Cyber resilience in a pandemic
Hannan Hussain

Editor's note: Hannan Hussain is a security analyst at the London School of Economics - South Asia Centre, and an author. The article reflects the author's opinions, not necessarily the views of CGTN.

On Tuesday, Reuters revealed that the World Health Organization (WHO) was the subject of multiple cyber attacks this month, with some agency officials putting the increase in agency targeting at "over two-fold." The latest attempted break-in – flagged by the New York-based Blackstone Law Group in early March – was aimed at maliciously replicating WHO's internal mailing system.

Though the activity proved short of successful, WHO's extensive involvement in COVID-19 inter-governmental coordination gives cyber attackers an opportunity to target the data streams driving global engagement. Moreover, as nations scramble to break-ground on disease prevention and test conduction research, it is important than ever for countries to erect a united front against digital espionage, and safeguard highly sensitive information from criminal precision.

The first step is to constitute a real-time update of the most pertinent, transformative cybersecurity attacks currently tied to critical health infrastructure: suspicious internet domain registration, malware samples, email scams, etc. A case in point is UK's National Crime Agency (NCA). Its extreme public precaution and round-the-clock monitoring of COVID-19 themed cyber operations, have led to the generation of numerous intelligence assessments, each open to external intel. 

Similarly, low-level cyber penetrations into the U.S. Health and Human Services Department, as well as attacks on key European hospitals that are at the forefront of COVID-19 surgical treatments – indicate a universal need for cyber resilience.

Therefore, constituting a real-time update of pertinent attacks is the need of the hour, accessible to governments' intelligence arms and health organizations including the WHO. It brings with it the pace, detail and collective response capabilities best suited to countering digital espionage.

A crucial attribute of the attack directed towards the WHO, is its focus on acquiring "staff authentication." Flavio Aggio, the agency's Chief Information Security Officer, confirmed that the attack was an attempt to "steal passwords from multiple agency staffers" – a possibility partly overturned by WHO's complex authentication standards.

A laptop displays a message after being infected by a ransomware as part of a worldwide cyberattack on June 27, 2017, in Geldrop, Netherlands. /AFP Photo

A laptop displays a message after being infected by a ransomware as part of a worldwide cyberattack on June 27, 2017, in Geldrop, Netherlands. /AFP Photo

Intelligence-grade multi-factor authentication may not be available to health facilities operating at the city and county-levels across countries, and it is the interest of intergovernmental alliances (such as the EU and the G20), to contemplate availability of those authentication algorithms.

As Brenda Sharton, a leading expert on cybersecurity and data breaches, points out in the Harvard Business Review, "enabling multi-factor authentication on whatever accounts you control will thwart all but the most sophisticated actors." From a health practitioner's point of view, limited effectiveness against "sophisticated actors" is a reasonable trade-off, given that protection against basic actors requires immediate attention.

There is always the question of nations that are not part of any prominent EU or G20 body, and yet remain actively involved with the WHO's COVID-19 efforts. How do they ramp up cyber resilience on an equal footing?

The answer is to agree upon a framework for Mutually Tolerated Vulnerabilities (MTVs).

Nations must at least document the norms of appropriate cyber behavior, including a set threshold for potential attacks likely on critical health infrastructure. Developed nations, that follow existing criteria for cyber vulnerability assessments, can introduce these to their more modest counterparts. Hence, measurable distinctions between active and dormant cyber attacks can further prospect of a stronger, more cohesive real-time response to cyber attacks during the pandemic.

Interestingly, cyber attacks have gotten more sophisticated with the pandemic, especially for the common public. Consider the fact that "social engineering methods," such as the disguising of malware in widely circulated COVID-19 graphics, have become gateways to obtaining personal passwords, network and data access. 

Experts approximate that the use of social engineering in malware is about 98 percent, with more than half of recent data breaches traced to internal sources. All the more reason to step-up cyber resilience within and across some 180 COVID-19 affected countries.

It is also important to note that key intergovernmental blocs – from the G20 to the European Union – are unequivocally preoccupied with the handling of the COVID-19 pandemic itself. EU's internal estimates show that each of the 27 countries needs "10 times" more COVID-19 equipment than what conventional supply chains can offer. 

Similarly, the G20 has its eyes set on an emergency virtual summit, aimed at devising a joint COVID-19 action plan. For them to attach the same degree of priority to cyber resilience is understandably ambitious, and not the prescription here.

Rather, the goal is to enable these bodies to give formal recognition to the discussed measures: intelligence-grade multi-factor authentication, and mutually tolerated vulnerabilities. As for implementation, there are numerous pre-existing templates which can be modified to suit a cyber resilience front during the pandemic. One such template is the 2020 European Union Digital Services Act.

Despite being e-commerce specific, a reformed version of the act – proposed by the Center for Data Innovation this year – entails all major parameters: clarifying definitions of illegal information and activity, harmonizing the scope of covered online services, increasing online platform transparency, harmonizing rules at the EU level to create regulatory consistency, and pursuing non-regulatory solutions.

Not only is the entire list applicable to a united COVID-19 cyber resilience front, it is thoroughly consistent with the World Health Organization's own cyber alert published last month.

The need to act is now.

(If you want to contribute and have specific expertise, please contact us at opinions@cgtn.com.)