Firsthand experiences of COVID in the cybersecurity industry
This is continued from Part one: The infuriating, avoidable, destructive disaster of COVID and the cybersecurity industry, Part two: COVID if it was a cyber threat, a timeline of events, and Part three: COVID myths versus facts.
I interviewed a few people in the cybersecurity industry who have been greatly harmed in the COVID pandemic.
Frank Barton is a cybersecurity-minded sysadmin in the higher education sector. He has been very lucky to avoid COVID so far. But his family wasn’t lucky. And he lives with them! I cannot fathom the guilty feelings and worries he must have.
Crawley: How did your family members catch COVID?
Barton: “No way of knowing, but I’m assuming that it was at school. The first time it was through pool testing that the 12-year old found out (he was 11 at the time, and this was just before he could be vaccinated.)
He then tested positive with the antigen test, and then the 7-year old tested positive with PCR. This was right before Thanksgiving 2021.”
Crawley: “Terrifying. I’m so angry at how the powers-that-be have let so many children get COVID.”
Barton: “My wife tested negative while the kids were home, and I worked remotely. Then, after the kids were able to go back to school (she works at their school) we got PCR tested again, and she was positive.”
Crawley: “Damn. How did you manage to be an attentive father and husband and avoid COVID at the same time?”
Barton: “I understand the push to get the schools open. From a purely economic perspective. I worked remotely from March 13, 2020 until January 2021. Like I said, I’m not sure that I did manage to avoid it. I however tested negative multiple times through the process.
I got ‘yelled at’ by the MA at the urgent care facility when I presented with respiratory symptoms while my wife was positive, because I wasn’t having her and the two out of three boys isolate.”
Crawley: “Holy shit.”
Barton: “At a certain point, given the size of the house, and a seven year old… whoever said that isolating a seven year old was possible needs to show me themselves.
The second time through, when I took her in for the monoclonal antibody infusion, I asked if I could go in with her. They looked at me funny and asked ‘you know you’re going into a confirmed COVID treatment facility, right?’ ‘I’ve been caring for her and my son at home for the past two weeks, and I just drove her here!’”
Crawley: “Yeah. It’s unrealistic.”
Barton: “I was talking with a friend who works for Regeneron (and works on the antibody infusion line) and I guess there is some correlation between ‘testing positive’ and blood type.”
Crawley: “Weird.”
Barton: “The studies haven’t found a causal link, and it may be that type-Os don’t test well.”
Crawley: “How did you feel when you learned how many people got COVID at RSAC?”
Barton: “I wish I could say ‘surprised.’ But I can’t.
In some ways, I think disappointed is the best way of putting it. We look at risks for a living, and we talk about mitigation like it’s a second language. But having an in-person conference right now seems foolish. In some ways I am glad that I have been told to not expect travel for conferences for two years.
I also get that online conferences aren’t the same.
I participated in the EDUCAUSE CPPC online conference, which was held the week after the In person conference… the sessions weren’t the same, you don’t get the hallway interactions… but I also didn’t get COVID, which I know a number of people did. A large number…
The last conference I went to was October 2019. I met so many other folks there… in the hallway, at lunch, at dinner, at presentations… you don’t get that online, and you lose so much. But right now I’m not sure it is worth the risk.
Maine gave school employees fifteen days of COVID PTO in case they got sick, or they had to isolate or quarantine because of family members… but that has expired now, and in a family, fifteen days isn’t enough if it spreads through the family, or… heaven forbid… again.”
Crawley: “Seeing photos of all of those maskless people at RSAC angered me. Like, how shitty is their risk analysis?”
Barton: “Exactly, it makes you question other things. But part of it comes down to information. We have not been given good or consistent information over the course of the pandemic, and without good information, we cannot make good decisions.
I run the local Cub Scout pack, and one of ‘my’ parents is an ER doctor. She was appalled at some of the news coming out. While we did meet in person, we met outside, distanced, when possible… masked all the time. If there was any question about folks being sick, either they stayed home, or we cancelled meetings.”
Crawley: “I think the CDC was deliberately reckless.”
Barton: “I think the CDC was trying to play a balancing game (and failing.)
The political aspect wasn’t helping, and they had to ‘play along’ enough so that they didn’t get replaced with folks that were worse.Do I think they made the right choices… no. In some ways do I understand where they are coming from? Yeah… I don’t like it, but I get it.
Stay and water down recommendations? Or leave and have the recommendations be blown away entirely? Classic rock and a hard place.
It also comes down to terminology. We talk about patches, mitigations, work-arounds. When they talk about ‘vaccine,’ people thing ‘prevention’ or ‘patching’, not mitigation.”
Crawley: “What kind of work do you do in infosec? What impact do you think this will have on our industry?”
Barton: “I am the IT systems and infosec admin for a small private, not-for-profit, university.
In some ways COVID will have a net positive impact, but in others, it hurts.
Let’s start positive. It has shown us that the ‘perimeter defense’ model is permanently broken. We had to struggle to make accommodations for remote work in a very short time (and to be honest, we’re still learning and adjusting).
It has also opened the door to more remote work, which means that we can work from anywhere
The downside of that is there can now be the expectation of working from anywhere. Work-life balance will never be the same
Our visibility into events, logs, and so on needs to change, and in some cases is gone. I monitor and filter DNS on campus for example, but when folks are remote, I not only don’t get that same visibility, but they are outside my bubble.
When I am working remotely, I don’t have the same screen real-estate that I do in the office, when I’m forced remote because of sick family members, I know that I’m not able to give the same level of attention to tasks. The question a previous manager asked was ‘is 70% of Frank better than 0% of Frank?’
Even when I am at work, I know that there are things going on that worry me, and I’m not 100% there.”
Crawley: “So there are infosec roles that will have to be performed on site?”
Barton: “Yes, many of the on-site infosec duties can be delegated or shared, but sometimes, you have to go get hands on a laptop right now!
Offline backup is arguably an infosec duty, or at least a related duty. If the tapes are in the robot, they can be compromised. When they’re locked in the fire-proof shoebox, I have yet to see the malicious actor that can access them.
And one of the biggest parts of infosec isn’t technical at all… it’s cultural, and that’s much harder to do remotely when you don’t see folks as much.
The other thing is that everybody is tired, and tired people make mistakes.”
Crawley: “I think that millions of people will be out of the workforce due to Long COVID.
Do you have anything else to share?”
Barton: “If I look at conferences, I am disappointed in my colleagues, and angry at the organizers.”
Crawley: “I get nervous seeing people I’ve worked with directly maskless at RSAC.”
Joe Behymer has a CISSP and he works from home. He has had COVID twice so far!
Crawley: “What did you understand about COVID before you got it?”
Behymer: “I got it originally in 2020, so we didn’t know much about it. I hadn’t done anything in months but my brother works blue collar jobs and he not his coworkers we’re masking at the time kwe didn’t know). He brought it to the small Thanksgiving dinner we had and 11 out of 13 of us got it.”
Crawley: “Your brother was masking, but his coworkers weren’t?”
Behymer: “Unfortunately none were, including him.”
Crawley: “Damn it! At the beginning, the CDC misled people by saying that masks weren’t necessary.
What was your first experience of COVID like?”
Behymer: “It was like a nasty flu. I was completely in and out for about three days. Moderate fever. Never in danger, but probably the worst I’ve ever felt. I was out of breath from walking around the room I was in. Could barely walk the dogs for 90 days without being out of breath for 20–30 minutes.”
Crawley: “Did you seem to recover after those 90 days?”
Behymer: “Never fully. I had a terrible cough that’s only now getting better most of the time. I still get tired easily and sweat like crazy from doing almost nothing.
CDC definitely dropped the ball. I live in Ohio and we reacted hard in the beginning, until people showed up and threatened the director of health, and then we did nothing. I never felt back to normal. The biggest difference is smell and taste that have never improved.”
Crawley: “The CDC failed everyone. It started with them saying that people didn’t need masks, back in March 2020.”
Behymer: “Yep. Then ‘you don’t need good masks, just cloth.’
Then at the end of 2021, Delta Airlines getting the CDC to cut quarantine to 5 days (even though people are contagious for an average of ten days).”
Crawley: “And the CDC colluding with the airline industry to drop masks. No one should trust the CDC.”
Behymer: “Pretty much, unfortunately.”
Crawley: “Was there a shortage of employed cybersecurity people before COVID?”
Behymer: “In my area, there isn’t a lot of tech so it always seemed to be the other way around. But I wasn’t looking at cybersecurity positions until after COVID started, and I decided the CISO I worked under was so bad at his job I could do it better. That definitely sounds like an interesting angle!”
Crawley: “What do you do in your role?”
Behymer: “I do mostly automation around building cyber range style training labs. A lot of customized training content. We build it, hack it, and present it for players to go through the DFIR parts.”
Crawley: “Do you have anything else to add? Maybe, how do you think Long COVID will impact our industry?”
Behymer: “I think eventually we are going to end up with a large swath of newly disabled people who have high debt, and end up losing their income. I think it will exacerbate the shortage of qualified personnel in the industry and drive up the bargaining price for people who can still work. Ultimately, I’ve lost hope that things will significantly improve any time soon and we will see more and more people struggling and society will do what it does best — trample on them to fuel the engine of capitalism until we crash the system. Bleak, but it’s kind of how I see it going. Hopefully I’m wrong.”
Bob Applegate is a network security engineer who has had COVID at least twice.
Crawley: “What did you know about COVID before you got it?”
Applegate: “Where to start? That it was in the air, preventable by masks, has a longer than usual incubation period, can be asymptomatic. Probably some other things that I can’t think of. To be fair, I didn’t know I had it, I have MS (multiple sclerosis) and my MS doctor wanted me to get my antibodies checked, and I almost maxed out the number.”
Crawley: “Damn it.”
Applegate: “So I’m married and I have one kid, my son is two. My son actually got MISC, and was in the hospital for a week. MISC is a rash and fever that presents in children a month after they’ve had COVID. They took our DNA and we’re going to be part of a study to find a cause.”
Crawley: “When did you get COVID?”
Applegate: “According to my test results, some time during the 2021 Christmas holidays. All three of us got it around that time.”
Crawley: “Damn… What was your COVID experience like?”
Applegate: “Didn’t even know I had it, other than a slight burning when I breathed. Didn’t think it was anything.”
Crawley: “What prompted you to get tested?”
Applegate: “At home test. The burning felt kinda weird, and my wife is a teacher, so better safe than sorry.
Wait, I’m confusing myself, I had it twice.”
Crawley: “Fuck. What was your second time like?”
Applegate: “Second time was April 7th, I tested positive with a home test. That was the burning. My son has MISC back in… January? February? I was okay, only sick for.. Two days? My wife was wiped out, was out for a few more days.”
Crawley: “It must be terrifying, worrying about your family with COVID.”
Applegate: “Well, since we were vaccinated, and my wife got the antibody injection, it was more of a ‘wait it out’ kind of feeling. At least for the more recent bout. My son in the hospital though? Never again.
It was January 19th. Just looked it up.”
Crawley: “I’m so sorry.”
Applegate: “Thank you.”
Crawley: “I’m a big fan of vaccination. But not vaccinating enough people quickly enough last year gave the virus too many chances to mutate. Based on the medical research I’ve read, we’re only updated with 2020’s signatures. It makes me so angry.”
Applegate: “I’m a fan too, but I lost my card, and they couldn’t find a record of it in whatever system New Jersey uses, so I got lazy on the second booster. Then I got sick, but I found my card. I think vaccines are great, but if we can’t hit the numbers we need, then it’s just feels so… Fruitless, you know? Good for us, but the population gets fucked.”
Crawley: “And it’s only now that last year’s vaccines are approved for kids under 6. That’s way, way too late. Millions of kids are getting COVID again and again. Parents were lied to. ‘Children don’t get sick from COVID.’ ‘School is the safest place for kids.’ ‘Masks traumatize kids.’”
Applegate: “Well, you have to look at the sources of who’s saying that. I don’t think there were any reputable doctors saying that BS, but it all gets muddled up in the same message through the same medium. Decision makers aren’t listening to the voices of experience and knowledge, they’re just listening to the loudest.”
Crawley: “No one should trust the CDC.”
Applegate: “I do think that the CDC is messing up hard core in by constantly changing their message to placate the idiots. Haha, yeah, to put it more bluntly, yes.”
Crawley: “That’s why I try to get news directly from virologists and epidemiologists outside of government agencies.
Are you concerned about Long COVID?”
Applegate: “Yes, I am, mostly because I don’t know what will be considered a long COVID symptom and what would be my MS. I think I might be better off than some, since I get annual MRIs of my brain and spine, but having a job that relies solely on your brain functioning properly, and getting two diseases or disorders that messes with that, is really scary.”
Crawley: “I’m disabled too. The disability rights community has had a lot of insight.”
It seems like millions of people are already out of the workforce due to Long COVID.
So I wanted to explore the impact this will have on the cybersecurity industry.”
Applegate: “I still don’t feel 100% confident with calling myself disabled. I haven’t researched if I’m technically or legally considered that. I don’t have special accommodations or anything, and haven’t asked for any, because I’m not 100% sure I need it. My mother also has MS, but she was misdiagnosed for seven years, so she’s worse than me.”
Crawley: “Struggling with identification with being disabled is common. Internalized ableism is a struggle.”
Applegate: “Good to know. It’s something I try not to think about.”
Crawley: “Do you think there was a shortage of cybersecurity talent in the workforce before the pandemic?”
Applegate: “There’s a shortage of IT talent in general, and has been for a while. For cybersecuity specifically, it’s hard for me to say, since I was more on the pure network administration and engineering side until shortly before the pandemic started. Depends on how we’re classifying infosec.
Well, I guess it doesn’t, if there’s a shortage either way.”
Crawley: “With Long COVID removing lots of people from the workforce, will this make industries less secure from cyber attacks?”
Applegate: “Hard to answer. Yes? But it’s a combination of the talent pool as well as budgetary constraints. Lots of things had to get shuffled with moving operations to a Work From Home situation which companies weren’t prepared for, if they made that move. I don’t know of anyone who’s been completely taken out of the workforce because of long COVID, due to work from home capabilities.
But I also don’t think I know anyone with long COVID, so take that as you will.”
Crawley: “Do you have anything else to add before we go? About COVID, cybersecurity, or both?”
Applegate: “Um, nothing I can think of? I would like to thank you for following me! Not sure why you did, but I bought your book as soon as I noticed, haha. I hope I was helpful.”
I was so delighted to meet a fan that I forgot to ask him which book he bought. But you can buy 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business and The Pentester Blueprint (with Phillip Wylie) from Amazon in multiple formats.
