A decade ago, Stuxnet pulled me into the accelerating, widening gyre of cybersecurity. I began to devote less time to global health, a topic on which I spent the previous decade developing familiarity and producing a large carbon footprint. I would frown when cybersecurity analysis borrowed concepts from public health, thinking, “if they only knew the life-and-death troubles that health practitioners face implementing those concepts.” Cybersecurity and public health are different challenges. Yet, the COVID-19 pandemic has cybersecurity relevance because it has generated sobering reminders of long-standing problems, unresolved controversies, and unheeded warnings that continue to characterize U.S. cybersecurity.
COVID-19 has forced me, and everyone else, to become more dependent on the internet as desperate measures, such as social distancing, disrupt economic activity and everyday life. In cyberspace, dependence creates vulnerability, and malicious attempts to exploit this sudden, unplanned societal shift online have proliferated. Law enforcement officials report that criminals are, among other things, selling fake COVID-19 cures online, posing as intergovernmental or governmental health organizations in phishing emails, and inserting malware into online resources tracking the pandemic. This COVID-19-related spike underscores that policy efforts to “flatten the curve” on cybercrime have not succeeded.
Vulnerabilities in the Private Sector and Critical Infrastructure
COVID-19 is a crisis that, as my CFR colleague Robert Knake identified, highlights once more the cybersecurity vulnerabilities in health care, a significant private-sector activity and prominent component of critical infrastructure. Word that cybercriminals would suspend attacks against health care institutions during the COVID-19 pandemic provides cold comfort. Being at the mercy of “honor among thieves” simply deepens awareness that this part of U.S. critical infrastructure is cyber insecure at an unprecedented and dire moment in the life of the nation.
Government Surveillance and Privacy
Success in some countries, such as Taiwan and South Korea, at integrating smartphones and big data in the fight against COVID-19 encouraged other governments, such as the United Kingdom, to explore this strategy. This development connects to ongoing legal, ethical, and technological concerns about the cybersecurity of government databases and the privacy protections needed when governments collect and use personal information to monitor behavior. Post-pandemic reviews of COVID-19 will, in all likelihood, evaluate whether and how synergies created by more integration of big data and digital technologies should inform strategies for the next generation of disease surveillance and intervention policies. The damage done by COVID-19 might provide incentives for governments and public health experts to overlook cybersecurity and privacy concerns in favor of technological capabilities that promise results in preventing and controlling life-and-death emergencies.
Cyber Espionage by States
The disruption of government and private-sector activities created by responses to COVID-19 also create incentives for states to intensify cyber espionage. Despite efforts at establishing norms against economic cyber espionage, this practice was alive and well before COVID-19 struck. Social distancing by employees and government orders restricting business activities adversely affect the ability of companies to keep their computer systems and networks secure from infiltration, especially if conducted by sophisticated state actors. The global scramble and competition to develop treatments and a vaccine for COVID-19 make the public and non-governmental actors involved in such research targets for cyber espionage by governments that want access to the cutting-edge of this crucial pharmaceutical endeavor.
Preparedness for Cybersecurity Threats
The ways that COVID-19 highlights many cybersecurity problems invites re-consideration of cybersecurity strategies and policies. A prominent effort to re-assess cybersecurity in the United States, the Cyberspace Solarium Commission, issued its report on March 10, just as the COVID-19 pandemic exploded beyond China. The commission concluded that—despite twenty years of policy concerns and action—public and private-sector cybersecurity in the United States remains inadequate. The commission advocated for a strategy of layered deterrence involving deterrence by norms, denial, and punishment. According to the commission, implementing this strategy requires a resilient economy, government reforms for better cybersecurity preparedness, and private-sector actions to strengthen its cybersecurity posture.
Reading the commission’s report fired the synapse between my cybersecurity and global health neurons. Prior to the COVID-19 outbreak, governmental officials and public health experts were aware that the United States was not prepared to handle a pandemic, despite twenty years of preparedness strategies, legislation, and policies. These preparedness efforts repeatedly emphasized the need for government reforms, a resilient economy and society, and private-sector readiness. This lack of pandemic preparedness contributed to the political, economic, and social nightmare that COVID-19 has produced in the United States. Two decades of warnings about not being ready for pandemics and calls to action to remedy the lack of preparedness failed.
Public health and cybersecurity are different problems, but the COVID-19 nightmare should inform how we read the commission’s report and respond to its version of yet another “urgent call to action” on American cybersecurity.