Hack the vaccine27 July 2021
While some speculated that health services would remain off limits as a target for cyber warfare during the Covid-19 pandemic, time has proven that not to be the case as nation states and affiliated groups have sought to gain the edge in vaccine development. Robert Morgus, senior director for the US Cyberspace Solarium Commission, explains to Abi Millar how future cyberattacks could attempt to interfere with vaccine distribution and the steps being taken to prevent them.
In December, the technology company IBM revealed a disturbing finding: a series of cyberattacks had been detected against the Covid-19 vaccine cold chain. The attackers, believed to be a nation state, were working to understand how the international vaccine supply chain operated. They had targeted the companies and government agencies involved in distribution – though whether they were looking to steal the technology or sabotage the rollout wasn’t clear.
“There is no intelligence advantage in spying on a refrigerator,” James Lewis, senior vice-president and the director of the technology and public policy programme at the Center for Strategic and International Studies (CSIS), told the New York Times. “My suspicion is that they are setting up for a ransomware play. But we won’t know how these stolen credentials will be used until after the vaccine distribution begins.”
It was just one example of what has proven to be a much larger problem. As well as compromising the vaccine rollout, malicious actors could render the vaccines unusable, steal trade secrets or embark on a targeted campaign of disinformation. They could also steal data from poorly designed contact-tracing apps, or jeopardise government lists of who has and has not been vaccinated.
The presumed motives are often financial, with criminals looking to sell data for monetary gain. In other cases, the hackers might be looking to steal information to advance their own country’s vaccine rollout, or to undermine the target country’s efforts.
Pharma under fire
These risks are top of mind for the pharmaceutical and healthcare sectors, along with their cybersecurity partners. Vaccine manufacturers Pfizer and BioNTech have said some of their documents were hacked from the European Medicines Agency (EMA), while Indian pharma company Dr Reddy’s was forced to shut all its production facilities in the wake of a cyberattack. The UK’s National Cyber Security Centre (NCSC) has reported on over 200 attacks related to the Covid-19 pandemic – including an attack on vaccine research “almost certainly” from Russian intelligence services. Also attributed to Russia was the SolarWinds hack, a colossal data breach affecting US federal agencies and private companies.
While cybersecurity is always important, the current vaccine rollout brings an extra dimension of precarity. Perhaps not surprisingly, the US Food and Drug Administration (FDA) requires vaccine data to be physically delivered by FBI agents, as opposed to submitted electronically.
“Critical infrastructure of any kind becomes more vulnerable in a crisis,” says Robert Morgus, senior director for the US Cyberspace Solarium Commission (CSC). “There have been state-sponsored hacks against US healthcare infrastructure, as well as against institutions that are conducting Covid-19 vaccine and treatment research. These exploits have primarily been attempts to gather information on medical data. However, the potential expansion of such attacks could strain scarce resources.”
In March 2020, right at the start of the pandemic, the CSC released a lengthy report urging the US government and private sector to adopt a “new, strategic approach to cybersecurity”. Sombrely titled ‘A Warning for Tomorrow’, the report included more than 80 recommendations to Congress around improving “cyber deterrence”. It was later updated in light of the Covid-19 pandemic, to reflect the additional risks that had emerged. The so-called ‘Pannex’ included four new recommendations: urging Congress to pass an internet of things security law; increasing support to cybersecurity non-profits; support for establishing a Social Media Data and Threat Analysis Center; and increasing non-governmental capacity to identify and counter foreign influence campaigns. The white paper also highlighted some of the original recommendations, such as building societal resilience to disinformation.
“The Covid-19 pandemic has caused a major disruption to the economy and day-to-day life,” says Morgus. “As a result, it has illustrated the challenges with building and maintaining a resilient cyber ecosystem in a modern, connected world. While criminal tactics and targets haven’t changed, cyberthreat actors are able to take greater advantage of increasingly vulnerable businesses, governments and individuals.”
A newfound insecurity
Part of the issue is that people are working from home more, in less secure digital environments. This has led to a surge in fraud and malicious activity. The cybersecurity company McAfee has estimated that cybercrime costs surpassed $1trn in 2020, 50% higher than in 2018 and accounting for more than 1% of global GDP.
Within the healthcare sector specifically, the stats are galling. Cloud provider VMware Carbon Black said that its healthcare customers experienced 239.4 million attempted cyberattacks in 2020, or an average 816 attempted attacks per endpoint. This was an astonishing 9,851% increase on 2019.
“Necessary social distancing has created a newfound reliance on cloud services and other technologies that allow for remote work and school,” says Morgus. “This reinforces the importance of secure cloud platforms and digitisation more broadly. Businesses are more reliant on the security of cyber infrastructure, as they have far less ability to shield devices from compromise or disruption.”
He points out that criminals, like nation states, often seek out soft targets, or those that are less mature in terms of cyberposture.
“This has led to criminals targeting small and medium-sized businesses and state and local governments in the US with ransomware campaigns,” he says. “Outsourcing IT and security to managed service providers, including mainstream cloud service providers, is often the best way for these entities to mature their cybersecurity posture while keeping costs manageable.”
Cost of cybercrime in 2020.
The number of attempted cyberattacks on VMware Carbon Black’s healthcare customers in 2020.
VMware Carbon Black
The proposed investment in US cybersecurity by the Biden administration.
Anti-vaxxers going viral
In many cases, the target is not an organisation at all. Some malicious actors have sought to disrupt vaccine rollout by disseminating false information about the virus or the vaccine.
In the UK, the British Army’s 77th Brigade information warfare unit is helping officials detect anti-vaxxer messages of this kind. It is trying to determine whether foreign states are driving anti-vaccine sentiment in the country as a means of undermining trust in the government and sowing division. According to the Centre for Countering Digital Hate, around 50 million people follow anti-vaccine groups on social media, which creates a large base of susceptibility to disinformation campaigns. The campaign group has called Covid a ‘growth opportunity’ for anti-vaxxers.
“In the case of the Covid-19 pandemic, the population’s ability to separate fact from fiction has the potential to save lives,” says Morgus. “Disinformation operations can enable adversaries to create discord, which jeopardises our ability to effectively manage a crisis like Covid-19.”
He thinks public education initiatives can build resilience to disinformation, describing them as the most effective and sustainable way to defeat these campaigns over the long term.
“It’s further crucial that the US and other governments facilitate an ecosystem of nongovernmental organisations that can help identify disinformation and bring it to light,” he says.
On the flip side, many pro-vaccine individuals have been targeted by vaccine-related phishing campaigns. In these instances, scammers send texts and emails promising information on the Covid vaccine, or inviting people to receive the vaccine in return for their personal and financial information.
One such email, purporting to be from the NHS, asks the recipient to click on a link, and then asks for their bank card details. The health service has teamed up with law enforcement and security agencies to remind the public that the vaccine is only available for free on the NHS, and that anyone asking for payment is committing fraud.
A shot in the arm
Vaccine-related cybercrime, then, represents something of a moving target – and for institutions that stand to be affected, flexibility and responsiveness are key. Governments, meanwhile, are harnessing all the intelligence at their disposal.
The Biden administration has said it is looking to “counter any threat to the vaccine programme”, notably by assessing “ongoing cyberthreats and foreign interference campaigns”. President Biden has proposed a $9bn investment in cybersecurity, as well as tapping a number of former national security officials for his cybersecurity team.
Similarly, the UK’s new Integrated Review, unveiled in March, places cybersecurity front and centre, even classifying ‘cyber’ as an emerging military domain. The government is also creating a National Cyber Force, including personnel from the military, GCHQ and intelligence services.
Morgus says the CSC will primarily be focusing on implementing its existing set of recommendations. “While we were able to make significant progress on this, with 27 recommendations implemented in provisions of the FY21 National Defense Authorization Act, there is still significant work to be done,” he says. “We particularly need to focus on enhancing cyber resilience, building a more secure overarching cyber ecosystem, and helping individuals and small businesses cope with cybercrime.”
Really, anyone involved with the vaccine rollout – whether organisation, governmental body or individual – can’t be careful enough about cybersecurity. With public health in contention, there’s even more than usual at stake.