In the U.S. and Israel, new urgency in battle against cyberattacks

Israeli physicians scramble in wake of ransomware attack at Hadera hospital, as global security threat ‘escalating’

When an Israeli hospital was thrown offline last week, sending it back to the pre-digital age of pen and paper, the country was forced to grapple with what its National Cyber Directorate described as a major ransomware attack — a challenge that many countries have had to tackle in recent years.

At the same time as Israeli doctors were contending with the ramifications of the significant blow to their health system, the White House National Security Council was convening a virtual conference on the topic of countering ransomware. Over 30 countries, including Israel and the United Arab Emirates, participated.

Among the recent events that triggered the meeting was the May ransomware attack on the Colonial Pipeline, which caused a shutdown of the U.S.’s largest fuel pipeline system for five days. Colonial Pipeline paid the requested ransom (75 bitcoin, or nearly $5 million) to the hacking group DarkSide, believed to be based in Eastern Europe, which has since claimed to have shut down. Due to its status as a government-owned hospital, the Israeli Hillel Yaffe hospital in Hadera, where the ransomware attack took place, was reportedly barred from paying a similar ransom.

As the world has become ever more dependent on the internet since the outbreak of the COVID-19 pandemic a year and a half ago, the threat of cyberattacks is higher than ever.

“We’re all very vulnerable, and especially as our dependence on cyberspace and our digital identities becomes greater and greater, our vulnerability to cyberattacks is liable to increase,” Deborah Housen-Couriel, the chief legal officer for Konfidas, a cybersecurity company based in Tel Aviv, told Jewish Insider.

A joint statement released at the NSC conference’s conclusion said the participants recognized that ransomware is “an escalating global security threat with serious economic and security consequences.”

“As with other cyber threats, the threat of ransomware is complex and global in nature and requires a shared response. A nation’s ability to effectively prevent, detect, mitigate and respond to threats from ransomware will depend, in part, on the capacity, cooperation, and resilience of global partners, the private sector, civil society, and the general public,” the statement read.

“This is an important development,” said Housen-Couriel, who — at the same time as the White House conference was underway — was participating in a panel discussion on cyber abuse, security and defense at a conference held by the University of Chicago’s Pearson Global Forum.

“It’s the first time that there’s been such an initiative to specifically address the use of ransomware internationally,” she remarked.

Amit Ashkenazi, legal advisor of the Israel National Cyber Directorate (INCD), was part of the Israeli contingent that participated in the conference. “The fact that we have like-minded countries around the table helps us talk about something that we at the INCD have been talking about over the last few years, more openly,” he told JI.

He said the effort can help reduce barriers between countries when it comes to information sharing and recovery techniques, and can create technical, legal and policy vehicles to enable swift cooperation.

A joint announcement by the Ministry of Health and the INCD on Sunday said the ransomware attack had spread to additional unnamed hospitals, but that early assessments and a quick response from the center and teams on the ground halted the attempts and no damage was done.

Health Ministry cybersecurity chief Reuven Eliyahu said in an Army Radio interview on Monday that a Chinese hacker group was likely behind the attack and that the motives were purely financial.

Ashkenazi said that in the event of significant incidents such as the Hillel Yaffe attack, government bodies are simultaneously working on various tracks, including “following the crumb trail” to identify the perpetrator, and working within the victim’s network to understand what has happened and whether additional attacks can be expected.

Israel’s digitized health system, which was touted during the coronavirus pandemic for enabling a speedy and efficient vaccination campaign, is also somewhat of an Achilles heel when it comes to vulnerability in the face of cyberattacks.

Doctors at Hillel Yaffe have been forced to piece together patients’ medical histories, which are usually readily available online. They now need to ask patients to bring in any records they have at home, and are building up physical folders from scratch. 

“Some come from home with their records, but beyond that, we have no access to the system that enables us to see information about patients who were operated on or catheterized in the past,” Professor Ariel Roguin, who heads the hospital’s cardiology unit, told Haaretz earlier this week.

Medical equipment is working as usual and most operations are going ahead, other than elective, non-urgent procedures; those that can be done via HMOs are deferred to them.

For Internal Medicine Department Director Nina Avshovich, the situation has taken her back to her days as a medical intern. “I worked without computers 20 years ago, so it didn’t agitate me,” she told JI, adding that the hospital has developed new systems to cope with the present reality.

Simulations were held for various situations, such as how to book and conduct the process of X-rays, from beginning to end. 

Staff are required to walk around the hospital, or use fax machines, in order to transmit information that would usually be sent digitally.

Full communication among staff has been key to enabling the current manual work system to function well, Avshovich said. “We spend much more time with the patients,” she added, seeing this as the “glass-half-full” aspect of the crisis.

Fewer patients are showing up at the hospital since news of the cyberattack began to circulate. Management is working both on building new systems as well as trying to restore the old ones.

“They promise us that in a few weeks we will partially be able to see lab results, X-rays and imaging digitally,” Avshovich said. When hospital staff will return to work as normal is not yet clear.

In addition to the health sector, Housen-Couriel, the Konfidas official, identified the finance sector and critical infrastructure in general communications as often-targeted sectors.

She described Israel as “an important player” that can contribute to the effort via its high level of cyber-awareness and talent in incident response, digital forensics and situational awareness in cyberspace. In turn, she said, it can gain from the initiative by broadening its cyber alliances around the world, developing expertise along with other like-minded countries. “Moving ahead with this common goal of combating this type of malware and ransomware which, in the end, if it does in fact pan out as a successful initiative, will obviously have ramifications for all, for many other types of cyberthreats.”

While expressing her support for the recent effort for strengthened international cooperation, she suggested that it needs to be expanded further.

“You can’t catch the cybercriminals if you’re operating only on your own as a country,” Housen-Couriel said. “Cyberspace is a global resource and the reach of global cybercriminals is global. Any meaningful response to mitigate the effects of these types of attacks has got to be international.” This includes international assistance on identifying how the attack vector was carried out, locating where in the world the attackers are based, and at the end of the process collaboration on legal aid, providing evidence, putting the suspects on trial and potentially extraditing them.   

She also highlighted the importance of “addressing the money trail issue, which is really a hard one because of the anonymity of payments made through cryptocurrency. Once the money trail nut is cracked, that will achieve the goal that the Counter Ransomware Initiative set, which is to disrupt the business model of these ransomware attacks which has been such a successful model.”

Amounts of money demanded by ransomware attackers have skyrocketed. CNA Financial Corp., one of the U.S.’s largest insurance companies, reportedly paid $40 million in March to regain control of its network after a ransomware attack. According to a report this year by Palo Alto Networks, the average ransom paid by organizations in the U.S., Canada and Europe increased from $115,123 in 2019 to $312,493 in 2020 — a 171% spike.

Addressing the absence of countries such as Russia, China, North Korea and Iran in the U.S.-led conference, Housen-Couriel said, “Clearly, without the participation of states whose citizens are actively using ransomware — and we know we’ve identified them as attackers — without their participation, in all the levels this initiative is committed to engage with, only limited progress can be made. So a lot more countries need to be involved and that is one of the stated aims of the initiative.”

But Ashkenazi said the recent conference was more focused on like-minded countries. “Given the type of cooperation that was discussed, I’m not sure this would have been the right format to share ideas and thoughts in such a broad manner — there are other forums for this,” he said, alluding to the United Nations, which he said has several channels open on cyber-related issues.

There are some basic differences, he noted, in the way other countries approach the role of the internet, and the focus of cybersecurity.

“Like-minded countries see cyberspace as an important space for human rights and defense of freedom of speech and rule of law regarding the relationship of the government with the people. Some countries see cyberspace as another place of governance in which they apply their government values and systems,” Ashkenazi said.

That isn’t to say that there isn’t bilateral cooperation between Israel, the U.S. and others with those countries. In a White House press call ahead of the virtual conference, for instance, a senior administration official said, in response to questions about Russia’s nonparticipation, that “the U.S.-Kremlin Experts Group, which is led by the White House, was established by President Biden and President Putin, so the U.S. engages directly with Russia on this — on the issue of ransomware.”

Israel, Ashkenazi said, has some 90 bilateral agreements with organizations and missions similar to the INCD. He hopes, however, that this turn towards greater multilateralism will speed up the pace of information sharing and dealing with cyberattacks.
