Jack Sussmilch 16 Aug. 2021
Cybersecurity
Just over 18 months into the pandemic, Australia is in an interesting, albeit perturbing, situation with the “management” of COVID19.
A mix of good management at the state level and more than a spoonful of good luck meant Australia – like New Zealand – initially enjoyed the status that came with the elimination of the virus within our communities. Continued outbreaks, however, are making containment increasingly difficult as the virus mutates its way around our defences.
With 100% of the COVID cases in Australia being traced to the arrival of people from overseas, you could argue that, in Australia at least, the COVID19 pandemic is, in fact, a security issue.
So, what insights do we uncover by applying a cybersecurity lens to the pandemic response in the Australian context? Well, it results in some interesting findings.
Below you will see some of the broader, most common controls being used to mitigate the COVID19 threat in an effort to limit its risk of exploiting our vulnerabilities.
Each of these controls is categorised under the following five functions of the NIST security framework:
To employ an effective defence to a threat in cybersecurity, each of these five pillars is essential. No single control can be 100% effective in the long term, and it is the efficacy of the combination of these controls which dictates an organisation’s security posture.
Without going into too much detail, let’s just say that whilst Australia’s Protection controls have bought us valuable time as an effective stopgap measure, the vaccination rollout has been too slow to have much of an effect on the exploit (i.e., COVID-19 virus variants). Fortunately, the International Quarantine controls have been relatively successful compared to many locations across the rest of the world, especially considering Australia’s reliance on using hotels in large urban centres (instead of remote purpose-built quarantine facilities) to quarantine international arrivals from countries suffering large COVID outbreaks.
Some other controls, like state lockdowns, have proven to be extremely effective, albeit more difficult with the Delta Variant. One state has even beaten back five outbreaks to reach zero cases per day using lockdowns.
This cursory exercise now complete, we can make four interesting observations common to many organisations:
One more observation is that we currently have leaders announcing that protective controls, like vaccines, are the way out of what is currently a responsive situation. We often see this confusion between protective and reactive controls during cybersecurity assessments of organisations, due to the often event-driven nature of many protective controls.
With respect to a bad COVID19 outbreak in the state of New South Wales, we currently have both the State Premier and Federal Government stating, “vaccines are the path out of lockdown”. While vaccines are crucially important for their contribution to the overall security posture, there are very real limits to what vaccines can achieve – particularly with an estimated 20-30% of the global population being hesitant to get the jab. The real crux of the road out of lockdown is a protective control in the form of purpose-built quarantine facilities for the infected and international arrivals as an essential component of having defence in depth.
This overfocus on vaccines, at the expense of other controls, appears to be an instance of a protective control being confused with and misapplied as a reactive control. Not that protective controls cannot assist in the response to a realised threat – they most definitely help contain the damage. However, their ability to “put the cat back in the bag” is extremely limited. To push vaccines as the sole means of reaching the recovery stage seems disingenuous.
If a building were on fire and someone suggested installing a sprinkler system to put out the flames, surely the obvious response would be to say “yes, it would be effective if it had been installed before the fire, but first we need the fire brigade to put the fire out.”
What is also interesting is that when we reach the recovery phase we tend to ease the protective controls (mask wearing, social distancing). This is similar to disabling the endpoint protection once you’ve cleaned up a computer virus outbreak.
With many people prepared to criticise the current approach to the crisis without also suggesting how else the situation could be managed, I’d like to recommend taking a cybersecurity approach to the COVID19 pandemic in Australia and suggest the following measures be taken:
This exercise has led me to conclude that our national COVID19 response suffers from very similar maladies to those organisations endure with respect to cybersecurity. Of particular interest are the similarities in human behaviours with respect to conflating reactive and protective security controls.
This suggests we might all benefit from a Human Centric Cybersecurity Assessment of Australia’s COVID19 response strategy and epidemiological controls. After all, the very nature of pandemics requires extensive interdisciplinary collaboration.
As organisations around the world work to accommodate the problems of the crisis at hand, the need for higher degrees of collaboration, communication and innovation has become a burning requirement for many.