What if We Dealt With Cybersecurity Like We Deal With Pandemics?

The novel Coronavirus (COVID-19) pandemic has motivated governments around the world to implement a variety of measures, including shuttering “non-essential” businesses, restricting how far individuals are allowed to travel from their homes, limiting or eliminating travel to their countries, imposing curfews, forcing people into quarantine when visiting their jurisdictions, imposing requirements to wear face masks, and so forth.

In almost all cases, the original goal of these measures was to limit the spread of the SARS-CoV-2 virus so that hospitals and other healthcare providers would not be overwhelmed. This so-called “flattening the curve” worked well by dramatically reducing the number of people visiting healthcare facilities so that those who contracted COVID-19 would be able to find treatment. In fact, “flattening the curve” worked so well that governments overshot their goal – tens of thousands of healthcare workers were laid off for lack of work because so many hospitals were operating far below capacity.

What if government took the same approach to cybersecurity in an attempt to stop ransomware, data breaches, credential theft, account takeovers, and other types of security problems? Here’s how it might play out:

  • Your state’s governor, your country’s prime minister, or your government’s CIO would determine who should be classified as an “essential” or “non-essential” user of communication and information services. Those deemed non-essential would be prohibited from sending or receiving email, using the web for any purpose, or using a mobile device.
  • Government would establish which websites, web services, email providers, social media providers, etc. are essential or non-essential and order those in the latter category to be shut down for an indeterminate period. In some jurisdictions, operators that defied these orders and remained open would have their electricity and Internet connectivity cut off. Owners who persisted in their defiance and found other ways to remain in operation could be jailed.
  • No computer or mobile device connected to the Internet could be used between the hours of 8:00pm and 5:00am.
  • Corporate help desks would stop dealing with all user issues except those with a specific type of the newest cyberthreat. Other issues would be dealt with at a later, yet-to-be determined time. The goal would be to prevent security analysts from being overwhelmed with too many requests for help.
  • Government would determine from which states, provinces or countries email could be received. Emails from non-approved countries would be placed into a spam folder or sandbox for two weeks before they could be read.
  • As cybersecurity attacks hopefully lessened, government would permit providers of email and web services to once again start their operations, but with only 25 percent the number of users they had prior to the cybersecurity pandemic. More gracious governments would increase that figure to 50 percent.
  • Long after the cybersecurity pandemic had started and after the worst of the problems had eased, government would require that every user sending or receiving an email, visiting a web site, or posting to social media via the public Internet would be required to send all communication through a client-side, multi-layer filtering solution. Even though there was little or no evidence that the solution would do anything to prevent or limit cyberattacks, it would make citizens and governments feel better because they were “doing something” to prevent the spread of threats. Even so, those not complying with this order could be fined heavily and would be publicly shamed.
  • Any entity that promoted an inexpensive, yet effective, cybersecurity solution instead of the extremely expensive solutions offered by a limited number of government-approved providers would be prevented from discussing their approach to cybersecurity on social media.

No doubt that these measures would work to prevent cyberthreats and make us all safer. Or maybe not.