TechRepublic’s Karen Roby spoke with Marc Rogers, executive director for cybersecurity at Okta, about vaccine passports. The following is an edited transcript of their conversation.

Karen Roby: Marc, obviously, we’ve talked to you many times in the past regarding ransomware and pretty much every other security issue. Today, though, a hot topic really with these passports. What’s at the heart of the problem here?

SEE: The CIO’s guide to quantum computing (free PDF) (TechRepublic)

Marc Rogers: There’s two kind of pillars that we should be fixed on. The first one is we know that the pandemic is not over. We’re seeing variants pop up all over the place. And so we know that we need to control travel carefully, and ensuring that the people who are traveling are vaccinated and monitoring what tests they’ve had, et cetera, are a key part of that. That’s where vaccine passports come in. But we also know for vaccine passports to be effective, they have to be trustworthy and they have to be understandable, and so they have to be consistent.

Somebody coming from Germany and flying to, I don’t know, Israel, Israel needs to be able to look at the possible and go, “I understand what this means. I’m going to use it.” But the problem we’ve got is, everyone has come up with their own different solutions. And while many of these solutions are excellent, I mean, Israel, in particular, has an excellent solution in place. Europe has a solution that covers all of the European member countries, which is great. They’re not joined up, and this means there’s sort of concern about trust and understanding. And this has really come to light if you look at the British situation.

SEE: The best luggage for business trips as offices reopen and travel picks up (TechRepublic)

Marc Rogers: Britain has updated its rules now to say that if you are fully vaccinated and you’re coming from an ambulous country, which is a country that is considered to be of medium risk, you don’t have to quarantine. But because they’ve got no consistency in terms of what vaccine passports are accepted, the only one they’re trusting is their own, which is the NHS app. So suddenly, all of these vaccinated travelers coming from the U.S., Coming from Europe even, can’t go to the UK and bypass quarantine, as intended, because their app hasn’t been trusted, yet they’ve been given the same vaccine. They were given Pfizer in Germany, so why can’t they be let into the U.K.? It boils down to this fundamental problem. We, globally, and we, nationally, have to agree on common standards on how vaccine passports work so that they’re consistent, so that they’re secure and so they’re widely available.

Karen Roby: What a travel nightmare this is and is going to create for people as they’re trying to come and go. It’s going to get really messy.

Marc Rogers: Someone actually used, and it’s quite a strong term, but I actually kind of agree with. Someone used the term “medical apartheid,” because there are countries which cannot afford to produce these highly technical digital passports that we’re seeing in some places without help. And so, they’re either not producing vaccine passports at all or they’re producing letters or they’re producing cards, which are not then being accepted. And so suddenly, you’ve got this situation where if you’re a member of the European Union and you’re a European member state and you’ve got the digital passport, you can travel freely within all of these countries and it’s all good.

But if you’re coming from slightly outside and you’re from a poorer country that doesn’t have that kind of mechanism, you’re shut out, even though you’ve been vaccinated. And that’s a problem because when you create a scenario like this where you have people who feel that they should be able to travel because they’ve done everything necessary to be safe and are being blocked, what we see in the security world is they work their way around the problem. They either ignore the rules or they come up with workarounds to get passports. From a medical perspective, that’s a disaster, because suddenly you’re actually no longer tracking these people properly, and people are sort of traveling into your country and then disappearing. And so, if they then bring an infection, like a new variant, for example, that slipped past the vaccine, slipped past other things, you’ve got no accurate way to track them.

So, it’s in all of our best interests to make sure that we’re doing this correctly. And it doesn’t actually have to be a massive privacy problem because you’re really talking about a binary condition here. You don’t need to put massively sensitive data into a vaccine passport. Just a one or a zero: vaccinated; not vaccinated.

SEE: Digital nomad starter kit: 11 essentials for remote workers on the open road (TechRepublic)

Karen Roby: Yeah. It really does seem like it should be that simple.

Marc Rogers: Yep, it is. But it’s the problem is consistency. We’ve been saying a while, my CEO, Todd, went on record to talk about this not too long ago. What he said is, “We should absolutely let the states have their own ability to implement what they want, but what we need is guidance from the top to drive consistency.” And I think that also applies globally. We need a global set of stakeholders to say, “These are the broad mechanisms we’re going to use that when you see them, you can recognize them and understand that this passport is genuine. And therefore, the person who’s using it is genuinely vaccinated.” And then you can leave the rest of it up to the states, the countries, whoever to implement. So long as they meet those top level standards, you know that the finished product is going to meet your needs.

Karen Roby: Yeah. And a lot of implications here, Marc, if we can’t get this worked out between countries, with trade issues will be threatened and things like that because it sounds like the countries will only create more pressure between them and leading to a lot of problems.

Marc Rogers: And I think they are already starting to, because why should one country allow people to come in from another country if that country isn’t going to recognize its vaccinated people and allow them in? Now, this for business is terrible because we are a globalized society. Our businesses are global. We have workers who are distributed all over the world, and we need to be able to move around for all kinds of industries. We’re already feeling the pain across many industries from this shutdown. The travel industry itself is absolutely on its knees right now, and it needs the chance to open up. We know that we can open up relatively safely with the right controls, but those controls have to be consistent and have to work for that to work.

TechRepublic’s Karen Roby spoke with Marc Rogers, executive director for cybersecurity at Okta, about vaccine passports.
Image: Mackenzie Burke

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays