Paging a Joint Task Force: Cyber Defense of Pandemic Medical Infrastructure

The ongoing global response to COVID-19 infections has become a critical public health, economic, and national security priority. The crisis has been made worse by ransomware and other disruptive intrusion incidents, threatening the continued provision of healthcare services to patients affected by the disease. U.S. Health and Human Services disclosures of known data breaches — even prior to the current pandemic — represent a stunning array of victims across the country.

Under ordinary conditions, cyber attacks are subtly corrosive but meaningful in cumulative effect over time. Malicious accesses to key networks threaten the United States, allies, and global partners. During this global health crisis, new options are needed to change the decision calculus of adversary actors that threaten what are now our most vulnerable populations.

The Defense Department has a role to play in defending the healthcare system against cyber attacks. The military should be called upon to degrade and destroy the capabilities of criminals to conduct ransomware extortion, and to prevent state actors from inflicting strategic damage against the United States at this critical time. Such operations should be conducted in accordance with recently developed concepts of persistent engagement, in which American and allied critical infrastructure is defended forward of our own networks.

Ransomware Attacks and the Healthcare System

In the medical setting, ransomware events are not simply financial events. Disruption of hospital systems threatens diagnostic, case information handling, life support and treatment, inventory, and other vital functions of the medical enterprise. Beyond immediate disorganization, there is evidence that care outcomes worsen for patients for an extended time after an incident. A 2019 Vanderbilt University study found increased mortality for up to three years following breach events at identified hospitals.

The coronavirus outbreak is not the first time criminals have used high-profile headlines to craft attention-grabbing phishing lures. However, exploiting the current pandemic is particularly troubling. Some ransomware attacks this year include a campaign to propagate the AZORult malware variant through a malicious app modeled on popular geospatial outbreak mapping sites, and Emotet campaigns that compromised victims using forged official health service notifications. New COVID-19-themed ransomware, targeting mobile device users, was further identified as of mid-March.

The latest suspected disruptive incidents directly impacted a major hospital and associated testing lab in Brno, Czech Republic, on Mar. 13, 2020. In the United States, a federal Health and Human Services network was attacked two days later, although motivations in these incidents remains unclear. A UK clinical research firm was also extorted by the Maze ransomware operators of Mar. 21, 2020.

Crimeware and Disruptive Attacks are at a Tipping Point

Crimeware gangs often acquire an initial foothold in a network where technical bugs are compounded by human errors. These accesses can also be exploited by state adversaries to inflict systemic damage with potentially cascading implications across society. Hostile intelligence services have previously sought to leverage the frequent criminal use of ransomware as part of deliberate deception operations intended to obfuscate motivation and confuse attribution — however implausibly or even ineffectively.

Offensive cyber campaigns are about more than a single attack, no matter how damaging. States seeking to inflict pain on a rival first try to understand its target’s recovery, resilience, and consequence-management practices. Ransomware incidents provide unique insights into behaviors that are often difficult to anticipate. Some security researchers have hypothesized that more sophisticated offensive planners may have sought to engineer such disruptive events in the wild — in other words, they deployed ransomware in live operations mimicking criminal activity to test victim responses.

A state adversary could replicate such systemic targeting for strategic effect, seeking to magnify disruption at a time when people and systems are already stressed beyond their limits. A number of potential actors motivated by geopolitical considerations, ongoing rivalries, or single-issue ideological agendas might seize such opportunities to advance their own objectives. Multiple states, including Russia and Iran, have already proven willing to act aggressively in other domains despite the crisis. Multiple intrusions from actors in Russia, North Korea, and China have been observed using COVID-19 themes as a lure to obtain new access. As always, it remains difficult to distinguish “mere” spying from potential operational preparation of the environment intended to stage future attack options. The low threshold for commodity ransomware capabilities acquisition may even allow for mere anarchic actors to engage in the digital equivalent of early-modern, plague-spreading behavior.

The perceived benefits that make ransomware attacks an attractive business model under normal circumstances are amplified in a crisis. This is especially the case since common responses to ransomware incidents actually contribute to the large ecosystem of malicious behaviors. Such factors will almost certainly accelerate under current pressures. “Ransomware as a Service” threats, in which cyber criminals operate through affiliate business models to share workload and profits, may result in aggressive new targeting of critical sectors as individual operators’ choices aggregate at scale.  Such swarming behaviors may emerge when victim organizations and associated political leadership are vulnerable, and may be willing to pay extortion demands on a more aggressive timeline. Emergency funding, including from generous charitable donors, may inadvertently feed this cycle.

A New Strategic Approach

Different policy tools are called for in an acute crisis. Ransomware, and other forms of cyber extortion that predate current crypto-malware payment models, has been long treated as a law enforcement matter. However, criminal prosecution is known to be complicated by the transnational character of the offense, uncooperative jurisdictions, lagging legal frameworks, and a lack of technical capacity within judicial institutions. Yet, to date, these have been considered part of the challenges that accompany21st -century law enforcement problems.

The potential impact on medical-sector victims under pandemic conditions changes the calculus. The sustained investment in building national-level cyber mission capabilities provides options the United States has not previously had. While defense planners contemplated providing support to civil authorities under a small number of scenarios, protecting Defense Department networks was the primary mission of early military cyber commands.

This thinking has changed. U.S. Cyber Command has now articulated a vision in which it will, as called upon by national leadership, serve to defend forward in order to contest and counter adversary presence and action beyond government networks. The emerging approach of persistent engagement seeks to disrupt an adversary’s operators, and draw new red lines that may cause its leadership to rethink their commitment to provocative courses of action.

The adoption of persistent engagement has led to a fundamental shift in how Cyber Command looks at future operations, and ultimately the authorities and approval processes by which the executive branch will task such operations. Indeed, the new posture has raised concerns regarding potential risks generated by more assertive posture. In addition, persistent engagement may complicate civil-military relations, relationships with congressional oversight, and with allied and partner nations. Nevertheless, the Defense Department has moved forward to operationalize this approach, anticipating that it will be called upon in new ways.

Cyber Command has institutional experience that provides a model to surge support to counter hostile actions in a crisis. Recently declassified documents detail past efforts. For example, the U.S. government stood up Joint Task Force ARES in early 2016 in order to execute Operation GLOWING SYMPHONY: offensive operations to deny and degrade ISIL networks used for recruitment, financing, planning, and communications. The lessons learned from these operations reportedly informed a second effort, intended to combat propaganda and other actions seeking to damage the integrity of U.S. elections.

A New Joint Task Force for the Current Crisis

The military should establish a new joint task force for the novel pandemic crisis, oriented to protect the functioning and integrity of our global healthcare infrastructure. Much as early militaries protected Galen, one of the first medical practitioners, as he sought to investigate and document unknown plagues, so too it is appropriate to consider the defense of our modern doctors, nurses, and their ever-more complex networks of diagnostic sensors, treatment technologies, and case communications. An effort such as the proposed Joint Task Force GALEN would serve to place pressure on adversary operators and planners. Its operations would draw a new red line by changing what is at present an almost casual lack of concern for abusing systems and networks operated by medical organizations that are considered protected under international law. Ultimately, it would be hoped that such an effort would force adversary decision-makers to rethink such aggressive and particularly destabilizing operations, whether for criminal profit or strategic impact.

Institutional relationships would be the key to Joint Task Force GALEN. Such connectivity is vital to enable U.S. agencies at all levels of government, foreign government organizations, private sector players, and civil society institutions that are in the front line of the fight today. This is by no means a minor matter — such interactions work best face-to-face, which will be complicated by current quarantine, travel restrictions, and social distancing measures. These will also be types of relationships that look fundamentally different from the earlier counter-terrorism fight, involving more open conversations than prior, heavily classified dialogues involving counterparts steeped in decades of government secrecy. Much as in other humanitarian stability and support operations, a different type of exchange is needed — one that meets counterparts where they are.

Information sharing from new relationships will be vital towards prioritizing action against observed threats and cueing additional intelligence collection, leveraging open-source, commercial-service, and national-technical means. Such intelligence will drive operations to degrade, disrupt, and destroy the infrastructure supporting adversary campaigns.

Joint Task Force Galen should be conducted with partners that share common democratic oversight of military operations. Operations should be subject to rigorous targeting and other planning processes intended to ensure the lowest possible risk of collateral damage, capabilities disclosure, and blowback against the critical health sector organizations and other entities. At the same time, these operations will require a new approach to managing scarce arsenals of offensive capabilities, as one may anticipate a higher rate of expenditure against a broader range of criminal targets than previous narrowly scoped actions. This will further burden planners and operators with the unwavering requirement to ensure that such capabilities remain under effective control and avoid further proliferation problems. Navigating the difficult balancing of the vulnerabilities equities process will be an acute challenge.

The proposed joint task force would be a very different kind of operation than previously mounted by Cyber Command. In the past, the United States targeted single, defined adversaries, including ISIL and Russian intelligence services. Currently, the origins of hostile attacks are more diffuse. But while incidents may be attributed to a variety of actors, there are common malicious infrastructure services (e.g., proxy botnets and bulletproof hosting operations), developer networks, and other continuing criminal enterprise structures that function as key enabling components. These adversary targets are well-known and have been extensively described by commercial intelligence services and industry researchers. While prior law enforcement actions may have successfully pursued prosecution against individual elements of this problem, these investigations take a long time — a scarce commodity in the current crisis — and have proven limited in their ability to impact offenders operating in non-cooperating jurisdictions. The proposed joint task force is not intended to replace law enforcement, but rather to disrupt threat activities before they inflict further damage on life-saving professionals.

Implications and Outlook

The proposed joint task force represents a substantial expansion of U.S. Cyber Command’s existing mission priorities. But the current threat to healthcare infrastructure justifies the kind of mobilization akin to the military escorting medical supply convoys and hospital ships in crisis, and ensuring stability and security for first responders.

While the prognosis for the COVID-19 pandemic remains unclear, current estimates suggest continuing concern over at least the next year. Previously unknown diseases will inevitably arise again — even when the current virus fades into the background. When that happens, malicious actors will once again be tempted to interfere in the crisis response. Actions today will set enduring precedents for the norms, backed by real commitments, intended to safeguard the medical professionals working to save lives.

In the short term, the surge of a new joint task force to protect global care delivery would safeguard against current threats that may accelerate the spread of infection. The prospective psychological impact of COVID-19 will only be known in time. In the United States, the current pandemic may trigger criminal and anti-democratic behaviors from unknown individuals with access to offensive malware. The dangers of COVID-19 — and the likelihood of new threats — demands unprecedented efforts to counter hostile capabilities with all possible speed.

J.D. Work serves as the Bren Chair for Cyber Conflict and Security at Marine Corps University. He holds additional affiliations with the School of International and Public Affairs at Columbia University, the Elliot School of International Affairs at George Washington University, and serves as a senior advisor to the Cyberspace Solarium Commission. He can be found on Twitter @HostileSpectrum. The views and opinions expressed here are those of the author(s) and do not necessarily reflect the official policy or position of any agency of the U.S. government or other organization.

Image: U.S. Navy