While there has already been quite a bit written comparing biological viruses to the cyber malware industry, they have largely been clickbait knee-jerk pieces that offer some but not much value to the reader. In this piece, I draw similarities between COVID-19 and WannaCry (for sake of being a well-known example). The comparisons I’ll draw won’t be all-inclusive, but rather those that point to a lesson that defenders (and victims) of either type of threat can benefit from.
The Calm Before the Storm?
Actually, there is no calm before the storm. What there is, is a fast-paced, just-in-time world of businesses operating at breakneck speeds, with SecOps staff in short supply, with hospitals at near-full capacity, and with everything in our lives in the year 2020 built by algorithms for maximum efficiency. Black Swan events like WannaCry (and now, the Coronavirus) are never truly anticipated or prepared for. They make their way as a line-item in a risk register at best, with an assigned value, and a notion of what ‘acceptable risk’ the organization associates with such an event.
Before a Black Swan type event hits, we also have a skewed set of priorities. We value perfect visibility in cyber security more than we value actions that can be taken from that visibility. We value threat attribution more than we value creating and practicing playbooks designed to quickly contain a threat that is emerging. This is much akin to academic, yet often esoteric, research in the biological threat landscape. “The most important thing”, in other words, is rarely “the thing we are actually doing right now”. A certain luxury of prioritization creeps into organizations that have not yet been tested.
Much as in the world of cyber security, far too much emphasis is placed on likelihood rather than on raw impact when it comes to assessing risk. Likelihood is hard to gauge when it comes to cyber risk because there is simply not enough resources, expertise or raw intelligence to ever actually be able to gauge it in a meaningful amount of time to make a difference to the mission. Instead, we should shift the risk effort onto impact to mission. Impact, it turns out, is relatively easier to solve for.
So right now, instead of trying to gauge whether COVID-19 is coming to a neighborhood near you…spend your cycles assuming it will, and act now, accordingly. Remember, time is on the adversary’s side…unless you claim it and take it back to your own. So get ahead of the threat now, while you still have time.
The Storm Hits – Weathering It Is Not Enough
When an attack happens, it is not enough to merely weather the storm. Instead we must actively adapt, and boldly fight tooth and nail at every level. As Darwin surmised, those who survive “are not the strongest or the most intelligent, but the most adaptable to change.” This is true in biology, but it is also true in cyber security.
During WannaCry, businesses quickly realized that the preparations they had made for cyber events were simply not enough. What mattered was an organization’s ability to quickly adapt, and quickly make top-down decisions even in the absence of perfect information. During the Coronavirus’ initial outbreak in the US, we saw some of the economy’s best Risk Managers quickly make high-impact decisions; like Amazon and Google restricting flights for their employees. At a family level, some families made early decisions to cancel vacations, and stock up on basic supplies.
And others? They just carried on as they were. Judging the likelihood instead of assessing the impact, until pandemonium sets in. On the heels of WannaCry came NotPetya…yet only those companies that had been directly impacted by WannaCry were any better prepared. Why? What did they know that everybody else didn’t? It’s not as if WannaCry was not endlessly reflected on at the time.
There’s no true knowledge without experience. An organization that has been through something like WannaCry simply does not look at cyber risk the same way ever again. Prior to such an event, measuring risk was often an abstracted, best-guess exercise, with a notional set of risk-offset controls assigned notional offset dollar amounts, and a degree of notional risk-transference woven in vis-a-vis cyber insurance policies. But gone are those days for organizations that have felt the full impact of a destructive threat. Gone, too, are the strategies of merely trying to “stop a breach”; as if cyber impact could ever be defined and constrained by mere breach-related fines, or the impact of a competitor or nation state learning secrets.
The one aspect of this shift that is still challenging for us all: Getting organizations that simply have not gone through a major cyber crisis to still act, prioritize, staff, resource and practice like those that have.
This sounds a bit like what we are seeing with the Coronavirus, doesn’t it? Has the US paid heed to those countries that are just ahead of the virus’s impact curve? Have we preemptively adopted those controls that we know worked in China, South Korea, and those that are underway in Italy? Much like many destructive cyber threats, this virus does not discriminate in terms of who it targets, or what nation it finds itself within. Watching events unfold in Italy should be just as insightful as reading an after-the-fact report on the impact NotPetya had on Maersk. There are lessons everywhere. There are imperatives for action to be learned.
Yet we continue on, refusing to act like the countries that have already been impacted. Thinking we are different. Thinking we still understand real-world risk and, in particular, the impact of this threat. It doesn’t have to be this way. The crucial lesson extraordinary events like WannaCry and Coronavirus must teach us is this: Act and prepare for an event as if you’ve already been through it.
After the Storm Comes the Flood
On the heels of WannaCry, enterprise security spend went up as much as 10x, and operational/production spend even higher. Some CISO’s had the challenge of being able to spend the budget (and more specifically staff for it) fast enough. We know this story by now in the world of cyber: never let an event go to waste, use it to secure funding, teams and positions in the organization.
But, when it comes to this coronavirus, the question is: what are we going to do differently next time? Lessons-learned, hindsight…none of it matters if we don’t do something with that hard-earned information. Now is the time as a nation, and as communities and businesses, to think about what we will do differently in the future to better prevent, and prepare for, such a pandemic. The number one change I saw in organizations impacted by WannaCry and NotPetya was, in a word, prevention.
While industry will try to tell you the lesson is one of restoration, end user training and awareness, and generally, “resilience”, the real answer of what changes after you go through something like this is: you never want to go through it again, and it becomes an intolerable component of risk management overall. CISO’s will go through 100-day plans, 200-day plans and beyond after an event like this. At the top of the list are those fundamental practices, technologies, and broader supply-chain and vendor management business practices that prevent, not just react to, the next big event.
Learning from Cyber and Biological Crisis Events
Time is the invisible instrument of advantage in an adversarial context. Those individuals, organizations, communities, and indeed nations that respond with decisive action, and do so as early as humanly possible, stand the greatest chance of mitigating the impact of both cyber and biological events. Hard decisions that carry certain risk must be made in the absence of perfect visibility, data or analysis. There isn’t time to wait to “understand this virus” before we act.
As with risk management in general: prepare for the worst, but also strive to act as though the worst might unfold. There is a cost and risk to doing this. There is a level of discomfort. But regardless of how we feel about these things as humans, the truth is, we are living in a hyper-velocity era, and our decision making must keep up, such that actions that matter can happen in time to matter, too. The adversary normally has time on its side, but it doesn’t have to be this way.
Let me conclude with a small example of an organization doing it right. MIT’s President L. Rafael Reif wrote in this notice to students:
“State and federal public health officials advise that to slow a spreading virus like COVID-19, the right time for decisive action is before it is established on our campus.”
A large part of acting quickly is the courage and wisdom to act well before there is even an event. Prepare, and stay safe.