Vaccine supply chains and other potential vulnerabilities created by the Covid-19 pandemic are top targets for cybercriminals aiming to steal data or plant ransomware.
The vaccine supply chain is among the top data breach risks of 2021, said Meredith McDowell, head of corporate functions and strategic risk at TD Ameritrade. Thieves aren’t only targeting vaccine makers, but those companies that provide “everything that goes into creating the vaccine”, she said during a panel discussion at the RIMS Canada 2021 Virtual Conference.
Makers of vaccine components from raw goods to needles are at risk, McDowell claimed. And the thieves aren’t just run-of-the-mill hackers looking to make fast money.
Countries that are able to recover quickest from the pandemic by vaccinating their populations and other methods to reduce Covid-19 “will win globally and economically” McDowell said. “Nation-state threat actors” want the information that will help them do that, and are probing along the supply chain for assets as varied as medical studies on vaccines to details on how to disrupt other countries’ shipments of supplies, she added.
“It’s a different kind of warfare,” McDowell said.
There are other vulnerabilities on McDowell’s list of top data breach risks, some of which are also pandemic-related. She said these were created by:
- The mass transition to remote work
- Covid-19 contact tracing apps
- The introduction of 5G internet technology
- A rush to adopt digital and telehealth medical services.
The sudden introduction of remote work around the world meant that “we all of a sudden increased our attack surface area”, said McDowell. “It provided hackers with a wealth of network targets through many, many more connected household devices.”
“Attackers are getting smarter and more dangerous,” at a time when households are busy managing work and home life at the same location, she added. In some cases, children are connecting with classrooms through potentially vulnerable computer systems that were “cobbled together” at the last minute by schools, McDowell remarked.
Contact-tracing apps were “developed to do good” but many were developed quickly and their ability to share data creates an opportunity for hackers looking for personal and location information, she said.
Meanwhile, the development of 5G internet technology will create faster networks that are connected in myriad ways, while creating new opportunities for cybercriminals, McDowell pointed out. “There are going to be so many breakthroughs in terms of what we’ll be able to do with faster networks… but it’s also going to introduce a huge amount of risk because we’re going to have billions more devices connected to the network.”
From cellphones to vehicles, “everything is going to be connected to this network”, she said. The ramifications of such a vast exposure have to be thought through, along with plans for “really locking down security on all of the end devices,” McDowell urged. “Things you’re not even going to think about being connected could be the vector that a threat actor could gain access through,” she said.
Ondrej Krehel, CEO of LIFARS, a cyber incident response and forensics firm, agreed that while 5G technology brings efficiencies to communications and connectivity, it also opens a broad front for bad actors, which he said is already happening in military settings. “We’ve seen the Chinese government pinpointing the location of various Afghan sources and military personnel and providing it to the Taliban… 5G provides geolocation of those individuals and tells you how many of them are in a group in one location,” said Krehel.
Vulnerabilities have also been created by medical professionals struggling to adapt to a new way of providing care remotely, according to McDowell. As the pandemic took hold, many rushed to adopt digital and telehealth services. “Probably, some vendors that didn’t have best practices were hired because there was a lot of work to be done” in the transition to remote medicine, said McDowell.
“There are a lot of holes in these systems” that could lead to the theft of medical records or denial-of-service attacks… This is a really big risk,” she added.
When a breach occurs, businesses shouldn’t have to scramble to respond, according to Layna Rush, shareholder in the law firm Baker, Donelson, Bearman, Caldwell & Berkowitz PC. They should be well advised to prepare for an incident ahead of time and have competent legal counsel ready to help, she said.
“It’s very important to get your counsel onboard early,” advised Rush. While in-house counsel understand the organisation’s business and operations, they generally are not as familiar with cyber regulations, privacy and security issues, Rush said. “You really need attorneys that know the landscape, who work routinely with incidents and know the law that applies to you.”