There is an analogy to be found between the Ebola virus and the ILOVEYOU computer worm, between new strains of tuberculosis and new variations of Michelangelo, between viruses that hide in jungles or slums or hospitals throughout the world and viruses that prowl cyberspace.

Jeff Williams, an Internet security expert at Exodus Communications, expounded on these similarities and vulnerabilities in a paper titled "Just Sick About Security" (Proceedings of the New Security Paradigms Workshop, 1996). Like computers, he wrote, people are "made up of many distinct but tightly integrated systems." Like computers, "real human interfaces cover a wide range of signals" and, like computers, "people's internal interfaces also have protection mechanisms."

"One of the most telling similarities between human health and computer security," Williams wrote, "is the impossibility of accurate measurements. How do you ever know that you are healthy? Or secure?"

Williams concluded that both humans and computers need regular "intrusion detection" checkups to combat threats from viruses and parasites, from credit-card and bank-transfer cyberheists, from the theft of priceless proprietary files or from distributed denial-of-service attacks.

Indeed, Williams said, we need a veritable computer health-care system, and he argued that we can learn what steps to take or avoid in developing such a system by studying how well or how poorly human health-care systems function.

In the Real World

Everywhere, the forces of corruption, ignorance and economic duress conspire to gut any chance that beleaguered and ill-conceived health-care systems might have against all the threats to public health.

If we accept Williams' parallels between health care and computer security, it should be obvious that governments must develop and maintain well-functioning public systems to protect both. It's only when computer systems fail that we understand that bits and chips are as much the stuff of modern life as blood and bone.

According to Laurie Garrett, author of Betrayal of Trust - the Collapse of Global Public Health, a bioterrorism attack may be the most useful and instructive medical analogy in examining the spread of a computer virus, since both are deliberate attacks against humans. But what that analogy suggests is not cause for optimism. Huge federal expenditures allocated to combat bioterrorism over the last four years appear to have been spent unwisely. Of the $8.4 billion budgeted for bioterrorism in fiscal year 2000, for example, only 3.7 percent, or $315 million, is devoted to the people and institutions that will actually confront the crisis: nurses, doctors, public health clinics and hospitals. According to Garrett, most dollars spent to defend against bioterrorism have been absorbed by Department of Defense programs, the National Guard and law enforcement.

"The concept of protection against bioterrorism has tilted toward a model that will never work," Garrett said. "Law enforcement is institutionally paranoid because that's their job - be paranoid, to constantly see the potential of crime. When a crime occurs, law enforcement marches in, clears the area, sets up a crime investigation scene and tries to track down the perpetrator."

Which, in the case of bioterrorism, is exactly the wrong thing to do.

"Public health, when such a disaster occurs, does the exact reverse" of law enforcement, Garrett said. "It marches into the area of contamination, quarantines it off, identifies everyone who is potentially infected and does everything in its power to stop the epidemic, first and foremost. To hell with evidence. If the evidence is destroyed in the process, who cares? You've saved hundreds, thousands, maybe millions of lives."

The Core Problem

Public health, when it is functioning well, is invisible. It becomes visible only when it ceases to function well, when there is an epidemic or an outbreak of meningitis. Only then does the public get a glimpse of how fragile the system really is and why it needs to be continually supported and maintained to ensure that health crises don't crop up. The same is true of computer health and security infrastructures. You wouldn't know it was working well as long as viruses, intrusions and computer thefts were rare, not commonplace.

Today's computer health-care system doesn't work in the public's best interests. When some people can buy bottled water, they can opt out of the community water system. When some people or businesses can purchase their own computer security, they're complacent about others' lack of security. But this is the kind of thinking that would have kept us from stamping out polio, a disease from which no one was safe - even President Franklin D. Roosevelt. No one could truly be safe from the disease until government resolved to protect everyone.

The same is true with computer security: The very nature of the network, from a three-node Ethernet to the global Internet, dictates that there is no security for one without security for all.