How avian flu could threaten IT security

Experts say a potential bird flu pandemic could have a disastrous effect on IT infrastructures. But if companies plan well, those infrastructures could also help minimize chaos.

Not all the viruses that threaten computer networks come from cyberspace. Health and information security experts say if avian flu ever becomes a human pandemic, it could have a disastrous impact on IT infrastructures.

"In the event of a widespread outbreak, the economic effects could be severe, affecting just about every sector and region," said Sherry Cooper, a global economic strategist for Canadian financial services firm BMO Nesbitt Burns Inc. The information security community is as threatened as everyone else, said Cooper, who last week issued a report (pdf) on the potential economic ramifications of a global outbreak.

Forced destruction

Known as H5N1, avian flu has killed at least 65 people in four Asian countries since 2003. It has also killed or forced the destruction of tens of millions of poultry.

Today, it's mainly a bird killer and can't easily be passed between people. Those infected so far have been poultry workers and those living among infected farm birds.

But health experts fear the virus is mutating and will someday gain the ability to pass easily from person to person. When that happens, a deadly pandemic could be at hand. If the disease ever spreads through the U.S. population, the government estimates up to 2 million Americans could die while millions more would be hospitalized, according to a report last week in The New York Times.

Governments around the world also worry a pandemic would spark civil unrest as people fight to get their hands on antiviral drugs like Tamiflu -- which is in short supply -- and a vaccine, which probably wouldn't be available until months into an outbreak. From there food, water, goods and services could stop flowing. That includes Internet services, Cooper said.

Out sick

In a worst-case scenario, computer networks would grind to a halt as countless IT personnel succumb to illness. As a result, the human intervention needed to keep computer hardware and software running smoothly may be unavailable, causing systems to fall offline, or even fall prey to malicious attackers.

But Cooper and others also agree on this: If businesses take the threat seriously now and develop plans to keep their systems running in the face of quarantines, office closures and illness among large portions of the workforce, that IT infrastructure could also be harnessed to minimize the chaos.

"It would be wise for companies to convene councils and discuss what they would do in a pandemic," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "Teleworking [working remotely] is certainly an option they should be discussing."

Keep communities functioning

Most of the international focus is on developing a vaccine and stockpiling antiviral drugs. Preparations must be broader than that, said Jennifer Nuzzo, an analyst with the Center for Biosecurity in Baltimore, Md.

"The best thing to do is prepare people. Get them to have plans in place to care for sick family members and neighbors," she said. "Get them to work on ways to work from home and keep communities functioning."

Nuzzo said that means businesses must be thinking about who could work from home, how much technology would be needed to pull it off, who would be required to be in the office and how antiviral medicines and vaccine could be distributed to protect them. From there, companies must try to predict where supply chain breakdowns could occur and what to do about them.

"If businesses really plan this out, today's IT could be used in a robust way to really keep things moving," Nuzzo said. "But it is going to take planning. It can't just happen in government. The private sector will really have a lot of the answers to the questions. The private sector has a lot of the expertise and resources."

Kurtz agreed. When it comes to teleworking, a concept he has vigorously advocated, government agencies haven't thought creatively enough on how to use it.

"There's not necessarily an incentive for agencies to look at teleworking as an option," he said in an earlier interview. "There's not as much thought on how to do things in an interconnected society. There's no immediate return, no immediate reward for promoting telework."

A call to action

In a follow-up interview Thursday, Kurtz said the fallout from Hurricane Katrina and increased media attention on avian flu could encourage governments to actively support teleworking.

"My hope is that as the government discusses what to do if there's a quarantine, where whole cities could be blocked off, that they'll be looking more closely at the use of teleworking."

When he looks at the potential damage avian flu could inflict on society, Kurtz is reminded of the SARS outbreak that spread to several countries two years ago. Toronto was particularly hard-hit. More than 40 people there died and the city's economy hemorrhaged more than a billion dollars. Kurtz said companies there have taken a hard look at what happened and have learned lessons that could be applied to a bird-flu pandemic.

"I was in Toronto about six months ago for a discussion with business leaders on Sarbanes-Oxley and somewhere in the conversation one company brought up SARS," Kurtz said. "They've given a lot of thought to how to deploy workers in the computer operations centers so they are in different locations. That includes deciding which workers can operate from home.

"And for those who are needed in the office," he added, "they're thinking about how to get them there and keep them healthy. This extends to people running power plants and other infrastructure."

While avian flu presents a particularly ominous threat, Kurtz said government and the private sector should use the same guidelines to plan for any potential disasters. "A lot of the same lessons and solutions apply whether we're talking about a pandemic, major storms or terrorist attacks," he said. "The common issue is how you get people to work when they can't get to the physical office space."

Roadblocks and opportunities

Despite his faith in teleworking, Kurtz said he has no illusions that it would be the silver bullet in a pandemic. "There's no cookie-cutter approach to this," he said. "Restaurants and movie theaters couldn't make it work. They'd probably have to close. But if your business is based online, if you're in the banking and finance or services sector, there may be more options for teleworking."

Cooper said businesses should look at telework as part of a broader plan. Additionally, workers must be cross-trained so they could do the job of someone who falls ill. An organization must look carefully at its supply lines and examine where those lines could break down.

"The most important first step is that businesses should ensure all employees have access to the network and all data from home," she said. "A lot of people will want to stay home and the more you can isolate them the better. There's also an opportunity for schools to have remote learning so kids aren't missing as much school."

But implementing these options would be expensive, and Cooper worries that poorer communities would be left out. "Would there be enough money in the communities and in the business world to give everyone the home computer equipment they need?" she asked. "That would be an issue. The good news is that a lot of businesses are already geared for remote working, with people traveling and working from laptops in the airport, for example."

The threat of a pandemic also presents an opportunity for tech companies, she said. "This is a real opportunity for them because there will be a surge in demand for things like video conferencing. That demand won't be rolled back."

This article originally appeared on SearchSecurity.com.
