Cybersecurity Lessons from the Pandemic: Hubris

On Saturday Night Live’s “Weekend Update,”, Kate McKinnon plays Dr. Wayne Wenowdis, the all-knowing physician. In response to COVID-19 and vaccine questions, she says “we know dis,” except when “we don’t know dis.” One of the hilarious Dr. Wenowdis sketches can be viewed at (355) Weekend Update: Dr. Wenowdis on Trump’s Televised Health Exam – SNL – YouTube

Many of the problems encountered with the pandemic emanate from politicians and their followers contradicting scientists and claiming that they know more. Unfortunately, some scientists prematurely publish incomplete results before they have reached sufficient levels of certainty about their assertions in an attempt to get ahead of others who may be taking a more conservative approach.

By the way, if you are interested in reading more about the incongruities of science and scientists, I strongly recommend an excellent article by Peter J. Denning and Jeffrey Johnson on “The Profession of IT—Science Is Not Another Opinion: The issue is not who has the “truth,” but whose claims deserve more credence” in the March 2021 issue of Communications of the ACM. One very salient point comes out in the statement that “[d]ifferent communities can and do evolve different statements of scientific facts based on the same evidence”—and that is the authors’ opinion!

So, what does this have to do with cybersecurity? The answer: everything. Time after time we read that threats are increasing, that such-and-such an exploit is on the rise, that numbers of data breaches are accelerating, etc., etc. Sometimes the statements are unsupported. At other times we are referred to surveys or research reports to back up the numbers. But often, when we link to a referenced report, we find that it is based on a sample of self-selected (or vendor-selected) respondents. Generally, if the statistics are questioned, the answer is “we just know this.” Except that we don’t.

Major cybersecurity decisions—budgets, staffing, expertise—are based on these statistics, which are seldom questioned. Well, it is better to try to base decisions on something—so we work with what we have. And then the SolarWinds cyberattack happens. From the wide and detailed reporting, it appears to be the biggest and most effective cyberattack of all time. Until, along comes a hack on Microsoft Exchange Server purportedly by Chinese actors. Does that mean we should up cybersecurity budgets? And if so, will it happen?

It really depends on whether or not you think that increased expenditures will reduce the risk. But, if you look at the reports of the U.S. government having spent billions of dollars on their Einstein system, which was supposed to catch such breaches of government systems, you really have to question the return on that and other investments.

With COVID-19, it would appear that the billions spent on developing vaccines may well have paid off handsomely with respect to the novel coronavirus and future viruses, but not before a huge amount of avoidable damage has already been done in terms of loss of human life, pain and suffering, economic impact, psychological effects, and the like. That suggests that public health recommendations, such as masks, distancing, and hand washing, might have kept the tragic numbers down until the vaccines had been more fully deployed.

The parallel with cybersecurity is that deterrence, avoidance and prevention should be implemented even if one believes that technological wizardry will eventually result in resolution, which it is unlikely to do.

As a footnote, The New York Times cybersecurity reporter, Nicole Perlroth, published an article, “How the U.S. Lost to Hackers: America’s biggest vulnerability in cyberwarfare is hubris,” on page BU1 of the February 7, 2021 edition. The article recounts the sad failure of the National Security Agency (NSA) to protect vital information from cyberattacks, such as the recent SolarWinds hack that opened up backdoors into the country’s most secret information. Perlroth states that “climbing out of our current mess will entail a grueling choice to stop leaving ourselves vulnerable.”

Her suggestions are as follows:

“For individuals, this means making life less convenient. It’s not ignoring password prompts and software updates, turning on two-factor authentication, not clicking malicious links. For businesses, it requires testing code as engineers write it, not after it has made its way into consumer hands. It requires adding moats around the crown jewels: using hand-marked paper ballots, removing the controls that govern our nuclear plants, medical equipment and air traffic from anything else … For the government, perhaps, an easy place to start is setting clear rules that prevent the N.S.A.’s own …. from doing the dirty work for other governments … And it’s long past the time to shut all the doors and windows that should never have been left open.”

These are long-sought-after goals, which should indeed be pursued. However, I think that, since we are all so gullible when it comes to responding to computer exploits, the system implementors should automatically take care of security “under the covers,” Yes, it is good to not ignore software updates, except that the malware in Orion, the SolarWinds product, was distributed via software updates. Also, suggestions to air-gap critical systems involve huge changes to current system architectures entailing hundreds (not tens) of billions of dollars. All worthwhile, but requiring commitments well beyond what government is currently looking at.

Will such remediation happen? Likely not. As with COVID-19, there is too much resistance to locking down either our economies or our computer systems and networks. And, as with the pandemic, the suffering will be much greater for not having taken the Draconian measures that are urgently needed.

Instead, we hope for miraculous technological fixes for pandemics, climate change, and cyberspace. We could be lucky, as we have been with vaccines, the technology of which was already well advanced when the pandemic struck. But there are no guarantees.

Post a Comment

Your email is never published nor shared. Required fields are marked *