SERIES: COVID-19’s Long-Term Policy Implications - Cybersecurity During the COVID-19 Crisis

The COVID-19 pandemic has rightly become the sole focus of the public health policy world, but it is also having far-reaching effects on policy landscapes well beyond healthcare. This blog post is the third in a series that will explore how COVID-19 is changing American life and, as a result, impacting various policy areas. This series will explore changing American attitudes, examine new policy ideas, and project the legislative and regulatory activity we may see as a result of the virus in the months ahead.

The COVID-19 pandemic has led to significant changes in everyday routines. As bad actors seek to exploit vulnerabilities and more of us work, learn, and consult healthcare providers from home, cybersecurity has never been more important.

Cyberattacks During COVID-19

As government leaders remain focused on addressing the public health crisis, an uptick in cyberattacks has led to new questions about U.S. deterrence and strategic leadership in cyberspace.

Many hospitals and healthcare facilities globally are facing cyber threats in the wake of the COVID-19 pandemic, especially as they often lag behind other industries, such as financial services, when it comes to cybersecurity. This makes them especially vulnerable at a time when they are focusing on the virus. For example, a public health district in Illinois was the victim of a ransomware attack last month and was forced to pay $300,000, while a February malware attack on Boston Children’s Hospital’s physician network caused the network of 500 providers, serving 350,000 patients statewide, to be offline for several days.

The challenge of increased cyber vulnerability is not unique to the U.S. Parts of Europe have also been subject to cyberattacks. A hospital providing coronavirus testing in the Czech Republic experienced cyber disruptions last month, and the Czech Republic’s cybersecurity agency warned of a real threat of serious cyberattacks against its healthcare sector. The U.K. has also experienced ransomware attacks against its healthcare facilities.

Of course, hospitals are not the only targets for malign cyber actors. In mid-March, the U.S. Department of Health and Human Services (HHS) suffered a cyberattack on its computer system in a campaign of disruption and disinformation. While there was no breach or degradation of networks, the attack involved overloading HHS servers with millions of hits over several hours, presumably with the objective of diminishing the agency’s COVID-19 response capabilities.

The World Health Organization (WHO) has also seen an uptick in the number of cyberattacks directed at its staff, as well as email scams that target the public. According to the WHO, the number of cyberattacks is more than five times the number from this period last year. More specifically, in the past week, some 450 active WHO email addresses and passwords were leaked online. While the leaked information was not recent and did not impact current WHO systems, it did affect an older extranet system used by current and retired staff as well as partners. Further, fake WHO emails have increasingly been used to lure the public into donating to a fictitious fund rather than the authentic COVID-19 Solidarity Response Fund.

Telehealth, Teleworking, and Cybersecurity

More Americans than ever are teleworking since the virus caused major shutdowns in March. This has prompted a steep increase in Americans accessing business information on their personal devices and home networks, as well as the use of virtual meeting platforms with varying levels of cybersecurity.

Despite widespread reporting on its security limitations, the teleconferencing platform Zoom remains popular. Since the early days of the pandemic, Zoom has been criticized for falsely advertising its use of encryption. Unfortunately, Zoom’s security loopholes have been manipulated, resulting in the “zoombombing” phenomenon, in which an unwanted person joins or hijacks a virtual meeting to broadcast offensive content, such as hate speech or pornography. As a result, Congress, digital rights advocates, and consumer groups have called on Zoom, as well as its competitors, to implement end-to-end encryption on video calls to enhance privacy and cybersecurity.

Major shifts towards telehealth for routine healthcare appointments have also raised new cybersecurity concerns. Telehealth is becoming more accessible since federal and state governments have eased restrictions on sharing patient data. However, in the rush to maintain continuity of some routine healthcare services, providers have turned to common videoconferencing apps, such as Skype and FaceTime, which may not have inherent cybersecurity features to ensure HIPAA compliance.

Fortunately, for some types of healthcare services, such as mental health, many therapists who already had some familiarity with telehealth security issues are promoting the use of platforms such as Doxy and thera-LINK, which have the advantage of being HIPAA-compliant. This could explain why thera-LINK’s parent company Therapy Brands saw more than a 4,000 percent spike in telehealth use the week of March 25 compared to just the previous week.

Government IT Modernization

The federal government was not exempt from the learning curve everyday Americans have encountered in the transition to teleworking. From being ill-equipped to get staff laptops and remote access credentials, to teaching users to properly use virtual private networks (VPNs), government employees have faced their fair share of unique challenges since the start of the pandemic. Consequently, we expect renewed focus on better preparing the public sector workforce to operate from home in the future.

Already, 16 Democratic senators sent a letter to congressional leadership asking for resources, such as the U.S. Digital Service (USDS) and the Technology Transformation Service (TTS), to be made available to overburdened states that have received more than 26 million new unemployment claims over the last five weeks. The dramatic uptick in applicants has caused many outdated unemployment systems to crash, prompting a request that the next round of COVID-19 relief legislation include $50 million for USDS to hire additional skilled technologists who could immediately begin to serve their country and $25 million for TTS to support state and local governments.

A coalition of groups representing state and local governments also sent a letter to congressional leaders asking for direct cybersecurity and information technology (IT) infrastructure funding to deal with the impacts of COVID-19 and the increasing risk of vulnerabilities and gaps on state and local workforce, education, unemployment, and health insurance networks.

In the nearer term, government employees are being asked, and are in some cases required, to be mindful of cybersecurity as they work from home. The Department of Defense (DoD), for example, is asking employees to limit streaming services, such as Pandora, on the DoD network, while access to YouTube has been blocked entirely. Despite efforts like these, the Pentagon’s chief management officer is reporting a 240 percent increase in help-desk requests. DoD and other agencies that routinely handle intelligence are also challenged in their ability to access classified information remotely, as secret and top secret information is not available in a telework environment.

Cyberspace Solarium Commission Recommendations

Prior to the onset of COVID-19, many cybersecurity experts were analyzing the Cyberspace Solarium Commission’s March 11 report and assessing the more than 80 recommendations focusing on reshaping the U.S. Government’s structure and organization for cyberspace, strengthening norms, promoting resilience, reshaping the cyber ecosystem, operationalizing cybersecurity collaboration with the private sector, and employing military instruments of national power.

Although congressional testimony on the Commission’s work has been postponed due to the pandemic, it remains likely Congress will approve many of the Commission's recommendations for boosting the military's cyber operations and protecting national security networks from hackers as part of the Fiscal Year 2021 (FY21) National Defense Authorization Act (NDAA). More specifically, it is expected military-focused recommendations, such as the creation of a military cyber reserve and the establishment of a threat hunting program for the defense industrial base, will be included in NDAA base text.

As the Commission notes in its report, there are numerous congressional committees that have some jurisdiction over cybersecurity. As the annual defense bill is considered “must pass legislation,” the Armed Services Committees are undertaking an effort to secure waivers from other committees to address issues of shared jurisdiction in the NDAA. For example, there is thought to be bipartisan support for the Commission's proposal to create a White House Office of the National Cyber Director, which would revive, expand, and elevate a position the Trump Administration eliminated in 2018.

The Commission’s charter is due to expire in August, but there is some chatter its mandate could be extended, especially as COVID-19 has elevated the importance of cybersecurity. In fact, the Commission staff has recently drafted an addendum to its report, which it is referring to as a “pannex,” to underscore cybersecurity issues prevalent during the pandemic. This annex is expected to focus on issues like resilience, preparedness, and public-private partnerships; lessons learned from the pandemic, for example, the need to counter misinformation; and the need for coordinated, strategic cyber leadership.

Cybersecurity in the Presidential Campaigns

During his first term, President Donald Trump took steps that appeared to convey a strong position on cybersecurity. For example, in September 2018, the Trump Administration unveiled the National Cyber Strategy, which identified decisive priority actions to protect the American people in the digital domain. Additionally, in October 29, President Trump signed an executive order to grow and strengthen the cyber workforce. In particular, this executive order promoted cybersecurity work within the government and encouraged widespread adoption of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.

Despite the fact that the president has signed multiple cybersecurity bills, cyber experts observe he may not have made good on his pledge to enact an overarching cybersecurity strategy. This has been evidenced by President Trump allowing former National Security Advisor John Bolton to eliminate the White House cyber coordinator position and former Secretary of State Rex Tillerson to remove the Office of the Coordinator for Cyber Issues.

While former Vice President Joe Biden is not thought to be tech savvy, it seems clear he has an enduring concern for cybersecurity. During his service in the Obama Administration, Vice President Biden was an advocate for beefing up the nation’s cybersecurity infrastructure, including by announcing a $25 million federal grant program for cybersecurity education following the 2015 Sony Pictures hack. More recently, Vice President Biden has spent time on the campaign trail calling for revocation of Section 230 liability protections and advocating for the need to augment NATO capabilities in the cyber domain.

Additionally, the Biden campaign has made clear it is not taking any chances in the cyber realm. From day one, campaign staffers have been required to practice good cyber hygiene, for example, by completing mandatory cyber training, enabling two-factor authentication on email and social media accounts, and using password managers. The campaign has also employed cybersecurity specialists to help fend off email phishing attacks, similar to those that impacted the Democratic National Committee (DNC) during the 2016 campaign cycle.