In our much-hyped age of big data and analytics, one might expect to find a plethora of useful virus tracking tools to help us all stay safe. Do you know which global map this one is from?

Now that the deaths in Seattle officially are more than Beijing, and it’s believed virus carriers moved about Washington State for six weeks undetected and untested (450 total Americans have been tested, versus 10,000 Koreans tested per day)… visualizations of a pandemic in the US are extremely important for any safety operations center hoping to update executive management.

Instead of many, there are but a handful of options so far and some major differences. The CDC (American federal agency) for example is by far the worst of all. So let’s start there:

1) CDC is literally a state-level yes/no, is updated only once a day and appears very far behind current news. It’s essentially useless, which coincides with emerging reports of incompetence, corruption and unpreparedness.

The federal government’s anti-science faith-based response right now reminds me very much of IT executives who used to say they don’t need anti-virus software (test kits to show evidence of viruses) because they have not yet seen evidence of viruses.

True story: one time I stepped in to help a giant global company that refused to pay for anti-virus. Their faith-based management style couldn’t accept they had viruses (despite mounting numbers of computers going offline, costing them many thousands in downtime and help-desk hours).

Using basic statistics I convinced them I could bring costs down (music to their ears, despite refusing to hear that they had viruses).

Deploying anti-virus agents ($8/system in those days) meant I quickly was able to both prove there were large infections and explain exactly why they were happening (staff ran unpatched windows systems to secretly browse gambling and sports websites — get-rich-quick schemes).

Support costs plummeted from that tiny investment in science, company productivity and up-time returned, and security looked like a hero (because money was saved, not because basic science was proven to work).

That’s what I think of when I read American news stories like this one about Woz:

We have not been able to get tested [for coronavirus] in this country’…[The co-founder of Apple] said he reached out to the CDC, but received a form letter reminding the couple to wash their hands.

2) For comparison Avi Schiffmann, high schooler in Washington State, has created the best map nCoV2019.live from multiple feeds and levels of classification (reported, tested, positive, negative)

It keeps up with the rocketing death tallies in Seattle.

It shows the 2 cases in NYC.

3) The NBC map is pretty good, although not interactive, staying up to date and showing case numbers (9 dead in Seattle, 2 under treatment in NYC)

4) A Johns Hopkins map uses CDC and WHO data, although unlike nCoV2019 I had a hard time getting it to reflect current news (e.g. two cases in NYC sparking intensive searches, yet none show on the map)

5) HealthMap has more details and it’s news driven only. So those Texas dots actually represent stories that mention quarantine going well, not more important stories like the CDC “mistakenly” released virus carriers from quarantine into a busy shopping mall, let alone the numbers affected. It is basically impossible to see from the dots what’s going on in Seattle.

6) CoronaVirus.app is a weird one as it puts the Princess cruise ship dot in the middle of the US, as if it docked on the border of Kansas and Nebraska

7) University of Washington is missing a lot of data, although it does show the rapid rise of deaths in Seattle

8) The NYT map has very up to date numbers, and like NBC isn’t interactive at all. Unlike NBC, there are no fatalities shown by NYT. It’s mostly eye-candy for a story that follows as you scroll, which reveals that community spread is known to be happening all over the West Coast of the US even though testing has barely started.

In terms of raw statistics, and given that preliminary data says 3.4% of Covid-19 cases have been fatal (far higher than flu), JAMANetwork and Stat both provide the following:

• 87% of China cases were in people ages 30 to 79
• 8.1% of cases were 20-somethings, 1.2% were teens, and 0.9% were 9 or younger
• 2.3% of confirmed China cases died with fatality rate of 14.8% in people 80 or older
• 1.3% China fatality rate in 50-somethings, 0.4% in 40-somethings, and 0.2% in people 10 to 39
• About half of the 109 Covid-19 patients (ages 22 to 94) treated at Central Hospital of Wuhan developed acute respiratory distress syndrome (ARDS), in which fluid builds up in the small air sacs of the lungs.
• Half of ARDS patients died, compared to 9% of patients who did not develop the syndrome.
• ARDS patients had an average age of 61, compared to an average age of 49 for those who did not develop ARDS
• China fatality rates are 1.7% for women and 2.8% for men
• High fatality rate of Covid-19 in already-sick people might result not from the virus but from an exacerbation of existing disease. About 60% of U.S. adults have at least one underlying health condition

If you know of any others feel free to add in the comments or send to me and I’ll add them here.

---

Update March 4th: CDC has improved their map from binary yes/no to reflect number of cases per state. It’s still far behind other maps in accuracy and timeliness. Texas is set on the map to “none” for example despite multiple news sources publicly discussing CDC mismanagement of its own cases in Texas (at least six under quarantine at Lackland Air Force Base, one released into Texas prematurely).

Update March 5th: Singapore has an amazing dashboard at co.vid19.sg, better than everything else I’ve seen so far and more what one should expect from a government.

Update March 10: It’s been many days of errors and yet CDC maps still are broken; aren’t showing Alaska as part of the United States.

The 1point3acres “real-time” update map is good, making state tallies easy to see and clickable to see latest reports.

I find an “Unsettled Question of Offense vs Defense in Cyberwarfare” article quite misleading. For example it frames the problem state as this:

…there is the belief that cyber weapons are different in that they favor the offense. Cited for advancing this argument are the plethora of computer vulnerabilities, the low financial cost of hacking, and the lack of penalties for discovered attacks.

Simply turn that around and the attackers are riddled with vulnerabilities, are inexpensive to counter-attack, and penalties are minimal if discovered.

Ok, so the last point may not be true, which is why defensive teams tend to never talk about defensive measures used to counter-attack and “destroy” attackers (where disclosure can sometimes mean destruction of the defensive tactic).

More to the point, it hasn’t been proven beneficial for defensive teams to expose counter-attack methods, and that gives the impression of a debate being unsettled.

While some might say there’s a deterrence possibility for exposing defensive capabilities, a much larger issue is counter-attacks are rendered less-effective when known beforehand. Also any counter-attacks given widespread exposure, or self-defense methods if you will, can get mired in legal and regulatory channels that take a very long time to resolve.

We’ve written about strategic advantages of active defense for almost a decade on this site, so hopefully it’s not news to anyone.

Also I find the article’s cyberwar definition a bit wobbly:

Cyberwar, like its regular counterpart, requires material damage such as destroying assets, disabling weapons that rely on digital components, and disabling the critical infrastructures that power the machinery of war. It is these physical effects, and how they complement military actions, which determine whether a weapon is defensive or offensive in nature.

Physical effects don’t determine defense or offense. Cyberwar doesn’t require material damage any more than a tradewar does.

And I disagree here too:

If the offense has the advantage in penetrating systems, the defense has an offsetting advantage in understanding their own complex systems.

As I said above while the defense may have the advantage in penetrating attacker systems, an attacker also may understand defensive systems better than the defense.

I’ve seen many defensive teams mostly unaware of how their own environment works, while attackers (or auditors for that matter) spend significant time documenting things carefully to prepare their best entry point and cascading damage. Heartland is a great example of this. The exfiltration of cardholder data was masterfully baked into existing business processes and therefore undetected.

Here again, I disagree:

Not only do cyber weapons require specialized skills to deploy, but the operator must also understand the targeted analog system to achieve their desired effect.

Many weapons are commodity based now and used blindly. Metasploit brought the skill level down dramatically, for example. Load a new module to the running platform, fire and forget. Some weapons are so unskilled and untargeted they’re running all the time all over the Internet just hoping someone, like an oil platform or a factory, becomes a victim.

Finally, on this next point I agree somewhat:

…we do not know what effect cyber weapons will have on mechanical military systems, their tactical or strategic value in war, or how lasting those effects will be…

Hard to predict the future, yes. However we have a pretty good idea that any system lacking basic controls by default (e.g. authentication) will be devastated by simple attacks as well as hard to defend against (e.g. people grabbing weak templates and deploying faster than fixes or configurations can be updated).

The chance of widespread outage on weak systems makes cyberweapons of strategic value, both for attackers and defenders. Although I believe we will continue to hear a lot of news about attackers exploiting vulnerabilities, and little to nothing about defenders doing the same.

Case in point, there’s a very recent BBC story in India:

fraudsters had the tables turned on them as YouTuber Jim Browning was able to hack into the call centre and access recordings of scam phone calls and even watch live CCTV footage exposing the criminals at work… Indian police raided the premises of Faremart Travel Private Limited in Gurugram, within hours of the videos being released.

Further back in 2013, there’s a story that nobody reported about the giant PR campaign “skyjack” being vulnerable on launch. Skyjack very proudly accumulated press names like a tin-pot dictator in a polyester suit covered with shiny badges:

Press: Ars Technica TechCrunch BBC NBC Huffington Post VICE Mashable Gizmodo Engadget Gizmag NewScientist The Escapist Tom’s Guide Popular Mechanics Discovery Entrepreneur Washington Times eWeek Hack-a-Day ThreatPost RT PC Mag Slashdot ComputerWorld Mother Jones

That’s a ridiculous amount of air time for a broken perl script.

Likewise, the skyjack videos start with the camera pointed at the author’s face and mostly are him being a talking head. Social entry feels like an understatement for attacker motivation here.

In any case within hours or release, he was forced to update the code when Afan Ottenheimer spotted bugs in the code and easily knocked skyjack out.

I tweeted about it December 4 of 2013 and while that led to a fix and initial credit, the author then removed credit to others and covered up that flaws were reported by defenders publishing the incredibly stupid class of bugs in skyjack:

As I said before, attackers are riddled with vulnerabilities, are inexpensive to counter-attack, and penalties…well, they may be minimal if discovered but you can be sure attackers also don’t give anyone else the kind of credit they crave.

Update March 4th: A defense analysis article called Error 404 reminds us of a 2007 infiltration of computer systems to disguise kinetic measures.

A cyber attack was delivered into the Syrian IADS which presented a false live recognised air picture to Syrian air defenders which masked the radar tracks of the incoming Israeli jets.