Q&A

Cyberattacks on laboratories and cyberwar, new global threats with Javier Tobal

Javier Tobal: "If we are not already in a cyberwar, we are undoubtedly in a process of developing and supplying cyber weapons by all states of the planet".

Tags: 'Cybersecurity'

Javier Tobal is a computer technician, computer judicial expert and security auditor. He has been a member of the European Observatory on Cybersecurity and Privacy and since April 2018 has been CISO at FINTONIC. In addition, Tobal advises several European cybersecurity projects such as Cyberwiser.eu, a platform that enables cybersecurity training and practice in a controlled environment.

CNI Director Paz Esteban recently warned of "a particularly virulent campaign, not only in Spain, against laboratories working to find a vaccine for covid-19". How delicate is the situation in the world today and what kind of attacks are we talking about?

Attempts to attack all types of systems are becoming more frequent and sophisticated. Any activity that becomes relevant, as in this case laboratories, attracts the interest of wrongdoers who are continually looking for new victims.

The main attacks on laboratories can be classified into several categories: attacks on intellectual property, which are the most sophisticated and are reserved for patentable treatments; and exfiltration of confidential or private data, whether financial, employee, customer or, in the most severe and sensitive cases, data from patients participating in clinical trials.

In 2019, the US company AMCA (American Medical Collection Agency) suffered the theft of information belonging to 21 million patients from different medical centers that had contracted their services. The database contained personal data (name, date of birth, postal address, etc.) and could be purchased over the Internet. 

Another type of attack is ransomware, which consists of accessing an organisation’s systems and encrypting information essential for its operation. The ultimate goal of the action is to obtain a ransom for the key that allows the organisation to recover the data and resume activity.

In 2019, the Park DuValle hospital in Kentucky (USA) paid a ransom of 70,000 euros (6 bitcoins) to recover data from 20,000 patients encrypted by such an attack. For two months, the hospital operated without patient information (histories, appointments, etc.). 

Do teleworking and the lack of home security protocols make cyberattacks against institutions and organisations easier?

Evidently, the mass adoption of telework has a major impact on the global security of organisations, especially for employees whose activity was previously face-to-face and who have had to adapt to the new telework model in a hurried way.

In general, the domestic environment involves the use of networks whose security settings are not always optimal (often using wireless connections, generic operator default settings, etc.). It is also common for people close to the employee (e.g. family members) to have access to the employee’s devices. Finally, the home environment makes it easy for professional equipment to be put to other uses that carry more risk: access to dangerous content, installation of non-corporate applications, etc.

Are laboratories and universities sufficiently protected and prepared against such attacks?

In general, most organisations currently have a level of security appropriate to a previously conducted risk assessment.

The main difficulty is to develop an ongoing assessment mechanism that responds to the very evolution of threats and updates security mechanisms. Keep in mind that the risks are becoming more numerous because the number of devices, data and applications to protect is also higher. Equally, the number of potential attackers is increasing.

For all this, protection measures must be continuously updated and investments in cybersecurity progressively increased.

In the study Cyberthreats and Trends Edition 2020, the National Cryptological Center talks about cyber espionage, extortion, destruction of information or even operations of influence towards public opinion as motivators of these attacks. In your experience, who is carrying out these attacks and with what objective?

On the one hand, today’s attacks are becoming more sophisticated, specialising in a type of target or industry and with more powerful tools and greater attack capability. This sophistication means that attackers are organised into specialised teams whose members play different roles and provide specific technical knowledge.

On the other hand, successful attacks often yield large economic returns for their perpetrators.

In summary, in many cases these are international criminal organisations with large financial, technological and human resources that design complex and high-impact attacks with the main objective of obtaining the highest economic profitability and minimising criminal risk.

The same study also notes that "during 2019 there was a noticeable increase in ransomware attacks on hospitals and other health infrastructure and services". Is a national cybersecurity strategy necessary for healthcare environments? What is at stake?

Like any complex system, hospitals present many opportunities to be attacked: heterogeneous technologies, many elements connected to various communication networks, personnel with varied profiles, etc.

Hospitals are part of the critical infrastructure network and have special protection within the National Security Scheme.

Evidently, they must have digital systems that make them more efficient and even open. From mobile applications for users to manage their appointments and health information, to telemedicine systems that allow clinicians to care for patients without their travel or digitised medical records that can be consulted online and shared securely with other professionals.

The security of digital systems in an environment as sensitive as the hospital should cover many aspects: service availability, integrity and confidentiality of the data handled, authentication and secure identification of different system users, traceability of operations, etc.

This security should be extended both horizontally to all organisations that make up the health services network (hospitals, medical consultations, laboratories, research centres, health emergency units, etc.) and vertically to all elements that make up the healthcare supply chain (including material providers, service providers, external and internal, human resources, logistics, etc.).

In the race to combat Covid-19, Europe is considering different proposals for automatic monitoring of the proximity of people, such as Pan-European Privacy-Preserving Proximity Tracing, based on radiotelephone networks, mobile terminals, Bluetooth and cryptography. Could these also be objects of attack?

In fact, Europe is one of the markets most concerned with privacy, both from the point of view of European citizens and of the authorities of the European Union.

Monitoring of close contacts using mobile technologies, such as the Spanish Radar-COVID application, is based on protocols that pay special attention to security. The DP-3T (Decentralized Privacy-Preserving Proximity Tracing) protocol is a European public development and is used by many of these systems, including the aforementioned Spanish Radar-COVID application.

All systems are susceptible to attack but in this case, after several months of testing and mass use, none of the applications based on the DP-3T protocol have suffered any reportable security incidents. In addition to Spain, other countries have implemented the same protocol (for example Switzerland).
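To make concrete what "decentralised" and "privacy-preserving" mean in the DP-3T answer above, here is an added, simplified model of the protocol's design. It is illustrative code written for this page, not the DP-3T reference implementation or the Radar-COVID code. Assumptions: a daily secret key is advanced by hashing (a hash chain), the short ephemeral identifiers broadcast over Bluetooth are derived from that key with HMAC used as a pseudo-random generator, and a positive user uploads only the key of the first infectious day; the 15-minute epoch count and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Set, Tuple

EPHID_LEN = 16        # bytes broadcast per ephemeral identifier (constructed parameter)
EPOCHS_PER_DAY = 96   # one EphID per 15-minute epoch (constructed parameter)


def next_day_key(sk_prev: bytes) -> bytes:
    """Hash chain: tomorrow's key is derived from today's, never the reverse."""
    return hashlib.sha256(sk_prev).digest()


def ephemeral_ids(sk_day: bytes, n: int = EPOCHS_PER_DAY) -> List[bytes]:
    """Derive the day's EphIDs from the day key.

    Simplification of DP-3T: PRF(SK_t, "broadcast key") seeds a PRG; here the
    PRG is HMAC-SHA256 in counter mode, truncated to EPHID_LEN bytes.
    Without the day key, two EphIDs cannot be linked to the same phone.
    """
    seed = hmac.new(sk_day, b"broadcast key", hashlib.sha256).digest()
    return [
        hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
        for i in range(n)
    ]


class Phone:
    """A phone that broadcasts its own EphIDs and records the ones it hears."""

    def __init__(self) -> None:
        self._keys: List[bytes] = [os.urandom(32)]  # day-0 key never leaves the device
        self.observed: Set[bytes] = set()           # EphIDs heard from other phones

    def day_key(self, day: int) -> bytes:
        while len(self._keys) <= day:
            self._keys.append(next_day_key(self._keys[-1]))
        return self._keys[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_ids(self.day_key(day))[epoch]

    def hear(self, ephid: bytes) -> None:
        self.observed.add(ephid)

    def report_positive(self, first_infectious_day: int) -> Tuple[bytes, int]:
        """The only upload: one key and a day number. No contact list, no location."""
        return self.day_key(first_infectious_day), first_infectious_day

    def check_exposure(self, report: Tuple[bytes, int], today: int) -> int:
        """Matching happens on the device: regenerate the reporter's EphIDs from
        the uploaded key and count how many this phone actually heard."""
        sk, day = report
        hits = 0
        while day <= today:
            hits += sum(1 for e in ephemeral_ids(sk) if e in self.observed)
            sk = next_day_key(sk)
            day += 1
        return hits


if __name__ == "__main__":
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(alice.broadcast(day=3, epoch=10))   # Bob was near Alice on day 3
    carol.hear(bob.broadcast(day=3, epoch=10))   # Carol was near Bob, never Alice
    report = alice.report_positive(first_infectious_day=2)
    print("Bob exposures:", bob.check_exposure(report, today=5))     # 1
    print("Carol exposures:", carol.check_exposure(report, today=5)) # 0
```

The point the model makes is where the data lives: the server only ever sees the key of a user who chose to report, and the question "was I near a positive case?" is answered by each phone against the identifiers it already holds, so a compromise of the server yields neither contact graphs nor locations.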

What steps can we take at the personal level to mitigate risks?

The first thing is to value the digital information we handle on a daily basis. Once we are aware of the value of this data, we will be able to assess the protection it requires, both for the value that information has for us and for the harm that comes with its loss or misuse.

Then, we must include in our daily practice some very basic safe habits. These habits should inevitably include the following points:

– Protect our digital identity: use strong passwords and review any alarms that indicate misuse.

– Securely manage our data based on its importance: keep backing up the most critical data, controlling the public dissemination of private or confidential data, erasing our data from devices and services when they are no longer needed.

– Cultivate a certain “digital scepticism”: distrust unsolicited offers from unknown sources, ignore messages whose provenance and veracity cannot be verified and, finally, avoid the overexposure of private information on public networks.

Would you say we are in a cyber-cold war?

All states treat cyberspace as one more battlefield or, as defined by the 2016 NATO summit in Warsaw, “a new domain of military operations, along with land, sea and air.”

However, we cannot talk about a “Cyber Cold War” because there is no public declaration of blocs and alignment of the different states with them.

Although officially all states declare themselves neutral and friends of other legitimate states, cyberspace presents its own arms escalation: all nations are developing their capabilities to operate militarily in cyberspace either as a single scenario of specific operations or as support for operations developed in traditional domains. These capabilities include technology, personnel, procedures, information from other actors, etc.

Cyberwarfare has special features compared to traditional military operations:

– Actions are difficult to attribute (anonymity, false flag).

– Demonstrating offensive capabilities puts their effectiveness at risk in the future, so it is difficult to assess the actual capabilities of states.

– Cyber weapons lose their potential once used for the first time.

– The targeting process can become an effective attack without prior alert.

– Private companies (technology companies, communications operators, etc.) control 90% of the infrastructures that make up the cyberspace battlefield.

Therefore, although there is evidence of cyberwar actions that have occurred in recent years, in no case has there been a prior declaration, nor subsequent confirmation, nor official attribution to any state.

If we are not already in a cyberwar, we are certainly in a process of developing and supplying cyber weapons by all states of the planet.