On December 3rd 2020 BBC News issued an article on its website[1], reporting a statement by IBM according to which the international vaccine supply chain was targeted by cyber-espionage, with particular attention to the cold supply chain for COVID19 vaccines. According to IBM, an international phishing campaign started in September 2020, targeting with fake emails organizations across 6 countries linked to the Cold Chain Equipment Optimization Platform (CCEOP) of Gavi, the international vaccine alliance. Attackers impersonated a business executive from a legitimate Chinese company involved in CCEOP’s supply cold chain to obtain log in credentials and gain insights about infrastructures, purchases and movements concerning the vaccines. The campaign reached a broad spectrum of companies involved in the COVID19 operation such as companies involved in manufacturing solar panels, which can be used to keep vaccines cold in places where reliable power is not available, a South Korean software-development company, a German website-development company, which supports clients associated with pharmaceutical manufacturers, container transport, biotechnology and manufacturers of electrical components for communications.
This high-impact news, although not an isolated one, shows the two most important aspects to keep in mind nowadays: first, more and more often a “target” is not to be considered a “single point” in the cyberspace. To make a parallel, is not like a specific house been targeted by a burglar that wants to penetrate it. Nowadays many valuable information are exchanged among different players in an interconnected network. It’s like the burglar observing the whole house block and gaining in the easiest way fundamental information to achieve its purpose. Therefore, this time the target was not the single pharmaceutical company, but the whole supply chain network, making this information gathering campaign of high impact.
Second, the precision targeting and nature of the specific targeted organizations potentially point to nation-state activity, says IBM. And that’s the point. A growing number of cyber threats derive not from independent hackers (or groups of hackers), but from foreign states, making the dangerousness of these attacks exponentially higher, as well as their striking power. More like a SWAT assault than a random burglar.
But what this all means? Trying to have a more practical look at global situation, The Washington Post recently reported[2] a McAfee study[3] on the global cost of cybercrime.
Since 2018, McAfee estimates that the cost of global cybercrime reached over $1 trillion globally. The estimated monetary loss from cybercrime is approximately $945 billion. Added to this was global spending on cybersecurity, which was expected to exceed $145 billion in 2020. Today, this is $1 trillion dollar drag on the global economy. Their 2018 report found that cybercrime cost the global economy more than $600 billion. The new estimate suggests a more than 50% increase in two years.
“The increase in cybercrime stems in part from the dramatic shift in the threat landscape in just the past two years”, said Grobman, senior vice president and chief technology officer at McAfee, “as hackers move from targeting specific machines or users to whole organizations”, and to networks of organizations we would add. “There can also be a residual impact when a company is a part a supply chain”, Grobman notes. A 2017 attack on Danish shipping company Maersk disrupted operations for two weeks and cost the company $300 million. And the “vaccine case” confirms this tendency, unfortunately.
Moreover, the Washington Post states, Cybersecurity officials have warned of an increase in efforts by Chinese hackers to steal U.S. business secrets and research. Specific cases aside, this confirms the evolution trend shown by the cyberattack led on the vaccine supply chain.
A tricky question rises spontaneously: are companies, let them be public or private, ready for this new scenario? Question is tricky but answer is trivial. Despite a spike in crime, many companies lack a clear plan for dealing with cyberattacks, confirm the McAfee report. More than half of the 1,500 organizations surveyed for the report said they lack plans to both prevent and respond to an incident. Only a third of the organizations that had plans said their plans were actually effective. Hence, our house has not even a good alarm system to prevent intrusions.
