How hackers could undermine a successful vaccine rollout
Armed U.S. Marshals kept many of Pfizer’s first coronavirus vaccine shipments safe from thieves and saboteurs this week, but experts warn that less visible threats to the vaccine lurk in cyberspace.
“There is no doubt that vaccine production, and everything about the vaccine, will become a vector of cyberattack,” says Jonathan Reiber, who served as the Defense Department’s cyberstrategy chief under President Obama and is now chief strategist at cybersecurity firm AttackIQ.
Those attacks, according to Reiber and other experts, could take at least three forms: attacks on the integrity of the vaccine supply chain; theft of trade secrets related to the vaccine; and online disinformation campaigns aimed at eroding trust in the vaccine.
Here is what those attacks could look like—or already do.
Break the cold chain
Pfizer’s coronavirus vaccine has a unique vulnerability: It must be stored at the extremely cold temperature of –70 degrees Celsius. Other vaccine candidates have less stringent requirements but must still be refrigerated.
The good news is that a cyberattack that interferes with vaccine cold storage is unlikely, according to Vinny Troia, a former Defense Department contractor and founder of cybersecurity firm NightLion. The main challenge of such an attack would be in using compromised digital systems to manipulate physical equipment.
“The time it would take to develop and deploy something like that, by the time that happens we’ll probably be done distributing vaccine,” says Troia. He compares it to the effort behind Stuxnet, a virus believed to have been developed by the U.S. and Israel to physically interfere with targets including Iranian nuclear facilities. Information about Stuxnet is still secret, but development is believed to have taken at least four years, from 2005 to 2009.
But hackers wouldn’t have to shut down freezers to meddle with the vaccine cold chain. They would only have to tamper with data.
Bill Brooks, a logistics expert with the consulting firm Capgemini, worries that hackers could try to modify shipping records to show that the vaccine was exposed to improper temperatures. That could render the vaccine unusable—whether or not it was actually compromised.
Malicious actors “want to create doubt,” says Brooks. “[They] want to create chaos in the marketplace, so people are unsure what they’re receiving.”
There are multiple levels of protection against such an attack. Most modern cold-chain monitoring systems have some redundancy, such as transmitting data from monitoring devices to a central database, or paper backups. All health care logistics must also comply with an FDA standard that guarantees traceability of every attempt to access or modify tracking data. Because of those controls, Reiber describes such a data-focused attack as “plausible” but difficult.
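One way to make temperature records tamper-evident and to check them against a redundant copy, as the paragraph above describes. This is an added example, not code from the article or from any vendor it names. Each reading is chained to the previous one with an HMAC; the key, shipment ID, and readings are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor for the first record in the chain
KEY = b"constructed-demo-key"  # assumption: shared by the logger and the verifier
SAMPLE = [  # constructed readings for a made-up shipment
    {"shipment": "DEMO-001", "time": "08:00", "temp_c": -71.2},
    {"shipment": "DEMO-001", "time": "08:10", "temp_c": -70.8},
    {"shipment": "DEMO-001", "time": "08:20", "temp_c": -70.5},
    {"shipment": "DEMO-001", "time": "08:30", "temp_c": -71.0},
]

def _tag(key, prev_tag, reading):
    """HMAC-SHA256 over the previous tag plus this reading as canonical JSON."""
    body = json.dumps(reading, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def seal(key, readings):
    """On the logger: chain every reading to the one before it."""
    records, prev = [], GENESIS
    for reading in readings:
        prev = _tag(key, prev, reading)
        records.append({"reading": reading, "tag": prev})
    return records

def verify(key, records):
    """Index of the first record that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if not hmac.compare_digest(_tag(key, prev, rec["reading"]), rec["tag"]):
            return i
        prev = rec["tag"]
    return None

def reconcile(copy_a, copy_b):
    """Indices where two redundant copies disagree, including a missing tail."""
    shared = min(len(copy_a), len(copy_b))
    differing = [i for i in range(shared) if copy_a[i] != copy_b[i]]
    return differing + list(range(shared, max(len(copy_a), len(copy_b))))

if __name__ == "__main__":
    device = seal(KEY, SAMPLE)
    central = copy.deepcopy(device)           # redundant copy in the central database
    central[2]["reading"]["temp_c"] = -12.0   # constructed edit faking a warm excursion
    print(verify(KEY, device), verify(KEY, central), reconcile(device, central))
```

Dropping records from the end leaves the remaining chain valid, so truncation shows up only in the comparison against the redundant copy.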
“We constantly see people who are trying to spoof into our system, and we spot it very quickly,” says Mark Sawicki, CEO of health logistics company Cryoport Systems, which provides distribution and cold-storage services for 26 different COVID vaccine candidates still in trial stages. “I’m honestly not that concerned with that.”
In response to inquiries about cybersecurity risk, Pfizer said it carefully tracks and responds to threats. “For our COVID-19 vaccine we have developed detailed logistical plans and tools to support effective vaccine transport, storage, and continuous temperature monitoring.”
Controlant, which provides the monitoring technology for distributing Pfizer’s vaccine, also expressed confidence. “Our established security program meets industry standards and best practices for the pharmaceutical industry.”
But Troia says procedural controls such as the FDA’s requirements aren’t guaranteed protection against determined and well-funded hackers. He points to the recent revelations of a foreign cyberattack that compromised the widely used IT software SolarWinds, giving the attackers deep access to systems, including at the U.S. Treasury. More than 80% of Fortune 500 companies are SolarWinds customers, though it’s currently unclear how many, if any, were compromised in the attack.
An attack on tracking data could be deeply damaging, even if it only succeeded at a very small scale.
“Is it enough to do it once?” asks Reiber, the former Defense Department cyberpolicy chief. “Is that enough to help you achieve your strategic goal of sowing distrust? That could be the case.”
Steal the blueprints
“We’ve seen state actors trying to steal vaccine IP from the very beginning of the pandemic,” says Reiber, using shorthand for intellectual property. That has included alleged attempts by state-sponsored hackers from China, Russia, Iran, and North Korea to steal coronavirus vaccine research or production techniques.
According to Troia, the other former Defense Department official, another common tactic is simply scanning software developers’ accounts on sites like GitHub, where many engineers store or share software code—and sometimes, carelessly, passwords.
Once hackers gain access to a GitHub or similar account, says Troia, they search for both sensitive data and credentials for access to other systems, such as Amazon Web Services cloud storage. “That’s like the Holy Grail right now. When they log into the Amazon bucket, it’s all right there on a silver platter.”
Even if a digital IP heist were successful, though, it wouldn’t be inherently harmful to vaccine distribution. In fact, the ultimate goal of such a hack would be to produce more vaccine at a time when many countries are facing an uphill battle and, in some cases, even calling for the emergency rollback of intellectual property protections for COVID vaccines.
Sow seeds of doubt
Troia believes that the most likely tactic for a hostile agent hoping to disrupt U.S. vaccine distribution would not target the vaccine itself, but public perception.
“It’s more likely if you’re trying to cause disruption, you’re going to choose to do disinformation. It’s easier to inject a narrative into a society, especially if there’s a predisposition to distrust something,” he says.
That predisposition is widespread in America. Currently, about 27% of Americans are hesitant to take the vaccine, according to a Kaiser Family Foundation survey, with more than half of those citing distrust of government as a factor.
In 2016, the cyberwarfare arm of Russia’s GRU intelligence agency exploited Americans’ distrust to spread political disinformation. Russian state actors are now allegedly engaged in a similar effort to further undermine faith in Pfizer’s and other successful vaccines. They have reportedly found receptive audiences among anti-vaccination groups on social media sites.
Disinformation efforts may be particularly harmful to African-Americans, who have been disproportionately harmed by the pandemic. Yet 35% of them are hesitant to take a coronavirus vaccine, the Kaiser survey found, well above Americans as a whole. That elevated distrust is in part the legacy of mistreatment of Black people by American medical institutions.
“If I’m putting on my most nefarious adversary hat, I’m going to look at American society and say, who are the populations suffering most under COVID-19?” says Reiber. “And I’m going to try and make that situation worse.”
Attacks on public confidence in vaccines, whether through data sabotage or online disinformation, have implications beyond the individuals who may decline to take the vaccine. Dr. Anthony Fauci has said 75% to 80% of Americans will need to be vaccinated to end the coronavirus pandemic.
If digital malefactors slow the progress to that threshold, it would be one of the most devastating cyberattacks of all time.
Correction 12.18: This piece previously referred to Vinny Troia as a former Defense Department staffer, rather than a former contractor. We regret the error.