The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Ransomware attack might have caused another death

Analysis by
October 1, 2021 at 7:07 a.m. EDT
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! It's officially Cybersecurity Awareness Month. So if you're starting October reading this, you're way ahead of the game.

Below: The FCC wants to get tough on SIM-swapping and some hacks against federal agencies increased during the pandemic. 

A ransomware attack might have caused another death

A ransomware attack against an Alabama hospital may have led to a baby’s death in 2019, one of the first known cases where a cyberattack had life-or-death consequences. 

The baby, Nicko Silar, was born with her umbilical cord wrapped around her neck and constricting her airway, causing severe brain damage, as the Wall Street Journal’s Kevin Poulsen, Robert McMillan and Melanie Evans report. She died nine months later.

Obstetricians would typically perform a Caesarean section delivery in such cases upon learning that the baby’s heart rate had slowed. 

In this case, however, Springhill Medical Center in Mobile, Ala., was eight days into a ransomware attack that had crippled its computer systems. Nurses did not notice the fetal heart rate change, which was recorded on a strip of paper printed by the bedside monitor. It would normally have appeared on a large digital display at the nurses’ station where monitoring was far easier. 

Silar’s mother, Teiranni Kidd, argues in a lawsuit that the ransomware attack removed safeguards that would otherwise have assured the nurses would notice the change in heart rate and alert the obstetrician.

The hospital denies any wrongdoing. CEO Jeffery St. Clair told the Journal in a statement that the hospital “concluded it was safe” to continue operating during the ransomware attack. 

The case is a stark reminder of the devastating human costs that can derive from cyberattacks, where the damage is more typically measured in lost money and productivity. 

It also raises thorny questions about how to reckon the danger posed by hacking — and how the government should account for those dangers as it expands its efforts to improve the cybersecurity of hospitals and other elements of critical infrastructure. 

Cyber experts typically bat back comparisons of hacking threats to those posed by terrorism, noting a cyberattack has never been proven to cause a death or large-scale property destruction. But cases like the one in Alabama are complicating that argument. 

This isn’t the first possible ransomware death. 

Prosecutors in Cologne, Germany, opened a negligent homicide investigation last year in the case of an ailing woman who was turned away from a hospital in the grips of a ransomware attack and died on the way to another hospital.  

Cybersecurity professionals speculate such situations are more common than is reported because of the difficulty determining that any particular death was due to a delay in care or a shift to nondigital hospital procedures rather than underlying medical conditions.

“Security practitioners sometimes take news about ‘the first ransomware-associated hospital death’ with a grain of salt,” Rachel Tobac, CEO of SocialProof Security, told me.

“Ransomware attacks on hospitals can disrupt access to emergency care, and any delay in care or diverted ER cases can lead to greater risk of patient death,” she said.  

The Journal cited a statistical analysis by the Cybersecurity and Infrastructure Security Agency, which determined that ransomware attacks against hospitals could lead to dire consequences.

“We can see that a cyberattack can strain you enough to contribute to excess deaths,” Joshua Corman, a senior adviser for CISA, told the Journal. 

Some ransomware gangs have claimed they don’t attack hospitals because of concerns about disrupting patient care, but those claims ring mostly hollow. Attacks against hospitals have increased dramatically in recent years, including during the pandemic. 

More deaths?

As ransomware attacks increase and hackers become more brazen, there are likely to be more deaths with possible links to those attacks

Unlike terrorist attacks, however, these deaths are likely to almost always fall into a gray area where it’s impossible to definitely prove the cyberattack caused the death. 

In the Alabama case, there’s no question hospital staff erred in not noting the change in heart rate, but it’s not completely clear that was the result of the ransomware attack. 

A text exchange between the obstetrician, Katelyn Parnell, and the nurse manager shortly after Silar’s birth has been entered into evidence in the lawsuit, the Journal reports. In the exchange, Parnell states that she would have performed a C-section if she’d been alerted about the lowered heart rate and calls the brain damage at birth “preventable.”

“I need u to help me understand why I was not notified,” she writes. 

Parnell is also a defendant in the case. 

The keys

Computer scientists defended their work tying the Trump campaign to a Russian bank 

John Durham, a special counsel appointed by the Trump administration to review the Russia investigation, suggested in a recent indictment that computer scientists who found curious Internet links between the Trump organization and Russia's Alfa Bank didn't actually believe their find was significant. 

Now, lawyers representing two of the computer scientists at the center of the claim say that’s misleading, the New York Times’s Charlie Savage and Adam Goldman report. “Reports that these findings were innocuous or a hoax are simply wrong,” the lawyers say. The FBI ultimately determined the Internet links were not suspicious. 

The indictment did not accuse the computer scientists of a crime. Instead, Durham charged cybersecurity lawyer Michael Sussmann, who alerted the FBI about the digital signals. Sussman said he was not relaying the claims on behalf of a client. In fact, Sussmann billed the work to Hillary Clinton’s presidential campaign, according to Durham.

Durham has issued a fresh set of subpoenas in the case, CNN’s Evan Perez and Katelyn Polantz report. One of the subpoenas is directed at Sussmann’s former law firm, Perkins Coie, they report, citing people briefed on the matter.

A federal regulator is looking into preventing hackers from stealing cellphone numbers

The Federal Communications Commission wants to halt “SIM-swapping,” in which hackers hijack phone numbers by convincing phone companies that they’re the owners. SIM-swappers have racked up numerous high-profile victims drawing attention to the practice. In 2019, Twitter CEO Jack Dorsey was targeted in such an attack.

The FCC wants to update its rules to require phone companies to make sure people who try to transfer phone numbers are who they say they are. The regulator is seeking public comments on how to do that. It also wants phone companies to immediately let customers know about requests to change their phone information.

Lawmakers have long called for the FCC to take action on SIM-swapping. In January 2020, six Democratic lawmakers urged then-FCC chairman Ajit Pai to start the rulemaking process to defend against the practice.

Government agencies faced more cyberattacks during the pandemic

Five out of 12 federal agencies surveyed by the Government Accountability Office said they faced “an increase in certain types of cyberattacks during maximum telework,” according to a report by the government watchdog. Officials from four of those five agencies said they had seen a rise in phishing attacks.

The report called out the Securities and Exchange Commission and the Social Security Administration for having incomplete plans for remote working securely. 

Hill happenings

The House Intelligence Committee advanced a bill that would put job restrictions on former spies and U.S. government hackers

The amendment was introduced two weeks after three former U.S. intelligence agents admitted to working as hackers for the United Arab Emirates, Reuters's Christopher Bing reports. The amendment would require some former officials who worked in sensitive posts to report their “national security, intelligence or internal security” work for foreign governments. 

Cyber insecurity

Nieman Marcus breach affected up to 4.6 million people

The compromised information includes contact information, payment card numbers, gift card numbers, usernames and passwords, the retailer said in a news release.

About 3.1 million of the affected customers used payment and virtual gift cards, more than 85 percent of which were expired or invalid, the company said. 

Nieman Marcus has hired the cybersecurity firm Mandiant to investigate. 

Hackers posed as Amnesty International, promising anti-spyware tool that actually collects passwords (CyberScoop)

Government scan

Military units track guns using tech that could aid foes (Associated Press)

Palantir could lose a lucrative contract for ICE's tool that targets unauthorized workers, according to a government document (Insider)

Securing the ballot

The push for Internet voting continues, mostly thanks to one guy (NPR)

National security watch

Inspector general finds ‘widespread’ problems in FBI’s FISA applications (Devlin Barrett)

Privacy patch

There’s a multibillion-dollar market for your phone’s location data (The Markup)

Former OnlyFans employees could access users’ and models' personal information (Motherboard)

Daybook

  • John Costello, National Cyber Director Chris Inglis’s chief of staff, speaks at a Center for Strategic and International Studies event on Oct. 4 at 9:30 a.m.
  • Chris Fonzone, the top lawyer in the Office of the Director of National Intelligence, and former senator Russ Feingold, a Democrat who represented Wisconsin, participate in a Center for Democracy & Technology event on the Patriot Act on Oct. 5 at noon.
  • The R Street Institute hosts an event on diversity in cybersecurity on Oct. 5 at 1 p.m.
  • CISA Director Jen Easterly speaks at a Washington Post Live event on Oct. 5 at 3 p.m.
  • U.S. Cyber Command Commander and NSA Director Gen. Paul Nakasone and deputy national security adviser Anne Neuberger speak at the Mandiant Cyber Defense Summit on Oct. 5.
  • Easterly and others speak on the first day of CISA’s four-week Annual National Cybersecurity Summit on Oct. 6.
  • Deputy Attorney General Lisa Monaco; Deputy Energy Secretary David Turk; National Cyber Director Chris Inglis; Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee’s cybersecurity panel; Rep. John Katko (R-N.Y.), the top Republican on the committee; and Sen. Angus King (I-Maine) participate in the Aspen Cyber Summit on Oct. 6.
  • The Center for Strategic and International Studies hosts an event on sixth-generation network standards on Oct. 6 at 3 p.m.
  • Homeland Security Secretary Alejandro Mayorkas, Easterly, Inglis and other top U.S. government officials speak at the three-day Billington Cybersecurity Summit, which begins Oct. 6.
  • European cybersecurity officials speak at Kaspersky’s EU Cyberpolicy Forum on Oct. 7 at 5 a.m.
  • Silicon Flatirons hosts an event on encryption on Oct. 7 at noon.
  • The House Oversight and Reform Committee holds a hearing on the partisan election review in Maricopa County, Ariz., on Oct. 7 at 10 a.m.

Secure log off

Remember, this is a month-long affair. Don't blow all your best password advice on Day 1. 

Thanks for reading! I'll be away next week, leaving the newsletter in the able hands of Aaron Schaffer and Sarah Salem. Have a great weekend.