Recently we spoke to James Seligman, CIO at the Centers for Disease Control and Prevention, on H1N1 flu preparedness. We also discussed the parallels and differences between human and computer viral infections, which Seligman knows well: CIO since 1999, he originally joined the CDC as a quarantine inspector in 1977.
As CIO of the CDC, you consider both the viruses that infect computers and the viruses that infect humans. Do you have any insights you could share on the relationship between the two?
Seligman: There are similarities, although in the human virus cases -- at least so far -- they haven't been purposeful or manmade. So the intentionality of computer viruses makes them, in some ways, more difficult because they are cleverly engineered for nondetection, for rapid spreads, for spear phishing to entice someone to click on a link that automatically downloads malware.
What do you find more frightening, then -- the swine flu or Conficker?
Seligman: My personal opinion is swine flu, or H1N1, or any other pandemic influenza or serious human virus because, quite frankly, it can kill people. But the devastation of a computer virus can be very serious as well, whether it is disruption of the Internet or communications capability or malware creating a denial-of-service attack on really critical infrastructure of the country or the world.
What interesting parallels are there between computer and human viruses?
Seligman: First is the speed of transmission. In the case of computer viruses, it can happen in milliseconds and infect thousands or even millions of computers and servers around the globe, in just hours. Human viruses don't spread quite that rapidly, but the spread of H1N1 in the grand scheme of things has been quite rapid, such that many, many thousands, if not millions, of people have become infected in a relatively short period of time.
There are also parallels regarding detection and prevention and mitigation strategies. In the human virus world, particularly around influenza, we talk about wearing protective devices such as respirators, doing frequent hand washing and social distancing. In computer virus terms, unplugging your computer from the Internet is usually one of the first and best temporary courses of action; [then] inoculating the machine with the latest update of detection or prevention software. But just like immunization for influenza, it is not perfect. You can have zero-day viruses, viruses that have just been engineered and released into the wild, for which there is no pattern recognition or prevention software out there.
Do you think that being part of an institution that focuses on potential disasters -- in this case, caused by diseases -- makes your job easier or harder?
Seligman: In one regard I would say it is easier, and that is in communicating to our workforce around this issue, since they are all sensitized or very knowledgeable to the main mission of CDC and the lingo and parallelism of spread, protection, epidemiology, case investigation and so forth.
In the case of computers, forensic examination of computers is quite analogous, or similar sounding to them. I imagine it is more difficult if you are working in a manufacturing company, for example, for people to really understand what the threat is, why you have to make investments in this area to prevent the introduction and spread and detection of computer viruses.
Seligman: We are constantly probed and scanned to the tune of hundreds of times per second, 24 hours a day, 365 days a year. And that speaks to the quality of our prevention program and the walls we put up.
Yes, our website has been attacked and occasionally -- rarely -- successfully. We had way back when, quite a number of years ago, some website defacement episodes. More recently, a couple of years ago, we had a cross-site scripting malware problem, where they inserted some bad code in our website to infect people who visited it; it was a very limited portion of our website, readily recognized and we shut it down immediately and cleaned up.
You are situated in Georgia, so hurricanes are a threat. Is the kind of planning for a disaster such as a hurricane completely different from an infection like H1N1 or, for that matter, Conficker?
Seligman: In the IT world, not completely different. We have been doing continuity of operations planning and disaster recovery planning and real exercising and occasionally some implementation -- and I can give you an illustration of that,, which was 9/11, where we had to evacuate this main campus.
But the bottom line is, regardless of the threat vehicle, whether it is a hurricane or a tornado or theoretical terrorist attack or computer virus introduction that was major and caused systems to shut down or caused us to disconnect from the Internet or whatever -- all of these scenarios are planned for and considered in our continuity of operations and disaster recovery capabilities.
So our mission-critical systems are replicated to a disaster recovery site that is distant from our main data centers. We have real-time replication of data going to those centers, just like Wall Street does or the airline industry does for their reservation systems.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer