It’s been a privilege to work with CyberGreen as we develop a science and discipline of Cyber Public Health. Today, I want to start with the why, explain how I’m thinking about it, and then talk a little about why I think public health will be a more important model than some of the alternatives. I’ll close with a little on where we’re going but, as they say, watch this space.

Why Public Health?

So, why Cyber Public Health? Well, the frame has been tremendously good for humanity. Over the last 150 years, our lifespans have doubled. It’s certainly complex to unwrap all the factors that contribute to that, but it’s hard to dispute that public health’s focus on measuring how long people live has made a large difference. Public health doesn’t stop there. It assesses what leads to a low-quality life: chronic diseases and ailments. It is foolish of us to not ask “what can we learn from those successes?”

Of course, we’ve been using health metaphors for a long time to talk about information computer cybersecurity. We talk about computer viruses and cyber-hygiene, without carefully exploring what’s there. For example, actual hygiene – keeping things clean- is a simple model. We have germ theory to explain why it works, it’s relatively easy to do, and people still have a hard time maintaining discipline to wash their hands with soap for 30 seconds. We know that because scientists in public health study it, rather than simply exhorting people to “be hygienic” and stopping there.

Understanding Public Health

My work in Cyber Public Health started over a dozen years ago. I was inspired by Steven Johnson’s book The Ghost Map, and named a project “Broad Street” in its honor. That project switched off the Autorun feature on hundreds of millions of Windows XP machines, and reduced the rate of malware spread by something around 1/4 to 1/3 of the malware. Our predictions about cleaning rates held for about a year, and then deviated. After that, I was inspired by the pandemic to delve back in.

More recently, in looking at Internet Infrastructure Health Metrics, we realized that there was a need for a framework and systematic analysis of what we might take from public health. To start that, we used a popular public health textbook as a framing device and asked “what can we learn from this?” and we learned a tremendous amount. 

I see this as a starting point — people in public health have been generous with their time, especially as they are somewhat distracted with the pandemic as we’re doing this work.

As we did that work, I was struck by how, well…vital… vital statistics are to public health’s conceptualization of problems. Vital statistics include births, deaths, marriages, and other facts about a population, and enable us to calculate information like prevalence and incidence of a condition. Prevalence is the fraction of a population with a condition at some point in time, and incidence the number of new cases. Measuring such things in information technology is hard. How many Android phones were built, sold, or activated last year? How long is one used? Without such numbers, our ability to assess priority for problems is limited, and scientific papers in leading security conferences will frequently cite analyst firms as justification for their work being important. It’s about the best we can currently do, but it’s not a good situation.

Another tool we’re investigating is the Health Belief Model. This model looks at why people take action for health reasons, and the various complex influences, including their perception of risk (seriousness and likelihood of disease), their perception of how difficult or risky a treatment might be, and other factors which help predict people’s choices. We’re working to adapt it to cyber, because we observe that many things that are “obvious” from a security perspective don’t result in people fixing them, from multi-factor authentication to keeping your enterprise patched.

Public Health versus…

There are a lot of metaphors in security. Many people look to military or criminological models, arguing that because we have active, (and sometimes intelligent) adversaries, those models make the most sense. This is wrong. There are many places where people compete in zero-sum games, and there’s no reason to think that either military or criminological models will work well. More importantly, computers have functions outside the realm of conflict, and the engineering, economic and other choices we make as we build and deploy systems are fundamentally driven by those needs. If we design our computers like we design tanks, we’ll get things as expensive and unwieldy as tanks, and maybe as effective when we get to conflict as tanks are proving to be in Ukraine.

Public Health as a Future path

As a frame, public health offers great promise. It is reasonable to ask about its strengths and weaknesses, its limits and differences. We are early, but in a world in which ransomware is on the rise and breaches are a daily occurrence, we have little to lose and much to gain by exploring new frames for our work.