The Perfect Enemy | Analysis | Covid-tracking program lacked bare minimum cyber protections
September 29, 2022

Analysis | Covid-tracking program lacked bare minimum cyber protections

Analysis | Covid-tracking program lacked bare minimum cyber protections  The Washington Post

Read Time:7 Minute

Welcome to The Cybersecurity 202! Volcanoes are amazing. I might see my first one in person during an upcoming trip.

Below: Researchers say a newly disclosed hacking campaign could be the work of contractors, and Android health apps share privacy data with advertisers. First:

A little-seen watchdog report revealed big cybersecurity shortcomings for an HHS program

The Department of Health and Human Services (HHS) failed to implement basic protections against hackers when it developed a system to track covid-19 data in 2020, according to an internal watchdog report it never made publicly available.

The inspector general report concluded that those failures before deployment of the HHS Protect program left it “susceptible to an unknown and possibly unacceptably high risk of failure or compromise from unintentional disruptions (e.g., man-made or natural disasters) or cyberattacks.” A successful attack could’ve hampered pandemic response, the report concluded.

Dated Nov. 2, 2021, the report got a public release of only its title two days later. My colleague Nate Jones obtained the full report last month under a Freedom of Information Act request, which cited “restricted, sensitive information” as the reason for its limited distribution.

The report also found similar failings in another, related HHS program called TeleTracking. But on Aug. 24 — the same day the inspector general (IG) delivered the report to The Washington Post — the IG rescinded the whole report. It cited unspecified inaccuracies in the part of the report that scrutinized TeleTracking.

Just last month, the leaders of the Cyberspace Solarium Commission (now known as CSC 2.0) wrote to HHS, citing concerns about how well it was helping to secure the health and public health sector.

“This indicates that the other half of their responsibility is equally challenged,” Mark Montgomery, executive director of CSC 2.0, told me, referring to HHS’s need to defend its own information technology. “To fix both of these elements is going to take a lot of senior leadership bandwidth.”

Specific failings

HHS Protect collects information such as case counts, hospital capacity, and population and demographic data from federal, state and local governments, as well as the health-care sector.

When HHS deployed HHS Protect in April of 2020, the program hadn’t completed work on some “foundational controls” on cybersecurity, according to the audit, which found that the department didn’t fully:

  • Assess the potential privacy impact of the program.
  • Identify threats and risks.
  • Provide an overview of security requirements and describe the protections in place to meet them.
  • Determine the potential impact of the program being disrupted.
  • Systematically evaluate it for vulnerabilities.
  • Write a plan on how to restore disrupted systems.

Furthermore, no agency official initially gave HHS Protect an “authorization to operate,” an explicit acceptance of the program’s risks to HHS operations. That final authorization arrived nine months later, and as of early last year, it also still hadn’t completed a risk assessment or contingency plan.

HHS did not answer requests for comment about whether it had addressed shortcomings identified in the report. According to the report, the HHS Office of the Chief Information Officer “explained that some cyber assessments had been conducted on an ad hoc basis before launch, and they believed based on their expertise that HHS Protect was secure when it was deployed. However, we could not verify that OCIO performed cyber assessments because documentation was not generated.”

All of this posed serious risks for HHS, the audit found.

“Although HHS had not reported a major incident for HHS Protect or TeleTracking during our audit period, HHS systems continued to be prime targets of cyberattacks,” the IG report reads. “If an attack had been successful, the systems or data could have been potentially destroyed or compromised and HHS may have been unable to restore the systems or data in a timely manner, which would have significantly hindered critical pandemic response efforts.”

But the report at least partially defends HHS for how it put the programs in place.

“Cybersecurity controls for both systems were not implemented before employment because HHS officials prioritized deploying the systems for operational use to achieve the agency’s mission of combating the covid-19 pandemic over meeting all the federal requirements before deployment.” 

One former government official who spoke on the condition of anonymity because they’re not authorized to speak publicly was less sympathetic. “Oof,” they said in a message to me about the lack of a privacy impact assessment. “That would’ve been a bare minimum for this system.”

The rescission

A spokesperson for the IG said they couldn’t discuss what was inaccurate about the TeleTracking audit. In the report, HHS rejected three recommendations from the IG, two of which recommended completing some of the cybersecurity safeguards for HHS Protect and another which did the same for TeleTracking. As of Nov. 2, the IG had defended its recommendations.

“We cannot provide further details at this time because the additional audit work is in progress and OIG does not discuss the details of ongoing work,” IG spokesperson Yvonne Gamble said.

Although the IG concluded that only the TeleTracking part of the report contained inaccuracies, “The auditing standards require that we rescind the entire report under such circumstances,” Gamble said.

Nor was there any correlation between The Post’s FOIA request being fulfilled and the rescission happening on the same day, Gamble said.

“The two events are not related,” Gamble said. “HHS provided information and documentation to OIG after the audit was complete. The rescission is based on analysis of that new information and interviews.”

Newly discovered hack could be work of government contractor, researchers say

The hackers, who researchers at SentinelOne’s SentinelLabs called Metador, targeted a Middle East telecommunications firm, journalist Kim Zetter reports. But the campaign left researchers speculating about who was behind the hack, with SentinelLabs senior director Juan Andrés Guerrero-Saade speculating that it could be a contractor working for a country.

“As for who may be behind the activity, SentinelOne says there aren’t enough clues to determine this,” Zetter writes. “Based on a few findings in the code, however, some of the operators and developers appear to speak English as their native language, others appear to speak Spanish. Additionally, build times for some of the malicious components suggest the developers may be based in the UTC+1 timezone. The latter encompasses many nations, but among those are the U.K. and Spain.”

Health apps share health concerns and identifiers with ad companies

Popular Android health apps give advertisers information they’d need to market to people based on their health concerns, Tatum Hunter and Jeremy B. Merrill report. Users have few digital data protections under the Health Insurance Portability and Accountability Act (HIPAA), and people consent to the apps’ practices when they accept their jargon-filled privacy policies.

Most of the data doesn’t directly identify people, but some is shared using “identifiers,” strings of numbers that are linked to devices. 

“But privacy experts say sending user identifiers along with key words from the content we visit opens consumers to unnecessary risk,” Tatum and Jeremy write. “Big data collectors such as brokers or ad companies could piece together someone’s behavior or concerns using multiple pieces of information or identifiers. That means ‘depression’ could become one more data point that helps companies target or profile us.”

Global cyberspace

Jamal Khashoggi’s wife to sue NSO Group over Pegasus spyware (The Guardian)

‘They are watching’: Inside Russia’s vast surveillance state (The New York Times)

Cyberattack steals passenger data from Portuguese airline (Associated Press)

Suspected Chinese hackers target Tibet media, politicians (Bloomberg News)

Proton CEO is shutting down India VPN servers to protest cybersecurity rules (The Wall Street Journal)

Cyber insecurity

Twitter discloses it wasn’t logging users out of accounts after password resets (TechCrunch)

Denver suburb won’t cough up millions in ransomware attack that closed city hall (The Denver Post)

Privacy patch

As facial recognition arrives in schools, Montana enters uncharted territory (Montana Public Radio)

Government scan

New review will examine NSA and Cyber Command’s ‘dual hat’ structure (The Record)

NSA shares guidance to help secure OT/ICS critical infrastructure (Bleeping Computer)

Senators Wyden, Warren urge NTIA to protect ‘highly sensitive’ domain registration info (The Record)

Industry report

Convicted Twitter spy says U.S hid whistleblower report (Bloomberg News)

  • Microsoft chief information security officer Bret Arsenault discusses cloud innovation and security at a Washington Post Live event Wednesday at 9 a.m.
  • The House Science Committee holds a hearing on artificial intelligence on Thursday at 10:30 a.m.
  • The U.S. Naval Institute hosts an event on cyberthreats and disinformation on Thursday at 10:30 a.m.
  • Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), the top members on the House Energy and Commerce Committee, discuss privacy legislation at a Washington Post Live event on Thursday at 11 a.m.

Secure log off

[embedded content]

Thanks for reading. See you next week.