Covid in an Era of Cyber Insecurity

12/3 Update: The attacks on health care entities attempting to address the Covid pandemic continue, with the latest hacker target being the cold chain necessary to distribute vaccines.

Since 2014, the United States has faced an increasing number of well-publicized cyber attacks. Although some have been severe, none have crossed the “traditional threshold of war,” as described by Garrett M. Graff in a November 2020 Wired article. To recap a few of these: In 2014, there was China’s theft of government personnel records and North Korea’s suspected hack of Sony; in 2016, Russia attempted to manipulate the presidential election; and more recently, we’ve seen numerous ransomware attacks on institutions and municipal governments, both large (Atlanta, Baltimore) and small.

In response to such threats, New York City created a citywide cyber command (the NYCCC) in July 2017. This centralized organization works across NYC agencies and offices “to prevent, detect, respond, and recover from cyber threats.” Geoff Brown, head of the NYCCC, described its challenges in a recent online briefing moderated by Cipher Brief founder Suzanne Kelly. A consolidated approach certainly has face validity, compared to asking a hundred different entities with personnel of varying training, skill, and interest to cobble together their own separate, inevitably not interoperable security plans. As Brown said, “We can’t predict what’s coming around the curve, but if we build resilient systems overall, we can respond well.”

Over the last year, in the face of Covid, the NYCCC has used its technical environment to “defend the defenders.” When city agencies moved to remote operations, that process also was aided by the NYCCC’s work. Not surprisingly, cyber adversaries took advantage of concerns about Covid to expand their intrusion attempts, knowing people would more quickly respond to queries and data requests that appeared to be Covid-related and ignore potential red flags.

It was incredibly sobering, Brown said, to reflect on how, in the middle of a life-threatening crisis, the health network itself became so vulnerable. As a result, NYCCC has worked with both the public and the private health care sectors to increase awareness of cyber vulnerabilities and strengthen their defenses. Never forget, he warned, that without extreme vigilance, the consequences can be deadly. He cited how a ransomware attack led to the recent death of a German man.

Understandably, health care systems have a fundamental concern about patient privacy, although even that makes the system subject to attack. Clearly, such attacks are corrosive, with effects beyond their initial impact: they damage citizens’ all-important trust in governmental, public health, and social institutions.

The Perfect Weapon

In mid-October, HBO released its documentary, The Perfect Weapon, about growing cyber security risks (trailer). A recent Cipher Brief webinar, moderated by Cipher Brief founder Suzanne Kelly, featured David Sanger, national security correspondent for The New York Times, who wrote the book on which the documentary was based, and Mary Brooks, who contributed to both his book and the documentary.

Creating a documentary based on a detailed, fascinating, and chilling 340-page book is a challenge. It had to be more interesting than 000s and 111s scrolling down the screen. There was a history to lay out. Director John Maggio decided to render the technology aspects of earlier cyberattacks in broad strokes and to humanize the story by focusing on the victims. This approach not only revealed how many sectors of society are vulnerable to cyber criminals, but also how diverse are the sources of these attacks.

The first cyber attack receiving much play in the United States was North Korea’s 2014 takedown of Sony in response to a movie it didn’t like. For that segment, Maggio’s team could interview actors and executives. It was harder to get the story of the next significant attack—this one by the Iranians on the Sands Casino in Las Vegas—because the casino executives don’t want to publicize it.

Since then, attacks have continued, most recently with ransomware attacks on US hospitals already stretched thin by the coronavirus, and on local governments in Florida, for example—after crippling attacks on Baltimore and Atlanta.

Though costly and significant, these episodes have not been serious enough to trigger retribution by the US government. “They are short of war operations,” Sanger said, “and deliberately calculated to be so.” The potential for much more consequential acts definitely exists. It is known, for example, that malware has been placed in the US power grid, where it sits. Officials don’t want to talk about it, or remove it, ironically, because they don’t want the bad actors to understand our detection capabilities.

Of course, the United States isn’t inactive in this arena. In 2010, our government and Israel used the malicious computer worm Stuxnet to disable Iran’s nuclear program, an action US officials won’t admit to even now, Sanger said. Unfortunately, the destructive Stuxnet code escaped into the wild and is now available to many black-hat hackers. Stuxnet “didn’t start the fire,” he said, “but it was an accelerant.”

Who is behind an attack can be murky. For various reasons, organized crime has increasingly muscled its way into the cyber-threat business. Governments hire hackers or external organizations to create havoc, because it gives them deniability. “Not us,” they say.

The US Cyber Command’s goal is to “defend and advance national interests.” However, the job of preventing attacks is difficult. It’s a challenge that requires considerable imagination, given an environment where the risks are escalating rapidly, the technology is improving constantly, and the targets have no boundaries. You may have read about recent threats to COVID vaccine research.

What exactly are the “national interests,” when American businesses have suppliers, clients, and customers all over the world? Companies don’t want to be perceived as working against those relationships. Google, for example, declined to participate in a military program to make drone attacks more accurate. Similarly, though Microsoft and the Cyber Command were both attempting to disable TrickBot in the last few weeks, their efforts were independent and uncoordinated.

Thomas Donahue, Senior Analyst at the Center for Cyber Intelligence, has said, “We cannot afford to protect everything to the maximum degree, so we’d better figure out what cannot fail.”

The documentary—and the book—lay out what’s at stake for all of us.

Past posts on this topic:
* Our Biggest Threats Keep Growing
* Cyberthreats: Coming to a Company Near You

The Woman Is a Spy

Three women who’ve made outstanding careers for themselves in the intelligence community were featured in a Cipher Brief webinar last Friday, moderated by the organization’s founder, Suzanne Kelly, former CNN Intelligence Correspondent. As a writer interested in that world, I was eager to hear the women’s perspectives.

The women were:

Over the course of these women’s careers, the attitude toward women working in intelligence has evolved, just as it has throughout American society. When they started out in the early 80s or so, the intelligence community was an old boys’ club, and most women were relegated to support staff and administrative positions. The diversity of job opportunities for women is much greater now—after all, CIA Director Gina Haspel is a woman—but vestiges of old attitudes remain.

Thus, the era in which a story is set makes a great deal of difference as to how female characters would be treated. Perhaps engineering backgrounds gave two of these women added insight or practice in breaching institutional gender barriers.

The panelists had all worked in a variety of settings—for both government and the private sector. They change jobs and vacuum up new knowledge and skills. So, if your character needs a particular expertise, it certainly would be realistic to create a previous position where she could have gained it, inside government or not. Or, even in her own security services company.

Savvy women in the intelligence community work hard to develop a network of women in their and other intelligence agencies for all the familiar advice-seeking, moral-support reasons we know. From the perspective of these women, a more diverse workforce—in terms of gender, cultural background, type of education, analytic style, and where people have lived—produces better intelligence outcomes, as intelligence community employers have come to appreciate.

Suggested reading:
American Spy by Lauren Wilkinson
Bloodmoney by David Ignatius
Madame Fourcade’s Secret War by Lynne Olson