In 1983 computer science Ph.D. student Fred Cohen developed a novel software program that would surreptitiously install itself on host computers and quietly surrender all rights, privileges, and data to Cohen. Upon seeing the extraordinary success of the software after it was tested on university computers, Professor Len Adelman commented to Cohen that the behavior of the software reminded him of research he was conducting into HIV infections — and thus was born the term “computer virus.”
The history of Cohen and Adelman’s neologism is more than an interesting anecdote — it illustrates that computer experts recognized from the start the value of using medical models as a way to understand what is now known as cybersecurity. Examples of that abound: Cybersecurity experts have adopted nearly wholesale the tools used in epidemiology for use when fighting cyberattacks, and genetic researchers have helped cyber professionals use statistical models designed to study mutations to speed up analyses of cyberattacks.
That brings us to the big disease story of 2020, the Coronavirus or “COVID-19” outbreak. Cyber experts across the globe should take note that COVID-19 is causing the same severe disruptions and tangible financial harm to manufacturing and transportation sectors predicted to accompany a large scale cyberattack.
When (and hopefully not if) tactics are devised to minimize the impact of such COVID-19-induced disruptions and financial losses, Washington’s cyber planners would do well to try to adopt them into the emerging cyber mitigation strategies.
A quick review of the disruptions caused COVID-19 amply demonstrates how it is causing the same problems anticipated to result from a hard hitting cyberattack. For instance COVID-19 has forced a string of firms ranging from airplane manufacturer Airbus to car makers like Tesla and G.M. to shutter their production facilities. Those closures are directly resulting in the kind of harm hackers are aiming for, namely hits to the bottom line of American companies. Apple recently announced that it will likely miss its quarterly revenue guidance due in part to the COVID-19-related manufacturing plant closings.
Biological and computer viruses can cause financial blows by disrupting the movement of goods and people. Just look at the problems caused by the restrictions on travel to China. Companies are barring their employees from traveling to Asia for work, resulting in a shortage of workers essential to trade with Beijing. One particularly startling example here is the FDA’s decision to pull its inspectors out of China. Without those inspectors, Chinese-made “critical medical products” cannot get the approvals needed before they can be shipped to the U.S., a situation the FDA warns could lead to shortages of vital medical devices.
The mirrored harms by the two types of viruses is more than just speculation. Consider that the 2017 “NotPetya” ransomware virus caused global economic disruptions of types eerily similar to what COVID-19 has wrought: temporary shortages of needed vaccines and halts to global movement of cargo both happened due to NotPetya. Even Nabisco parent Mondelez suffered its own internal NotPetya-induced delivery disruptions, leading to brief but terrifying worries that the global Oreo supply would dramatically tighten.
While the NotPetya wildfire was contained before it spread too widely, cyber experts have sounded the alarm that even more destructive viruses are waiting in the wings. Attacks are now popping up that use ransomware designed specifically to freeze industrial control systems, while the Department of Homeland Security for instance has recently warned about the growing threat of viruses designed specifically to destroy the data on infected computers.
The costs of such attacks have been projected by Lloyds of London to be upwards of $200 billion. As staggering as that that figure is, more worrisome is the observation by Lloyds’ that perhaps just 10 percent of those losses would be covered by insurance, leaving the remainder to be absorbed by the injured businesses.
Thanks to their costly experience with the 2003 SARS epidemic, insurance carriers have largely stopped issuing insurance policies that cover epidemics, virtually guaranteeing that COVID-19-related losses will be similarly underinsured. When combined with current projections that COVID-19 will generate losses similar to those projected in the Lloyd’s scenario, it’s a fair assumption that governments will be forced to help companies manage those losses, lest they lead to a global slowdown.
Cyber thinkers in Washington then would do well then to carefully study any successful measures used to mitigate the financial impact caused by COVID-19. Doing so will help prevent unnecessary scrambling and jury-rigged solutions when the inevitable cyber pandemic arrives.
When it comes to studying who, what, where, and when of viruses, there is a striking amount of overlap between the real and cyber worlds. And especially in the relatively uncharted world of massive cyberattacks, we would do well to learn as much as we can from the medical textbook so that the financial recovery chapter of the cyber playbook is as close to finished as possible.
Brian Finch is a cybersecurity attorney with Pillsbury law firm based in Washington D.C.