, monitoring and redundancies” necessary to deal with cybersecurity threats. What if North Korea had decided to attack a major hospital network? One of the largest US hospital groups, Community Health Systems, was the victim of a Chinese cyberattack earlier this year, resulting in “only” the loss of data on 4.5 million patients. What about a North Korean cyberattack on the military? An investigation by the US Senate revealed that there were 50 successful hacking attempts against the US Transportation Command between May 2012 and May 2013. Serious and debilitating cyberattacks on utilities, healthcare providers and the military could make us long for “the good old days” when the result of a cyberattack was just the cancellation of a film.

What if it was your company? Have you taken precautions to prevent ransomware from infecting your users? 500,000 victims of Cryptolocker weren’t so lucky. Are your users trained to detect phishing attempts and take appropriate action when they encounter them? Is your security infrastructure sufficient to detect and weed out malware, phishing attempts and other threats that could make you a Sony-like victim? Is your vendor’s threat intelligence protecting your organization sufficiently?

We have done a lot of research on security issues and will be launching another major survey just after the first of the year to find out just how prepared organizations really are.