ArchiveOODA Original

COVID-19 and Why Cybersecurity Can’t Wait

Malicious cyber activity has dramatically increased over the last few weeks as bad actors rush to exploit the COVID-19 crisis. Criminal groups have wasted no time, publishing fake websites and apps riddled with ransomware to steal personal information from individuals seeking updates on the pandemic.

U.S. decision-makers, rightfully prioritizing the global health emergency, may get the urge to treat this spike in cyberattacks as run-of-the-mill activity surrounding a crisis. Inconvenient, but an unavoidable side-effect of operating in a 21st century ecosystem. However, now is not the time for cyber amnesia.

Experts are predicting permanent shifts in our political and economic structures—actions typically reserved for the aftermath of major international conflict. But, discussions about our future institutions need to also address how governments handle clashes in cyberspace.

Attacks on our personal data and critical infrastructure, in a time of worldwide crisis, should be a line in the sand for policymakers. Yet, hackers continue to unabashedly target government health agencies, hospitals, and distributors of medical equipment as the coronavirus spreads.

A recent report from the Cyberspace Solarium Commission claims that “cyber actors feel undeterred, if not emboldened” to target our essential systems. The report goes on to assert that although deterrence is possible in cyberspace, America has historically shown an inability or unwillingness to identify and punish cyber adversaries.

Take for example, the U.S.’s public reaction to NotPetya, a devastating cyberattack that caused more than $10 billion in damage. Eight months after the incident, the White House released a short statement attributing the activity to Russia and announced there would be international consequences. Unfortunately, it is not clear whether the U.S. kept that promise. Thomas Rid, professor at Johns Hopkins’ School of Advanced International Studies noted, “The lack of a proper response has been almost an invitation to escalate more.”

Effective signaling requires clarity and consistency from the U.S. and our partners. A lackluster response to cyberattacks on critical infrastructure, as we collectively navigate COVID-19, would result in a missed opportunity to advance meaningful dialogue around acceptable behavior in cyberspace. Inaction at this time would further weaken the legitimacy of cyber norms.

This is especially important as predictions are surfacing around a second wave of cyberattacks. Nation state actors may seek to capitalize on the expanded attack surface with millions of individuals now working from home. Some actors have been systematically compromising information technology systems for years, embracing the perception that cyber operations are non-escalatory in nature.

China remains a primary concern, consistently employing major espionage campaigns against global targets. For instance, in 2018, the Department of Justice indicted two Chinese hackers associated with the Ministry of State Security who “engaged in global computer intrusions for more than a decade…including thefts from managed service providers and more than 45 technology companies.”

Administrative credentials and certificates were stolen from major institutions, such as Hewlett Packard Enterprise and IBM, making it likely that unauthorized access still exists—even to this day. With the surge to an online workforce, we should expect China to strike while the iron is hot. Though IT teams are going to be stretched thin during this time, we cannot allow our reliance on remote capabilities to be a foothold for the next cyber crisis.

Iranian hackers have also remained active, as state-sponsored groups conducted what seems to be Iran’s most continuous and comprehensive espionage campaign to date. A 2020 report by ClearSky Cyber Security unveiled Iran’s multi-year year effort to compromise Virtual Private Networks and set up backdoors in IT, defense, electricity, oil and gas and aviation companies in 14 countries.

While ClearSky did not detect distribution of destructive payloads onto the compromised networks (yet), Iran has previously demonstrated a willingness to activate wiper malware against American businesses. Escalating tensions between the U.S. and Iran, exacerbated by Washington’s refusal to ease its maximum pressure campaign in the midst of COVID-19, may cause Iran to retaliate against perceived harm.

In this unprecedented time, U.S. officials need to take a leading role to promote stability in cyberspace. This can be accomplished by strengthening our non-military tools, such as law enforcement actions, diplomacy, and information sharing, to encourage a rules-based order.

To that end, the Justice Department should consider sending a stronger message to those who target the healthcare sector with cyberattacks, akin to their guidance on imposing terrorism-related charges on individuals who knowingly spread the coronavirus. (Notably: Cybercrime gangs who vowed not to attack critical facilities wound up deploying ransomware against a coronavirus vaccine center.) The State Department should advance the concept of responsible state behavior in cyberspace during a global crisis, utilizing the ongoing United Nations information and communications technologies experts working group. The Department of Homeland Security should amplify actionable information, allowing critical infrastructure partners to detect and mitigate cyber and physical threats.

Moving the conversation forward on cyber norms, in times of stability or otherwise, has always been an uphill battle. However, the global and indiscriminate spread of the coronavirus presents a unique opportunity. The affront from a common enemy should compel leaders to band together, not only to condemn cyberattacks on critical infrastructure, but commit resources to go after individuals within their borders who violate this principle.

Although it is impossible to predict the long-term effects of the coronavirus on our institutions, it is clear that governments are under pressure to reshape how they respond to crisis. With the global consciousness focused on the pandemic, we cannot forget about the many enduring national security challenges that continue to threaten our way of life. Cyberattacks are becoming more destructive. If we continue to let them go unpunished, especially when the attacks aim to disrupt lifesaving resources, more aggressive campaigns will follow. If change is to happen, the time to act is now.


For more OODA resources on COVID-19, check out the OODA Member Resources page.

Cindy Martinez

Cindy Martinez

Cindy Martinez has spent her career focusing on cutting edge and complex issues at the forefront of national security. She served 5 years at the Department of Homeland Security where she advised senior leadership on cybersecurity and emerging technology trends. She also negotiated policies and recommended solutions in order to create new Federal initiatives and evaluate the U.S. Government’s effectiveness in areas such as artificial intelligence, offensive cyber operations, vulnerability disclosure, and the national security space domain. She is an analyst with OODA LLC , which publishes and