Even with all the looming uncertainty surrounding the global COVID-19 pandemic, system security needs to remain at the forefront of companies’ planning.
Businesses around the world are shutting down under local, state or national decrees as COVID-19 fears bring caution regarding public gatherings. Unsurprisingly, hackers have used the unprecedented opportunity of chaos and panic to probe weaknesses in information technology systems. One of those systems happened to be the United States Department of Health and Human Services, making the act even more egregious, considering the circumstances.
But the problem extends beyond hackers and threats to companies and individuals. During times of crisis, civil liberties also come under threat, and cryptography often provides a shield against unwarranted encroaches by the government.
So, whether you’re a business worried about paying server and security costs during this economic turmoil or an individual protecting your digital assets, cryptography can serve you well.
Hackers will continue to be opportunistic
It’s an unfortunate byproduct of crises, but hackers can wield social, economic and financial chaos for their gain.
For example, hackers launched a distributed denial of service attack against the Department of Health and Human Services last month in a bid to slow down the COVID-19 response. The current narrative makes the hack seem distinctly malicious in its effort to make the pandemic response slower, but there is likely more to the story.
The surging number of cases and by extension the hoarding of medical data under a consolidated government system presents an opportunity for hackers to abscond with sensitive information. Moreover, when emergency responses elicit rapid reactions, much of the system’s security may be a patchwork of protocols not backend tested thoroughly.
For example, cases being uploaded from the field — such as hospitals, makeshift testing centers, etc. — to government servers that aggregate and display current COVID-19 metrics may contain serious security flaws due to the rapidity of their development. Applications developed by small teams to assist doctors in times of crisis may also not follow security standards, specifically the Health Insurance Portability and Accountability Act — commonly referred to as HIPAA — compliance laws, which are esoteric and outside the scope of most technology-focused engineers.
Hackers, looking for medical data that can be sold at a high value on black markets, likely view this as a gold mine. The hacking incident against the Health Department is probably not the first, nor will it be the last, of ongoing attempts to infiltrate prominent security systems.
Cryptography provides a useful layer of defense against such intrusions. Masking medical data identifiers and other sensitive information is possible with a variety of cryptographic standards available today. Many projects in the crypto sector explicitly focus on financial applications, but the cryptographic modules for protecting and verifying sensitive data translate to other industries, such as healthcare, very well.
That’s not to say that cryptography is a panacea to the ongoing fallout of COVID-19. In some cases, governments are covertly using the dilemma as a method to subvert encryption entirely, such as is occurring in the U.S.
Government surveillance covertly gaining favor among amid crisis
Hidden behind all of the headlines about the Federal Reserve interest rate, the S&P 500 tanking and COVID-19 cases was a proposed legislation effort that has profound consequences on the field of cryptography.
Known as the EARN IT bill, U.S. Congresspeople have proposed a bill that would effectively grant the U.S. government the ability to access “any digital message.” The bill would create a consortium of law enforcement agencies headed by the Justice Department that would institute a standard verification mechanism for any digital message. If the message does not use the standard “verification” of the government’s technology to authenticate the message, then the sending/receiving parties can be sued into oblivion.
Concerning cryptography, this is a disastrous bill. The proposed document cleverly avoids the explicit use of the word “encryption,” but its language indicates that cryptography would become illegal, as all messages cannot be private between two counterparties. The government gets a backdoor.
Encryption would become illegal by default because it preserves privacy and authentication of a message between two parties, preventing the ability of a third party to snoop on the message’s contents.
The bill is still in its early stages, but it shows, once again, that governments do not approve of widespread encryption use among the public. Whether it be the Clipper chip scandal of the 1990s or the subversive move by Congress that is masked by a national crisis, the government’s efforts are persistent.
Fortunately, cryptography — which is empirically just math — does not adhere to the caprices of hackers, governments or opportunities to subvert its influence. The grassroots encryption movement started by cypherpunks and bolstered by the crypto community has spread the technology to an extent that is unlikely to fade away at fiat decree.
For businesses enduring the turbulent COVID-19 situation, don’t forget to account for your security during these vulnerable times. As individuals, remember that cryptography is your friend in protecting your civil liberties during a public health crisis.