If there’s anything to take away from this article, it’s that you need to stop assuming that everything is safe. It’s not. For far too long, the supply chain has convinced itself of a fallacy: that the software supply chain is strong enough to withstand cybersecurity attacks. Reality check: it’s not.
And the recent cybersecurity and ransomware attacks involving the COVID-19 vaccine distributions being held hostage are the perfect example. On February 24, President Biden signed an executive order for a 100-day review of critical supply chains to identify vulnerabilities, following the shortage of semiconductors that has disrupted car production. The review targeted four groups of critical goods, as well as six sectors of industry, including national defense, public health, IT and communications technology, energy for industry, and transport and food production.
The review, which has the support of the U.S. Chamber of Commerce, aims to secure U.S. supply chains against a wide range of risks and vulnerabilities, avert critical product shortages and identify necessary investments to maintain the nation’s competitive edge and boost national security efforts.
In 2017, the logistics and transportation industry was subject to its first cybersecurity attack, after approximately 80 ports and terminals worldwide either stopped working completely or had significant delays. This ransomware attack on the shipping giant A.P. Moller-Maersk also came with a $300 million bill, after the company had to completely rebuild its IT infrastructure. According to the (ISC)² 2018 Cybersecurity Workforce Study, the shortage of cybersecurity experts worldwide is almost 3 million, which is a risk to businesses, including airline freight companies. In order to combat the risk from cyberattacks, the airline freight industry will need to redirect its efforts regarding cybersecurity.
If, after a year of living with the global coronavirus pandemic, we have learned nothing about the extreme vulnerability of infrastructure such as hospitals, e-commerce companies like Amazon and USPS, and of course, credit bureaus, then come what may. And now, vaccines critical to surviving this pandemic are being weaponized by hackers who have found their way into the system, ultimately holding these vaccines hostage from everyone.
Incident Response for the Supply Chain?
COVID-19 has forever changed supply chain logistics, creating a critical need to implement systems designed to keep people at the center of logistics operations. Indeed, having an incident response plan, or as it’s often (in)correctly called, a data breach response plan, is the first step in ensuring that a strong cybersecurity infrastructure is in place, beginning with vaccine distribution.
As of January of this year, ransomware attacks have spiked 715% year-over-year, which is exactly what security and data backup experts predicted. Think about it: with the U.S. still facing hiccups surrounding COVID-19 vaccine distribution, skyrocketing cybercrime wouldn’t just bring the supply-chain sector to its knees, but would have devastating, if not fatal, consequences for COVID-19 vaccine distribution. The pharma industry has lost $14 billion through intellectual property (IP) cyber-theft worldwide, according to the United Kingdom Office of Cybersecurity and Information Assurance. The industry’s average total cost of such a data breach is roughly $5.06 million, with one of the highest costs, of course, being addressing the breach: approximately $10.81 million across all industries, according to a recent Proofpoint study.
Protecting customer information is critical, and that is why logistics companies must invest in ways to protect shipping and transportation data. With many people working remotely, data backup and security practices may not be as robust as they traditionally would be at the office. Why? A complete lack of oversight.
Second, most businesses do not have an Incident Response Plan in place, which is the result of underfunded data backup, security, and disaster recovery. Surely this pandemic, whose effects are now being compared to those of the Vietnam War and World War II, has left people tired and overwhelmed, and therefore more likely to click on or download a file from a source if it seems “real enough.”
So, I mentioned the word “incident” versus “data breach.” Here’s why.
The “B” Word
Cybersecurity experts and privacy enthusiasts advocate that the phrase “data breach” should not be thrown around casually. Instead, it is always smarter to use the word “incident” rather than “breach” (henceforth the “B” word), because the latter implies legal liability.
According to a recent New York Times article on the recent cybersecurity attacks, some experts say they suspect something “more nefarious” is at work. “Efforts to interfere with COVID-19 vaccine distribution, or ransomware, in which the vaccines would be essentially held hostage by hackers who have gotten into the system that runs the distribution network and locked it up and who demand a large payment to unlock it.”
For logistics companies in particular, protecting customer information is critical, which is why it is imperative that the company introduce an Incident Response Plan, narrowly tailored to the company, its operations, and of course the deeply rooted issues that plague the supply chain.
Supply Chain Friction With China
Current trade friction with China and its importance to supply chains have made the U.S. a primary target for cybersecurity scrutiny. Unfortunately, government officials continue to downplay the seriousness, which inevitably leaves us open to attack. Senate Majority Leader Chuck Schumer has called for legislation aimed at strengthening U.S. competitiveness against China in manufacturing and technology.
If we’ve learned anything about the stability of our supply chains during the COVID-19 pandemic, it’s that they are still just as brittle and inflexible as they were back in the 1990s. And the first step in the right direction requires providing a mechanism for end-to-end visibility for supply chains.