Four lessons from the pandemic.

While the pandemic and its effects are far from over, its consequences for cybersecurity now seem clear enough for us to suggest some lessons we might draw from the experience. And it also seems to be the right time to roll our coverage of COVID-19-related news into our ordinary coverage of cybersecurity: we conclude this series with today's story. 

Improvisation under pressure is difficult. Better to plan.

If there's one overarching observation to be made about the pandemic and its effects on cybersecurity, it's that improvisation under pressure creates unexpected challenges, risks, and opportunities.

We’ve seen that improvisation in organizations’ scramble to come up with ways of continuing to do business under conditions of lockdown and social isolation. We’ve also seen it in the need to protect the rapidly expanded attack surface remote work presents. The companies that provide the services and platforms necessary for remote work were also caught off-guard: Zoom’s very fast, very large success brought the company security and reputational problems it hadn’t prepared itself to answer. 

We’ve also seen improvisation at national levels as public health authorities in many country’s tried, with decidedly mixed results, to develop and deploy technologies that could trace contacts and monitor the spread of infection.

The US Cyberspace Solarium Commission argued that the principal lesson should be the value of preparedness, of sound advance planning and swift effective execution in the moment of crisis. The Commission’s co-chairs, Senator Angus King (Independent of Maine) and Representative Mike Gallagher (Republican, Wisconsin 8th) told the Washington Post they hope the US Congress draws the lesson that it’s important to prepare for a disaster before it hits. The Commissioners intend to issue an appendix tomorrow, June 2nd, they hope gives Congress an after action review of cybersecurity and the pandemic that will nudge lawmakers in the right direction. And that may represent an unexpected opportunity to avoid being caught short by failures to plan or simply by failures of imagination.

Crises are opportunities for disinformation, and for spontaneously arising misinformation.

Both constructive disinformation, propaganda that seeks to convince, and disruptive disinformation, propaganda that seeks merely to confuse, were on display during the pandemic. The former is much more in the Chinese, the latter the Russian, style.

Misinformation was also common, as the spontaneously generated craziness that saw 5G and its electromagnetic fields prompted cell-tower vandalism and spawned a small industry of crank products designed to ward off infection with wearable Faraday cages. These have a life of their own, as resistant to rational correction as delusions about chemtrails. They also afford useful opportunities for disinformation campaigns, especially the disruptive kind.

No one has any good ways of handling either disinformation or misinformation. Social media companies seem to have settled into some version of a marketplace of ideas to fight lies and delusions. It’s seemed unsatisfying, but it’s hard to see how they could do much better, especially at the scales on which they operate.

Crises force start-ups to grow up.

Whatever insulation from business reality plentiful venture capital and easy exits may have provided, the pandemic-induced downturn forced more start-ups to start acting like businesses.

And espionage doesn’t stop for crises.

Your crisis is the spy’s opportunity, and the spies know it.