COVID-19, CyberSecurity, and Epidemiology

Ninghui Li

COVID-19 is shaping up to be among the biggest disasters for humanity since World War 2.  Hundreds of thousands (if not millions) will die from it, and the financial damage is going to be trillions of dollars.  Like the SARS coronavirus of 2003 and Middle East Respiratory Syndrome coronavirus of 2012, COVID-19 was believed to have originated from coronavirus in Bats. Clearly, this is not going to be the last time such a pathogen spillover event occurs, and we need to learn from the experiences with COVID-19 in order to be better prepared for the inevitable future spillover events.

My March 8 Open Letter

On March 8, I wrote my first open letter on COVID-19, arguing for the urgent need for the United States Governments and the public to immediately adopt aggressive social distancing policies to contain the spreading of COVID-19.  In the letter, I noted that COVID-19 is extremely contagious.  From data reported by China, S. Korea, Italy, Germany, Spain, which were the countries that had the most confirmed cases at that time, one can see that once community spread takes hold, the number of cases starts exponential growth, doubling roughly every 3 days, until aggressive social distancing and other containment efforts were able to slow it down.  On March 7, there were 435 confirmed cases in the US.  Twenty days later, on Mar 27, that number surpassed 100,000.  In twenty days, the number of confirmed cases in the US grows 240 times, or doubles roughly 8 times.  In the March 8 letter, I predicted that "the number of confirmed cases in US will increase at least 10 folds in 10 days, to 4000 or more (and possibly as high as 10,000) by Mar 17."  The actual number was 6344.  The main uncertainty I had when making the prediction was to what extent the US testing capacity would pick up during the 10 days period.

On March 12, I added an executive summary to the open letter, concluding that: "COVID-19 is 20 times as deadly as flu, and will result in a very high hospitalization rate.  Even if just 0.1% of the population (330,000 in the US) are infected, the health care system will be collapsing.  When spreading reaches that point, society and governments will have no choice but to enforce drastic social distancing practices to curb its spread. This is inevitable.  Acting earlier rather than later will lead to much smaller disruption and economic cost, shorter duration of drastic social distancing, and saving the life of thousands or more people."

In the letter, I laid out three scenarios.  Scenario A is that "The US government takes decisive and proactive actions today and leads all countries fighting the potential devastation by COVID-19 in a coordinated effort to enforce aggressive social distancing measures to contain the spread.  Looking at situations in China, this should be able to contain the virus in 4 to 6 weeks. Life should be able to return to normal by June or July.   Total number of cases in the US may be in the tens of thousands, with hundreds of deaths. There will be economic and other kinds of pains and suffering, but these are unavoidable."

Scenario B is that by March 22, the number of confirmed cases will top 10 thousands.  Health care systems in states starting with Washington, California, New York will be strained like Northern Italy today.  US government may have to adopt drastic social distancing measures similar to locking down entire cities.  The best case scenario is that the spreading can still be contained by these measures to be about 10 to 50 times the size as under Scenario A, i.e., with hundreds of thousands or a few millions of people infected, and thousands or more deaths. It will take longer for the lockdown effort to be effective because of the scale of spreading. It may be August or September before life can return to normal. And the economic damage will be a lot higher than Scenario A.  

Scenario C, the worst-case scenario, is that spreading cannot be contained, and we are looking at situations predicted by some experts, with up to 70% of the population infected [1].  Local communities will still try any conceivable containment method.  Economic and social activities will be greatly disrupted. At least 20% of the population over the age of 70, as well as significant fractions of other age groups, will die while waiting for medical care, with family members desperately looking on.  The situation looks to be at least as bad as the Spanish flu. We may be looking at the worst humanity and economic disaster since World War 2.  The remaining hope after the devastation is that either virus mutates to a milder form, or effective vaccines can be developed before the next wave hits.

In the early morning of March 9, I sent the letter to the Purdue University administration, Senators from Indiana, the congressman representing my district, and the white house website, hoping against hope that it would be able to wake up the government to the rapidly approaching disaster.  Later I sent the letter to local news outlets and leading newspapers in the nation.  I was happy and emotional when on March 13 I saw the news conference where a national emergency in the United States was declared and leaders of the healthcare industry and government officials came together to unite to fight COVID-19.  However, my optimism was short lived.  I gradually realized that actions taken by governments at all levels and the society as a whole were still too little, too late.  

My March 14 Open Letter.

By Mar 12, many people are sounding the alarm for immediate action.  For example, on Mar 10, Tomas Pueyo wrote an excellent article titled “Coronavirus: Why You Must Act Now”.  At the same time, the United Kingdom and Germany appeared to be adopting the Herd Immunity approach of letting the virus spread.  (They changed course a few days later.)  I had also received some questions and feedback from readers of my first letter.  I therefore wrote a second open letter on Mar 14, aiming to convince the public that it is the duty and responsibility for every one of us to conduct the most aggressive social distancing measures we can afford.

In the letter I claimed that COVID-19 “Must and Will Be Eradicated Like SARS of 2003”.  I wrote that “Letting COVID-19 spread will overwhelm the healthcare system and lead to devastation humanity cannot afford. COVID-19 must be eliminated.  In my opinion, this deadly combination of extreme contagiousness and heavy burden on the medical system also means that COVID-19 will be eliminated, for the reason that humanity simply cannot let COVID-19 continue to exist.”

To illustrate these points, I introduced a simplified, generational model to analyze the spreading of COVID-19.  This model assumes that patients come in generations.  There are three key parameters, with any two determining the third.  

Using this simplified model for COVID-19, starting with X patients in Generation 0, then we have X*B number of patients 14 days later (Generation 1), and X*B*B patients 28 days later.  Clearly, if B>1, we have an exponential growth, and if B<1, we have exponential decay.  For COVID-19 to double every 3 days under this model, we need DTR of , or about 1.8.   A more realistic model should consider the dynamics of daily patient population and the changes of infectivity over the period one is infected.  However, that would be more complex and difficult to explain.  The message is the same whichever model we use.  

If the society can reduce DTR to 0.02.  After one cycle of 14 days, the patient population size is 0.02*14=0.28 that of the original.  Even starting from an infected population of 3.3 million, exponential decay can bring the number down pretty quickly.


Day 0

Day 14

Day 28

Day 42

Day 56

Day 70

Day 84

Day 96

Infected popul. size









Somewhere around Day 60, when there are less than 20000 patients, if people at risk are thoroughly tested so that the public can clearly identify almost all patients, then only the patients need to be isolated, the rest of the public can go back to normal life.  After Day 96, it would take 3 more cycles for the number of patients to be in single digits.  But very few people’s life needs to be affected in that phase.  

Another observation from this simple model is that, due to the rapid exponential growth, the only rational choice is to apply all feasible ASD measures at once.  No matter how much ASD effort we have already taken, any additional measure that has reasonable cost will pay for itself, because it will greatly shorten the time it takes to contain and eradicate COVID-19.  If the measures already taken are unable to reduce the DTR to less than 0.075, we will still see exponential growth, just at a slower rate.  Below that, reducing DTR further will greatly shorten the time it takes to eradicate it. The following table shows the effect of different DTR in the generational model.









#cycles to half population size








Reducing DTR from 0.06 to 0.05 shortens the time it takes to contain COVID-19 by half.  Reducing DTR to 0.04, further shortens it by 40%.  

Reducing Daily Transmission Rate (DTR) is something every one of us can contribute to.  By reducing DTR, we help the society to contain and eradicate COVID-19 faster, reducing the total cost caused by ASD measures. Any action that risks transmission of COVID-19 adds cost to the society, because it extends the time it takes to contain the virus.  The letter thus calls for everyone to practice the most aggressive social distancing measure one can afford, and convince more people to do the same.

This analysis also illustrates the difficulty of the (natural) herd immunity approach, i.e., let the virus spread with a low level of intervention.  COVID-19 has a DTR of 1.8 (based on 14 days generation and doubling every 3 days).  If we want  to flatten the curve to the extent that the number of cases doubles every 30 days instead of every 3 days, we need to reduce DTR from 1.8 to 214/30 (about 0.1).  This requires a very high reduction of the level of human contact, and can be achieved only with very high societal cost.  If the society is able to reduce it from 1.8 to 0.1, then a further reduction to 0.03 or lower will lead to rapid exponential decay of the number of cases.  Furthermore, no one knows the exact degree of effectiveness of the different social distancing measures.  If society is already paying the huge financial and societal cost of shutting down most of the business and other activities, the rational choice is to apply the most stringent ASD measures, in order to shorten the period of suffering.

As of the end of March, my prediction that COVID-19 will be eradicated appears to be wrong.  In my opinion, this is because COVID-19 is not deadly enough for society to  quickly mobilize and act decisively to eradicate it.  Somewhat ironically, had COVID-19 been 5 times more deadly, it probably would have been fully contained by now, because we would have acted earlier and more decisively.  Had COVID-19 been 10 times less deadly, letting it spread to gain natural herd immunity is perhaps the right approach.  Either situation would have resulted in much less cost to humanity than COVID-19 does now.

If COVID-19 cannot be eradicated, it appears that the most likely outcome is that aggressive social distancing mechanisms will bring it under control, followed by vigilant containment effort to keep it under control, until effective vaccines are developed and widely administered.  That is, humanity will eventually gain herd immunity, with a small percentage gaining immunity through exposure, and the vast majority through vaccines. While experts insist that at minimum it takes between 12 and 18 months to deploy vaccines, I want to note that while the 2009 pandemic HIN1 flu virus was identified in April 2009, vaccines for it were widely administered by November 2009.

Cybersecurity Knowledge for Analyzing Pandemics

My research interests are in cybersecurity and data privacy.  While I was aware of the impact of the COVID-19 in China, I started examining COVID-19 numbers carefully only on Feb 27.  My son signed up for his high school orchestra's Spring break (Mar 14 to 21) trip to Orlando, FL, and I needed to decide whether he could go.  He had been looking forward to the trip for a year, so I needed solid reasons if I decided that he could not go.  The case numbers in the US were low then.  On Feb 29, CDC reported there were 22 domesticate cases and 47 cases from evacuees from Wuhan and the Diamond Princess cruise ship.  However, the numbers from other countries where COVID-19 started spreading earlier showed a clear exponential growth.  Each day the number of total cases is about 4 times the number of new cases for that day, meaning approximately 33% daily growth rate.  This pattern eerily held for every European country with significant number of cases every day.  The growth reminded me of the early phases of internet worms spreading.  When I saw the US case number started this trend on Mar 1, and the trend continued the next day, I immediately knew that the situation will be dire unless drastic actions are taken.  While I easily convinced my son that he should not go (he understands the power of exponential growth), I was hooked to looking at the numbers every day.  

I started engaging others in the discussions on COVID-19 on March 3, mostly on wechat groups, with my former classmates from high school and college, and other professional groups and alumni groups.  I found that few people saw the same things as I did.  I had resigned to simply sit back and watch the situation develop.  However, after reading Testimony of a Surgeon working in Bergamo on Mar 8, I was deeply touched.  The doctor’s first-person account turned the abstract numbers in my mind into vivid human suffering.  I felt anxious and frustrated.  I told my friends: “I am watching a train wreck going to happen, yet can do nothing to help.”  After sending that message, I began to think maybe there is something I could do. I could share my observations and analysis and try to influence the situation.  

Later I reflected on why so many people did not see the danger.  Most people I interacted with about COVID-19 are highly educated and highly intelligent.  Many have PhDs, and the majority of others are successful professionals in high tech companies. Gradually I realized that my professional experiences of learning, teaching and conducting research on cybersecurity does provide some perspectives that are not widely shared.

Perhaps the most important factor is my experiences teaching the spreading of internet worms such as the Morris Worm, the Code Red worm, Nimda, the SQL Slammer, etc. That was one of my favorite topics to teach in courses on security. These provide vivid examples of pandemic.  All follow the same trend of rapid exponential growth until saturation. For example, the CodeRed worm infected more than 359,000 computers in less than 14 hours, and SQL Slammer, which targets Microsoft's SQL Server and Desktop Engine database products, was able to infect most of the 75,000 vulnerable targets on the internet in mere 10 minutes.  Having these concrete examples helps me see the inevitability and danger of exponential spreading.  Without concrete examples, even if one intellectually knows that exponential growth is occurring, one may not share the same conviction and sense of urgency.  In addition, the main damages of these internet worms are in the form of resource exhaustion.  For COVID-19, the critical resource is health care capacity.  Once I saw the account from the Italian doctor, I knew the situation is only going to get worse, and is going to happen everywhere if COVID-19 is not controlled.

There are other more subtle, but perhaps equally important influences from my cybersecurity experiences.  First, in security one does not just look at what has happened and is happening, but constantly need to think about what will happen under different adversarial capabilities and defense mechanisms.  Indeed, when security is done right, what one sees is that nothing happens, because the bad things are prevented. On the contrary, many people just look at what is happening now.  This is amply reflected in the vast majority of journalistic reports on COVID-19.  Second, when the situation is not dire, many people just instinctively feel that the worst-case scenario won't happen, even if there is no evidence to support that.  However, the more experiences one has in security, the less room one has for wishful thinking regarding threats.  When I taught cryptography, I often told students that one of the goals of the course is to scare them enough so that they will not develop a cipher themselves and think it is secure, and will assume any algorithm that has not been subjected to rigorous scrutiny and cryptanalysis is insecure.  Similarly in software security, many vulnerabilities appear extremely difficult to be exploited, yet inevitably people find out ways to exploit them.

Suggestions for the Fields of Epidemiology and Infectious Diseases

In my opinion, many (perhaps most) experts in the fields of epidemiology and infectious diseases have underestimated the danger of  COVID-19, at least until COVID-19 hits their respective countries and regions hard.  The same is true for the general public and many politicians.  In my opinion, one reason is that the main terminology and concepts that are used in these fields hide rather than illustrate the danger of fast-spreading viruses like COVID-19.  These terminologies and concepts also permeate reporting and public discussions on COVID-19, obscuring the true danger of COVID-19.  Below I list three suggestions for these fields.  

Suggestion 1. Use the concept of Base Doubling Period for measuring the contagious diseases.  

By Base Doubling Period, I mean the number of days it takes for the number of cases to double without intervention.  It is analogous to the notion of half-life for radioactive decay.  Currently, the main measure of disease contagiousness is the base reproduction number R0, which is the average number of people who will catch a disease from one contagious person.  While R0 is important, it fails to capture the time aspect of transmission, i.e., how long does it take for new patients to be infected.  For example, HIV has an estimated R0 of 2-5, which is actually higher than the estimation of COVID-19 (1.4 to 3.9) [5].  However, transmitting HIV to 2-5 patients may happen over years, and the COVID-19 transmissions take days or a few weeks at the most.

Had the experts focused their attention on estimating the Base Doubling Period instead of R0, the world likely would have realized earlier that the Base Doubling Period of COVID-19 is between 2 and 3 days.  For the public and government officials, something that doubles every 3 days is clearly an urgent matter that needs to be dealt with promptly.  Something that has an R0 of 3, on the hand, is unlikely to induce urgency, especially since many diseases have much higher R0 (e.g., measles has R0 between 12 and 18).

Suggestion 2. Use Cumulative Fatality Rate instead of Case Fatality Rate for diseases that are actively spreading.  

Case fatality rate is computed by the number of deaths divided by the total number of confirmed cases.  I have seen countless news articles discussing the case fatality rates of this and that nations.  For example, one article on March 5 marvelled at the fact that S. Korea's death rate is just 0.6%, far lower than in China.  However, the total number of confirmed cases is the sum of three numbers: death, recovered, and active.  Since the active cases will result in either death or recovery in the future, dividing by the total number gives a distorted and falsely optimistic picture of fatality.  By Cumulative Fatality Rate, I mean the number of deaths divided by the sum of the number of deaths and the number of recovered.  The following table gives a snapshot as of Mar 29, from  I added the two fatality rates.


Total Cases

Total Deaths

Total Recovered

Active Cases

Case Fatality R

Cumulative Fatality R


















































S. Korea







For a nation where most of the cases have been resolved (such as China), the two rates are very similar.  Of course, both rates will be distorted by how many people are tested; Cumulative Fatality Rate, however, does not artificially bias the number by implicitly assuming that all active cases will live.  An unusually high Cumulative Fatality Rate can be caused by three factors: (1) under testing so that many mild or asymptomatic cases are not discovered; (2) a population with high percentage of older people; and (3) hospital systems overwhelmed so that many patients that could have been saved are not.  In my opinion, the above numbers from the USA and UK are primarily influenced by under testing, and the degree of under testing is much worse in the UK than the USA.  Italy is affected by all three factors.  China locked down Wuhan and other cities in the Hubei province on January 23, forbidding people to leave the cities.  At the same time, most other provinces are enforcing versions of Stay at Home, with various other containment mechanisms.  While these actions have huge costs, both economically and in terms of personal liberty, they resulted in low numbers of cases in other provinces.  As a result, while hospitals in Wuhan were overwhelmed in late January, China was able to mobilize 42,600 doctors and nurses from around the country to move to Hubei to treat the 67,000 patients there.  

S. Korea conducted the most thorough testing. From daily reports from Korea CDC, in the 3 weeks from Mar 8 to Mar 29, S. Korea conducted around 205,600 tests, with 2449 positive cases, for a 1.2% positive rate.  As of Mar 29, S. Korea conducted 379,113 tests, with 9,583 positive cases, for a 2.5% positive rate.  The low positive rates and the fact the number of new cases increases very slowly in S. Korea both suggest that few cases are missed.  Thus S. Korea data provides a good source for estimating the eventual case fatality rate, which will be between 1.6% and 2.9%.  My estimation is that it is likely to be close to 2.5% at the end.

Some researchers use the number of deaths divided by the number of confirmed cases on a day in the past (e.g., 14 days in the past) to deal with the problem of incorrect estimation.  That approach, however, requires additional assumptions regarding the average length from detection of a case to outcome (either death or recovered).  It can result in fatality rate of higher than 100% when there were severe under testing at earlier stage.  The cumulative fatality rate is both easy to understand and easy for anyone to compute based on one day's data.  It also avoids the needs for estimating other parameters.

Suggestion 3.  Use mortality rate instead of case fatality rate when comparing a new virus (such as COVID-19) with existing diseases such as the seasonal flu.

According to Encyclopaedia Britannica, mortality rate is computed by dividing the number of deaths by the population at risk during a certain time frame. Many experts have used 0.1% as the fatality rate for seasonal flu when comparing with COVID-19, and I did the same in my first open letter.  CDC’s estimation of 0.1% was obtained by using estimated death due to flu for one year (averaging between 30,000 and 40,000) divided by the estimated number of flu cases, which is around 10% of the population. That is, the 0.1% rate is based on the assumption that about 90% of the population do not get the flu in one year.  In other words, the mortality rate of flu in one year is 0.01%.  I also want to note that CDC’s estimation of fatality rate for the 2009 pandemic H1N1 virus in the United States is 0.02%, based on the assumption that 60 million people are infected.  

If one understands that the mortality rate of flu is 0.01%, one would not consider a fatality rate of between 1% or 2% to be low.  When letting COVID-19 spread for one year, it is reasonable to expect that at least 50% of the population will be infected since people have no immunity and COVID-19 spreads very fast.  The WHO estimates a case fatality rate of 3.4%, and China’s CDCP estimated numbers are 2.3%. These are broadly consistent with what one can infer using data from S. Korea.  Using a 2% case fatality rate on 50% of the population yields 1% mortality rate, which is 100 times that of flu.  Comparing COVID-19’s 2% case fatality rate with the 0.02% case fatality rate of 2009 H1N1 virus also yields a difference of 100 times.  

If one assumes that even S. Korea's rigorous testing regime misses many asymptomatic cases, one can further adjust that using the data point from the Diamond Princess Cruise Ship, where everyone was tested.  Among the 712 persons who were tested positive, 331, or 46.5% were asymptomatic.  As of March 31, a total of 12 patients died, including 1 who died after returning to Australia.   Another 10 patients are still being treated on ventilators.  Even if one estimates 50% of infected have symptoms, and fatality rate of symptomatic cases is 2%, that yields an infection fatality rate of 1%, that still makes COVID-19 50 times more deadly than the seasonal flu.  

Why COVID-19 is so Dangerous?

COVID-19 is so dangerous because it is about 50 to 100 times more deadly than the seasonal flu, and has a Base Doubling Period of slightly less than 3 days.  If we let COVID-19 spread without control, it would result in at least 25% of the population being infected all at around the same time after it spreads for a few months, because most patients are infected near the end of the exponential growth.  Using CDC's study from early COVID-19 cases in the US [8], for every death, about 4 patients need ICU, and 11 need hospitalization.  Even using a conservative 1% infection fatality rate, that means for every 1000 people, 27.5 need hospital beds and 10 need ICU.  US has 2.9 hospital beds per 1000 people, and the number of adult intensive care beds is about 10% of that.  This means that the vast majority of patients cannot get hospital care.

Estimating the fatality rate for COVID-19 patients when they do not receive hospital care is difficult.  My estimation is that it is at least 5 times the normal fatality rate, i.e., 5 times of the normal rate, based on comparing fatality data from Hubei province and other provinces in China, and on the assumption that almost all patients who need ICU care without receiving it are likely to die, and otherwise hospitalized patients will have worse outcomes when not receiving hospitalization care.  Assuming that 50% to 70% of the population will be infected, and using a conservative 1% infection fatality rate, we are looking between 2.5% and 3.5% of the population dying from COVID-19, which is similar to the estimated mortality rate of the 1918 Spanish Flu.  

Is The Cost of Fighting COVID-19 Worse Than the Effect of COVID-19?

I was pointed to a webpage in which several experts argue that the actions of governments and society are overreacting.  I listened to the interview with the first expert, Dr. Sucharit Bhakdi, who according to the webpage, is a professor at the Johannes Gutenberg University in Mainz and head of the Institute for Medical Microbiology and Hygiene and one of the most cited research scientists in German history.  He claimed that "[The German government's anti-COVID19 measures] are grotesque, absurd and very dangerous", and "All these measures are leading to self-destruction and collective suicide based on nothing but a spook."  

Dr. Bhakdi's main arguments are as follows.  As of the time of the interview (around Mar 17-18), there were about 10,000 cases in Germany and 30 deaths.  Therefore, in the worst case, there will be 1 million infections and 3000 deaths over 100 days, for an average of 30 deaths per day.  The high death rates in China and Italy were because those places have horrific air pollution, and the population there have damaged lungs, making them more vulnerable.  

I hope that the errors in the above analysis are obvious by now.  As of Mar 30, Germany has 645 total deaths, and the daily number of deaths is 108 on Mar 29 and 104 on Mar 30, surpassing the above "worst-case estimates" of 30 deaths per day.  This is after Germany took a series of increasingly aggressive social distancing actions from March 13 to March 22, culminating with forbidding the gatherings of more than two people in public starting March 22.  Allowing COVID-19 to spread at its native speed of doubling every 3 days would likely lead to 20 million infections in Germany by late April and tens of thousands of deaths due to COVID-19 each day throughout May.  Germany's aggregative social distancing policies, however, appear to be working now, as the numbers of new cases each day have dropped from the peak on March 29 and 30.

What blinded such an acclaimed scientist and expert to make such mistakes?  First, he was looking at static data on one particular day, ignoring the exponential growth.  Second, he used naive case fatality rate, which means nothing for a fast spreading pathogen like COVID-19 when it is spreading.  In my opinion, textbooks in the field of Epidemiology and Infectious Diseases need to be revised so that the next generation of scientists in the field will not make the same mistakes.

Many experts have correctly pointed out that the social and economical costs of the current measures are astronomical, and question whether it is worth it.  Yes, diseases that are more deadly have hit humanity before (though not in the last century ), without the world mobilized to the extent we are seeing now.  Yes, most deaths from COVID-19 are from older people and people with other underlying diseases.  The question is whether our modern society can knowingly choose to let 3% or more of its population die from COVID-19 when there is an alternative.  


COVID-19 combines a mortality rate that is 50 to 100 times higher than the seasonal flu, with a Base Doubling Period of slightly less than 3 days.  At the same time, many experts in the field and the public were too late to see its danger, leading to slow and failing responses.   The cost is very high, but humanity will recover from it.  I hope that next time a similar virus hits us, we will be able to correctly assess its danger, and respond based on its transmission speed and mortality, instead of the number of cases and the misleading naive case fatality rate one sees at the moment.