What the multi-layered pandemic response can teach about combatting cyberattacks.
COVID-19 and cybersecurity – you may wonder what these two seemingly very different topics have in common. I would list two:
Since the outbreak of the COVID-19 pandemic, I have been surprised to hear the word “exponential” increasingly appear in common news coverage. This term used to be reserved for scientists and engineers: in our field, for example, to reason about algorithmic complexity. Nevertheless, knowingly or not, “exponential” plays a key role in many aspects of our modern life such as compound interest on loans, the spread of popular information on social networks, or for the given topic, the impact of viral transmission and cyberattacks.
We as a society seem to have difficulties grasping the nature of exponential growth. I am sure many of you have heard one of the variations of the “Rice and Chessboard Problem,” sometimes also told in terms of wheat kernels. The common storyline goes that a smart servant asked his ruler for a payment scheme using a 64-square chessboard. He asked for one grain of rice on the first square and then double that amount for each subsequent square. The ruler immediately accepted on impulse because it appeared very cheap, not noticing that all the rice in his empire would not be enough to pay off the servant. We all seem to have similar difficulties when quickly judging exponential phenomena. The underlying reason might be that all our natural experiences are linear – we need twice as long to walk double the distance, we can purchase twice as many groceries for double the money. To overcome our quick emotional response to exponential growth, we need to stop for a moment and actually do the math!
While exponential growth is about multiplying the base value every so often, it is its time constant that determines the speed of growth (or decay). For a viral transmission, you might have heard about the reproduction number R, which determines the growth (or shrinkage) of the outbreak. When we learn that some virus variant is 50% more infectious, we could shrug it off as it seems like a relatively small increment. However, after only five more transmissions, this 50% could lead to an 11-fold increase of people being infected – explaining why new COVID variants can become dominant quickly, but also illustrating how easy it is for us to underestimate the impact of “exponential.”
The situation is similar in the cybersecurity area. You may remember the early IBM PC days when the first computer viruses appeared (my mother asked me whether she could get infected by such a computer virus – I am sure she was not the only one with that concern). The initial propagation was via floppy disk – showing an exponential growth similar to its biological cousin. However, once PCs became networked and connected to the internet, the time constant shrank dramatically, leading to much faster spread and much bigger impact. Since then, cyberattacks have become significantly more sophisticated, exploiting a wide spectrum of vulnerabilities such as weaknesses in hardware or software designs, or simply mistakes in how we organize and operate our digital infrastructure. The recent SolarWinds fiasco demonstrated a highly sophisticated attack that exploited the software supply chain to gain fast and deep proliferation. Similarly, the just-published weaponized Spectre exploit has the potential of massive attacks taking advantage of a vulnerability in widely used semiconductor chips.
Whether reacting to a pandemic or improving our cybersecurity posture, the response does not need to be perfect, but requires a consistent and sustained multi-layered approach – all aimed at slowing (and eventually reversing) the growth. For the Coronavirus, we all have acquired new habits such as mask wearing, social distancing, hand washing, reduced travel, etc., which are combined with a broad medical response such as contact tracing, PPE, a massive vaccination campaign and more. All of them are important, as their combination can dramatically reduce the spread with the goal to reduce the pandemic to manageable levels, if not eradicate it completely.
It is unlikely that we will ever be able to eliminate cyberattacks. But to limit their impact, we need to drastically slow their spread and, once they are encountered, respond as thoroughly and quickly as possible. Similar to a pandemic response, combatting cyberattacks requires a combination of adjusting our behavior with a comprehensive technical response. The former ranges from simple means such as maintaining secure passwords and resisting socially engineered cyberattacks to truly embracing security processes and standards for product development and system operation. Technically, we need to ensure that security is a key business requirement across the entire system stack from semiconductor chips, firmware, operating system, application software, communication networks, to datacenter, cloud infrastructure, etc. Too often, we observe a siloed approach to these diverse domains, which is highly visible at vendor exhibitions of cyber conferences such as RSA or Black Hat. These disconnects allow attackers to breach a system by weaving together vulnerabilities from different domains into a comprehensive exploit.
COVID-19 has valuable lessons for cybersecurity: Among many, take exponential growth seriously and develop a comprehensive multi-layered strategy to combat it.