A cybersecurity approach to coronavirus containment
By Zohar Rozenberg
In recent years, some in the cybersecurity world recognized that there is a lot to learn from the biological world when protecting systems against viruses. Now, the coronavirus pandemic presents an opportunity for the medical world to learn something from the cybersecurity world. To analyze the strategies selected by various countries, let’s review them through the lens of cybersecurity strategies — beginning by recognizing that cybersecurity is built in layers. There is no one magic solution or layer that will prevent all possible attacks.
Furthermore, in the cybersecurity world, it has been realized for some time that it is impossible to protect everything for all eternity. There will be victims. Computers will be attacked, information will be stolen, activity will be interrupted and so on. It has already been accepted in the business world that it is not possible to maintain an extremely high level of protection while at the same time enabling a business to run at its required pace.
A compromise must always be found, and risks managed. Extremely high levels of security are possible, but this will give rise to a situation where work may grind to a halt. Businesses accept that by running freely, they expose themselves to various levels of cyberthreats.
The challenge, which has become the main responsibility of information security managers along with their organizations, is to learn how to live with these day-to-day compromises. They must understand the risks they take, and determine what level of risk they can accept and what level of risk is too great.
Just as businesses weigh various protection approaches, we can see several strategies for protection against coronavirus being implemented by various countries. In South Korea and Taiwan, a relatively advanced approach has been adopted of detecting the threat, finding where it is harbored and dealing with it surgically wherever identified. All this is in conjunction with a basic layer of disinfecting large areas.
In the cybersecurity world, this corresponds to the use of advanced concepts such as threat hunting and to extensive investment in detection and incident response. All this is above and beyond the basic layer of a standard firewall and endpoint protection, which provides some basic level of protection throughout the whole organization. This approach reflects an understanding that the “point of contact” with the world will be breached, or in the professional slang, “the perimeter is dead.” It is not possible to achieve full protection and keep the threat outside the perimeter forever. The threat must be sought out on a targeted basis and dealt with wherever identified, without giving up on a basic layer of protection, which will still succeed in preventing the simpler threats from penetrating.
Aside from these countries, most of the world, including Israel, Italy and the United States, has adopted approaches that the cybersecurity world considers traditional and older. Israel began with an approach derived from the belief that there is indeed a “perimeter” and that the threat can be blocked externally and prevented from getting inside. In the cybersecurity world, this approach is now widely thought to be inherently irrelevant. Subsequently, Israel, like Italy and the U.S., transitioned to an extremely tough and aggressive policy. In the cybersecurity world, such an approach equates to a strong lock-down of the network, preventing the transmission of information between points in the network. This makes any access to network resources difficult and, in general terms, attempts to reduce traffic on the network.
Such an approach can indeed succeed in preventing breaches of the network and the endpoints, but it also has the effect of preventing most of the activity on the network and consequently has an adverse effect on the organization’s business activity. Such an approach to protection was previously favored at sensitive locations such as defense establishment institutions, but over the years, these too have come to understand that it is impossible to operate over time with such difficulties piling up on top of the organization’s activity. In the Israel Defense Forces, it was realized several years ago that in order to achieve the aims of the organization, it must allow more access to the network, to facilitate more connections and transmission of information between endpoints. In order to reduce the resulting risk, the organization has sought more advanced protection approaches.
Throughout the industry, it is now difficult to find organizations that still stick with a tough and aggressive cybersecurity policy. In the last decade, we have witnessed a shift toward more sensible and considered risk management, which attempts to strike a balance between the need to facilitate activity and the desire for protection. Britain attempted to adopt its own unique approach, which, by contrast, the cybersecurity world finds slightly illogical. In effect, Britain has tried to rely upon the immunity of all its citizens; in cybersecurity terms, it is as if they were content with installing antivirus software at all the endpoints. This protection approach has not been relevant in the cyber world for approximately 20 years, and there are currently no organizations that use it as their sole approach to protection, with the possible exception of very small businesses.
It is possible to analyze the operational approaches of the countries from another angle in the cyber world, and that is “threat intelligence.” Some countries have made it a priority to track the virus globally, learning its patterns and understanding what works to combat its spread. At the same time, it shocks some of us in the cybersecurity community to see other countries ignore the risk or deny its potential outcome. Today in the cybersecurity world, there is a growing acknowledgment of how difficult it is to build a layer of protection against cyberthreats without acquiring advanced information about the threats and their nature. Currently, the leading organizations worldwide, even those well able to protect themselves, rely heavily upon such information when addressing cyberthreats.
Another analogy to the cyber world can be analyzed from the public reactions in the various countries. Apparently, in Singapore, Taiwan, South Korea and perhaps other places, the public has strictly complied with governmental directives, understanding the risk and responding well to the threat. On the other end of the spectrum is Italy, which reacted complacently, did not heed governmental instructions and didn’t understand the size of the threat.
Similarly, in cybersecurity, the field of awareness and training that has been gathering momentum in recent years tries to get the personnel of the organization to appreciate the threat and educates them on proper procedures in the presence of a threat. This is regarded as maintaining “cyberhygiene,” which reminds employees not to open suspicious emails, how to report something suspicious to the organization and the like. Organizations that have invested in educating people about awareness and correct actions have reported an improvement in the organization’s immunity to cyberthreats. In organizations that have not invested in this at all, many people find themselves falling prey to cyberattacks such as email impersonation.
It appears that in the cybersecurity world, the more advanced organizations are adopting more innovative approaches, and the use of advanced tools such as threat hunting, detection, incident response and employee awareness has produced better results in coping with cyberthreats. Similarly, in the physical world, countries that have adopted comparable approaches, such as South Korea, Singapore and Germany, appear to have succeeded, at least for now, in containing the virus’ threat, achieving a dramatic reduction in the number of new infections and reaching the point of at least a partial return to routine. Countries viewed as maintaining more traditional approaches, sanctifying the perimeter or applying tough, aggressive policies as their major effort, are finding it very difficult to contain the threat. These countries are still seeing a rise in cases, coupled with a widespread paralysis of economic activity and of the economy as a whole.
If countries wish to learn lessons from the world of cybersecurity protection in order to deal with the coronavirus threat, then they must bear in mind that defenses must be built in several layers. There is no one method that can avert the threat. Investment must go toward prevention: it is important to create a basic level of control and monitoring at the points of entry, but action is also necessary at the level of detection and treatment. This can only be done well by thoroughly gathering and analyzing the latest data. It is to be hoped that more and more countries will consider adopting more advanced protection approaches, finding ways of applying them in the physical world in order to accelerate the end of the threat and bring about a return to a normal routine.