By Molly Wood
At a moment when you would strongly prefer it to stay healthy, the U.S. office of Health and Human Services was the target of a cyberattack. Reports say the agency’s servers were hit this week with what’s known as a distributed denial of service attack, where hackers overwhelm the system with millions of simultaneous hits.
Bloomberg reported that U.S. officials believe a foreign state was behind the cyberattack, but haven’t confirmed which one. Meanwhile, an Illinois public health department website was also hit, and scammers are trying to spread fake information posing as the Centers for Disease Control and Prevention and the World Health Organization.
I asked Mark Rasch, who runs a cybersecurity consulting company and is a former prosecutor at the Department of Justice if dealing with the coronavirus makes us more vulnerable to these kinds of hacks.
Mark Rasch: We’re much more dependent now on the government’s continuing to function because it’s doing critical things. So HHS in particular, [the Department of Homeland Security], the Department of Defense, all these critical infrastructures become much more critical when we become more dependent upon them. Even in the commercial sector, we are now having a lot of people working from home, which means that those people now have to have ubiquitous online connections to secure networks. So we’ve now created a lot of vulnerabilities, and we really need to secure them.
Molly Wood: Does the federal government have the capability to do that hardening right now? Do we have the people and the talent in place?
Rasch: The federal government’s always had a problem with getting enough resources to do the kind of security that they need to do. Partly it has to do with the pay structure, partly it has to do with their ability to recruit individuals to do it, and a lot of it has to do with the kind of resources, and how they dedicate those resources. Now even more than ever, when people are working from home, they have fewer resources stretched thinner, which makes them even more vulnerable. You know, most of these government agencies go through these annual reviews against a set of government standards, and they get a scorecard, and they’re lucky if they get a B+. But when you really need to rely on critical infrastructure, that’s like getting on an airplane where the inspection said, well, you got a B+. That’s not good enough. You really need them to have a much better and more robust infrastructure. One of the things that HHS did is, while they were being attacked, or in anticipation of the attack, they did beef up their security.
Wood: What’s the kind of worst case? I mean, are we at a position where a hack like this on Health and Human Services or another agency could meaningfully impact our response to the coronavirus outbreak?
Rasch: Yeah, absolutely. Every scenario that we’ve written for a cyberwar — and I’m not suggesting that this is a cyberwar — a cyberwar would involve an attacker who would attack us at a time when we are most vulnerable and most dependent upon the infrastructure. So there’s always this idea of a cyberwar, connected with a kinetic war, meaning bombs and guns. But you could also have a cyberwar connected with some other national crisis. Now, I’m not suggesting that this is what’s going on, but it’s at the times of national crises that you are the most vulnerable.
Rasch also told me that this is a time when hackers will also try to take advantage of all kinds of chaos, in terms of tricking people into clicking links or opening programs that plant malware, and because many people may be working from home on insecure systems, they could become vectors for digital infection as well.
One intelligence firm said hackers were posing as officials from WHO to steal personal information and bank details from people, and that state-sponsored hackers in North Korea, China and Russia would use the cover of coronavirus to target other governments, like Italy, the U.S. and Japan.
Basically, at this moment in time, in addition to washing your hands and staying 6 feet away from everyone who isn’t family, it’s time to step up your digital hygiene, too. Don’t click anything that you haven’t verified, and if anyone calls you asking for personal information or bank details, including family, don’t tell them.
Good thing about tech companies working with each other and the government: A bunch of them have teamed up to try to defeat misinformation online about COVID-19 and coronavirus. Now we find out what actually can be done at scale.
Bad thing about tech companies working with each other and the government: Previously in China, now in Israel, where it’s happening, and possibly here, where it’s being discussed, governments are hoping to use location data from cellphones to try to map the spread of coronavirus, potentially determine whether people are staying away from each other like they’re supposed to and predict future outbreaks. According to the Washington Post, multiple sources stressed that they for sure would not use this information to build a government database of people’s sensitive information about where they go and when.
That sound you hear is security researchers and privacy advocates around the world shouting out with one voice: “We Told You This Would Happen Eventually.”
Today’s do’s and don’ts for remote working
DO compile an audio supercut of all the times that barking dogs pop up in radio shows and on podcasts over the next few months.
DO over-communicate confirming that you have received an email.
DO give an ETA for whatever you’re working on. No one can stop by your office and see you. You have to type all the words out loud.
DON’T forget to mute your mics during conference calls. And bonus tip: If you’re the meeting host on Zoom, you can mute everyone yourself. Use this power wisely, friends.
Credit: Marketplace Tech, Minnesota Public Radio