Risk – in cyber and pandemic.

I cannot dismiss the similarities between the current COVID-19 threat to human life and the threat of damage from cyber actors that businesses face every day – and have since they plugged into the Internet. Of course, it must be understood the stakes are much higher when humanity is facing down a deadly virus as the ultimate end can be death, not the loss of money, data, or reputation.

In the debate over when to “re-open” our now closed lives and return to “normalcy”, the news reporters and pundits often dwell on the question of risk. But they rarely get it right.

SANS Institute defines risk as “the potential harm that may arise from some current process or future event”. In the situation at hand, the threat and risk are fairly clear and without much debate: the threat is COVID-19 and the risk is serious illness or, ultimately, death.

Why does a risk exist? Because of a vulnerability, or a flaw or weakness in a system. Again, with the current situation, the vulnerability is human immunity and the potential inability to fight off a biological attacker.

So what are our choices? We as a society, and as individuals, must manage and mitigate the risks, just as businesses do every single day when dealing with the dangers of being connected to the Internet.

Risk can be managed in a variety of ways but in the information security realm, there are four acknowledged methods: acceptance, transference, avoidance, and mitigation or reduction.

The easiest and least responsible way to handle risk is to just accept it. The business owners recognize the risk, understand the potential damage that could result, and decide to play the odds that the threat will not exploit their vulnerability. And if it does, they'll deal with it when the time comes. The common line is, “it's just the cost of doing business”. It is one thing to roll the dice when dealing with money or reputation but completely different when considering human lives. In the current crisis, understanding the risk and doing absolutely nothing is not a realistic option. For a society to make no changes and undertake no efforts to deter this disease is unacceptably reckless. Dying from a communicable disease should not be the cost of living.

One of the quickest ways to deal with risk is to transfer it somewhere else. This is easy when dealing with financial losses but much trickier when the ultimate loss is human life. It is fairly simple for a business to make a phone call and purchase some insurance. The CEO washes his hands and the insurance company assumes the risk. If the business sustains a loss, the insurance company writes a check to repair the damage. However, once you become infected with a virus, you can't just pull it out of your body and transfer it to someone else. And an insurance payout will not do you any good when you are dead. Your family might be happy with the insurance check, but you still ultimately assumed 100 percent of the risk.

Currently, our elected officials have chosen to deal with risk through avoidance. This is being carried out through business closures, stay-at-home orders, and the potential of criminal punishment for violations. The threat is known, the vulnerabilities are recognized, and the risk is being controlled by doing everything possible to avoid having threat and vulnerability come together in time and space. This would be the equivalent of a business manager watching a webinar on malicious websites and then prohibiting his employees from accessing the Internet completely. Forget firewalls, VPNs, and web filters; they are just shutting it down. And don't even think about cellular LTE; they installed wire mesh over the windows. Or, to match the extreme our elected leaders have gone to: every time a CEO is told of an ongoing malicious campaign against his business, he orders everyone to shut down their computers and go home for the day. No work will be conducted until the attackers are defeated. If the attack goes on for a week, then the business remains offline for a week! This is not an effective strategy if the goal of the business is to remain profitable.

The final method of dealing with risk is reducing it to a level where business can still be conducted with some form of normalcy. This is achieved through reasonable, proactive mitigation efforts. A business may not allow employees to use remote desktop services or connect their own devices to the enterprise network. Behaviors that are known to be risky are eliminated to reduce the attack surface. In the fight against disease, this is akin to the mandatory wearing of face masks, practicing good handwashing hygiene, and altering personal greetings, such as no longer shaking hands or hugging. Life goes on, but we reduce the risk by avoiding behaviors that may open us to infection.

The similarities between the government and business end there. The government has chosen to accept zero risk, as evidenced by its attempt to deal with the threat through complete avoidance. Shut the business down. This would never work for an enterprise, at least not one that wanted to keep the doors open long term. Business leaders have a much better understanding of the threat and vulnerability relationship and the realities of dealing with that risk while maintaining a successful existence.

At the time of this writing, Pennsylvania has had 41,165 confirmed infections of COVID-19, with 1,150 of those infections resulting in death. The population of Pennsylvania is ~12,800,000. Those numbers work out to a 0.321 percent infection rate and a 0.012 percent death rate based on the total population. The rate of death among those who are infected is 3.7 percent.

A cyber threat that has a 0.3 percent chance of affecting a business and only a 3.7 percent chance of catastrophic failure if infected is barely going to raise the eyebrow of a security team. Simple mitigations to reduce the risk may be enacted, but there is no way the business leaders are going to opt for complete avoidance and shut the business down based on a threat that has a 0.321% chance of adversely affecting an unprotected business.

COVID-19, however, attacks humans. Our leaders have chosen to assume no risk and have shut the business down. Only time will tell if their assessment was correct.

#risk #infosec