Security as a Public Health Issue

Cory Doctorow argues that computer security is analogous to public health:

I think there's a good case to be made for security as an exercise in public health. It sounds weird at first, but the parallels are fascinating and deep and instructive.

Last year, when I finished that talk in Seattle, a talk about all the ways that insecure computers put us all at risk, a woman in the audience put up her hand and said, "Well, you've scared the hell out of me. Now what do I do? How do I make my computers secure?"

And I had to answer: "You can't. No one of us can. I was a systems administrator 15 years ago. That means that I'm barely qualified to plug in a WiFi router today. I can't make my devices secure and neither can you. Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies. Not when it is illegal to tell people if there are flaws in their computers, where such a disclosure might compromise someone's anti-copying strategy.

But: If I had just stood here and spent an hour telling you about water-borne parasites; if I had told you about how inadequate water-treatment would put you and everyone you love at risk of horrifying illness and terrible, painful death; if I had explained that our very civilisation was at risk because the intelligence services were pursuing a strategy of keeping information about pathogens secret so they can weaponise them, knowing that no one is working on a cure; you would not ask me 'How can I purify the water coming out of my tap?'"

Because when it comes to public health, individual action only gets you so far. It doesn't matter how good your water is, if your neighbour's water gives him cholera, there's a good chance you'll get cholera, too. And even if you stay healthy, you're not going to have a very good time of it when everyone else in your country is stricken and has taken to their beds.

If you discovered that your government was hoarding information about water-borne parasites instead of trying to eradicate them; if you discovered that they were more interested in weaponising typhus than they were in curing it, you would demand that your government treat your water-supply with the gravitas and seriousness that it is due.

Posted on March 14, 2014 at 6:01 AM • 18 Comments


WmMarch 14, 2014 6:46 AM

" Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies."

Need to add: ...crime-fighting, anti-terrorism, and deliberate evil communist/Marxist style private citizen data gathering strategies.

AlanSMarch 14, 2014 8:13 AM

The relevance of public health to security came up about a year ago in the Security Awareness discussion, which included a discussion of HIV prevention. See my comments here and here.

Doctorow writes: "Public health isn’t just about pathogens, either – its thorniest problems are about human behaviour and social policy. HIV is a blood-borne disease, but disrupting its spread requires changes to our attitudes about sex, pharmaceutical patents, drugs policy and harm minimisation. Almost everything interesting about HIV is too big to fit on a microscope slide." [Emphasis added]

But a lot of security is fixated on pure technical solutions (i.e. the equivalent of the pharmaceutical fix for pathogens) in disregard of the social, or worse, in explicit denial of the social. Creating changes in attitudes and behavior is hard work. It's easier to turn a buck being the security equivalent of a pill pusher.

AndrewMarch 14, 2014 8:58 AM


rabbitsMarch 14, 2014 9:33 AM

"But a lot of security is fixated on pure technical solutions .. in disregard of the social, or worse, in explicit denial of the social"

Yes, however, there is an immediate need to stop the disease transmitting. When it is stopped we have more time to tackle the social. If we tackle the social aspects first our adversary is overwhelming us and the infection spreads quicker than we can modify social attitudes and behavior. Then we are irrevocably lost. However the people who are best suited to tackling the technical issues are not the best to work on the behavioral and social, and vice versa. There must be two responses operating in parallel.

"It's easier to turn a buck being the security equivalent of a pill pusher."

There are always those seeking a quick profit and operating purely from self-serving motives (snake-oil peddlers) both in the technical and social/behavioral arenas. Rather unfair to castigate everyone working on the technical challenges as being in that boat, same as supposing that all politicians are venal wretches (maybe maybe there is one who isn't?).

anti-concepualismMarch 14, 2014 10:28 AM

A few words on Doctorow's analogic method.

Mathematicians are adept at taking a difficult problem in one domain and solving it by transposing it into a simpler form. For example, finding periodic changes in a time series is easier in the frequency domain than in the time domain, the Fourier transform being the operation used to pass from one domain to the other.

This works in mathematics because the units are convertable from one to the other via an operation or operations.

But there is no operation that converts the massive theft of information into a disease epidemic. There is no logical common denominator. Instead there is an equation of similarities in non-essential features of these two problems.

The net result is a complex confusion masked by apparent simplification.

Instead asking how we can confuse the massive infringement of individual rights with the problem of a widespread disease, we should be attempting to identify the nature of the aggressor so we can stop him.

In other words, what is the actual nature of our problem, not what is it like.

The world is drowning in metaphorical nonsense, propagated by the iconism of graphical user interfaces among other things.

A little common sense would go a long way.

JohnMarch 14, 2014 10:51 AM

Cory Doctorow right again as usual. Little Brother is still at the top of my top ten list.

pMarch 14, 2014 12:49 PM

So in other words, we are all part of some gigantic Tuskegee Experiment, where the NSA will eventually find out what they already knew and then finally "let" us have secure communications tools?

CarpeMarch 14, 2014 1:15 PM

"you would demand that your government treat your water-supply with the gravitas and seriousness that it is due."

And what would you do when the response was to f-off?

webcatMarch 14, 2014 1:18 PM

“anti-concepualism” makes a valid point, imho.

But there is an even broader context: we need to reset the relationship betweenm ourselves and government...see Grace Lee Boggs' "The Next American Revolution.

Grace Lee Boggs,, Detroit-based radical organizer and philosopher. Born to Chinese immigrant parents in 1915 [in their apartment over the family’s restaurant], Now 98 she has been involved in nearly every major activist movement of the past eighty years, including labor, civil rights, black power, women’s rights, and environmental justice movements.


Her views on rebellion and revolution represent a paradigm shift we need

jonMarch 14, 2014 3:04 PM

Fort Dietrich, MD continues to do research into biological warfare agents. It's all considered health research and to counter others' CW & BW abilities. And I'm pretty sure there are substantial stocks of CW & BW artillery shells in stock, and yet to be destroyed.

AlanSMarch 14, 2014 3:16 PM


I didn't intend to "castigate everyone working on the technical challenges", far from it. Apologies if it came off that way.

With regard to your first response: you assume the social and technical can be separated. They are inextricable. That was the point. Technical solutions are embedded in social relationships. And social relationships are mediated by technologies.

Take HIV prevention as an example. Developing an anti-retroviral agent is a 'technical' solution  but success, getting it from bench to bedside, and effect use, depends on numerous social networks and relationships. A 'public health initiative', say increasing condom use, is primarily a problem of 'changing attitudes and behavior' but the social is also technical. It involves a technology to start with and quite possibly changing the relationships may also involve rethinking condom design, packaging, etc.  and also figuring out how to use media technologies effectively in different contexts for different populations.

NE PatriotMarch 15, 2014 12:21 PM

Slight difference: you can live perfectly well without internet. Millions of people in America do exactly this every day. You don't have to live in middle of nowhere West Virginia or Louisiana to do this: it happens even in hip and trendy places like New York City and San Francisco.

Go a few days without water? Now you're talking about life and death in an incredibly real sense.

M.March 15, 2014 8:15 PM


Medicine and public health also works by domain transposition. Why do you think we spend so much time playing with rats?

It seems like most fields work this way. But what constitutes a valid domain transposition seems to be very discipline-specific. That is, medicine and public health takes the rat-to-human transposition for granted, but vets and ecologists don't. We all agree that we're very closely related in evolutionary terms, but we disagree about what that means for pharmaceutical development. Meanwhile, computer scientists take the macro-to-micro jump for granted, while medicine and public health don't.

1) I think he's missing the more accurate transposition that would resonate with most Americans: how people have historically acted when governments abuse health information. Whether you're talking about people in developing or developed nations, Western or non-Western ones, the same pattern tends to emerge: people stop getting testing and/or treatment, endemics and preventable and/or treatable diseases subsequently get worse, and the GDP ultimately plummets. HIV/AIDS is really the poster child for this, but it's been the case with a plethora of other screening and treatment programmes.

If you do a macro-to-macro transposition with today's security issues and the American IT sector...Well, Dr. Schneier has covered that end result in quite some detail already.

2) People in my former home town ask about water purification all.the.time. It's really the only question left when you're the victim of corporate gerrymandering and regulatory capture.

By the same token, I think the only questions worth asking in the wake of the disclosures are (1) how to make end-user encryption easy and transparent and (2) if readers from oligarchial police states have any survival tips they'd like to share.

3) That said, I think Doctorow's totally right about the inevitability -- and costs -- of FPs. That's the part really worth emphasizing.

4) Why doesn't the computer security industry use the immune system as a model for security development?

yesmeMarch 16, 2014 8:04 AM


4) Why doesn't the computer security industry use the immune system as a model for security development?

Brilliant idea!

But thinking about it... You mean actively infecting systems with virusses or malfunctions with the idea that the computer could find a cure. Right?

It could be very dangerous. Are we bright enough to control this?

But that said, the idea itself is brilliant.

libre fanMarch 16, 2014 1:44 PM

How do I make my computers secure?"

And I had to answer: "You can't. No one of us can… I can't make my devices secure and neither can you.

I don't quite agree with Cory Doctorow on his comparison nor on his answer.

If people stopped using M$ Windows and software, Apple an' stuffz, any Google services, Facebook, Yahoo services, and started using encryption, (and then Tor or Tails) that would be a step forward. Saying there's nothing we can do is encouraging people to use Skype and other monsters that make NSA spying so easy.

AutolykosMarch 17, 2014 8:02 AM

@libre fan: Well, that depends on whether you define "secure" as relative or absolute. You can probably become good enough to evade most of the non-targeted measures. But what about the people on the other end of the line? Are they able to pull it off? Do they even care?
And once they decide to target you (for any reason, or no reason at all), you're screwed no matter what.

AnuraMarch 18, 2014 12:14 PM


Whether or not you are screwed depends on the resources of the attacker. If you are targeted by the NSA, an air gapped system in an EM shielded room booby-trapped with incidiary devices to protect against physical intrusion is about all you can do. Most attackers, however, don't have the resources of the NSA, and most people don't have data sensitive enough to warrant those kind of measures.

Keeping your software up to date, running a decent router and not exposing services, running tools like noscript, https everywhere, using strong passwords, and understanding social engineering will be enough to protect your home systems and major accounts from the vast majority of remote attackers, even if you are targeted.

For protection against physical attackers, any machine with sensitive data should have the data encrypted with a strong password, possibly combined with a symmetric key on a keychain thumb drive, and powered off when you are away from it. After this, it's a question of attackers being able to install malware onto your system, which is pretty difficult to protect against if they have physical access, and at this point it's a matter of detecting it before you are compromised. This really comes down to home security: locks, alarms, dogs.

Most people don't have data sensitive enough to warrant an attacker taking the risk of breaking into their home and installing malware on their systems in the first place. For most people, theft of their computers is going to be far more likely. If you have data sensitive enough that they might actually use violence to obtain your keys, then hire armed guards.

A single home network is a lot harder to attack than a large organization, and large organizations can still protect themselves from targeted attacks. Educating employees on social engineering, up to date software, strong access controls, physical building security, general security principles. You aren't going to make a system that is completely hacker proof, but you can make it secure enough so that attackers are unable to locate those holes.

Security is not about being able to protect against every single possible threats, it's about recoginizing the likely threats; a super-advanced team of hackers with submachineguns, tactical turtlenecks, hearbeat sensors, and submarines is probably not going to waste their time trying to get the $500 out of your savings account.

Dave HarmonMarch 21, 2014 8:23 PM

anti-concepualism: The analogy is based on the structural characteristics of the challenges, and those are a close match -- we have a public good for which each of private and public efforts are necessary but not sufficient.

AlanS/rabbits: The first analysis of a cholera epidemic pre-dated the pharmaceutical option! The initial public-effort response was to remove the handle from a particular water pump. This might correspond to blocking an aggressive IP....

M. #1: Trust is easily lost and hardly regained -- the Tuskegee experiment is still interfering with health-care efforts for American blacks. Unfortunately, effectively dealing with these problems demands a good deal of trust between the populace and their government.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.