Just over 18 months into the pandemic, Australia is in an interesting, albeit perturbing, situation with the “management” of COVID19.
A mix of good management at the state level and more than a spoonful of good luck meant Australia – like New Zealand – initially enjoyed the status that came with the elimination of the virus within our communities. Continued outbreaks, however, are making containment increasingly difficult as the virus mutates its way around our defences.
With 100% of the COVID cases in Australia being traced to the arrival of people from overseas, you could argue that, in Australia at least, the COVID19 pandemic is, in fact, a security issue.
So, what insights do we uncover by applying a cybersecurity lens to the pandemic response in the Australian context? Well, it results in some interesting findings.
Below you will see some of the broader, most common controls being used to mitigate the COVID19 threat in an effort to limit the risk of it exploiting our vulnerabilities.
Each of these controls is categorised under one of the following five functions of the NIST security framework:
- Identify – Identification of risks, threats, and vulnerabilities
- Protect – Safeguards to protect from exploitation of the vulnerabilities from threats
- Detect – Identification of the exploits in progress
- Respond – Minimisation of the exploit to contain and eliminate it
- Recover – Recovering from the impact of the exploit
To employ an effective defence against a threat in cybersecurity, each of these five pillars is essential. No single control can be 100% effective in the long term, and it is the efficacy of the combination of these controls which dictates an organisation’s security posture.
The following diagram maps the most common controls to the NIST 5 pillars:
What this simple diagram does not illustrate is the effectiveness of each of these controls at any given point in time.
Without going into too much detail, let’s just say that whilst Australia’s protection controls have bought us valuable time as an effective stopgap measure, the vaccination rollout has been too slow to have much of an effect on the exploit (i.e., COVID-19 virus variants). Fortunately, the international quarantine controls have been relatively successful compared to many locations across the rest of the world, especially considering Australia’s reliance on using hotels in large urban centres (instead of remote purpose-built quarantine facilities) to quarantine international arrivals from countries suffering large COVID outbreaks.
Some other controls, like state lockdowns, have proven to be extremely effective, albeit more difficult with the Delta Variant. One state has even beaten back five outbreaks to reach zero cases per day using lockdowns.
This cursory exercise now complete, we can make four interesting observations common to many organisations:
- A heavy emphasis is placed on the protection pillar. This is both common and understandable. We’d all like to think if we can just prevent the tough situation from happening 100% of the time, we can avoid the pain of having to employ responsive controls.
- Very limited and blunt instruments are used in the response category. Again, this is understandable from a human perspective; we tend to focus resources more on prevention than cure across many domains.
- People often focus on one or two controls in the hope of having a single “silver bullet,” rather than viewing the security posture as an integrated set of controls which provide a layered defence.
- Often when the recovery stage is reached, we have a tendency to turn off some of the protective controls (e.g., relaxing mask mandates and social distancing requirements) even though the risk and threat have not diminished.
One more observation is that we currently have leaders announcing that protective controls, like vaccines, are the way out of what is currently a responsive situation. We often see this confusion between protective and reactive controls during cybersecurity assessments of organisations, due to the often event-driven nature of many protective controls.
With respect to a bad COVID19 outbreak in the state of New South Wales, we currently have both the State Premier and Federal Government stating, “vaccines are the path out of lockdown”. While vaccines are crucially important for their contribution to the overall security posture, there are very real limits to what vaccines can achieve – particularly with an estimated 20-30% of the global population being hesitant to get the jab. The real crux of the road out of lockdown is a protective control in the form of purpose-built quarantine facilities for the infected and international arrivals as an essential component of having defence in depth.
This overfocus on vaccines, at the expense of other controls, appears to be an instance of a protective control being confused with and misapplied as a reactive control. Not that protective controls cannot assist in the response to a realised threat – they most definitely help contain the damage. However, their ability to “put the cat back in the bag” is extremely limited. To push vaccines as the sole means of reaching the recovery stage seems disingenuous.
If a building were on fire and someone suggested installing a sprinkler system to put out the flames, surely the obvious response would be to say “yes, it would be effective if it had been installed before the fire, but first we need the fire brigade to put the fire out.”
What is also interesting is that when we reach the recovery phase we have a tendency to ease the protective controls (mask wearing, social distancing). This is similar to disabling the endpoint protection once you’ve cleaned up a computer virus outbreak.
With many people prepared to criticise the current approach to the crisis without also suggesting how else the situation could be managed, I’d like to recommend taking a cybersecurity approach to the COVID19 pandemic in Australia and suggest the following measures be taken:
- Lockdown strictly. It’s not the harshness of the reactive control which does the most damage, it’s the duration a reactive measure is in effect. Short and sharp is the answer.
- Encourage Vaccination – not as a way out of the current lockdowns but as a meaningful and effective way of protecting us from future reactive measures. That is what protective controls are for.
- Harden up the Quarantine facilities for international arrivals. Purpose-built, well-resourced quarantine facilities for international arrivals, located away from major populated areas, will reduce the reliance on the protective and reactive controls by making outbreaks less frequent.
- Only implement changes to the controls in accordance with the threat and risk profiles. Unfortunately, whilst the protective controls are weak, future lockdowns are inevitable as no control can be 100% effective on its own. If a lockdown is required, make sure it’s done hard and early to reduce the duration. As the protective measures improve and the risk profile changes, the threshold for activating the reactive controls will be increased.
- When we reach the recovery stages, let’s not ease up on the protective controls until the risk profile of another outbreak is more effectively mitigated.
This exercise has led me to conclude that our national COVID19 response suffers from very similar maladies to those organisations endure with respect to cybersecurity. Of particular interest are the similarities in human behaviours with respect to conflating reactive and protective security controls.
This suggests we might all benefit from a Human Centric Cybersecurity Assessment of Australia’s COVID19 response strategy and epidemiological controls. After all, the very nature of pandemics requires extensive interdisciplinary collaboration.