Now Showing: The Vaxx Security Show

Image credit: iStockphoto/Tetiana Lazunova

Most people appreciate the protection against COVID-19 provided by mRNA vaccine technology. Governments worldwide have responded well to the challenge of mass immunization.

As we move forward and evolve from pandemic to endemic, more situations require proof of individual vaccination. Ensuring public health is common sense and “vaccine passports” are already becoming commonplace.

One problem: there's no global standard for proof of vaccination, and some of the existing forms are easy to forge. Do we need stricter measures to ensure that those who present vaxx proof are actually vaccinated?

Break it to fix it

Security guru Bruce Schneier outlined the issue in a recent Atlantic essay. “After a career spent in cybersecurity, this is just how my mind works: I find vulnerabilities in everything I see,” he writes. “When it comes to the measures intended to keep us safe from COVID, I don’t even have to look very hard” — think of the flimsy, odd-sized paper cards issued by the USA's CDC (Centers for Disease Control).

It's a common trait among security professionals, who spot vulnerabilities in virtually any situation. Naturally, their first instinct is to break perceived security, and that's a useful strategy because the bad guys (online and otherwise) also think this way.

Security theater...absurd?

Schneier coined the term “security theater” in 2003 to describe high-visibility tactics deployed in airports, train stations, and other public areas “to describe measures that look like they’re doing something but aren’t.” One body that came in for its fair share of criticism: the USA's Transport Security Administration (TSA).

We feel comforted by security checkpoints

How effective was this pantomime? “We did a lot of security theater back then,” writes Schneier. “ID checks to get into buildings, even though terrorists have IDs; random bag searches in subway stations, forcing terrorists to walk to the next station; airport bans on containers with more than 3.4 ounces (100ml) of liquid, which can be recombined into larger bottles on the other side of security.”

Security theater is a scenario where it looks as though something effective is being done when it really isn't. It appeals to human nature: if we're concerned that bad guys are smuggling bags full of nasties onto our flight, we feel comforted by security checkpoints with staff wearing official-looking jackets.

Security versus convenience

There's a continuum with security on one end and convenience on the other. If a terminal attached to a network is sealed, for example, that's inconvenient if someone wants to plug in a USB stick and access those files. But if that USB stick has been compromised with malicious intent, then the terminal represents a security measure.

Another key in the security equation is motivation. Cybercriminals drop malware onto stray USB sticks hoping for easy profit. Cyberactivist groups like Anonymous launch DDoS attacks against institutions whose views or actions they oppose.

There's no global standard for proof of vaccination

But most people prefer health over illness. And civic-minded individuals also prefer that their fellow citizens also remain healthy.

That motivates civic hygiene: wearing facemasks in public and social distancing. These minor inconveniences have led to a higher level of public health security.

How effective have these public health measures been? “It's well-known that COVID-19 pandemic restrictions pretty much quashed the 2020-2021 flu season, with influenza cases falling to never-before-seen lows in the United States,” says an October 2021 article on “So little flu circulated, in fact, that some scientists now suspect that one of the major strains of influenza (Influenza B/Yamagata, one of four strains regularly included in annual flu shots) might have gone extinct, for lack of humans to infect.”

If public hygiene is already so efficient that existing flu strains are snuffed out from attrition, should we even bother checking vaxx proof?

Finding balance

Let's first look at the security/convenience continuum and find a proper balance. Schneier: “I design computer security systems for a living. Given the challenge, I could design a system of vaccine and test verification that makes cheating very hard — issue cards that are as unforgeable as passports, or create phone apps that are linked to highly secure centralized databases.”

But the price in terms of system implementation costs and data privacy is too high. “We can get most of the benefits with some pieces of paper and broad, but not universal, compliance with the rules,” writes Schneier. “We’re not looking for perfection. If most everyone follows the rules and doesn’t cheat, we win.”

Viruses don't cheat

NOTA BENE: It's illegal to forge vaccine proof, and relevant law enforcement agencies worldwide take such matters seriously. With vaccines so readily available, it would be foolish to do so, but as Schneier points out: “Many of the people who break the rules are so very bad at it. Every story of someone getting arrested for faking a vaccine card or selling a fake makes it less likely that the next person will cheat.”

High-profile enforcement also serves as good PR. In January of this year, tennis player Novak Djokovic was “set to launch the defense of his Australian Open title in the competition’s opening round, but was instead deported to Serbia,” according to ABC News (). In February, Djokovic confirmed in an MSN story that he remains unvaxxed against COVID-19.

Are vaxx proof measures security theater? Pretty much. Is it good practice? As it's backed by public sentiment, why, yes, it is.

Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IOT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].

Image credit: iStockphoto/Tetiana Lazunova