WASHINGTON - The race to slow the spread of the coronavirus in the United States is placing an unprecedented burden on the country’s cyber infrastructure, potentially making it as vulnerable as it has ever been.
At issue are the U.S. government agencies, thousands of businesses and millions of Americans, who suddenly have been forced to telework and rely on the security of their internet connections and good cyber hygiene, to keep businesses and services running.
The result, some officials warn, is an opening for anyone who would like to strike a virtual blow.
“We’re mindful that our adversaries often see opportunity in situations like these,” a U.S. official told VOA on the condition of anonymity, given the sensitive nature of the subject.
Both the FBI and private cybersecurity firms warn the assault is already well underway.
“We're seeing a significant amount of threat in email, leveraging social engineering at scale to do a variety of attacks,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
Watch out for emails claiming to be from the @CDCgov or others saying they have information about the virus, and don't click on links you don't recognize. For the most up-to-date information about #COVID19, visit the CDC’s website at https://t.co/VAxaOUzfeu.— FBI Washington Field (@FBIWFO) March 16, 2020
Some of the emails are designed to look like they are coming from legitimate agencies such as the U.S. Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO), using fear of the coronavirus to get a recipient to click on a malicious attachment or link.
DeGrippo says the largest attack involved about 300,000 emails, and that new variations are coming in constantly.
“We’re just seeing this being used across every potential attack style that you can possibly do,” she said. “It's incredibly widespread.”
So far, almost all the attacks Proofpoint has documented have come from cybercriminals. But the potential for damage is significant.
Teleworking and the cyberthreat
Some attacks are focused on phishing, looking to steal user IDs and passwords. Others involve installing malware (malicious coding) designed to steal data or to access financial accounts and steal money.
And while those sorts of attacks are not new, many of the individuals being targeted are inexperienced.
"We are now in the situation of 100% work from home for a huge number of employees in corporate America,” DeGrippo said. “They don't have the same technological protections and control at their home that they did have in their office.”
“You really completely shifted the attack surface,” she added.
For years, cybersecurity experts in government and the private sector have warned that the networks Americans rely on are not secure and that many may have already been compromised.
Last week, a bipartisan report by lawmakers and experts warned the United States is still not prepared.
“The status quo in cyberspace is unacceptable,” according to the intergovernmental U.S. Cyberspace Solarium Commission. “The current state of affairs invites aggression and establishes a dangerous pattern of actors attacking the United States without fear of reprisal.”
Cyberattack amid a pandemic
Those fears were front and center Monday when officials confirmed there had been a “cyber incident” involving networks belonging to the U.S. Department of Health and Human Services (HHS), which has been playing a key role in the government’s coronavirus response.
HHS officials say despite the attack, none of their systems have been penetrated and that no information was compromised.
Security officials have yet to assign any responsibility for the attack, though they are looking at whether a state actor may be to blame.
In the meantime, there is concern that additional attacks, whether targeting the country’s cyber infrastructure, government health agencies or even medical manufacturers, are likely.
“Supply chains are global. So, if you somehow can interfere or affect those supply chains, that causes some issues that we haven't had to deal with before,” said Stuart Brotman, a fellow in the Science and Technology Innovation Program at The Wilson Center in Washington.
“That would have a major impact on being able to confront the virus,” he added.
U.S. officials and independent experts admit that for most state actors, such an attack would come with substantial risk, as many countries are also battling the coronavirus pandemic.
Rogue actors, like criminal syndicates or North Korea, which has shown a willingness to attack companies like Sony and banks around the world, might be tempted, they say.
The bigger concern, though, is that some U.S. adversaries may see this as a chance to ramp up other cyber campaigns, like attempts to meddle in the upcoming presidential election, while U.S. officials focus on stopping the virus’s spread.
“Clearly, we are in this critical electoral moment which happens to overlap with COVID-19,” said Brotman. “So, now if you were on the other side trying to figure out how do we create some immediate pain, you would want to take both of those elements and put them together.”
Despite the myriad vulnerabilities, U.S. officials are not giving up, encouraging government agencies and the private sector to do what they can to improve their cybersecurity posture.
As the #COVID19 situation evolves, many organizations are exploring telework options for staff. Here’s some guidance to help organizations take appropriate #cybersecurity measures: https://t.co/6GboT4YlSp #CoronaVirus pic.twitter.com/NB2xKzDTBG— Cybersecurity and Infrastructure Security Agency (@CISAgov) March 18, 2020
“In this kind of condition, where you’re expanding your network, relying more and more on digital connectivity, it’s never too late,” Mark Montgomery, executive director of the U.S. Cyberspace Solarium Commission, told VOA.
“The consequences are higher now,” he said. "If they take action now, they still have time to make an impact."