
A Perfect Storm forms as COVID-19 Meets Cyberspace

On Sunday, the US Department of Health and Human Services was hit by a cyber attack intended to disrupt its response to the COVID-19 virus. The ‘disruption and disinformation’ attack has illustrated an intent to target a renewed dependency on IT systems during this pandemic. Businesses, universities, and governments around the world are rapidly deploying remote capabilities to allow work from home during self-isolation to flatten the curve. This solution, however, has hyperextended existing IT infrastructure, and while defenders struggle to adapt to this new perimeter, adversaries are sure to discover more points of impact. Time will tell if this hastily implemented productivity solution to the long-term pandemic will result in the foothold for the next cyber crisis.

Within a corporate setting, cybersecurity and IT teams monitor threats and secure networks. Malicious links are blocked, traffic is monitored, and vulnerability patches are quietly applied in the background. All of this enables individuals to work safely and securely. Once one leaves the office, however, these protections quickly wear off. These new remote capabilities have exchanged sound cybersecurity for immediate productivity.

In the wild, individuals must rely on their own personal cybersecurity practices. Even tech-savvy millennials are susceptible to phishing, as they may not be cybersecurity-savvy. Many corporate Virtual Private Networks (VPNs) and teleconference clients have high-bandwidth requirements; these barriers may force users to seek out stronger public networks. This can increase their odds of being compromised as they connect to unsecured public networks. Additionally, smaller companies might expect employees to work from their home computers, which may be riddled with unauthorized downloads, carry previous or recently identified vulnerabilities, and be used by multiple family members – expanding the number of attack vectors for adversaries.

Several million users will log in expecting to be greeted with the same connectivity they experienced previously, oblivious of ongoing network challenges. More than 300 million students are unable to attend physical classes, and many are expected to log in for teleconferenced classes. Prior to the pandemic, video already made up 70% of Internet traffic, and the increased traffic brought about by mandatory lockdowns will add more stress to the Internet’s infrastructure. For companies where remote work has always been possible through VPNs, a different problem exists: “if Amazon’s 750,000 employees all simultaneously connect,” says Matias Katz of Byos Endpoint Security, “it will likely crash.” These systems, quite simply, are not ready.

Infrastructure stress will likely be solved as IT teams adapt to the new normal. Additional servers will be purchased to prevent downtimes and delays, while requisitions for 5G infrastructure improvements will be swiftly approved to cope with the strain. Alternatively, perhaps network providers will throttle Internet connections to ensure their services don’t fail entirely – emulating Californian utility companies – potentially contradicting the ‘Keep Americans Connected Pledge’.

The looming threat, however, comes from malicious actors taking advantage of this expanded attack surface and our renewed reliance on it. The Internet was almost taken offline in 2016 after a rampant botnet, known as Mirai, enslaved thousands of unsecured IoT devices to conduct DDoS attacks. The infamous NotPetya malware, released in 2017 by Sandworm – a Russian APT group – resulted in close to $10 billion in damages as it virulently infected and permanently disabled computers. If any one of those incidents took place today, the effect would be catastrophic.

Part of the response strategy for both incidents was for defenders to coordinate and collaborate. Defenders actively shared information and worked remotely with corporate counterparts to counter Mirai. Maersk employees were physically placed in the same office, with newly purchased electronics, in order to restart the business after the NotPetya devastation. Neither situation could effectively happen during this pandemic, where key defenders are away from their stations, the Internet is overburdened, most stores are closed, and supply chains are disrupted. Indeed, the very key to Maersk’s recovery was a device located in another country – and with travel restrictions implemented as part of quarantine, a similar scenario would be far more challenging.

It need not be a devastating cyber weapon. In its 2020 Global Threat Report, cybersecurity firm CrowdStrike highlighted the continued threat that ransomware will pose, not just to governments and corporations, but to educational institutions, city governments, and other public institutions. As unsuspecting targets with poorer defenses, these institutions are most vulnerable to attacks. Attempts are already being reported, with a wave of COVID-19 related phishing emails, academic maps of the pandemic being shared with malware, and a Chinese APT group that targeted public officials in Mongolia using mentions of the virus.

This hyperextended IT infrastructure cannot be pulled back at this time, so it falls on cybersecurity defenders to provide support for the remote worker. Corporate CISOs and their teams must exercise their cyber response plans and actively adjust them to account for the new attack surface. One step would be implementing multi-factor authentication for all remote workers, while more experienced cybersecurity departments should build towards a Zero Trust model. Initiatives like the two no-cost programs from CrowdStrike will also help fill the gap.

A nation-state/net-state grouping, similar to the collection of 35 nations that worked with Microsoft to take down a criminal botnet last week, will help ensure there is active monitoring of the potential threats to the Internet’s infrastructure. Through rotations and isolated rooms, defenders can ensure they are able to access critical systems in the event a response is required.

For the vulnerable citizen, steps should be taken to coordinate volunteer activities that can implement simple cybersecurity best practices to reduce the number of available attack points. Organizations like I Am The Cavalry or the newly formed CyberPeace Institute can provide institutional legitimacy to make this happen.

The global pandemic of COVID-19 may slow economies, but conventional conflicts have not stopped and will continue. With much of the world’s attention focused firmly on the pandemic and developing technological workarounds for productivity – it is critical that it doesn’t sail into a perfect storm.

Virpratap Vikram Singh

Virpratap Vikram Singh is a Master’s Candidate at Columbia University’s School of International and Public Affairs and a 2020 RSA Security Scholar. His areas of focus include cybersecurity risk, information warfare, and technology policy. He previously worked for a foreign policy think tank in India, and holds a B.A. degree from the Symbiosis School for Liberal Arts. Find him on Twitter and LinkedIn.