EDITOR'S Q&A

What Vaccine Supply Chains Must Do to Protect Against Cyberattack

January 21, 2021
Robert J. Bowman, SupplyChainBrain

The international coronavirus supply chain has become the latest target of cyber-espionage. The threat extends beyond pharmaceutical manufacturers to all of their suppliers and vendors, which provide potential points of entry for cyber thieves. In this conversation with SupplyChainBrain Editor-in-Chief Bob Bowman, Mike Hamilton, Chief Information Security Officer with CI Security, discusses what needs to be done to protect the entire vaccine supply chain from hackers.

SCB: Why has the international coronavirus supply chain become vulnerable to cyber espionage?

Hamilton: Number one, it's of intense value, and attempts to steal details of the vaccine and clinical testing are a way to get at your target by going in through an unlocked window. The other reason is a little more insidious. The fact that they've gone after, for example, a company that produces solar panels for trucks to provide power for refrigeration to keep vaccines super cold means they're trying to disrupt the ability for us to deliver the vaccine. It’s in the strategic interests of other countries for their citizens to get vaccinated, and for us to be flailing — to not have a sufficient delivery network, because that impedes our ability to make progress economically. It stalls everything.

SCB: So it’s not so much about financial gain in the traditional sense?

Hamilton: Right. There's not a bright line between state-sponsored cyber espionage and organized crime, where governments look the other way. Ultimately, if there are compromises of companies involved in that supply chain, they may get turned over to ransomware operators. It provides deniability for an event that was initiated by the state, because they can come back and say, "Everybody's getting hit by ransomware. It was the criminals. It wasn't us." That could be a secondary objective, but it’s complete speculation.

SCB: Have we seen anything like this in the pharma or vaccine supply chain during previous pandemics or epidemics?

Hamilton: Not to my recollection. Certainly there’s value in the intellectual property for pharma, which is pretty consistently under attack. But when there’s a global event like this, it's not so much about stealing I.P. They want a working vaccine. I understand the vaccine in Russia isn’t working out so well. Maybe they need to go steal another one.

SCB: Where are the biggest vulnerabilities? How are they getting in?

Hamilton: If you’re in the pharma industry, there are regulatory requirements that you need to meet, such as HIPAA [Health Insurance Portability and Accountability Act] and 21 CFR Part 11 [covering electronic recordkeeping]. The vendors that serve the industry have none. So the really sophisticated bad guys look for a service provider, manufacturer, or vendor to hit. There are some regulatory regimes that are trying to fix this. The more we can extend regulatory requirements from covered entities to their entire supply chains, the more we can start to move the needle.

SCB: How should all partners in the vaccine supply chain be responding to this threat right now?

Hamilton: Clearly they need to have a look at their own security, and try to align their organizations with a standard of practice. The one that's been devised to work for any sector is the NIST [National Institute of Standards and Technology] cybersecurity framework. It’s an outcome-based standard of practice. It doesn't say, "Have this control in place," and prescriptively tell you what to do. It says, "Make this outcome happen, and how you do that is up to you."

SCB: NIST also issues guidelines for Department of Defense contracting. Those are pretty tough rules, right?

Hamilton: Yes. That's an example of how a big purchaser, in this case DOD, is trying to regulate its supply chain using economic forces. It’s called the CMMC [Cybersecurity Maturity Model Certification]. If you want to make more money [as a contractor], you’d better show your security papers.

SCB: The CMMC now requires confirmation by a third-party auditor. Is there an equivalent in the vaccine supply chain, so that partners can have some way of assessing whether they’re following best practices in this area?

Hamilton: There are not. That is ground that's being broken by DOD. In the absence of auditable controls for pharma, everybody just kind of self-assesses, which is aspirational every time. A very simple methodology, in order of preference, is to ask your supplier for something like a HITRUST or ISO certification. Don’t have that? Show me your SOC 2 [Service Organization Control] Type II report, where you voluntarily had an independent accounting and auditing firm look at your controls. Don't have that? Show me a third-party assessment report, even an executive summary of that report, where an assessment was conducted against a standard that I recognize, like the NIST framework. Can’t show me any of that? Then here is my godawful questionnaire that's going to take you four days to fill out. Everybody has to show their security papers, and if a company is surprised by requests like this, that's a bad sign coming out of the gate.

SCB: Are there some lessons going forward on preventing attacks from happening in the future?

Hamilton: The best lessons are the ones that we discussed, which were created by HIPAA, to bring service providers for covered entities into the scope of the regulations. The regulatory requirements being applied to pharmaceutical development research industries are going to have to be extended to those supply chains. It’s an easy fix to make if they wanted to do that legislatively. But in the meantime, everybody's going to have to be proactive. There's always the ability to bring in market forces rather than straight-up regulatory requirements. That’s a better way to do it in a capitalist society. If we give you the opportunity to make more money by showing your security, there's a value proposition there that tells you that you need to invest in that security, because ultimately that's going to make revenue tick up.

Keeping the bad guys out of the network is very 20th Century. We need to manage the risk of these foreseeable events, and one of the ways to do that is to make sure that the product that you create is drawing on a supply chain that's as serious as you are.
