As the technology industry grew and the need for cyber security rose, companies learned a lot (through trial and error) about how to deal effectively with the cyber threat. Then COVID-19 came along and changed the way business was done.
This introduced a whole new level of risk into the market and changed the game when it comes to cyber security. It was as if we had to hit the reset button and relearn everything that we knew within the frame of a new risk landscape.
Again, we have learned a lot about cyber security during the COVID-19 lockdown period.
A report by the World Economic Forum pointed out that most of the world is currently experiencing highly atypical living conditions as a result of COVID-19. At the height of the pandemic, more than 2 billion people were under some form of lockdown, and 91% of the world’s population, or 7.1 billion people, live in countries with border controls or travel restrictions due to the virus.
It would be comforting to think this is merely a “blip” interrupting an essentially stable state of affairs, and that the world will return to “normal” once medicine and science have tamed the virus.
Comforting – and wrong.
The report added that COVID-19 is not the only risk with the ability to quickly and exponentially disrupt the way we live. The crisis shows that the world is far more prone to disturbance by pandemics, cyberattacks or environmental tipping points than history indicates.
Our "new normal" isn’t COVID-19 itself – it's COVID-like incidents.
And a cyber pandemic is probably as inevitable as a future disease pandemic. The time to start thinking about the response is – as always – yesterday.
To start that process, it’s important to examine the lessons of the COVID-19 pandemic – and use them to prepare for a future global cyberattack.
Lesson #1: A cyberattack with characteristics similar to the coronavirus would spread faster and further than any biological virus.
The report pointed out that the reproductive rate – or R0 – of COVID-19 is somewhere between two and three without any social distancing, which means every infected person passes the virus to a couple of other people. This number affects how fast a virus can spread; the number of infected people in New York state was doubling every three days before lockdown.
By contrast, estimates of R0 of cyberattacks are 27 and above. One of the fastest worms in history, the 2003 Slammer/Sapphire worm, doubled in size approximately every 8.5 seconds, spreading to over 75,000 infected devices in 10 minutes and 10.8 million devices in 24 hours. The 2017 WannaCry attack exploited a vulnerability in older Windows systems to cripple more than 200,000 computers in 150 countries; it was halted by emergency patches and the accidental discovery of a “kill switch”.
The report adds that the cyber equivalent of COVID-19 would be a self-propagating attack using one or more “zero-day” exploits, techniques for which patches and specific antivirus software signatures are not yet available. Most likely, it would attack all devices running a single, common operating system or application.
The report points out that since zero-day attacks are rarely discovered right away – Stuxnet used four separate zero-day exploits and hid in systems for 18 months before attacking – it would take a while to identify the virus and even longer to stop it from spreading. If the vector were a popular social networking application with, say, 2 billion users, a virus with a reproductive rate of 20 may take five days to infect over 1 billion devices.
Lesson #2: The economic impact of a widespread digital shutdown would be of the same magnitude as, or greater than, what we’re currently seeing.
If cyber-COVID mirrored the pathology of the novel coronavirus, 30% of infected systems would be asymptomatic and spread the virus, while half would continue functioning with performance severely degraded – the digital equivalent of being in bed for a week. Meanwhile 15% would be “wiped” with total data loss, requiring a complete system reinstall. Finally, 5% would be “bricked” – rendering the device itself inoperable.
The end result: millions of devices would be taken offline in a matter of days.
The report adds that the only way to stop the exponential propagation of cyber-COVID would be to fully disconnect all vulnerable devices from one another and the internet to avoid infection. The whole world could experience cyber lockdown until a digital vaccine was developed. All business communication and data transfers would be blocked. Social contact would be reduced to people contactable by in-person visits, copper landline, snail-mail or short-wave radio.
A single day without the internet would cost the world more than $50 billion. A 21-day global cyber lockdown could cost over $1 trillion.
The report points out that cyber lockdown would also introduce novel challenges for digitally dependent economies. During the 2020 Australian bushfires, power outages and damage to mobile phone infrastructure gave citizens a newfound appreciation for battery-operated FM radios. But if cyber-COVID ravaged a country, which radio stations would still operate without digital recording and transmission systems? Would states like Norway, which has completed its transition to digital radio, be able to roll back?
Lesson #3: Recovery from the widespread destruction of digital systems would be extremely challenging.
The report adds that replacing 5% of the world’s connected devices would require around 71 million new devices. It would be impossible for manufacturers to rapidly scale up production to meet demand, particularly if manufacturing and logistics systems were affected. For systems that survive, there would be a significant bottleneck in patching and reinstallation.
The geographic concentration of electronics manufacturing would create other challenges. In 2018, China produced 90% of mobile phones, 90% of computers and 70% of televisions. Finger-pointing about the source and motive of the cyberattack, as well as competition to be first in line for supplies, would inevitably lead to geopolitical tensions.
Another report by the WEF points out that we need to rethink and repurpose cyber security to fit the modern construct.
The report points out that for businesses all over the world, adjusting to the new realities created by COVID-19 has been an incredible challenge. From a technology perspective, the crisis has forced companies to make massive changes - from meeting the needs served by suddenly shuttered workspaces, to scaling the tools required to connect entire workforces now isolated at home.
For IT teams that are already stretched thin, just getting the tactical tools and techniques needed for business continuity up and running has been a massive undertaking complicated by intense time pressures. But all of that was just the beginning. To protect and strengthen those efforts, we must now go beyond initial tactical approaches to adjust underlying security strategies and workplace philosophies as well.
The report adds that, for many companies, the biggest obstacle will not be the technology; it will be the ability to recognize that these short-term disruptions are here for the long-term, if not actually permanent. It is also critical that we begin now to seize the opportunity presented by these cultural and technological shifts to embrace a more strategic approach to security. Just as it has been very difficult for some companies to embrace the principles and practices of working remotely, some organizations may still attempt to cling to a network model that doesn’t really reflect the form or function of how their cloud and networks must now operate.
Adapt and scale.
The report points out that the primary organizing concept in many organizations’ network strategy (that there is a centre, and then there is everything else) is gone. To adjust, the principles and practices we use to secure what we once called the edge must now be adapted to and scaled across the entire network.
For many of us, this is not a new necessity. For years, security professionals have advised companies to adjust their security strategy to secure the remote edge, not just the traditional core network perimeter, and to employ security-driven networking. Even so, nobody could have predicted just how quickly and fundamentally those changes would be forced on us in the wake of COVID-19. We may never entirely go back to what we knew as normal. And perhaps the most dangerous thing we could do now is to leave our expanded edge strategy out on the edge.
The report adds that, moving forward, edge security, cloud security and network security must be synonymous. A security-driven networking strategy that blends the entire distributed network into a single, coherent solution is no longer optional – it will be an imperative. Fusing networking, the cloud and security must be the foundational structure of not only what is done now, but also of any innovations to come.
Seeing designed solutions.
The report points out that we have already begun to see solutions designed to define and secure networks with software, enabling organizations to approach security, the cloud and networking with a single, unified strategy for all edge computing. Many companies that had already invested in integrating their software-defined networking in a wide area network (SD-WAN), next-generation firewall (NGFW) technology and multi-cloud deployments into a unified system were in a much better position to pivot to the demands of a totally restructured workplace. But now that remote networks have taken a primary position, organizations must extend that strategic edge approach throughout the network and out to the cloud to make sure it is consistent, integrated and secure.
These changes may seem painfully sudden and sweeping. But the truth is we were already rapidly running out of runway. It was inevitable that security would have to follow data, and data has been moving to the edge and being distributed across an expanding network for some time now. Even without a global lockdown separating us physically, the proliferation of IoT — which includes billions of highly vulnerable access points with code not developed with security-first in mind — was always going to blow a gaping hole in networks eventually. Suddenly, eventually is now.
The report adds that there is no choice now but to move forward. Though challenging, we are being given an opportunity to create the type of connectivity and security we have long known we would need, but have been avoiding. That may be one bright outcome from this terrible crisis, but only if organizations can focus quickly and execute this strategy thoroughly.
Thankfully, the technology to achieve these solutions is available. Security-driven networking that utilizes AI to drive efficient, integrated solutions spanning remote access and dynamically distributed networking and cloud environments allows companies to maintain the pace of business. But it will also enable IT teams to focus on higher priority challenges, such as segmentation and authentication, to protect organizations as well as prepare for the opportunities of 5G, ultra-rich media and smart solutions, including smart vehicles, buildings and cities.
The report points out that, since we know that we must rely on digital connections more than ever, it is critical that we ensure that those connections are safe, fast, scalable, and strong throughout our networks. Whether we like it or not, whether we are ready or not, we have been pushed to the edge. The only question now is how quickly organizations can extend their networking strategy so they can remain safe there.
One of the problems with the existing approach to cyber security is that it was done on a piecemeal basis and that each country had its own approach. Perhaps there needs to be a set of best business principles set out that will govern how any country approaches this issue.
This is what the Cybersecurity and Infrastructure Security Agency (CISA) hopes to achieve through its cybersecurity toolkit.
The report on securitymagazine.com points out that, as a follow-up to the November 2019 release of Cyber Essentials, the Cybersecurity and Infrastructure Security Agency (CISA) released the first in a series of six Cyber Essentials Toolkits. This is a starting point for small businesses and government agencies to understand and address cybersecurity risk as they do other risks. CISA’s toolkits will provide greater detail, insight and resources on each of the Cyber Essentials’ six “Essential Elements” of a Culture of Cyber Readiness.
The report adds that the newest list highlights the first “Essential Element: Yourself, The Leader” and will be followed each month by a new toolkit to correspond with each of the six “Essential Elements.” Toolkit 1 focuses on the role of leadership in forging a culture of cyber readiness in their organization with an emphasis on strategy and investment.
“We thank all of our partners in government and the private sector who played an essential role in the development of CISA’s Cyber Essentials Toolkit,” CISA Director Christopher Krebs told Security Magazine. “We hope this toolkit, and the ones we are developing, fills gaps and provides executives the tools they need to raise the cybersecurity baseline of their teams and the organizations they lead.”
The report points out that, developed in collaboration with small businesses and state and local governments, Cyber Essentials aims to equip smaller organizations that historically have not been a part of the national dialogue on cybersecurity with basic steps and resources to improve their cybersecurity. Cyber Essentials includes two parts – guiding principles for leaders to develop a culture of security, and specific actions for leaders and their IT professionals to put that culture into action.
The report adds that each of the six Cyber Essentials includes a list of actionable items anyone can take to reduce cyber risks. These are:
- Drive cybersecurity strategy, investment, and culture;
- Develop heightened level of security awareness and vigilance;
- Protect critical assets and applications;
- Ensure only those who belong on your digital workplace have access;
- Make backups and avoid loss of info critical to operations; and
- Limit damage and restore normal operations quickly.
How can we prepare for cyber-COVID?
We need to remember that COVID-19 has made a lasting impression on the way people work. Remote access will be commonplace in the future.
So, how do we prepare for this construct? The WEF report points out that the COVID-19 pandemic provides insight into how leaders can prepare for such a “fat tail” risk:
- Widespread, systemic cyberattacks are not just possible or plausible; they should be anticipated. As we have seen with COVID-19, even a short delay in the response can cause exponential damage.
- New Zealand’s success in fighting the pandemic proves that early, decisive actions and clear, consistent communication increase resilience. It’s impossible to prepare for every potential risk, but both the public and private sectors should invest in scenario exercises to reduce reaction time and appreciate the range of strategic options in the event an attack occurs.
- COVID-19 has revealed the importance of international, cross-stakeholder coordination. Cooperation between public and private sector leaders is also critical, particularly when it comes to mitigation. The Centre for Cybersecurity at the World Economic Forum is just one example of an organization addressing systemic cybersecurity challenges and improving digital trust across institutions, businesses and individuals.
- Just as COVID-19 has pushed individuals and organizations to look to digital substitutes for physical interactions, government and business leaders should think about the inverse. “Digital roll back” and continuity plans are essential to ensuring organizations can continue to operate in the event of a sudden loss of digital tools and networks, as Maersk learned during the NotPetya cyberattack in 2017, which took out 49,000 laptops and printers and wiped all contacts from their Outlook-synced phones. A necessary part of the digital transformation is having sensitive and important information stored and accessible in physical, printed form.
But perhaps the most important lesson: COVID-19 was a known and anticipated risk. So, too, is the digital equivalent.
Let’s be better prepared for that one.