The coronavirus (COVID-19) pandemic has thrown the average American’s way of life into chaos: “Flattening the curve” has led to panic buying, mandatory work from home policies, and other issues leaving both individuals and businesses vulnerable. In the cybersecurity space specifically, this pandemic has both aggravated old issues plaguing the United States, as well as surfacing some new ones.
For one, the long-standing cyber insecurity of the healthcare industry puts patient safety at risk, now more than ever. A place where Internet-of-Things devices and Windows XP legacy systems live side by side, the increased strain and attention on hospitals has left healthcare organizations vulnerable to internet scams and cyberattacks. Interpol released a warning that cyber criminals are targeting hospitals with ransomware, and a study done by RiskIQ suggested that small-to-medium sized providers are more likely to be targeted. With hospitals nationwide struggling to keep up with new cases, a disruptive cyberattack could leave hospitals unable to access patient records or key services. As organizations race to find a COVID-19 vaccine, a disruption may even cause key delays similar to the worldwide NotPetya campaign, which disrupted vaccine production at a US pharmaceutical company in 2017.
In addition, the panic caused by this crisis has created a ripe environment for rumors and disinformation. On the internet, especially when information is lacking, rumors can become viral and take root before reputable sources can spread genuine information. While the Federal Emergency Management Agency (FEMA) has created an entire portal dedicated to tracking and countering rumors, most of these having already reached a large portion of the US population, and been taken advantage of by cyber criminals seeking to monetize COVID-19 related scams. In addition, the lack of credible information or source promotion has allowed conspiracy theories to permeate celebrity twitter accounts and even reputable news sources (some of which have since taken the stories down). These conspiracy theories, ranging from bioweaponry labs and 5G connectivity, to Bill Gates and bat soup, have resulted in real world actions by panic-stricken individuals. Some of which are relatively benign, like mass-purchasing toilet paper. Others, like burning down UK 5G cell towers, are far more dangerous.
The crisis has also brought along new privacy issues. By attempting to do work while sheltering-in-place, US companies and individuals are handing over Health Insurance Portability and Accountability Act (HIPAA) and other sensitive information to organizations that do not have a good track record with privacy. The COVID-19 pandemic has caused the Department of Health and Human Services to waive certain HIPAA restrictions. This allows doctors to use technologies like Zoom or Skype to talk to patients remotely. While this enables doctors to help more patients without repercussion, conversations over video conferencing technologies are not necessarily private. Zoom-bombing, the act of an unwanted guest harassing a zoom conference call that is not password protected, has impacted multiple sensitive calls, including a US House Oversight Committee meeting in April. Uninvited guests on conference calls can result in unwanted leaks of sensitive information, be it related to US government actions, or personal health data. It is notable, however, that most US solutions to either continue work during the pandemic or combat COVID-19’s spread have emerged from the private sector. Many government-originated initiatives to do so in other countries have resulted in flagrant violations of personal privacy.
Underpinning all of this is a fundamental issue within the cybersecurity field––the availability of the internet itself. During a crisis that requires physical isolation, the internet is the primary method through which Americans go to work, continue their education, or communicate with others. This effectively keeps businesses and academic institutions afloat while providing the fundamental human need of social contact. However, 42 million Americans (approximately 12.7% of the population) do not have access to high speed internet, and the US networks are seeing a massive and sustained surge of internet traffic from shelter-in-place policies. This is exacerbated as more businesses and institutions are moving to online video conferencing platforms, which require high levels of upload speeds to function effectively. Surges in traffic and poor connectivity will likely cause internet outages and delays at the detriment of the US economy, as American workers and students will be unable to work productively or at all. To make matters worse, additional infrastructure loads may cause internet service providers (ISPs) to take advantage of the lack of US net neutrality regulation. This would allow the ISPs to prioritize traffic from certain services over others, effectively allowing them to choose what parts of the US economy can function.
Since COVID-19 began to spread within the United States in January of this year, the United States has been concentrating its efforts on mitigating the crisis at both a state and federal level. However, all efforts at containing the growing cybersecurity problems have been surface level and reactive at best. Instead of having FEMA create a rumor debunking portal for rumors that have already gotten out of hand, the government should actively engage with the public on social media and partner with social media firms already working to promote factual content on their platforms to drown out the noise. Instead of relying on private sector streaming services lowering their streaming quality or hoping that ISPs will not use the lack of net neutrality laws in their favor, reinstituting net neutrality during the crisis and issuing contracts for new internet infrastructure construction would be far more beneficial for Americans struggling to work remotely. Proactively disseminating a “best practice” list for video conferencing security among government employees and healthcare professionals, if not publicly, would help prevent Zoom bombing. Finally, updating data backup methods in hospitals within high-risk cities would ensure that data does not get lost during an attack, rather than hoping that an attack will not occur. With each crisis comes new risks—if the difference between proactive solutions and reactive stop-gaps could prevent panic, keep the economy running, ensure American privacy and save lives, proactive action is a no-brainer.
Derek Bernsen is a naval officer with expertise in cyberspace operations.
New Atlanticist May 19, 2020
Seven perspectives on securing the global IoT supply chain
By Trey Herr
Many IoT devices are manufactured abroad and many of these are extremely low cost with little consideration made for security. There is nothing inherently untrustworthy or insecure about foreign manufacturing, and individual firm and product lines are much more fruitful levels of analysis in establishing good security practices from bad. Importantly however—the United States has limited means to enforce its standards in foreign jurisdictions, like China, where the bulk of IoT products are manufactured.
New Atlanticist Apr 21, 2020
The 5×5—On viral infections online and in the real world
By Simon Handler
Cybersecurity often gets reduced to breaches and hacking, but the world has witnessed multiple pandemics in cyberspace and could learn more about response to exponential events.
Elections 2020 Apr 27, 2020
Infrastructure interdependence a threat to upcoming elections
By Nicholas Cunningham
Recent developments indicate that Russia could exploit the interdependent nature of our critical infrastructure to disrupt our elections via well-timed cyberattacks. How prepared are we to address election interference that goes beyond information operations?