What the Bird Flu Can Teach Us About Data Security
Doesn’t it sound familiar? Emerging from a country or countries where the conditions of human life are more desperate, the virus propagates throughout the globe despite local efforts to contain it, and despite efforts in as-yet-unaffected areas to put up barriers to stop it.
As the years pass, it becomes ever more clear that our collective instinct to anthromorphize electronic networks and their “afflictions” is entirely appropriate in at least the following way: computer viruses and human viruses often bear startling resemblances to each other. None of what we say here is news to anyone involved professionally in data security -- and it may strike some as hopelessly simplistic (it no doubt is) -- but perhaps it will serve as a reminder of the global stakes in this high-tech hot zone.
Of course, both self-propagating computer viruses and human viruses can originate anywhere, and finding “Patient Zero” or the initial computer virus designer requires diligence, resources and luck. But the increasing number of virus-writers and hackers in third-world countries suggests that one lesson we must take from bird flu, ebola and the like is that security in our own back yard has a significant global component that must include support for both prevention (education, financial incentives) and enforcement (working relationships with local authorities, financial and technical support) in other countries.
The inexorable march of bird flu into Europe and beyond, however, demonstrates that with respect to some threats, no amount of local enforcement will likely be sufficient. Efforts must be made to restrict the communication of the threat through global channels, and countries not yet infected must guard their borders at the national and local levels. With respect to Internet-borne threats, this likely means at least limited government surveillance of email and server traffic, at least with respect to threats to national security that might come in the form of electronic attacks. More critically, private companies and individuals take on the role of “local government” with respect to cyber-attacks, by putting in place strong security systems.
Unfortunately, if the experts are correct, bird flu may well be the next human pandemic no matter what measures we put in place to stop it. Or perhaps the next major threat will come out of left field while we’re waiting and watching for avian flu to become easily communicable between humans. Regardless, if the dire predictions are true, all of the security efforts are not about prevention, but about mitigation. That’s okay, as long as we understand this and recognize that every percentage point mitigated means thousands of lives saved.
Hopefully, the stakes with respect to computer viruses are primarily financial rather than personal (although given the critical nature of certain systems this in by no means certain). Yet even in financial terms, mitigation of the problem can save billions of dollars. One challenge in data security is that expenditures by individual companies do not necessarily redound to that company directly, unless the expenditures are solely on internal defense. Assuming that only companies the size of Microsoft can afford to offer global incentives such as the well-publicized bounty for the prosecution of the blaster, Sobig and Mydoom worms, does this mean that there is a need for a global “Center for Disease Control” for data security separate and apart from enforcement by Interpol and the FBI (and other national equivalents)? Or is our patchwork itself strong enough to provide a level of mitigation we can accept?
A parting question. Doesn’t this analogy work both ways? If so, what can our collective experience with data security tell us about the bird flu and other potential human pandemics?