How to repel cyber-attacks on the COVID-19 vaccine supply chain

microscopic image of COVID19 cellWith COVID-19 vaccines finally being rolled out to a relieved world, the focus for cybersecurity experts has evolved from attacks on pharma companies that make the stuff to the companies that distribute it. Already, IBM has observed a major nation state phishing campaign targeting various supply chain organisations.

I recently spoke to a few experts for an upcoming Infosecurity Magazine feature to better understand the threats facing these organisations, and what they can do about the situation.

It’s a sabotage

The main threats they highlighted revolved around potential sabotage of distribution pipelines and/or misinformation campaigns designed to discourage users from getting inoculated. Both could be the result of hostile nations like Russia calculating they could gain an economic and geopolitical advantage by getting back to “business as usual” and economic stability before their rivals. There are also opportunities here for more financially minded cyber-criminals.

“It is clear that cyber-criminals will stop at nothing. Whether the motivation is financial gain, disruption, or because they’re on the payroll of a nation-state; not even a pandemic is beyond cyber exploitation,” Nominet’s government cybersecurity expert, Steve Forbes, told me. “Now as the vaccine moves to the transportation phase, there have been more attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, and the manufacturers of cold chain equipment.”

Unfortunately, there are many points of weakness in supply chains which could be exploited to devastating effect, according to Lux Research senior research associated, Lewie Roberts.

“Attackers are going to look for the easiest way in to a network, which is typically some kind of human error. People are statistically bound to make mistakes sometimes, especially as you increase the number of targets,” he told me. “Stuff like confidential customer information or trade secrets are the types of items that get more focus in the IT world. But as you get closer to physical industries, you’re protecting different types of things. False data on cold chains can result in tons of spoiled products. Attacks on operational tech can pose real safety threats to workers.”

Spreading confusion

Two former UK intelligence experts had some interesting things to say about the threat of misinformation.

“The overwhelming majority of activity will be criminal attacks for money. However, we have also seen nation states spreading confusion and undermining confidence, as well as stealing vaccine IP,” former GCHQ boss, Robert Hannigan told me. “Hacktivists and hostile nation states will amplify anti-vax messages for the same reasons: to sow division and polarise societies in the West.”

Former British army electronic warfare operator, Martyn Gill, who is now global managing partner at Wembley Partners, had more.

“Political hacktivists look to spread disinformation and noise through such channels as social media, as per the state-sponsored aim of increasing the lack of confidence in what the broad message may be around the vaccine. In many cases these actors are driven by their ideological and political beliefs, however, there remains a subset of actors who seek to cause disruption primarily as a means of entertainment,” he told me.

“Since the UK announced it was rolling out a COVID-19 vaccine, we have seen an increase in related phishing domains set up looking to target this new opportunity, as the general populace looks to understand what this means for them.”

Taking action

So what happens next? For Gill, information sharing is crucial.

“Strong communication and agreed intelligence sharing around trusted eco-systems will support a broad range of businesses to help them understand new threats whilst being able to share indicators of ongoing campaigns,” he explained. “Micro, small and medium businesses who don’t have big security budgets or security teams to monitor networks, implement vulnerability management and threat intelligence programs can look open source platforms like IBM X-Force, Alien Vault OTX but also trusted individuals who deliver awesome advice through social media.”

According to Lux Research’s Roberts, the right response should focus on people as much as technology.  

“Mapping data flows and endpoints, evaluating vendors, and having plans for breaches are all important and deep topics,” he argued.

“But moving away from the technology and towards the organization side, businesses need to hire experts and give them the influence and resources necessary to do the job. Safety and security aren’t often glamorous, but winning players recognise their importance before a problem arises.”


Asia tech in 2021: this way to the next normal

singapore at night These are perilous times to be making predictions about the future. The bolt-out-of-the-blue that was COVID-19 rendered many forecasts this time last year almost immediately worthless by March. Governments and businesses in APAC, as in the rest of the world, have spent most of 2020 first in fire-fighting mode, reacting to stem the immediate public health and economic damage from the pandemic. More recently, there’s been a concerted attempt by larger organisations to adapt, and even thrive in the new conditions. This will continue into 2021.

In many ways, APAC is one of the regions best equipped to do so. Many countries such as China, Vietnam and South Korea have seen their public policies pay dividends through declining infection rates and a recovering economy. However, there are two important caveats: Asia Pacific is a huge region with much diversity, making it difficult to draw simple conclusions. There’s also the small matter of US-China relations, which are more than likely to continue in a downward trajectory, even with Joe Biden in the White House.

US-Sino tensions set to continue

There are many officials in both governments who may hope that the Biden era will signify a new thawing of relations with China. After all, as Veep under Barack Obama, Biden pursued a far more conciliatory approach to the Middle Kingdom. However, things have changed a lot since then, with strong bipartisan opposition to China hardening in Congress and among most Americans.

In fact, Biden has already pledged to restrict imports from China deemed a national security threat, and to hit back at any countries that try to undercut US manufacturing using state subsidies, according to The Economist. This would seem to suggest his first term could pick up from where 2020 left off, although with more clarity of messaging and unity of purpose than we’ve seen in the past four years. Expect the US to engage internationally to form a coalition of nations pushing back against Chinese geopolitical bullying, state subsidised tech exports and cyber-espionage.

For those businesses stuck in the middle of the escalating trade war, including many technology firms, this could make for another challenging year ahead. Those with manufacturing plants and suppliers in China may want to continue moving operations out to nearby countries such as Vietnam and Malaysia, that can offer what they’re looking for at the right price. An additional factor is the growing disquiet over China’s treatment of Uyghurs: as Apple found out this year, suppliers may be blacklisted by the US over alleged forced labour abuses.

It’s not just the impact of the trade war, Uyghur oppression and US national security concerns that are forcing the hand of business leaders here, it’s also the lessons learned by COVID-19 and the huge impact it had on supply chains. Diversity of suppliers and geographies will be key to spreading risk in 2021 and beyond.

China goes it alone

In response, China will increasingly look to drive self-sufficiency in tech via massive state subsidies, global espionage and huge R&D spending. It’s unlikely that it will produce a domestic operating system to rival Windows, Android or iOS in 2021, but don’t rule it out happening in the next few years. Other areas China will be looking to reduce its reliance on the US include chip-making, where Huawei’s HiSilicon has already broken into the global top 10, and artificial intelligence. In fact, China is so fixed on becoming the world leader in AI that it recently labelled it a matter of “national economic security”. The missive was intended to signal in no uncertain terms that ByteDance would not be able to sell its prized “recommends” algorithm to a US firm.

As China’s global tech swagger grows it’s also likely to be more brazen in efforts to punish US firms operating in the country, and to institute strict controls over private business. Xi Jinping has already signalled his intent to tighten the Communist Party’s grip over domestic enterprises, which could make it harder for firms like ByteDance and Huawei to claim autonomy from government and geopolitical matters in the face of US hostility. The last minute suspension of fintech giant Ant Group’s $37 billion IPO is a clear signal that no company can be above the Party.

Digital growth will help APAC bounce back

Away from China, the big story in APAC as a whole next year will be increased spending on digital transformation to drive post-pandemic growth. As we revealed earlier in the year, IDC estimates that APAC spending in public cloud will reach $34.5bn in 2020 — up from $26bn in 2019. Forrester reckons it will grow another 35% in 2021 as businesses double down on the computing model that helped to save operations during the darker days of the pandemic. This will be good news for US tech giants AWS and Microsoft Azure, although the analysts predicted Alibaba will take the number three spot revenue-wise globally thanks to its anticipated gains in 2021, pushing Google Cloud out.

However, Google will be making some notable gains in specific geographies like Indonesia, where it beat its US and Chinese rivals by launching a cloud datacentre last year. Expect these investments in various APAC countries to support a new wave of digital disruption as businesses look to meet customer and employee demand for seamless app-driven experiences. 

In migrating to these new environments, the region’s businesses must ensure that cybersecurity and data protection are designed into new technologies from the outset. In fact, cybersecurity was highlighted by over half of respondents to 2020 IDG Connect poll as the biggest IT challenge of the pandemic. Local organisations must tackle not only cybercrime attacks but also the increasingly aggressive behaviour of state-backed operatives in China and elsewhere. A recent report revealed yet another Beijing-backed APT has been targeting multiple southeast Asian governments over the past two years.

Ultimately, APAC will thrive in 2021. The World Bank predicts that growth will soar from -0.5% in 2020 to hit 6.9% as economic activity normalises once again. The trends for digital transformation present before the pandemic will gain extra urgency, and budget, over the year ahead, expanding corporate attack surfaces but also driving profits—especially those of Western tech firms. However, deteriorating China-US relations could result in a few surprises along the way: perhaps not the fireworks of previous years, but enough to make boardrooms continue to rethink their options in APAC.

This was my latest for IDG Connect, published here earlier this month.