Hacking the vaccine: Three questions that boards and CEOs should ask to help prevent successful attacks

In the wake of the pandemic, how can the United States and other countries fight their way back to good public health and an economic recovery? Short answer: Develop enough doses of vaccines to be distributed and administered to millions of people without a hitch. 

That’s the ideal, but the SARS-CoV-2 vaccine supply chain is rife with logistical complexities. What’s more, the enormously valuable intellectual property and data on the vaccines, components and therapeutics are relatively easy for threat actors to take. In fact, nation-states are already attempting to steal vaccine formulae and disrupt operations. 

You are a potential target if you’re in the business of researching, developing, conducting trials of, manufacturing or distributing a vaccine against SARS-CoV-2, the virus that causes COVID-19. If you’re a player in the highly intertwined network of big pharma, biotech, contract development and manufacturing organizations (CDMOs), and health and clinical research institutions, you can take a number of steps to help prepare for potential attacks.

Your CEO and board are right to ask: Are we taking effective measures to protect against cyber and foreign-actor risks?

Here are three questions to discuss with your executive team

1. What are the evolving threats from nation-states and resulting risks to vaccine development and supply chain?

Nation-state actors are patient, persistent, well funded and sophisticated. They can destabilize the SARS-CoV-2 vaccine development and supply chain using a variety of techniques.

  • IP theft at research stage. More than once, white coats have been co-opted by black hats — academic research is subject to foreign influence via two conduits: personnel with ties to foreign governments or grants that are funded ultimately by foreign adversaries. Many research organizations are currently under investigation by the Departments of Justice and Homeland Security, and the National Institutes of Health.

    In addition, PwC threat intelligence analysts have observed preparations to target COVID-19 research organizations and vaccine developers. Threat actors Blue Kitsune (aka APT29, using WellMail), Blue Callisto and Black Banshee are staging command-and-control infrastructure to use against vaccine developers and manufacturers.
  • IP theft and disruption at the trials stage. In July, the US Justice Department indicted two foreign nationals for espionage in several industries. It alleged that the foreign nationals were finding ways to get into the networks of biotech and other firms that are known to be working on vaccines, treatments and testing technology in at least 11 countries, including the US. 
  • Manufacturing disruptions. Just a few days after receiving permission to start final-stage trials for a SARS-CoV-2 vaccine, one of India’s largest generic pharma companies reportedly suffered a cyber attack and had to shut down plants in a few countries. It’s reminiscent of the 2017 NotPetya attack — ransomware combined with tools to propagate itself across a network — which paralyzed hospitals, shipping, food manufacturing, postal systems, and banking, and caused a multiday shutdown of drug production at one pharmaceutical company. 
  • Low vaccine uptake and reputational damage. The public is skittish: In a September 2020 survey of Americans, 49% said they definitely or probably would not get vaccinated at this time. The historic speed of the vaccine development process and mistrust of the medical community among some Americans have contributed to increasing levels of vaccine hesitancy in the US. Enter nation-states that might mount disinformation campaigns to amplify doubt or to disparage a vaccine developer or manufacturer. The result would be tantamount to a manufacturing shutdown: stalled efforts to improve public health and the economy.

Takeaways for executive leadership: Work closely with your security chief, CIO, CCO and COO to identify the sites, systems, personnel and processes involved in vaccine development and manufacturing. Assess the risks and review your risk mitigation plan against the threat of nation-state actors. Enhance real-time threat intelligence capabilities throughout your supply chain. On foreign influence, work with internal audit/compliance and the general counsel to help close the gaps in your compliance program and reiterate your anti-bribery and anti-corruption policies.

Takeaway for the board: Understand the risks to the organization arising from these threats. Ask for regular communications from management on risks, defenses and response plans.

2. How well can you defend against the threats?

Many affected organizations are easy targets. What’s their Achilles’ heel? In our experience, weak controls are the source of significant risk. For many health research organizations, the extent of potential foreign influence through their international connections is a blind spot. In addition, manufacturing sites often operate outdated, unpatched or insecurely deployed systems. Flat and open networks, a lack of privileged access management, a lack of removable media controls, and vendor connectivity further contribute to insufficient resiliency.

Your ability to defend against nation-state attacks rests on the strength of your cybersecurity and anti-fraud and anti-corruption compliance programs, which may be daunting to shore up all at once. But you can start by focusing on these: 

  • Make it difficult for attackers to gain a foothold in your system — sharpen your threat hunting. Draw an overall picture of the attack surface and identify potential attackers, their motives and their ways of doing things. In addition, threat actors can exploit system weaknesses, misconfigurations and vulnerabilities to gain privileged access once they get into a system. Organizations should enhance privileged access management capabilities to include vendor remote access.
  • Reduce the likelihood of threat actors moving laterally in your system — segment network access. With network segmentation, you can better isolate an incident, reduce the attack surface and prevent the propagation of ransomware, for example.
  • Mind your entire ecosystem — manage third-party risks. Vaccine R&D and manufacturing activities rely on many third parties. Threat actors often use organizations with weaker cybersecurity protocols as a back door to the ultimate targets. Assess the cyber posture of third parties.

    And don’t overlook your physical and digital connections to hospitals, which have come under ransomware attacks by foreign-based cybercriminals. In fact, ransomware attacks have surged in 2020 in many industries, fuelled by an influx of new ransomware actors, the expansion of existing affiliate schemes, and the pursuit of higher revenues by established cyber crime actors.

Takeaways for executive leadership: Prioritize the three defenses above, keeping in mind that the attackers may be insiders. Set up real-time dashboards to monitor for unusual activity among researchers and employees, suppliers, business partners and stakeholders. Periodically report to the board on indicators of effective defense against intrusions and threats.

3. In the event of a successful attack, do you have a response plan in place? 

Any organization involved with vaccine research, trials, manufacturing, and distribution should have a crisis response and remediation plan. A good response plan includes these four elements.

  • Conduct incident response simulations. Conduct these exercises at the C-suite level, and preferably with the board, not just within the IT and security groups. Plan to remediate system and process gaps, with varying approaches for different types of attacks — phishing, ransomware and otherwise.

    If you don’t have a crisis center, you should set one up now to monitor and communicate threats, as appropriate, to stakeholders including the board.
  • Make it formal; name your resilience team. Think beyond crisis management, disaster recovery or business continuity planning; think resilience. An effective response plan needs a clear-cut leader who can quickly orchestrate the activities of functions scattered throughout the organization. Decide who ultimately governs the plan. Assign roles and responsibilities to people who can execute the resilience playbook.
  • Rehearse your resilience playbooks. Those without playbooks in place could take weeks or even months to recover from an attack — time we don’t have with SARS-CoV-2 vaccinations. Playbooks need to be rehearsed so that in a real-life crisis, team members can respond automatically and smoothly, almost like activating muscle memory.
  • Define how you’ll engage with law enforcement and governmental agencies. An attack by a nation-state is by default a national security issue, triggering potential involvement by the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) and others. The federal government has a substantial stake to protect because of its $11 billion investment in vaccine development through Operation Warp Speed. Establish a working relationship with the agencies — but retain full responsibility for communication to your customers, investors and other stakeholders.

    In the case of ransomware, work with law enforcement for safe and legal transfer of ransom payment, investigations and payment tracking; new guidance has cautioned against ransom payments inadvertently made to sanctioned criminal entities and adversaries. 

Takeaways for executive leadership: Think of the response plan within your resilience framework, and assess your resilience maturity. Make your plan transparent to executives, the board and business partners alike in order to engender trust. Engage the COO, CMO, CISO and CIO in developing and executing these strategies. Get the CFO’s buy-in for any spending or investment needed to mitigate the financial impacts of nation-state intrusions.

The bottom line: secure the vaccine

The stakes are high. Pharmaceutical and biotech companies are racing to capture the financial and reputational advantage of being first-to-market. Manufacturers are expecting the biggest contract manufacturing sales in recent history. To date, in addition to $11 billion in grants, there may be ten times as much in investors’ money riding on the outcomes. Stock prices for some competing companies are trading around record highs.

The pharmaceutical industry garnered a record high of 73% of interviewees globally who said they trust the industry, according to the Edelman Trust Barometer spring update. But some nation-states are likely attempting to steal IP, bring about disorder and create a level of mistrust. Pharmaceutical companies — the face of the world’s way out of the pandemic — need to lead the entire vaccine ecosystem to make sure the spring 2020 boost isn’t just a trust bubble.

Contact us

Nalneesh Gaur

Principal, Information Technology, PwC US

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Robbie Higgins

Principal, Information Technology, PwC US

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
