Is it time for a U.S. (cyber) health service?
- By Paul McCloskey
- Apr 11, 2017
Today’s cyber security challenges are becoming so complex that government IT managers and policy makers are beginning to look at public health for new ways of thinking about protecting agency networks.
The public health and cybersecurity communities now share many common strategies, according to security experts, including spreading risk across large populations of people, the need to change end-user behaviors and the use of a common language to help ensure safety across overlapping groups.
These tactics are helping IT managers improve data security in a manner that is similar to how the health care community now pursues epidemiological problems.
“If you think about how cybersecurity has been addressed in the past, you heard a lot of biological references to viruses and anti-viruses,” said Elizabeth Lawler, CEO of Conjur Inc., which offers a secure document and access management platform.
Lawler spent 15 years working as a public health researcher at the Department of Veterans Affairs, but it wasn’t until this year that she began thinking about cybersecurity as a public health problem.
“In those days, you installed anti-virus software, and that was sufficient,” she said. “Today networks are much more complex, much more interrelated.” Internet-connected vehicles and pacemakers are changing the conversation on responsibilities for cybersecurity.
Imagine I have an internal, connected medical device that I didn’t want to use, but “my doctor decided to turn it on," she asked. "Who’s then controlling the device?” Should each and every end user be able to make decisions about compliance – whether that applies to vaccinations or firewalls?
“I think the actual context for public health as a cybersecurity problem has become a real one,” Lawler said.
The relationship between health care and security is also revealing new ways of thinking about meeting the challenges of these disciplines, according to government security managers.
“If we dig into malware and look at its ancestry or its history or the chromosomes and DNA that make it up, we learn about what are the other types of damage it can do, how does this thing behave,” Phyllis Schneck, former deputy under secretary for cybersecurity at the Department of Homeland Security, told the iSMG Security Report.
“We are going from a typical intrusion-detection scenario where you need to have a vaccine,” Schneck said, to automated, self-healing cyber networks that can recognize “something is probably bad and study it or attack it on their own.”
For Lawler, containing security threats requires the same strategies needed to contain an outbreak of disease. When scientists are working to contain the spread of a disease, for example, they must first identify where the outbreak started, how it’s spreading, how to treat the patients infected and how to stop its continued movement. Those are the same questions cybersecurity experts must answer about breaches and how to prevent further data loss.
A shared tenet of both the healthcare and cybersecurity communities is the mission to influence end-user behavior.
Even Federal Risk and Authorization Management Program, the federal government’s omnibus solution for cloud security, has epidemiological significance, said Lawler, who called it “an excellent example of trying to standardize a minimum set of requirements in order to be able to take on certain levels of sensitivity of data.”
As with other control systems, however, success depends on the implementation and consistency of the program, which can drop off prematurely.
“You have this point in time where everything is static and perfect, and then entropy takes over after that,” she said. “I don’t know if FedRAMP uses the notion of checkups; but it’s never going to be as good as the first year you went through it.”
Lawler also said she believes cybersecurity practitioners often get caught up in choices about ‘perfect security’ versus security that’s ‘good enough.’ “What we end up with is disparities in systems,” she said.
“Some are extremely well protected and guarded, and some systems are not,” she said. “Not because there are not enough resources put toward that, but because everything is now interconnected in this web, the exploits can quickly move from one point to another.”
“We really don’t use the same kind of behavior modification methods that public health typically uses in improving cybersecurity,” she said. “That’s another area in which certainly cybersecurity folks could learn from public health people, who’ve been able to make modifications both through legislation but also education.”
Ultimately, Lawler advocates investment in public resources to promote healthy cybersecurity practices and technologies, much like the U.S. Public Health Service was put in place to address acute events like natural disasters as well as chronic events like improving public health from heart disease or smoking.
“I think we need something similar to set the bar for cybersecurity because otherwise you see free market sources often push cybersecurity off to the end,” she said.
Paul McCloskey is senior editor of GCN. A former editor-in-chief of both GCN and FCW, McCloskey was part of Federal Computer Week's founding editorial staff.