COVID-19: When a health crisis drives cyber risk
In recent weeks, COVID-19 stay-at-home mandates have pushed large numbers of people to work from home, many for the first time. Workers have turned to communication platforms such as Zoom, Webex, Hangouts and Skype, as well as to simpler tools such as email and file sharing.
Training and experience have prepared established online professionals to recognize and withstand cyber-attacks. Many of these new digital workers, however, have little experience of cybersecurity and little context for judging what is risky. This sudden increase in the use of digital tools has exposed a great deal of personal data and program information.
Increase in attacks and damage expected
Recent incidents illustrate this growing risk:
- Intruders have crashed Zoom meetings, disrupting remote discussions among government officials.
- Phishing emails impersonating the US Department of Health and Human Services are targeting supplier companies. They request protective equipment described in an attachment that carries malware.
- A cyber incident affecting Italy's social security system (INPS) exposed applicants' personally identifiable information to other users as they attempted to claim benefits.
All of these problems will worsen over time, for two reasons. First, the sheer increase in the volume of digital transactions will bring with it a commensurate increase in attacks. Second, the number of affected organizations will grow through cascading effects: the impact of an initial attack can propagate across every interconnected system. A cyber-attack on a trucking company, for instance, could affect food security by disrupting weekly deliveries to supermarkets; the resulting loss of revenue would in turn weaken the business sustainability of distributors and producers.
Addressing systemic risk with the Global Risk Assessment Framework (GRAF)
Years before the COVID-19 pandemic, the UN Office for Disaster Risk Reduction (UNDRR) began to explore the management of long-term risks around the globe under a Global Risk Assessment Framework (GRAF). This framework enables officials to manage the overall risk accruing from specific events rather than focusing on isolated hazard analysis and response. The shift was articulated in the 2015 Sendai Framework, and work has been under way since then to deploy management tools and strategies that support a systemic approach to risk.
While traditional hazard definitions do not explicitly include cyber risk, systemic approaches call for increased attention to this modern cyber disaster environment. Cyber risk can rival other hazards in reach, extent of damage and potential for further cascading damage. The 2019 Global Assessment Report (GAR19) explores this topic in a contributing paper on the cascading risk of cyber-attacks, using food security as a case study.
Recommendations for policy makers
What can policy leaders and managers do to reduce the impact of current and future cyber risks driven by the migration of work to an online environment? Here are some simple steps:
- Train, train and train again! Software and cyber experts can only do so much; informed workers remain the best line of defense. All employees should understand the risks of each technology tool they use, and should be reminded periodically of good and safe practices.
- Increase investment in cybersecurity. Technical staff, up-to-date software and hardware protections, and adequate external support from specialized consultants are essential to mitigating cyber risk.
- Do a risk and vulnerability analysis. Prioritize spending on cyber protection according to the importance of the function(s) at risk, rather than according to technology requirements.
- Build DRR capacity in cyber risk and its impact. Allocate staff and resources. Adopt the GRAF as a framework to track, respond to, and reduce the impact of expected cyber-attacks.
The COVID-19 pandemic is a dramatic illustration of the systemic nature of risk. As we move away from a hazard-by-hazard approach, DRR professionals need to improve their understanding of cyber risk and its potential cascading impact.
Dr. Toregas is the Director of the Cyber Security and Privacy Research Institute (www.cspri.seas.gwu.edu) at The George Washington University. He manages the NSF Scholarship for Service and DoD Cyber Scholarship Program and conducts research on diverse areas including the community college role in cybersecurity workforce development, cybersecurity insurance, and cybersecurity curriculum development including cyber competitions.
He also serves as the IT Adviser to the County Council of Montgomery County, MD, overseeing the investment of $230m annually in Information Technology goods and services. He is a fellow of the National Academy of Public Administration and past chair of its standing panel on Social Equity in Governance.
He serves on the boards of many non-profit organizations, including Women in Cybersecurity (www.wicys.org), the National CyberWatch Center (www.nationalcyberwatch.org) and the National Cyber League (www.nationalcyberleague.org), and supports the UN Disaster Risk Reduction's Global Risk Assessment Framework through participation in its Expert Group.
He has PhD, MSc and BSc degrees from Cornell University.