In the wake of the pandemic, how can the United States and other countries fight their way back to good public health and an economic recovery? Short answer: develop enough doses of vaccines to be distributed and administered to millions of people without a hitch.
That’s the ideal, but the SARS-CoV-2 vaccine supply chain is rife with logistical complexities. What’s more, the enormously valuable intellectual property and data on the various vaccines, components and therapeutics are relatively easy for threat actors to pilfer. In fact, nation-states are already attempting to steal vaccine formulae and disrupt operations.
You are a potential target if you’re in the business of researching, developing, conducting trials, manufacturing or distributing the vaccine against SARS-CoV-2, the virus that causes COVID-19. If you’re a player in the highly intertwined network of big pharma, biotech, contract development and manufacturing organizations (CDMOs), and health and clinical research institutions, you can take a number of steps to help prepare for potential attacks.
Here are three questions to discuss with your executive team.
1. What are the evolving threats from nation-states and the resulting risks to vaccine development and supply chains?
Nation-state actors are patient, persistent, well-funded and sophisticated. They can destabilize vaccine development and supply chain using a variety of techniques:
i) IP theft at research stage. Academic research is subject to foreign influence via two conduits: personnel with ties to foreign governments or grants that are funded ultimately by foreign adversaries. Many research organizations are currently under investigation by the Departments of Justice and Homeland Security, and the National Institutes of Health.
In addition, PwC threat intelligence analysts have observed preparations to target COVID-19 research organizations and vaccine developers. Threat actors are staging command and control infrastructures to use against vaccine developers and manufacturers.
ii) IP theft and disruption at the trials stage. In July, the US Justice Department indicted two foreign nationals for espionage in several industries. It alleged that they were finding ways to access the networks of biotech and other firms that are known to be working on vaccines, treatments and testing technology in at least 11 countries, including the US.
iii) Manufacturing disruptions. Just a few days after receiving permission to start final-stage trials for a SARS-CoV-2 vaccine, one of India’s largest generic pharma companies reportedly suffered a cyberattack and had to shut down plants in a few countries. It’s reminiscent of the 2017 NotPetya attack – ransomware combined with tools to propagate itself across a network – which paralyzed hospitals, shipping, food manufacturing, postal systems and banking, and caused a shutdown of drug production for several days at one pharmaceutical company.
iv) Low vaccine uptake and reputational damage due to disinformation. In a September 2020 survey of Americans, 49% said they definitely or probably would not get vaccinated at this time. The historic speed of the vaccine development process and mistrust of the medical community among some Americans have contributed to increasing levels of vaccine hesitancy in the US. Enter nation-states that might mount disinformation campaigns to amplify doubt or to disparage a vaccine developer or manufacturer. The result would be tantamount to a manufacturing shutdown, stalling efforts to improve public health and the economy.
Takeaways for executive leadership: Work closely with your C-suite colleagues to identify the sites, systems, personnel and processes involved in vaccine development and manufacturing. Assess the risks and review your risk-mitigation plan against the threat of nation-state actors. Enhance real-time threat intelligence capabilities throughout your supply chain. On foreign influence, work with internal audit/compliance and the general counsel to help close the gaps in your compliance programme and reiterate your anti-bribery and anti-corruption policies.
Takeaway for the board: Understand the risks to your organization arising from these threats. Ask for regular communications from management on risks, defences and response plans.
2. How well can you defend against the threats?
Many affected organizations are easy targets. What’s their Achilles’ heel? In our experience, weak controls are the most significant source risk. For many health research organizations, the extent of potential foreign influence through their international connections is a blind spot. In addition, manufacturing sites often operate outdated, unpatched or insecurely deployed systems. Flat and open networks, lack of privilege access management, lack of removable media control and vendor connectivity further contribute to insufficient resiliency.
Your ability to defend against nation-state attacks rests on the strength of your cybersecurity and compliance programmes, which may be daunting to shore up all at once. But you can start by focusing on these:
i) Make it difficult for attackers to gain a foothold in your system – sharpen your threat hunting. Draw an overall picture of the attack surface and identify potential attackers, their motives and their ways of doing things. In addition, threat actors can exploit system weaknesses, misconfigurations and vulnerabilities to gain privileged access once they get into a system. Organizations should enhance privileged access management capabilities, to include vendor remote access.
ii) Reduce likelihood of threat actors moving laterally in your system – segment network access. With network segmentation, you can better isolate an incident, reduce attack surface and prevent propagation of ransomware, for example.
iii) Mind your entire ecosystem – manage third-party risks. Vaccine R&D and manufacturing activities rely on many third parties. Threat actors often use organizations with weaker cybersecurity protocols as a backdoor to the ultimate targets. Assess the cyber posture of third parties.
And don’t overlook your physical and digital connections to hospitals, which have come under ransomware attacks by foreign-based cybercriminals. In fact, ransomware attacks have surged in 2020 in many industries, fuelled by an influx of new ransomware actors, the expansion of existing affiliate schemes, and the pursuit of higher revenues by established cybercriminals.
Takeaways for executive leadership: Prioritize the three defences above, keeping in mind that the attackers may be insiders. Set up real-time dashboards to monitor for unusual activity among researchers and employees, suppliers, business partners and stakeholders. Periodically report to the board on indicators of effective defense against intrusions and threats.
3. In the event of a successful attack, do you have a response plan in place?
Any organization involved with vaccine research, trials, manufacturing and distribution should have a crisis response and remediation plan. A good response plan includes these four elements:
i) Conduct incident response simulations. Conduct these exercises at the C-suite level, and preferably with the board, not just within the IT and security groups. Plan to remediate system and process gaps, with varying approaches for different types of attacks — phishing, ransomware and otherwise.
If you don’t have a crisis center, you should set up one now to monitor and communicate threats, as appropriate, to stakeholders including the board.
ii) Make it formal; name your resilience team. Think beyond crisis management, disaster recovery or business continuity planning; think resilience. An effective response plan needs a clear-cut leader who can quickly orchestrate the activities of functions scattered throughout the organization. Decide who ultimately governs the plan. Assign roles and responsibilities to people who can execute the resilience playbook.
iii) Rehearse your resilience playbooks. Those without playbooks in place could take weeks or even months to recover from an attack — time we don’t have with SARS-CoV-2 vaccinations. Playbooks need to be rehearsed so that in a real-life crisis, team members can respond automatically and smoothly, almost like activating muscle memory.
iv) Define how you’ll engage with law enforcement and governmental agencies. An attack by a nation-state is by default a national security issue, triggering potential involvement by the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) and others. The federal government has a substantial stake to protect because of its $11 billion investment in vaccine development through Operation Warp Speed. Establish a working relationship with the agencies — but retain full responsibility for communication to your customers, investors and other stakeholders.
In the case of ransomware, work with law enforcement for safe and legal transfer of ransom payment, investigations and payment tracking; new guidance has cautioned against ransom payments inadvertently made to sanctioned criminal entities and adversaries.
Takeaways for executive leadership: Build a response and resilience plan that’s transparent to executives, the board and business partners alike in order to engender trust. Engage the COO, CMO, CISO and CIO in developing and executing these strategies. Get the CFO’s buy-in for any spending or investment needed to mitigate the financial impacts of nation-state intrusions.
The bottom line: secure the vaccine
The stakes are high. Pharmaceutical and biotech companies are racing to capture the financial and reputational advantage of being first-to-market. Manufacturers are expecting the biggest contract manufacturing sales in recent history. To-date, in addition to $11 billion in grants, there may be ten times as much in investors’ money riding on the outcomes. Stock prices for some competing companies are trading around record highs.
The pharmaceutical industry garnered a record high of 73% of interviewees globally who said they trust the industry, according to the Edelman Trust Barometer spring update. But some nation-states are likely attempting to steal IP, bring about disorder and create a level of mistrust. Pharmaceutical companies — the face of the world’s way out of the pandemic — need to lead the entire vaccine ecosystem to make sure the spring 2020 boost isn’t just a trust bubble.
Nalneesh Gaur is the Principal, Pharmaceutical and Life Sciences Cybersecurity, Privacy & Forensics Leader, PwC US. Sean Joyce is the Principal, Global and US Cybersecurity, Privacy & Forensics Leader, PwC US.
The article first appeared on the World Economic Forum.