There are a number of confusing differences of opinion with respect to handling the COVID-19 pandemic. Some of the confusion seems to center around a common misunderstanding of the roles of various mitigation approaches. Perhaps this is a case where those managing the pandemic could benefit from the experiences of cybersecurity and business-continuity professionals as well as vice versa.
The principle behind avoidance is not allowing an exploit, which has evolved from a threat and is now “in the wild,” from locating a receptive victim who would be vulnerable to the exploit’s particular attack. There are a number of ways to address this situation.
For humankind, it is a matter of staying out of range of the virus or destroying it if you happen to touch it. For individuals, this might be achieved through physical (social) distancing, isolation, and quarantining as well as proper frequent hand-washing. For communities, it may be a matter of closing down (or limiting access to) recreational facilities, such as restaurants, theaters, stadiums, etc., and permitting access only to essential facilities such as food providers, hospitals, medical offices, etc. subject to stringent rules for protecting customers and servers.
For computer systems, avoidance may be achieved through isolating systems by means of air gaps (e.g., not providing any accesses other than via dedicated networks or via direct connections) and/or by isolating systems and networks physically in secured facilities. However, this is seldom viable for all but the most critical and secure of systems and, even then, there are no guarantees, as illustrated by the success of Stuxnet in gaining access to isolated systems at Iran’s weapons-grade-nuclear-fuel processing plants.
Another option is to shut down systems when they are not needed or when they might be subject to known attacks. We did a fair amount of this over theY2K weekend and it was very effective. But that was two decades ago and the cyber world was very different then. Today the dependence on the Internet is ubiquitous and many organizations and individuals need 24-7 access to survive.
Furthermore, it has become common for individuals to be reachable at any time of the day or night via their mobile devices. In a February 24, 2020 pre-pandemic article, “Can Germans’ right to switch off survive the digital age?” Josie Le Blond describes how mandatory work and rest periods, introduced in the European Union in 2003, are breaking down as a result of the always-on aspect of mobile phones, laptops, etc. The Germans instituted an 11-hour uninterrupted break from work, whereby, if a break were interrupted, the clock would be restarted. The article is available at https://www.bbc.com/worklife/article/20200218-can-germans-right-to-switch-off-survive-the-digital-age  The COVID-19 pandemic will surely have cut more deeply into such uninterrupted down time with extended time off being even less workable than before for many industries.
Yes, it is not feasible to keep operations going without systems being available full time for practically all of today’s businesses. But there is a trade-off involved. Lack of availability because of a controlled shutdown is usually more tolerable than forced shutdowns from cyberattacks. And, as we did for Y2K, it is extremely valuable to have manual (yes, manual) backup systems in readiness even though that might mean greatly reduced throughput—but something is better than nothing.
Avoidance alone is not sufficient, however. Most essential activities must continue even under risky circumstances. In future columns we will discuss the roles of prevention and protection in mitigating cybersecurity risks and what responses to the pandemic might teach us.