Computer experts and designers have often used biological and public-health-related metaphors to describe various functions of, and threats to, computers and computer networks. Computer systems are often viewed in terms of “wellness,” with assessments about the “health” of the system being an important consideration. Malicious attacks on computers and networks often take the form of “viruses” and “worms;” computers which are affected by such malicious agents are considered to be “infected.”
Human populations on the large scale are often considered in terms of “public health,” and there are innumerable public and private organizations devoted to ensuring the stability of the public health. There is a wealth of regulatory oversight and legislative power that affects the domain of public health, and state and federal governments often have the authority to compel individuals or groups of people to submit to certain treatments or inoculations, or in extreme cases submit to quarantine, in the event of a public health crisis such as an outbreak of a communicable disease.
The applicability of biological models and public-health metaphors to the domain of computers and computer networks raises the question of just how far the comparison goes. Can the same approaches used in the domain of public health be used to prevent or respond to malicious attacks on computers and network systems? This paper argues that, while many of the comparisons are apt, they are not direct correlates. There are some aspects of public health regulation and law that have parallels in the realm of cyberspace and cybersecurity; overall, however, the two domains are dissimilar enough that each requires its own regulatory and legislative structure.
In March 2013 South Korea suffered a massive cyber attack. The nation experienced a wide range of issues related to the attack; the most severe effects were on banking and other economic-related systems. ATMs froze up, online accounts were frozen, and networked point-of-sale systems were rendered inoperable. The culprit behind these attacks has not yet been identified, but some cybersecurity experts are pointing fingers at the nation of North Korea, which has been accused of mounting such attacks on South Korea in the past. This attack highlights once again the seriousness of cybersecurity and the threats posed by such attacks. Cybersecurity experts charged with preventing these and other types of attacks have often framed the issue in the same context as that used for biological emergencies, and use much of the same language to discuss the nature of, and responses to, such attacks. Terms such as “virus,” “worm,” and “symptom” are in many ways as applicable to cybersecurity as they are to issues related to public health emergencies. This paper will examine this conceptual framework, and discuss the ways that the same sorts of regulatory and legal structures that are used in dealing with public health emergencies can be used to frame discourse related to cybersecurity.
- The Applicability of Biological Metaphors to the Issue of Cybersecurity
Computer systems have always been vulnerable to a variety of problems. The term “cybersecurity” conjures up images of malicious attacks from outside sources, but computers are also vulnerable to flaws in their design, faulty software, and other issues that do not have a malicious origin. Where the threats against computer systems from outside sources are concerned, however, it has long been common among those in the field to use biological and public-health-related metaphors to discuss these threats. Health-related and biological metaphors are apt not only in terms of security against outside attacks, but also in terms of considering the “wellness” or proper functioning of a computer system, just as “wellness” is apt for consideration of the functions of a biological system. There are other metaphorical frameworks that can be used to discuss computer systems and cybersecurity, and some of them will be discussed in the context of the larger discussion about biological metaphors as they relate to computer systems.
In order to properly discuss the issue of cybersecurity, it is first necessary to define the potential threats to computer systems that cybersecurity is ostensibly intended to avoid. Sandia National Laboratories, which is a primary contractor to the U.S. Nuclear Regulatory Agency, offers three primary areas in computer systems that must be protected against attack:
- Confidentiality—privacy of information and communications. In government this might mean, for example, assuring access to classified information only by authorized individuals. In commerce, it might mean the protection of proprietary
- Integrity—assurance that information or computing processes have not been tampered with or destroyed. In the case of critical infrastructures (say, for example, the power grid), loss of data integrity could take the form of destructive instructions to the system resulting in financial, material, or human losses.
- Availability—assurance that information or services are there when needed. Denial of service attacks, which overload system servers and shut down websites, are examples of interfering with availability.
(Karas, Moore, and Parrott, 2008, p26)
After consideration of the main functions of computer systems in terms of vulnerability, the next step is to consider the specific ways that computers are targeted. It is in this context that the biological metaphors for computer attacks are most apt, as many of the primary types of attacks have been framed in a biological context. One of the most common ways in which computers are attacked is with computer viruses, which are self-replicating programs that attach themselves to other programs within a system and typically cause some form of damage to the system (Mishra and Na, 2010, n.p.). Viruses are particularly troublesome for personal computers, many of which do not have adequate protection against such intrusion. PC-based computers have been particularly vulnerable largely due to their sheer ubiquity. Marchette (p215) refers to the idea of “death by monoculture,” noting that “the homogeneous environments are particularly susceptible to infection.” This concept too has a parallel to the biological realm, where heterogeneity and genetic diversity are key components of ensuring the health of a given population.
Computer worms are another means by which computer systems can be attacked, and another form of attack that has a biological name. Worms are similar to viruses; the most significant difference is that viruses typically affix themselves to other programs, whereas worms are generally standalone, self-replicating programs (Mishra and Pandey, 2011, n.p.). In either instance, and in the case of a number of other ways that computer systems are vulnerable, the biological metaphor provides a readily-understandable means of framing the way that these attacks function, and the way that the computer systems respond to such attacks.
Because viruses and worms are typically spread from one computer to another, the use of biological metaphors continues to be appropriate. Cybersecurity experts consider the spread of a computer virus in the context of epidemiology, and consider the ways to contain the spread in ways that are quite similar, in conceptual terms, to the methods used to contain an outbreak of disease in a human population (Saini, 2011, n.p.). In this context, computers that are targeted by a virus are considered to be infected, and the computers function as host environments for the virus. Computers that are not adequately protected against attack are considered to be susceptible, and as is the case with a biological virus, computer viruses need adequate contact with a host in order to attach themselves to that host and begin to replicate and spread. The rate at which computer viruses spread is referred to as the birth rate, and once a computer is rid of a virus it is considered to be cured.
The biological metaphor extends beyond the computer systems to the larger environments in which these systems function. Cybersecurity experts consider the overall wellness of individual computers and the networks in which they operate (Karas, Moore, and Parrott, p26). Protecting these computers and networks against attack is, conceptually speaking, not unlike protecting human populations against attack from disease or other biological agents. Such attacks can occur naturally, or they can take the form of a terrorism-related attack, wherein the harmful agent is introduced into the human population purposefully. This latter scenario may have more direct parallels with the arena of cybersecurity, as the term “cybersecurity” typically refers to the functions related to protecting computers and networks against purposeful attacks (Mulligan and Schneider, n.d., n.p.).
- Structural Response to Public Health Threats
The United States has a number of governmental and public-sector organizations and agencies whose responsibility it is to monitor and respond to potential public health risks. Among these are such agencies as the U.S. Department of Health and Human Services (DHHS) and organizations such as the Centers for Disease Control and Prevention (CDC). Such organizations are charged with a variety of tasks related to public health issues. The DHHS, for example, has oversight for a number of areas, including the provision of health-care related services for millions of Americans. The DHHS also collects a range of data about health-related issues, from chronic illnesses to communicable diseases.
The CDC operates in some overlapping areas with the DHHS; one of its primary responsibilities is to monitor the nation for outbreaks of various diseases, with an eye towards understanding when such outbreaks threaten to become epidemic and spread to large numbers of people (DHHS, n.d.). The CDC is further responsible for keeping the public informed about the possibility of epidemics or smaller-scale outbreaks of disease, and for disseminating the necessary information to the public regarding the provision of medical aid in such instances. In circumstances where a disease threatens to, or does, spread to large numbers of people, the CDC is one of the organizations that help to coordinate the response to such an outbreak, including the treatment or quarantining of the affected population.
One of the first lines of defense in public health is comprised of the various systems used to provide monitoring and surveillance of public health, and to watch for unusual occurrences of disease or other health-related issues. Included in this surveillance system are those components that guard against other potential threats to public health, such as terrorist attacks. In cases related to disease, the surveillance and monitoring is generally based on the “syndromic surveillance” model (DHHS). Syndromic surveillance involves a wide range of actors within the public health system. Such surveillance includes the tracking of data related to patterns of disease on the large scale, as well as monitoring data involving specific incidents of disease that are outside the statistical norm for their type. The increasing use of electronic storage and transfer of health-related data has made this task more efficient and effective in recent years, a trend that is likely to continue in the future.
The Public Health Emergency Response Guide published by the DHHS offers a discussion about how syndromic surveillance works in real-world terms. An outbreak of West Nile Virus occurred in the United States in 1999; this was the first time the virus had been identified in the Western Hemisphere. Routine syndromic surveillance conducted in and among several health-care-related organizations in New York State quickly discerned that the virus was present by identifying statistical data that was outside the norm. The rapid identification and subsequent response to the outbreak allowed public health organizations to respond to the problem before it could develop into a full-blown epidemic. Through a concerted effort that involved medical responses as well as a public awareness campaign, the potentially epidemic outbreak was quickly contained and the negative effects of the virus were, at least for the time, minimized.
The CDC participates in a number of public-health surveillance programs, such as the Early Warning Infectious Disease Surveillance Project (EWIDS). The EWIDS project focuses specifically on the national borders between the U.S. and Canada and the U.S. and Mexico. The EWIDS project is designed to monitor the border regions of the U.S. for indications of infectious diseases that are naturally occurring as well as those that may be related to acts of bioterrorism. While the specific details of disease outbreaks may differ between those that are naturally occurring and those that are caused by a purposeful terror attack, the need to monitor for such outbreaks as well as the potential responses to outbreaks of either sort would likely share many similarities. In either case, the CDC’s primary responsibilities would be to contain the possible spread of any such infectious disease and to treat those members of the public who were affected by it.
Once an outbreak (or potential outbreak) is identified, it is the role of epidemiologists to tackle the issue. After the outbreak has been identified, epidemiologists begin an in-depth investigation of the problem. This investigation includes efforts to assess the extent to which the disease has spread, not only in terms of the number of people affected, but also in terms of the geographical area affected by the disease. The investigation involves a number of different disciplinary approaches, from those who are tasked with conducting interviews with affected populations to health-care and medical practitioners who coordinate and provide treatment to those who are affected. It is at this stage that law enforcement agencies often become involved, especially if a terrorist attack is suspected. Even in instances where the outbreak is believed to be from natural causes, there are a variety of legal and regulatory implications involved in dealing with the circumstances of the outbreak of a disease.
- Legal and Regulatory Frameworks for Threats to Public Health
There is a broad range of regulatory and legal guidelines and restrictions that affect the domain of public health. Just as there are agencies and organizations that are designed to respond to outbreaks of disease and other public health crises, there are also organizations and agencies whose role it is to promote public health through prevention and wellness initiatives. There is a clear public interest in the promotion of a healthy population; at the same time, there are a number of significant factors to consider about the role of government and regulatory bodies in the promotion of public health. Any effort to compel members of the public to comply with certain restrictions or requirements must be balanced with a sense of social justice and an acknowledgement of the rights of individuals to make their own choices about health care and medical treatments. This is, by its nature, a subject that is fraught with controversy and disagreement, and many programs and initiatives intended to promote or ensure public health are often met with opposition.
The power of the state to enforce public health initiatives has been upheld and expanded considerably over the last century (Kinney, 2002, n.p.). The contemporary structure of public health regulations has its basis in the changes brought about by the Industrial Revolution. Rapid urbanization and technological advances brought people together in large numbers, a situation that served to promote the spread of disease while also leading to discoveries about how to treat and cure many communicable diseases. As the understanding of germ theory, vaccinations, and methods to prevent and treat disease were developed, so too did efforts develop to require the public to participate in public-health initiatives. By the second half of the 20th century the federal government had developed programs such as Medicare and Medicaid that provided health care to many citizens; this meant an increasing role for the federal government in promoting and maintaining public health.
Concurrent with the expansion of the government’s role in promoting health care, new regulatory agencies and organizations were developed to oversee health and safety in the workplace and to control and contain environmental damage caused by industry. The 20th century also saw the advent of local, regional, and state health departments that coordinate health care among many members of the population, and the development of regulations that compelled most members of the population to undergo compulsory vaccinations and inoculations against certain common diseases (Kinney). Other laws and regulations developed during the 20th century gave the federal government (and, by extension, the states) the authority to enforce mandatory quarantines and take other measures in cases where outbreaks of disease present threats to the public.
The amount of legislation at the state and federal levels that deals with issues about public health is staggering. It is beyond the scope of this discussion to detail them at any length here, though it will be helpful to briefly discuss some key ways in which the government asserts its influence over the public health. The state has the authority to prohibit, limit, or control the use of certain substances (illicit drugs, alcohol, tobacco, etc.) that are considered to be harmful or potentially harmful. The government can and does compel most citizens to submit to prophylactic inoculation against a number of communicable diseases; the courts have decided that the individual right to decline such inoculations is outweighed by the public interest in avoiding the spread of such diseases (Kinney). In extreme cases the government has the legal authority to quarantine individuals or groups of people who have been exposed to communicable disease, or are otherwise considered to pose potential threats to the rest of the population (NCSL, 2010, n.p.). In 2010 the law granting the power to quarantine citizens was amended: the DHHS had been the department vested with such authority; it was changed to grant such power to the Department of Community Health (DCH) (NCSL, n.p.).
Though there are myriad ways in which the federal, state, and local governments can and do involve themselves in the promotion and maintenance of public health, there are several key areas in which this legal oversight may be suitable for providing a contextual framework in which an issue such as cybersecurity might best be discussed. If one of the primary concerns related to cybersecurity is the issue of attacks by outside forces that are designed to introduce a malicious agent, such as a computer virus, into a computer system, it could be argued that this has a fairly direct correlation to a terrorist attack that uses a biological agent as a weapon. The targets are either people or computer systems, depending on the circumstances, but the overall functions are quite similar. Like the issue of protecting a computer system against such attacks, public health officials are tasked with not just responding to, but hopefully preventing (at least in as many cases as possible) such attacks on the population.
The prevention of disease and the response to disease after an outbreak, then, are the two areas in which the role of public health organizations most directly corresponds to the roles of those who are responsible for preventing and responding to computer attacks. In the realm of public health, the government has broad latitude to compel individuals to submit to vaccinations and inoculations. In the instance of disease outbreaks, the government has similar latitude where the enforcement of quarantines is concerned. If consideration is to be given to the idea that regulations and responses to disease in the human population can or should have direct parallels in the realm of computer systems and cybersecurity, many of the same issues and questions that underpinned the development of government’s role in public health must be considered and asked before similar approaches can be applied to the realm of cybersecurity.
- Applicability of Public Health Framework to Cybersecurity
Cybersecurity and cyberterrorism are considered to pose significant challenges to computer experts in the coming years (Mulligan and Schneider). The recent attacks on South Korea’s computer networks, as well as a recent DDoS attack against a private website that resulted in slowdowns for Internet users around the world, clearly demonstrate the vulnerability of the world’s computer systems and networks. The U.S. Department of Homeland Security (DHS) is rightly concerned about the threat of computer-related terrorist attacks, and cybersecurity is one of the areas in which the DHS exerts its authority. If biological models and public health serve as functional metaphors for understanding how computer systems operate and the ways in which they are vulnerable to attack, it seems reasonable to consider whether the same sorts of structural, regulatory, and legal constructs that are applied to the arena of public health can serve as appropriate frameworks in which to address issues related to cybersecurity.
As it stands now, the rules and regulations governing cyberspace are different from one country to the next, with some nations enforcing strict and tight controls over their nation’s access to the Internet and others allowing relatively unrestricted freedom of access (Andreasson, 2012, n.p.). In the United States, the prevailing sets of laws and regulations that govern the use of and access to the Internet have largely been developed by building upon existing legal frameworks, such as those pertaining to telecommunications, interstate and intrastate commerce, and other such areas (Andreasson). A 2010 conference at the United Nations highlighted the difficulties inherent in developing regulatory and legislative systems to deal with the Internet and cybersecurity; the Internet is not a singular entity that can be easily controlled; it is a combination of hardware and software functions the purview of which lies both in public and private hands (Andreasson). Even if the nations of the world were to all agree on a consistent set of standards for regulating the Internet, it would not be possible for government alone to enforce such regulations.
There is a conundrum at work in this dynamic; both the public and private sectors have a shared vested interest in addressing issues related to cybersecurity. Concurrent with that shared interest, however, is a mutual distrust. Private industries, for example, have an interest in ensuring that trade secrets related to their uses of technology or their products and services remain protected, and are naturally suspicious of any regulatory measures that could threaten such secrets. Governments, by contrast, may be concerned about the manner in which this or that industry sector or individual business is utilizing technology, especially if those concerns, rightly or not, are connected to issues of cybersecurity. This tension between the shared interests and the opposing interests of the public and private sector creates an environment in which the application of consistent, effective, and reasonable regulatory measures may be difficult or even impossible to construct.
Just as there are a number of biological metaphors that are applicable to the understanding of computer systems and how they can be attacked, so too do biological metaphors serve to describe the prevention of or responses to such computer attacks. Computer systems can be inoculated against attacks from computer viruses through the use of virus-protection software. Once a computer or a network has been attacked, the first order of business is to quarantine the affected computer or other parts of the network. Such quarantining is done to contain the virus or other malicious agent and attempt to stop it from spreading. Once a computer has been infected it must be treated to remove the malicious agent, just as a human patient would receive medical treatment after contracting an infectious disease.
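The epidemiological vocabulary used earlier in this paper (susceptible, infected, birth rate, cured) and the inoculation and quarantine measures described above can be put into a small compartment model. The Python sketch below is an added illustration, not code from this paper or from the models it cites; the class and function names and every parameter value are constructed assumptions.

```python
"""Discrete-time compartment model of malware spreading across a network.

Added illustration only: names and numbers are constructed assumptions,
not taken from the paper or the models it cites.
"""
from dataclasses import dataclass


@dataclass
class Outbreak:
    hosts: int = 10_000           # machines on the network
    initial_infected: int = 10    # hosts infected at step 0
    birth_rate: float = 0.5       # new infections per infected host per step
    cure_rate: float = 0.1        # share of infected hosts cleaned per step
    quarantine_rate: float = 0.0  # share of infected hosts isolated per step
    inoculated: float = 0.0       # share of hosts protected beforehand

    def __post_init__(self):
        if not 0.0 <= self.inoculated <= 1.0:
            raise ValueError("inoculated must be a fraction between 0 and 1")
        if self.cure_rate + self.quarantine_rate > 1.0:
            raise ValueError("cure_rate + quarantine_rate must not exceed 1")


def reproduction_number(o: Outbreak) -> float:
    """Expected new infections caused by one infected host at step 0."""
    susceptible = (o.hosts - o.initial_infected) * (1.0 - o.inoculated)
    removal = o.cure_rate + o.quarantine_rate
    if removal == 0.0:
        return float("inf")
    return o.birth_rate * (susceptible / o.hosts) / removal


def simulate(o: Outbreak, steps: int = 200) -> dict:
    """Run the model and return peak, cumulative and final compartment sizes."""
    healthy = o.hosts - o.initial_infected
    s = healthy * (1.0 - o.inoculated)   # susceptible
    i = float(o.initial_infected)        # infected and still spreading
    q = 0.0                              # quarantined: infected, no contact
    c = healthy * o.inoculated           # cured or inoculated (immune)
    peak, ever = i, i
    for _ in range(steps):
        # Infection needs contact between an infected and a susceptible host.
        new_inf = min(s, o.birth_rate * i * s / o.hosts)
        isolated = o.quarantine_rate * i
        cured_i = o.cure_rate * i
        cured_q = o.cure_rate * q
        s -= new_inf
        i += new_inf - isolated - cured_i
        q += isolated - cured_q
        c += cured_i + cured_q
        peak = max(peak, i)
        ever += new_inf
    return {"peak_infected": peak, "ever_infected": ever,
            "susceptible": s, "infected": i, "quarantined": q, "cured": c}


def compare() -> dict:
    """Same outbreak under three policies: none, quarantine, inoculation."""
    scenarios = {
        "baseline": Outbreak(),
        "quarantine": Outbreak(quarantine_rate=0.5),
        "inoculation": Outbreak(inoculated=0.9),
    }
    return {name: {"r0": reproduction_number(o), **simulate(o)}
            for name, o in scenarios.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} R0={result['r0']:.2f} "
              f"peak={result['peak_infected']:.0f} "
              f"ever infected={result['ever_infected']:.0f}")
```

In this sketch the outbreak dies out whenever the reproduction number falls below 1, which quarantine achieves by removing infected hosts faster and inoculation achieves by shrinking the susceptible pool.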
According to Bayuk (2012, p8), U.S. “cybersecurity policy includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement…(related to) diplomacy, military operations, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.” This policy outline does not contain a set of across-the-board regulations, however, and merely expresses the policy position of the U.S. government. The government has established a clear interest in ensuring the stability and safety of the infrastructure of the Internet, but the laws that govern activities on the Internet, and that potentially prevent or respond to cyberattacks, are still rather ad hoc.
The problem with attempting to apply the same sort of structure that is used to deal with public health issues to the Internet is that there are real and significant differences between a human population and a computer system. The decision to quarantine a person or group of people to contain a biological threat is within the purview of government authority, but is not a decision that is made lightly. Studies have shown, however, that a majority of citizens have expressed their willingness to submit to voluntary quarantine in the event of a biological outbreak. In issues relating to cybersecurity, it would likely be in the best interest of those who control affected systems to submit to voluntary quarantines or other measures to protect their own systems from further harm and to prevent the spread of infection to other systems.
The Internet, and the threats posed to those who use it, is not easily regulated or controlled. Any efforts to shut all or part of it down for any reason, including in the event of an attack, would likely have significant economic consequences and cause other problems, as Internet communication is now a fundamental component of business activity. It may be possible to frame the discussion about cybersecurity in terms of biological models and public health, but extending the same regulatory and legislative oversight to the Internet will likely be a difficult, or even impossible, proposition. The sheer scope of the Internet would make it enormously difficult to truly isolate and quarantine systems effectively enough without disrupting the entire system. Enforcing the inoculation of private systems is largely unnecessary, as those with an interest in protecting their systems would undertake such inoculation voluntarily. To the extent that the Internet is akin to a living organism, it is an organism that has quickly outgrown the confines of its creators, and regulations and laws pertaining to it will, at best, be struggling to keep pace with it for the foreseeable future.
Andreasson, K. J. (2012). Cybersecurity: Public sector threats and responses. Boca Raton, FL: CRC Press.
Bayuk, J. L. (2012). Cyber security policy guidebook. Hoboken, N.J: Wiley.
Centers for Disease Control and Prevention (CDC) (2001). THE PUBLIC HEALTH RESPONSE TO BIOLOGICAL AND CHEMICAL TERRORISM: INTERIM PLANNING GUIDANCE FOR STATE PUBLIC HEALTH OFFICIALS. Retrieved from http://emergency.cdc.gov/Documents/Planning/PlanningGuidance.PDF
Cerf, V. G. (2011). Safety in Cyberspace. Daedalus, 140(4), 59-69.
Gross, D. (2013, March 27). Massive cyberattack hits Internet users – CNN.com. Retrieved from http://www.cnn.com/2013/03/27/tech/massive-internet-attack
Karas, T. H., Moore, J. H., & Parrott, L. K. (2008). Metaphors for Cyber Security. Retrieved from Sandia National Laboratories website: http://www.evolutionofcomputing.org/Multicellular/Cyberfest%20Report.pdf
Kinney, E. (2002, November 30). The Evolution of Public Health Regulation. Retrieved from http://academic.udayton.edu/health/syllabi/bioterrorism/4phealthlaw/PHLaw00k.htm
Lawson, S. (2012). Putting the War in Cyberwar: Metaphor, Analogy, and Cybersecurity Discourse in the United States. Retrieved from First Monday website: http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3848/3270
Lowenstein, D., & Na, R. (2011, June 21). Cyber security: Wicked problems, messes and metaphors | ZDNet. Retrieved from http://www.zdnet.com/news/cyber-security-wicked-problems-messes-and-metaphors/6250342
Marchette, D. J. (2001). Computer intrusion detection and network monitoring: A statistical viewpoint. New York, NY: Springer.
Mishra, B. K., & Jha, N. (2010). SEIQRS model for the transmission of malicious objects in computer network. Applied Mathematical Modelling, 34(3), 710–715.
Mishra, B. K., & Pandey, S. K. (2011). Dynamic model of worms with vertical transmission in computer network. Applied Mathematics and Computation, 217(21), 8438–8446.
Mishra, B. K., & Pandey, S. K. (2012). Effect of anti-virus software on infectious nodes in computer network: A mathematical model. Physics Letters A, 376(35), 2389–2393.
Mishra, B. K., & Pandey, S. K. (2010). Fuzzy epidemic model for the transmission of worms in computer network. Nonlinear Analysis: Real World Applications, 11(5), 4335–4341.
Mulligan, D. K., & Schneider, F. B. (n.d.). Doctrine for Cybersecurity. Daedalus, 140(4), 70.
National Conference of State Legislatures (NCSL) (2010, August). State Quarantine and Isolation Statutes. Retrieved from http://www.ncsl.org/issues-research/health/state-quarantine-and-isolation-statutes.aspx
Saini, D. K. (2011). A mathematical model for the effect of malicious object on computer network immune system. Applied Mathematical Modelling, 35(8), 3777–3787.
U.S. Department of Health and Human Services (2007). Public Health Response. Retrieved from http://www.phe.gov/emergency/communication/guides/leaders/Documents/freo_section02.pdf