Just a few weeks ago there was a warning about another pandemic. That it probably escaped the notice of most of us is hardly surprising. To begin with, the world had more than enough to contend with in the shape of Covid-19.
Also it wasn’t a new alert. In fact, experts have issued it countless times for many years now. Had most of us been aware of this other threat, the chances are we would have dismissed it anyway as something unlikely to impact on our lives directly. In that assumption we would have been dangerously wrong.
As experts at the Geneva-based World Economic Forum (WEF) pointed out earlier this month, Covid-19 is not the only risk with the ability to quickly and exponentially disrupt the way we all live. Or, as they more succinctly described it, our “new normal” isn’t Covid-19 itself, it’s Covid-like incidents.
What these experts are referring to is the inevitability of a global cyber pandemic, one that would spread faster and further than any biological virus, impacting upon, and potentially devastating, many aspects of our lives.
Sounds far-fetched and too sci-fi to be believable? Then think again. Just check the news from Australia this weekend where the prime minister, Scott Morrison, has confirmed that a state-sponsored cyber attack is currently under way, targeting Australian government, business, education and political organisations. While experts say this latest attack in Australia is not particularly sophisticated, such attacks have been so persistent there that the government felt now was the time to speak out. The same experts warned that the current hacking should serve as a wake-up call to the overall massive rise in cyber attacks and their potential to wreak havoc in the future with the outbreak of an online pandemic.
One of those experts, Dan Lohrmann, writing recently for the US magazine Government Technology, detailed through the prism of the American experience the duration over which such warnings have been given and their significance.
“For more than a decade, security leaders predicted that a 'Cyber Pearl Harbour' or 'Cyber 9/11' was coming that would dramatically change society as we know it,” said Lohrmann.
In his assessment, he cites Janet Napolitano, former US Secretary of Homeland Security, who as far back as 2013 warned that America “will, at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society”.
But as Covid-19 has revealed, such attacks were never only going to be limited to the US. Right now evidence is mounting daily that state-backed hackers are seizing on the Covid-19 pandemic to lead cyber espionage transnationally at a time when home working and anxiety about infection are making populations more vulnerable to online hacking.
“Attacks have always been socially engineered to prey on people’s fears, habits, and ultimately, their bank accounts, but the exploitation in the Covid-19 era is nothing short of sinister,” warned Christopher Gerg, an information security expert writing in Security magazine last month.
Just how sinister is borne out by the extent to which hackers have been exploiting employees whose working environment has radically changed as a result of Covid-19.
“Work from home is a goldmine for spies,” James Lewis, cyber security expert at the Washington-based Centre for Strategic and International Studies, told the Financial Times recently.
“The Chinese in particular benefit because it gives them more and easier targets to go after and they have the resources to take advantage of a surge in easier targets.”
In April, a rare joint assessment released by Britain’s National Cyber Security Centre (NCSC) – a branch of signals intelligence agency GCHQ – and the US’ Cybersecurity and Infrastructure Security Agency (CISA) – part of the Department of Homeland Security – highlighted the “growing use” of Covid-19 in state-sponsored cyber attacks.
Hackers working on behalf of nation states such as China, Russia and Iran, among many nations, known in the parlance of security experts as “Advanced Persistent Threat” groups, are making the most of the outbreak to spy on their adversaries, according to NCSC and CISA.
It would be naive to imagine, of course, that both those same UK and US intelligence communities are not themselves doing likewise. Various reports have already surfaced over the extent to which numerous Chinese organisations or institutions, for example, have been the subject of scrutiny by the US, UK and others.
Evidence presented in the recent US-UK joint assessment of cyber security breaches here in Britain gives some idea of how the coronavirus has upped the ante of such activity on all sides.
“APT groups are using the Covid-19 pandemic as part of their cyber operations,” the US version of the report reads. “Their goals and targets are consistent with longstanding priorities such as espionage and ‘hack-and-leak’ operations.”
Underlining the scale of the threat from state entities, the Reuters news agency last month reported that hackers linked to Iran targeted Gilead, the US-based pharmaceutical company that makes the anti-Covid drug Remdesivir.
According to experts who reviewed web archives for Reuters, the hacking infrastructure used in the attempt to compromise the email account of an executive at Gilead had previously been used in cyber attacks by a group of suspected Iranian hackers known by the bizarre name “Charming Kitten”. Such colourful or quaint code names are not uncommon in the cyber world and often veil the seriousness of such a group’s impact.
“Access to even just the email of staff at a cutting-edge Western pharmaceutical company could give ... the Iranian government an advantage in developing treatments and countering the disease,” said Priscilla Moriuchi, a director with US cyber security firm Recorded Future, and former analyst with the US National Security Agency.
Responding to the hacking claims, Iran’s mission to the United Nations denied any involvement in the attacks.
“The Iranian government does not engage in cyber warfare,” spokesman Alireza Miryousefi told the news agency. “Cyber activities Iran engages in are purely defensive and to protect against further attacks on Iranian infrastructure,” the spokesman added.
Just as in the Gilead case, other state-backed hackers are using similar email “lures” to entice government officials, academics and employees at public health bodies into clicking on links that give access to their organisations’ networks.
The World Health Organisation (WHO) is another recent example, reporting that it has experienced a fivefold increase in cyber attacks compared to this time last year. Some were clearly motivated by profit as much as intelligence gathering.
Many of these attacks on the global health watchdog were targeted at the general public with emails that spoofed WHO employees’ emails asking for donations. Common “phishing” scams include emails claiming to come from the director-general of the WHO, and others claiming to offer thermometers and face masks.
“The virus crisis has brought new intelligence requirements: countries now want to know what other governments are doing about the virus, they want to find out details about vaccines, to make sure they’re aware of the latest developments,” the Financial Times cited one security official as saying a few months ago.
“So as well as all the usual intelligence sources they’re now focusing on academic organisations that might be doing modelling, people working on public policy responses, scientists who are advising government,” the official added.
“Nation states are asking for new types of intelligence so hackers are pivoting to answer those questions.”
But it is attacks on the health institutions and related services at the height of the global pandemic that have both alarmed and outraged cyber security experts and others.
Many point to the fact that hospitals and public-sector organisations that deal with health and social care can be particularly vulnerable to cyberattacks.
There are historical precedents here, of course, in the shape of the devastating global cyber attack in 2017 that crippled computers in hospitals across the UK and cost the NHS around £100 million.
The so-called WannaCry hack, which shut down hundreds of thousands of computers around the world with messages from hackers demanding ransom payments, hit a third of hospital trusts and 8% of GP practices. Around 1% of all NHS care was disrupted over the course of a week.
The hack caused more than 19,000 appointments to be cancelled, costing the NHS £20 million between May 12 and May 19 of that year, and £72m in the subsequent clean-up and upgrades to its information technology systems.
The WannaCry hack caused 200,000 computers to lock out users with red-lettered error messages demanding the cryptocurrency Bitcoin. According to investigators, those responsible for the global attack were North Korean hackers known as Lazarus, an elite group. While the attack didn’t specifically target the NHS, it spread over the internet using a leaked hacking tool developed by the US spy agency the NSA.
And here lies the obvious parallel with Covid-19, a cyber attack that creates an infection, but one that would spread faster and further than any biological virus. Over these past months many of us have become familiar with what is known as the R number or reproduction value by which a disease’s ability to spread is rated.
Should the reproductive rate – or R0 – of Covid-19 be on average around two without any social distancing, then each infected person passes the virus to a couple of other people.
By contrast, as cyber security experts at the World Economic Forum have recently pointed out, estimates of R0 of cyber attacks are 27 and above. One of the fastest worms – as they are known – in history was the 2003 Slammer/Sapphire worm, which doubled in size approximately every 8.5 seconds, spreading to over 75,000 infected devices in 10 minutes and 10.8 million devices in 24 hours.
To give some sense of scale as to what this means, a virus with a reproductive rate of 20 may take only five days to infect over one billion devices.
The economic impact of such a global virus and subsequent digital shutdown would, say WEF experts, be of the same magnitude or greater than what we are currently seeing as a result of Covid-19.
“The only way to stop the exponential propagation of cyber-Covid would be to fully disconnect all vulnerable devices from one another and the internet to avoid infection,” say Professor Nicholas Davis and Algirde Pipikaite, the cybersecurity experts who compiled the WEF assessment.
To put this in some kind of context the end result would mean millions of devices would be taken offline in a matter of days.
A single day without the internet would cost the world more than $50 billion, while a 21-day global cyber lockdown could cost over $1 trillion.
“The whole world could experience cyber lockdown until a digital vaccine was developed. All business communication and data transfers would be blocked. Social contact would be reduced to people contactable by in-person visits, copper landline, snail mail or short-wave radio,” the experts added, describing a nightmarish scenario that more than mirrors Covid-19 and the impact it has had on all our lives economically in the past few months.
Just as warnings have existed for many years over a global biological pandemic so likewise they have existed regarding a cyber pandemic. The systemic cyber attacks that we are currently witnessing have shown themselves to be both easily deployed and dangerous.
The point now, say those best able to judge the scale of the threat, is to fully anticipate them and have the necessary degree of preparedness. If Covid-19 has taught the world anything it’s that even a short delay in responding can cause colossal damage.
As we tentatively begin to surface from these recent dark and devastating times, it might be hard to even contemplate more potential disaster.
But as we now know from painful experience, fully recognising the extent of any threat and having the measures in place to cope must be a priority. After all, just as with a biological pandemic so with a cyber equivalent, we now know it’s not a question of if it will happen, but when.
Our columns are a platform for writers to express their opinions. They do not necessarily represent the views of The Herald.