Contact tracing apps – Critical infrastructure cyberattacks

The Colonial Pipeline transports gasoline and other fuel from Texas to the Northeast and supplies about 45 per cent of fuel the East Coast uses for driving and flying. Picture: https://www.tennessean.com

Last week, we saw a real-world consequence of a successful cyberattack clearly highlighted with the closure of one of the US’ largest trans-continent fuel pipelines (from Texas to New York) because of ransomware.

Last Friday, Colonial Pipeline said a cyberattack had forced the company to proactively close down operations and freeze IT systems.

Third-party cybersecurity consultants were called in to assist.

This is one of the largest pipeline operators in the US and daily transports over 380 million litres or about 45 per cent of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies.

Details are scarce on how the cyberattack took place, and it is likely that this will not change until Colonial Pipeline and the third-party company brought in to investigate have concluded their analysis of the incident.

However, what did occur was a ransomware cyberattack, linked to the DarkSide group, that struck Colonial Pipeline’s networks.

It should be noted that DarkSide operators targeted the business side rather than operational industrial control systems, which implies the intent was money-orientated rather than designed to send the pipeline crashing down.

US President Joe Biden has also been briefed on the event, highlighting its seriousness.

As I have mentioned in earlier articles, critical infrastructure is mainly owned and operated by private companies. Critical infrastructure includes power, telecommunications, water and other utilities infrastructures.

This appears to be one of the largest and most successful cyberattacks on a critical component of a country’s infrastructure to date, but it is not the first.

In February, a cyber attacker attempted to add lethal levels of a chemical to the drinking water system of a city in Florida, and back in 2016, the city of Kyiv, in Ukraine, lost all power for a few hours due to malware.

Cyberthreats continue to evolve and, either way, this is unlikely to be the last time we see such severe disruption caused by cyber attackers just in it for the money.

A year ago, cybersecurity pros were warning people to exercise caution before downloading contact tracing apps aimed at combating the COVID-19 pandemic, which might be rushed out without adequate security protections.

The contact tracing apps, which were launched across the globe, like our very own careFIJI app, could provide useful information for governments and researchers trying to stop the virus’ spread and give people an early warning that they might be infected.

But they could also provide a trove of information for hackers if they’re breached – which risks exposing the personal details of people who tested positive for the virus and scaring people away from potentially critical tools to flatten the curve.

There was little time for security testing.

And the apps are dealing with potentially sensitive health and location data. Developers could miss basic security measures amid pressure to get the apps released as quickly as possible.

I must confess that even though I downloaded the careFIJI app last year, I never really used it until the recent community outbreak last month, which Fiji is still trying to contain.

The way some apps are built could make them an attractive target. And a compromise could potentially have huge data breach consequences.

Cybersecurity pros are especially concerned about apps that store large amounts of COVID-19 and other private data in a central location.

Those systems raise risks because they create a single target for hackers who could steal or expose reams of data that could be used to identify infected people.

The fear is that governments and companies might collect more information than they need to, keep it longer than necessary or use it for purposes unrelated to the pandemic such as sharing it with law enforcement – basically opening the door to pervasive state surveillance and privacy infringement, with potentially discriminatory effects.

Google and Apple, meanwhile, have developed a similar Bluetooth-based system that public health agencies across the globe can use to alert people who might be infected with the COVID-19 virus – but it stores all the data on people’s phones rather than sending it to an external server.

I prefer this method as there’s no central database of information for hackers to target – but it also limits how useful the information is for public health services trying to combat the virus’s spread.

Most of the contact tracing apps released by Western governments are limited to collecting anonymised information about users’ infection status and the people they’ve been in contact with.

To clarify, it’s important to identify what types of mobile data and application usage we are talking about.

They fall into three main categories: 1) understanding general population movement, 2) potential proximity to COVID-19 positive individuals and advice on measures for self-quarantine and 3) the collection of information from patients for statistical analysis.

In the case of determining potential proximity to COVID-19 positive individuals, these types of applications have been in place in several countries since the beginning of the pandemic, including China (Alipay Health Code) and Israel (Hamagen).

This has been particularly highlighted in Fiji’s recent COVID-19 community outbreak, with a lot of time and manpower being expended by government officials manually tracking possible infections from infected individuals not using the careFIJI app.

The data is then stored by mobile providers in a variety of places that must be secured, both to protect app users’ privacy and to prevent manipulation or spoiling of the data by a third party.

And given that data is sourced from different places, like repositories of GPS, Bluetooth and other apps on the device, different security arrangements by the source may need to be considered.

Collection of consent for tracking data on an individual level is indeed a cybersecurity and privacy challenge.

Today, most contact tracing apps are voluntarily downloaded and activated by users, but their use has been made mandatory by the Fiji Government, in addition to wearing masks in public.

The challenge is that these applications often need to be used by a certain percentage of the population to truly be of value in the fight against the virus.

This can tempt developers not to disclose the true purpose of an app.

A recent survey in Europe showed that around 80 per cent of the population in France, Italy and Germany was willing to adopt a tracking application during the COVID-19 pandemic.

However, if the app hides a type of data collection and sharing, then the consent given by an individual cannot be valid.

Apps must explain which data types are collected, how they are collected, and what is the goal behind the collection.

As an example, the Pan-European Privacy-Preserving Proximity Tracing team have explained clearly on their website that they do not collect any personal information such as addresses, phone numbers or geolocation.

The question then arises: how do you ensure developers respect the privileges their app has been granted by users and do not abuse them by operating outside of necessary tasks?

App developers should outline under what conditions data collected by the app may be shared or sold to third parties.

Third-party sharing limited to public health bodies, as an example, may be more palatable to the end-user than a sale of data to an unrelated third party.

App developers should also build in the ability to discontinue their use if national health authorities determine that the data they collect is no longer needed to address the pandemic.

Data retention and storage should also be guided by decisions flowing down from national health authorities.

Understanding the technology that users and providers are relying on to exchange information is the key to successful adoption.

Providers and policymakers will need to define the specific rules for each technology and its associated use.

The way technologies collect information is important when defining the how, the when and the why of using one technology over another.

Several technologies that support these uses around the world include:

  • GPS;
  • Bluetooth;
  • Video Surveillance (with or without AI); and
  • Mobile antenna location.

Each technology brings both advantages and limitations, and these must be taken into account when choosing the one which will correspond to the need.

As an example, Bluetooth presents limits to the availability of data collection since the device needs to have the application open and the Bluetooth setting on.

Selected features also can impact battery life—if the feature heavily impacts the battery, user adoption will be low.

The careFIJI app is remarkably low on both data and battery usage, but again this may vary depending on the age of your phone.

Most important is to properly secure the collected data. App providers need to ensure an appropriate level of security, possibly through the use of encryption, to avoid any data leaks and any data manipulation by non-trusted third parties.

Mobile providers should also be transparent about their choices regarding the technology implementation of their applications and how secure it is.

A user guide should be provided, as well as the compliance rules already put in place by international organisations and governments.

The facilitation of data protection rights, including deletion rights, must also be addressed at the outset.

End-users may have the right to request access to personal data that has been collected and to delete the data.

App developers must think through how they will receive, validate and action all these requests.

App developers are advised to work with their legal counterparts to understand evolving guidance from regulators.

Achieving a balance between providing a tracking app to maximise its impact in helping halt the virus’s spread, whilst ensuring there’s a stringent and tested security/privacy strategy in place, is quite a challenge.

As a renowned technologist pointed out – “Privacy is one of the biggest problems in this electronic surveillance age…” God bless you all and stay safe and secure in both physical and digital worlds during this lockdown!

  • ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
