In early March, as the novel coronavirus swept through the U.S., the Department of Homeland Security’s cybersecurity wing quietly began an initiative that would single out the critical government and private-sector organizations that needed protection from spies and criminals during the pandemic.
The list of essential organizations would include U.S. labs working on a vaccine, pharmaceutical firms researching virus treatments and a constellation of equipment suppliers with global supply chains. The initiative turned into something U.S. officials call Project Taken — a multi-agency effort to protect U.S. vaccine research and other data from hacking and infiltration.
“We really need to identify the parts of the United States government and industry that are going to get us through this COVID crisis,” recalled Bryan S. Ware, assistant director at DHS’s Cybersecurity and Infrastructure Security Agency. “And we need to prioritize … our capabilities and our outreach to those entities.”
While other parts of the Trump administration were bungling the federal response to a pandemic that has killed more than 120,000 people in the U.S., Project Taken was an opportunity for cybersecurity officials to do what they could to protect vaccine-developing labs and other infrastructure.
Publicly, CISA officials have accused Chinese government-backed hackers of trying to steal vaccine research and warned about cybercriminals exploiting pandemic-related fears. Privately, they have been working with the Pentagon and multinational manufacturers to try to protect supply chains from being compromised.
Supply chain worries
The initiative takes its name from the 2008 action film “Taken,” in which an ex-CIA operative played by Liam Neeson hunts down his daughter’s kidnappers with relish. The idea was to apply the Neeson character’s zeal for protecting something valuable — minus the violence — to U.S. efforts to fend off hacking threats from China and elsewhere.
The threat is not hypothetical. Earlier this month, researchers from IBM revealed a concerted phishing campaign targeting one of nine personal protective equipment procurers that are working with the German government.
Ware said U.S. officials from multiple agencies, including the FBI, have identified a “Tier 1” list of companies and universities that are most critical to developing treatment and a vaccine for the virus. CISA officials have been scanning devices on those organizations’ networks for vulnerabilities. After a slow start, more organizations are having their networks scanned, he said.
“We are seeing adversaries that are targeting our pharmaceutical companies, pharmaceutical research, laboratory companies, testing and really even out into the future manufacturing of the vaccine systems and the distribution of vaccines,” Ware said Wednesday during CrowdStrike’s Fal.Con for Public Sector Conference, produced by FedScoop and CyberScoop.
CISA Director Chris Krebs said the initiative has led the health care sector to fix critical software vulnerabilities faster than any other sector.
“At the onset of the COVID-19 pandemic, we recognized just how vital the health care sector was to the response and we established Project Taken to bring to bear the government’s particular set of skills to protect those organizations,” Krebs told CyberScoop. “For CISA, we’ve channeled our inner Bryan Mills [Liam Neeson’s character] through focused outreach and partnership with the health care sector to improve cybersecurity.”