Published by The Lawfare Institute
The novel coronavirus poses a grave threat to national economies, human society and our globalized international order that will not go away soon. It’s obviously essential to focus on managing the outbreak and restarting the global economy.
But at the same time, we ought to start thinking about some broader strategic lessons to draw from the pandemic. One of the most striking is how vulnerable our tightly intertwined and interdependent international system is. The world has quickly and extensively become addicted to huge benefits and conveniences associated with a global, generally open system. The system allows for the relatively free flow of goods and services, specialization, and decentralization. But this reliance carries important downsides; the coronavirus spread across the globe, and its impact unraveled important supply chains.
This carries an important lesson for the cyber domain. Our goal here is to draw an analogy between pandemics and cyberattacks to highlight some insights from the current crisis about cyber risks as well as potential remedies for these vulnerabilities.
Biological viruses and computer malware differ in important respects—for example, the immediate human toll of biological viruses is obviously more amplified—yet they have much in common. Both have stealthy qualities that make them difficult to detect and measure. Both are constantly evolving, finding new ways to penetrate a target’s vital systems, corrupt their functioning, and then move on to similarly affect others. They have considerable potential to spread widely, invading, disrupting and destroying their targets. And in both cases the target's welfare and even outright survival depends on a combination of controls (the skin, and mask wearing and social distancing, in the biological case; perimeter defense mechanisms, such as firewalls and passwords, in the other), defensive mechanisms (such as antibodies, vaccines and antivirus software), and resilience that enables one to survive an attack and then recover from it.
The dangers of the interconnectedness exposed by the virus are even more prevalent in the digital world. Global human travel allowed for a contagious virus to spread rapidly from Wuhan to New York and everywhere in between. In a similar fashion, digital interconnectedness leaves us vulnerable to massive cyber collapse. And the digital world, where massive amounts of information flow globally at near-instantaneous speed, is far more interconnected than its physical analogue and has far fewer buffers to protect us once it is incapacitated.
This interdependence impacts not just people’s digital lives but also global production, manufacturing and distribution flows. Global supply chains of almost everything, from food to automotive parts to protective masks, make us heavily dependent on developments in other parts of the world. At the same time, many countries—including the U.S. and China—depend on a handful of common platforms to serve almost all critical functions. Boeing 737s and Airbus 320s dominate aviation. Windows dominates the computer operating system world. Most cellular phones run on either Android or iOS. Amazon Web Services, Azure and Google Cloud have the lion’s share of the cloud computing market. General Electric, Mitsubishi Hitachi Power Systems and Siemens dominate the gas turbine market. A world so interconnected, yet reliant on a relatively small number of major platforms, is particularly susceptible to malicious cyberattacks.
The coronavirus has wreaked havoc on an interconnected cluster of people and systems, and effective malware could mirror that damage in the connective tissues of the digital world on an unprecedented scale. So, what can we learn about the pandemic that we can apply to secure our cyberspace?
The first and most critical lesson is that the current international system makes people, material, and digital objects and processes highly susceptible to cascading catastrophes. Disruptions that start as small localized events among human populations and computer networks spread quickly far and wide. WannaCry malware, for example, “spread like wildfire” and encrypted hundreds of thousands of computers in more than 150 countries in a matter of hours.
It is also instructive to observe how the psychological effects of these attacks often dwarf the direct physical damage they inflict. Both simultaneously surprise, unnerve and threaten not only their immediate targets but also their environment. They shake the population’s confidence in their situational awareness, not only about their own physical or digital health condition (“Did I contract the virus?”/“Does my computer have malware?”) but also about the severity of the impact, and most acutely about how to distinguish who or what exactly poses a threat. In both cases, victims can themselves unknowingly become a source of further infection, sowing broad distrust in anyone and anything that’s nearby. In pandemics, a large proportion of transmissions occur through physical contact with one’s intimate family and friends and the surfaces they touch. Similarly, in the digital environment, people often inadvertently forward malware to family and friends, and in the corporate environment the insider threat looms even larger.
These psychological effects are exacerbated by the rapid dissemination of deeply worrisome information, which platforms struggle to contain and bad actors easily amplify by microtargeting especially susceptible audiences. Take, for example, the wide circulation of the images of panic buying of toilet paper and dry foods triggered by the coronavirus pandemic. Similar anguish and mayhem have been apparent in response to news about a two-day denial-of-service attack on Lloyds Banking Group in January 2017 and a similar attack on banking systems in 2015. Bigger and more enduring cyber events such as those targeting or otherwise affecting the food supply or critical infrastructure could undoubtedly prove even more unsettling. And they are bound to prove more difficult to localize as we become more interconnected, interdependent and reliant on digital systems in practically every sphere of life.
A second lesson is the human and political instinct to respond to the onset of a systemic crisis by operating unilaterally, often at the expense of others. Information and resource sharing are both indispensable for generating effective responses to an impending or unfolding disaster, especially one that does not respect national borders—a feature that cyberattacks and pandemics have in common. Yet at the outset of the coronavirus outbreak, states responded to the burgeoning pandemic by holding on to information: details about the onset, trigger, and causes and manifestations of the crisis; data and counsel on the techniques that have proved most conducive to defusing it; and materials to mitigate its effects. Such policies have deprived others of precious time, knowledge and resources that could make a big difference. China delayed reporting the outbreak and then shared information with the World Health Organization and others only sparingly. It also held on to essential medical equipment (from masks to ventilators) notwithstanding the fact that it had become the global manufacturing hub for many types of essential medical supplies. Subsequently, the Trump administration has acted selfishly. Most egregiously, the U.S. diverted critical medical supplies from reaching their anxious original customers. Even multilaterally oriented states like Germany and France have adopted unilateral measures, such as imposing travel and entry bans and restricting or banning outright export of essential medical equipment.
It typically takes leaders a while to forge efficient cooperation with internal stakeholders even after they (and others) realize the seriousness of a crisis. Weeks passed before the Trump administration undertook aggressive actions to confront the risks presented by the coronavirus notwithstanding abundant early warning they received from both the intelligence community and credible epidemiological experts. It took even longer to work out partial domestic burden-sharing arrangements between U.S. states and the federal government. During crises, soliciting assistance from foreign countries is even more politically charged because it may make national leadership appear weak, both internally and externally. Even when leaders overcome these inhibitions, international assistance may not be forthcoming—countries face competition over scarce resources to defeat the challenge and quickly recover from it. These sentiments, namely the fear of looking weak and the competition over resources, are often accompanied by distrust of and even disdain toward others, as has been the case not only between the U.S. and China but also between the U.S. and the World Health Organization.
Just as with pandemics, when serious trouble takes place in cyberspace, the roadblocks to sharing and pooling resources are multifaceted: flawed situational awareness because of uncertainty about the existence let alone the nature of a problem (and, in the case of cyberattacks, the identity and intentions of the perpetrator), embarrassment to admit one fell victim to it, and the shortcomings of (and painful trade-offs associated with) the available response options. In addition, apprehension that divulging detection of an attack and attributing it to a state perpetrator or sponsor could compromise sensitive sources and methods—and fear that doing so could expose vulnerability or unleash escalation—further incentivizes holding back (or at least significantly delaying) a public acknowledgement of a major cyber incident. Consequently, victims (whether companies or states) are commonly reluctant to voluntarily acknowledge publicly (and often even internally) when they fall prey to cyberattacks. Subsequently, those targeted with cyberattacks tend to be reluctant even to go beyond complying with mandatory reporting requirements to share with others detailed information on the attacks and insights learned in confronting them. The FBI’s Internet Crime Complaint Center estimated that in 2016 only 15 percent of U.S. fraud victims reported the crimes to law enforcement.
In the cyber domain, political considerations add a significant layer of complication. Politics sometimes incentivizes leaders to dismiss evidence that would force them to confront unpalatable choices and own up to the consequences that flow from acknowledging them. The so-called normalcy bias, preoccupation, and wishful thinking reinforce political instincts to incentivize procrastination until leaders (and individuals) have no choice but to act. A telling example in cyberspace is the delayed and truncated U.S. government response to Russian interference in the 2016 presidential election. As pointed out by a bipartisan report from the Senate Intelligence Committee in February, the response was tempered “over concerns about appearing to act politically on behalf of one candidate, undermining public confidence in the election, and provoking additional Russian actions.” The cost of acting late is much greater, but months removed from the event, fewer observers dispute the need to bear the costs of taking the necessary action.
A third insight is that societies and their institutions struggle to plan and prepare for cascading disasters. The coronavirus has shown that large-scale disasters trigger chain reactions that reveal the criticality of previously underappreciated factors. First-order effects (direct casualties and damages) of pandemics have long been anticipated, and partially addressed. But the disruption wrought by the coronavirus has spread far deeper and faster. It has severely undermined manufacturing and even food processing supply chains, idled portions of national economies, and forced extreme lockdowns and social distancing. Global supply chains have unraveled and with them so has the trust in their long-term viability. The outbreak has exposed not only the limits of common “just-in-time” ordering practices but also the practical challenges of sustaining, maintaining, regularly refreshing and, as needs evolve, updating large stockpiles of emergency supplies over extended periods of time. The virus has also revealed the contemporary challenges (political as well as practical) inherent in invoking the likes of the Defense Production Act to reconfigure industries to address crisis needs.
During the pandemic, we have largely taken for granted the functioning of the digital world: Many people can still work and study from home and shop online, thanks to the application of information and communications technologies. But, in the event of a large-scale malware attack, these conveniences disappear. Cyber infrastructure underpinning such activities is hardly impenetrable. Imagine a cyberattack affecting, for example, the power supply—a system that is notoriously vulnerable in such situations. Even a major cyber accident could deny us this backup. It could produce cascading effects that undermine the functionality of the numerous systems that depend on it, from critical infrastructure onward. It could paralyze almost all services and manufacturing even if hospitals and certain other public services could still draw on backup generators to sustain some functionality.
Where does this depressing analogy leave us? The pandemic has instilled in us the conviction that we must urgently rethink the overall strategy for enhancing resilience against cyberattacks. It also encourages us to develop a strategy that combines a reinvigorated domestic component to offset short-term destruction and disruption and an ambitious multi-stakeholder international collaboration. In the current political environment, the latter would entail no less than a revitalization of multilateralism in order to be prepared for possible mega cyber incidents. Such international cooperation is invaluable not only to diminish the prospects of catastrophic cyberattacks but also to allow the world to effectively manage severe incidents when they inevitably occur and to rebound quickly from their adverse consequences. This is absolutely essential if we wish to retain and even expand the huge benefits we reap from the digital (and digitally enabled) world.
Thankfully, it’s not like we have to create the necessary international institutions from scratch. Some existing bodies are suited to address the normative side of cyber behavior, such as the U.N.’s Group of Governmental Experts and Open-Ended Working Group. And the Forum of Incident Response and Security Teams and the institutionalized channels of communications between the various national computer emergency response teams (CERTs) can be the best entities to facilitate technical and operational exchanges on cyber events. The latter could help detect trouble early, share diagnostic indicators with others, and help develop and coordinate a response. Naturally, though, a modicum of trust between the parties is necessary.
But then there is the challenge presented by the corrosive deterioration in great power relations and the retreat of the U.S. from its post-WWII leadership role in the international system. Earlier efforts to address other acute challenges (terrorism post-9/11, the financial crisis in 2008, and, more recently, piracy off the Somali coast) have amply demonstrated the indispensable role of great power leadership and cooperation, as well as cooperation with other stakeholders, in mitigating and rebounding from crises.
Herein lies the critical role of China and the U.S., hopefully working together, but certainly not at cross purposes, let alone against each other. Both share the duty to put their heads together to overcome deeply felt mistrust and resist conspiracy theories and myopic political instincts. Otherwise, any future global crises will be greeted with a similarly disjointed response. Health, climate and the cyber dimensions of the digital economy stand out as the most critical areas for such bilateral collaboration.
Yet the coronavirus pandemic has both illustrated and further set back the prospects for such collaboration. Given the current tensions in the U.S.-China relationship, it seems almost utopian to conceive now of a new bilateral agreement in cyberspace that goes beyond the one worked out between presidents Obama and Xi in 2015. But we hope that absorbing the hard lessons learned in confronting the pandemic will prompt a new appreciation of the costs and risks associated with unilateral actions and will propel both to embark on urgent course correction. And the current crisis may also highlight the importance of finding a more constructive way to manage their competition in general, and over the digital economy in particular. If the countries undertake the hard work to repair some of the cracks in the relationship, this will naturally pave the way for recruiting others (such as other members of the G-20) to deal with similar catastrophes in the future and to do the hard work needed to prepare for the next crisis, cyber or otherwise.
Whenever disaster strikes next, cooperation will be required to aid developing countries and to redress future supply-chain disruptions and their economic and social consequences. Countries can overcome these difficult challenges most effectively by tapping the ingenuity and resources that only cooperation between governments, multinational corporations, academia and civil society can yield.