hacker during coronavirus pandemic
In recent years, cybercrimes and hacks have increased dramatically. Every few weeks, we hear of another data breach, phishing scam or social media hack impacting millions of people. It is estimated that a cybercrime is committed every 39 seconds somewhere in the world to the tune of an estimated $6 trillion by 2021. And those assessments were done before tens of millions of people were abruptly compelled to work from home with no time for proper cybersecurity planning.
But the cybercrime risks faced by Americans working from home are just the tip of a very dangerous cyberattack iceberg. Strong evidence indicates that Russia, China and potentially other adversaries have been attempting to hack universities and research institution’s databases to steal potentially lifesaving Covid-19-related intellectual property. Pharmaceutical companies too have seen a barrage of hacking attempts. And just days ago, the European Union’s top court ruled that U.S. privacy protections are inadequate for sharing personal and other sensitive information – potentially threatening our ability to work with E.U. countries on vaccines and treatments.
With millions of lives and trillions of dollars at stake, the U.S. is in a dangerous place when it comes to vulnerabilities associated with the pandemic – one of which is cybersecurity. To understand just what we’re facing, I asked Bryan Cunningham, long-time cybersecurity and privacy lawyer and Founding Executive Director of the University of California, Irvine Cybersecurity Policy & Research Institute, exactly what’s going on, what the focus should be, and what precautions Americans should be taking.
Nicole F. Roberts: While the world is focused on the health and economic threats posed by Covid-19, cybercriminals around the world are capitalizing on this crisis. Most people don't know all the ways cybersecurity can be threatened, nor what the implications are. So how can (or are) cybercriminals using the pandemic to their advantage?
Bryan Cunningham: Much like politicians, bad cyber actors never let a crisis go to waste. Within days of Johns Hopkins posting their widely-cited Covid-19 statistics map, cyber attackers had posted a near replica that – if clicked on – would launch a cyber attack against your device. In addition to the plethora of phony tests and cures being peddled on the internet (a tale as old as time), professional nation-state hackers, particularly in Russia and China, are launching massive attacks against Covid-19 researchers in the West, trying to steal IP that can accelerate treatments, vaccines and the like.
Roberts: That sounds like espionage. Is that what we’re really talking about? We hear so much about Russia and China hacking U.S. data. But how does that play out in the science and medical communities?
Cunningham: The U.S. Director of National Intelligence a few years ago testified before Congress that Chinese IP theft against the United States amounted to the greatest transfer of wealth in human history. Even in normal times, the People’s Republic of China, the Russian Federation, and other nation states concentrate massive intelligence resources on stealing western intellectual property, whether related to medical, defense, or other advanced technologies. Recent reports have – predictably – validated significant efforts, particularly by Russian intelligence, to steal any and all research being conducted in the west targeted towards vaccines or treatments for Covid-19. Hopefully the U.S. and allied governments are taking measures to combat these significant threats, but academics, public-health scientists, and other researchers also must be vigilant by: not clicking on links they are not certain are from trusted colleagues; using multifactor authentication, Virtual Private Networks (VPN), and strong passwords; and using common sense before sharing information with anyone.
Roberts: Let's talk more about international issues. What's going on in Europe with this Schrems II decision? My understanding is that is says American data and privacy protections don't meet European standards. So, essentially, without significant intelligence, surveillance, and privacy reform in the United States, we could lose access to the health and science data coming out of Europe that might help us fight coronavirus?
Cunningham: The Court of Justice of the European Union (CJEU) this week struck down the “Privacy Shield” agreement between the U.S. and Europe that had enabled U.S. companies to transfer personal data of E.U. citizens to the United States, holding that U.S. privacy protections are inadequate under applicable European law. As with its prior decision striking down the U.S. “Safe Harbor” agreement, the Court found that American intelligence and surveillance laws do not provide adequate privacy protections to non-U.S. Persons and that they discriminate against non-Americans. The Privacy Shield agreement made possible transatlantic data transfers by more than 5,000 U.S. and E.U. companies, enabling approximately 1/3rd of all global trade flows.
Unlike the U.S., the European Union has comprehensive privacy protections for its citizens, enshrined in the E.U. Charter of Fundamental Rights and the recently enacted General Data Protection Regulation (GDPR). These protections include limitations on government surveillance and meaningful mechanisms for redress for individuals improperly surveilled. In 2015, the CJEU invalidated the prior “Safe Harbor” agreement with the U.S. which enabled US companies to transfer protected data of E.U. citizens to the U.S. despite the fact that the E.U. does not consider U.S. privacy protections adequate. The Court was particularly troubled by the lack of a legal mechanism for E.U. citizens to determine if they have been surveilled by U.S. authorities and gain meaningful redress for any unlawful invasions of their privacy.
Roberts: So, what does that mean for health care and Covid-19?
Cunningham: Without meaningful intelligence and privacy law reforms in the U.S., this decision, and others sure to follow, could significantly threaten not only the trans-Atlantic economy, but also our ability to work with E.U. countries on vaccines and treatments. Such reforms will be difficult, if possible at all, and take quite a long time. In the meantime, our ability to exchange vital Covid-19 information with Europe will depend upon the enforcement priorities of EU data protection officials.
Roberts: That’s not encouraging. OK, so right now, what can people be doing to protect themselves? It’s estimated that at least 42% of the American labor force is working from home full-time. Especially for small and medium-sized companies in the U.S., what are the primary issues with employees working from home - and what can employers and employees be doing to protect themselves?
Cunningham: With cybersecurity, as with all things, a chain is only as strong as its weakest link. Bad cyber actors will scour the internet for newly-minted workers from home who get frustrated with, for example, the VPN they are supposed to be using and who, as a result, cut corners – weakening their own and their employer’s security. This is equally true for our largest companies as well as for small and medium-sized enterprises. Even with limited budgets, small and medium-sized companies can do a few simple things to significantly shore up their security and that of their employees: First, and most importantly, require multi-factor authentication not only on business accounts and applications but on employees’ personal devices and accounts that connect to the company’s infrastructure. Second, do not allow access to the company’s infrastructure except through a VPN. Finally, training, training, training. No other measure will protect against risky cyber behavior by employees. Train and test your employees never to click untrusted links or transfer funds without a telephone authorization from someone they know, and not to go to dangerous or suspect websites (like porn or gaming sites) on any device connected to the company’s infrastructure.
