The Coronavirus Pandemic and the Cyber Landscape
The coronavirus pandemic has increased our reliance on the digital world and has highlighted five fundamental security challenges.
Cybercrime
There is a surge in online fraudsters looking to exploit the pandemic for criminal ends. The UK’s National Cyber Security Centre (NCSC) recently issued an advisory describing how criminals are using coronavirus-themed phishing emails, and distributing malware using lures exploiting concerns about the pandemic.
Furthermore, we may see an increase in more serious cyber attacks on businesses, for example ransomware, as criminals judge that the additional pressures of the pandemic may make organisations more likely to pay up to protect their data or ability to operate. There is certainly a risk of an increase of such attacks on medical institutions, as Interpol warned recently.
NCSC reports that as yet there has been no overall increase in cybercrime, so it is more a case of existing cyber criminals pivoting to exploit the current pandemic as a theme in scam and phishing emails. This raises the question of whether global lockdowns, border closures, restrictions on movement and the rest will ultimately push criminals who would usually operate in the physical world to operate online instead. This might only manifest itself in more low-level fraud, but if it happens, it could be something that lasts beyond the pandemic as any criminals who have switched may find cyber crime easier and more lucrative. Off-the-shelf malware is readily available and means that there is a low-barrier to entry into this type of cyber crime.
Exploiting Technology in New Ways
The enormous rise in home working opens up new opportunities for those who want to do the UK harm. The dramatic shift of personal, business and even governmental communications to systems such as Zoom may be one of the trends that continues long after the lockdown restrictions are relaxed. But this clearly creates great opportunities for criminals and hostile states to exploit communications that may well be insecure.
The NCSC has noted attempts by criminals to exploit this trend, and there has been plenty of coverage of security vulnerabilities in Zoom, which the company says it is addressing. But other popular video conferencing systems are also likely to have weaknesses. Home working at scale may strain organisations’ abilities to manage the security implications, but the pressures of the moment may make them more likely to take more risk. This could be the right decision, but it needs to happen as a result of a proper risk-management process, not by default. And there is a risk that crisis-driven exceptions to security policies may just roll forward once we are closer to normality.
The pandemic may lead to a general increase in hostile state cyber activity, as new opportunities emerge for intelligence gathering and disruption. It is possible that disinformation campaigns, cyber espionage or harder-edged cyber disruption may exacerbate geopolitical tensions, including in areas such as the development of a vaccine. Meanwhile, various states, including those with an existing predilection for large-scale surveillance of their citizens, are exploring the potential for further data exploitation to help combat the virus. As well as the civil liberties implications, this may also lead to the development of new techniques which could be turned against other targets.
But it is not just states with a questionable record on mass surveillance that are looking to use mobile apps to track their population to help control the pandemic. The UK government recently announced a new NHS contact tracing app that would allow users to report their symptoms, so as to alert others that they had been in contact with someone displaying the signs of infection. Apparently, around 60% of the population would need to use the app for it to have a material effect.
The government has provided assurances around the secure and ethical handling of the data. But the privacy implications of a system that tracks the movements and interactions of a large proportion of the population are obvious. And as the pandemic is unlikely to have a clear end, techniques such as contact tracing may play a significant ongoing role in enabling relaxation of the lockdown. So, there could be pressure to maintain this kind of monitoring.
Pressure on Cyber Investment
We are still a long way from understanding the economic implications of the crisis, and the scale of any recession, or even depression, that might follow. Whatever the outcome, the fiscal pressures on government and the private sector are going to be considerable.
Amongst other things, this will impact investment plans. Cyber investment in the private sector may be paused, reduced or halted, not least as it can still be perceived as an enabling function that is a net cost to a business, not something that generates revenue. As a result, many companies may scale back their cyber investment programmes, increasing their strategic risk.
The UK government was at a pivotal point in setting its new strategy and spending plans for defence and security, through the new ‘integrated review’. The timing for this and the associated funding decisions is now unclear. But decisions will surely be dominated by the economic consequences of the pandemic and its implications for government spending.
The UK’s current national cyber strategy comes to a close in 2021, and work is underway to develop its replacement. Even before the current crisis, it seemed unlikely that government investment in cyber security would top the £1.9 billion that accompanied the 2016 strategy. In a period of renewed fiscal pressure, ministers must resist any temptation to see cyber as something that has been largely ‘done’, and downgrade investment as a result. Many fundamental challenges remain.
At the same time, the new strategy should place the right emphasis on cyber’s role in prosperity and economic security. It will be more important than ever that key elements of the UK’s economy have the right cyber protections in place, and there is greater potential for our cyber security industry to contribute to the UK’s post-pandemic economic recovery.
China
China has played a central part in the pandemic. Allegations of poor handling of the early stages of the crisis, coupled with a lack of transparency, are damaging China’s prestige and stirring up anti-Chinese sentiment globally. China’s role in the pandemic is giving further prominence to questions about the country’s values and its role in the world.
None of this alters the sound arguments put forward by the UK government, on the basis of expert NCSC advice, that it is possible to manage the security implications of a small Chinese component to the UK’s future 5G network. But concerns around how China has engaged during the coronavirus crisis are bound to strengthen the arm of those seeking a government re-think on the 5G decision.
Globalisation of Technology, Supply Chains and Investment
More fundamentally, the crisis has shone a further spotlight on issues relating to the UK’s global supply chains, its dependence on other countries (particularly China) for key technology and other goods, and the lack of sovereign capability in critical areas. These issues are fundamental to our future approach to securing the technology on which we will depend, and the adoption of which in some ways has been accelerated by the pandemic. But there are no easy answers.
At the same time, the economic consequences of the pandemic may lead to further security issues around foreign direct investment, as cash-strapped British tech companies look overseas for funds, including to China. The recent focus on Chinese investment in Imagination Technologies Group is just one example.
So, while some cyber consequences of the coronavirus pandemic may be short lived, others could have profound implications for some time to come.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
WRITTEN BY
Conrad Prince CB
Distinguished Fellow and Senior Cyber Adviser