In late March, Canada's Communications Security Establishment (CSE) warned researchers across the country to secure their COVID-19 data because "sophisticated threat actors" — read state-sponsored hackers — were exploiting the chaos of the pandemic in an effort to steal critical vaccine research, some of which is now ongoing in Halifax.
In mid-April, Google's threat analysis group announced that it blocked almost 18 million COVID-related malware and phishing emails ... per day. On May 13, the FBI and U.S. Cybersecurity and Infrastructure Security Agency warned that Chinese hackers were attempting to steal data from a number of organizations conducting coronavirus research.
So it should not have come as much surprise when the Trump administration recently charged two Chinese nationals with cyber-crimes and also ordered the country to close its consulate in Houston. It also shouldn't have shocked observers when the CSE, in a July statement with its U.S. and U.K. counterparts, determined that a well-known Russian hacker group known as APT29, "the Dukes" or "Cozy Bear," was behind a number of recent digital attacks aimed at stealing information and intellectual property from Canadian labs working on pandemic-related research.
The Great Cyber Game is afoot. From Russia targeting the 2016 U.S. election (and apparently the U.K., too, if its recently released parliamentary intelligence and security committee report is to be believed) to China's penetration of the U.S. National Security Agency and the ongoing digital disruption of Iranian weapons programs, there is no denying the strategic importance of the 21st century's virtual battlefield.
What is shocking is how slow Western democracies have been at fully appreciating the way in which COVID-19 has expanded the cybersecurity theatre to include global public health, despite months of warnings. Canada's leaders — national, provincial and local — need to start taking these attacks seriously.
Instead of awarding multi-million-dollar security contracts to deploy IT systems across all Canadian embassies — made by the Chinese state-owned "Huawei of airport security" (yes, that just happened) — our country's political, law enforcement and national security leadership should be communicating and implementing a multi-pronged plan to deal with digital threats to Canada's COVID-19 research.
For example, Canada has a National Cyber Security Strategy. It is only 40 pages long and it was written in 2018. Of course, it does not mention COVID-19. It ought to. The prime minister should prioritize an immediate rethink and revitalization of this plan. All parties should pressure the government to have it updated in the face of how dramatically the playing field has shifted as a result of the pandemic.
Demands for actual engagement of local and provincial resources to implement such a strategy at the ground level should also be front and centre. This type of local, provincial, and federal co-operation is critical — especially in the Atlantic region — given the extremely important COVID-19 research happening here in Nova Scotia.
For example, the federal government announced in May that the Canadian Center for Vaccinology — a joint centre led by Dalhousie University, the IWK Health Centre and the Nova Scotia Health Authority — would lead the first Canadian clinical trials for a coronavirus vaccine. This is a remarkable opportunity, which must be protected with robust cybersecurity resources. We know state-based hackers in Russia, China and other countries are mounting a full-court press to steal or disrupt public health efforts aimed at finding a vaccine.
However, there has been little to no discussion beyond the CSE's repeated warnings as to just what is being done to protect the important work of our local health and science experts.
Since Canada's new federal rules for data breach reporting went into effect in November 2018, privacy commissioners across the country have pushed for public- and private-sector leaders to appreciate the risks associated with collecting, using and disclosing personal information without having a data breach plan and cybersecurity measures in place.
The same advice ought to apply to our local researchers, government agencies and burgeoning health and technology sectors. Engage your IT security leaders to understand the risks. Investigate and assess internal cybersecurity measures presently in place (or which need to be implemented) to ensure programs and patches are up-to-date. Review your insurance policies and question if data breaches are covered. Consider speaking with privacy experts to help build internal policies and plans for when a breach happens.
Because the hacks will come, if they haven't already. After months of warnings, local, provincial and federal leaders will have no excuse if our hard work and research aimed at beating COVID-19 is stolen. Sophisticated threat actors are already making global public health another victim of 21st-century cyber-attacks. We must be ready.
Originally printed in The Chronicle Herald, July 30, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.