Lessons cyberdefense may be able to teach us about managing Ebola

David Gewirtz presents lessons taken from the world of cybersecurity and cyberwarfare that may be food for thought for those attempting to prevent the Ebola outbreak from spreading in the United States.

If cyberdefense tells us anything, it's that the best way to keep infections out is to prevent them from getting in.

We in the computer world are all too familiar with what we've long called "viruses," the malware that infects our machines and networks. Thirty years ago, Fred Cohen, then a student at USC, noticed how self-replicating computer programs resembled the behavior of biological viruses, and the name "virus" was forever linked with computer malware.

Ebola, on the other hand, is the real deal. Ebola virus disease, as it's officially designated, spreads from animals to humans and then from humans to humans. It's brutal. The World Health Organization says the average fatality rate is 1 out of every 2 who have been exposed to the virus. Some outbreaks have killed as many as 90 percent of those infected.

According to the WHO, "The current outbreak in west Africa, (first cases notified in March 2014), is the largest and most complex Ebola outbreak since the Ebola virus was first discovered in 1976. There have been more cases and deaths in this outbreak than all others combined."

And now it's reached the United States.

Depending on who you listen to (and, of course, it splits on party lines), Ebola will be easily controlled in the US or Ebola will get totally out of control, and we're all doomed.

The first assessment is probably the right one. The US has managed infectious diseases before, and even though government being government, screw-ups happen, there's a big difference between the health infrastructure in Dallas and that in Guinea, Sierra Leone and Liberia, the countries currently most affected by the outbreak.

This is where the cyberdefense lessons may prove useful. In cybersecurity, we are constantly faced with millions of attacks, coming in from millions of different vectors, and if even one gets through, it could cause millions of dollars in damage.

We work off a zero-tolerance policy for malware: it's bad. It must not be allowed to get in. Period.

Unfortunately, when it comes to computer viruses, we're actually dealing with engineered pathogens. There are very smart humans out there constantly trying to overcome our defenses and find new ways inside our networks.

And they do. According to the 2012 Verizon Data Breach Investigations Report, once a virus gets inside a network, it stays there for a very, very long time — most often, months — before being discovered.

Obviously, computer viruses aren't designed to cause external bleeding and oozing, as Ebola does, but even so, computer viruses cause damage, steal information, and steal money.

Because a computer virus that makes it into a network can live there for so long, spying and otherwise doing damage, the key is to prevent the virus from ever getting inside. It is here that we can draw some parallels to the Ebola outbreak and America's borders.

Looking at defending against computer viruses, we have to be aware that infections can come from many different sources. They can arrive via a click on a corrupted web site, when a trusted insider opens a spear-phishing email, via USB-to-USB transmission, and via the new vulnerabilities that we're constantly discovering.

The challenge is that we need to be able to keep the network running while keeping out the digital infections. That means we need to allow your grandmother to send you a nice note, unless it turns out your grandmother's computer has been infected or some bad guy in Belarus is pretending to be dear ol' Granny.

One way we can tell where a transmitted message originated from is the metadata attached to each message. Unfortunately, that metadata can be incorrect, especially if a criminal has spoofed the metadata specifically to get it past firewalls and other safeguards.

This is a problem we're having now with preventing those infected with Ebola from entering the country. There are no direct flights between the United States and Guinea, Sierra Leone or Liberia. Most passengers coming to the US from one of these nations need to fly through an intermediate nation. It's up to the passport to provide the passenger's travel history (his or her metadata), which is then reviewed on arrival in America.

Of course, those passports can be altered or can contain misleading information. Even more to the point, nothing rules out a passenger from Liberia flying to Brussels, somehow sharing bodily fluids with someone there, and that second passenger (who was never in Liberia and is now infected with Ebola) then flying into JFK.

There would be no metadata (no passport record) showing that a potential carrier was even in a known place of risk — because he wasn't.

Some argue that this scenario couldn't happen because the passenger would have been screened in Liberia and never allowed to leave. Of course, as we know from the disturbing Thomas Duncan story, such source-side screenings are never a guarantee, especially when we're relying on nations already devastated by internal strife and then again by Ebola.

In cybersecurity, the one thing we know is that we don't know. We can never just trust the source metadata. Every packet must be inspected.
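The two passages above (spoofed message metadata, and "never just trust the source metadata") have a concrete analogue in mail handling, where every relay stamps a Received: header onto a message and the sender can pre-fill as many of those headers as it likes. The following is an added example, not code from the article: it walks the header chain from the top and trusts a hop only while the stamping relay is one we operate, so the only origin we believe is the one our own edge relay observed. All host names, addresses and header lines are constructed for the illustration.

```python
"""Added example: why source metadata must be inspected, not trusted.

Received: headers are prepended as a message travels, so the topmost one
was written by the last relay (ours). Anything below the hops stamped by
our own relays was written by whoever sent the message and may be false.
Every host name, IP address and header line here is constructed."""
import re

# Relays we operate (constructed names). Hops stamped 'by' these are trusted.
OUR_RELAYS = {"mx1.example-corp.test"}

# Constructed message: a pre-filled Received: line claims the note came from
# a trusted partner, but the only hop we can vouch for shows it arriving from
# an unknown host at 203.0.113.77.
SAMPLE_HEADERS = """\
Received: from unknown-host (203.0.113.77) by mx1.example-corp.test with ESMTP; Thu, 16 Oct 2014 10:01:02 +0000
Received: from mail.partner.test (192.0.2.5) by relay.partner.test with ESMTP; Thu, 16 Oct 2014 09:58:00 +0000
From: granny@partner.test
Subject: A nice note
"""

# Constructed message that really did arrive straight from the partner relay.
CLEAN_HEADERS = """\
Received: from mail.partner.test (192.0.2.5) by mx1.example-corp.test with ESMTP; Thu, 16 Oct 2014 10:05:00 +0000
From: granny@partner.test
Subject: A nice note
"""

HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\((\S+?)\)\s+by\s+(\S+)", re.M)


def parse_hops(headers):
    """Return Received: hops top-down as (from_host, from_ip, by_host) tuples.

    Top-down is newest first: the first tuple is the hop our relay added."""
    return [m.groups() for m in HOP_RE.finditer(headers)]


def trusted_origin(headers, our_relays=OUR_RELAYS):
    """Walk the chain from the top while the 'by' host is one of our relays.

    Returns (observed_ip, untrusted_hops): observed_ip is the address that
    handed the message to our outermost trusted relay, i.e. the last metadata
    we recorded ourselves; untrusted_hops is everything below it, which the
    sender controlled and which we therefore treat only as a claim."""
    hops = parse_hops(headers)
    observed = None
    for i, (_from_host, from_ip, by_host) in enumerate(hops):
        if by_host not in our_relays:
            return observed, hops[i:]
        observed = from_ip
    return observed, []


def origin_verdict(headers, our_relays=OUR_RELAYS):
    """Compare the sender's claimed origin with what our relays observed."""
    observed, untrusted = trusted_origin(headers, our_relays)
    if observed is None:
        return "no-trusted-hop"          # nothing in the chain is ours
    claimed = untrusted[0][1] if untrusted else observed
    if claimed == observed:
        return "origin-corroborated"     # claim agrees with our own record
    return "origin-unverified"           # claim rests on sender-written data


if __name__ == "__main__":
    for label, hdrs in (("spoofed", SAMPLE_HEADERS), ("clean", CLEAN_HEADERS)):
        observed, untrusted = trusted_origin(hdrs)
        print(f"{label}: observed={observed} untrusted_hops={len(untrusted)} "
              f"verdict={origin_verdict(hdrs)}")
```

The point of the walk is that trust stops at the first hop we did not stamp ourselves; the partner-looking line in the spoofed message is below that boundary, so it counts as a claim to be checked against the observed address rather than as evidence. Real deployments layer SPF, DKIM and DMARC on top of this kind of check; the example deliberately shows only the header-chain reasoning.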

Here, we can make some clear analogies between cyberdefense and Ebola defense. In the digital world, the moving objects are packets. In the physical world, they're people. The objects (packets or people) travel from all over the world, with a history that's murky at best and quite possibly misrepresented.

Finally, we can also draw a parallel between the borders of the United States and the perimeters of our protected organizations. And yes, both are dangerously porous.

In the Ebola crisis, there has been some discussion about whether there should be a travel ban put into place. But, as discussed above, since we don't have direct flights to the Ebola-stricken countries, we effectively already have a travel ban with them. But what about banning travel beyond that?

Here's another parallel. There is no doubt that the Chinese government conducts cyberespionage operations against Americans. In theory, an easy way to shut that down would be to pull the Internet plug between China and the US. But, of course, that would be both stupid and useless.

First, of course, China is a major trading partner. We must keep those lines open. Second, the nature of the Internet is that if one barrier is put up, it will be bypassed quite quickly. So, even if we were to try to do something as foolish as "close the Internet" between America and China, it really wouldn't have the theoretical benefits that might have been originally postulated.

The same is true with flights and Ebola. We can't close our borders to Europe and Africa. The reason is simple: People will find a way to route around the barriers. People always do.

That's why, for example, to prevent malware in your organization, you can't simply yank out the Internet connection. First, these days there's no way to do that, with everyone carrying phones with a good 4G connection. But, financially and practically, who can conduct business without the Internet?

Instead, we build rings of protection. Packets traveling through service providers are often inspected for the most obvious of malware packets. Firewalls block entrance into our corporate networks. Intrusion detection systems monitor traffic inside our network, for those packets that made it past the firewalls. And endpoint protection (antivirus software) on individual machines keeps an eye out for infections as they reach individual computers.

Even with all these rings of protection, breaches and infections make it through our networks every single day. You can't go a week without reading about some new, overwhelming breach or password theft, and almost all of those originate with getting a virus infection inside a network.

The front lines of digital defense are firewalls. But even firewalls have needed to evolve. As recently as a few years ago, firewalls would just filter by port and inspect traffic that was visible in the clear. But now, firewalls need to look inside encrypted packets, determine the context of the communication links, and even run dynamic simulations in quarantine-like sandboxes before allowing packets to pass through.

There are a number of possible lessons here for those attempting to prevent the Ebola outbreak from spreading in the United States.

First, our borders are our best defense. The Washington Post reports that President Obama promised increased passenger screenings, but the details remain sketchy.

If the government is to take any lesson from cyberdefense, it's that the screenings for incoming passengers must be as rigorous as possible. While that's sure to inconvenience passengers and cost more money, it will be far, far easier to prevent infection spread if we can catch carriers before they become loose within our borders.

By the way, this is also not the sort of thing you can either cheap out on or use the lowest bidder on. The TSA certainly hasn't redeemed itself over the years and our terrorism-defense screenings are silly to the point of ludicrousness.

The cyberdefense lesson here is that a firewall isn't a joke and it's not a political statement. It is your single most valuable first line of defense. Carried from the digital realm to the biological, this means that port screening and border security must be taken far, far more seriously than they have been before, with far more professionalism than we've seen.

If this fails, cybersecurity provides us a scenario as well. To prevent malware from spreading inside the network, we have intrusion detection systems which monitor the flow of network traffic and endpoint protection systems, which watch each computer.

Can you imagine the equivalent in the real world? It's not pretty. You're looking at border security at each state crossing. You're looking at inspections coming into and out of public facilities (hospitals, maybe even schools and malls). You're looking at the potential for armed vigilantes at the borders of towns.

You're looking at the worst of the exodus from Katrina.

Now, like I said, there's no need for hysteria, because the US is unlikely to experience Ebola the way Africa has. We have far better infrastructure.

But if cyberdefense tells us anything, it's that the best way to keep infections out is to prevent them from getting in. Translated into the real world, that means that it is time (and so, so overdue) for America to take border security seriously and professionally, to do what needs to be done, and leave the politics at the door.

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.
