As we can consider cybersecurity issues essentially being environmental health issues concerning the health of critical digital systems and all biological lifeforms, we need to discuss what a proper cybersecurity healthcare infrastructure might look like. I have discussed cybersecurity health infrastructure in part previously, so let’s revisit it now that I have had some time to ponder it and blog about relevant topics leading to this. We can also think about it from an environmental safety perspective.

I can recall a conversation I had with an emergency room physician while on a plane ride, and we began discussing some of my work in medical device security. Pacemakers have vulnerabilities. I asked him how he would be able to determine if the cause of death of a person with a pacemaker was or was not due to the pacemaker being wirelessly hacked. He stared at me with a dumbfounded look and simply stated he would have no idea how to make that determination. How many physicians would?

I asked the doctor if he felt that, as a medical professional, it would be a good idea to have the requisite knowledge to, at the very least, know how to go about performing proper forensics. He wholeheartedly agreed, which led to a discussion about how it would be necessary for forensic pathologists to participate in training programs that, along with a discussion of biological pathogens, include extensive discussions on digital pathogens.

Approaching topics like this is hard because it requires extensive planning and infrastructure. Creating an infrastructure for managing digital diseases and environmental disasters seems daunting. Getting enough people to agree on the criteria and parameters is time-consuming. Then you must overcome the politics and red tape of making it happen.

However, if we were to extend the purview of existing environmental health systems and other health systems to include digital health as a new discipline, it could work. It could be a shortcut, and we know this has been done before.  

As newer toxins and pollutants are discovered and proliferated, environmental protection agencies make necessary changes to the associated infrastructure to address such issues.  That approach also holds for the medical healthcare space, which trains medical professionals to deal with various healthcare issues as they arise. 

Agencies such as the Environmental Protection Agency (EPA) in the US work with the scientific community to develop and utilize tools and procedures to monitor factors such as Air Quality Index (AQI), which are implemented at Federal, State, and Municipal levels. The same holds for other nations. You can open the weather app on your smartphone and view this information in real time. 

Besides AQI, there are many other environmental health indicators that these agencies monitor utilizing multiple methods. One approach is a direct scientific analysis of the environment at a general level (e.g., the air we breathe). Another involves periodic checking of organizations that produce products that could be potential toxins. An inspector will go onsite to check records and take samples for analysis. Perhaps the most controversial would be direct reporting by people inside the organization, often called “whistleblowers.”  

For each of these methods, we would need a very objective method for assessing both the presence of these digital “toxins” (or perhaps potential digital toxins) and the environmental impact of a failure.

This is intersting topic as Arctic Security is one of the companies that provides tools to facilitate cybersecurity related environmental monitoring at a “public” level. Environmental monitoring agencies could indeed use such information to alert the general public of potential issues without publicly shaming offending agencies, which may be unaware they are putting the networked world at risk. 

As an environmental protection agency, the information gathered about specific organizations could be privately shared with the organization. Depending on the level of risk, they could present and implement a remediation plan. The environmental agency could follow up with a more thorough internal inspection. 

In some cases, the agency may need to call for an immediate cessation of network operations to prevent a very high-risk or imminent digital disaster. Additionally, the agency could use its tools to check a whistleblower report's validity objectively. Organizations could (and should) use such tools to monitor to be more proactive.

It is essential to have well-vetted tools to capture the information and adequately vetted environmental impact studies to determine the validity of any claims. Otherwise, such a system could be manipulated by adversaries. In the end, public opinion is a significant asset for most companies and should be considered when implementing environmental management procedures.

This is just one example, but you get the point. In a future posting, we could talk about some additional examples. Stay tuned.