As the world has responded to the COVID-19 pandemic, the Internet has become more important than ever before. In an isolated and socially-distanced society, it is the digital world which, above all, has afforded some sense of “normality”, allowing loved ones to communicate and businesses to continue to operate.
However, this increased reliance has also created new vulnerabilities which some individuals have attempted to exploit. Speaking at the government’s daily briefing on May 5, the United Kingdom’s Foreign Secretary, Dominic Raab, acknowledged this problem stating, “there will always be some who seek to exploit a crisis for their own criminal and hostile ends.” As he warned, individuals and Advanced Persistent Threats (APTs) seem principally concerned with the theft of “bulk personal data, intellectual property and wider information”, which places individuals, businesses and, alarmingly, the healthcare industry at risk.
Businesses face many cyber-risks in the age of COVID-19. In the rapid and unprecedented shift to home-working, companies had limited time to introduce new software to facilitate remote collaboration and to test their new operating models. Some employees are now working from home using their own computers, which may run outdated operating systems and lack anti-virus software. Additionally, these computers may be shared with other family members or even flatmates. The use of home Wi-Fi networks also exposes businesses, as they may not be securely configured or may be shared between various individuals. Virtual private networks (VPNs), which companies now rely on for sharing and encrypting data between remote workers, are generally well-protected. However, with so many uncontrolled aspects of the home environment, there is potential for malware to penetrate these networks. Moreover, detecting these vulnerabilities can be difficult, requiring specific software.
Such risks also affect the organisations at the heart of the response to COVID-19. According to an advisory statement by the British and American cyber-security bodies, the National Cyber Security Centre (NCSC) and Cybersecurity and Infrastructure Security Agency (CISA) respectively, APT groups are targeting healthcare bodies, pharmaceutical companies and local governments, amongst others, in order to attain research data and intellectual property. They warned that “password spraying,” a strategy which tests common passwords to gain access to business networks, is one of the principal ways in which this has been achieved. Since this strategy cannot easily be detected, it poses a considerable risk.
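Password spraying is hard to spot with per-account lockout rules because each account sees only one or two guesses; the detectable pattern is one source failing against many different accounts in a short window. The script below is an added example, not part of the original article or the NCSC/CISA advisory, and runs that check over constructed authentication log lines (the log format, IP addresses and usernames are all assumed):

```python
"""Added example (not from the article): flagging password spraying in
authentication logs. A spray tries a few common passwords against MANY
accounts, so per-account lockout never trips; the defender's signal is
per-source: many distinct usernames, few attempts each. All values constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <src_ip> <username> <FAIL|OK>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")
EPOCH = datetime(1970, 1, 1)  # fixed origin for time buckets (tz-agnostic)

# Constructed sample: 10.0.0.9 sprays five accounts (one failure each),
# 10.0.0.5 brute-forces one account, 10.0.0.7 is a user with a typo.
SAMPLE_LOG = """\
2020-05-05T09:00:01 10.0.0.9 alice FAIL
2020-05-05T09:00:03 10.0.0.9 bob FAIL
2020-05-05T09:00:05 10.0.0.5 carol FAIL
2020-05-05T09:00:06 10.0.0.9 dave FAIL
2020-05-05T09:00:08 10.0.0.5 carol FAIL
2020-05-05T09:00:09 10.0.0.7 erin FAIL
2020-05-05T09:00:10 10.0.0.9 carol FAIL
2020-05-05T09:00:12 10.0.0.5 carol FAIL
2020-05-05T09:00:14 10.0.0.9 erin FAIL
2020-05-05T09:00:15 10.0.0.7 erin OK
"""

def parse(text):
    """Return (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, res = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, res))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map src -> sorted usernames for sources whose failures in one
    tumbling `window` hit >= min_users accounts, <= max_per_user each.
    Brute force (many tries, one account) deliberately does not match."""
    fails = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> n
    for ts, src, user, res in events:
        if res == "FAIL":
            fails[(src, (ts - EPOCH) // window)][user] += 1
    flagged = {}
    for (src, _), counts in fails.items():
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            flagged[src] = sorted(counts)
    return flagged
```

The thresholds are tuning knobs: raising `min_users` reduces false positives from shared NAT addresses, while the `max_per_user` ceiling is what separates a spray from ordinary brute force.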
Multiple measures can be taken to minimise these risks. For example, business laptops should be issued where possible and, in unavoidable cases where employees use personal devices, anti-virus software and operating systems must be kept up to date. Employees should be warned of the risks of phishing emails in the event that they are not stopped by virus protection and should be reminded that data should not be stored on personal devices if company laptops and phones have been provided. Multi-factor login authentication should also be enforced when accessing corporate systems or VPNs for maximum protection. Any new software should be configured correctly and tested for use from a remote home environment, and employees should be trained on its use. Implementing such changes as quickly and thoroughly as possible is essential, but the expense of such measures should not be dismissed. However, as the United Kingdom looks to a more “socially distanced” future, investing in this infrastructure will certainly be money well-spent.
The growing reliance on video conferencing software has also caused concerns about cyber-security risks for businesses. By holding confidential and private meetings on these applications, companies are potentially making this information more readily available to hackers and other cybercriminals. Establishing the privacy policies of these applications is thus essential. One of the most popular free applications, Zoom, has been criticised because uninvited individuals have been able to access, or hack into, other people’s calls. Following an investigation by British newspaper The Independent, it was confirmed that a journalist from the Financial Times had listened to a confidential and private conference call in April where staff were informed of pay cuts and furloughs being implemented by the company.
There have been several such occurrences of what has now become known as “Zoombombing” where individuals have accessed calls either secretly or publicly. The latter case poses a particular risk to the general public; newspapers have reported multiple cases where schools, conferences and family groups have been disturbed by individuals publishing racial slurs in video chats, performing indecent acts or screen-sharing obscene footage. One London synagogue reported that a public service had been hijacked by individuals who posted anti-Semitic content. Zoom’s handling of data prompted further criticism as it was revealed that data had been routed through servers in China and the company was forced to apologise about its misleading statements on the strength of its encryption technology.
These problems have prompted many companies to ban this software. In April, teachers in Singapore were warned against using Zoom following incidents during online classes while the UK Ministry of Defence has reportedly discouraged the use of the app for security purposes. In the United States, similar measures have been taken by the Senate while Google has also banned employees from using “Zoom Desktop Client”, stating that it did not meet company security standards. Zoom’s response to these criticisms has been rapid, repeatedly acknowledging the importance of customer privacy and cyber-security, and hiring the former Facebook security chief, Alex Stamos, as a consultant as part of its 90-day plan to improve security.
Its latest update, Zoom 5.0, introduces AES 256-bit GCM encryption and reduces the burden on the individual by enabling waiting rooms and meeting passwords by default, whilst a new security icon allows hosts to easily change settings as they see fit. Speaking about this update, the company’s CEO Eric Yuan said, “this is just the beginning… we will earn our customers’ trust and deliver them happiness.” One competitor, the Houseparty app, was also criticised over fears that it was linked to the hacking of third-party Netflix and Spotify accounts. Whether these rumours hold true or constitute a “paid commercial smear campaign”, as the company has claimed, remains to be seen.
The security of video conferencing apps, both in terms of privacy and data protection, varies significantly and is ultimately determined by these companies’ policies and software. However, there are some measures that individuals can take to protect themselves and their callers. Whilst many applications now set security features such as password-protection as a default, users should acquaint themselves with an app’s particular security settings and options. Whenever possible, waiting rooms and limited screen-sharing capabilities should be put in place and meeting passwords should be shared privately.
The increased reliance on online shopping has also exposed consumers to scams. The Local Government Association has reported a 40 per cent surge in the number of reported scams since the beginning of the COVID-19 pandemic. Some products, which would typically be viewed in person before a deposit is placed, are now being paid for earlier before customers have had a chance to take a look. For example, Action Fraud found that in March and April, 669 people who paid deposits for pets listed on selling platforms had lost a total of £282,686.
Concerns about the virus itself have also been exploited as fake coronavirus-related products have been listed on social media or sites such as Amazon. These products have included Personal Protective Equipment (PPE), hand sanitisers, self-testing kits, and medicines which claim to treat or prevent the virus. In a press release on May 7, the Medicines and Healthcare Products Regulatory Agency (MHRA) warned that medicines which claim to cure coronavirus have not been approved or licensed by the UK government and that they may pose a health risk. Operations to clamp down on this form of cyber-crime are being undertaken by multiple bodies.
Furthermore, the Local Government Association is encouraging members of the public to report scams and individual councils have taken action. In Ealing, more than half a million face masks of sub-standard quality were taken off the market while selling platforms, such as Amazon, are also taking down fake or overpriced products. The MHRA has removed multiple websites and social media advertisements and is working with the UK Border Force to intercept unlicensed medicines. Nevertheless, given the number of listings and scams, detecting them all will be impossible and it is vital that consumers remain vigilant when purchasing online.
The government is also looking to roll out a national coronavirus contact-tracing app, which may present further challenges for cyber-security. The very nature of this mobile app, responding to the user’s proximity to other people and recording symptoms of coronavirus, has raised alarm bells about the data recorded and how this might be stored. According to the app’s website, it will not hold personal information, nor will it track the location of its users. However, according to the government’s Joint Committee on Human Rights, these assurances are not enforceable under current data protection legislation and further protections must be put in place before the application can be rolled out nationally. As the committee’s chairman, Harriet Harman, stated, “the contact-tracing app involves unprecedented data gathering” and thus requires new legislation which states how data will be processed, stored and accessed. The committee has also called for the creation of a Digital Contact Tracing Human Rights Commissioner to oversee the data and human rights protection elements of the app and has argued that the powers held by this officer should also be set out in the law.
Having initially aimed for a national roll-out in mid-May, the app remains in its first trial on the Isle of Wight and, speaking on May 18, Downing Street said it has not ruled out a different version of the app. Whilst the current app follows a centralised system, other countries, such as Germany and Italy, are working with tech companies Google and Apple on a more decentralised model. Given that the outsourcing firm, Serco, has already leaked the email addresses of 300 contact tracers, there may be fears about the security risks posed by working with larger and more significant partners. In what form the app will ultimately be introduced, and how involved third parties may be, is unclear. However, since the strategy relies upon the app’s use by a significant portion of the population, the necessary precautions must be taken to protect users from further security risks.
Many law firms and consulting firms have acknowledged these various risks in blogs and articles, and have undoubtedly warned their clients about the threats they face during this period. As Dominic Raab stated, “we expect this kind of predatory criminal behaviour to continue and evolve over the coming weeks and months ahead”. Various legislation from the Computer Misuse Act 1990 and the Investigatory Powers Act 2016 to the Data Protection Act 2018 already exists to protect individuals online. However, as recent months have shown, responding to these threats also requires the vigilance of individuals and the diligence of multiple government bodies; adapting to new challenges as and when they emerge will be crucial.