by Veronica Maiello
While the global physical threat represented by the COVID-19 pandemic seems to be widely acknowledged, another, non-physical threat is rising on the horizon of our vulnerabilities, and it proceeds from the new routines we have been forced to adopt to respond to and contain the current epidemiological crisis. This threat is indeed likely to unfold in cyberspace. While policymakers are understandably focused on the sanitary emergency that is posing serious problems both in terms of human health and socio-economic sustainability, cybersecurity cannot be overlooked.
As many states around the world, like China, Japan, Italy, France and Spain, proceed with extreme measures to the extent of locking down citizens in their houses, shutting down shops and firms, calling for social distancing as well as interrupting regular movements, we observe more and more businesses and industries adopting digital tools that allow many tasks to be carried out remotely. This shift entails connecting a massive number of new, personal devices to networks and systems while, most importantly, sharing a huge quantity of sensitive and private data. Hence, companies will eventually have to worry about the proper functioning of these networks with few or no personnel trained in IT.
This accelerated digitalization will not give all involved (private and public) actors enough time to adapt their cyberinfrastructure to the newer and stronger risk models required for the high-intensity data sharing that the COVID-19 emergency imposes on them. Assessing and understanding the risk related to the new working solutions is one thing; providing the right level of cybersecurity is another. Against this worrisome context, it is worth recalling that, even in non-emergency times, from a strictly technical point of view, no system is secure from all vulnerabilities. In other words, being better equipped and more prepared to face a sophisticated attack does not entail complete safety. Suffice it to remember that, less than a month ago, the digital industry had to recover from a very rough period, in which many enterprises operating different VPN products (like Pulse Secure, Fortinet, Palo Alto, and Citrix) were hit by cyberattacks. Furthermore, just a few days ago, Bloomberg reported that the US Health and Human Services Department was the victim of a cyberattack which was probably the consequence of a “significant increase in activity on HHS cyber infrastructure”. Even though the latter has remained completely operational and did not report any substantial damage, it has certainly proved to be vulnerable. Unfortunately, the more devices are connected to a network, the more they become vulnerable, despite the increased protection that administrators would usually implement in case of an intensification of workload. Such considerations are amplified by the sanitary emergency: every hospital consists of a vast ecosystem, often comprising networks of devices, equipment and systems which are connected to external servers, so monitoring them and preventing attacks are not easy tasks, as both ENISA and CISA underline.
In the current circumstances, considering the outbreak of the coronavirus and all its implications in terms of accelerated digitalization, there are three main sources of multi-level threats (which of course existed before as well, but are clearly accentuated during this period): (1) unlimited and unmonitored remote access; (2) phishing; and (3) ‘infodemic’ (as mentioned by the WHO).
Many users use RDP (Remote Desktop Protocol) to connect to a remote workstation and perform specific tasks from home. Malicious actors have always used RDP vulnerabilities in ransomware campaigns; in 2019 RDP was even considered the preferred method to carry out a cyberattack, especially as it is inexpensive and only requires a low-skilled hacker: RDP exploits are sold for just $20 on the dark web.
The coronavirus emergency opens up vast new prairies for phishing, given the widespread anxiety and the continuous need for updated news it has generated over the past few weeks. For example, the majority of phishing campaigns are luring people with links or infected material with the promise of updates on the virus or breaking news.
Last, but not least, the “infodemic” is a dangerous issue to cope with during these insecure times. Fake news is proliferating fast and, according to the American Global Engagement Center, some Russian actors connected with the central government, for instance through state proxy websites, have been using swarms of false online personas to spread misinformation about the new coronavirus.
A sort of infodemic effect happened on April 1st, when Italy's National Institute for Social Security (INPS) started receiving applications for COVID-19-related subsidies. In ambiguous communications, the management seemed to suggest that only the first applications were going to receive money given the limited budget. Quite unsurprisingly, this started a run on the servers, which slowed down to a crawl and then behaved erratically. When trying to log into their online accounts, thousands of users found themselves on the personal profile of a few random citizens and had access to their sensitive data such as social security numbers, addresses, payrolls, tax documents etc. Unfortunately, it was not an April Fools' Day trick. The institute's managers were quick to blame a “hacker attack” to explain away the disaster. But the reality is probably more prosaic: the INPS website infrastructure had not been prepared to sustain the likely increase in traffic. The wrong message about first-come, first-served just made things worse.
In conclusion, it can be said that the COVID-19 pandemic is posing a major risk to cybersecurity for all countries and for the world’s population. Hackers or malicious actors will particularly target businesses, companies and service providers which are consistently using new digital tools and are increasing their dependence on them. They will try to exploit their RDP vulnerabilities through weak passwords and open connections and create multiple phishing emails or links in order to easily gain credentials or steal money.
Hence, it is paramount at the national level to maintain a high level of cyber hygiene and provide people with the right data regarding the emergency by promoting the role of the WHO and national broadcasting companies as the main sources of information.
About the author
Veronica Maiello is a second-year Master's student in European and International Studies at the University of Trento. She is particularly interested in the international governance of the cyber domain and cybersecurity.