How to repel cyber-attacks on the COVID-19 vaccine supply chain

With COVID-19 vaccines finally being rolled out to a relieved world, the focus for cybersecurity experts has evolved from attacks on pharma companies that make the stuff to the companies that distribute it. Already, IBM has observed a major nation state phishing campaign targeting various supply chain organisations.

I recently spoke to a few experts for an upcoming Infosecurity Magazine feature to better understand the threats facing these organisations, and what they can do about the situation.

It’s a sabotage

The main threats they highlighted revolved around potential sabotage of distribution pipelines and/or misinformation campaigns designed to discourage users from getting inoculated. Both could be the result of hostile nations like Russia calculating they could gain an economic and geopolitical advantage by getting back to “business as usual” and economic stability before their rivals. There are also opportunities here for more financially minded cyber-criminals.

“It is clear that cyber-criminals will stop at nothing. Whether the motivation is financial gain, disruption, or because they’re on the payroll of a nation-state; not even a pandemic is beyond cyber exploitation,” Nominet’s government cybersecurity expert, Steve Forbes, told me. “Now as the vaccine moves to the transportation phase, there have been more attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, and the manufacturers of cold chain equipment.”

Unfortunately, there are many points of weakness in supply chains which could be exploited to devastating effect, according to Lux Research senior research associate, Lewie Roberts.

“Attackers are going to look for the easiest way into a network, which is typically some kind of human error. People are statistically bound to make mistakes sometimes, especially as you increase the number of targets,” he told me. “Stuff like confidential customer information or trade secrets are the types of items that get more focus in the IT world. But as you get closer to physical industries, you’re protecting different types of things. False data on cold chains can result in tons of spoiled products. Attacks on operational tech can pose real safety threats to workers.”

Spreading confusion

Two former UK intelligence experts had some interesting things to say about the threat of misinformation.

“The overwhelming majority of activity will be criminal attacks for money. However, we have also seen nation states spreading confusion and undermining confidence, as well as stealing vaccine IP,” former GCHQ boss, Robert Hannigan told me. “Hacktivists and hostile nation states will amplify anti-vax messages for the same reasons: to sow division and polarise societies in the West.”

Former British army electronic warfare operator, Martyn Gill, who is now global managing partner at Wembley Partners, had more.

“Political hacktivists look to spread disinformation and noise through such channels as social media, as per the state-sponsored aim of increasing the lack of confidence in what the broad message may be around the vaccine. In many cases these actors are driven by their ideological and political beliefs, however, there remains a subset of actors who seek to cause disruption primarily as a means of entertainment,” he told me.

“Since the UK announced it was rolling out a COVID-19 vaccine, we have seen an increase in related phishing domains set up looking to target this new opportunity, as the general populace looks to understand what this means for them.”

Taking action

So what happens next? For Gill, information sharing is crucial.

“Strong communication and agreed intelligence sharing around trusted eco-systems will support a broad range of businesses to help them understand new threats whilst being able to share indicators of ongoing campaigns,” he explained. “Micro, small and medium businesses who don’t have big security budgets or security teams to monitor networks, implement vulnerability management and threat intelligence programs can look to open source platforms like IBM X-Force, Alien Vault OTX but also trusted individuals who deliver awesome advice through social media.”

According to Lux Research’s Roberts, the right response should focus on people as much as technology.

“Mapping data flows and endpoints, evaluating vendors, and having plans for breaches are all important and deep topics,” he argued.

“But moving away from the technology and towards the organization side, businesses need to hire experts and give them the influence and resources necessary to do the job. Safety and security aren’t often glamorous, but winning players recognise their importance before a problem arises.”


The truth about PRISM (no, honestly)

Just a short post this week because it has quite frankly been a quiet week apart from one massive story that has dominated the headlines worldwide, except quite notably mainland China: PRISM and the IT whistle-blower Edward Snowden.

By far and away the most balanced, most informative and least hyperventilatingly hyperbolic piece was over at El Reg, where Duncan Campbell picked through the actual facts about PRISM so far to conclude that, actually, most of it is legal and definitely not tyrannical.

My key observations from his piece are as follows:

  • Prism is nothing compared to the powers the UK government was asking for in its draft Communications Bill – now shelved for the time being. It is also pretty similar to what goes on in police offices and other agencies all over the country where officers act on RIPA requests to collect comms data.
  • The NSA has numerous other similar schemes including direct Deep Packet Inspection, which have been going on in the background and arguably are more intrusive on personal freedoms.
  • The scheme costs around $20m a year and as such is definitely small fry in terms of the extent and type of surveillance involved. NSA’s overall budget is an estimated $10 BILLION.
  • The number of requests disclosed by Microsoft, Google et al via PRISM is even far lower than the government requests they’ve disclosed not associated with the scheme.
  • Where Microsoft is concerned, at least, most requests (2%) were for non-content data – ie just account details but not the content of messages. I imagine the same is true of other web service providers.
  • These providers may have said they didn’t know about PRISM because it is just an internal codename used by NSA.

What people should REALLY be worried about here is not PRISM per se but the other Guardian scoop – that Verizon was issued with a secret warrant “requiring wholesale delivery of all call data records from their entire system”. That and the doubtless other similar requests which other comms providers have been issued with are more insidious and certainly warrantless compared with PRISM.

It’ll be interesting to see whether the future “scoops” which The Guardian promises will focus on these. I for one would be interested to see whether UK operators have been subject to similar orders from GCHQ.