Security of Health Information

The world is racing to contain the new COVID-19 virus that is spreading around the globe with alarming speed. Right now, pandemic disease experts at the World Health Organization (WHO), the US Centers for Disease Control and Prevention (CDC), and other public-health agencies are gathering information to learn how and where the virus is spreading. To do so, they are using a variety of digital communications and surveillance systems. Like much of the medical infrastructure, these systems are highly vulnerable to hacking and interference.

That vulnerability should be deeply concerning. Governments and intelligence agencies have long had an interest in manipulating health information, both in their own countries and abroad. They might do so to prevent mass panic, avert damage to their economies, or avoid public discontent (if officials made grave mistakes in containing an outbreak, for example). Outside their borders, states might use disinformation to undermine their adversaries or disrupt an alliance between other nations. A sudden epidemic­—when countries struggle to manage not just the outbreak but its social, economic, and political fallout­—is especially tempting for interference.

In the case of COVID-19, such interference is already well underway. That fact should not come as a surprise. States hostile to the West have a long track record of manipulating information about health issues to sow distrust. In the 1980s, for example, the Soviet Union spread the false story that the US Department of Defense bioengineered HIV in order to kill African Americans. This propaganda was effective: some 20 years after the original Soviet disinformation campaign, a 2005 survey found that 48 percent of African Americans believed HIV was concocted in a laboratory, and 15 percent thought it was a tool of genocide aimed at their communities.

More recently, in 2018, Russia undertook an extensive disinformation campaign to amplify the anti-vaccination movement using social media platforms like Twitter and Facebook. Researchers have confirmed that Russian trolls and bots tweeted anti-vaccination messages at up to 22 times the rate of average users. Exposure to these messages, other researchers found, significantly decreased vaccine uptake, endangering individual lives and public health.

Last week, US officials accused Russia of spreading disinformation about COVID-19 in yet another coordinated campaign. Beginning around the middle of January, thousands of Twitter, Facebook, and Instagram accounts­—many of which had previously been tied to Russia­—had been seen posting nearly identical messages in English, German, French, and other languages, blaming the United States for the outbreak. Some of the messages claimed that the virus is part of a US effort to wage economic war on China, others that it is a biological weapon engineered by the CIA.

As much as this disinformation can sow discord and undermine public trust, the far greater vulnerability lies in the United States’ poorly protected emergency-response infrastructure, including the health surveillance systems used to monitor and track the epidemic. By hacking these systems and corrupting medical data, states with formidable cybercapabilities can change and manipulate data right at the source.

Here is how it would work, and why we should be so concerned. Numerous health surveillance systems are monitoring the spread of COVID-19 cases, including the CDC’s influenza surveillance network. Almost all testing is done at a local or regional level, with public-health agencies like the CDC only compiling and analyzing the data. Only rarely is an actual biological sample sent to a high-level government lab. Many of the clinics and labs providing results to the CDC no longer file reports as in the past, but have several layers of software to store and transmit the data.

Potential vulnerabilities in these systems are legion: hackers exploiting bugs in the software, unauthorized access to a lab’s servers by some other route, or interference with the digital communications between the labs and the CDC. That the software involved in disease tracking sometimes has access to electronic medical records is particularly concerning, because those records are often integrated into a clinic or hospital’s network of digital devices. One such device connected to a single hospital’s network could, in theory, be used to hack into the CDC’s entire COVID-19 database.

In practice, hacking deep into a hospital’s systems can be shockingly easy. As part of a cybersecurity study, Israeli researchers at Ben-Gurion University were able to hack into a hospital’s network via the public Wi-Fi system. Once inside, they could move through most of the hospital’s databases and diagnostic systems. Gaining control of the hospital’s unencrypted image database, the researchers inserted malware that altered healthy patients’ CT scans to show nonexistent tumors. Radiologists reading these images could only distinguish real from altered CTs 60 percent of the time­—and only after being alerted that some of the CTs had been manipulated.

Another study directly relevant to public-health emergencies showed that a critical US biosecurity initiative, the Department of Homeland Security’s BioWatch program, had been left vulnerable to cyberattackers for over a decade. This program monitors more than 30 US jurisdictions and allows health officials to rapidly detect a bioweapons attack. Hacking this program could cover up an attack, or fool authorities into believing one has occurred.

Fortunately, no case of healthcare sabotage by intelligence agencies or hackers has come to light (the closest has been a series of ransomware attacks extorting money from hospitals, causing significant data breaches and interruptions in medical services). But other critical infrastructure has often been a target. The Russians have repeatedly hacked Ukraine’s national power grid, and have been probing US power plants and grid infrastructure as well. The United States and Israel hacked the Iranian nuclear program, while Iran has targeted Saudi Arabia’s oil infrastructure. There is no reason to believe that public-health infrastructure is in any way off limits.

Despite these precedents and proven risks, a detailed assessment of the vulnerability of US health surveillance systems to infiltration and manipulation has yet to be made. With COVID-19 on the verge of becoming a pandemic, the United States is at risk of not having trustworthy data, which in turn could cripple our country’s ability to respond.

Under normal conditions, there is plenty of time for health officials to notice unusual patterns in the data and track down wrong information­—if necessary, using the old-fashioned method of giving the lab a call. But during an epidemic, when there are tens of thousands of cases to track and analyze, it would be easy for exhausted disease experts and public-health officials to be misled by corrupted data. The resulting confusion could lead to misdirected resources, give false reassurance that case numbers are falling, or waste precious time as decision makers try to validate inconsistent data.

In the face of a possible global pandemic, US and international public-health leaders must lose no time assessing and strengthening the security of the country’s digital health systems. They also have an important role to play in the broader debate over cybersecurity. Making America’s health infrastructure safe requires a fundamental reorientation of cybersecurity away from offense and toward defense. The position of many governments, including the United States’, that Internet infrastructure must be kept vulnerable so they can better spy on others, is no longer tenable. A digital arms race, in which more countries acquire ever more sophisticated cyberattack capabilities, only increases US vulnerability in critical areas such as pandemic control. By highlighting the importance of protecting digital health infrastructure, public-health leaders can and should call for a well-defended and peaceful Internet as a foundation for a healthy and secure world.

This essay was co-authored with Margaret Bourdeaux; a slightly different version appeared in Foreign Policy.

EDITED TO ADD: On last week’s squid post, there was a big conversation regarding the COVID-19. Many of the comments straddled the line between what are and aren’t the the core topics. Yesterday I deleted a bunch for being off-topic. Then I reconsidered and republished some of what I deleted.

Going forward, comments about the COVID-19 will be restricted to the security and risk implications of the virus. This includes cybersecurity, security, risk management, surveillance, and containment measures. Comments that stray off those topics will be removed. By clarifying this, I hope to keep the conversation on-topic while also allowing discussion of the security implications of current events.

Thank you for your patience and forbearance on this.

Posted on March 5, 2020 at 6:10 AM64 Comments


Tatütata March 5, 2020 8:52 AM

The above scenario sounds like the attacks theorized on election reporting. But the current main issue in many countries (IR, CN, and apparently even US) is the absence or suppression of reporting, not its hacking.

Some of the messages claimed that the virus is part of a US effort to wage economic war on China, others that it is a biological weapon engineered by the CIA.

Plus ça change… Echoes of Soviet messaging on AIDS in the 1980s. But I’m suddenly thinking of motes and beams…

AlanS March 5, 2020 8:55 AM

The Report (PDF) of World Health Organization-China joint mission on COVID-19 is worth a look. See especially section III. Assessment starting on p16. Also see the presser in Geneva by Dr. Bruce Aylward, International team lead on the joint mission on COVID-19.

It appears that the Chinese political system, their technological and surveillance infrastructures, existing public health infrastructure (which had previously had to deal with SARS etc.), and cultural factors have made it possible for the Chinese to rapidly stomp on the exponential growth of new cases of COVID-19. What’s not clear is whether such an approach is viable elsewhere, regardless of whatever disinformation campaigns might be undertaken. Page 19:

China’s uncompromising and rigorous use of non-pharmaceutical measures to contain transmission of the COVID-19 virus in multiple settings provides vital lessons for the global response. This rather unique and unprecedented public health response in China reversed the escalating cases in both Hubei, where there has been widespread community transmission, and in the importation provinces, where family clusters appear to have driven the outbreak….Much of the global community is not yet ready, in mindset and materially, to implement the measures that have been employed to contain COVID-19 in China. These are the only measures that are currently proven to interrupt or minimize transmission chains in humans. Fundamental to these measures is extremely proactive surveillance to immediately detect cases, very rapid diagnosis and immediate case isolation, rigorous tracking and quarantine of close contacts, and an exceptionally high degree of population understanding and acceptance of these measures.

myliit March 5, 2020 10:32 AM

Governments have a long history with political spin and epidemics or pandemics …This link was posted in the current squid [1] . In other words, besides spooks and hackers, of course, we need to be skeptical of our leaders.

Of course, the Trump administration brings little credibility to the table. For example, “ Trump attempts to blame Obama for the Coronavirus test kit shortage …

The responsibility for the coronavirus test kit shortage appears to lie with the CDC’s choice to develop and distribute its own kit rather than use the one recommended by the World Health Organization, according to ProPublica. But the CDC’s tests didn’t work, falsely flagging harmless samples that contained viruses other than Covid-19.

Moreover, Trump ordered the dissolution of the National Security Council’s global health security unit and reassigned its head. The former national security adviser John Bolton also pressured the team’s counterpart at the Department of Homeland Security to resign. …

“I won’t say [Coronavirus containment is] airtight, but it’s pretty close to airtight,” [director of the National Economic Council] Kudlow told CNBC, swaddling himself in a comforting narrative that was probably destroyed in his first meeting with the task force.

Last week, a senior health department official alleged that she was retaliated against after raising concerns that staff had been sent to assist Americans evacuated from China because of coronavirus without proper training or appropriate protective gear.

“If efforts are being made to muzzle them, to control messaging so that it suits the political needs of the administration,” Michael Carome of Public Citizen, a not-for-profit consumer advocacy organization, said, “that’s ultimately going to endanger the public.”“

[1] Search Coronavirus

sle March 5, 2020 10:55 AM

While I agree with ideas of securing health’s IT, and to not weaken the Internet supporting it. I’m not sure the COVID-19 is the best example to push those ideas.

In occidental countries the global pandemic can’t be stopped unless we adopt the very rude and costly anti-propagation measures of China, which our governments didn’t want.

I have the feeling that most occidental governments just decided a long time ago that this disease didn’t worth an economy stop, nor a temporary liberty suspension. They mostly tried to gain some time, to prepare the medical system and avoid its immediate saturation, no more. They didn’t explain this tradeoff, they just done it.

Therefore, I ‘m not sure our governments are ready to listen soon to the good IT security ideas proposed in blog entry.

Clive Robinson March 5, 2020 11:32 AM

@ AlanS,

Yes the WHO stuff does make sober reading. And like them I suspect that “acceptance” universal or otherwise of what actually needs to be done is not going to happen.

At the end of the day it boils down to one thing,

    Rights of the individual -v-
    The rights of society.

We might joke about “no man is an island” but realisticaly the good of society on which we all depend realy needs us to be “islands” for a while. If we all self issolated for just a month then the virus would not exist any more as it would not come into contact with hosts whilst still viable.

However there is a fly in the ointment,

@ Bruce,

We know you have been brushing up on “supply chain” security, so you might have looked into “military supply lines in war” and realised that logistically there are real resiliance issues with long supply lines (many battles were lost due to the logistics of supply lines).

But it’s not just the length of the supply chain that makes it dangerously fragile, it’s also the issue of “Just in Time” supply can not respond to even quite small changes in demand.

From a security perspective “supply chains” are very much the weakest link.

If as so often happens with IT we make a comparison to biological analogies we should note that after many millennium we see that “optomized” creatures become curiousities by way of fossils.

That is if things in nature become “to efficient” they have no survivability, they are fragile and small changes in the environment remove their viability.

The same is true for “supply chains” that we depend on for Energy Security, Food Security, Medicine Security, and much else besides.

We talk about “going on a war footing” or “Manhatten Project efforts” but realisticaly these days we do not have the resiliance in our supply chains. Because of three reasons,

1, They have no spare capacity.
2, They are far to long.
3, They are controled by others.

Lets look at one type of Security Medicine.

There are in patent drugs and there are generic drugs. One of the worlds largest producers of generic drugs like the antibiotics that stop secondary infection is India half way around the globe from tje US. The Indian government has announced that they are going to stop exporting generics to build up their own stocks of drugs for their own citizens.

China is one of the largest producers of “Personal Protection Equipment” (PPE) or parts used in PPE. China has upped production of face masks and the likes but still has significant shortages it’s self, thus exports would appear to be unlikely currently.

Food is also an issue, few western industrialised nations currently grow enough food for their citizens…

Thus the security of supply chains is essential and we do not have it.

Thus we can not go on a “war footing” these days to fight a pandemic, it’s looking increasingly doubtfull we can do a Manhattan style project on producing a vaccine, for the same supply chain security reasons.

Whilst protection against disinformation might be seen as important, it’s not a security issie as such, and even if it did become one, we already have solutions that we can use that don’t have any dependency on supply chains.

We need to do a propper “Systems analysis” from the hole in the ground right through to keeping people alive and functioning in society. Because if society stops then technology realy does become superfluous rather rapidly. After all a spade, fork, hoe and packets of seed and some land are realy what you need to grow food, computers are kind of not needed especially if there is neither electricity from the grid or gas for your generator… Technology needs a sophisticated society and all that goes with it, society however does not need to be sophisticated, we’ve managed for many millennium with out it, we can do so again. But even a century ago we knew we were “nine meals” from civil unrest. But we had fair warning almostva decade ago to the day,

Sometimes we can be too busy looking at the trees to see the problem the forest has become.

Curious March 5, 2020 12:46 PM

I wonder if there is a concept in medicine for, something like a perpetual virus pandemic with people being re-infected and with a virus that seem to never go away, or, maybe that kind of idea would be considered to be far fetched, or otherwise implausible, if envisioning a pandemic (meaning global) scale virus infection that somehow keeps lingering around in society all over the world. Makes me wonder if “the flu”, which I seem to keep hearing about every year, would basically be such an ongoing pandemic, or if “the flu” sort of disappear in longer periods throughout a year.

Clive Robinsom March 5, 2020 2:48 PM

@ Curious,

I wonder if there is a concept in medicine for, something like a perpetual virus pandemic

It’s called “endemic” and there are many virusess both in the animal kingdom and the subset of primates we call humans that are endemic.

with people being re-infected and with a virus that seem to never go away

In theory you can not be reinfected by the “same” virus as long as your body produces antibodies to it. This however does not mean you have lifelong immunity, just immunity for some period of time, because your body can stop producing antibodies to the particular virus.

Whilst it is possible for someone to be infected with a disease and not have symptoms or their bodies immune system kill it of (Typhoid Mary) thus they remain a perpetual host, this is exceptionaly rare for most Bacterial or viral infections. However some diseases HIV, Herpes simplex, Chicken pox etc do remain behind in the host.

The common cold and flu we get every year are not the same virus but either different viruses with similar pathologies or mutations of them that are sufficiently different that they appear new to our bodies immune system.

There is a catch however look up Degue Feve, it has five basic strains spread by breeding mosquitos, if you get infected by one the strains the symptoms are generaly mild. However if you then get infected by another one of the strains it’s an altogether different story. Put overly simply due to partial recognition the initial stages of the immune response works, then it all goes horribly wrong in that it co-opts the later stage of the immune system into reproducing it instead of destroying it.

Bong-Smoking Primitive Monkey-Brained Spook March 5, 2020 5:21 PM

This may interest some of you…
“An interactive web-based dashboard to track COVID-19 in real time”

Nice graphics! More statistics:
Corona Virus worldometers and General real-time statistics. I believe I just contributed one entry to the “Blog posts written today” field.

@Clive Robinson:

It’s called “endemic”

That’s for carbon units. What expression should we use for silicon units? You know… like a computer virus that spreads at faster than exponential rates – say, Tetrational growth.

Thinking Monkey March 5, 2020 9:12 PM

@Clive Robinson RE: Weak supply chains

I agree that supply chain problems have caused untold numbers of problems on many fronts. However, and I don’t want to sound like I don’t understand the details or that I’m just over-simplifying, but from anywhere to anywhere in the U.S. is absolutely no longer than 5 hours, 20 minutes by air. From the semi-centralized location of Atlanta, if that were the source, cuts that about in half.

So while a “the supply itself” problem may exist, not so much a supply chain problem. Tons of any medical supplies, vaccines, medications, etc. could be flown on a single C-130 flight to anywhere in a few short hours.

So I’d like to respectfully submit that the dire supply chain problem suggested may be too dire.

SpaceLifeForm March 5, 2020 9:45 PM

@ Thinking Monkey

So, Atlanta is where hand sanitizer and face masks are manufactured? Toliet paper too?

@ Clive, Anders

I’m shocked, shocked I tell you!

So many that have been to Egypt, still gambling on that famous river, in their mind.

Clive Robinson March 6, 2020 12:31 AM


like a computer virus that spreads at faster than exponential rates – say, Tetrational growth.

Tetrational numbers appear some what lacking, after all what goes up must conversly go down, yet I don’t see,


In the list.

Any way didn’t Donald Knuth come up with another way to express very very large numbers and growth rates with his “up arrow” system to try and control the “towers of powers” problem…

But the thing is currently “Silicon does not think, at most it calculates” what to do about numbers that you can not calculate with?

Take the simple case of “comparison” that is verifying,

    Is A greater than B

The answer can be expressed in a single bit, but how big do the numbers A and B have to get before you can not compare them?

Whilst the human mind can think and reason about this, computers can not calculate it… You could say they do not have the “bits or reason to do so”.

Some numbers that are usefull are beyond what can be stored by all the atoms in our known physical universe even as positions in it’s volume measured to the the finest granularity we know of… As humans we can not only take that in our stride we can understand them even though Georg Cantor who opened that path did go a bit odd in the end.

Clive Robinson March 6, 2020 12:52 AM

@ Thinking Monkey,

So I’d like to respectfully submit that the dire supply chain problem suggested may be too dire.

You have made the mistake of limiting the scope of your reasoning, thus you have failed to consider why that might invalidate your statment.

You have taken a totally US Centric view, for no apparent reason, even though I gave two examples of supply chains in other nations where labour is considerably cheaper and manufacturing has been outsourced to or US manufacturing has stopped and factories closed and scrapped because it was cheaper to buy from abroad.

Tell me just how long do you think it would take to set up a manufacturing plant to make loop around the ears style face masks for 330million US citizens to have the four to six masks a day they would need?

How long to manufacture the paper and cloth needed to supply that mask factory?

Now tell me why you don’t think that “may be too dire”?

Now add in the rest of the things needed for making the drugs that could well be required and why India decided it needed to keep all it manufactures for it’s citizens needs.

I don’t know what it is you do for a living if anything, but I very much doubt it has anything to do with physical goods manufacturing or even retail supply.

Can I suggest you go and read up on the Berlin air lift before you talk about flying as a means of transporting goods from place to place.

Clive Robinson March 6, 2020 12:58 AM

@ SpaceLifeForm,

I’m shocked, shocked I tell you!

I’ve Nile idea what you are aluding to, it all looks a bit biblical to me 😉

Curious March 6, 2020 4:05 AM

I wonder if such a virus could linger on in food stuff, like frozen food, canned food, or stuff like military rations that I guess are kept on store for some time.

Thessa Arntdwelf March 6, 2020 4:53 AM

@Clive Robinson

Georg Cantor who opened that path did go a bit odd

An attempt to understand and recover from the oddness

“So what are we to make of the contrasting notion of a completed infinity? I confess at the outset to the strong emotions of loathing and feeling of oppression that the contemplation of an actual infinity arouses in me. It is the antithesis of life …

“The belief that exponentiation, superexponentiation, and so forth, applied to numerals yield numerals is just that—a belief. Here we have the third, and most serious, warning sign of trouble in contemporary mathematics.”

And also

But maybe it was actually all said by R L Stevenson in A Child’s Garden of Verses, e.g.,

“The world is so full of a number of things,
I’m sure we should all be as happy as kings.”

Anders March 6, 2020 6:11 AM

@Clive @SpaceLifeForm @ALL

I sadly have to announce that Estonia has now 10 infection cases 🙁

(If things continue in that way i’m afraid that times when toilet
paper was a rare thing will come back…)

Clive Robinson March 6, 2020 7:39 AM

@ Curious,

I wonder if such a virus could linger on in food stuff, like frozen food, canned food, or stuff like military rations that I guess are kept on store for some time.

Military rations are either desicated, or canned[1]. Desicating also known as freeze drying removes moisture from food, the majority of living things need water to little and they die. This includes bacteria, it’s why food is preserved by salt/brine sugar and alcohol they apply osmotic preasure making the environment untenable for bacteria and up creatures. Drying of food also makes the environment untenable for living creatures.

The problem is viruses are not technically living creatures and of the more than 10^31 of them very few have evere been studied. However virii tend, especially RNA viruses to degrade in fairly short periods of time. The environmental concentrations of water and tenprature tend to have a significant impact on the duration of their viability.

Few of lifes building blocks tend to survive much more than body heat, which is why part of the human immune response is to increase the bodies temprature in what we usually call a fever. Further way less pathogens make it past the boiling point of water. As far as I’m aware the previous coronaviruses that have effected human beings have not been in the survive above fever heat, so all cooking should render them non viable. Both Canning and bottling involve heating the food in containers upto boiling temprature at increased preasure (ie above the boiling point of water at sea level).

Thus food wise it is only pre cooked foods that are eaten at room temprature and have been left uncovered before they are eaten that represent a danger. Some have indicated that this might have been the transmission path on the Dimond Princess and in institutions like prisons. But we will have to await scientific tests and analysis before we can be certain if both SARS-CoV-2 S and mutated L can survive standard food preperation and preserving techniques. That is they might survive the “pickling” process, but it would on the face of it to appear unlikely.

[1] It appears that in the US “canning” refers to both what are seperatly called “bottling” and “canning” in other places.

Clive Robinson March 6, 2020 8:00 AM

@ Thessa Arntdwelf,

An attempt to understand and recover from the oddness

I suspect a lot of it was also. to do with the “old guard” in his contempories that bad mouthed his ideas and stopped him moving forward in his career. To them his ideas were heresy and they held court to wisper against him. One even asking him to withdraw a paper that Cantor had submitted for publishing because the ideas were a hundred years before their time… A more ludicrous statment from some one of academic repute you could not imagine. Others were lauded by the entrenched for their ludicrous and easily disproved efforts to discredit Cantor’s ideas…

Now a hundred years after his passing his ideas are not just accepted but taught to all aiming for greater understanding of where numbers can take us, as for the old guard and those they supported, many are but footnotes in history. Which when you think about it is a kindness considering what they tried to do to an individual by way of persecution.

The gift of fundemental understanding is rare, the ability to push it forward into new territory is even more rare, attacking those with such abilities is unfortunately not rare and almost always found in hierarchical systems that again unfortunatly abound in human society. There is a lesson there that mankind could do with not just understanding more but learning from.

Alejandro March 6, 2020 8:57 AM

Any excuse is good enough to increase surveillance of Americans by the military:

“The Armed Forces Health Surveillance Branch (AFHSB) is the central epidemiologic resource for the U.S. Armed Forces, conducting medical surveillance to protect those who serve our nation …” blah, blah, blah.

AFHSB provides timely, relevant, actionable and comprehensive health surveillance information to promote, maintain, and enhance the health of military and military-associated populations.

AFHSB critical functions are:

Acquire, analyze, interpret, disseminate information, and recommend evidence-based policy
Develop, refine, and improve standardized health surveillance methods
Serve as the focal point for sharing health surveillance products expertise and information
Coordinate a global program of military-relevant infectious disease surveillance..."

I suppose you could say USA spies are good guys and the rest are bad guys.

But, I wonder if that’s a false choice. I think it boils down to our formerly inalienable right to left alone from intrusion and interference by the government and/or being treated as presumptive or potential enemy combatants.

AlanS March 6, 2020 9:34 AM


Toilet paper anxieties are apparently a big thing in Australia and COVID-19 has sparked panic buying, a situation that’s being exploited to sell newpapers (given the reputation of Australian news media one can only imagine that they’ve finally found their market ‘niche’). Some families have managed to accumulate enough to forgo Australian newsprint:

The ABC reports that the Janetzki family in Toowoomba mistakenly ordered 80 boxes instead of 48 rolls of “Australia’s most sought-after product,” the ABC reports. Panic buying has left shelves empty of toilet paper across the country, with one supermarket chain imposing rations on customers. “They received 2,304 rolls and were charged $3,264 instead of $68, something that went unnoticed until the two-pallet order showed up on their doorstep days later.”

Clive Robinson March 6, 2020 10:35 AM

@ AlanS,

given the reputation of Australian news media one can only imagine that they’ve finally found their market ‘niche

+1 B-)

Mind you I have to wonder if Australian legal tender could be used instead… As you quote from the article,

    mistakenly ordered 80 boxes instead of 48 rolls… …received 2,304 rolls and were charged $3,264 instead of $68

$1.42 Astralian dollars for a single roll of toilet paper? I did my weekly “panic buy” yesterday and I got 24 rolls for just over £2 UK pounds. Either Aussie’s have very big rolls of toilet paper, or the Aussie dollars “gone down the cr4pp3r”.

AlanS March 6, 2020 11:49 AM


Maybe just a delicate lot with a taste for luxurious padded loo paper.

Given the vast quantities they are buying one might imagine COVID-19 caused a serious case of the runs but there is no evidence of that. I believe the WHO report said that was a symptom in less than 4% of cases.

Clive Robinson March 6, 2020 11:59 AM

@ Anders,

Yes making “bad news”, “incompetent handling”, or “corrupt action” official secret is a major security issue, that usually we don’t get to see the effects of in near real time. But from what I can tell every country is upto it in some way currently.

It can also have some funny side effects.

UK PM Borris Johnson visited the Royal Free issolation unit the other day (he was seen by multiple members of staff from other floors who have confirmed it to others). However it was so hush hush at the time that even Boris’s own press office were not told…

So when he said something that was on the record journalists sort conformation from the press office and much who ibitially denied it… Much “to and frowing” followed but it shows one of the down sides of obsessive secrecy, it can make you look like a lier even when you are not lying.

But the world wide spread is causing not just minor issues like that, it’s causing major social issues which brings us slap bang into the middle of the aptly named “Bio-Security” like ICTsec it has a myriad of concerns happening. However the prediction by the WHO doctor Alywood appears to be comming to pass already,

When you read past the inittial fluff the list of what has happened and has not happened is quite frankly shocking. The expresion about lunitics and asylums comes to mind. Further confirming what the WHO Dr was talking about…

Kronos March 6, 2020 12:12 PM

@ Clive Robinson: But even a century ago we knew we were “nine meals” from civil unrest.

About that time frame, at least some of my ancestors still had most of their food stores ‘on the hoof’ and processed chickens, beef, fish and wild game animals weekly. Of course even then the people living in large cities were much more removed from the source of their daily meals. Today the gap for the average American is, as you point out, even farther removed from the barnyard.

It isn’t surprising for many in the technology field that JIT supply systems, which work very well most of the time, do fail when unforeseen circumstances occur. It can be as serious as a major winter storm or as mild as a rumor that toilet paper is going to be in short supply, such that many storm the local stores until the shelves are bare.

SpaceLifeForm March 6, 2020 5:13 PM

@ Clive, Anders

Truer words could not be spoken.

Worth engraving on the earth side of moon.

“The gift of fundemental understanding is rare, the ability to push it forward into new territory is even more rare, attacking those with such abilities is unfortunately not rare and almost always found in hierarchical systems that again unfortunatly abound in human society. There is a lesson there that mankind could do with not just understanding more but learning from.”

[ we will fix the typo before the engraving of course 😉 ]

Jesse Thompson March 6, 2020 6:13 PM

It occurs to me that perhaps disease prevention would be an ideal analogy to try to convert certain “offence-first” security types. Namely, those rare few who actually reasoned themselves into that position instead of acting from emotion and who aren’t forced into a given perspective by the source of their income.

Namely, digital “infection” is a lot like organic, in that “making people and populations resilient against infection” is about a trillion times more effective at maintaining any semblance of either health or even any chance for political control than either first-striking anything that moves with biogenic weapons, or undermining the immune systems of your own population just to make it ostensibly easier to hit “terrorist”/dissidents with something as ham-fisted as Ebola.

Common sense has a pretty good handle on how impossible it is to “aim” a bio-weapon. Of course that’s going to evade all control. A literally countless number of books and movies use that as their aesop, and if not a pandemic then “bad guy summons a demon/djin/etc and then blithely presumes they can remain in control of that hot mess”.

Well, digital security is more or less exactly like that, and it’s dead simple to pitch it as such. We already use medical jargon like “computer virus”, “infection” etc to talk about various kinds of attacks!

Most nations have no first-line bioweapons (though I’m sure all of them stockpile something back in the nuclear-style arsenal of last resort) because even those in power know that’s a lost cause.

Now we’ve just got to wait for the light bulb to go off that computers and computer networks (and human/computer social networks) are not really any more predictable than how contagious illnesses will leak about carte-blanche in meatspace.

That weakening public infosec will cut one’s own knees out from under them just as fast, and that whoever prioritizes attack over defense and centralized control over edge-intelligence just makes themselves the juiciest target on the battlefield. That the first day you’ll ruin is probably one of your superior’s and that excrement still snowballs downhill back to you.

kiwano March 6, 2020 6:18 PM

I’d like to believe that, contrary to the claim that nothing is putting cyberattacks on health systems off limits, that in fact the Geneva conventions do exactly that.
They already make it either a war crime or a crime against humanity, to launch attacks against medical (and other humanitarian) facilities in physical combat. (They even define protection symbols that can be used to distinguish humanitarian facilities from legitimate targets.) It stands to reason that these norms would extend to cyber operations. Thus anyone who hacks a health system as a form of attack on another country, would be liable for prosecution as a war criminal or a criminal against humanity.

International law is certainly not a reliable mechanism for preventing these sorts of attacks from happening, but it is a definition of what conduct is in or out of bounds. Moreover, it’s a definition which stands a decent chance of placing cyberattacks on health systems squarely out of bounds.

SpaceLifeForm March 6, 2020 6:28 PM


@ Bruce, Clive, Anders, ALL

Ok, one last time to make my point about the planes. Because we are running out of countries.

New countries heard from:

South Africa

I’m telling you all, the planes are infected.

Do not travel !

Clive Robinson March 7, 2020 4:02 AM

@ Alan S,

Maybe just a delicate lot with a taste for luxurious padded loo paper.

I guess even big “rufty tufty outback types” have a soft spot :-S

Also I’m old enough to remember an almost as old euphemism going back in time to when tenement houses had the loo at the bottom of the garden. So saying “He’s outback” ment he had taken the newspaper with him to put it delicately 😉

Anders March 7, 2020 4:04 AM


From your list Vatican City is missing.

And in connection with that i think this is important:

The patient who has tested positive in Vatican City participated in an international conference hosted by the Pontifical Academy of Life last week, a local source has told the Reuters news agency.

Participants at the three-day conference on Artificial Intelligence at a packed theatre close to the Vatican itself included top executives of Microsoft and IBM, Reuters reported.

The academy issued a separate statement saying it was informing all other participants of the development by email but did not say it was the same person whose case was announced earlier by Vatican spokesman Matteo Bruni.”

SpaceLifeForm March 7, 2020 1:50 PM

Security Theatre

Fed quarantines U.S. dollars repatriated from Asia on coronavirus caution


But not bills coming back from Iran or Italy?

Allegedly, the Fed retires damaged bills.

But, I can tell you with certainty, they never deal with Ones or Fives.

I deal with this constantly. Scotch Tape.

SpaceLifeForm March 7, 2020 2:05 PM

@ Clive

So saying “He’s outback” ment he had taken the newspaper with him to put it delicately 😉

I always heard it was the Sears Catalogue.

SpaceLifeForm March 7, 2020 2:47 PM

@ Bruce, Clive, Anders, ALL

Do NOT read this link if you are still gambling on that famous river in Egypt.

Just don’t. It’s about reality.


Clive Robinson March 7, 2020 5:43 PM

@ SpaceLifeForm, Anders, ALL,

Just don’t. It’s about reality.

Well I read it, and appart from the disclaimer at the bottom, I could have written exactly the same myself.

In fact I kind of have over several comments over the past week or two…

Scott March 8, 2020 7:01 AM

Going forward, comments about the COVID-19 will be restricted to the security and risk implications of the virus. This includes cybersecurity, security, risk management, surveillance, and containment measures. Comments that stray off those topics will be removed. By clarifying this, I hope to keep the conversation on-topic while also allowing discussion of the security implications of current events.

OK, I understood. Let’s try this:

Russian vlogger visits Wuhan to do real journalism

myliit March 8, 2020 7:23 AM 18 February, w/chart

“Diseases like covid-19 are deadlier in non-democracies”

“ As Li Yuan wrote of the coronavirus in The Times last month, “As the virus spread, officials in Wuhan and around the country withheld critical information, played down the threat and rebuked doctors who tried to raise the alarm.”

Unfortunately, you could substitute “Washington, D.C.” for “Wuhan” in that sentence and it would be equally true. So far, Donald Trump’s response to the coronavirus combines the worst features of autocracy and of democracy, mixing opacity and propaganda with leaderless inefficiency.”

myliit March 8, 2020 7:41 AM

“Production is ramping up, but [coronavirus, in USA] tests — and the labs and equipment necessary to run them — are still very limited. Even where test kits are available, many states are following strict criteria for who should be tested to avoid overwhelming their labs.

Interviews with a dozen laboratory experts and government health officials reveal a six-week series of glitches, missed opportunities and delays that contributed to the shortage.

“They’ve simply lost time they can’t make up. You can’t get back six weeks of blindness,””

Sam March 8, 2020 12:05 PM

One of the worst essays of Mr Schneier.

COVID-19 does not spread because of hackers or technological weaknesses, it is spreading because of politicians!

Politicians care more about their image, money, prospect of re-election than people lives and they afraid to take harsh measures that are needed. Respect to Italy – containment is one of the rules of SANS incident handling 6 step procedure and that containment, region lockdown had to been done already several days before. Maybe someone will learn from it.

While Mr Schneier is accusing medical infrastructure of it’s vulnerabilities and Russians of their info-ops, non of this is actually important. Real people are dying. That’s important. But locking even comments down here only to security domain shows clearly that Mr Schneier does not see the whole picture clearly. Maybe US info-ops are the reason? Or being inside the cyber world too long makes real world issues go away?

Sancho_P March 8, 2020 5:35 PM

@SpaceLifeForm (@Clive Robinson)
re hxxps://

Thanks for the link, math simply explained, but spot on.
I’m glad my 2nd 1+1 post was deleted, because in the end the better option is:
Business as usual, as then (now) the small virus will save the world.
Happy Greta!

Sed Contra March 8, 2020 8:57 PM

I think @Clive Robinson’s posts over the last few weeks well outlined the math in the local term and also the endemic economic pathology of business practices that is playing a role.

W. Edwards Deming’s writings from over 40 years ago if they had been heeded would have prevented a lot of this, and, forlorn hope, might be applied now to correct things. Even earlier, in the 1920s and 30s, the writings of R. D. Skinner, one of the earliest Wall Street economic analysts, proposed alternatives to the economic strip mining that modern business and industry is highly prone to. One has to think more like a traditional farmer rather than the overlord commanding robots because nature is uncertain and “time and chance happeneth to all things”.

Curious March 11, 2020 4:45 AM

I noticed today that somebody discussed somewhere on the internet, the idea of exponential numbers and in regard to covid-19 virus infection increase, and it gave me an idea.

Given what was heard in the news about stock markets in US falling (and everywhere else presumably), I wonder if the WHO (World Health Organization) have taken into account the following theory:

The idea is that, in a world with exponential growth of virus infections, that type of horrible expponential growth graph can only grow so much before it flattens out given the limit of the human population (for first time infection), so perceptually, somebody might be tempted to speculate in the importance of such a graph, re. issues of there being a pandemic or not, and thus be motivated to manipulate the realities around that type of data by desiring a truncated version of this growth, basically “truncating” the period in which there will be some type of global panic.

Imagine a world that simply can’t realistically detect the spread of virus infections at the start of a pandemic (meaning something global). I can’t help but wonder if a nation state like USA or China, might be tempted to try game the system to simply reduce the lenght of the time period in which a stock market turns into chaos, by simply delaying or avoiding testing people for infections, so as to avoid empirical data of confirmed infections that way. The assumption is ofc that:

a) A nation state did not know about the virus spread in the first place, so there was no reason to panic (also see C below).

b) A nation sate did know about a virus spread, but also knew it was out of control, so
measures to try control it would have some effect, but wouldn’t be optimal.

c) There would be a world where a global virus infection isn’t taken too seriously.

Given this, it makes me wonder if maybe nations states have already tried to game the system in order to limit disturbances to stock markets.

Related to C above, I can’t help but wonder if, there could possibly be an ideological and political resistence in world governments in basically not really wanting to combat global viral diseases on principle, oddly enough because of how such efforts would be costly (I guess) and creating this type of empirical awareness of detecting virus spread locally and more like “in real time”, but I guess also creating this longer time period in which a virus infection spread and I guess disturbs the stock markets.

On youtube there is a recent video of a US economy reporter (who later apologized), that on the stock floor apparently thought it would be best for the world economy if literally ‘everybody’ got infected the quickest. (CNBC Host LOSES It Over Covid-19)

Curious March 11, 2020 5:09 AM


Instead of ‘truncation’, I think a better word would be “squeeze” or a “compression” of a curve on a graph for a longer period of time. I now wonder if maybe ‘truncate’ really means a cut off, of the end of the graph, which wasn’t the point I wanted to make.

A squeeze or compression would be like, when having a curve on a graph graphed, you squish the left side and compress it all to make the width less wide (the time).

Clive Robinson March 11, 2020 6:15 AM

@ Curious,

The idea is that, in a world with exponential growth of virus infections, that type of horrible expponential growth graph can only grow so much before it flattens out given the limit of the human population (for first time infection), so perceptually, somebody might be tempted to speculate in the importance of such a graph

In any such graph the “area under the curve is “the world population”. Thus what ever you do to the graph it’s self the area underneath is a constant.

You can view the hight of the curve at any slice in time as the demand on medical resources, which are finite. Thus at some point demand outstrips supply. When this happens more people die as they can not be medically saved. That is the relationship between demand and deaths is not linear.

So yes people should be acting proactively to “flatten the curve” that is extend the time it takes to go through the finite population. For two good reasons,

1, It reduces demand thus unnecessary deaths due to resource limitations.

2, It increases the length of time to find effective treatment or antivirus so that they can be applied to a greater proportion of the population, increasing the numbers who survive or do not become infected.

As with regards to what the stock market might or might not want at any given time that is generally a “game of idiocy” akin to gambling, in a game rigged by gamblers.

However when you cut through the idiotic throth on top the actual value of the stock market is dependent on two things,

1, The demand in individuals in the population.
2, The size of the population.

If 17% of the population dies due to this infection then the obviously the stockmarket will see a commensurate fall in demand.


On youtube there is a recent video of a US economy reporter (who later apologized), that on the stock floor apparently thought it would be best for the world economy if literally ‘everybody’ got infected the quickest.

Obviously does not know the basics of how economics works, because which ever way you look at it the faster evereybody gets infected then the higher the death rate is going to be, thus the bigger the reduction in deemand thus the worst possible outcome for the world economy thus the stock market.

Any one who thinks otherwise such as politicians are just “pandering to the criminals and crazies” who deliberatly manipulate the economy thus market for their own advantage.

A point citizens should not just note but think about deeply, because it strips away many of the lies we get told by politicians at the promptings of the criminals and crazies. They don’t want citizens seeing the “naked truth” that most “financial services and products” are actually “faux markets” surving no purpose other than being just another way to put in place and enforce rents on the citizens where no rents should exist…

Curious March 11, 2020 11:26 AM

@Clive Robinson who wrote:

“In any such graph the “area under the curve is “the world population”. Thus what ever you do to the graph it’s self the area underneath is a constant.”

I don’t think you understand this idea of mine, of governments “gaming the system” to keep stock market disturbances to a minimum. I can’t prove that this has to be so (and doing that isn’t of interest to me), but it seems obvious to me that a nation state might very well mix intended recklessness with gambling on having the stock markets ending up with as little disturbances as possible. Obviously, it seems like a reasonable problem that by downplaying the risks and damages of an epidemic, they can very well gamble on doing the least, to gain some more optimal miminum damage, with no real concern about the full damage, with deaths and who knows what might arise of complications of a viral infection (physical, and social).

I guess I should perhaps have clarified in advance, but I wanted to refer to a graph that involves time at the bottom and confirmed infections on the left, and appear to have exponential growth based on reported infections. The graph of this, where I live, basically sky rockets every day.

At the risk of repeating myself, it seems obvious to me, that, for any government that eventually will have to do a lot to combat a pandemic, one might as well speculate that nation states are more concerned about the stock market, than the health of ordinary people, assuming that:

1) An epidemic is already out of control, and given that nothing or too little was done, to stop an epidemic from happening in the first place or even detecting it imperically or whatever makes good sense if they had to have known that a new virus infection was spreading.

2) Nation states will benefit from suppressing, or otherwise remaining ignorant about any real trend in viral infection rates, so as to postpone the interpretation and compress that data, in a predictable time frame that as I understand would be a shorter time period, as opposed to tracking a viral epidemic globally, with a global panic that sets in earlier and presumably affects the stock market that way.

I noticed that the WHO in a video recently on youtube, stressed the point along the lines of that the world, or, I guess government must treat every life the same and iirc not stop fighting this pandemic. I would argue that one can easily imagine WHO seeing themselves blind on having nations quarter off regions to try stop the spread of a global viral infection, and thus find that to be something satisfacotry, but also forgetting that nations states should respect human life and treat the problem of a pandemic as seriously as it can.

A point I want to end with, is that I think the pandemic charts play a more important role that what people might otherwise think, and that this type of data can be directly and indirectly manipulated by nation states to manage how society perceives general risks and how stock markets react. Bascially, the idea is to try stave off a panic and a predictable distrubance in the stock market, as long as feasable.

I can clearly see a potential paradox here re. any govenrment’s world view: And one way of thinking of a paradox, is to think of two things that can’t possibly exist at the same time the way one tries to understand something in particular (in such a case, maybe not necessarily something founded on policy in a “logical sense” but something else like culture related issues). And so if the official rhetoric tend towards claiming to want to treat a pandemic very seriously, and if nation states also acknowledge that it is very bad having stock markets experience chaos or the like in a pandemic, anything that indicates a lack of willingness to show that they are serious, would imo turn their understanding of the world into question. Meaning, is it really true nation states care about people such that they treat such pandemics most seriously, or, is it all talk and bs when it really comes to the test? Basically, if they despite promises also knows they doesn’t really care that much about taking a pandemic seriously for preventing it in the first place, that would be a paradox of understanding. A word like ‘hypocricy’ wouldn’t address such a concrete problem if a nation state intend to keep such an attitude secret or otherwise refusing to discuss it, because if people in government in theory knows about a paradoxial understanding of things, but won’t tell or show to the public, whatever goes for being ‘hypocritical’ in public can’t really be solved as a problem unless ofc it is also acknowledged as such by the nation state, or you would end up having a difficult time doing anyting about that I would think if a nation state won’t cooperate with you.

Curious March 11, 2020 12:17 PM

Maybe of interest. A vidoe also video shows somebody arguing that, the covid-19 virus is apparently 10 times more lethal than the occasional flu, which I thought was interesting. Presumably it is true.

(“Exclusive: White House told federal health agency to classify coronavirus deliberations – sources”)

Curious March 13, 2020 6:36 AM

I find it interesting that, even if faced with public advisory on how to best react during a pandemic, I find it troubling that one is perhaps subject to what I think could be called perceptual management, and bad policy up to this point in time.

The basic idea is that a govenment might be tempted to basically exchange stability with public trust, which I think is a serious and a damning issue, if a government uses a “society is still working” argument in pointing out that there is plenty of food in stores, while not having done enough to prevent the spread of a virus and maybe with the hopes of seeing less of people being ill (or maybe the plan is to just wait and see how many becomes ill as opposed to doing testing).

And with testing obviously not being done on the general populace (nose + mouth swab as I understand it, assuming also that the tests actually works satisfacotry) where I live, I would ofc rather try to stay safe out in public, but if nobody cares then I find myself gambling with a potentially life threatening complications if trusting my local food store to be fairly safe to buy food. I think I can avoid touching stuff in the store with my bare fingers/hands that others touch frequenctly, but it seems all too obvious that one ought not travel through a room that may have the virus lingering in the air. And so, with the government not seemingly advocating the use of masks in public, I am very much annoyed at the prospect of not being encouraged to wear a face mask where I guess it would makes sense to use them. As has been pointed out by US medical professionals, they argued that masks can be effective but they must be used correctly. Presumably the mask itself must be treated as a contaminant to avoid the mask itself spreading the virus further. Another issue is improper fit to the face, and then, I guess your eyes are also exposed to a virus to some degree which isn’t covered with a half mask.

If it takes 7, 14, or perhaps even as long as 28 days before getting noticeably ill, it seems all too obvious that a virus could be spreading around for many days, when it probably doesn’t really have to with more appropriate precautions.

I think if ‘health information’ isn’t proper or trustworthy in the first place, I think it isn’t so much causing fear in people (maybe better with being fearful, when also being fully relevant), as it could cause a distrust which a government obiouvlsy can’t rely on for providing the health information in the first place, if ending up trivializing good practice, and replacing such with a “do-as-we-say” approach that also maybe isn’t making good sense. And should there come a time where scare mongering would be required, because somebody just messed things up beyond fixing it, or didn’t care in the first place to run society properly, then having people in society reacting to a pandemic in a trivial way again even though they ought to be scared, seems bad to me. I will argue that wanting to be ‘pragmatic’ for combating a pandemic should never be considered to be an alternative to good planning, or why trust such recklessness in either not doing, or not wanting, to plan ahead of time. And if you decide to keep things secret again, what would be going on would be anyone’s guess. I can also see how people might get ideas of ‘trust’ mixed up with ‘coercion’ if things end up being really dumb where ‘trust’ is basically demanded of you. Trust should imo always be something specific (like knowledge), otherwise it isn’t something personal and you would’t know which if you don’t really understand or approve of something in the first place.

At the risk of being wrong, but being my only comfort, I suspect that the dose of virus exposure is perhaps a factor in who gets noticeably ill among seemingly healthy people, given that this physician assistant in New Jersey become seriously ill, despite age 32, supposedly healthy and also a non smoker. I am ofc assuming that this illness was more of a working hazard, but I honestly woldn’t know for sure, it just seems reasonable for me to suspect this given that he probably interacted with infected people.

I also see a potential problem in how world society responds: If one believes WHO who pointed out that it is the sovereign right of a nation to react the way it wants, who knows how idiosyncratic any nation is in reacting to a pandemic. I find it interesting, in that any experimentation with various types of reactions (western world vs Asia for example), seems unethical if not having the goal of actually protecting people in the first place. I still remember this local news article in norway, where an ambulance driver was supposed to always open an envelope with a message inside that dictated if he was to use a life saving drug or not in that particular instance, only for creating a statistic for figuring out if the drug helped or not. The ambulance driver ended up protesting this and giving the life saving drug anyway as I remember it.

My trust is society is even less now than before, seeing as how they seem to really work against a virus spread in Asia, but over here, it seems all too casual. Any argument about not having enough medical equipment, really seems like bs to me.

Wilson April 7, 2020 2:42 PM

I have been suffering from Herpes for the past 3 years and 8 months, and ever since then i have been taking series of treatment but there was no improvement until i came across testimonies of Robinson buckler on how he has been curing different people from different diseases all over the world, then i contacted him as well. After our conversation he sent me the medicine which i took according to his instructions. When i was done taking the herbal medicine i went for a medical checkup and to my greatest surprise i was cured from Herpes. My heart is so filled with joy. If you are suffering from Herpes or any other disease you can contact Robinson buckler today on this Email address:_________________________Robinsonbucler {@ gmail}. com

From United States

Marylyn Rodriques October 23, 2020 12:56 PM

Its a pleasure for me to write this testimony about how i got my Genital Herpes cured a month ago. i have been reading so many comments of some people who were cured from various diseases by Dr .Ekpen, but i never believed them. I was hurt and depressed so I was too curious and wanted to try Dr. Ekpen, then i contacted him through his email when i contact him, he assured me 100% that he will heal me, i pleaded with him to help me out. My treatment was a great success, he healed me just as he promised. he sent me his medication and ask me to go for check up after one weeks of taking the medication. i agreed with him i took this medication and went for check up a , to my greatest surprise my result was negative after the treatment, i am really happy that i am cured and healthy again. I have waited for 3weeks to be very sure i was completely healed before writing this testimony. I did another blood test one week ago and it was still Herpes negative. so i guess its time i recommend anyone going through Herpes HSV-1 or HSV-2, HIV, HPV, Hepatitis B, Diabetes, Cancer reach him through Email OR add on whatsapp +2349062286491.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.