CoR&Onavirus
CoR&Onavirus
COVID-19 responses highlight issues of resiliency, policy-based governance, and human factors.
Overall daily internet usage has increased around the world during the COVID-19 pandemic, much of it from people working from home via remote access. People working at a distance have experienced higher network loads, the use of new applications, scalability issues for standard platforms, and a growth in cyberattacks and threats. Responses to corona virus isolation from a technical standpoint are varied, but most sources appear to indicate a growth in both vulnerabilities and threats; rapid change has created an environment in which attacks thrive.
The surge in load was long foreseen. Jake Williams, a former government cyber analyst and founder of the security firm Rendition InfoSec, notes the “While the internet backbone was built with doomsday scenarios in mind, the current global pandemic is far beyond the contingency planning of most organizations.” John Graham-Cumming, Chief Technology Officer of the internet infrastructure company Cloudflare, says that he and other infrastructure providers he's spoken to aren't concerned about handling the load.
But if Graham-Cumming and others are not worried about the overall capacity of the Internet, the FCC is concerned about the distribution of access and quality of service. It has taken steps to ensure delivery of broadband services and to give carriers and service providers more flexibility to reach consumers. The FCC has “granted Special Temporary Authority to AT&T, Sprint, T-Mobile, U.S. Cellular, and Verizon as well as a large number of wireless Internet service providers to use additional spectrum to meet customer demand for mobile broadband across the United States, including Puerto Rico and the U.S. Virgin Islands.” It has also reminded state and local governments “that the Wireless Emergency Alert system is available as a tool to provide life-saving information to the public.”
Like the 2019 U.S. government shutdown, the Covid-19 pandemic could expose government entities to attack as agencies prioritize the outbreak above all else, close nonessential in-person operations, and direct staff to work from home. Rapid changes to daily life during the pandemic have also changed how people interact with internet-connected technologies. Without time to develop tailored defenses, that also means new exposures and risks.
Distanced remote work groups have begun to find new applications that allow video conferencing and social interaction. Apps such as WebEx Meeting and WebEx Teams, GoToMeeting, Zoom, Microsoft Events, Google Hangout, Hardcore and others have been used by a number of groups to create an interactive and collaborative environment. These are cloud-based apps for continuous teamwork with such components as videoconferencing, meetings, group messaging, file sharing, and white boarding. But many home environments lack the defenses of a corporate environment and new users may not be aware of the need for safeguards and those that are available.
Zoom has been particularly criticized. Reports of its privacy and security troubles have grown as it has become one of the preferred communications platforms for people sheltering at home. Its defenders argue that Zoom was originally designed for businesses and could not have anticipated a pandemic that would create dramatic growth in only a few weeks and being used for purposes like elementary school classes and family celebrations.
According to Paul Wagenseil of Tom’s Guide, Zoom is benign. “For school classes, after-work get-togethers, or even workplace meetings that stick to routine business, there's not much risk in using Zoom…you just need to be aware that the Zoom software creates a huge "attack surface."
Zoom has responded to criticism by creating an aggressive plan to add security and privacy features. It has posted a web page offering best practices for classroom use and “how tos” on their current security and privacy features.
While the term “zoom bomb” has entered the lexicon, other platforms have also experienced difficulties, particularly as public school systems transition to distance learning. Using Learning Management Systems (LMS) such as Blackboard, Canvas, Google Classroom, and others, these systems have tried to implement both synchronous and asynchronous tools for students ranging from pre-K through high school. Fairfax County, Virginia has one of the country’s largest and highest ranked school systems. In recent weeks, it has attempted to deploy a synchronous system, but has been plagued with technical and security errors and poor management decisions. According to the Washington Post, Fairfax County Public Schools waited four weeks, including spring break, before implementing its “virtual school” for its nearly 190,000 students. Trouble began immediately at launch when teachers and students could not log on. Classes were “hijacked by racist, homophobic, and obscene language. Students appeared on screen naked or flashed weapons.” The story goes on to say that interviewees said necessary software upgrades had been neglected for over a year and that basic privacy features were ignored. (Washington Post print edition, Sunday April 19, 2020, p. C1.)After shutting down the program for more than five days for repairs, it remains down as of this writing. Recriminations among techs, administrators, teachers, and the provider continue. The technicians assert the administrators insisted on leaving the “guest” sign-in option available, which allowed third parties to enter the classrooms using false identities and committing the obscene and racist acts. (Washington Post print edition Tuesday April 21, 2020, p B4.) Apparently policy-based security must adopt appropriate policies. Fairfax Schools later in the day announced they were changing LMS platforms. Administrators alleged that the volume of logins had contributed to the crashes.
Policy decisions about system features extend to include failures to upgrade entire systems. Wall Street Journal editorial writer Andy Kessler argues problems like this are endemic to government systems. He describes a myriad of legacy mainframe systems at federal, state, and local government agencies programmed in FORTRAN and COBOL that are still the primary processors for major government services. Failure to upgrade, in his opinion, increases risks, slows delivery of services, and is generally inefficient. (Andy Kessler. Inside View, Wall Street Journal April 20, 2020. p. A15.)
Attacks began earlier than social distancing began. As early as January, coronavirus phishing scams started circulating, preying on fear and confusion about the virus, and have proliferated since. Crane Hassold, a former digital behavior analyst for the Federal Bureau of Investigation and now senior director of threat research at Agari, the email security firm, describes the threat phishing poses to people working remotely. He says some Wi-Fi often doesn't have defenses such as firewalls and anomaly detection monitoring as do corporate office environments. Further, some leading corporate VPNs have major vulnerabilities that companies don't always take the time to patch. Finally, he notes that even extra-cautious employees may be more likely to take phishing emails at face value, since it's not as easy to call across the room to a colleague and check whether they really initiated that payroll payment reroute. "All of this is a perfect storm," he says.
"There’s no question that some intelligence agencies are going to take advantage of this," says Jake Williams." Whatever your baselines are, you've probably departed from them now with all of this remote access. So anything you thought you were going to get out of certain tools you’re not going to get anymore—and a lot of times everything, every connection is just lighting up like a Christmas tree. Plus, everybody is just so distracted. It definitely presents an opportunity for attackers to be a little bit noisier and a little more aggressive. I would be very surprised if they don’t take advantage of that."
Using the coronavirus crisis as a ruse is one of the fastest-growing tactics. Security firm Zscaler, said hacking threats on systems it monitors had increased 15% a month early in the year, and jumped 20% in March. The company says a growing category of hacks lure victims with the promise of information or protection from COVID-19. This is business as usual for hackers, who use current events to trick their victims. Experts say the attacks are increasing in frequency, and it's clear from hackers' behavior that they see the moment as potentially profitable.
Jerome Segura, Malwarebytes director of threat intelligence, said his company has also seen "an overall increase in malware campaigns using coronavirus/COVID-19 as a lure." He added that the hackers appeared to range from sophisticated, state-sponsored attackers to ordinary cybercriminals and that the malware aims to do things like steal banking credentials or logins to work-related accounts. Segura didn't specify which nation-state actors Malwarebytes was seeing in action, but security researchers have published findings that hackers affiliated with Russia, North Korea and China have taken this approach.
Eva Velazquez, president and CEO of the Identity Theft Resource Center, said “the impact of all these hacks will hit hardest down the road. Most of the time, people who fall victim to scams don't realize they've handed their personal information over to criminals until after the data has been abused. And the consequences could reverberate for a long time. Normally, when scammers use disasters like hurricanes or fires to trick people, there is only a small number of potential victims. The coronavirus crisis is hitting the whole world, and the number of people seeking help and information is huge. They're going to come out in droves," Velazquez said of the scammers, "because they see an opportunity."
The National Cyber Security Alliance urges internet users to “wash your hands and update your software.”
It seems clear the responses to the novel coronavirus COVID-19 have had impacts on the cyber universe and especially cybersecurity. Increased volume, the use of new applications, and a growth in cyberattacks and threats have all been consequences of sheltering and working from home. These outcomes highlight the continuing cybersecurity problems of resiliency, security scalability, policy-based security and human behavior, and suggest that researchers’ attention to these challenges is more critical than ever.
References
[1] FCC. “Chairman Pai's Response to Members of Congress Regarding Maintaining Connectivity During the Coronavirus/COVID-19 Pandemic” 2020 April 17 https://docs.fcc.gov/public/attachments/DOC-363806A1.pdf
[2] Laura Hautolo. “As coronavirus crisis worsens, hacking is increasing, security experts say “ CNET. 2020 March 19 https://www.cnet.com/news/as-coronavirus-crisis-worsens-hacking-is-increasing-security-experts-say/
[3] Natasha Singer and Nicole Perlroth. “ Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox; Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them.” 2020 April 20 https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html
[4] Paul Wagenseil. “Zoom privacy and security issues: Here's everything that's wrong (so far)” 2020 April 21 https://www.tomsguide.com/news/zoom-security-privacy-woes
[5] Zoom. “Privacy & Security for Zoom Video Communications” https://zoom.us/docs/en-us/privacy-and-security.html
[6] Jack Pointer and Colleen Kelleher. “Fairfax Co. schools move away from Blackboard amid distance learning woes” WTOP News|https://wtop.com/coronavirus/2020/04/fairfax-co-students-encounter-more-problems-with-online-classes/
[7] Lily Hay Newman. “Coronavirus Sets the Stage for Hacking Mayhem” in Wired. 2020 March 19 https://www.wired.com/story/coronavirus-cyberattacks-ransomware-phishing/
[8] Hannah Natanson. “How Fairfax’s online learning flopped” Washington Post print edition, Sunday April 19, 2020, p. C1
[9] Hannah Natanson. “Fairfax school’s tech fiasco continues” Washington Post Tuesday April 21, 2020 p.B1
[10] Andy Kessler. “Upgrade Our 8-Track Government.” Wall Street Journal Monday April 20, 2020 p. A15.