Author: Rudolf Schreiner, CEO, ObjectSecurity OSA GmbH,
Editor: Ulrich Lang, CEO, ObjectSecurity LLC
“Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”
— Winston S. Churchill
For many weeks, even for months, I have been talking about the risks of this new virus originating from China. I said it would spill over to other countries, including the US and Europe. I said it would become a pandemic, a huge challenge for our societies and economies. Nobody wanted to listen. Look, just 10 people infected, no problem at all, it’s harmless, in spring it will disappear, it’s just like a flu. Please, stop talking about Corona, we can’t hear about it anymore, my wife said.
Why was I able, like many of my cybersecurity colleagues, but in contrast to most political decision makers, to predict the pandemic so early? Because the focus of our work at ObjectSecurity is risk in complex systems, in our case security risks in complex IT systems. It is not that difficult to transfer the expertise and experience from IT systems to economic systems and societies; they share many similarities.
Weak signals
The first aspect here is detecting very weak signals or indications of problems, because this allows you to act as early as possible. The earlier you respond, the easier the response and the lower the overall impact. We know that in a highly interconnected world an event in a remote country can have a huge impact on your business activities and your life. A flood in Thailand? Who cares! Remember the hard disk shortage in 2012? A strange new virus in China? Well, yes, happens, they have these strange culinary habits. When I read about this new virus, now called COVID-19, I got nervous. I thought about supply chains and globalization, I thought about travel and spread all over the world. And I thought about SARS in 2003. OK, but SARS had a limited impact, only 774 deaths, even with a really high fatality rate of about 10%. So COVID-19 won’t be that bad, more like a flu. Wrong! The good thing, well, kind of, with SARS was the fact that you very quickly felt very sick. So it was easy and quick to detect, with few undetected cases (a low dark figure). COVID-19, on the other hand, is often asymptomatic or has symptoms similar to a simple cold or what we call a flu, a simple viral infection. COVID-19 can spread without much notice, and can only be detected with a specific test (PCR). All this is very familiar to cybersecurity people: Trojans and viruses, signature-based malware and intrusion detection and its limitations, behavior-based detection, forensics and so on. This helps us to understand the compartmental models in epidemiology, e.g. SIR and its elaborations, and to embed them in the broader context of risk management.
Risk analysis, risk management, risk mitigation
This brings us to the second main aspect: risk analysis, risk management, risk mitigation. But what is the risk of COVID-19? Deaths, obviously. But it is not so easy. A risk has a probability and an impact: the probability of getting infected, and then the course of the illness as the impact. That’s it! Then the response to COVID-19 is clear: reduce infections, because life is the highest value of all. Complete lockdown! That’s what many political decision makers are executing now.
But risk management professionals like us know that it’s much, much more complex. Most people don’t understand risks, and are not able to assess them. At ObjectSecurity, we have been working on risks in complex IT systems for many years. We have learned how to model systems, and how to automatically assess and mitigate cybersecurity risks. We have learned how to analyze risks in complex supply chains. If I now apply the lessons we have learned to the current COVID-19 crisis, I get very nervous. First of all, we have learned that risk assessment has to be based on facts, not on rumors, opinions or more or less educated guesses. There is often a huge gap between what people think about their systems and the reality. You only see a problem if you look for it. In the COVID-19 case, this means that testing is most important. You need to know all the data for epidemic modeling, like incidence and incidence rate, the basic reproduction number, or lethality. You also need a lot of fine-grained data about your health system, e.g. the numbers of ICU beds, respirators, ECMO units and so on. Single figures, like the number of infections, are meaningless if not set in context. Based on these numbers, we could make realistic epidemiological predictions, e.g. using the SEIR model.
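As an added illustration, not part of the original article, here is a minimal SEIR simulation in Python that turns the numbers above (basic reproduction number, incubation and infectious periods, ICU capacity) into the kind of prediction the text calls for: an unmitigated epidemic compared against one where contacts are halved, with peak ICU demand checked against available beds. Every parameter value is a constructed, hypothetical placeholder, not real COVID-19 data.

```python
# Added example (not from the article): SEIR compartmental model, RK4 integration.
# All parameters below are constructed/hypothetical, not real epidemiological data.

def simulate_seir(n, i0, r0, incubation_days, infectious_days, days, dt=0.1):
    """Integrate S, E, I, R over `days`; returns rows of (t, S, E, I, R)."""
    sigma = 1.0 / incubation_days      # rate of leaving E (becoming infectious)
    gamma = 1.0 / infectious_days      # rate of leaving I (recovery/removal)
    beta = r0 * gamma                  # transmission rate, since R0 = beta / gamma

    def deriv(s, e, i, r):
        new_inf = beta * s * i / n     # new infections per unit time
        return (-new_inf, new_inf - sigma * e, sigma * e - gamma * i, gamma * i)

    def rk4_step(state):
        k1 = deriv(*state)
        k2 = deriv(*[x + dt / 2 * d for x, d in zip(state, k1)])
        k3 = deriv(*[x + dt / 2 * d for x, d in zip(state, k2)])
        k4 = deriv(*[x + dt * d for x, d in zip(state, k3)])
        return tuple(x + dt / 6 * (a + 2 * b + 2 * c + d)
                     for x, a, b, c, d in zip(state, k1, k2, k3, k4))

    state = (n - i0, 0.0, float(i0), 0.0)
    rows = [(0.0,) + state]
    for k in range(1, int(days / dt) + 1):
        state = rk4_step(state)
        rows.append((round(k * dt, 6),) + state)
    return rows

def summarize(rows, icu_fraction, icu_beds):
    """Peak prevalence and its day, recovered by the end, and ICU demand vs. beds."""
    peak_t, peak_i = max(((t, i) for t, _s, _e, i, _r in rows), key=lambda p: p[1])
    peak_icu = peak_i * icu_fraction
    return {"peak_day": peak_t, "peak_infected": peak_i,
            "total_recovered": rows[-1][4], "peak_icu_demand": peak_icu,
            "icu_overrun": peak_icu > icu_beds}

POP, ICU_FRACTION, ICU_BEDS = 1_000_000, 0.05, 3_000   # constructed placeholder values

def compare(contact_reduction=0.5, r0=2.5, days=730):
    """Baseline vs. contacts cut by `contact_reduction` (R0 scales with contact rate)."""
    base = summarize(simulate_seir(POP, 10, r0, 5, 7, days), ICU_FRACTION, ICU_BEDS)
    mitigated = summarize(simulate_seir(POP, 10, r0 * (1 - contact_reduction), 5, 7, days),
                          ICU_FRACTION, ICU_BEDS)
    return base, mitigated

if __name__ == "__main__":
    for label, res in zip(("baseline", "mitigated"), compare()):
        print(label, {k: round(v, 1) if isinstance(v, float) else v for k, v in res.items()})
```

The two-year horizon matches the article's point that mitigation has to be balanced over one or two years, not two weeks: halving contacts does not prevent infections, it spreads them out so that peak demand stays within capacity.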
Systematic overall risk assessment
These predictions have to be the input to an overall risk assessment. Cybersecurity experts know that security is never the highest priority. It is one aspect among others, e.g. meeting operational or business needs. Building a secure system with no or very limited functionality is of little use, and you need a cost-benefit analysis. That’s a very important aspect which also applies to the COVID-19 response, and which political decision makers often don’t understand. Initially, COVID-19 was ignored. Large sport events took place, pubs and restaurants were open, because decision makers did not anticipate the upcoming crisis. This was a good opportunity for some super-spreaders. In IT security, we have seen this kind of ignoring of risks so often. Nothing will happen, so let’s carry on!
Then we got the reports from Italy, which is several weeks ahead of us. Politicians got the message. Now, in many countries, there are very serious and far-reaching restrictions on political and economic life, in order to stop the spread of COVID-19. Everything else is secondary. The Italian prime minister Conte has now ordered a complete stop of all non-essential economic activities. Except for food production and critical infrastructure, all factories have to be closed. In most countries, we now have a more or less complete curfew. There is no systematic assessment of such actions. What is the benefit in terms of reduction of the reproduction number, and what are the economic and social costs? How many companies will go bankrupt? How many people will lose their jobs? What are the psychological consequences, for adults and especially for kids? How long can you keep children in isolation without producing a high rate of Post Traumatic Stress Disorder (PTSD)?
Impact analysis
It seems that for decision makers it is often more important to demonstrate the ability to act than to really find appropriate and proportional actions. What is appropriate in a large city with a high incidence might be completely over the top in a rural district with almost zero incidence. What we need now is a clear risk mitigation strategy, based on concrete models and expert advice. It is not about “you have to stay at home for two weeks”, as many people still think. We have to balance fighting the spread of COVID-19 against the economic, political and societal impact, over the long term, in the range of one or two years. Otherwise, the damage will be enormous.
For example, a strict long-term lockdown will most likely reduce the number of direct fatalities in the high-risk groups, e.g. elderly people. But it will also have a very serious impact on the economy, leading to more unemployed and poor people. We know that in all countries poorer people are less healthy than wealthier people, to a degree that depends on the country’s welfare and health system. This means that even if a lockdown reduces short-term fatalities, the overall balance of fatalities might still be negative, because of the higher long-term mortality caused by unemployment and poverty. As an alternative, it might be necessary to specifically support poorer families.
All this is extremely difficult to comprehend, as we have seen in our comparatively much simpler IT security work. Therefore, we need to apply state-of-the-art modeling and simulation techniques in order to support political decision makers.
The road ahead
There is also a lesson for the future. COVID-19 is not the only risk, and maybe not even the most serious one. Others include major natural disasters, major terror attacks (e.g. with biological and chemical weapons) or warfare of different intensity, including cyber warfare.
Therefore, we urgently need a more resilient society. We need to assess potential risks, and we need to prepare. During the last decades, since the end of the Cold War, the level of preparation has dropped a lot. During the 80s and 90s of the last century, I was a civil defense officer. At that time, our country was quite well prepared. We had, for example, huge emergency hospitals for thousands of casualties, well sheltered and with enormous supplies. And now we don’t even have enough basic protective equipment, like masks. Recently, a study proposed that Germany should reduce its number of ICU beds by 50%, because the current number is not economical. Never heard of backups? We also need to consider economic and political aspects, e.g. reducing dependence on countries that are not 100% trustworthy. Who is producing most of the drugs today? Where do most supply chains end? We need a detailed analysis of vulnerabilities, as we already do for IT systems, but now for our complete societies and economies, including a focus on supply chain risks.
COVID-19 & cybersecurity
Finally, what does COVID-19 now directly mean for cybersecurity? First of all, it means SCAMS. But COVID-19 doesn’t mean that the usual suspects, from greedy cyber criminals spreading ransomware up to our political “friends” Putin and Xi, suddenly turn into decent people. They will most likely exploit the situation, e.g. the shortage of skilled staff or limited access to systems. We are already seeing the first signs of this, ranging from misinformation and phishing all the way to fake test kits.
We are living in interesting times… stay safe (and stay at home if you can).