Just as 2020 ended with the launch of the vaccine campaigns and the hope for a new world, 2021 opened up with a series of challenges in the field of cyberspace brought to the surface by the Covid-19 pandemic.
Cyberattacks on healthcare is not a new phenomenon, but they reached another level in the midst of the pandemic.
In December alone, there were a series of attacks against organisations including the World Health Organization (WHO), GAVI, the Vaccine Alliance, and companies associated with the Covid-19 cold chain. Just a few days later, the European Medicines agency was also subject to a cyber attack.
These, together with the so-called Sunburst hack earlier in the year, the largest hack of a Western government in recent memory targeting strategic US organisations, reveals not only its consequential global risks, including in Switzerland, but also what experts agree on: the number of attacks will increase in 2021, according to the WEF Global risks report 2020.
And the risk of attacks touches upon many more areas than just healthcare, as digital technology and data become ever more integrated into all aspects of everyday life , and working from home is much more widespread.
Cyberthreats in numbers. Last year saw a record number of cyberthreats. The cybersecurity firm, McAfee registered in its global network of more than a billion sensors registered a 605 per cent increase in total Q2 COVID-19-themed threat detections. In Switzerland, the data collected by the National Cyber Security Centre (NCSC) in its latest report published at the end of October last year, in April 2020 only, cases were over 350 per week, well above the norm of 100-150, the NZZ reports in June.
More generally, at Kaspersky Lab, more than 68.7 million cyberattacks are reported the same month.
The phenomenon can be addressed in two different but related ways. First, by preventing future attacks and reinforcing the infrastructures in place. Second, by focusing on digital mediation to contribute to the collective effort in achieving cyber peace. The Geneva-based CyberPeace Institute plays its part in the process as it affirms its belief in a collective ambition for peace and justice in cyberspace. It focuses on holding all actors accountable for their role and responsibilities in cyberspace, including state-actors. After one year of existence, the Institute has launched different initiatives and taken part collective actions, such as the Ransomware task force alongside Microsoft and McAfee, or the Stop Infodemic campaign.
Why this is important. The pandemic has revealed that an increased risk to health is a risk to a secure society. In a webinar co-organised by the institute and the WHO in December, WHO head for security and health security interface, Mathew Lim, poses the problem clearly:
“The Covid-19 pandemic is also unprecedented in that it is the first global public health crisis that is also a global information crisis. Whether it is through the deliberate misuse of information technology to commit cybercrime, cyber sabotage, or cyber espionage, or through the rising tide of misinformation and disinformation, consciously or unconsciously spread through the internet. The global community has discovered that information technology can harm and hinder the response to a global crisis, as well as educate and empower these two fruits of globalisation.”
In other words, Covid-19 is the first pandemic of the digital society. And the harm is important, not only for the general public, but also for health workers and health facilities, slowing down the effectiveness of the measures taken, the mitigation efforts in the case of the pandemic and posing a direct threat on human life when treatment cannot be given properly.
Future challenges. Cyberthreats do not only impact physical structures but the information space at large. Moreover, it is a business. Columbia University, senior research scholar, Wilmot James, explains in the CyberPeace institute webinar:
“People trying to steal information have a business model. And clearly that business model depends on keeping up with a competition, mastering the technology, developing systems to evade security systems. It's very likely that ransomware operators spend more time in the networks of the targets. There's almost like an arms race, Darwinian arms race between developing security systems and mitigation strategies and then business models on the part of people who want to do great harm, keeping up with that process.”
From international organisations to the private sector. The problem is complex and its extent is huge. And coupled to the dis/misinformation issues, it seems difficult to move forward in a constructive way to moderate the threat of information technology to health security. But international organisations can play a role, James continued. The WHO can contribute to define the technical requirements, certification, inspection systems and oversight systems, he said, while the World Economic Forum (WEF) can be efficient when it comes to the boundaries that operate in the commercial sector. The key is to find balance between self governance and regulations.
The NCSC also acknowledges the role of International Geneva in its report, “as Switzerland can provide a trustworthy framework for discussions on cybersecurity and new technologies.”
The private sector has already accelerated its protection plan to prevent future breaches. According to PricewaterhouseCoopers’ (PwC) latest survey on Global Digital Trust Insights, 96 per cent of executives have adapted their cybersecurity strategy due to Covid-19 and 40 per cent of executives say they are accelerating digitisation.
Consultancy firm McKinsey predicts that cybersecurity budgets will grow especially in healthcare systems following the Covid-crisis.
Collective action for a safer future. Microsoft, for example, calls for an effective strategy and collective response, based on the reinforcement of international regulations and clearer nation-state accountabilities. Europe presented its Services Digital Act late last year, while the foundations for a digital home are being defined by the international community.
In other words, to address the issues related to cybersecurity and create a safer environment, cooperation is key. And the pressure will also be on Geneva actors in international governance and digital policymaking to show that they can advance the agenda in this field.