As cyberattacks continue to hamper the operations of critical infrastructure, including hospitals, it may be tempting to think of the hackers as if they’re the main characters in the 1995 film of the same name: Kids who want to stir up trouble, and maybe make some cash doing it.
But “this is not a teenager in a hoodie doing these kinds of attacks. These are elaborate, sophisticated, organized criminal gangs,” as Errol Weiss, chief security officer at H-ISAC, warned at HIMSS21 this past summer.
And some of these gangs have the muscle of nation-states behind them – making them even more potentially threatening to healthcare organizations of all sizes.
Weiss, who will be appearing this December at the virtual HIMSS Healthcare Cybersecurity Forum, spoke with Healthcare IT News this past week just as news broke that the U.S. Department of Justice had charged two men for their alleged involvement in deploying Russia-linked REvil ransomware.
He discussed the motivations for nation-state threat actors, what can be done to tamp down on ransomware and why it’s so important for everyone to protect themselves and their data.
Q. Let’s get started with just a quick overview of the threat landscape. How do nation-state threat actors stand out in terms of cyberattackers?
A. There’s a lot of threat actors out there, and they target all over the place. There are the criminals who are basically doing the shotgun approach. They’re just launching their attacks, and anybody who takes the bait and falls for it as a victim, the criminals will figure out how to monetize what they’ve gotten access to. There’s a spectrum of those threat actors.
Focusing on the nation-state threat: They’re very patient. They take years to run the attack. They’re so good at it, and they’re so difficult to detect that once they’re in, they’re in for months, or maybe a year, before anybody ever figures that part out.
We can provide some examples of Russian state actors, Chinese state actors, and maybe lesser-known ones, like those linked to Iran, North Korea, Vietnam.
Q. How has that changed over the years?
A. A few years ago, you could count maybe a few dozen countries that had a decent, offensive cyber capability. And now it’s probably the opposite, where there are only a few dozen countries that don’t have a decent cyber-offensive capability. So it’s really come a long way. It’s not unusual to hear about actors like this now.
In the past, too, when we’ve talked about nation-state objectives, it was usually about cyber espionage: They were out to try and short-circuit their way to gain some competitive advantage over their other adversaries, or research and development.
So, of course, the big motivation over the past few years has been around COVID-19. One of the obvious objectives there is vaccine development, treatments, anything that they can get their hands on in terms of being able to help their own population. And I think that makes a lot of sense.
But with these other countries sweeping in – I’m sure they’re still concerned about protecting the population from COVID-19. But they are also motivated by cash. Their objective is also, just like cybercriminals, to steal money. So they’re using ransomware to raise cash. It’s not just about intellectual property.
Q. We’ve certainly seen service disruptions, at least temporary ones, as secondary effects of ransomware attacks on hospitals and health systems. Do you think there’s a possibility that nation-states will deploy ransomware specifically to disrupt services?
A. I can’t say I could find any real-world examples of something like that. But I think it’s certainly feasible, right? There’s been a lot of media coverage and some conjecture that there’s a connection between ransomware events, disabling hospital services and causing some patient impact.
I think that any reasonable person would probably agree that, of course, if an organization has to use paper, or they’re diverting ambulances, because their IT systems are down, there’s probably going to be some level of patient impact.
Could an adversary use a tactic like that to cause some level of disruption and essentially create a terrorist-level kind of an event? I think the answer is yes.
Especially if you are capitalizing on some natural disaster, and then making it even worse by interfering with the ability for first responders to do what they have to do, or with a hospital or health providers being able to help patients. I think that’s certainly possible, unfortunately.
Q. I just love talking to security professionals. It’s always so cheerful. That raises the question for me: The Biden administration has has signaled that it would treat some ransomware attacks as akin to terrorism, and that it might respond to ransomware with military action. In the future, do you foresee a sort of ceasefire agreement?
A. I think you’re on the right path. When we see events happening like that, I think this is where the citizens would expect assistance from the government of that order. We don’t have the ability to launch bombs or take over countries. And that’s where we would need the government to be able to do that, the military to be able to do that.
We can do things from a malware-ransomware defense standpoint. We can try to work with the civil courts to try to make it harder for the bad guys to do malware. But when it comes to arresting people, it’s law enforcement that has to do that. I can’t do that.
So in much the same way, if there was a terrorist event like that that was really causing that kind of disruption or impact to society, I would expect some kind of response from the government of that order.
“A few years ago, you could count maybe a few dozen countries that had a decent, offensive cyber capability. And now it’s probably the opposite.”
Errol Weiss, H-ISAC
Q. We’re also seeing some movement from Congress to try to implement some carrots and sticks when it comes to cyber incident response. Do you have any thoughts as to the efficacy of those proposed measures?
A. I think it was kind of a knee-jerk reaction – we’re starting to see these mandatory incident reporting requirements, and I’m not sure that’s the right way to go.
Personally, I think when it comes to the ransomware problem that we’re having today, I think it’s being fueled by the underground economy of digital currency. And that’s where I really think we need to address it. I don’t think we’re ever going to be able to get rid of digital currency. I think it’s here to stay.
But I think we’ve got to figure out how we can appropriately control it and regulate it so that it can’t be used for what I see as so many underground, illegal activities. Criminals are able to move money around very, very easily, without any kind of consequences that are established today with legitimate banking institutions.
I mean, let’s face it. Humans have been paying ransoms for a long time – a lot longer than the internet’s been around. And it’s gotten worse for all kinds of reasons.
I think we need to address some of the underlying issues here. The first payments just encouraged the actors to keep going, and now we’re seeing ransom payments that people never would have thought of five years ago. Millions of dollars. It’s unheard of.
Q. Given that environment, what are you hoping audience members will take away from your Fireside Chat this December?
A. These attacks are real. It’s not the science fiction of spy novels anymore. Everyone has got a piece of this puzzle that the adversaries are interested in. These nation-states that I mentioned have got intelligence objectives in order to capture information and protect their country. They’re trying to protect their citizens and their populations.
Right or wrong: We’ve been spying on each other for years, we’re gonna continue to do it. The internet’s an enabling way to do that.
People that are working on things like COVID-19 vaccines, treatment plans and preventive mechanisms are of high interest for adversaries. Whether you’re working on a clinical trial, or you’ve got patients that are being tested in trials, the data that is sitting inside these institutions is a treasure trove.
We’re all sitting on this data that has enormous value for other people. And while you may not have a direct role in that project or the study, you are an avenue for the adversary to obtain that information. That’s where everybody needs to be on alert.
Errol Weiss will continue the discussion at the digital Healthcare Cybersecurity Forum event with Jigar Kadakia, chief information security and privacy officer at Mass General Brigham. Their Fireside Chat, “Focus on Nation State Threats Targeting Health Providers,” is scheduled to air at 3:55 p.m. ET on Monday, December 6.