Coronavirus, Cybersecurity and Capacity Building

Healthcare systems face increasing cybersecurity risk, just as we need them to be at their most resilient. International cyber capacity building can help.

For almost everyone alive, the coronavirus is an unprecedented global challenge. Healthcare systems in every country are either stretched to their limit or preparing for that scenario.

In response, governments, development banks and companies are all asking how every aspect of their work can be used to help mitigate the crisis. You see this in the questions they ask their programme managers. And you see it in the emails we’ve all received from every company we’ve ever dealt with – and some we’re sure we haven’t – telling us how they are stepping up to the challenge.

So can the international cybersecurity community help?

The answer, of course, is yes. It must. Healthcare systems around the world are experiencing a spike in cybersecurity risk, just as we need them to be at their most resilient.

This post looks at the reasons why and starts to consider what a policing, foreign policy and capacity building response might look like.

The increased cybersecurity risk to healthcare

The cyber security risk to healthcare systems around the world is rising rapidly because all three components of the risk equation are changing for the worse.

(Cyber) Risk = Threat x Vulnerability x Impact

Cybersecurity Threats are spiking for several reasons. Hospitals have long been prime ransomware targets. However, since the emergence of coronavirus, criminals have even greater incentives to target them, because they think hospitals are more likely to pay a ransom demand quickly to avoid making a bad crisis worse. Some groups have promised not to target hospitals, but it’s hard to place confidence in the public relations arm of an international criminal organisation.

For more sophisticated actors, targets like the WHO, government health ministries and research companies have valuable information on new drugs and testing kits in the pipeline. Health sectors are also gathering and connecting valuable personal data about health, taxes, insurance details and mobile phone geolocation. The more personal data is in one place the more attractive a target it becomes, especially when it is being moved and processed in a hurry.

From the Threat perspective, we are also seeing the increasing relevance of disinformation opportunities. A global pandemic creates the perfect conditions to turn people against their neighbours and sow the seeds of distrust in governments and political systems.

Turning to Vulnerability, hospital and health care IT staff will be reduced in number due to illness or caregiving and distracted by the need to shift to remote working. That remote working in turn creates a greater attack surface to strike against. Even better, for the attacker, many of the staff using either their old or new remote working systems will likely be struggling to implement new security protocols, looking for corners they can cut to save time, and very distracted. What better time to send an email pretending to carry some vital piece of information about Zoom or the virus?

Last, but of course not least, we come to Impact. Any disruption could be deadly when there is zero slack in the system. Any staff or wards taken out of action for a day could cost lives. Something on the scale of the WannaCry attack on the NHS would have consequences that are hard to think about, although we must.

Their risk is our risk

We are facing the potential collision of two similar challenges. Global viruses compounding global viruses. Interconnected health systems threatened by interconnected IT systems. Although before being too bleak, we also need to acknowledge that those interconnected IT systems are currently enabling the solutions too: everything from the search for tests and treatments to the complex logistical feats needed to cope with this crisis.

In international cyber capacity building we often talk about why a risk to another country’s systems is a risk to our own. In this case, that narrative applies to our respective healthcare systems. If a cybersecurity attack were to disrupt the healthcare system of any country it would prolong the global spread of the virus and delay the point at which our own countries can return to normal. Furthermore, when that other country’s health system is disrupted by the attack, the number of patients will rise and they will need more vital resources – testing kits, PPE, ventilators – to cope. That in turn will increase the cost, and reduce the available supply, for the rest of us. We are all in it together, for better or for worse.

What options do we have?

If their health system risk is our risk, and their risk is going up, then there are really only three main options:

  1. Accept the risk.
  2. Reduce our interconnectedness.
  3. Encourage and help other countries to reduce their risk.

Accepting the risk is always an attractive option. Until the risk is realised and then it very quickly becomes unattractive.

Countries are already pulling hard on the levers that reduce international connections. Travel is discouraged. Domestic production has been retooled to produce face masks and ventilators, so there will be less reliance on imports of these scarce resources. And yet, as things stand today, the scenario I described above, in which a deepening of the crisis in one country would delay recovery for everyone, holds true.

And that brings us to the third option: encouraging and helping other countries to reduce the risk their healthcare systems face as a result of cybersecurity threats. The ways we can do this aren’t just cybersecurity capacity building, but yes that’s coming. Let’s first look at some of the other tools we can deploy.

Reducing the Threat: Foreign Policy and Policing

To work out how to reduce the risk we need only go back to our risk equation. We would need to reduce the Threat, the Vulnerability or the Impact.

If we are to start with the tools we have that aren’t capacity building then the most obvious thing to do is to bring down the Threat.

Many (but not all) attackers are motivated by money or political gain. They are demotivated by disruption to their ‘business’ or political harm. Right now we need those attackers to be as demotivated as they can be. The tools we have in our arsenal to do that include policing and foreign policy.

Many police forces are tied up dealing with public order, but there are still cyber crime units that can make life for international criminals especially uncomfortable right now.

To deter politically motivated actors we need a foreign policy toolbox. Fortunately, the international community has been gradually building one over the past decade. We have established that international law applies online as it does offline. Furthermore, we have agreed at the UN a norm of responsible government behaviour that you don’t target hospitals. Just as the police can make life uncomfortable for criminals, so our politicians and policy makers can make life uncomfortable for those who disrupt the healthcare response for political gain.

A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operations of critical infrastructure to provide services to the public

UN Group of Government Experts report (2015)

Reducing Vulnerability and Impact: Cyber Capacity Building

Reducing vulnerability and impact is where international cyber capacity comes in.

It is never too late to start improving a healthcare system’s cyber readiness and reducing its vulnerabilities. The sort of activities that are needed include identifying critical systems, assessing the current protective measures and processes, exercising what you would do if the national hospital IT system was attacked, patching, patching, patching etc.

Admittedly now is a terrible time to choose to start doing these things, because they all require staff availability and right now healthcare systems around the world are desperately short of that. But, if an attack could be just around the corner, then there will never be a better time to start. Now is the time.

Of course it’s easy to say “now is the time” from the comfort of my self-isolation in London. I’m not in a health ministry in Mexico or a hospital in Hanoi having worked 48 hours without rest. However, I think I can conceive of the scale of the challenge and I know that things on this scale have been done before.

It’s been done before

In the midst of the 2014 Ebola crisis in Liberia, USAID and the Department of Defence built out an internet network across Liberia and Sierra Leone in 3 months. A secure, reliable internet network was considered mission critical and they made it happen.

By its own assessment, the Ebola Connectivity Response Initiative (ECRI) had significant shortcomings and there have been criticisms of how personal citizen data was managed and used (which are relevant again today). However, that does not alter the fact that in the face of a viral health threat, the international community mobilised a rapid deployment of ICT assistance, supporting overworked local staff in crisis conditions. And that was in response to an African epidemic, not a pandemic, that resulted in 2 deaths in the US.

The need then was for international ICT assistance to build out an internet network. The need now is for international ICT assistance to secure the world’s most critical health care system networks, where we can see they have obvious vulnerabilities and weak recovery mechanisms.

For some this will be a health challenge. For some a development challenge. For some a national security challenge. For some it will be a policing challenge. For some it will be a human rights challenge. Let’s not let those distinctions get in the way. Instead it can be an opportunity to draw on the resources and experience of all of these communities.

Tough but doable

I am under no illusions as to how big the challenge is. Nor how comparatively small the budgets are that we are used to working with.

Furthermore, the pool of experts we can deploy is constrained. And it will be hard to use the most commonly played card in our deck – flying out international experts to provide advice and training – when airports are closed.

Nonetheless, I think we could scale up and find new solutions if there is the will to do so. The question is: what priority will this be given, especially when the immediate domestic challenges are so pressing?

Even if we don’t commit to pre-emptive capacity building, I suggest we still think about how we would collectively respond to a major incident affecting a critical country’s healthcare system. At that point the priority would be incident response, but even in the midst of that there will still be the need for capacity building.

Income Gap. Digital Divide. Cyber Security Canyon?

A look at the evidence for global inequalities in cyber security.

In my last post, I looked at the global Income Gap and Digital Divide. I asked why there are, proportionally, more billionaires in San Francisco than people with fixed broadband access in South Sudan.

In this post I’ll ask whether, in addition to an Income Gap and Digital Divide between countries, there is also a Cyber Security Canyon.

How to spot a Cyber Security Canyon

Before we search for a Cyber Security Canyon we should decide what we are looking for.  I propose that it would show up in the data as a significant inequality in the level of cyber security between countries.  By significant, I mean it would be on a similar, or greater, scale, to the inequality of the Digital Divide, where the top countries have internet access rates 5 times better than the lowest ranked countries. 

The chart below illustrates the size of the Digital Divide, using median household income data from Gallup, for the 131 countries they survey, and the corresponding internet access data from the ITU. Liberia is on the far left, with the lowest household income, and Norway is on the far right, with the highest.

If a Cyber Security Canyon exists, the countries on either side of it need not necessarily be the same as those on either side of the Income Gap and Digital Divide.  But it wouldn’t be a surprise if they were. 

The case for a Canyon

So, what evidence for a Canyon can we find?

I think the search gets off to a fruitful start if we begin by considering countries’ cyber security capacity and vulnerabilities. In the next chart, I’ve plotted an indicator of national cyber capacity in green and an indicator of national vulnerability in red. The trend lines are shown with dashes.  The capacity indicator is the ITU’s Global Cybersecurity Index score. For vulnerability, I use the Microsoft malware encounter rate – the percentage of PCs in a country on which Microsoft detects malware in a given time period (Q1 2017 in this case).

Looking first at the national capacity indicator, the lowest income countries have a Global Cybersecurity Index score of around 0.2-0.3. ITU use an ordinal scoring system in which a country with a score of 0.2-0.3 has very basic capacity in some dimensions of cyber security and no capacity at all in others.  By contrast the highest income countries have GCI scores around 0.8-0.9, which equates to having advanced levels of cyber capacity in almost all dimensions. 

When we turn to the malware encounter rate we see the mirror relationship.  In low income countries Microsoft finds malware on around 20-25% of PCs, compared with around 5% in the high income countries. 

The malware infection rates in the lowest income countries are 4 to 5 times worse than those in the highest income countries. The ITU capacity scores for the highest income countries are more than 4 times better than those of the lowest income countries (although that could of course change if ITU changed their scoring system).

This is beginning to look like a Canyon. Because of the main indicator, I’ll call it a Cyber Capacity Canyon.

This is not the Canyon you are looking for

Wouldn’t it be useful if we could neatly conclude that cyber security is four times better in the highest income countries than the lowest?  Of course, life is never that simple.

Most importantly, we still haven’t defined what we mean by better cyber security.  I suggest that in most cases when we dig into what ‘good cyber security’ means we get down to the underlying, and more concrete, concepts of cyber risk and cyber harm. 

Bear with me here…. A country or organisation achieves good (or adequate) cyber security when its control measures are sufficient to reduce its cyber risk exposure to the level of its risk appetite.  Once a country achieves good cyber security it should find in the future that the cyber harm it actually experiences is at or below the level of harm it was willing to accept as the price of being digitally connected.

So, if we are talking about cyber risk or cyber harm when we talk about ‘good cyber security’, then what can our two indicators tell us about them?  Unfortunately, on their own, not as much as we’d like. 

The malware encounter rate can be an indicator of cyber harm, but we would need to find some method of translating infection rates to dollar cyber harm values in a way that works whether the PCs are in Canada or Cameroon.  I’m not aware of such a method.

As for cyber risk, both indicators can tell us something about that, but they are only part of the equation. I’ll explore competing interpretations of cyber risk in a future blog, but for now let’s use a basic formula from many management textbooks:

(Cyber) Risk  =  Threat  x  Vulnerability  x  Impact

Both the Microsoft malware encounter rate and the ITU GCI score are national indicators for the middle term: vulnerability.  They tell us almost nothing about threat or impact and therefore can give us only a very incomplete picture of cyber risk.

When we gather data for cyber risk and cyber harm we may find that there is no Cyber Security Canyon, or that it looks quite different to the Cyber Capacity Canyon we’ve seen so far.  I can only speculate.

Cartoon illustration of what a cyber security canyon between poor and rich countries might look like. Links to the global Income Gap and Digital Divide inequalities.

Can we rely on our indicators?

We need more cyber indicators to capture risk and harm, but can we even be sure the indicators we already have are reliable? 

What I find most striking about the two cyber indicators I’ve used in this blog is the difference in their deviation around the trend line.  The Microsoft encounter rate sticks pretty closely to its trend line, but the ITU’s GCI score deviates noticeably.  In the GCI data we see countries with near identical low incomes where one has almost zero cyber security capacity and the other has a capacity level just short of the most advanced cyber nations.  We don’t find that pattern in the ITU’s internet access data.

Suffice to say the lower deviation in the Microsoft data means it’s the cyber indicator in which I have greater confidence.  However, I appreciate the effort that has gone into producing both data sets over several years and I expect the trend line in the ITU’s data will be confirmed by other capacity review studies.

The need for further research and cyber security capacity building

I feel fairly confident we have found a Cyber Capacity Canyon, but more is needed to explore its geography.  By augmenting ITU’s capacity data with other sources we could be more confident that it is as wide as it looks. By adding other indicators, for example covering threat and impact, we could see if it extends into the territory of cyber risk and cyber harm – meaning we’ve found a Cyber Security Canyon.

Should we wait for this further research before acting?  I think that would be a mistake. We have enough data to know that poorer countries are being left behind in terms of their capacity to protect themselves and their populations.  That alone is enough reason to act now: for their sake and for the sake of the global systems that are connected to them.

Now is the time for international cyber security capacity building.

Income gap. Digital divide.

Why is it easier to find a billionaire in San Francisco than a fixed broadband connection in South Sudan?

Proportionally, more people are billionaires in San Francisco (1 in 11,600) than have fixed line broadband in South Sudan or the Democratic Republic of the Congo.

How did we get here? And what does it mean for cyber security capacity building? Part one of a two part blog.

It now matters where you live: income inequality between countries

It seems obvious today that the country we live in makes a big difference to how much we earn. But that’s a relatively new development. 

Two hundred years ago, where you lived made little difference to your income.  Pretty much everyone lived in what we call extreme poverty and had a life expectancy of around 30 years.  In 1820, a building labourer in Africa could use their daily wage to buy food with enough calories to last them 3 days.  In Western Europe, the daily wage for the same job bought you 12 days of food. Both situations were pretty precarious. What mattered to your income was not where you lived, but what you did: beggar, building labourer or banker.

Jump back to the present and it’s where you live that is the greater determinant of your income. A building labourer in Africa can now buy 18 days of calories with a daily wage, while their counterpart in Western Europe (or San Francisco) can buy 163. The former’s life expectancy at birth is 61 and the latter’s is 80.

The recent importance of where you live on your income is shown in the chart below by Our World In Data. Total global income inequality is the top line in green. Its component parts are: income inequality between countries (red); and income inequality within countries (blue). As you can see, around 1930 the country you live in overtook the work you do as the key driver of income.

Global inequality between world citizens and its components 1820-1992

So, the first part of the answer to “how did we get here?” is that geography has started to really matter. Why is that?

The Great Divergence and The Great Convergence

As we saw, in the early 1800s every country was in a similar position in terms of per capita income. Then from the mid to late 1800s Europe, North America and Australia began to experience unprecedented growth and, for a time, left the other regions behind. This has been called the Great Divergence.

The Great Divergence (source: The Economist)

This explosive growth has been accounted for with competing theories ranging from the shameful (slavery) to the inspiring (two industrial revolutions) to the accidental (having coal reserves near major cities).

By 1975 its impact on global income distribution was a divided world. The ‘West’ were earning around $15 a day (in 2011 prices), while ‘The Rest’ were distributed tightly around $0.8 a day – well below the poverty line.

The Great Divergence

All this changed again after 1980. The Great Divergence was followed by the Great Convergence, as India, China and others rapidly narrowed the gap. The animation below shows this catch up until 2011, but it is a trend that continues today. The country we live in is still important for our income, but it is beginning to matter less than it did at its 1980 peak.

Global Income Distribution 1988 to 2011

However, even after the Great Convergence, there remain deep pockets of poverty, especially in Sub-Saharan Africa.

The situation in which some countries find themselves – blessed by rich natural resources and cursed by conflicts or weak governance – has been called a poverty trap. South Sudan and DRC exemplify these conditions and it is in these that we find the greatest contrast with San Francisco in terms of both income and internet access.

What you do always mattered: income inequality within countries

Turning now just to America, I’ll admit that the prevalence of billionaires in San Francisco took me by surprise, but the reasons for it are familiar.  America benefitted most from the Great Divergence and invested some of its wealth in world class tech research institutions on its west coast. Those institutions helped start a third (digital) industrial revolution and tech firms clustered around their talent. And a decade of acquisitions by the largest tech players has created some very rich people. 

The world’s c.2,600 billionaires make up about 0.000002% of its population.  Over the past four decades, despite the 2008 recession, they’ve achieved greater proportional income and wealth growth than any other group.

World Inequality Report 2018 – The “Loch Ness Monster” chart

The rapidly rising income of the billionaires is the extreme point in a wider trend: since 1980 income inequality within countries has been rising, both in America and globally (see the blue line on the first chart). This comes after a period of falling inequality from 1910 to 1950.  The better off are once again pulling away from the lowest and middle earners.

‘I know my place’ sketch on The Frost Report, 1966

The digital divide

That was a lot of economics for a cyber blog, but here’s the crunch.  How your country – and even your city – fared in the last two centuries of the Great Divergence and the Great Convergence will significantly influence both your ability to pay for internet access and the price you pay for it.

An assistant professor in Juba, South Sudan, earns $54 a month and would be charged $200 a month for home broadband.  One in San Francisco makes $7,400 and pays $50.  Unsurprisingly, internet penetration in South Sudan is 17% (thanks to mobile) compared with 89% in the US.

As a rule of thumb: the higher a country’s median income, the more people it has online

To compare the US and South Sudan is to look at the extremes, but, as with income, the picture looks a lot more positive in the middle.  There are now over 3 billion people online, 2 billion of them in low and middle-income countries. In 1820, there were only 1 billion people on the planet.

The ITU estimate 48% of the world’s population were online by 2017:

Internet users per 100 people 1996-2017 (source: ITU)

The percentage of a population online – internet penetration – is a crude measure of access.  It ignores the price you pay, the speed of your connection, what proportion of online sites and services you can access, whether you trust them enough to use them, whether there is content in your language and many other potential barriers to benefitting fully from the web.  It also ignores the other ways the internets (plural) might be introducing benefits and risks into your life.  These range from how your military and emergency services communicate, to how money gets transferred, to how your nearest power station produces electricity.

Nonetheless, internet penetration is a good enough indicator to see that participation in the digital era is spreading like the economic waves that lifted first Europe and America and then Asia and Latin America.  Only this time the process is on fast forward and there’s no hitting pause on the remote.

The implications for cyber security capacity building

Thanks for sticking with me through part one of this blog post. In part two I’ll look at whether, in addition to an Income Gap and Digital Divide, there is also a Cyber Canyon.