On 10 September 2020, in Germany, more than 30 internal servers of the University Hospital of Düsseldorf were hit by a cyberattack, which crippled the hospital’s systems and caused emergency patients to be turned away. In the midst of the global crisis arising from the COVID-19 pandemic, the hospital was forced to route patients to other facilities for care. German authorities subsequently launched an investigation to determine whether the death of a re-routed patient had resulted from delays to her treatment because of the cyberattack; if this was found to be the case, the death of the patient would be the first known fatality directly caused by a ransomware attack. This attack was not an isolated incident. During the pandemic, malicious cyber actors are also known to have targeted the Paris hospital system; medical clinics and healthcare agencies in the US; the World Health Organization (WHO); COVID-19 treatment and vaccine research institutions; and other healthcare entities.
Such incidents are reminders of the constant threat that cybercrime and other malicious cyber activity presents to countries’ national, economic and human security. And these threats are nothing new. Cybercrime was already accelerating rapidly and evolving in most parts of the world before the COVID-19 pandemic, and the virus has only served to provide perpetrators with new opportunities and vulnerabilities to exploit for a variety of motivations. The stakes are perhaps higher now, in terms of how such crimes will impact national governments as they struggle to blunt the spread of both a deadly infectious disease and its resulting economic effects. Thus, cybercrime has been thrust into the spotlight as a threat to which more attention needs to be paid, across all sectors in all societies. In the long term, there are a number of questions about how the rise of cybercrime linked to the pandemic will impact developments that were already under way before the onset of the pandemic. In particular, COVID-19-related cybercrime, and the global attention being paid to it, may have lasting implications for global cybercrime cooperation and for internet governance more broadly.
Cybercrime in the pre-COVID period
Cybercrime was a persistent and often transnational threat before the COVID-19 pandemic hit. The ubiquity of technology and the growing rates of internet connectivity, coupled with the continued development of new technologies that allow for anonymity, have made cybercrime a low-risk, high-reward venture for a wide spectrum of state and non-state actors. Legacy technology used by critical infrastructure and a lack of adequate investments in cybersecurity in certain parts of the world have also exacerbated the problem. The professional services firm Accenture found that the average cost of cybercrime for companies (across 11 different countries and 16 different industry sectors) increased by some 12 per cent in 2018, to a new high of $13 million, from $11.7 million in 2017. The same study also estimated that the total economic value at risk from cybercrime around the globe may be as high as $5.2 trillion in the five-year period 2019–23. It found that the techniques used by non-state and nation-state actors to commit cybercrimes were evolving, with perpetrators increasingly using ‘people-based attacks’ such as phishing or other forms of social engineering attacks. The boundary between state actors and non-state cybercriminals was also increasingly blurring, as states abetted and in some instances directly employed non-state cybercriminals and/or their tools to advance their objectives.
Law enforcement has struggled to keep up with this dynamic threat, resulting in a significant global cyber enforcement gap that allows cybercriminals to operate with near impunity. For example, the think-tank Third Way estimated in 2018 that only three in 1,000 reported cyber incidents in the US saw the arrest of one or more perpetrators. While the extent of the entire global enforcement gap is unknown, the rates of arrest are not much better in a broad range of countries. There are numerous technical, operational and strategic challenges that have contributed to this gap, including significant hurdles related to the collection, handling and transfer of electronic evidence. The fact that cybercrime investigations often require intensive cooperation within and across borders presents particularly thorny challenges. This gap has resulted in a perception among certain publics that, while governments have the legal authority to bring malicious cyber actors to justice, law enforcement will rarely be able, or willing, to try to do so. This may be, in part, due to the lack of capacity and capability among criminal justice actors on cybercrime and digital evidence. This leads to decreased public trust in the ability of law enforcers to secure justice for victims, which can hinder reporting.
Cybercrime during COVID-19
While cybercrime was continuing to increase and transform before the COVID-19 crisis, some data now indicate that the pandemic has only made things worse, at least at certain points. Europol (the European Union Agency for Law Enforcement Cooperation) noted that with a record number of people staying in their homes and relying even more on the internet for daily activities including work, education and leisure, ‘the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied’. According to one study published in March 2020, 88 per cent of US organizations had encouraged or required employees to work remotely. In addition, social media usage rates have spiked. Such shifts have created a large pool of individuals, businesses and even public officials who are increasingly using online communication, often with less stringent cybersecurity measures in place than would be employed in an office environment. This provides cybercriminals with an unprecedented number of victims to target.
As well as having a growing number of potential targets, cybercriminals have customized their tactics, techniques and procedures (TTP) to the COVID-19 crisis, often exploiting people’s fears about the pandemic to their advantage. INTERPOL (the International Criminal Police Organization) found an increase in the detected number, reported by global law enforcement entities, of malware and ransomware campaigns using the COVID-19 pandemic to access and infect computers. Among the many examples of how cybercriminals are exploiting fears about the virus to conduct business are phishing campaigns or malware distribution through websites that have the appearance of being legitimate sources of information about COVID-19.
Social engineering has been key to the success of many cybercriminals seeking to exploit the pandemic. While this was already a technique used by cybercriminals before COVID-19, the cybersecurity company FireEye found that: ‘COVID-19 is being adopted broadly in social engineering approaches because it has widespread, generic appeal, and there is a genuine thirst for information on the subject that encourages users to take actions when they might otherwise have been circumspect.’ Business email compromise (BEC) attacks, in particular, are expected to continue to increase in frequency during the current crisis. These are a type of fraud that typically targets anyone who performs legitimate fund transfers. In April 2020 the US Federal Bureau of Investigation (FBI) noted that there had been an increase in BEC targeting municipalities purchasing COVID-19-related equipment and medical supplies.
The above factors are reported to have resulted in an overall acceleration of cybercrime as the COVID-19 crisis took hold. As early as April 2020, the FBI reported that complaints of cybercrime had increased up to fourfold compared with the months prior to the pandemic. By mid-2020, the US Secret Service estimated that $30 billion in COVID-19 relief funds would be lost to cybercrime. The UN Under-Secretary-General and High Representative for Disarmament Affairs told an informal meeting of the UN’s Security Council that there had been a 600 per cent increase in ‘malicious emails’ during the crisis. In addition, the member states of Europol reported an increase in the number of attempts to access illegal websites featuring child sexual exploitation material. However, some data indicate that the dramatic spikes in cybercrime recorded at the beginning of the COVID-19 crisis may be starting to level off.
Broadly speaking, the types of threat actors that are conducting malicious cyber activity in the COVID-19 era are thought to be similar to those conducting such activity before the outbreak of the virus. Criminals, criminal organizations, nation states and state-backed actors are perpetrating malicious cyber activity with a variety of motivations during this crisis. For many non-state criminals and criminal organizations, the proliferation of potential victims has been a boon for their financially motivated cybercrime businesses. For states and state-backed actors, the motivations are often quite different. Advanced persistent threat groups (APTs) receiving direction and/or support from states are targeting critical infrastructure, including hospitals and vaccine development labs. It is widely suspected that they are motivated by a desire to gain access to valuable information about COVID-19 response efforts and research. WHO reported in April 2020 that it had seen a fivefold increase in cyberattacks, with at least some of these incidents believed to be linked to hackers connected to the Iranian government. The UK, the US and Canada have publicly accused APTs associated with the Russian government of targeting vaccine research and development organizations. Similarly, US authorities have accused actors affiliated with the Chinese government of being behind cybercrime and other forms of malicious cyber activity perpetrated against organizations conducting research related to COVID-19.
While the threat actors remain largely the same, the risks posed to certain sectors during the COVID-19 crisis by a cybercrime incident or cyberattacks may be even greater. In particular, although the healthcare sector was already a major target for cybercrime before the pandemic – particularly through ransomware attacks, where victims’ data or systems are held hostage until victims pay a ransom, as happened in the 2017 WannaCry attack on the UK’s National Health Service – a disruption or complete shutdown of a hospital treating patients, or of a research institution working to find a vaccine and treatments, could be tremendously destabilizing to entities already under unprecedented strain. For a hospital, a successful attack could mean days or even weeks of being offline, and there is a risk that recovery efforts could inhibit a medical facility’s ability to provide rapid, life-saving care to patients, as already demonstrated in the case of the attack on the University Hospital of Düsseldorf in March 2020. INTERPOL has already reported a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are striking at healthcare providers and medical facilities as a means of targeting a sector that has lagged behind in its cybersecurity capacity – at a time when an institution may be most willing to pay a ransom in order to recover quickly from an attack. In addition, insurance companies have, in some cases, been reported as having advised entities in the healthcare sector to pay a ransom instead of incurring the substantial recovery costs in the event of an attack, despite law enforcement guidance in certain countries against doing precisely that. While targeting the healthcare sector is not a novel approach for cybercriminals, the stakes for such attacks may be significantly higher in the context of the current pandemic.
Taken together, these factors have put cybercrime in the spotlight during the COVID-19 crisis as a threat impacting countries and their people around the world. Combating this threat will require strong cooperation within and across borders. Already, a number of cooperation mechanisms have been set up since the outbreak of the coronavirus in order to deal with the rising cybercrime challenge that transcends national borders. For example, the COVID-19 Cyber Threat Coalition was established to bring together cybersecurity practitioners who have volunteered their time to share cyberthreat intelligence. Another entity, the CTI League, connects the cybersecurity community to law enforcement agencies, with the particular purpose of protecting life-saving sectors from cyberattacks during the course of the COVID-19 crisis. The League produces intelligence feeds, analyses attacks, and works with relevant agencies to ‘take down’ cybercriminals. Governments are also enhancing and establishing new mechanisms to boost cooperation between criminal justice actors. In the US, the FBI established a COVID-19 Working Group in March 2020; this comprises hundreds of personnel, and is dedicated to boosting the investigation of and response to COVID-19-related crime. In June, Europol announced the launch of the European Financial and Economic Crime Centre (EFECC) to support EU member states and EU institutions on issues related to financial and economic crime, noting that law enforcement authorities would need more support to follow the ‘money trail’ as part of their investigations into cybercrime and other forms of crime. Multilateral organizations such as INTERPOL and the UN are also boosting their efforts to educate participating countries on COVID-19-related cybercrime.
The long-term impacts of COVID-19-related cybercrime
While the long-term impact of the COVID-19 crisis on the evolving threat of cybercrime cannot yet be assessed, there are several pressing questions about how the developments seen during the pandemic will affect global cooperation on cybercrime, on a number of levels. Policymakers, practitioners and advocates will need to pay close attention to these issues in the near future.
First, will the mechanisms and networks that have been established in response to the rise in cybercrime be leveraged and institutionalized in the long term to sustain progress on cybercrime cooperation? While governments are rightly focused on trying to slow the spread of the coronavirus and blunt the pandemic’s economic impact (and as law enforcement authorities themselves are directly impacted by the virus), the capacity to attribute, disrupt and bring to justice the activities of cybercriminals and to impose consequences (both punitive and deterrent) on other malicious cyber actors may be weakened at a time when cybercrime remains tremendously high under any measure and the perpetrators continue to evolve in their TTP. The private sector can – and does – play a big role in working with criminal justice actors to identify cybercriminals and disrupt their infrastructures, but only governments have the legal authority to prosecute and bring them to justice. Cooperation between the public and private sectors on cybercrime is therefore vital, but this has historically been subject to significant challenges, including issues around trust and communication. Similarly, cooperation between criminal justice actors within and across borders has been impeded by a number of factors, including issues around capacity building and harmonization of laws. Progress in cyber enforcement will require better cooperation within and between these sectors, and the new mechanisms and networks that have been established in response to COVID-19 cybercrime may prove to be enormously helpful in addressing the challenges that have always existed in facilitating greater cooperation. But it is unclear whether – beyond the context of the pandemic as the unifying factor binding the critical relationships and networks together – these positive steps can be sustained in the long term in a way that is both inclusive and underpinned by the necessary resources and political will.
Second, and somewhat related, is the question of what – if any – impact the cybercrime developments arising from the COVID-19 crisis might have on trends in government actions that were evident before the pandemic, and that could hinder longer-term progress on public–private cybercrime cooperation. For example, prior to the pandemic a number of governments were taking steps to pass anti-encryption laws and mandate exceptional access to encrypted technologies, in the face of strong opposition from many technology companies. In 2018, the Five Eyes intelligence alliance committed to a Statement of Principles that encouraged information and communications technology (ICT) service providers to establish ‘lawful access solutions’ to their products and services, and highlighted that they would take steps to achieve solutions to the issue of encryption if they continued to be impeded. This declaration was further strengthened in a statement issued in October 2020, with the addition of India and Japan as signatories. Also in 2018 Australia moved the process forward by adopting legislation on access to encrypted communications; and other governments are attempting to follow suit. Some observers in civil society have argued that not only do these moves to weaken encryption raise alarm bells for their potential impact on privacy and human rights, but they could undermine national security. These efforts have been met with strong opposition from technology companies, whose cooperation with the broader public sector is critical to making progress in reducing the global cyber enforcement gap. However, law enforcement authorities in many countries have argued that, in the absence of a solution to the issue they call ‘going dark’ (the encryption of data that can impede investigations), their ability to investigate cybercrime and other threats will continue to be hindered. 
While this area of contention is not new, the fact that the pandemic has cast further light on the continued rise and evolution of cybercrime makes it possible that governments could double down on their argument for further action against encryption. Given the divide between the two sides on this and other issues, this could mean a tremendous challenge to the public–private relationships that are ultimately critical to reducing the global cyber enforcement gap.
Third, what impact will these developments have on broader efforts towards building consensus and promoting cooperation between governments on behavioural norms for nation states in cyberspace? Before the pandemic, a number of multilateral processes were under way to develop and enhance the so-called ‘rules of the road’ guiding responsible state behaviour in cyberspace. These efforts have attempted to set parameters for what is and is not acceptable cyber behaviour for states, and to promote voluntary, non-binding norms on cooperation in cybercrime investigations – as enshrined through the Council of Europe’s Convention on Cybercrime. In response to cyber operations conducted, directed or sponsored by nation states during the pandemic, a number of governments have called for established cyber norms to be updated. The Netherlands, in particular, has called for norms restricting the intentional damage of critical infrastructure to be enhanced specifically to reflect attacks on the healthcare sector. There has historically been wide disagreement, when it comes to cyber norms, between governments that support an open, free and secure internet, and those with a more authoritarian view of internet control. This fragmentation has been evident in a number of areas of concern, including in debate on the applicability of international law in cyberspace, which led to the eventual breakdown of the 2017 UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. Similar divides were seen during the 2019 vote in the UN General Assembly on whether a new global convention on cybercrime should be negotiated. However, as certain countries are now being accused of violating agreed norms, and with the increasing blurring of the boundary between state and non-state cyber activity, the gulf between the two sides will likely only continue to widen. 
This could ultimately hinder progress in building some consensus across the international community on future cyber norms. Furthermore, it could impede practical cooperation across borders on cybercrime and other cyber-related issues.
Conclusion
The threat of cybercrime is not a phenomenon unique to the context of COVID-19. Indeed, the dramatic spikes seen at the onset of the pandemic may already be moderating. Yet both cybercrime and the enforcement gap were running at unacceptably high levels before the pandemic, and have continued to do so throughout the crisis. While the actors perpetrating malicious cyber activity have largely remained the same, they have continued to evolve in their approaches to take advantage of the pandemic context and exploit a pool of potential victims that has ballooned exponentially. The possible consequences of cybercrime are, arguably, higher now for some sectors than ever before, as the world grapples with the dual task of stemming the spread of the virus and mitigating the grave economic consequences of the pandemic. Imposing effective punitive measures on the different types of perpetrators engaged in cybercrime will require intense cooperation within and across borders and between different sectors. The COVID-19 crisis is likely to impact this cooperation in many different ways, not all of which may be for the better. However, the attention currently being paid by policymakers to the extent of the threat of cybercrime, as a result of the spikes seen at the beginning of the pandemic, can – and should – be harnessed to move forward policy changes aimed at fostering greater collaboration across and within borders. Ultimately, it will be a missed opportunity if any progress, galvanized in the context of COVID-19, in global cooperation to tackle cybercrime is not maintained for the long term.