U.S. Government Issues Warning to COVID-19 Research Organizations

14 May 2020 Blog
Authors: Steven M. Millendorf
Published To: Coronavirus Resource Center: Back to Business Privacy, Cybersecurity & Technology Law Perspectives

On May 13, 2020, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Research Agency (CISA) issued an announcement urging organizations involved in COVID-19 research to be on increased alert against potential cybersecurity attacks. The announcement stated that actors from the People's Republic of China (PRC) have targeted, and potentially have compromised, organizations involved in COVID-19 research, including those researching potential treatments, vaccines, and tests, in an attempt to obtain intellectual property and health data.

The announcement notes that the increased attention an organization associated with COVID-19 research activities has received may result in increased interest by attackers seeking to launch a cyberattack. As a result, the announcement urges organizations conducting COVID-19 research to remain especially vigilant to insider and external cybersecurity threats. 

Although the announcement provides little evidence that the threats are unique to the PRC, it reminds us that cybersecurity attacks not only originate from malicious individuals and other organized hacking groups, but may also be launched by well-funded nation-state actors. Unlike individuals or organized hacking groups, who are often looking to monetize information or bring down an organization, nation-state actors may have additional motivations, including industrial espionage and other types of economic incentives. This is especially true for COVID-19 research, where the economic impacts of an organization’s research, if successful, may be significant and world-changing. The modification of information may drive research in the wrong direction, and the unavailability of data could set back advances at a critical time. Therefore, organizations should be on alert not only for attacks that impact the confidentiality of critical research data, but also for attacks that may impact the integrity or availability of this data.

The FBI’s warning should prompt organizations involved in COVID-19 research (or almost any organization) to review and update their security measures, including:

  • Actively scan your systems for unauthorized system or data access, modifications, or other anomalous activities.
  • Ensure that alerts issued by network security devices are promptly investigated and addressed. With an increase in external access due to “stay at home” orders leading to significantly more alerts, it is important to strike the correct balance between “noise” and alerts that may be an early indication of an attack. 
  • Review system configurations to ensure that reasonably detailed log files are being maintained for a reasonable period. These log files may indicate the origin and scope of an attempted or successful security incident. Organizations may need to take additional steps to preserve log files for cloud-based enterprise systems, such as O365. 
  • Patch all systems (including network devices) for critical vulnerabilities; prioritize systems based on the severity of known vulnerabilities, exposure to the public internet, and the criticality of the data stored or accessed by those systems. 
  • Identify and suspend access for any user who displays unusual activity.
  • Enable multi-factor authentication for all external access to the network where possible. This may be especially difficult with current shelter-in-place orders.
  • Enable multi-factor authentication for privileged access to the network and eliminate any external access where possible. 
  • Create regular, offline backups to defend against ransomware attacks and other similar attacks that may affect not only the confidentiality of data but also the availability and integrity of the data. 
  • Review access control configurations to ensure that users with access to the information systems have only the minimum privileges required to do their job functions. Pay close attention to service accounts that cannot be disabled.
  • Where possible, use data integrity technology to quickly detect unauthorized modifications to critical data. 
  • Malicious actors with physical access can destroy or contaminate research samples or use virus samples for terrorist activities. Restrict access to physical facilities that contain these samples to individuals who need such access. If visitors must be allowed access to facilities, only permit supervised access to the minimum area required.
  • Review your incident response plan to make sure that your organization can promptly and effectively respond to a security incident with diminished on-site staff. 

For more information about these security measures or in the event of a confirmed or suspected security incident, please contact your Foley relationship partner. CISA also offers additional web-based COVID-19 related cybersecurity resources.
