The real world is fragile. It is unnerving, to say the least, to see how a virus can cause such massive disruptions across the globe.
The digital world is fragile as well, as rampant cyberattacks have shown us. It is no coincidence that some of the language we use to describe cybersecurity threats is taken from the biological world, specifically terms such as “viruses” and “infections.” The similarities are striking.
Perhaps this is a teachable moment. How do we apply lessons from the coronavirus (COVID-19) pandemic to the world of cybersecurity?
The Virus as Metaphor
Coronavirus, like many computer viruses, was a zero-day attack. There was no forewarning, no minor outbreak where it could be contained before proliferating. Then it spread quickly, with no treatment or mitigation, causing enormous devastation.
It spread surreptitiously, with many individuals being infected before they showed any symptoms. Coronavirus is transmitted by individuals when they interact in person, mimicking the spread of computer viruses within a network. All of these attributes mirror certain types of computer malware.
As my Palo Alto Networks colleague Ryan Olson notes: “The earliest examples of computer viruses would write extra code into another executable file and change the entry point to start execution at their code. This is nearly identical to a biological virus, which can’t live on its own and must attach to a host cell to survive and reproduce.”
Another important similarity is the need for an antivirus vaccine. Classic computer antivirus solutions work in a way that is similar to how our immune systems fend off viruses.
They keep a small piece of the virus, a signature, and build files from it to identify virus-infected files. The immune system in the body actually does the same thing by saving a small section of the virus and using that as a way to identify infected cells, which it then destroys.
While it is probably easier and quicker to create a mitigation in the cyber world than in the biological world, a computer virus can spread much faster because of ubiquitous digital connectivity. The question, on a case-by-case basis, is: Will there be widespread damage, and how destructive will it ultimately be?
Prevention and Response
In the real world, we all could have been better prepared for COVID-19—with adequate supplies of critical equipment such as testing kits, masks and ventilators. But few countries were willing to accept a risk model for something that seems abstract. Many voices of warning were ignored because of concerns about costs.
One lesson I hope we can take away is that we have to be prepared for the unimaginable in cybersecurity in the same way we should have been prepared for this pandemic. As former U.S. Department of Health and Human Services Secretary Mike Leavitt said: “Everything we do before a pandemic will seem alarmist. Everything we do after a pandemic will seem inadequate.” Lesson: Worst-case scenario planning can feel unnecessary, but it won’t be wasted in the event of an unforeseeable crisis.
Another lesson is that of mitigation. Adopting a Zero Trust security model is key to prevention and response.
With Zero Trust, you define what is most critical to protect, as you would with a biological virus; i.e., protecting yourself and your family.
In cybersecurity, you can use segmentation to build controls around key assets and use policies to limit the ability of malware or zero-day attacks to enter that environment. You can build in controls that limit the ability of viruses to infect other parts of your environment.
Segmenting keeps sensitive data and assets apart from each other, so an infection won’t spread. The approach is like what we are doing with social distancing. It’s also similar to using masks or self-quarantine to limit the spread. And just as in the biological world, in cyber you can make prevention bidirectional—stopping infections from coming in and going out.
The COVID-19 and cybersecurity metaphor extends even further. With Zero Trust methodologies, you are taking the swabs, doing the testing, isolating and quarantining in real time, before there is any chance the infection will get into your system and infect others. With everything pre-tested and pre-validated, there can be no asymptomatic carriers spreading the infection surreptitiously.
The world is never safe, and the COVID-19 pandemic is devastating. Let’s hope we don’t encounter this type of scenario in the world of cybersecurity. But if that day ever comes (and experts are predicting it), then the least we can do is understand the risks, be better prepared to prevent an outbreak and react quickly to mitigate it. We have to make sure our business leaders see the value of taking the right steps before a crisis strikes unexpectedly.