Date: 2021-11-15

As cyber attacks continue to hamper the operations of critical infrastructure, including hospitals, it can be tempting to think of hackers as if they are the main characters in the movie of the same name from 1995: children who want to cause trouble and maybe make some money by doing it.

But “it’s not a teenager in a hoodie doing these kinds of attacks. They are elaborate, sophisticated organized criminal gangs,” as Errol Weiss, head of security at H-ISAC, warned at HIMSS21 last summer.

And some of these gangs have the strength of nation states behind them, making them even more potentially threatening to healthcare organizations of all sizes.

Weiss, who will appear in December at the virtual fair HIMSS Healthcare Cyber Security Forum, spoke with IT health news last week, just as news broke that the US Department of Justice had indicted two men for their alleged involvement in the deployment of the REvil ransomware linked to Russia.

He discussed the motivations behind the nation-state threat actors, what can be done to reduce ransomware, and why it’s so important for everyone to protect themselves and their data.

Q. Let’s start with a brief overview of the threat landscape. How do nation state threat actors differ from cyber attackers?

A. There are a lot of threat actors and they are targeting everywhere. There are the criminals who mainly practice the shotgun approach. They are just launching their attacks, and whoever bites the hook and falls into the trap as a victim, the criminals will figure out how to monetize what they have access to. There is a whole range of these threatening actors.

Focusing on the nation-state threat: they are very patient. They take years to launch the attack. They’re so good at it, and they’re so hard to spot that once they’re in, they are there for months, if not a year, before anyone realizes what it is.

We can give some examples of Russian state actors, Chinese state actors, and perhaps lesser known actors, such as those related to Iran, North Korea, Vietnam.

Q. How has this changed over the years?

A. A few years ago, you could maybe count a few dozen countries that had decent offensive cyber capability. And now it’s probably the opposite, where there are only a few dozen countries that don’t have a decent cyber-offensive capability. So it’s really come a long way. It’s not uncommon to hear about actors like this now.

In the past, too, when we talked about nation-state goals, it was usually cyberespionage: they tried to bypass their way to gain a competitive advantage over their other adversaries, or research and development.

So, of course, the big motivation over the past few years has been around COVID-19. One of the obvious goals is to develop vaccines, treatments, whatever they can get their hands on so they can help their own people. And I think that makes a lot of sense.

But with these other countries surging in, I’m sure they’re still concerned about protecting people from COVID-19. But they are also motivated by cash. Their goal is also, just like cybercriminals, to steal money. So they use ransomware to raise funds. It’s not just intellectual property.

Q. We have certainly seen downtime, at least temporary, as a side effect of ransomware attacks on hospitals and healthcare systems. Do you think it’s possible that nation states are deploying ransomware specifically to disrupt services?

A. I can’t say that I could find real examples of something like this. But I think it’s definitely doable, right? There has been a lot of media coverage and some speculation that there is a link between the ransomware events, the shutdown of hospital services, and the impact on patients.

I think any reasonable person would probably agree that, of course, if an organization has to use paper or hijack ambulances, because their computer systems are down, there will probably be some impact on patients.

Could an adversary use a tactic like this to cause some level of disruption and essentially create a terrorist type event? I think the answer is yes.

Especially if you capitalize on a natural disaster and make it even worse by interfering with the ability of first responders to do what they have to do, or with a hospital or healthcare providers capable of helping patients. I think that’s certainly possible, unfortunately.

Q. I love talking to security professionals. It’s always so cheerful. This begs the question for me: the Biden administration has signaled it will deal with some ransomware attacks as terrorist-like, and that it could respond to the ransomware with military action. In the future, do you envision some kind of ceasefire agreement?

A. I think you are on the right track. When you see things happening like that, I think that’s where citizens would expect government help of this order. We don’t have the capacity to drop bombs or take control of countries. And this is where we would need the government to be able to do it, for the military to do it.

We can act from a malware and ransomware defense perspective. We can try to work with the civil courts to try to make it harder for criminals to use malware. But when it comes to arresting people, law enforcement has to do it. I cannot do that.

So in the same way, if there was a terrorist event like this that really caused that kind of disruption or impact on society, I would expect some kind of government response of that magnitude.

Q. We are also seeing some movement from Congress to try to implement carrots and sticks when it comes to responding to cyber incidents. Do you have any idea of the effectiveness of the proposed measures?

A. I think it was kind of a gut reaction that we were starting to see these mandatory incident reporting requirements, and I’m not sure that’s the right way to go.

Personally, I think when it comes to the ransomware problem we are facing today, I think it is fueled by the underground economy of digital currency. And that’s where I really think we need to deal with it. I don’t think we can ever get rid of digital currency. I think it’s here to stay.

But I think we have to figure out how we can control it and regulate it appropriately so that it cannot be used for what I see as so many clandestine and illegal activities. Criminals are able to move money very, very easily, without any sort of consequences that are established today with legitimate banking institutions.

I mean, let’s face it. Humans have been paying ransoms for much longer than the Internet has existed. And it’s made worse for all kinds of reasons.

I think we need to address some of the underlying issues here. The first payments simply encouraged the actors to keep going, and now we are seeing ransom payments that people would never have thought of five years ago. Millions of dollars. This is unheard of.

Q. Given this environment, what do you expect audience members to take away from your Fireside Chat in December?

A. These attacks are real. This is no longer the science fiction of spy novels. Everyone has a piece of this puzzle that the opponents are interested in. These nation states that I mentioned have intelligence objectives in order to capture information and protect their countries. They are trying to protect their citizens and their populations.

True or false: we have been spying on each other for years, we will continue to do so. The Internet is one way to do it.

People who work on things like COVID-19 vaccines, treatment plans, and prevention mechanisms are of great interest to adversaries. Whether you are working on a clinical trial or have patients tested in trials, the data inside these institutions is a treasure trove.

We are all sitting on this data which is of enormous value to others. And while you may not have a direct role in this project or in the study, you are a means for the opponent to get this information. This is where everyone needs to be on the alert.

Errol Weiss will continue the discussion at the Digital Healthcare Cybersecurity Forum event with Jigar Kadakia, Head of Information Security and Privacy at Mass General Brigham. Their fireside chat, “Focus on Nation State Threats Targeting Health Providers,” is scheduled to air at 3:55 p.m. ET on Monday, December 6.

