Move our pandemic, cybersecurity strategies from ‘panic and neglect’ to ‘prepare and prevent’  

Last month, I joined a panel at the University College Dublin brainstorming applications of emergent AI capabilities in responding to future pandemics. The technological potential is wildly exciting, especially with memories of COVID-19 still fresh. 

But there is a distinct danger in thinking we can just innovate our way out of problems. After all, in a report released mere months before the outbreak of COVID-19, Johns Hopkins and the Nuclear Threat Initiative rated the U.S. as the most prepared country in the world to cope with a global pandemic. For all our economic might and scientific resources, that prediction didn’t bear out. 

AI could analyze vast volumes of data to track disease spread in real time. It could recommend customized treatments for patients based on patterns humans can’t identify and speed the development of therapeutics and vaccines. It is therefore tempting to envision a different trajectory in 2020 — to think that next time, armed with AI, we’ll be ready and better prepared.  

But preparation requires preventive, anticipatory work. For pandemic preparedness, that entails developing cross-organization and cross-border data sharing agreements and data standardization, so that we have high quality data ready to feed into AI tools when the need arises. It requires investing in healthcare infrastructure and professionals. (Recall all the warnings in 2020 about overburdening the system.) 

It calls for investing in manufacturing and logistics capacities to rapidly manufacture and distribute AI-informed medication and vaccines. It requires difficult negotiation at the multilateral level to reduce the incentives that drove global vaccine inequity.

And it is in precisely these areas that we have historically fallen short. This has been referred to as the “panic and neglect” cycle, wherein our attention turns elsewhere soon after a crisis ends and the ink dries on the “lessons learned” reports, leaving us unprepared for the next crisis. And it’s not just in systemic public health preparedness that we see the detrimental consequences of short-term thinking.  

We have come to accept cybersecurity hacks as being as inevitable as the common cold, even as they affect everything from local water authorities to the ancestry company 23AndMe to the U.S. Cybersecurity and Infrastructure Security Agency itself. And the effects of cyberattacks are far more pernicious than the common cold. 

This is spelled out in the joint U.S. and United Kingdom sanctions announced in late March against China-linked hackers targeting critical infrastructure. The attacks targeted “the Defense Industrial Base, information technology and energy sectors,” placing malware that undermines U.S. national security. Like a dormant virus, that malware lies in wait, ready to be activated should geopolitics deteriorate. 

The cyber-campaign on which the sanctions are based spanned 14 years — so this was hardly a surprise, overnight attack. Indeed, we had a preview of this case a decade ago, when I led the U.S. Attorney’s Office for the Western District of Pennsylvania in indicting Chinese military hackers engaged in large-scale corporate espionage. And yet we have repeatedly underinvested in cybersecurity, leaving local and state governments and public authorities, in particular, with outdated, unpatched IT infrastructure that is highly vulnerable to exploitation. 

What can explain such negligence? The payoff of investing in cybersecurity comes in crises avoided and personal and sensitive data not exposed. Preventative action is, without a doubt, the responsible choice. But faced with spending cuts, continuing resolutions and the need to show quick, visible wins, it rarely gets the attention it should. 

There are exceptions to this: Following the 2016 election, federal and state governments have invested significant resources to increase the security and resilience of our election infrastructure. While continuing investments and efforts will be required, sustained attention to the security of our voting systems and related infrastructure has paid dividends. We are in a far better place than we were eight years ago and should be confident in the security of our votes.  

The meaningful progress made in securing our election infrastructure demonstrates that we are not doomed to repeat the panic and neglect cycle, but escaping it requires grappling with the incentives driving our political system.

From cybersecurity to public health preparedness, we urgently need to shift from a reactionary mindset to one of preparedness. That may lead to criticism that government and private sector entities are devoting resources to head off potential problems that may not materialize. But just as we proactively invest in U.S. military capabilities, so too can we argue in favor of preparedness to deter and minimize harms. 

It’s time we shift the paradigm from panic and neglect to prepare and prevent. 

David Hickton is the founding director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security. He was the U.S. Attorney for the Western District of Pennsylvania from 2010-2016.