With COVID-19 vaccines finally being rolled out to a relieved world, the focus for cybersecurity experts has evolved from attacks on pharma companies that make the stuff to the companies that distribute it. Already, IBM has observed a major nation state phishing campaign targeting various supply chain organisations.
I recently spoke to a few experts for an upcoming Infosecurity Magazine feature to better understand the threats facing these organisations, and what they can do about the situation.
It’s a sabotage
The main threats they highlighted revolved around potential sabotage of distribution pipelines and/or misinformation campaigns designed to discourage users from getting inoculated. Both could be the result of hostile nations like Russia calculating they could gain an economic and geopolitical advantage by getting back to “business as usual” and economic stability before their rivals. There are also opportunities here for more financially minded cyber-criminals.
“It is clear that cyber-criminals will stop at nothing. Whether the motivation is financial gain, disruption, or because they’re on the payroll of a nation-state; not even a pandemic is beyond cyber exploitation,” Nominet’s government cybersecurity expert, Steve Forbes, told me. “Now as the vaccine moves to the transportation phase, there have been more attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, and the manufacturers of cold chain equipment.”
Unfortunately, there are many points of weakness in supply chains which could be exploited to devastating effect, according to Lux Research senior research associate, Lewie Roberts.
“Attackers are going to look for the easiest way in to a network, which is typically some kind of human error. People are statistically bound to make mistakes sometimes, especially as you increase the number of targets,” he told me. “Stuff like confidential customer information or trade secrets are the types of items that get more focus in the IT world. But as you get closer to physical industries, you’re protecting different types of things. False data on cold chains can result in tons of spoiled products. Attacks on operational tech can pose real safety threats to workers.”
Two former UK intelligence experts had some interesting things to say about the threat of misinformation.
“The overwhelming majority of activity will be criminal attacks for money. However, we have also seen nation states spreading confusion and undermining confidence, as well as stealing vaccine IP,” former GCHQ boss, Robert Hannigan told me. “Hacktivists and hostile nation states will amplify anti-vax messages for the same reasons: to sow division and polarise societies in the West.”
Former British army electronic warfare operator, Martyn Gill, who is now global managing partner at Wembley Partners, had more.
“Political hacktivists look to spread disinformation and noise through such channels as social media, as per the state-sponsored aim of increasing the lack of confidence in what the broad message may be around the vaccine. In many cases these actors are driven by their ideological and political beliefs, however, there remains a subset of actors who seek to cause disruption primarily as a means of entertainment,” he told me.
“Since the UK announced it was rolling out a COVID-19 vaccine, we have seen an increase in related phishing domains set up looking to target this new opportunity, as the general populace looks to understand what this means for them.”
So what happens next? For Gill, information sharing is crucial.
“Strong communication and agreed intelligence sharing around trusted eco-systems will support a broad range of businesses to help them understand new threats whilst being able to share indicators of ongoing campaigns,” he explained. “Micro, small and medium businesses who don’t have big security budgets or security teams to monitor networks, implement vulnerability management and threat intelligence programs can look to open source platforms like IBM X-Force, AlienVault OTX but also trusted individuals who deliver awesome advice through social media.”
According to Lux Research’s Roberts, the right response should focus on people as much as technology.
“Mapping data flows and endpoints, evaluating vendors, and having plans for breaches are all important and deep topics,” he argued.
“But moving away from the technology and towards the organization side, businesses need to hire experts and give them the influence and resources necessary to do the job. Safety and security aren’t often glamorous, but winning players recognise their importance before a problem arises.”
As many countries enter their second full month of Covid-19 lockdown, its impact on the threat landscape and enterprise cybersecurity is starting to become clear. I spoke to several experts a few weeks back for an Infosecurity Magazine news feature on the topic.
Some of the key challenges facing organisations are in enabling secure remote working en masse without impacting productivity.
“The fact that employees are transitioning to working from home is the key risk. All these employees are now working in new environments using technology and processes they are not used to, something bad guys will take advantage of,” SANS Institute director of security awareness, Lance Spitzner told me.
“All of this change creates an environment where it is very simple for bad guys to take advantage of and trick people working from home for the first time. They don’t have all the security technology protecting them at home that they normally would at work.”
The SANS guide to secure home working advises users to: be suspicious of any emails trying to create a sense of urgency to click through or enter info; take steps to protect home Wi-Fi (change default passwords and restrict access); create strong passwords on any websites; ensure all devices are running the latest software; and don’t let family and friends use work devices.
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, agreed that users are at the frontline when it comes to tackling Covid-19 cyber-threats.
“We recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defences at the network edge, email gateway, in the cloud, and at the endpoint, along with strong user education,” he told me.
“Users should be encouraged to approach all unsolicited emails with caution, especially ones that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials.”
Restricting users according to least privilege policies is also a must-follow best practice, as hackers go after VPN log-ins to directly access data and applications, DeGrippo added. In fact, there have been widespread reports of cyber-criminals targeting remote access infrastructure; not only via phishing emails and brute forcing but also exploiting unpatched vulnerabilities. Microsoft has warned of APT-like behaviour from many well-known ransomware groups, which are targeting hospitals.
Time to automate?
However, aside from the uptick in Covid-themed phishing, which is delivering crypto-jacking malware, ransomware, info-stealers and more, the pandemic has forced IT security teams to work in different ways. Michael Armistead, co-founder and CEO of Respond Software, argued that SOCs and security departments are faced with both minor and meta challenges.
“Making sure practitioners can perform their jobs remotely with adequate bandwidth and communication platforms, and have the ability to act on security incidents will be a challenging undertaking for many firms,” he told me.
“I believe many of those tools and platforms are in place … but you just never know how well they will work in practice if an organisation is now distributed for the first time. Still, I’d count these very real and very practical issues as minor because they can be solved in relatively short order.”
In fact, emerging research suggests that security teams are struggling. A global poll by industry body ISACA found that only around half (59%) of members feel their cybersecurity team has the right tools and resources at home to perform their job effectively. Tellingly, just 51% are highly confident that these teams are ready and able to detect and respond to rising volumes of threats. A separate study from (ISC)² revealed that nearly half (47%) of global security professionals have been taken off some or all of their typical tasks to support other IT-related jobs, like WFH. A third report, from Barracuda Networks, ominously suggested that 41% of firms have actually cut IT security budgets to save money during the crisis.
In fact, investments in specific technologies could be a smarter way of reducing costs and improving security outcomes during the crisis, according to Armistead.
“The situation screams out for automation to relieve the pressure on people to sift through mountains of data and to act quickly,” he said. “SOCs and IT security teams need to look at their processes and procedures in light of the distributed workforce. Do they make sense and how quickly can issues be resolved?”
The immediate future remains uncertain, but if remote working is to become more widespread as the pandemic recedes, IT and security leaders had better adapt to the new reality fast.
Here’s an article I wrote the other week for IDG Connect. The situation is rapidly evolving, but most of the commentary is still bang on:
As the world’s IT manufacturing centre and a huge market in its own right, anything that happens in China can have a significant impact on the tech industry. So the boardrooms of multi-national IT players everywhere will once again be on high alert as the new coronavirus brings factories to a halt in the Middle Kingdom.
As if the persistent threat posed by Donald Trump’s protectionist trade war wasn’t enough to contend with, the newly named Covid-19 is already having a chilling effect on key supply chains and components. It may further accelerate plans for manufacturers to move facilities out of China and could even impact 5G deployments, according to analysts.
Bigger and badder than SARS
First reported to the World Health Organisation (WHO) on December 31, Covid-19 has now claimed over 1,000 victims and infected nearly 43,000, mainly in China. As such, it’s now more deadly than the SARS epidemic of 2002-3, which had a major impact on the Chinese and global economy at the start of the century.
Its impact on tech is two-fold: in closing down factories in quarantined areas and preventing workers from travelling to facilities; and in subduing the usual sales bonanza in China around the Lunar New Year holidays at the end of January. In many cases, it appears as if workers have been stranded in their home towns, unable to travel back to the regions in which they usually live and work.
The annual Mobile World Congress (MWC) event in Barcelona has even been cancelled after big-name Asian firms pulled out. This is not insignificant, according to Forrester analyst, Alla Valente.
“For the thousands, if not millions of meetings, conversations and deals that would have taken place, this has long-term implications for vendors, suppliers and customers,” she tells me by email.
Huawei also postponed its annual developer conference in Shenzhen this week. Analysts tell me that tech giants including Dell, HP, Apple, Samsung, Qualcomm, Microsoft, Google, Intel, Sony, LG and even Facebook’s Oculus brand are in the firing line. But some sectors are more exposed than others.
Where is Covid-19 hitting hardest?
Displays: With five large display factories located in the Covid-19 ground zero of Wuhan, it’s perhaps not surprising that this sector is impacted. According to analyst Omdia, utilisation rates at Chinese display fabs will drop by 20-25% in February with total production/output set to fall by 40-50%. Producers are hit by both component and labour shortages thanks to quarantining efforts by the Chinese government.
LCD polarisers and LCD module printed circuit boards (PCBs) are in particularly short supply due to logistics issues, even as most facilities resume production. This could apparently affect 5G smartphone production as well as other products: China reportedly makes around half the world’s supply of TVs, laptops, and PC monitors.
Smartphones: Along with the problems in LCD displays, many of the world’s biggest producers of smartphones including Apple have major production facilities in China. Two major Foxconn facilities used by the iPhone-maker were reportedly given the green light to reopen this week, but only 10% of workers had so far been able to return. Foxconn shares slumped 11% since markets reopened following the New Year break. Analyst Trendforce reportedly cut its forecast for iPhone production in the first quarter of 2020 by around 10% to 41 million handsets.
It’s not just production of smartphones that’s at stake. Although the giant Chinese market was set to rebound in 2020, this now seems unlikely, in the short term at least. IDC expects China’s smartphone shipments to slump more than 30% year-on-year in Q1 2020, and warned of “uncertainty in product launch plans, the supply chain, and distribution channels, in the mid and long term.”
Servers: According to reports from Taiwan, server shipments grew by over 13% in Q4 2019 but are expected to be affected by Covid-19 in the first three months of 2020. Although demand from large datacentres remains strong, the virus outbreak has impacted the upstream supply chain, which will cause shipments to decline 9.8% from the previous quarter, versus a previous estimate of 1.2% growth.
What happens next?
Although some reports from China claim hopefully that the disease appears to be slowing, it took five months before the SARS outbreak was officially recognised by the WHO as contained. As such, it’s still far from certain when travel restrictions will be relaxed by Beijing so that workers can return to production plants. The longer the current situation continues, the bigger the potential impact on supply chains.
Omdia claims, for example, that while currently global semiconductor supply appears unaffected, this could change if the public health situation worsens. Meanwhile, IDC analysts warned in an emailed note: “Since a large amount of the surface mount technology (SMT) and PCB manufacturing factories for both consumer goods and datacentre products are produced in China, and even in Wuhan in some cases, much of the supply chain is at the mercy of the government closure of critical infrastructure.”
For Forrester’s Valente, Covid-19 has the potential to disrupt not just 5G rollouts but the wider global economy.
“It will delay product launches – if they’re lucky. With so many supply chains adopting the Just-In-Time approach to inventory and manufacturing, some launches may need to be cancelled outright,” she argues.
“As the pandemic impacts more supply chains, what happens when products, parts, resources run out? Will all the business depending on them experience disruption? The long-term impact is greater than the economy of China or the region. We’re living in an interconnected business economy, and Covid-19 could impact the global economy.”
The future: diversify
In the meantime, the best thing organisations can do to mitigate the risks posed by the next Covid-19 is to revise and update business impact analyses (BIAs), according to Forrester. This should include four main steps:
- Classify business processes according to criticality
- Improve supply chain resilience by diversifying with multiple suppliers and geographies
- Identify which customers should receive priority treatment
- Provide extra resources and enhance automation to take the strain off your reduced workforce
The analyst warned that climate change will make pandemics like this more common in the future. As the tech industry picks up the pieces once Covid-19 has blown over, the lasting impact may be an acceleration of a trend already begun thanks to the US trade war. Namely, moving tech production out of China.