The U.S. government has charged two citizens of China with cybercrime in connection with purported hacking of research into vaccines for the SARS-CoV-2 virus, but more than one speaker on a July 22 webinar said scientists involved in basic life science research at universities fail to appreciate the need for cybersecurity, a problem they may take with them to the private sector.
The U.S. Department of Justice said in a July 21 statement that a federal grand jury has indicted two citizens of the People’s Republic of China for hacking into the computer systems of a variety of organizations, including medical device and pharmaceutical manufacturers. Assistant Attorney General for National Security John Demers said research related to the COVID-19 pandemic is among the material of interest to hackers operating with the awareness of the government of the People’s Republic of China.
The July 22 webinar by Booz Allen Hamilton Corp., of McLean, Va., focused on cybersecurity for life science labs, a timely event given the news from the DOJ. Brian Fitzgerald, a software engineer at the U.S. FDA’s Center for Devices and Radiological Health (CDRH), said lab security has changed in the digital world, including at the FDA. Roughly 10 years ago, “it became clear that the engineering aspects” of CDRH’s computing infrastructure were in need of high-end computing capacity to deal with the variety of challenges imposed on the center’s IT infrastructure, Fitzgerald said.
Computers and computer systems were black boxes to the user in bygone times, largely because cybersecurity was a minor consideration, but with the addition of networking and other facilitating technologies, “those black boxes now need to be supported throughout their life cycles,” Fitzgerald said. That support must now extend to cybersecurity.
Lauren Pittenger, a senior associate at Booz Allen, said scientists are experts in a given field, and thus “they’re their own boss” and not always open to outside expertise. While lab computer systems are very similar to installations in other parts of an institution, the need to share data and resources with scientific collaborators “leads to a lot of homegrown work-arounds” to that infrastructure’s cybersecurity mechanisms. Thus, where cybersecurity is concerned, “the biggest hurdle is the culture of science,” and scientists have to be prodded to bring themselves into the 21st century where risk management is concerned.
Carrots and sticks both still work
Pittenger said one way to force a change in the way scientists handle cybersecurity is to tie the award of grants to updated cybersecurity practices. She noted that the U.S. National Institutes of Health has tied grants to completion of ethics training, adding that the competition for NIH grants is quite intense, hence researchers’ willingness to comply with such mandates. The smart manager realizes that a successful approach to the problem consists of “not just telling them they needed to make a change, but showing them [how], and providing a carrot for making that change,” she said.
Fitzgerald said some labs decline to update various elements of their software infrastructure, such as operating systems (OS), because these labs may run applications that are incompatible with an updated version of that OS. The notion of “reasonably foreseeable misuse” allows an examination of an IT architecture with an eye toward heading off any predictable risk, which is one of the central assumptions of cybersecurity. There are those, however, who might see the restrictions as arbitrary, Fitzgerald advised.
Even less-than-ideal systems must be updated to ward off minor cybersecurity risks, but Fitzgerald said a robust system will offer the user “cyber secure-ability.” Ad-hoc fixes to poorly designed systems might never be as secure as the user may need, but a flexible, well-designed system can incorporate modular security features to respond to new concerns arising from routine threat modeling. Fitzgerald said the vendor of these systems will have to support those devices throughout the product’s life cycle, adding that the additional costs can be amortized by the customer.
Dale Curtis, of Astrix Technology Group in Red Bank, N.J., said many companies in the life sciences have undertaken digital transformation initiatives in recent years, and communication is a particular point of concern. A cyberattack that shut down operations at a major pharmaceutical manufacturer imposed $1 billion in losses, he said, which qualifies as a catastrophic event. He said that the manner in which research invokes collaboration via cloud technologies invites cyber-events, and that the associated risks “are going to dramatically increase” in the years ahead.
Curtis also noted that the chain of risk includes external collaborators, whose systems might be vulnerable as well. Thus, vulnerability cannot be assumed to be an internal systems-only problem, he said.
Fitzgerald said one of the potentially under-appreciated aspects of cyber-risk is that industrial control systems can be taken over by outside entities. There is some network segmentation within organizations, and he said it is paradigmatic in some quarters that disparate IT functions are handled by separate computing systems. Many valuable trade secrets and much intellectual property are stored in systems designed for research, but these systems must be at least as secure as the systems designed for conventional administrative functions.
Cybersecurity culture shock awaits the academic researcher
The academic researcher who takes a job with government or industry “is not prepared for the culture shock that these [commercial or government] labs present to them,” Fitzgerald said. These non-academic settings are often quite reliant on cybersecurity quality management systems (QMS) that invoke a total life cycle approach. “It’s unusual for scientists to have experience with QMS,” he said, particularly older scientists, who have more limited exposure to computer systems in general and cybersecurity issues in particular. A graduate student from academe can be brought in to provide “reverse mentoring,” however.
Fitzgerald said cybersecurity intrusions are often from sources that won’t respond to a cease-and-desist letter, adding that these organizations may take such a letter and “post it on the wall as another success.” Reliance on law enforcement “will not cut it. You have to actually change your engineering to a principle of preventive engineering,” Fitzgerald said.