By: Rajiv Dholakia, Chief Product Officer, VERA
A mentor of mine once said “Crisis is a messenger – if you listen carefully.” In the current COVID-19 pandemic, the top Cyber commands across Europe and the U.S. are sending industry a clear message: They warn that the crisis has caused malicious cyber actors to double down their efforts to steal credentials, mount IP theft or launch ransomware attacks.
Even as researchers around the globe race to develop a coronavirus vaccine, U.S. and European authorities including the Federal Bureau of Investigation, the U.S. Director of National Intelligence, and the United Kingdom’s National Cyber Security Centre are warning American and UK firms and research institutions to exercise extreme caution in safeguarding their research against malicious actors out to steal cutting-edge medical technology, in particular.
In an interview with NPR’s national security correspondent Greg Myre, the Director of the National Counterintelligence and Security CenterBill Evanina stated “We are imploring all those research facilities and hospitals and pharmaceutical companies that are doing really great research to do everything in their power to protect it.” A broader warning by the UK National Cyber Security Council notes seeing an increase in attack vectors across all companies using the usual measures (phishing, credential theft, malware, attacks on remote workers), with the ultimate goal of stealing intellectual property.
These espionage threats are not new. Phishing, stealing passwords and using malware to capture keystrokes and screenshots are familiar risks. What is remarkable about these threats in the case of the COVID-19 pandemic and countries’ race for treatments is the potential for intrusions and data theft to jeopardize trust and progress toward a vaccine.
Because so much of the modern healthcare and pharmaceutical world relies on software and Internet-connected production lines, the consequences of network intrusions and disruption can be far-reaching or even unintended beyond attackers’ initial aims. For example, what happens if a reconnaissance break-in at a pharmaceutical company seeking data on how much of a given medicine is in stock accidentally derails computers helping control downstream assembly lines? What if tireless researchers’ months of painstaking treatment research is inadvertently corrupted or deleted in an attack? Even digital break-ins where only theft occurs can be devastating, if the mere fact an intrusion took place forces labs to discard or restart research, fearing an adversary might have tampered with research to introduce defects, setting back a rival business or country’s vaccine progress and sowing distrust in organizations.
Uncertainty is a relentless foe in cyber risk, particularly when it comes to attacker attribution and motives. It is therefore even more important to focus on sealing-off blind spots and infiltration routes any attacker will need to exploit in order to be successful. In my own data protection career at companies like PGP, NokNok Labs and now VERA, I have consistently seen several keys to success. Today I work with many U.S.-headquartered manufacturers adopting these principles, which include:
- Data protection is a team sport. Realistically, there is no single magic bullet that can prevent IP theft; security involves a set of links in the protective chain of approaches. The last decade of migration to our modern computing infrastructure means that data security is no longer a perimeter game.
- Secure your credentials using an asymmetric, key-based, phishing-resistant authentication protocol like FIDO. You may not be able to limit the number of researchers, physicians, data scientists or logisticians who have varying “need to know” access rights to sensitive data. However, you can drive centralization and risk management by making sure you are governing login credentials in uniform fashion allowing you to change permissions, as necessary.
- Patch and harden your systems. Yes, that simplest of things is often neglected. Basic hygiene matters, whether for COVID-19 or other, non-related data theft threats.
- Recognize that data protection in the Cloud & Collaboration Era is different: Medical treatment and vaccine research in the heat of a pandemic is exactly the type of fluid, critical collaboration use case for cloud computing. In efforts like these, there is always an overriding sense of erring on the side of trust and sharing, between clinics, testing centers, laboratories and production experts. Popular cloud platforms these groups rely on are great for synchronizing joint teams but also multiply risk across these and other third-parties.
Risk management becomes about discarding outdated principles and seizing the new data protection high ground. Accept that need-to-share is the norm, but do not settle for relying on everyone’s good faith pledges to configure and share files securely – hard to do in practice, even with the best intentions. Before your databases, documents and plans take off, agree on a single data protection standard that can span your entire set of cloud collaborators so that no one is leading data astray from where it can be visualized, contained and rendered worthless if taken from this environment.
Secure your data with modern data security practices that will allow you to have visibility, accountability and trackability around your data.
The important message from the FBI, DNI and UK NCSC is simple—crises present opportunities for bad actors. An attempt to steal data and compromise your infrastructure is not a matter of if but when. The good news is that with a layered defense strategy and a clear view of the threat models, you can protect yourself.
About the Author
Rajiv Dholakia is a 30+ year veteran of Silicon Valley with global experience in leading public and private companies from ideas to IPO.
Most recently, Rajiv was at NokNok Labs where he led the creation of a world-wide phishing-resistant standard to modernize authentication and replace passwords. Earlier, Rajiv was VP & General Manager at Symantec, responsible for the operations of PGP TrustCenter, a Cloud-based platform for Identity, Encryption & Trust Services for users & devices. He has worked at Taligent, Sun Microsystems &IntelliCorp in senior technical leadership & business roles.
Rajiv is a mentor at UC Berkeley’s SkyDeck accelerator and an invited speaker at conferences on security & entrepreneurship. He also serves on the board of the Northern California Girl Scouts on the strategy & STEM committees.