On Sunday night, the Department of Health and Human Services was hit with a cyberattack. This incident is the third in a string of cyberattacks that show malicious cyber actors are not slowing their assault on our public health system despite the global coronavirus pandemic. In the last week, the Brno University Hospital in the Czech Republic was hit with a ransomware attack and the Champaign-Urbana Public Health District’s website was also taken over by cybercriminals demanding payment. In the case of the Brno University Hospital, the attack caused all surgeries to be cancelled and all incoming patients to be re-routed to a nearby hospital. Cyberattacks at this time could make an already dire situation far worse.
The national security community has been slow to recognize cybercriminal groups as a national security threat. The growth in sophistication of ransomware campaigns suggests that the capabilities these groups possess are now on par with many nation states. Many people have expressed hope online that cybercriminals would empathize with those who are suffering and think twice before targeting hospitals. Unfortunately, hope is not a strategy. Their targeting of vulnerable critical infrastructure, like public health systems and hospitals, in a time of crisis demands that the threat posed by these groups be countered with the full weight that the United States can bring to bear.
The president’s National Cyber Strategy laid the groundwork for this approach in 2018, declaring that “All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States.” These instruments include the ones that are commonly used to punish malicious cyber actors—diplomacy, information sharing, financial sanctions, and law enforcement—and those that have largely thus far been withheld, such as intelligence and military (both kinetic and cyber).
Moving from high-level strategy to clear and direct messaging to deter cyberattacks on our hospitals in this time of crisis requires specific guidance. To that end, the president should issue a specific policy statement that makes clear that criminal attacks on our critical infrastructure will be treated as an armed attack on the United States. He should also direct federal law enforcement to give the investigation of these attacks the highest priority and require the intelligence community to assist law enforcement in attributing attacks to the individuals behind them.
The criminal community should understand that if the United States is able to attribute Chinese espionage operations to real names and faces, it can do the same for them. And while Chinese PLA officers enjoy the protection of the Chinese state, no criminal group without state protection will be beyond the reach of the United States if they target our public health systems.
If foreign governments are not responsive to requests for assistance, the U.S. government should be prepared to go outside the realm of law enforcement. Such a response should not be limited to in-kind retaliatory options. Last June, Israel bombed a building that was allegedly used by a group of Hamas cyber operatives. The United States should also be prepared to respond to cyberattacks with proportional kinetic military action if they result in the death of COVID-19 patients.
Given the difficulty of attribution and the existence of cybercrime sanctuaries, the rules of the game have been pretty clear—most cybercriminals could reasonably expect that their ill deeds would go unpunished as long as they didn’t go on vacation in countries that could extradite them. During a global pandemic, if cybercriminals impact the delivery of medical interventions, they should understand that they are playing a different game. When the U.S. government stands up from the table and flips over the board, there are no rules that protect you.