Novel Threats is a series of brief conversations with fellows and affiliates of the Reiss Center on Law and Security exploring the intersection of the coronavirus pandemic and key national security challenges.
Judi Germano on Coronavirus, Cybersecurity and Misinformation
July 1, 2020
Judi Germano is a Non-Resident Senior Fellow at the Reiss Center on Law and Security, a Distinguished Fellow at the Center for Cybersecurity, and an Adjunct Professor of Law at NYU School of Law. She is a nationally-recognized thought leader on cybersecurity governance and privacy issues. Judi also is the founder of GermanoLaw LLC, advising public and privately-held companies on cybersecurity and privacy matters. A federal prosecutor for 11 years, Judi supervised and prosecuted complex criminal cases of national and international impact, involving cybercrime, securities and other financial fraud, corruption and national security. She serves on the advisory board of Truepic, a photo and video verification platform.
A global crisis like the coronavirus pandemic presents ample opportunities for both the inadvertent and purposeful spread of misinformation via technology. What should countries like the United States be doing to confront this issue, both at home and abroad? What if misinformation comes from senior government officials themselves?
A global crisis heightens the critical need to provide the public with accurate information to reduce risks and protect health and safety. Yet amidst the COVID-19 pandemic, we currently face an “infodemic” of misinformation (inadvertently spread) and disinformation (deliberately spread). This causes confusion, dilutes the seriousness of the crisis and marginalizes the sound and essential guidance of credible medical experts. Social media has been used aggressively throughout this crisis to share mistaken understandings, spread disputed and unverified facts and advance pernicious disinformation campaigns. Polarized media outlets that unduly politicize what and how they cover the pandemic further promulgate this misleading messaging and the ensuing confusion. Tragically, amidst this conflict and confusion, the COVID-19 death toll also has continued to increase.
To confront this serious problem of misinformation and disinformation, the public and private sectors should prioritize the availability and dissemination of clear and verified information regarding COVID-19 from credible medical and scientific experts. Given the speed and volume at which information is available online, and the vast amounts of false and misleading information disseminated, content authenticity measures are needed to identify and flag false or misleading facts as well as manipulated images and videos. Technologies such as artificial intelligence (AI) or machine learning and image verification technology are valuable tools for authenticating digital information.
When correctly and consistently applied, these tools advance fundamental First Amendment rights, enabling consumers of information to access greater knowledge, and evaluate the veracity of information, in less time, to make better informed decisions regarding online content. Content authenticity efforts can, and indeed must, be done in a way that does not erode or suppress the freedom to express and debate controversial ideas and opinions. They also should be applied consistently and universally, regardless of personal viewpoints or whether the misinformation is offered by an unknown speaker, organization or world leader. When senior government officials promulgate disinformation, it is important to flag and challenge those falsehoods; national and world leaders should not be afforded greater license to deceive.
The current global health crisis demonstrates the essential need to verify online content, including statements from public and private sector leaders, because false and misleading information can, literally, be deadly. AI/machine learning algorithms, image authentication technology, and human review designed to flag false information regarding COVID-19 should evaluate statements for factual and scientific accuracy, not political ideology, and should be designed carefully to overcome the potential for bias.
On May 28, 2020, the Office of the President of the United States issued an Executive Order (EO) that stated: “Free speech is the bedrock of American democracy.” As to that fundamental First Amendment right, I do hope parties across the political spectrum continue to agree. The best way to address the proliferation of misinformation and disinformation, consistent with the First Amendment, is not to suppress unpopular or antithetical ideas, but to provide a context of verified facts and authenticated images. Yet the EO was issued immediately after Twitter added a fact-check label to one of the President’s tweets criticizing California’s mail-in voting plans. The EO criticizes online platforms for conduct including “‘flagging’ content as inappropriate,” and seeks to create avenues for the government to punish internet intermediaries who do so, including by imposing civil liability and withholding federal advertising dollars. I am concerned that the EO, despite being titled “Preventing Online Censorship,” makes a dangerous misstep toward censorship by hindering necessary efforts to stop the spread of disinformation online.
Individuals and organizations who identify false and misleading information, and refer readers to verified facts, should be entitled to do so without threats of retaliation, censorship or government action aimed at silencing opposing political views. And content verification flags must be applied not just to one particular individual who spreads dangerous misinformation or disinformation, but to all statements offered as fact that promulgate falsehoods, endanger public health and safety and incite violence.
The COVID-19 crisis escalates the need to develop and apply content authenticity efforts in a consistent and apolitical way. With the constant influx of tremendous amounts of information, and the rapid-fire discourse of senior government officials and others, available technology is a valuable means to discern verified and unverified facts, and authenticate images and user accounts. This enables individual consumers of that information, regardless of ideology, to better evaluate the integrity of statements and make their own informed decisions about the information that is disseminated. That is not censorship or an encroachment on free speech. It is using technology to empower the public with truth.
Some of your previous work has focused on the cybersecurity of critical infrastructure. Could you speak to the cybersecurity of healthcare and hospital systems, which are at the frontlines in confronting this crisis?
The attack surface of the healthcare sector generally, and hospital systems in particular, has continued to grow and is of serious concern. This is because of the increased digitization and availability of electronic patient health data, as more information is now online, and organizations increasingly rely on telehealth options and virtual patient connectivity. Also, medical systems are increasingly automated and thus vulnerable to cyberattack.
The hospital sector has seen a rise in ransomware attacks that cripple operations as well as data exfiltration and a steady increase in unauthorized access to patient health data. On April 4, 2020, INTERPOL (the International Criminal Police Organization, which has 194 member countries worldwide) issued a fraud alert warning that it detected a significant increase in the number of ransomware attacks against hospitals and other organizations at the forefront of the global response to the COVID-19 pandemic. These attacks seek to lock critical systems, rendering them unavailable, and also prevent access to electronic data, in an attempt to extort payments. Moreover, the U.S. Department of Health and Human Services’ Office for Civil Rights reported a significant increase in healthcare data breaches from 2018 to 2019, with 510 healthcare data breaches (each affecting 500 or more records) in 2019. In 2019 alone, healthcare records of 12.55% of the population of the United States were compromised.
To address these growing concerns, among other necessary protections, it is essential that sensitive patient data is encrypted, access to data and systems is restricted, systems are regularly patched and updated, important files are frequently backed up and stored independent from the system (so a compromise of the system would not also compromise the backup), multi-factor authentication is available and enforced and system activity is monitored and logged to detect and track potential security events. These measures are best put in place before a crisis, but in any event are basic measures of good cybersecurity hygiene that are necessary to help protect hospitals and other healthcare institutions.
With so much attention on the pandemic crisis, do you worry about any particular cyber blind spots on which we also need to be maintaining focus?
We have a disconcerting gap in our approach to cybersecurity: The United States lacks a national quarterback empowered to handle cybersecurity preparedness and response at the top levels of government. Cyber threats are diverse, the potential harms for our government and country are enormous, and cybersecurity is a nonpartisan issue that must be a priority. We need a strong cybersecurity leader with bipartisan support who has authority over cybersecurity issues and budgets, brings together the diverse agencies and stakeholders responding to cyber threats, and is positioned to coordinate an effective, comprehensive and swift national response to an attack. The absence of this role is a blind spot, or more accurately a gaping hole, in our national strategy.
Also, the COVID-19 pandemic necessitated a rapid and unprecedented move to a global, remote workforce. This greatly widened the threat landscape for public and private sector organizations and increased the already vast opportunities for cyberattacks. Many entities lack the technological capabilities and governance protocols for supporting this swift transition in a sufficiently secure way. Also, people hungry for information regarding the crisis, lonely for social interaction or bored due to social distancing and quarantine requirements may be more vulnerable to cybercrime, including by clicking on dubious links that contain malware and falling prey to social engineering schemes. While attention and resources are focused on survival of people and businesses, it remains essential for individuals and organizations to continue to be vigilant as to cybersecurity. The public and private sectors must prioritize ways to protect individuals, information and systems in the current, remote work environment.
Another continuing concern is the impact of cyber threats on critical infrastructure operations, systems and data. Significantly more work needs to be done to improve cybersecurity, business continuity and resiliency as it pertains to critical infrastructure, including, among others, the water, energy, transportation and healthcare sectors. This requires federal, state and local leaders and private industry to collaborate in a productive and meaningful way. Vulnerabilities also increase as we continue to bring more products to market as part of the Internet of Things (IoT), with an estimated 31 billion IoT devices expected to be installed during 2020. This includes wearable devices and home health monitoring devices that allow real-time monitoring of patients’ health, including glucometers; insulin pens; scales; inhalers; and heart rate, blood pressure and asthma monitors. Many developers and end users have failed to sufficiently account for the security risks and privacy implications of IoT solutions and apps. We need to maintain focus, from a technical, policy and legal perspective, on these critically important areas.