Could fighting coronavirus compromise cybersecurity?

The COVID-19 pandemic has become a sobering experience in many ways. We are witnessing firsthand the negative impact that a fragmented national public health system has on our safety, health and economy. 

Social isolation has become a stark reality and necessity for people around the globe, including here in the United States. While social distancing has become the operational approach to slow down the spread of the COVID-19 virus (or at least flatten the infection curve), this isolation has ripple effects across other components of our lives. A vast number of people will telecommute and work from home. Schools at the K-12 and university levels are instructing students to stay away from campus and suspending face-to-face teaching. Faculty are moving all classes online. The entertainment and sports industries are canceling events and premiers, and restaurants and bars are closing. Major studios are rushing to push content to streaming services; the list will continue. 

While these responses are prudent, the result is that more of our daily routines are dependent on the internet, internet technologies and telecommunications. This strategy to move to the online cyber and virtual realm, at least in the interim, is happening with no real thought about the cybersecurity implications.

Historically, cybercriminals have used crises to increase criminal activity and scams related to stealing personally identifiable information, as well as financial and personal health Information to defraud victims. Foreign actors have spread disinformation and attempted to disrupt recovery operations as a means of causing more chaos. The same thing is happening and will continue to happen with the COVID-19 crisis. 

We already see cyberattacks against the U.S. Health and Human Services Department, and similar attacks in Europe. Scammers are sending fake emails and setting up fake COVID-19 health information websites, trying to phish user IDs and passwords. Other scammers are pretending to raise money to assist with replacement lunch programs for students or the isolated elderly. No one should be surprised to see a jump in cyber-criminal activity, as these people are opportunistic. We find ourselves in the perfect storm for cyberattacks.

Increased cyberattacks are not the only ripple effect we could see. The telecommunications and mobile network operators’ critical infrastructure must absorb an exponential increase in demand, with little or no ramp-up time. Similar to the public health system, these industries are fragmented and equally unprepared or capable across companies and regions. Internet and mobile network operators will find their resources pushed to the maximum. 

We need only to look at recent natural disasters such as floods and tornadoes to see how fragile this infrastructure is. The ability to communicate either via email or mobile phone with emergency services, loved ones or the media to get information disseminated is essential during a crisis and the ensuing recovery period. 

Social isolation will put a significant burden on the telecommunications and mobile network infrastructure. We will now have millions of people working from home using local or regional providers to connect to company networks. K-12 and university students are trying to resume their studies online using e-learning, placing more burden on networks and the infrastructure. People will increase their use of streaming media for news and entertainment purposes, including on their mobile devices. 

This increased demand will also not follow the regular demand cycles, at least in the foreseeable future — school time, the typical workday and leisure activities no longer have rigid schedules; they will be somewhat blended together. This lack of regular routines could potentially magnify the demand and further negatively impact bandwidth and availability.

We must understand that with our increased dependence on technology and cyber, there are increased risks that we need to be aware of and plan for. Governments, businesses and schools need to provide some direction and advice to the general public on how to follow not only appropriate “anti-COVID-19 hygiene” but also “cybersecurity hygiene.” 

Since networks will now be extended to homes during this time, similar cybersecurity policies, practices and standards that someone would adhere to if they were physically sitting at work or school need to apply.

We may also need to consider metering our online behavior to essential activities such as those related to our work, education or critical communications, or at the very least following the more regular rhythm of the day — routine work or school hours.

We will learn many lessons from the COVID-19 pandemic, and the cost will be high in terms of lives and the economy. Hopefully, when we come out on the other side of this crisis, we will also have a better understanding of how to protect our critical infrastructures and the real risks of living even deeper in cyberspace.

Dr. Marcus Rogers is a professor and executive director of cybersecurity programs at Purdue University; he has over 25 years of experience in public- and private-sector consulting in the area of information technology security, and has consulted for the military, law enforcement and for some of the largest financial and health care providers in the world.