COVID 19: Security & Protection Concerns
In the week that the world started celebrating the news that not one but three experimental vaccines against Covid-19 have proved at least 90% effective at preventing disease in late-stage clinical trials, research into understanding how the Sars-CoV-2 virus, which causes Covid-19, interacts with the human immune system never paused.
There are plenty of questions still to answer about the Pfizer/BioNTech and Moderna vaccines and now the Oxford and AstraZeneca and how well they might protect the elderly, for example, and how long for? Which aspects of the immune response that they elicit are protective and which aren’t? Can even better results be achieved, with vaccines that target different parts of the immune system. However, one question that seems to be overlooked by the entire world whilst celebrating, is what security measures are in place to secure the research and development and to stop counterfeit copies that are not as effective or only replicate a % of the real vaccine? It certainly does not seem important for the organisations involved as the research and findings below evidence.
On 11th May 2020 Archer, the UK national supercomputing service that was collating Covid-19 research and developments, was breached reportedly by Russia and Chinese state sponsored groups stealing the IP and data.
Initially blamed for being targeted to be used for crypto currency mining, the rationale for the attack quickly became clear. $billions in research and developments in Covid-19. Archers homepage became Not Secure, unencrypted with no data integrity several weeks prior to the attack when its digital certificate was allowed to expire. Bizarrely, it remains Not Secure to this day and as a government managed supercomputer, defies all
rationale of security and remains a major target.
It was also in the weeks leading up to the Archer breach in May that our research discovered Oxford University was maintaining a Not Secure homepage. We continuously informed Oxford University that they were maintaining sub optimal internet facing domains and a homepage that was Not Secure in the same way Archer were. This was ignored for months. Although Oxford did not report a breach at this time, it is important to note they receive £100’s of millions in grants for research and work closely with Archer, as do many of the Pharmaceutical organisations.
With the further news of the Covid-19 vaccines we started researching the other Pharmaceutical companies to ensure they were not compromised facing the internet and to our disbelief, when we researched Pfizer. Our research discovered Pfizer are also running sub optimal internet facing domains. We quickly alerted the Board of Pfizer and have yet to receive confirmation or a reply.
Our research took us onto Moderna and AstraZeneca. The same situation of negligence of security facing the internet at Moderna and AstraZeneca confirms and shows a worrying systemic security issue that makes one consider, and question the motivation to secure, what could be considered the world’s most incredible development in many generations. Yet at every single organisation, security of IP and data has absolutely no consideration or focus.
The pharmaceutical sector is among the very highest of sectors targeted for cyber attacks and a Covid-19 vaccine may be the single largest development in modern times. So why is the research and development on vaccines open to cyber attacks and IP theft?
Andy Jenkinson is a thought provoking, challenging consummate professional and natural leader whose drive, energy and enthusiasm is not only infectious but inspirational ensuring everyone succeeds together as a group. Andy has a no nonsense attitude to security, be that internal PKI or internet facing and is renowned for his candour and straight forward approach. If you want security, you might not like what you hear, but you’ll love the results.