Public health, one of the great 20th century ideas, has many instructive lessons for cyber security in the 21st. Let’s recap. Public health was defined by Charles-Edward Winslow in 1920 as:
“Public health is the Science and Art of preventing disease, prolonging life, and promoting health and efficiency through organized community effort for sanitation of the environment, the control of communicable disease, the education of the individual in personal hygiene, the organization of medical and nursing services for early diagnosis and preventive treatment of disease, and the development of the social machinery to insure everyone a standard of living adequate for maintenance of health, so organizing these benefits as to enable every citizen to realize his birthright of health and longevity”
While a lot has changed since 1920, including the use of the singular they, these statements still resonate today. The first statement mentions the interdisciplinary nature of the field. Cyber security truly is both an art and a science, which we will return to at the end of this blog. Let’s break down the key parts of Winslow’s definition:
This mission statement is comprehensive. It mentions both a preventative goal and a longevity goal: we need cyber security to not only be about preventing things but also encouraging the beneficial side effects of security for individuals, communities and marketplaces. The explicit reference to an organized community underlines the need for collective action. No matter how secure you may be as an organization or an individual, we work and play in a shared space. If that space resembles more the “Wild West” rather than an organized society, your experience will suffer irrespective of your own security posture. Winslow goes on to detail what needs to be done:
1. Sanitation of the environment
- Security Engineering, especially the definition and application of Secure Development Lifecycles to reduce software maintenance costs and increase reliability of software concerning software security related bugs.
- Community action, sharing of security-related information, timely action on take down requests, appropriate ingress and egress filtering to prevent malicious traffic.
2. Control of communicable disease
Hardening of systems to make the initial infection as difficult as possible (e.g., disallowing Macros, DDE-enabled documents, etc.) and in the eventual case of infection, to contain the spread as much as possible through segmenting the networks of key systems and monitoring for security events such as credential reuse.
3. Education of the individual in personal hygiene
People are often the weakest link in security, not only the individual who clicks on a phishing email, but the system admin who is responsible for patching and secure configuration of systems. Training and education which is essential for individuals to use the Internet safely – both at work and at home – is essential.
4. Organization of medical services for early diagnoses and preventative treatment of disease
The public and private sector need to work together in order for early signs of infection, e.g., destructive outbreaks like WannaCry or NonPetya, to be picked up and shared. The more collaboration there is, the better place we all are to limit the damage incurred by such incidents. Some public-sector organizations already provided comprehensive alerts, such as US-CERT.
Public health covers many different disciplines, just like cyber security. This stems from the important realization that there is not just one single focus area that is sufficient to improve public health. The success of vaccination programs, for example, depend on a wide range of disciplines. Cyber security, similarly, requires improvements not just in technical fields, although they are sorely needed! Politics, legal issues, regulations, economics, social organization all have a part to play. While we wrestle with the details in our daily work, it’s good to keep in mind the big picture.
Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows (now ReliaQuest).