For almost everyone alive, the coronavirus is an unprecedented global challenge. Healthcare systems in every country are either stretched to their limit or preparing for that scenario.
In response, governments, development banks and companies are all asking how every aspect of their work can be used to help mitigate the crisis. You see this in the questions they ask their programme managers. And you see it in the emails we’ve all received from every company we’ve ever dealt with – and some we’re sure we haven’t – telling us how they are stepping up to the challenge.
So can the international cybersecurity community help?
The answer, of course, is yes. It must. Healthcare systems around the world are experiencing a spike in cybersecurity risk, just as we need them to be at their most resilient.
This post looks at the reasons why and starts to consider what a policing, foreign policy and capacity building response might look like.
The increased cybersecurity risk to healthcare
The cybersecurity risk to healthcare systems around the world is rising rapidly because all three components of the risk equation are changing for the worse.
(Cyber) Risk = Threat x Vulnerability x Impact
Cybersecurity Threats are spiking for several reasons. Hospitals have long been prime ransomware targets. However, since the emergence of coronavirus, criminals have even greater incentives to target them, because they think hospitals are more likely to quickly pay a ransom demand to avoid making a bad crisis worse. Some groups have promised not to target hospitals, but it’s hard to place confidence in the public relations arm of an international criminal organisation.
For more sophisticated actors, targets like the WHO, government health ministries and research companies have valuable information on new drugs and testing kits in the pipeline. Health sectors are also gathering and connecting valuable personal data about health, taxes, insurance details and mobile phone geolocation. The more personal data is in one place the more attractive a target it becomes, especially when it is being moved and processed in a hurry.
From the Threat perspective, we are also seeing the increasing relevance of disinformation opportunities. A global pandemic creates the perfect conditions to turn people against their neighbours and sow the seeds of distrust in governments and political systems.
Turning to Vulnerability, hospital and health care IT staff will be reduced in number due to illness or caregiving and distracted by the need to shift to remote working. That remote working in turn creates a greater attack surface to strike against. Even better, for the attacker, many of the staff using either their old or new remote working systems will likely be struggling to implement new security protocols, looking for corners they can cut to save time, and very distracted. What better time to send an email pretending to carry some vital piece of information about Zoom or the virus?
Last, but of course not least, we come to Impact. Any disruption could be deadly when there is zero slack in the system. Any staff or wards taken out of action for a day could cost lives. Something on the scale of the WannaCry attack on the NHS would have consequences that are hard to think about, although we must.
Their risk is our risk
We are facing the potential collision of two similar challenges. Global viruses compounding global viruses. Interconnected health systems threatened by interconnected IT systems. Although before being too bleak, we also need to acknowledge that those interconnected IT systems are currently enabling the solutions too: everything from the search for tests and treatments to the complex logistical feats needed to cope with this crisis.
In international cyber capacity building we often talk about why a risk to another country’s systems is a risk to our own. In this case, that narrative applies to our respective healthcare systems. If a cybersecurity attack were to disrupt the healthcare system of any country it would prolong the global spread of the virus and delay the point at which our own countries can return to normal. Furthermore, when that other country’s health system is disrupted by the attack, the number of patients will rise and they will need more vital resources – testing kits, PPE, ventilators – to cope. That in turn will increase the cost, and reduce the available supply, for the rest of us. We are all in it together, for better or for worse.
What options do we have?
If their health system risk is our risk, and their risk is going up, then there are really only three main options:
- Accept the risk.
- Reduce our interconnectedness.
- Encourage and help other countries to reduce their risk.
Accepting the risk is always an attractive option. Until the risk is realised and then it very quickly becomes unattractive.
Countries are already pulling hard on the levers that reduce international connections. Travel is discouraged. Domestic production has been retooled to produce face masks and ventilators, so there will be less reliance on imports of these scarce resources. And yet, as things stand today, the scenario I described above, in which a deepening of the crisis in one country would delay recovery for everyone, holds true.
And that brings us to the third option: encouraging and helping other countries to reduce the risk their healthcare systems face as a result of cybersecurity threats. The ways we can do this aren’t just cybersecurity capacity building, but yes that’s coming. Let’s first look at some of the other tools we can deploy.
Reducing the Threat: Foreign Policy and Policing
To work out how to reduce the risk we need only go back to our risk equation. We would need to reduce the Threat, the Vulnerability or the Impact.
If we are to start with the tools we have that aren’t capacity building then the most obvious thing to do is to bring down the Threat.
Many (but not all) attackers are motivated by money or political gain. They are demotivated by disruption to their ‘business’ or political harm. Right now we need those attackers to be as demotivated as they can be. The tools we have in our arsenal to do that include policing and foreign policy.
Many police forces are tied up dealing with public order, but there are still cyber crime units that can make life for international criminals especially uncomfortable right now.
To deter politically motivated actors we need a foreign policy toolbox. Fortunately, the international community has been gradually building one over the past decade. We have established that international law applies online as it does offline. Furthermore, we have agreed at the UN a norm of responsible government behaviour that you don’t target hospitals. Just as the police can make life uncomfortable for criminals, so our politicians and policy makers can make life uncomfortable for those who disrupt the healthcare response for political gain.
“A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operations of critical infrastructure to provide services to the public.”
UN Group of Government Experts report (2015)
Reducing Vulnerability and Impact: Cyber Capacity Building
Reducing vulnerability and impact is where international cyber capacity building comes in.
It is never too late to start improving a healthcare system’s cyber readiness and reducing its vulnerabilities. The sort of activities that are needed include identifying critical systems, assessing the current protective measures and processes, exercising what you would do if the national hospital IT system was attacked, patching, patching, patching etc.
Admittedly now is a terrible time to choose to start doing these things, because they all require staff availability and right now healthcare systems around the world are desperately short of that. But, if an attack could be just around the corner, then there will never be a better time to start. Now is the time.
Of course it’s easy to say “now is the time” from the comfort of my self-isolation in London. I’m not in a health ministry in Mexico or a hospital in Hanoi having worked 48 hours without rest. However, I think I can conceive of the scale of the challenge and I know that things on this scale have been done before.
It’s been done before
In the midst of the 2014 Ebola crisis in Liberia, USAID and the Department of Defence built out an internet network across Liberia and Sierra Leone in 3 months. A secure, reliable internet network was considered mission critical and they made it happen.
By its own assessment, the Ebola Connectivity Response Initiative (ECRI) had significant shortcomings and there have been criticisms of how personal citizen data was managed and used (which are relevant again today). However, that does not alter the fact that in the face of a viral health threat, the international community mobilised a rapid deployment of ICT assistance, supporting overworked local staff in crisis conditions. And that was in response to an African epidemic, not a pandemic, that resulted in 2 deaths in the US.
The need then was for international ICT assistance to build out an internet network. The need now is for international ICT assistance to secure the world’s most critical health care system networks, where we can see they have obvious vulnerabilities and weak recovery mechanisms.
For some this will be a health challenge. For some a development challenge. For some a national security challenge. For some it will be a policing challenge. For some it will be a human rights challenge. Let’s not let those distinctions get in the way. Instead it can be an opportunity to draw on the resources and experience of all of these communities.
Tough but doable
I am under no illusions as to how big the challenge is. Nor how comparatively small the budgets are that we are used to working with.
Furthermore, the pool of experts we can deploy is constrained. And it will be hard to use the most commonly played card in our deck – flying out international experts to provide advice and training – when airports are closed.
Nonetheless, I think we could scale up and find new solutions if there is the will to do so. The question is: what priority will this be given, especially when the immediate domestic challenges are so pressing?
Even if we don’t commit to pre-emptive capacity building, I suggest we still think about how we would collectively respond to a major incident affecting a critical country’s healthcare system. At that point the priority would be incident response, but even in the midst of that there will still be the need for capacity building.