Transcript of “Fighting viruses”

Speakers: Lucien Engelen (CEO for Transform), Sir Rob Wainwright (Partner at Deloitte)

On 16 April 2020, Deloitte held the second session in the series ‘A cyber perspective on a changing world’, hosted by Partner Stephen Bonner with guest speakers Lucien Engelen, CEO for Transform, and Sir Rob Wainwright of Deloitte.

The session focused on the similarities that we can draw between cyber viruses and the COVID-19 pandemic, and how we can learn from the responses to each to work more collaboratively and ultimately flatten the curve.

What are the similarities between fighting a health virus and fighting a cyber virus?

Rob:
“Well, the obvious first similarity is the terminology. We see a parallel in terms of the language used, such as ‘viruses’, ‘spread’ etc., in both the pandemic and cyber risks. As cyber as a concept developed over the 80s and 90s, this terminology was effectively borrowed from health care.

In both sectors, we have been faced with the same challenges: how to deal with viruses which can grow and spread around the world very quickly. In a world that is becoming increasingly more interconnected (physically and technologically), how do we control the spread? Consider how COVID-19 has been helped by this connectivity through transport in commuting and international travel and, similarly, how WannaCry benefitted from interconnected networks to spread to around 150 networks in just one weekend.

WannaCry is not the perfect analogy as there was a patch which could have prevented it that hadn’t been effectively implemented. The closest we have to COVID-19 is probably a Zero-Day Threat.”

Lucien:
“Yes, WannaCry is a strong analogy. The WannaCry incident mostly affected the health sector and there was a patch which could have been implemented. The problem with COVID-19 is that there isn’t a patch or vaccine. It will take us 12-18 months to get that up into society.

I agree, the language is also similar: ‘isolation’, ‘social distance’, ‘tracking’ etc. One of the main aspects now is how do we track and trace those people who have got the virus and how do we contain it? A parallel which can be applied to cyber viruses too.”
 

The internet was designed for connectivity and fast sharing of data. How has this impacted our response to cyber threats and has there been any impact on globalisation?

Rob:
“I was lucky enough to speak to some of the godfathers of the internet who made the point that security wasn’t on their minds when they worked on the early infrastructure. Their focus was to maximise utility and connect people as quickly and easily as possible. We have been playing catch up ever since. Security isn’t built into the internet structure and the lack of ‘Security by Design’ still causes major culture issues. We always want to be the first to market, rather than the most secure.”

Lucien:
“One of the things we are seeing right now in the COVID-19 pandemic is a sudden boost in the use of digital technology. We are seeing remote monitoring and other digital assets being used as there’s no other option. These technologies carry a range of associated risks. We have also observed how people use these technologies. We have been talking about the implementation for years and suddenly it’s here and it’s a new concept. Many people want to help, and whilst some are working within their regions and industries, the COVID-19 pandemic is global, and we have seen global collaboration.”
 

Technology is changing dramatically, and this situation is accelerating the use of mobile connectivity particularly through increased work from home. Will the 5G speed and capability enhancement increase cyber risk?

Rob:
“There are already concerns about inherent security issues associated with the 5G network. However, in the UK, the authorities have researched these risks extensively and have been providing advice as appropriate. Whilst cyber risks are already present, it’s likely that the implementation of 5G will accelerate the scale and pace of communication and data sharing, thus increasing the bandwidth of risk and opportunity from the bad guys. These criminals will see it as a great opportunity to capitalise on new vulnerabilities.”

Lucien:
“We had crooks in the Middle Ages and we will have them in the future. We are always anxious about threats associated with new technology. It was the same with TV, radio, etc. 5G does, however, bring great opportunities, for example specialist cross-geography surgery where one split second of lag could result in damage to the wrong blood vessel.

Advancement doesn’t stop at 5G. One of the other developments we are seeing right now is companies developing sub-orbital internet by satellite which allows full globe internet coverage. This will allow five billion people access to the internet but again, the risks will increase.”
 

You mentioned surgeons using 5G to perform surgery, what cyber security considerations would they need to make?

Lucien:
“I don’t think they would consider cyber security. They would assume the solution architects would have thought about it. The surgeon relies on the anaesthesiologist to help them perform surgery. In cyber, it’s as important that there are specialists supporting each other to deliver a full service. Everyone has a specialism and we should use that.”
 

We are seeing social distancing as a COVID-19 response. Does this have any similarities to how we deal with computer viruses?

Rob:
“Yes, absolutely. We need segmentation of the most vulnerable network areas. Pandemics come rarely (unlike computer challenges), and so the segmentation of computer networks has been established as good practice. This is the equivalent of isolating the most vulnerable. When considering society however, it’s not a viable action in the long term.”

Lucien:
“Yes I agree, it’s not possible in the long term. This will become a regional challenge and we have to break this down into manageable portions. For example, there is a large group of people infected with COVID-19 in the Northern Netherlands. As the South is not infected, we wouldn’t put the whole country on lockdown. Whilst pandemics are rarer than cyber crime, we knew they were possible, just not when or how serious they would be.”

Rob:
“In addition to this, in the Netherlands, because people are self-isolating, we have implemented ‘intelligent lockdown’. It allows businesses to stay open and people to exercise more than once a day. ‘Intelligent’ creates an interesting link as it leads us to think investment in further cyber intelligence capabilities will help us to precisely target which networks to segment in order to identify the more vulnerable and important parts of our networks. Ultimately, we need to get better at understanding what will happen and when, and plan for it.”
 

With the downturn in global markets, do you think we will see reduced investment in cyber and if so, what effect will this have?

Rob:
“This economic downturn will hopefully be short-lived but will, of course, have an impact on cyber security investment. More specifically, we are seeing companies who have to quickly become more agile with increased work from home infrastructures. The priority has been to put the infrastructure into place quickly; however, corners may have been cut concerning security. I’d like to think that cyber security becomes a fundamental pillar which no longer needs specific investment, even as budgets are squeezed. We’re not there yet, but I’d like to see it.”

Lucien:
“The health sector is in the same position. 96% of healthcare issues are caused by DNA, lifestyle, and behaviour. Healthcare needs to focus on prevention. We know that preventing health issues would be better than fixing them. The challenge may ultimately be how cyber risk and health care sectors can collaborate to learn from each other and ultimately, that these are the things that should be high on the agenda for the next learning stages.”
 

We never expected a single health pandemic to affect the world in this way, is there anything to suggest a cyber incident could have the same effect?

Rob:
“I think the effects of a pandemic have been expected and predicted. If we look at WannaCry and NotPetya, where localised infections in one part of Europe proceeded to paralyse the operations of many companies, these are great examples of how single incidents can have a devastating effect. We should take that as a learning lesson. We now operate in an interconnected digital system and a local incident can quickly become a global and widespread issue.”

Lucien:
“A pandemic and its effects have been expected for some time; the question has always just been when and how. We did prepare on some levels but this is a completely new situation. We know that right now, the pandemic is at the forefront of our minds, but once it is over, people will start shaking hands and touching their faces again and returning to normal. We need to make sure we are teaching people best practice in the long term in both human hygiene and cyber hygiene to encourage change for the better.”
 

The COVID-19 pandemic demonstrated a need for clear communication, but with the proliferation of fake news and sensationalism, what do you think we should be doing to inform the public correctly?

Rob:
“WannaCry also grabbed the attention of the media; however, it wasn’t too sensationalist. I think it was a fairly mature debate, but that’s not always the case. If there is suspected malicious state activity, this foreign enemy sells. I don’t know if cyber security is hot enough for the media to help most of the time. In the industry, we can use certain networks to help, but mainstream? It’s tough.”

Lucien:
“It’s a real problem during a health crisis. Media reporting no longer seems to be about the virus itself, but about politics. One thing we see is the use of fake news websites to target users and ultimately undertake a cyber attack. People are less conscious of other risks when sensationalist news is available.”
 

We are being taught a lot about basic hygiene to protect ourselves during COVID-19. Are there parallels in computer hygiene we should also be doing to protect our networks?

Rob:
“Computer hygiene isn’t a new principle. We have been telling users to not click links for years. Not everyone will follow the health advice around handwashing, and in the same way, not everyone will stop clicking links. We need to try and drive down the click rate and ensure a capability is in place to reduce the damage if someone does click on them.”

Lucien:
“This is the same in health care. If you look after your body, you don’t need to fix something. Look at prevention rather than cure (i.e. patching, security, and good practice) but be ready to respond if it goes wrong.”
 

It is clear that we will beat COVID-19 with time and collaboration. How can we influence culture to further collaborate to support both health and cyber risks?

Rob:
“We must ensure we’re focusing on being more connected and more global. We must increase the ability to share information and the power of data analytics to give better insight into problems and how we can intersect things like terrorism. The more we do that, the more successful we become. It’s also vital to get industries and government more connected, to help issues like culture and regulation. One roadblock is that there isn’t a global regulation for the internet, and we must battle that.”

Lucien:
“There isn’t a global infrastructure or a common goal for healthcare either. There’s no core guidance on how to treat patients, for example. This pandemic has forced countries to work together. We have a long way to go on the global response and with so many people wanting to help, we have seen bureaucracy diminish. What do we take away from the experience? Computer viruses show no boundaries, and nor does the pandemic.”