Dr. Luis Kun was the chief editor of these sessions.  For the next year, discussions were held among members of a team, culminating in the publication of The Internet Health Model for Cybersecurity, an EWI report which examines the possibility of applying a public health model to cyberspace.

Dr. Kun is currently Professor of National Security Affairs at the Center for Hemispheric Defense Studies (CHDS) of the National Defense University. He spoke with EWI’s Thomas Lynch about his role in shaping the EWI report on the Internet health model and what conclusions can be drawn from that process. Excerpts:

How did you become involved originally with EWI’s cybersecurity work?

EWI’s chief technology officer Karl Rauscher has known me from many years from the IEEE.  I happened to be a biomedical engineer who worked about 14 years with IBM, so I was very much involved right after finishing my career with UCLA in medical or public health informatics.  I work at the intersection of these two powerful fields: cyberspace, in which pretty much every sector of the world economy is involved, and then healthcare and public health, which is one of those major sectors. I put together several special issues of the IEEE Engineering in Medicine and Biology Society that dealt with three major topics: Bioterrorism (Jan./ Feb. 2002) , Homeland Security (Sept./Oct. 2004) and Protection of the Healthcare and Public Health critical infrastructure (Nov./Dec. 2008).

What insights have you gained from this background in cybersecurity and public health?

In critical infrastructure protection, all sectors are interdependent. If something happens for example to the water, the food, or the agriculture, public health will suffer the consequences.  It’s very important to understand all of these interdependencies because, for example, if you don’t have electricity or telecommunications, the healthcare of the public could be at stake as well.

The healthcare system through the years has developed ways of dealing with global health problems.  Although any health crisis is local for someone, it also has  (or will have) a global impact; global crises on the other hand have a local impact as well, so it goes both ways (from local to global or from global to local).  And in so many ways there is a resemblance to cyberspace, where many times different sectors have solutions that other sectors are completely unaware of. This leads to wasting a lot of time reinventing the wheel, spending resources, when some of these same solutions could be applied.

What’s the principle purpose of the paper then? To outline solutions to cyberspace challenges in the existing public health model?

Right. It’s pretty much thinking from a public health perspective, how could we solve cybersecurity problems with the rubric of a public health system. You have organizations like the World Health Organization that collect, analyze and disseminate information, making sure that the silos of excellence that we have all over the world are interconnected.  And then there were different pieces that I used from that model, performing functions similar to epidemiology and medical surveillance. Cybersecurity has many parallels: monitoring sick people, education, immunization, quarantining, incident response, etc. 

After the SARS public health crisis of 2003 we learned that Public Health (PH) needed an Information Network (PHIN) to face a “New Normal.”  The 3 main ideas behind it were globalization, connectivity and speed.  The response requirements for the PHIN called for: fast detection, fast science, fast and effective communications, fast and effective integration and fast and effective action

The paper goes over a lot of ways that the public health model applies to the Internet and cybersecurity.  What are the limits to that and what are the major differences between the public health system and ensuring security in cyberspace?

There was a wide variety of people involved in the paper and different individuals had different views of what the real problem was. I tend to look at all problems in a holistic way.  For example, when you talk about threats for the policemen they tend to be guns and knives, for the fireman they tend to be smoke and fire, for physicians they tend to be bacteria and viruses.

So when you use that construct you start realizing that, depending on who you’re talking to, you’re going to have very different threats in mind. In our case some only see certain sectors. For example, many see network security as posing the greatest threat. Although networks are important, from my perspective the critical infrastructures of the different sectors are much more important than networks per se. All sectors use cyberspace, but they use it differently. So a bank will not use it in the same way as a hospital, or the people controlling the gates of a dam, or those who are producing hydroelectric power.

A cyber attack can come from anywhere in the world including from within an organization or a country.  Usually when you get sick you start showing certain symptoms that sometimes are miss-read.  In some instances you may already have some disease for which you have not developed yet any symptoms.  This could be similar to a computer that already has a virus which has not been activated….yet.   In terms of limits with a disease the best way to prevent someone from becoming infected is physical isolation.  In the case of a computer system, you may be by yourself at home but your system may already have a program that could be activated at a certain time of a certain day; if you happen to be connected to others with whom you may be sharing files or certain types of information you can be unknowingly passing the problem to others around the world.

So in a health system everyone is more or less on the same page in terms of what the challenges to that system are?

To a certain extent, but the problem is that 85 to 90 percent of the critical infrastructure in the United States belongs to the private sector, and yet those that protect tend to be the public sector. So if these two sectors don’t communicate you’re going to have a problem.

When you look at that same issue in public health, you have the World Health Organization. They advise every country about what’s going on. And to a certain extent this is what we need in cybersecurity.  We need some sort of WHO, not just for the Internet, but also for IT and for cyberspace. We tend to focus more on Internet than anything else, but the Internet is not the only network that exists. 

What’s an example of how the public health model can lead to new kinds of thinking in cybersecurity?

In the case of some of the big problems, like the 2009 H1N1 influenza pandemic, you need to start thinking about who is going to do what if the people who deliver solutions start getting sick.  The issue is not just for a mother to come home with her children vaccinated, but rather, once you get home, how do you assure yourself that your children and your whole family will have electricity, water, food, etc?  In order to do that you have to vaccinate not only the children but those that provide you with the essential services, which in some ways is a continuity of operations and of services that are needed for the nation to function as such.

Ultimately, this paper emphasizes the issue of looking at a problem holistically and through the lenses of multiple disciplines—as a system and not as independent boxes. 

For further information on how the global community can co-create solutions to these challenges, visit the website for the EastWest Institute’s 3rd Worldwide Cybersecurity Summit in New Delhi, to be held on October 30-31, 2012.