We must treat this supply chain like a piece of our nation’s critical infrastructure, just like the electrical grid or air traffic control system.
I’ve sat in front of computer screens for over 15 years in the intelligence community and private sector, facing off against foreign adversaries that I’ll never get to look in the eye. But one thing I know to be true of an adversary is that no opportunity is missed — nor is any crisis off-limits.
During the past decade, cyber warfare has taken on many forms, from attempting to influence politics to disrupting critical infrastructure and targeting national defenses — and now, there is plenty of evidence that the historic race toward a cure for the novel coronavirus is being targeted by state-sponsored adversaries.
The COVID-19 vaccine supply chain is already under siege, and the more components of the supply chain that are activated, the more organizations that don’t normally think about cybersecurity issues at this scale will find themselves at the epicenter of adversaries’ interest. It’s critical that we treat this supply chain as a piece of our nation’s critical infrastructure, just like the electrical grid or air traffic control system.
You may be thinking, ‘Why would a nation-state attempt to disrupt this supply chain? Every country needs a vaccine.’
Well, state-sponsored attacks serve geopolitical objectives — objectives that have evolved from collecting information about weapons, troops, and spies to the aggressive pursuit of economic interests and tech supremacy. These objectives are often carried out through cyber espionage, collecting information to provide host nations with a competitive edge — or, in the case of COVID-19, to help them achieve a first-to-market vaccine advantage.
Why does that matter? Because it would influence the next day of the global economy. Also, it would inadvertently dictate who the global suppliers of the COVID-19 vaccine are, and which nations get access to it — and which do not.
Since the pandemic’s onset, pharmaceutical companies, medical manufacturers, and suppliers of ingredients used in COVID-19 vaccine research trials have been subject to cyberattacks — and that’s not all. My team at IBM Security X-Force uncovered in October 2020 a global phishing campaign targeting the COVID-19 cold chain, a component of a vaccine supply chain charged with ensuring that vaccines are stored and transported in temperature-controlled environments to guarantee their safe preservation. We also uncovered earlier this summer more than 40 companies worldwide being targeted in a precision operation aimed at compromising a global COVID-19 supply chain in efforts to gain competitive insight on national strategies and resources to support COVID-19 response efforts.
While governments take steps that further underscore the need for mobilization to safeguard the COVID-19 vaccine supply chain, it’s essential that organizations and defenders take proactive measures to defend the race for a cure. Just recently, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a report raising awareness on security risks within the COVID-19 supply chain. It’s critical that organizations that are part of this supply chain assess their third-party ecosystem and the risks introduced by their partners, and have actionable incident response plans in place to prevent, react to, and recover from a cyber event.
The Chain Is Only as Strong as Its Weakest Link
A vaccine’s supply chain doesn’t stop with the scientists, pharmaceutical companies, and manufacturers developing it. The chain encompasses suppliers, distributors, and storage facilities; it includes the research centers overseeing clinical trials; and it includes those tasked with building the equipment to administer the vaccine or creating the appropriate packaging and technologies required to store it or transport it. And, of course, the hospitals and medical centers that will administer the medicine are at the end of that supply chain.
Imagine a supply chain management company, one that manages the vaccine’s deployment, experiencing a ransomware attack, rendering its logistic systems inoperable. Or a freight transportation company tasked with transporting the vaccine suffering a destructive attack.
These are not outlandish scenarios. These industries have been at the target of both nation-state adversaries and financially motivated cybercriminals in the past — I know this because my team has seen them and responded to them. We’ve already seen adversaries attempt to compromise organizations supplying the vaccine’s cold chain — we mustn’t let them succeed.
A Collective Response Is Mission-Critical
In all the years I’ve been briefing government officials and intelligence agencies about national security threats, both cyber and physical, I’ve learned there are two vital components to defending diverse targets of international significance. First: preparedness to collectively respond. And second: intelligence sharing.
The same must apply to the COVID-19 vaccine supply chain. A collective response to help this ecosystem of organizations prepare for cyber threats is mission critical.
This is why my team created early on a task force dedicated specifically to tracking down COVID-19 threats against organizations that are keeping the vaccine supply chain moving — a task force charged with finding the threats, before the threats reach their targets. We’ve been feeding this threat intelligence into the COVID-19 threat-sharing enclave that IBM, at the onset of the pandemic, made accessible to any organization in need of more eyes on cyber threats.
But this undertaking is far larger than a single team’s resources. Warding off threats to a vaccine’s supply chain and its various disparate parts requires a collective approach to threat intelligence sharing.
Why? Because threat sharing enables a coordinated defense strategy — and in the case of the COVID-19 vaccine supply chain, the collective experience and visibility of threat sharing will reduce risk, making it harder for adversaries to find a way in.
We in cybersecurity say that “it takes a village.” Information sharing is that village.
We all have roles to play in the timely and successful delivery of a COVID-19 vaccine, and for the cross-sector threat intelligence community that role is clear: defend one of the most important supply chains of the century.
Nick Rossmann leads the threat intelligence teams that support clients and incident response at IBM. Prior to IBM, he held various roles in the private and public sectors, such as FireEye, where he managed its threat intelligence production, as well as the US … View Full Bio