Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. . . . What I spend a lot of time worrying about are things like pandemics. You can’t build walls to prevent the next airborne lethal flu from landing on our shores. Instead, what we need to be able to do is set up systems to create public health systems in all parts of the world, click triggers that tell us when we see something emerging, and make sure we’ve got quick protocols and systems that allow us to make vaccines a lot smarter.
This metaphor lines up with mantras that many security experts have been repeating for a long time: Do everything you can to avoid a breach, but know that breaches are basically inevitable, and be prepared to detect them and fight back when they happen. Detect problems as soon as you can, and share the intel so other people can fend off the same sort of attack.
The medical comparison works when you put it in the context of a single person’s immune system and institutional responses to outbreaks: definitely get the vaccine, but know that vaccines sometimes fail and your immune system can’t always fight off everything, so have treatments available; detect outbreaks early so you can treat them, and coordinate to research vaccines to stop the disease from spreading.
However, some experts say that line of thinking isn't a perfect fit.
“The health-care model is always dangerous, because it leaves you passive and reactive,” said James Lewis, a senior fellow focused on cybersecurity at the Center for Strategic and International Studies.
Diseases are a natural phenomenon, but cyberattacks aren’t, he added. “Your opponents are actual people who are nimble and can change tactics to respond to defensive measures much faster than the flu,” Lewis said.