Combatting COVID and cyber threats: similarities and lessons

Monday, 8 February 2021

Abstract image of a digital cube with a lock symbol

Though this is one of a series of many viruses that has affected humanity over the last two decades (such as SARS, HINI and MERS), Covid-19 has turned out to be a more significant pandemic than others, affecting lives and livelihoods of people all over the world. Though several vaccinations have been approved in various countries including in Australia, at this stage, there is not a clear end in sight to the impact of Covid-19 and to the return of normalcy.

Two things that Covid-19 has clearly reaffirmed are human dependency on the environment and our vulnerability. Various measures announced by different governments worldwide for combatting Covid include restricting people’s behaviour such as enforcing social distancing, quarantining measures segregating people, tracing infected contacts, border controls and wearing masks. As a cyber security person, when I think about many of these measures it became apparent to me that there is a great deal of similarity between the Covid-19 measures and the mechanisms that we use in secure systems to counteract computer viruses. In this article, I try to draw some parallels between the steps taken to control the virus’s propagation in the biological world and the ones we employ in the technological world. It is not that there is an ideal solution in either of these cases but even a simple comparison can help draw some lessons that might be of use in the future.

In fact, at the outset, it is probably fair to say that the cyber security community had borrowed several principles from the biological world of immunology in the past. Even the basic terminology of computer “virus” comes from immunology. Personally, I know that one of the first works connecting the immunology world to the security world was that of Stephanie Forrest et al in the mid-1990s1 on the relevance of self/non-self discrimination to computer security.

In the cyber world, we tend to think of four major dimensions: prevention, detection, containment and recovery. I believe all these four dimensions are also applicable in the biological world.

A fundamental objective in the cyber world is to protect a system or network of systems from perceived threats, both external and internal. A system is taken to be a collection of entities, whether it is a set of machines (physical or virtual), or applications, or processes, or users etc. A basic approach that we use to achieve this is via security or access policies, which define who should have what privileges over what entities, to do what, when, and from where. In the case of a network system, these policies are implemented and enforced using security mechanisms. This is an instance of the prevention strategy. Firewall technology is an example of such a mechanism, which has rules to prevent (certain specific) actions from external malicious or suspicious entities affecting internal entities in the system. With Covid-19, we saw a clear parallel to such a firewall approach with the border controls over the last year. One of the first measures that several countries worldwide resorted to early in the Covid-19 pandemic days was to close their external borders, tightly controlling who can enter their own countries. Some countries then went on to develop a bit more sophisticated rules, which allowed certain people with certain privileges to enter (e.g. returning citizens), while others were not permitted to. In terms of complexity, the rules used in the Covid-19 world are straightforward compared to the rules used in the cyber world which can be fine-grained and complex. In certain countries such as Australia, further internal border controls between states and even between regions within a city were introduced controlling who can cross these borders and when.

These rules were essentially aiming at containment of infection. In the cyber world, we often have quite a sophisticated set of policies and mechanisms enforcing containment in networked systems (and systems of systems). Furthermore, there are also some similarities in terms of the special permissions given to certain people to travel and cross borders, which correspond to different privileges and tokens given to specific applications and users in the cyber world.

Another critical security issue in the cyber world is to determine whether an entity is in a secure state, that is, whether a system or software has been infected by a computer virus or malicious software (malware). This is where we use anti-virus and various other malware detection security tools to detect whether a computer or a mobile device or an application or a file is infected. This security testing process first checks if a system is infected and if so, attempts to clean the system either by quarantining the virus or removing it altogether. We can easily see a direct parallel between this and the one in the Covid-19 world, where citizens are recommended to get themselves tested for Covid-19 as part of the detection strategy. If someone is found to be tested positive, the recommendation is to self-quarantine, thereby reducing the probability of further infection by that person. Also, there have also been mandatory supervised quarantining (e.g. for returning travellers), which is similar to what is being enforced by security tools in computer systems (such as sandbox). Effective quarantining has been difficult to achieve with Covid-19, especially with returning international travellers, people working in quarantine environments such as hotel and other facilities workers. There are several similarities in the challenges involved here in both the cyber and the biological worlds. First, we need to ensure that the sandbox environment is tightly protected in that there is no leakage or propagation of malware from the sandbox. There is a similar requirement in the biological world. However, in the cyber security world, the infected entity is malicious in that it takes deliberate steps to evade the security measures that have been deployed. Second, there must be a well-defined interface through which applications and processes outside the sandbox interact with the entities inside the sandbox. This is exactly the case in the biological world requiring a well-defined protected interface between the workers who come into contact with the people inside the hotel quarantine environment. Furthermore, the workers should be tested to ensure that they are not infected and do not contaminate other people outside the quarantine environment. In fact, it is the weaknesses in this interface which led to major difficulties in the second Covid-19 wave at Melbourne during July/August 2020 in Australia.

In the cyber world, detecting malicious software is not an easy task, as it can dynamically change as well as due to its large scale (associated with many different applications, services, files in networked systems). This is where security technologies that trace the behaviour and movement of malware come into play. Over the last year, in the biological world, contact tracing has been another major mechanism that has been used to detect and contain Covid-19. Different countries have been developing different technological applications such as the CovidSafe app in Australia, which is used to identify people coming into contact with each other and then subsequently alerting a person if one of his/her contacts is found to be infected and asking the person to self-quarantine for a certain period. There has been a lot of discussions on the effectiveness of such contact tracing apps. Many of the technical issues related to these apps fall squarely within the domain of the cyber security community. Several aspects include the effectiveness of the tracing mechanisms, the secure storage of contact data, access and privacy policies associated with the contact data, and the length of its storage2.

One of the lessons that we have learnt in the cyber world over the last 20 years is that perimeter security achieved using external border control (such as firewall technology) is not adequate. A significant problem with this approach arises due to the dynamic changes in the threats (e.g. viruses and malware) and hence the need to dynamically update the security technologies (e.g. policies and rules) that are enforcing the controls. There is also the complexity associated with the dynamic interactions between these rules, which can be sophisticated and difficult to manage as the threats change. We are now beginning to witness this with the Covid-19, as the virus begins to mutate into several variants. This is a natural process in the biological world. In the cyber world, this is often a deliberate process driven by malicious attackers. When this happens, existing solutions may not be adequate. In the biological world, this situation corresponds to the effectiveness of vaccines against the Covid-19 variants. In the cyber world, security tools such as anti-virus and other anti-malware software may not detect the mutated virus (such as a polymorphic and metamorphic virus). As mentioned above, the cyber situation is much worse as the malicious attackers create entirely new malware deliberately, whereas in the biological world, the mutation tends to be more of a natural evolution rather than a deliberate construction.

An interesting issue in the biological world is that after the immune system learns about the infecting virus, it is able to generate its own anti-bodies to counteract them. In fact, this is one of the major aims of any vaccine. In the cyber world, this corresponds to the ability to generate automatically counter measures against the malware. This is one of the areas where cyber security overlaps with machine learning (artificial intelligence, AI). At this stage, I would say such combined cyber security and AI techniques are being developed more in the context of defence; however, we are beginning to see already the attackers using such AI techniques to create more intelligent malware which can bypass the newly created defence mechanisms. Hence once again we witness the race between the defenders and the attackers in the cyber world. In fact, this is also the case in the biological world, where there is a constant race amongst the species, with the fittest and the powerful surviving, as part of natural evolution.

Hence we can clearly see some similarities in the basic principles underlying the measures adopted to counter viruses in biological and the cyber worlds: from the basic approach of having boundary or border controls for preventing the virus from entering the network system or a country, to carrying out continuous testing to detect whether an entity or a person within the system or country is infected, to using tracing techniques to identify the propagation of the infection and malware, to having quarantining for containment and reduction of propagation of infection and malware, to equipping an entity or a person with tools to fight the virus and the infection (such as anti-virus tools and vaccines), to developing countermeasures against virus mutation and potentially new virus and malware. However, in the cyber world, these mutations are often deliberate whereas in the natural biological world, these mutations tend to follow natural evolution.

Let me conclude by briefly mentioning couple of lessons that we have learnt in the cyber world which could be of use to the biological world3.

  • A fundamental tenet in cyber security is that there is no such thing as absolute security. It is always relative to the identified threats. Threats are dynamic and change over time due to changes in technologies, changes in the environment as well as changes in the ability of the attackers and the way the technologies are used. Hence the lesson from the cyber world is we need to be continuously vigilant. Similarly, in the biological world, I believe there is no foolproof way of protecting against viruses at all times, and we will always be prone to one form of virus infection or another. There is always the potential for new viruses and existing viruses can also mutate defeating existing treatment and vaccinations. However not all viruses turn out to be a pandemic, just like not all attacks will turn out to be cyber pearl harbour. In the cyber world, we have learnt having perimeter controls and restricting user activities, security tools for tracing as well as anti-virus and anti-malware are all necessary and will help to reduce the security threats but are not sufficient and will not achieve absolute security as mentioned above. Similarly border controls, lock downs, and contact tracing as well as vaccinations are all necessary tools in combating pandemic such as Covid-19. However, changes in threats and environment have always the potential for introducing new and mutated viruses. Just like anti-virus software needs to be regularly updated, immunities may not last and need to be updated. What is required is the need to assess the risks from the threats continuously and take appropriate and proportionate measures. “It is a continuous process and not an event”. This is something that we are very much used to in the cyber world.
  • This brings us naturally to my next point. Over the last couple of decades, the cyber world has developed security incident response centres in both private and government organizations, which continuously monitor potential malware and security attacks occurring in different parts of the world. Though there are some such centres (such as Centres for Disease Control (CDCs)), it would be beneficial for each country to establish such response centres for continuous monitoring of infections as well as having appropriate coordination facilities (such as via World Health Organization (WHO)), thereby enabling trusted sharing of information which is critical for being responsive and taking timely proactive actions. In this context, it is fair to say, that the cyber world has faced and continues to face significant challenges in achieving effective and trusted sharing of threat information. There are several reasons underlying this including national security, which are beyond the scope of this article.
  • Another lesson is the need to establish clear strategic priorities both at the national and international level to promote and ensure adequate investment is made in these areas. In the case of the cyber world, we have had this issue at least for the last 25 years4 and only in the recent years, there has been some recognition for establishing cyber security strategy and priorities at the highest levels in the government and private organizations. Even now, I feel there is a significant gap between this recognition and actual actions on the ground so to speak. However, the lesson that I believe to be important is that such priority settings can have beneficial side effects and lead to the amplification of investments and their impact. For instance, we are all aware of investments in defence leading to innovations and technologies in the civilian sector and having major impact in the commercial world (e.g. aviation and transport). Similarly, investments in infectious diseases can lead to new discoveries that can help to achieve major breakthroughs in other medical areas such as cancer and diabetes.

    • 1 Stephanie Forrest et al., Self-nonself discrimination in a computer, Proc 1994 IEEE Symposium on Research in Security and Privacy, pp 202-212

    2 I had written a separate article on issues related to the Australian CovidSafe app released in mid-2020, available at https://www.newcastle.edu.au/research/centre/advanced-cyber-security

    3 My research interest is in fact the other way around; that is, what we can learn from the biological world which are relevant to the cyber world, as the biological world and nature is not only highly rich in their complexity and heterogeneity but also have survived over millions of years.

    4 I have been advocating the strategic importance of security for over 30 years since late 1980s in the UK, US and Europe and over the last 20 years in Australia at various government and private organizations.

Professor Vijay Varadharajan
Global Innovation Chair Professor in Cyber Security
The University of Newcastle, Australia

1 Feb 2021

Related news