Mar 19, 2020

Analysis | The Cybersecurity 202: Coronavirus pandemic makes U.S. more vulnerable to serious cyberattack, lawmakers warn

By Joseph Marks

A hospitalization service for future patients with coronavirus. (Jack Guez/AFP/Getty Images)
The United States is increasingly vulnerable to a cyberattack targeting hospitals, food supplies or other vital functions during the coronavirus pandemic, lawmakers and experts say. They're calling on the Trump administration to take bold action to keep adversaries at bay. 
Already during the outbreak, unidentified adversaries launched what appears to be an unsuccessful digital attack aimed at overwhelming computer networks at the Health and Human Services Department. A separate effort spread misleading claims that President Trump planned to impose a nationwide lockdown over text message, encrypted apps and social media platforms.
“There are actors out there in cyberspace that think we’re vulnerable,” Rep. Mike Gallagher (R- Wis.), who co-chaired the recent Cyber Solarium Commission on the future of U.S. cybersecurity, told me. “At a minimum, we need to impose costs on whoever did this. We don’t want the signal to be that now is a good time to take advantage of the U.S.” 
The pandemic has heightened concerns among cyber hawks that the United States hasn’t done enough to deter digital attacks from adversaries such as Russia and China. And they worry a lack of serious consequences now could embolden adversaries to target vital services such as medical care or food supplies and cost people's lives.
The warning also comes as huge portions of the nation's workers are suddenly working from home on unfamiliar or even un-vetted equipment, raising the likelihood of digital vulnerabilities that hackers could exploit.
Sen. Angus King (I-Maine), the commission's other co-chair, warned that the virus “underlines our overall vulnerabilities [to cyberattacks] and the absolute unscrupulousness of our adversaries.” 
Attorney General William Barr has already warned there will be “severe” consequences if the HHS attack or disinformation campaign are traced to an adversary government. He has also urged the Justice Department to prioritize prosecuting any cyber criminals who seek to profit from the pandemic. But he hasn’t described any specific responses yet.
King stressed that if the HHS attack goes unpunished, even though it didn’t result in any serious disruption to government operations, those promises won't deter more devastating attacks. King pointed to an example of what he wants to avoid: A ransomware attack last week at the Brno University Hospital in the Czech Republic locked up the hospital’s computer server as doctors were dealing with a coronavirus outbreak.
And to put it in perspective: The misinformation effort last weekend – the source of which an interagency effort including the FBI and intelligence agencies are now investigating – seemed designed to get people to overrun stores to buy supplies before new restrictions took hold. A more damaging attack, for instance, could target data used by grocery stores or agricultural firms to impede the flow of food to market.
“Until people fear some response, they’re going to keep doing these things,” King said. “Not responding is inviting further attacks, which will continue to escalate. 
With Russia in particular, the United States has responded to digital aggression in the past with sanctions and indictments — including following Russian interference in the 2016 election — but never with a response so muscular that it has actually deterred further attacks.
“It’s the right message to send, but there needs to be follow-through,” Chris Painter, the State Department’s top cybersecurity diplomat during the Obama administration, told me. “We’ve had really bad attacks before, including on our democracy, and we’ve not been good at following through with consequences.” 
If cyberattacks do impede the U.S. response to the pandemic, Washington could join with its allies to impose more punishing economic consequences or targeted retaliatory cyberattacks, Painter said. “You don’t want to escalate out of control, but you want to send a message that these things are off-limits,” he said. “You can take far more serious actions than we’ve done.”
Robert Knake, a former director for cybersecurity policy at the National Security Council during the Obama administration, went a step further in a blog post. He urged serious actions even against nations whose governments aren’t directly responsible for cyberattacks targeting U.S. hospitals – if they refuse to cooperate with U.S. investigations or to hand over cyber criminals responsible for attacks that originate inside their borders.
“We should be treating cyber criminals who target critical infrastructure during this crisis the way we treat terrorists, not as regular criminals,” Knake told me.  
The Trump administration administration should explain clearly what sorts of attacks will elicit retaliation, what that might look like, and how adversaries can keep the situation from escalating out of control, lawmakers and experts said. But they were skeptical that Russia and other adversaries would rein in their actions without follow through.
“It’s hard to say that comments alone will move the needle,” said Jon Bateman, a former Defense Intelligence Agency analyst and now a cybersecurity fellow for the Carnegie Endowment for International Peace.
It is possible, however, that a strategy to publicly shame adversaries might be more effective than usual during a pandemic because people across the world see the virus as a global challenge, Bateman said.
A State Department official declined to comment on strategies under discussion, but told me in an email that the department is committed to “promoting responsible state behavior in cyberspace” as well as “to holding states accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity.”
There’s a separate danger, however, that the Trump administration could overreact to these or future attacks amid the sense of urgency created by the pandemic – and end up embroiling the U.S. in an escalating tit-for-tat hacking conflict.
"I think it’s a bad idea in general to change risk calculus in response to a crisis,” Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official, told me.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
Not a regular subscriber?


Sundar Pichai, chief executive of Google, speaks during a House Judiciary Committee hearing. (Andrew Harrer/Bloomberg News)
PINGED: Senate Democrats worry that Google's health division won’t do enough to protect patient data collected through its new tool to scan for coronavirus symptoms, my colleague Tony Romm reports
The data the tool collects would be highly valuable to potential hackers, foreign state and nonstate actors with nefarious intent, and other criminal enterprises,” the group, led by New Jersey Sens. Bob Menendez and Cory Booker, said in a letter to Google CEO Sundar Pichai.
They want to know what the White House and Google have done to vet the project for cybersecurity and privacy problems that could damage the security and privacy of  millions of Americans. 
“If Google and its subsidiaries fail to establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination, the group wrote. The letter cited recent data breaches, including those at medical companies Quest Diagnostics and LabCorp.
Google and the White House did not immediately respond to requests for comment from Tony. Patients must use or create Google accounts to use the free tool. But Verily, the Alphabet subsidiary running the project said in a blog post that data from the site will not be combined with an individual's other Google account information an issue that sparked early privacy concerns. Right now, the tool is available only in California, and Verily has not announced a nationwide launch date.

HHS Secretary Alex Azar. (Michael Reynolds/EPA-EFE/Shutterstock)
PATCHED: Sen. Michael Bennet (D-Colo.) is calling for a major review of cybersecurity protections at HHS, the National Institutes of Health and the Centers for Disease Control and Prevention following the attempted digital attack earlier this week, Maggie Miller at the Hill reports. The Senate Intelligence Committee member wants the Department of Homeland Security's cybersecurity arm to lead the review, making sure the agencies are secure as they grapple with the growing public health crisis posed by the coronavirus pandemic. 
The security of these vital systems is critical to ensuring that our federal agencies responsible for public health can effectively support our response to the pandemic and continue to provide trusted and timely information to the American people,” Bennet wrote in his letter to the agencies. 

Ryan Ball of Washington wears a mask and gloves as he shops at Target. (Carolyn Kaster/AP)
PWNED: Cybercriminals and scammers continue to push an array of attacks aimed at profiting from the coronavirus pandemic. Nearly 20 percent of Web domains related to the virus look like they could be phony sites aimed at infecting visitors with malicious software and about 1 percent of them are definitely malicious, according to a report out this morning from the cybersecurity company Check Point.
Meanwhile, researchers have found phony maps of coronavirus infections that actually carried malware, as CyberScoop reported. And researchers at Sophos Labs have found scammers impersonating the World Health Organization and the COVID-19 Solidarity Response Fund.
Rep. Katie Porter (R-Calif.) even tweeted a coronavirus-related scam texted to her that promised a free iPhone.
As a consumer protection attorney and consumer advocate I have seen corrupt organizations scam those most vulnerable. During this pandemic, it is important to be diligent and on the lookout for people trying to take advantage of these circumstances.
— Katie Porter (@katieporteroc) March 16, 2020
Those sorts of scams are common for opportunistic hackers who frequently piggyback on high profile events ranging from floods and tornadoes to the Super Bowl to infect unsuspecting internet users. Coronavirus scams are likely to be among the most numerous yet, though, Thomas Brewster at Forbes reports.
“The closest analogy is the kind of fraud that we saw relating to Hurricane Katrina,” Scott Brady, U.S. attorney for the Western District of Pennsylvania, told Thomas. “I think we are really going to see an unprecedented wave of cyberattacks and cyber fraud. And that's what we're trying to prepare our partners and the public for.”


— Cybersecurity news from the public sector:

Field operations for the 2020 U.S. Census were suspended on Wednesday until April 1 because of the coronavirus, fueling concerns the pandemic could threaten the accuracy of the tally used to determine political representation and federal aid.

Russia is deploying a misinformation campaign in Western countries designed to sow discord and concern around the spread of coronavirus, according to the European Union (EU). 
The Hill

Industry association pushes for the administration to issue guidance for flexibility and greater use of contractors during the coronavirus pandemic.


— Cybersecurity news from the private sector:

As people disperse to their homes to work and study because of the coronavirus pandemic, taking their laptops and company data with them, cyber security experts say hackers will follow, seeking to take advantage and infiltrate corporations.

Venture capital investment in security startups in the first two months of this year is down from years past, according to DataTribe.

BARCELONA (Thomson Reuters Foundation) - More people could fall prey to online s...

Kaspersky Lab on Monday explained that the “MonitorMinor” app bypasses so many controls meant to protect user information that it qualifies as stalkerware.

Facebook’s new portal aims to be a one-stop shop for its more than 2.5 billion users to find news and resources about the pandemic.
Elizabeth Dwoskin

The security researcher who found the card stealing malware said hackers still have access to Nutribullet's infrastructure.


— Cybersecurity news from abroad:

Hanwang says its technology has reached 95% accuracy in identifying mask wearers.
Ars Technica


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Latest Post Published

From The Desk of Fernando Guzmán Cavero: Notification

Dear Friends:  Soon I'll be back with you with my selected financial daily News. Please, stay tuned                                     ...