In this Help Net Security interview, Flavio Aggio, CISO at the World Health Organization (WHO), explains how the organization prepares for and responds to cyber threats during global health emergencies.
These crises often lead to an increase in phishing scams, ransomware attacks, and disinformation campaigns, with vaccine research and public trust among the primary targets. WHO’s cybersecurity team fights threats by removing fake websites, issuing public warnings, and securing data sharing with global partners.
To stay ahead, WHO has developed and refined a comprehensive cyber response strategy through realistic, integrated simulations. These exercises have revealed critical gaps, particularly in escalation and decision-making, and have led to new protocols that strengthen incident containment and communication.
What types of cyber threats tend to spike during global health emergencies? Are there patterns in the tactics or motivations of threat actors?
During global health crises, cyber attackers swiftly exploit vulnerabilities. The COVID-19 pandemic saw a fivefold increase in phishing attempts targeting WHO, with attackers impersonating leadership to distribute malware. Ransomware incidents surged, notably impacting hospitals, forcing surgery cancellations. Advanced Persistent Threat (APT) actors targeted vaccine research for strategic gains.
These threats capitalize on urgency and misinformation, aiming for financial gain, intelligence collection, or disruption. The pattern is clear: health emergencies are fertile ground for cyber exploitation.
How do you test your response plans for high-pressure scenarios like pandemics, and what have you learned from past responses?
At WHO, we conduct simulations integrating technical incidents with operational pressure. A notable exercise involved a regional office network breach during COVID-19, where attackers accessed internal communications. This scenario required rapid forensic analysis, containment, and external messaging. We learned that decision-making delays can be more damaging than breaches.
Initially, uncertainty over authority to disconnect systems hindered containment, leading to new protocols for swift isolation and escalation. Realistic exercises, like our ransomware simulation, revealed reporting and escalation gaps, which were addressed preemptively. Testing under real pressure is crucial for identifying and rectifying plan deficiencies.
How do you deal with the dual risk of attacks targeting WHO systems and disinformation campaigns targeting public health messaging?
Phishing attacks impersonating WHO have led to false claims about IT breaches and fabricated infection numbers. Despite removing malicious sites, misinformation persisted. Our response involves two key strategies:
Technical measures: Rapid incident response and collaboration with digital risk partners to dismantle fraudulent sites swiftly.
Communication and readiness: Issuing public advisories to distinguish authentic channels, publishing document hash values for verification, and conducting regular cybersecurity training for staff.
This integrated approach of people, processes, and technology is essential to mitigate the impact of misinformation campaigns.
How do you ensure secure communication and data exchange between WHO and partners in regions with vastly different cybersecurity capabilities?
COVID-19 highlighted the challenge of securely sharing sensitive data with partners in over 190 countries. We implemented strict encryption for all data transfers, ensuring security even in low-resource settings. Segmented access controls limited intrusions, preventing lateral movement into core systems.
Targeted support, including guidance on remote access security and phishing awareness, helped partners enhance their cybersecurity quickly. A risk-based approach restricted access to vulnerable environments, safeguarding the health response. By combining encryption, access controls, and support, we maintained information flow while minimizing compromise risks across diverse environments.
Are there specific technologies or platforms that are especially vulnerable during health emergencies?
During the COVID-19 pandemic, cybersecurity threats intensified, targeting public-facing websites and exploiting remote work vulnerabilities. Attackers launched DDoS attacks on health ministry sites, coinciding with disinformation campaigns.
Email phishing remained prevalent, with campaigns mimicking legitimate domains like https://who.int to steal credentials. Remote access infrastructure, hastily deployed, was vulnerable. Cloud services hosting vaccine research data were targeted by sophisticated groups identified by international authorities for attempting to steal sensitive information. These incidents underscore the critical need for robust cybersecurity measures.
English (US) ·