Our mission to improve business is fueled by readers like you. To enjoy unlimited access to our journalism, subscribe today.
American armed marshals This week, many of Pfizer’s early coronavirus vaccine shipments saved thieves and saboteurs, but experts warn less visible threats to the vaccine lurk in cyberspace.
“There is no doubt that vaccine production, and everything vaccine-related, will become a vector for cyberattacks,” says Jonathan Reiber, who served as the Defense Department’s cyberstrategy chief under President Obama and is now Chief strategist of cybersecurity firm AttackIQ.
These attacks, according to Reiber and other experts, could take at least three forms: attacks on the integrity of the vaccine supply chain; theft of vaccine-related trade secrets; and online disinformation campaigns aimed at eroding confidence in the vaccine.
Here’s what these attacks might look like – or are already happening.
Break the cold chain
Pfizer’s coronavirus vaccine has a unique vulnerability: it should be stored at extremely cold temperature of –70 degrees Celsius. Other candidate vaccines have less stringent requirements but still need to be refrigerated.
The good news is that a cyberattack that interferes with cold storage of vaccines is unlikely, according to Vinny Troia, a former Defense Department contractor and founder of cybersecurity firm NightLion. The main challenge of such an attack would be to use compromised digital systems to manipulate physical equipment.
“By the time it would take to develop and deploy something like this, by the time that happens, we’ll probably be done with the vaccine,” says Troia. He compares it to the effort behind Stuxnet, a virus said to have been developed by the United States and Israel to physically interfere with targets, including Iranian nuclear facilities. Information on Stuxnet is still secret, but development reportedly took at least four years, from 2005 to 2009.
But hackers wouldn’t have to shut down freezers to meddle in the vaccine cold chain. They would only have to falsify the data.
Bill Brooks, a logistics expert at consulting firm Capgemini, is concerned that hackers may attempt to alter shipping records to show the vaccine was exposed to inappropriate temperatures. This could render the vaccine unusable – whether it is indeed compromised or not.
Malicious actors “want to sow doubt,” says Brooks. “[They] want to create chaos in the market, so that people don’t know what they are getting. “
There are several levels of protection against such an attack. Most modern cold chain monitoring systems have some redundancy, such as data transmission from monitoring devices to a central database or paper backups. All healthcare logistics must also comply with an FDA standard that guarantees the traceability of every attempt to access or modify tracking data. Because of these checks, Reiber describes such a data-centric attack as “plausible” but difficult.
“We constantly see people trying to get it wrong with our system, and we spot it very quickly,” says Mark Sawicki, CEO of sanitary logistics company Cryoport Systems, which provides cold storage and distribution services for 26 applicants. different COVID vaccines still in trial stages. “Honestly, that doesn’t really concern me.”
In response to inquiries about cybersecurity risks, Pfizer said it was closely monitoring and responding to threats. “For our COVID-19 vaccine, we have developed detailed logistics plans and tools to support the transportation, storage and continuous temperature monitoring of the vaccines.”
Controlant, which provides the surveillance technology for the distribution of Pfizer’s vaccine, also expressed confidence. “Our established safety program meets industry standards and pharmaceutical industry best practices.”
But Troia says procedural controls such as FDA requirements are not guaranteed protection against determined and well-funded hackers. It highlights recent revelations of a foreign cyberattack that compromised widely used computer software SolarWinds, giving attackers deep access to systems, including the US Treasury. More … than 80% of Fortune 500 companies are SolarWinds customers, although it is currently unclear how many, if any, were compromised in the attack.
An attack on tracking data can be very damaging, even if it is only successful on a very small scale.
“Is it enough to do it once?” asks Reiber, the former head of cyber policy at the Defense Ministry. “Is it enough to help you achieve your strategic goal of sowing mistrust?” It could be. “
Steal the plans
“We saw state actors trying to steal the intellectual property of vaccines early on in the pandemic,” says Reiber, using a shortcut to intellectual property. This included suspected attempts by state-sponsored hackers from China, Russia, Iran, and North Korea to steal research or production techniques for coronavirus vaccines.
Another common tactic, according to Troia, the other former Defense Department official, is to simply scan software developer accounts on sites like GitHub, where many engineers store or share software code – and sometimes, carelessly, passwords.
Once hackers gain access to a GitHub or similar account, Troia explains, they search for both sensitive data and credentials to gain access to other systems, such as Amazon Web Services cloud storage. “It’s like the holy grail right now. When they connect to the Amazon bucket, it’s all there on a silver platter.
Even if a digital IP theft were successful, it would not be inherently harmful to vaccine delivery. In fact, the ultimate goal of such a hack would be to produce more vaccines at a time when many countries are facing a difficult battle and in some cases even calling for emergency catering intellectual property protections for COVID vaccines.
Troia believes the most likely tactic for a hostile agent hoping to disrupt the distribution of the vaccine in the United States would not be targeting the vaccine itself, but public perception.
“It’s more likely that if you’re trying to cause disruption, you’ll choose to misinformation. It’s easier to inject a narrative into a society, especially if there’s a predisposition to be suspicious of something, ”he says.
This predisposition is widespread in America. Currently, about 27% of Americans are reluctant to get vaccinated, according to a survey by the Kaiser Family Foundation, with more than half of those citing distrust of government as a factor.
In 2016, the cyberwar arm of the Russian intelligence agency GRU exploited American mistrust to spread political disinformation. Russian state actors are now reportedly engaged in a similar effort to further undermine confidence in Pfizer and other effective vaccines. They would have found receptive audiences among anti-vaccination groups on social media sites.
Disinformation efforts can be particularly damaging to African Americans, who have been disproportionately injured by the pandemic. Yet 35% of them are reluctant to take a coronavirus vaccine, according to the Kaiser inquiry, far above Americans as a whole. This high mistrust is in part the legacy of abuse of blacks by American medical institutions.
“If I put on my most infamous adversary hat, I’m going to look at American society and say, which populations are suffering the most from COVID-19?” Reiber said. “And I will try to make this situation worse.”
Attacks on public confidence in vaccines, whether through data sabotage or online disinformation, have implications beyond those who may refuse to take the vaccine. Dr Anthony Fauci said 75% to 80% of Americans will need to be vaccinated to end the coronavirus pandemic.
If digital criminals slow the progress towards that threshold, it would be one of the most devastating cyberattacks of all time.
Correction 12.18: This piece previously referred to Vinny Troia as a former Defense Ministry staff member, rather than a former contractor. We regret the error.
More health and Big Pharma coverage of Fortune:
- The deployment of the COVID-19 vaccine is dangerously flawed. Science and data could fix it
- How? ‘Or’ What hackers could undermine successful vaccine deployment
- “There is simply no confidence”: the fight to win vaccine skepticism in the black community
- You can now get custom updates on Zocdoc’s COVID vaccine
- Here is how much Europe will pay for each COVID-19 vaccine