By almost any conceivable measure, 2020 was an extremely difficult year. Nowhere is this more apparent than in hospitals around the globe. That’s why, when the first reports emerged that hospitals and laboratories were being targeted by both cybercriminals and adversarial state actors, it created a collective, almost visceral sense of outrage. How could people be so morally bankrupt that they would pursue these cyberattacks during a pandemic? And how could governments allow these attacks to occur?
For some cybercriminals, the answer is simple: it’s about money. The US Federal Bureau of Investigation (FBI) estimates that victims of the attacks deploying Ryuk (a form of ransomware) paid out more than US$61 million to recover their files that had been encrypted.
For adversarial state actors, the answer is more complex: both money and power are on the table. According to the Communications Security Establishment (Canada’s national cryptologic agency), “large medical and biopharmaceutical companies in Canada and abroad have been targeted by state-sponsored cyberthreat actors attempting to steal intellectual property related to COVID-19 tests, treatments and vaccines.” The actors carried out these attacks to “support their own domestic public-health response or to profit from its illegal reproduction by their own firms.” That is the money part — building your own prosperity by stealing it from others.
For the power part, it may seem trite, but states are continually vying in geostrategic and geo-economic competition for greater power and influence. In this way, countries that can deploy mass vaccination and revive their economies first may have an advantage in this competition. This advantage can only be furthered by sullying competitors’ efforts or throwing them into disarray. Sometimes, a cyberattack does the job. This jockeying can be both dangerous and destabilizing, but it’s an unfortunate fixture in international relations.
There is some nuance to interpreting (and applying) the domestic and international laws that allow such behaviour. Prosecuting transnational cybercrime is notoriously difficult. The first step involves successfully identifying the perpetrator, who may take steps to mask their identity. If an individual or group can be successfully identified, the second step involves marshalling sufficient evidence for prosecution. Here, the difficulty is compounded by the fact that much of the pertinent evidence is likely to be found in the jurisdiction where the criminal resides, which often differs from the residence of the victim. If that jurisdiction will not prosecute, it means requesting assistance through either a mutual legal assistance treaty, the Budapest Convention on cybercrime, or through extra-legal channels, all of which are slow and cumbersome at the best of times. Then comes the small matter of extradition, which is also a long and complicated legal process.
Another reason why this occurs is because, as my colleague Melissa Hathaway has argued, for the past 30 years we have created a strategic vulnerability “by allowing poorly coded or engineered commercial-off-the-shelf (COTS) products to permeate and power every aspect of our connected society. These products and services are prepackaged with exploitable weaknesses and have become the soft underbelly of government systems, critical infrastructures and services, as well as business and household operations.” We have inadvertently engineered an easy path for cybercriminals and have connected everything we possibly can to the internet — creating a massive attack surface.
Adversarial state actors can engage in this manner without a corresponding consequence because it takes place in what Canada’s Strong, Secure, Engaged defence policy refers to as the “grey zone,” which exists just below the threshold of armed conflict. In the grey zone, adversarial states “rely on the deliberate spread of misinformation to sow confusion and discord in the international community, create ambiguity and maintain deniability.… By staying in the fog of the grey zone, states can influence events in their favour without triggering outright armed conflict.”
But, then, why is there a grey zone? Why would the international rules not be crystal clear on this? It is because strong states like it that way. A number of major state actors use the ambiguity to pursue their agenda and as a tool in geostrategic competition, and their preference is to maintain this tactical capability.
What can be done? First, as my colleague Michel Girard has argued, we need to develop a safety code for 5G (fifth-generation) technology. The infrastructure network to enable 5G should meet stringent security, health and safety standards. Governments and industry should jointly develop a “5G safety code” that sets the bar regarding security, health and safety requirements.
Second, like-minded states should band together to extract a cost from adversarial actors who seek to disrupt, undermine or steal prosperity from others. In the context of the COVID-19 pandemic, this malicious conduct toward health care institutions was reprehensible, and it cannot be forgiven or forgotten. The best way to curtail this behaviour in the future is to make sure there is a hefty price for engaging in it.
