COVID-19, Cybersecurity, and Epidemiology

NINGHUI LI

PURDUE UNIVERSITY

Damages due to Covid-19

• Direct human cost (https://www.worldometers.info/coronavirus/)
• Over 500,000 recorded deaths
• True number is likely significantly higher
• See, e.g., (https://ourworldindata.org/excess-mortality-covid)
• Over 10 million confirmed cases worldwide
• True infection number likely between 80 and 200 million (1% to 2.5% of population)
• Based on estimation of 0.5% to 1% infection fatality rate
• Health damages after recovery
• Indirect human cost from disruption of economic and social activities
• Financial hardship, delayed medical procedures, global famine, …

Financial Cost of Coronavirus

• $347 Billion March 6 by Asian Development Bank
• $1 trillion March 17 by World Economic Forum
• $4.1 trillion April 3 by Asian Development Bank
• $8.8 Trillion May 15 by Asian Development Bank

​

​

​

​

What made SARS-CoV-2 so damaging?

Fatality Rate of COVID-19

Fatality Data from Germany (RKI)

• Tests 5.4 million Confirmed: 194,689 Test Positive Rate 3.6%
• Deaths 9,026 Recovered: 177,500 Death/(Death + Recovered) 4.84%
• Active 8,163 (Data as of 6/27/2020)

​

Case Fatality Rate Data from Korea CDC (6/28/20)

• Tests 1.2 million
• Confirmed 12,653
• Positive Rate ~ 1%
• Deaths 282
• Recovered 11,317
• Active 1,054
• Death/(Death + Recovered) 2.4%

Data from Australia

• Tests 2.3 million
• Confirmed 7,641
• Positive Rate ~ 0.32%
• Deaths 104
• Recovered 6,979
• Active 556
• Death/(Death + Recovered) 1.5%

Observations

• CFR decreases as the test positive rate decreases
• Suggesting that infection fatality rates is around 1%
• The 1% rate is broadly consistent with data from various anti-body studies
• Every increase in 10 years of age increases IFR by about 3 times.
• Fatality rate in a population is greatly influenced by its age structure
• For age groups under 80, male fatality rates about twice as female.
• My formula for Covid-19 Infection Fatality Rate (age 20 to 80)
• 60-year old male 1% 3-fold change for every 10 years change in age
• Half for female, further adjustment based on relative health within group

Reichert et al. The age distribution of mortality due to influenza: pandemic and peri-pandemic. BMC Medicine

https://bmcmedicine.biomedcentral.com/articles/10.1186/1741-7015-10-162

Comparing Infection Fatality Rate with All-cause Mortality Rate

• COVID-19 Infection Fatality Rate (IFR) is similar to one-year all-cause mortality rate for all age groups
• However, with 1% IFR, between 10% and 20% need hospital care, and around 5% needs ICU
• When hospital care cannot be provided, fatality rate could be several times higher

Year-to-Year Mortality Numbers in 113 towns in Bergamo, Italy

What about the Flu?

• Flu fatality has similar age distribution.
• In the age range of 50+, one-year flu mortality rates is about 1% to 2% of total one-year mortality rate

A semi-log plot of excess all-cause mortality variation with age for epidemic seasons during the era of circulation of influenza A(H2N2) viruses in Canada.

​

From Reichert et al. The age distribution of mortality due to influenza: pandemic and peri-pandemic. BMC Medicine

https://bmcmedicine.biomedcentral.com/articles/10.1186/1741-7015-10-162

​

Where is Flu’s 0.1% Fatality Rate From?

• Flu’s mortality rate is around 0.012%.
• The often quoted 0.1% case fatality rate is based on assuming that around 12% of population get flu in one year.

From US CDC: Disease Burden of Influenza

Speed of Transmission

Early US Case Data

By Micheletb - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=88350269

In March, US case numbers grows by more than 1000 times from less than 100 to more than 100, 000.

Exponential Growth: Executive Summary and Prediction from My March 9 Open Letter

• Once community spread takes hold in a country or region (which happened in US by late February the latest), the number of cases starts exponential growth, doubling every 3 days or less, until aggressive social distancing practiced are enforced to curb or at least slow its spread.  
• Prediction: Without new decisive containment efforts, the number of confirmed cases in US will increase at least 10 folds in 10 days, to 4000 or more (and possibly as high as 10,000) by Mar 17. 

Familiarity of Exponential Growth from Internet Worms

From https://www.caida.org/research/security/code-red/coderedv2_analysis.xml

Cyber-Security Experiences

• In security one does not just look at what has happened and is happening, but constantly need to think about what will happen under different adversarial capabilities.
• When security is done right, what one sees is that nothing happens, because the bad things are prevented.
• When the situation is not dire, many people just instinctively feel that the worst-case scenario won't happen, even if there is no evidence to support that.  Security leaves little room for wishful thinking regarding threats.  

How should the Society Fight COVID-19 or Similar Virus?

Deal with Covid-19: Strategy One: Crash the Curve

• Crash the curve, then return to normal
• Take action early, test thoroughly, lockdown and/or quarantine plus drastically reduce contact between individuals.
• Pre-requisite
• Central authority of enforcing measures and border control
• Generally co-operating population and/or enforcing mechanism for quarantine and social distancing measures
• Downside
• Even if successful to contain covid-19 within, cases can come from outside
• Lockdown cannot sustain long period of time

Deal with Covid-19: Strategy Two: Fast Herd Immunity

• Drastically reduce contact between vulnerable group and less vulnerable group
• Get less vulnerable group infected with COVID-19 (and gain immunity) as quickly as possible, so long as within hospital capacity
• Downside:
• Physically separating vulnerable group from less vulnerable group appear impossible
• Unethical to artificially speed up infection.
• Takes an impossibly long time without speeding up

​

​

Deal with Covid-19: Strategy Three: Waiting for Vaccine

• Shutdown when new cases is high
• Reopen when new cases is lower
• Identify the value and amount of contact for different activities. Choose activities under limited contact budget.
• Need to reduce people eating/drinking/close-range sporting together (facemask cannot help here)

Contact Tracing

Case investigation and Contact Tracing (CDC guidelines)

• In  case investigation, public health staff work with a patient to help them recall everyone with whom they have had close contact during the timeframe while they may have been infectious.
• Public health staff then begin contact tracing by warning these exposed individuals (contacts) of their potential exposure as rapidly and sensitively as possible.
• To protect patient privacy, contacts are only informed that they may have been exposed to a patient with the infection. They are not told the identity of the patient who may have exposed them.

https://www.cdc.gov/coronavirus/2019-ncov/php/principles-contact-tracing.html

How Can Technologies Help? The South Korea experience.

• Coronavirus 119 app
• Patients can input symptoms and get connected to a doctor by phone if needed
• Self-quarantining apps
• Positive cases and their close contacts are encouraged to download. Apps monitor symptom status and set off an alarm on the phone when they ventured out from a designated quarantine area
• For case investigation, in addition to interviews, also GPS phone tracking, payment records, and video surveillance
• Widespread usage of mobile payment and video cameras in public places

https://www.businessinsider.com/how-south-korea-controlled-its-coronavirus-outbreak-2020-4

​

Design Space for Contact Tracing Apps

• Location-based
• Design A: data stays on phone, memory aid for manual tracing
• Design B: uploading to server for matching to detect contact
• Adjacency-based
• Assumption: when a mobile phone broadcasts information, nearby phones can receive and estimate distance to the phone.
• Could use Bluetooth and/or ultrasonic
• Most designs have one phone broadcasts a pseudo-random token, which can be stored by other apps, and can change periodically.
• Each phone broadcasts token, and store tokens of sustained contact

​

Understanding the Privacy Threat

• Whose information: users of the app, confirmed patients.
• What information: unidentified movement traces, covid-19 status.
• Against what adversary: central server, users of the app, contact of cases, local surveillance?

​

Some Decentralized and Centralized Designs

• Each user has self tokens and collected tokens.
• Decentralized design
• Confirmed cases upload self tokens to the server.
• Every user downloads from server and compare with collected tokens.
• Every user sees tokens of confirmed cases. Privacy of non-patients is better.
• Centralized design 1
• Every user upload self tokens to the server.
• Confirmed cases upload collected tokens to the server.
• Server matches and informs users in contact.

Limitation of Contact Tracing Apps

• Without mandatory deployment, the role of contact tracing app appears limited.
• Given adoption rate of x, the probability that a specific contact is recorded is x*x.
• Users who are conscientious regarding covid-19 can benefit little from contact tracing apps.
• Users who can benefit the most from contact tracing apps are probably less likely to download the app
• Propagation of asymptomatic cases is not covered.

Symptom Surveillance by Local Differential Privacy

Symptom Surveillance Apps?

• Testing remains bottleneck in US, and testing results are probably several days after development of symptoms
• Symptom surveillance may be able to discover local hotspots and outbreaks earlier
• Health authority can distribute information from symptoms surveillance to the public
• Even a low adoption rate can provide useful information
• Can provide direct value proposition of providing partial diagnosis of symptoms
• Even adding noises to the report can provide useful information

Frequency Oracle Protocols under Local Differential Privacy

32

Random Response (Warner’65)

33

6/29/2020

Provide deniability:

Seeing answer, not certain about the secret.

What can we do to help deal with the next virus?

Quickly and Accurately Assess and Communicate the Danger of a New Virus

• Danger of a virus depends on
• speed of transmission, and
• fatality / medical burden.
• The most dangerous virus are the ones like SARS-CoV2, which has a high (but not extremely high) fatality rate.
• Had SARS-CoV2 been 10 times more deadly, it would have already been eradicated.
• Had SARS-CoV2 been 10 times less deadly, treating it as a particularly nasty flu is probably okay.

Estimate and Correctedly Communicate Critical Information?

• Speed of transmission
• Should not focus on Base Reproduction Number (R0)
• R0: the expected number of cases directly generated by one case in a population where all individuals are susceptible to infection.
• R0 does not have time element
• E.g., HIV/AIDS has higher R0 than SARS-CoV-2, but spread much slower
• R0 requires more understanding of disease to estimate
• Propose to use Base Doubling Period and/or Base Tenfold Period
• Fatality rate
• Estimation
• Communication

​

Summary on What Security Community Can Help.

• Transfer knowledge on internet worms and adversarial analysis mentality to other fields and the public.
• Understand how to design effective contact tracing technology.
• Develop technology that helps identify new virus and assess its transmission speed and true fatality rate.