By Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance
Ironically, 2020 was supposed to be the year in which our luminous predictions of wealth and development would materialize: the advent of the zettabyte world, trillions of smart devices in our all-encompassing smart environments, the maturation of AI and quantum computing, etc. Instead, we got infected by a nasty virus, and not even malware, a real one. And despite the fact that our intelligence was able to build a machine that beat Go masters and poker champions, we are struggling to produce enough protective masks to reduce the spread of the virus.
COVID-19 will likely result in the biggest societal shock since WWII. The short-term impact of this pandemic is unfortunately already very clear today, with nearly two hundred thousand casualties, healthcare systems close to collapse, and economies stalling out and forecasting the biggest depression since 1929. What we haven't accounted for yet is the medium/long-term impact of this calamity. The more optimistic among us see the tragedy as an opportunity for a new start, a boost to our capabilities, the chance to be better as a human race. Others, perhaps more realistically, foresee a long, slow and hard process that will eventually get us back to the same levels of wealth we had at the beginning of this outbreak.
We can safely state that something went wrong with our predictions. Someone could say that COVID-19 is a black swan and by definition could not have been foreseen. Others might argue that this is a pandemic and that in the history of humanity there have been plenty of those. The last one, not long ago, was SARS in 2003. Maybe it's a bit too early to start drawing conclusions, but it doesn't seem too hazardous to say that we haven't done a great job with our pandemic preparedness and response plans. Being Italian, I found this article in the Harvard Business Review particularly interesting: "Lessons from Italy's Response to Coronavirus", where the authors describe how Italy first, then the rest of the EU countries and then the US, showed a "…systematic failure to absorb and act upon existing information rapidly and effectively…".
What is not reported in the article is that the Italian influenza pandemic preparedness plan was last updated in 2010 and, as far as I have read in the news these days, never tested. Italy, unfortunately, is not a black sheep in the EU, since the only countries with plans more than 5 years old are Germany and Lithuania, while all the others have plans that are 7 to 15 years old.
I know nothing about the specifics of national pandemic preparedness and response plans, so I'll leave it to the experts to do their jobs.
What's interesting to me is to draw a parallel between COVID-19 and a cybersecurity preparedness and response plan. I believe that a number of similarities can be found and several lessons could be learned in order to avoid a cyber-pandemic in the near future.
The importance of establishing and testing your plans
The Cloud Security Alliance is currently reviewing the Cloud Controls Matrix (CCM) version 4. Several control objectives will be changed, but there are some core controls that will not. One of them is about establishing, enforcing, testing and maintaining your incident management and response plan. This is clearly one of the foundational best practices in cybersecurity, but sadly one of the most disregarded too. According to the 4th annual study "Cyber Resilient Organization" by IBM and the Ponemon Institute, 77% of companies surveyed still do not have a cybersecurity incident response plan applied consistently across the enterprise, and 54% of the organizations that do have a plan in place do not test their plans regularly. In essence the attitude is, "let's put our conscience at ease with a fancy policy, but let's not spend too much money on enforcing and testing something that's too unlikely to happen. And if it happens, we'll surely find a creative solution on the fly." Bravo! That's the right attitude...
Information sharing is key
The COVID-19 emergency tells us that following the telltale signs, the first indicators that something anomalous was happening in various countries across the globe (a substantial increase in the number of cases of aggressive pneumonia), and transparently sharing those early warning signs across the global community could have greatly improved our preparedness, response capabilities and coordination. Does this sound familiar to anyone involved in cybersecurity? In total fairness, our industry is getting better and better at intelligence sharing. Besides the well-known voluntary Information Sharing and Analysis Centers (ISACs), there is also a stronger emphasis from regulators on incident reporting. What we are still missing, perhaps, is stronger cooperation and coordination between the public and private sectors on preparedness, threat intelligence sharing and incident response.
Do not reinvent the wheel
In the absence of a coherent and coordinated plan for preparedness, or of proper training for those involved on the front line, the most likely scenario when a crisis hits is a series of random actions based on the gut feelings of those in the chain of control. The most likely output of this scenario is, at best, a partially ineffective response, or at worst a total failure. An example? The medical and paramedical personnel on the front line in Italy were sent to 'war' understaffed, under-equipped and under-trained to deal with the pandemic. Result? A lot of them contracted the virus, several died, and the quality and speed of the response were undermined.
What does this mean for the IT community? DO NOT reinvent the wheel, STOP following your personal gut feelings, and START following standards and best practices. It means stop making assumptions about the readiness of your staff and train them with both theory and practice (organize table-top exercises). Invest in preparedness; thinking short term doesn't pay off.
Be ready for more frequent low probability / high impact scenarios
I mentioned in the beginning that it is debatable whether COVID-19 can be considered a black swan or not. Regardless, we can be certain that low-probability/high-impact scenarios exist. These are precisely the cases that many leaders tend to disregard when managing risk, since they prefer to spend their limited resources mitigating risk scenarios that appear more likely to happen.
The calculation of risk assumes the availability of reliable historical data and a clear understanding of the phenomenon under analysis. In the cybersecurity space we seem to fall short on both counts. On the historical data side, our best effort is possibly represented by the Verizon annual Data Breach Investigations Report. This year, the report included about 40K incidents. The report was first published in 2008 and has since been collecting an average of 60K incidents per year from a number of sources. A good base, but unfortunately it might be just the tip of the iceberg, since most incidents and breaches are not reported. In addition, we need to factor the rate of 'asymptomatic patients' into our analysis: in other words, the fact that it takes months, if not years, to realize that a breach has occurred.
We have several limitations in understanding the phenomenon too, since our IT environments are becoming more interdependent and complex (complex supply chains, shared responsibilities, an exponential number of devices and data to manage, new technologies such as IoT, AI, etc.) and we don't seem to score highly when building models for measuring systemic, correlated risks. As Dan Geer says in "A Rubicon," "Our concern is unacknowledged correlated risk, the unacknowledged correlated risk of cyberspace is why cyberspace is capable of black swan behavior. Unacknowledged correlations contribute, by definition, to heavy tails in the probability distribution of possible events." In other words, we should expect that using the Pareto principle in evaluating and managing risks might not be the recommended choice. Companies should be resilient to unexpected events. And in order to accomplish this, they must establish, enforce, test and maintain their preparedness and response plans.
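To make Geer's point concrete, here is an added example (not from the original post or from CSA) that compares two toy models of N systems with the same per-system failure probability: one where failures are independent, and one where a hypothetical shared dependency (a common supplier, cloud region or identity provider) occasionally takes every system down at once. The figures N, p and q are constructed for illustration, and the model is my own simplification, not a method the post describes.

```python
from math import comb

def binom_tail(n: int, p: float, k: int) -> float:
    """P(X >= k) for X ~ Binomial(n, p): at least k of n systems fail."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def independent_tail(n: int, p: float, k: int) -> float:
    """Model A: every system fails independently with probability p (the
    implicit assumption when risks are ranked one scenario at a time)."""
    return binom_tail(n, p, k)

def common_cause_tail(n: int, p: float, q: float, k: int) -> float:
    """Model B: same per-system marginal probability p, but with probability q
    a shared dependency (hypothetical: one supplier, one cloud region, one
    identity provider) fails and takes every system down at once. Otherwise
    systems fail independently with p_rest, chosen so the marginal stays p:
    p = q + (1 - q) * p_rest."""
    if not 0.0 <= q <= p < 1.0:
        raise ValueError("need 0 <= q <= p < 1 so the marginal stays consistent")
    p_rest = (p - q) / (1 - q)
    return q + (1 - q) * binom_tail(n, p_rest, k)

def expected_failures_common_cause(n: int, p: float, q: float) -> float:
    """Expected number of failed systems under model B; equals n * p by
    construction, so a likelihood-times-impact ranking cannot tell A from B."""
    p_rest = (p - q) / (1 - q)
    return q * n + (1 - q) * n * p_rest

def tail_comparison(n: int, p: float, q: float, ks) -> list:
    """For each threshold k: (k, P_A(X >= k), P_B(X >= k), ratio B/A)."""
    rows = []
    for k in ks:
        a = independent_tail(n, p, k)
        b = common_cause_tail(n, p, q, k)
        rows.append((k, a, b, b / a if a > 0 else float("inf")))
    return rows

if __name__ == "__main__":
    N, P, Q = 20, 0.05, 0.02  # constructed figures, not taken from any dataset
    print(f"expected failures: A={N * P:.2f}  B={expected_failures_common_cause(N, P, Q):.2f}")
    for k, a, b, r in tail_comparison(N, P, Q, [1, 2, 5, 10, 20]):
        print(f"k>={k:2d}  independent={a:.2e}  common-cause={b:.2e}  ratio={r:.2g}")
```

With these constructed figures both models predict one failure on average, yet the common-cause model makes "at least 10 of 20 systems down" several orders of magnitude more likely (it is bounded below by q), while making small incidents slightly rarer; a Pareto-style ranking by expected loss sees the two as identical.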
NOTE: There is daily news in Italian online newspapers on this matter.