How Malicious Hackers Could Disrupt COVID-19 Vaccine Production | Opinion

Social media erupted last week with false rumors of a massive DDoS, or distributed denial of service, attack against the United States. Reports indicated that T-Mobile, among other carriers, social media giants and internet providers, was having service problems, and even the hacktivist group Anonymous tweeted about the controversy.

Although these reports were debunked, DDoS attacks have occurred for years. What if a real DDoS attack—or any cyberattack, for that matter—were to hit the U.S. during the pandemic? What if it targeted, for example, a COVID-19 vaccine manufacturing facility?

Cybersecurity vulnerabilities continue to be exposed and exploited during the pandemic. Phishing attacks, more intricate and personalized than ever, claim to offer new work-from-home guidelines from your corporate IT team, the latest data on cases in your ZIP code and the best deals on personal protective equipment (PPE). Most are well-designed covers for malicious links to steal your email credentials or other private data.

Ransomware has also been hitting hospitals nationwide, from Colorado to New York, holding up life-saving daily operations until a certain dollar amount is paid to opportunistic cybercriminals. Even academic models are being used against unsuspecting knowledge-seekers, as an interactive coronavirus infection and death map produced by Johns Hopkins University was built into a malware deployment kit.

In mid-May, the FBI and Cybersecurity and Infrastructure Security Agency issued a joint notice that offered recommendations for vigilance against Chinese attempts to target U.S. organizations conducting COVID-19 research. And more recently, as the United States has begun reporting on vaccine studies and not just generalized research regarding COVID-19, cyberattacks against academic centers, biotech companies and pharmaceutical giants continue to rise steadily.

But the next phase of solving the COVID-19 pandemic will play out in a different arena: manufacturing facilities. As of June 18, there are 32 vaccine candidates in Phase 1-3 trials, in addition to many others in earlier investigation stages. Under the United States government's Operation Warp Speed, the national program in place to "accelerate the development, manufacturing, and distribution of COVID-19 vaccines, therapeutics, and diagnostics," one of the primary goals is to have a vaccine available for Americans by January. As vaccine candidates move through trials and the pool narrows, the necessary manufacturing plants are correspondingly being constructed in advance.

Unfortunately, it is not unusual for manufacturing centers to be the target of cyberattacks—and vaccines have suffered in the past. During the infamous NotPetya malware rampage of 2017, Merck's production of pediatric vaccine Gardasil came to a grinding halt, forcing the pharma giant to seek out additional units of the drug from the Centers for Disease Control and Prevention.

The anticipation surrounding the production of a COVID-19 vaccine presents a valuable opportunity for malicious hackers, either to gain notoriety (with a DDoS attack), information (with phishing communications) or money (with ransomware). In an unsettling recent report, the U.S. Government Accountability Office issued an update highlighting its finding that thousands of chemical facilities across the country are vulnerable to cyberthreats due to lagging cybersecurity policies and procedures. And cyberattacks against vaccine production facilities abroad are already in the news, in Israel, Europe and the United Kingdom.

Three potential COVID-19 vaccines are kept in a tray at Novavax labs in Gaithersburg, Maryland, on March 20. Andrew Caballero-Reynolds/AFP/Getty

Dealing with the current pandemic is an all-encompassing task at the local, state and national level. Policies regarding social distancing, testing, PPE and community openings and closings are intricate and ever-changing. Cybersecurity may be involuntarily taking a backseat, as politicians, health care officials and citizens race to ensure physical safety. But the slew of cyberattacks the United States has experienced over the last decade should illustrate why this extreme threat can wreak physical havoc in the real world too.

In May, the Cyber Peace Institute issued "A Call to All Governments: Work Together Now to Stop Cyberattacks on the Healthcare Sector," with signatories including the World Health Organization, the Red Cross and other acclaimed politicians and academics. The campaign is an important gesture, but the hits keep coming, and increased vigilance is our only option. The health care sector must be proactively on guard, implementing best practices at warp speed as we move forward toward a vaccine.

Leeza Garber is a consultant and attorney, specializing in cybersecurity and privacy law. She is a lecturer at the University of Pennsylvania's Wharton School and is an adjunct law professor at Drexel University's Kline School of Law.

The views expressed in this article are the writer's own.