By Joseph Marks
A hospitalization service for future patients with coronavirus. (Jack Guez/AFP/Getty Images)
The United States is increasingly vulnerable to a cyberattack targeting hospitals, food supplies or other vital functions during the coronavirus pandemic, lawmakers and experts say. They're calling on the Trump administration to take bold action to keep adversaries at bay.
Already during the outbreak, unidentified adversaries launched what appears to be an unsuccessful digital attack aimed at overwhelming computer networks at the Health and Human Services Department. A separate effort used text messages, encrypted apps and social media platforms to spread misleading claims that President Trump planned to impose a nationwide lockdown.
“There are actors out there in cyberspace that think we’re vulnerable,” Rep. Mike Gallagher (R-Wis.), who co-chaired the recent Cyber Solarium Commission on the future of U.S. cybersecurity, told me. “At a minimum, we need to impose costs on whoever did this. We don’t want the signal to be that now is a good time to take advantage of the U.S.”
The pandemic has heightened concerns among cyber hawks that the United States hasn’t done enough to deter digital attacks from adversaries such as Russia and China. And they worry a lack of serious consequences now could embolden adversaries to target vital services such as medical care or food supplies and cost people's lives.
The warning also comes as huge portions of the nation's workers are suddenly working from home on unfamiliar or even un-vetted equipment, raising the likelihood of digital vulnerabilities that hackers could exploit.
Attorney General William Barr has already warned there will be “severe” consequences if the HHS attack or disinformation campaign is traced to an adversary government. He has also urged the Justice Department to prioritize prosecuting any cyber criminals who seek to profit from the pandemic. But he hasn’t described any specific responses yet.
King stressed that if the HHS attack goes unpunished, even though it didn’t result in any serious disruption to government operations, those promises won't deter more devastating attacks. King pointed to an example of what he wants to avoid: A ransomware attack last week at the Brno University Hospital in the Czech Republic locked up the hospital’s computer server as doctors were dealing with a coronavirus outbreak.
And to put it in perspective: The misinformation effort last weekend – the source of which an interagency effort including the FBI and intelligence agencies is now investigating – seemed designed to get people to overrun stores to buy supplies before new restrictions took hold. A more damaging attack, for instance, could target data used by grocery stores or agricultural firms to impede the flow of food to market.
“Until people fear some response, they’re going to keep doing these things,” King said. “Not responding is inviting further attacks, which will continue to escalate.”
With Russia in particular, the United States has responded to digital aggression in the past with sanctions and indictments — including following Russian interference in the 2016 election — but never with a response so muscular that it has actually deterred further attacks.
“It’s the right message to send, but there needs to be follow-through,” Chris Painter, the State Department’s top cybersecurity diplomat during the Obama administration, told me. “We’ve had really bad attacks before, including on our democracy, and we’ve not been good at following through with consequences.”
If cyberattacks do impede the U.S. response to the pandemic, Washington could join with its allies to impose more punishing economic consequences or targeted retaliatory cyberattacks, Painter said. “You don’t want to escalate out of control, but you want to send a message that these things are off-limits,” he said. “You can take far more serious actions than we’ve done.”
Robert Knake, a former director for cybersecurity policy at the National Security Council during the Obama administration, went a step further in a blog post. He urged serious actions even against nations whose governments aren’t directly responsible for cyberattacks targeting U.S. hospitals – if they refuse to cooperate with U.S. investigations or to hand over cyber criminals responsible for attacks that originate inside their borders.
“We should be treating cyber criminals who target critical infrastructure during this crisis the way we treat terrorists, not as regular criminals,” Knake told me.
The Trump administration should explain clearly what sorts of attacks will elicit retaliation, what that might look like, and how adversaries can keep the situation from escalating out of control, lawmakers and experts said. But they were skeptical that Russia and other adversaries would rein in their actions without follow-through.
“It’s hard to say that comments alone will move the needle,” said Jon Bateman, a former Defense Intelligence Agency analyst and now a cybersecurity fellow for the Carnegie Endowment for International Peace.
It is possible, however, that a strategy to publicly shame adversaries might be more effective than usual during a pandemic because people across the world see the virus as a global challenge, Bateman said.
A State Department official declined to comment on strategies under discussion, but told me in an email that the department is committed to “promoting responsible state behavior in cyberspace” as well as “to holding states accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity.”
There’s a separate danger, however, that the Trump administration could overreact to these or future attacks amid the sense of urgency created by the pandemic – and end up embroiling the U.S. in an escalating tit-for-tat hacking conflict.
"I think it’s a bad idea in general to change risk calculus in response to a crisis,” Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official, told me.
PINGED, PATCHED, PWNED
Sundar Pichai, chief executive of Google, speaks during a House Judiciary Committee hearing. (Andrew Harrer/Bloomberg News)
The data the tool collects would be “highly valuable to potential hackers, foreign state and nonstate actors with nefarious intent, and other criminal enterprises,” the group, led by New Jersey Sens. Bob Menendez and Cory Booker, said in a letter to Google CEO Sundar Pichai.
They want to know what the White House and Google have done to vet the project for cybersecurity and privacy problems that could damage the security and privacy of millions of Americans.
“If Google and its subsidiaries fail to establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination,” the group wrote. The letter cited recent data breaches, including those at medical companies Quest Diagnostics and LabCorp.
Google and the White House did not immediately respond to requests for comment from Tony. Patients must use or create Google accounts to use the free tool. But Verily, the Alphabet subsidiary running the project, said in a blog post that data from the site will not be combined with an individual's other Google account information — an issue that sparked early privacy concerns. Right now, the tool is available only in California, and Verily has not announced a nationwide launch date.
HHS Secretary Alex Azar. (Michael Reynolds/EPA-EFE/Shutterstock)
“The security of these vital systems is critical to ensuring that our federal agencies responsible for public health can effectively support our response to the pandemic and continue to provide trusted and timely information to the American people,” Bennet wrote in his letter to the agencies.
Ryan Ball of Washington wears a mask and gloves as he shops at Target. (Carolyn Kaster/AP)
Meanwhile, researchers have found phony maps of coronavirus infections that actually carried malware, as CyberScoop reported. And researchers at Sophos Labs have found scammers impersonating the World Health Organization and the COVID-19 Solidarity Response Fund.
Rep. Katie Porter (R-Calif.) even tweeted a coronavirus-related scam texted to her that promised a free iPhone.
As a consumer protection attorney and consumer advocate I have seen corrupt organizations scam those most vulnerable. During this pandemic, it is important to be diligent and on the lookout for people trying to take advantage of these circumstances. pic.twitter.com/M7OQ1AjSkX — Katie Porter (@katieporteroc), March 16, 2020
“The closest analogy is the kind of fraud that we saw relating to Hurricane Katrina,” Scott Brady, U.S. attorney for the Western District of Pennsylvania, told Thomas. “I think we are really going to see an unprecedented wave of cyberattacks and cyber fraud. And that's what we're trying to prepare our partners and the public for.”
- The R Street Institute is hosting a virtual conversation, "Combatting Digital Disinformation During a Global Pandemic," today at noon.