Chief Information Security officer, meredith harper. Welcome, and over to you. Thanks very much, john. Its nice to see you, even virtually. So, today, you have everyones bio. So, i dont think i need to reintroduce our panel. But what theyre going to offer us, i think, is a way to look at the year, and back at the year in a context of cyber and health care, and give us a little bit different way to look at the latest efforts to get the vaccine out to the public. We actually have some news on this today, by the way. Well get to that a little later. Basically, the New York Times reported that Cyber Attacks related to cold storage of the vaccine have been going on since august. Its unclear whether this is about ransomware or something more sinister. But well get to that in a minute. What i thought wed do is divide the discussion basically into three parts. Were going to look at the broader issue of cyberthreats and attacks of the Health Care Sector as we sort of wrestle through a pandemic. Were going to look at the security and protection of intellectual property related to the vaccine. And then finally, as related to todays news about hacking the cold chain, well talk about the Security Protection and defense of the supply chain for the vaccine. So, what id like to do oh, and if you have questions, ill try and field those as we go along. And we may have time for questions at the end, as well. Theres a q a function, i think, the team at aspen will explain how you guys need to put those questions in. And with that, i just wanted to start, maybe with meredith, i thought i would start with you, as the ciso at eli lilly, having to deal with all that were dealing with, but in a laboratory setting, with Laboratory People either having to be in pods or working remotely. Are you dealing with more attack services because people arent all over the same building . Theyre spread out. The answer is yes. We do have an unique footprint as relates to our service because we made a decision quite early in the pandemic around the march 8 time frame to send all of our team globally home to work. Now, there were a subset of individuals that need to touch specific equipment in our labs and places like that so we put some measures in place to be able to protect their safety while they were actually interacting with that specific Lab Equipment that we could not pick up and take to someones home. So, we did have an opportunity to still have a small portion of our team still going into our physical location. But it was far and few between. Over 16,000, 17,000 of our team members were deciding to work from home based off of the concerns about their health and safety. So, yeah, the attack surface now has incrementally grown over that period of time. Continuously,to as an organization, ensure when our team members are at homeworking, theyre still putting those security principles in practice even if theyre sitting in their own home offices. I think sometimes we can get a little lax at home and we dont always think the same way when were in our physical work location. But i think weve done a really good job of rolling out a robust Education Awareness Program of how to protect those secure spaces within your home environment. So yes, we have seen an increase in that and attacks as well because the pandemic. So, it goes beyond just dont double click on that weird phishing email. It may have to do with authentication of routers, things like that. Is that what youre talking all talking about . All of that, yes. We put together a packet with our team members to say now that youre in your home environments, heres the technical controls you need to have to operate and carry out the business of lily. We have a vpn. We need to access the data you that need in order to perform your role without you putting that information on your local device and things of that nature. So, we gave them a toolkit to follow, say heres the questions you may be asking. Heres our recommendations for how to deal with that. And then we work with those things together to make sure were not seeing increased exposure. One of the other things that we talked about, initially, i can say, we didnt really think through i think at the beginning was around the idea of printing. So, we get so comfortable printing in our physical locations at work. But now youre starting to print things that may be confidential at home. So, how do you support those printouts . How do you destroy them appropriately . We tried to pick it up on what a home worker would need to know to make sure they make themselves and their devices and data and the things that they print are protected. So, you were sending out shredders and safes . So, we didnt do that. We did give opportunity to say if you have a home shredder, heres the ones we recommend if you do that. One of the other things that i recommend that i really appreciate our leadership going down this road. We knew that people now working in these home environments and from an ergonomic and security perspective, we gave each member of the team to say i need to outfit my workplace differently now that im working 100 from home. So that meant you needed to get a recommended shredder so that you could now destroy documentation appropriately. If you needed to get even a new chair so you can get functionally careful as youre working every day. There was an allowance offered to every team member who needed to make adjustments. So, we offered the recommendations. We gave them options and said heres what you can pick from. And then you chose what you can bring to your work space to make it comfortable, but also make it secure. Yeah, npr gave us chairs, so thats clearly on this. So, are your concerns and ill get to the other panelists , as well, but have your concerns changed since march . I mean, have you seen things when we think about ransomware or phishing attacks, are you seeing things, is this progressing or evolving . What were seeing is, and i know maureen and i had this conversation before. Some of the activity, most of the activity that we see is standard for us. This is typically what we see in our environments in terms of exposure attacks, interest in our organization. Those things are happening every day. And thats no different. What i have found, though, is, i think, the use of social engineering, to be able to get a foothold in san organization by way of credential stealing and things of that nature, i think weve seen more of those attacks and theyve become a little more sophisticated than we probably have seen in the past. But that doesnt mean that the volume, in terms of what were seeing, is shocking to us. Its common at this stage of the game. But i think there is this turnup on the sophistication of it all. And if were not training our team members appropriately to look for those indications of whether something doesnt look quite right from the message, we can find ourselves in a world of hurt. So, we try to focus a lot on our training and awareness of our team members at this time. And specifically, as it relates to the individuals working in the development and research space, because we know that they will be a target. Theyre the ones who are actually working on our response to covid. So, from that perperspective, we tried to use training education to thwart some of those attacks. Do you think some of the social engineering is working better now because people are lonely and by themselves in their home their home . I dont know if its the loneliness. I dont know if thats what makes them susceptible to it. I know ive done it myself. I feel like im working more now that i am at home. Right. Being able to shut off and being able to disconnect is harder now because im sitting here in my office and i get a chance to get things done. But i think because were moving past and were moving to really tick those things off of our list, sometimes we can move a little too big quick. And then we click and open or expose our organization that way. I dont know if its the loneliness, but i do believe that we are moving quicker, probably, in some instances, that creates problems for us. Maybe journalists just get lonely. Maureen, let me move to you. One of the things we know from public reports is that there was a hack, a number of different medical or health Care Companies, including Johnson Johnson, with north korea. Those complaints came earlier this month. And they were trying to steal , allegedly, sensitive covid information from Johnson Johnson and others. Can you walk us through what that kind of experience is like . First of all, dina, thank you very much for the question. But i would say, whats called lets call it an attempted hack, not a hack. Fair enough. Clearly, it was a Cyber Security organization and theyre clearly different items. Health Care Companies literally have seen an onslaught since march 2010. That is the day that the chinese actually started a hard knock of most of the health care in the united states. And there was a lot of talk at the time, those who knew that they had seen attacks or had seen that stand by a nation state. And those who hadnt. There was a great outreach and a great pouring out, working with the fbi and Homeland Security, what was this all about . Especially in health care. I and everyone in health care are seeing attempted penetrations by nation state actors, not just north korea, every single minute of every single day. Primary threats i tried to categorize in health care. One of them is nationstates. The other is a criminal element looking for anything they can monetize. We have something called hacktivists, people who are trying to through social media attempt to sway Pharma Companies on the pricing or other items, as well as insiders. Developmentcine in and therapeutics, what we have seen is we are on a grander stage where people thought, wait a minute, there is a company i should be looking at, what should i do there . We have seen that rise. We dont know, and i see many different attempted assertions. Malware is just code. It is just binary somebody is going to try to put in my network. They are going to use things like email and links and social media to get someone in my company to click on it and bring it into my house. Just coming in the door. Industry, we Care Department ofth Homeland Security so we find information. We found this code. I dont have the resources to or, where it came from where they actually going after . Our federal agencies, government agencies, we provide that information, which then tells us, wait a minute. That code came from north korea. Then, warnings are going out. Companies have the skill and security organizations to be able to detect this malicious code and protect. Not everybody has that in the health care industry. Any indication there is a focus on trying to get something covid related because everybody wants it right now . Is there a bigger appetite . There is only going to be so many people who can get information and turn it into a vaccine. Then we are going to have the people who just decide i dont want the world to have a vaccine. There is not much of a difference. We have the Protection Capability we have built and then, in this instance, looking at the vaccine production, and , Johnson Johnson has a plant in wuhan, china. We were able to see what was happening all along. We saw with the virus about a 30 uptick in what i will call vist or criminal activity trying to monetize anything they could. Again, large companies, secured companies, have defenses against and are able to defend very easily, but in general, about a 30 uptick. Was it going for virus . It would be hard to tell. People will try to come in one the ability to detect it is what helped us. We took a concerted effort. Anyone who was working on vaccine production, anybody who was going to be working on , tollectual property provide minimum necessary access, those are terms we use to protected. We did that. The social media, about june time frame we saw one of the other companies having issues with social media which we talked about at the Board Meeting and one of the things that happened was we had all started to see some of that, so we informed our people to be aware of it. ,ont go and click on anything giving people some guidelines to make sure they were secure. Do you have a little cybersecurity moat around covid stuff or is it everything . Moat. Have a huge honkin thats what we do. We create moats. Sounds like we close ourselves off. Is, is that we provide the ability for the business to operate in an insecure environment, giving the right controls and the right risks. That was excellent in terms of the example you showed. One of the things we also showed on our end was that our thirdparty we partner with to carry out the mission here, we did see an increase in terms of ford parties being impacted attack. Inrd parties who are close the Development Research arm of getwork we do, when they attacked it becomes a problem for lily. We have to spring into action to ensure our value chain is projected and that we are is protected and that we are able to deliver lifesaving medicines. We did see an increase. This year we have done way more around our third parties that have seen the last couple years. Attacks generally are coming through some other vector. That is why i ask you about routers. I wanted to bring you in nice to see you and talk about the security components of operation warp speed. Eli lilly and Johnson Johnson are among the players. We dont know very much about the cybersecurity side, what it looks like. Maybe just because geeky people ask those questions. Can you give us an idea how that works in practice . Can speak to the unique role the fbi plays. There are a lot of different players across the federal government and the Health Care Sector as well. From the fbis perspective, we have the advantage of being a domestic Law Enforcement and intelligence agency. Int that helps us to do service of this mission of protecting the Vaccine Research use ourly chain is to role having access to classified intelligence to understand what adversary plans and intentions are to see threats as they are forming. Our domestic presence with 56 field offices and satellite agencies, we are really embedded in communities and we have enduring partnerships, research institutions, companies, etc. , where we can have that information downgraded which effectively means at a level that we can share it, ideally before something occurs. We can actually act on what we see and that is where the types of direct engagement these organizations is so important. One organization like a university or a company sees this type of threatening cyber , it can be used not only to investigate but to share that information with the Intelligence Community with networked offenders, share it across, and help everyone strengthen their networks. Are you getting in this current environment, more backandforth than you were in the past . I think companies are more reticent to let dhhs know they have been compromised. We have been proactive and the has been a combined effort. That is a maturation in the federal government over the past few years. Some of that was in response to welldeserved feedback we would sector,from the private not appreciating having several federal agencies knocking at their door or sharing the same threat information with them. Increasingly that is a partnership and that has been simplified by warp speed and even months before speed started. As early as march, when we were starting to see the indication not only of cyber criminals, but also of nationstates targeting covid research. We very quickly formed up with the department of health and Human Services on a couple different fronts to warn those who were being directly targeted and to do some research and expand that circle out to sea, of if we know these types entities are being targeted, who is likely next . Thirdly, we did something unusual for us in may, which is that we issued a Public Service announcement with cisa about the chinese cyber actors targeting covid research. That was for two purposes. One, to warn, but also to let china know we have an understanding of what they are doing. There would be some risk and consequences to them for that activity. By virtue of that extended that sustained engagement, we are seeing collaboration with the Health Care Sector, even on issues that are not specifically related to covid research, for example, recent credible threat with ransomware against hospitals and other health care providers. We got tremendous feedback from the Health Care Sector organizations like the American Hospital association in response to that because, again, with cisa and hhs we put out those indicators, we had video calls and ways of engaging directly cisa to let him know we were taking this seriously and as a result, we were advising that they do, too. And then keeping up that contact because we know that is a real resource strain when we are advising a threat like that. Resourcess a shift in and that is only sustainable for so long given that continued communication is important so we can keep them updated on what we are seeing. One of the strategies that has been used in the past is to actually bring charges against people. I am thinking of the pla hackers that were brought charges against. Effectat seem to have an . However long it did, it had some knock on effect. Did the psa have a knock on effect . We are aiming at a number of different audiences when we do things like that. There are many different tools being used, not only by the fbi, but across the federal government and the private sector partners, too. There is the psa, but that was also followed by an indictment shortly thereafter that did identify chinese cyber actors responsible for targeting covid research. Increasingly, this is part of our new fbi Cyber Strategy that director wray announced a few months ago. It is not so much about an indictment. That is one means to an end. Because of the unique role in the art i described that fbi has, we want to make sure we are sharing the information and relationships we have with our partners in the federal government, overseas, in the , whatever steps we can, whether that is fbi sanctions,asury publicly outing some more covert action you might not see, and to do that in a joint sequence coordinated way to have a maximum impact, because for too long, adversaries had acted with what they think is impunity. We want to change the risk calculus for them. Let me talk about intellectual property and how difficult it is to be a health care company. Time to do open and cooperative research and the need to protect ip against hackers. What are you doing in that respect . One of the things is making sure we know where all of our ips. We have that network and we have that area where we can store inhouse that information. There are protections we have wrapped around those repositories where intellectual property sits. As it relates to the research, dealing with collaborations we may have with external resource organizations, we are also ensuring that we are helping to assess the Security Posture of the organizations as well. They are collaborating with us as it relates to that specific research which is going to start to create ip. That are have controls wrapped around those repositories to ensure we are monitoring any exposure to that data. We know how to monitor that on our end. Do you have something tapped to that . Your and what they are dealing with, what you have been handling something for some period of time, you lose sight of the importance. At j j, we continually talk about the importance of the data to our patients and to health care and health care to humanity. It really well about the third parties. No one Company Creates the vaccine or a drug by itself. There are multiple third parties, legal entities, patent filings, patent offices, as well and youranufacturer distribution that you are going through. You are continually looking at those. The covidthe road to vaccine did show my organization in a very quick period of time is look at the data flow. When you look at the data flow for intellectual properties, for something specific like vaccine production, we learned a lot and looking at helping the business in other ways, that we would not have known existed if we had not done it during the short period of time. Us, we worked with the fbi and a special agent who came and talked to all our ,ntellectual property attorneys regulatory attorneys, to talk about the threats. That education and using our Government Entities to be able tremendouswas a resource for people to understand how important intellectual property is and how to protect it. Example of protection, i am just guessing here, data at risk being encrypted . That is one. Think about databases and big networks. I need to look at the date on my computer. Is that encrypted . I need to send it. Is that encrypted . What do you do . There are a lot of elements of how things are in making sure you have appropriate repositories and ability to encrypt that data from the beginning all the way to the end. I thought i would do is save the news for last, which is very unjournalistic for me. For those who may not have seen it, i will bring you a quick look, there is an article that reports on Cyber Attacks on vaccine distribution, which goes to our next subject, supply chains. Ibm researchers and cisa said the attack seemed to be intended to sterile to steal Network Credentials of officials at global organizations. These were officials who were very focused on the refrigeration process necessary for these vaccines. Question. Ask you this in terms of the supply chain, meredith, what is the thing that worries you most about the vulnerability in distribution . Awarenesses there is by those organizations that provide a critical part of our value chain and our Development Cycle they may not have the same level of concern around security of their areas as we may because they think about it, im not really delivering ip. I am offering cold storage. Should i be worried if i am just housing something . That is my biggest concern, is them being aware that they are targets when they are partnering with us and providing that service for us to be able to get the vaccines where they need to be. That would be my one biggest concern. Target. They are a they may not have the same controls we have within our larger organizations because they may be smaller. They may not have that. That exposure is real. I would assume if you have therapeutics you have a regular flu vaccine, you have not had to take think as much about getting it from a to b. Correct. Because there is a finite. Mount of vaccine this is a hotter commodity. When we think about the intent behind that, we look at what the hackers and the bad guys are doing, it is twofold. One of them is disruption. I want to disrupt the flow or the cycle. Some may have a different take on that where they may want to damage vaccines, so once they are delivered, the efficacy is not there. I think you have multiple intent behind why there is an interest in cold chain or any other supportive supply chain we have the development of our are you looking at this any other way because it is covid . We have a robust supply chain. J j does not say have the temperature requirements other vaccines do. Deal not that is not a big. It is the overall security of getting the vaccine from point of manufacture into somebodys arm. Twice in some cases. J j it is only one. One of my good friends at a company that is going to help operation warp speed make sure the vaccine is given out, and is o in pharmaceutical retail i had come from a Pharmacy Company and we did mail order delivery of drugs. Aeat the vaccine like it is c2 drug. From the beginning have to have a signoff, there are security requirements around. There are a lot of requirements for storing it. All of those things should be replicated for the vaccine. Wheel. Ry to reinvent the use what you already have. It is a great practice. It is approved for c2. Just use it. For those of us who are not in health care, can you explain what a c2 drug is, what an example would be . A c2 drug would be Something Like coding or morphine. Something highly addictive or highly controlled. It is a controlled substance. Substance,rolled there is a whole chain of how they must be dispensed. Even organizations like ups or those type they have theydrug in their purview, actually have protocols that are already set up. Say the general, you were talking about no, general you did not need to reinvent the wheel. There are systems in place. A c2 drug may not be as hot a commodity as covid but you could deal with it. Requiring the extreme temperature or the sensitivity of how the drug must be dispensed is not something new. Protocols in health care are already there. Just utilize them. Capitalize on them and modify them as necessary for this. I do not have any visibility to what was done or going on in that area. But that was my recommendation. Does that mean i dont want to go all the way to the word relaxed. But you do not have huge concerns with respect to the distribution of the vaccine . I dont. In healthl confidence Care Organizations in the united , leveraging what was already there. I was in the industry for 10 years. , and we have shift a lot of c2 drugs in the company i worked with. A tractor trailer load went out every day from the warehouse to a distribution center. Working with, state police, monitoring, all of those things are already and have been in place. Utilizing those and leveraging them will make the job easier. Is there an opportunity to provide better communication, better visibility with digital technology, absolutely. I have a lot of confidence in the u. S. Health care system, what has already been put in place. Sorry to keep harping on this, but i think the average person thinks this distribution, all we have been hearing is how this is going to be the most enormous and complicated and bound to fail or bound to have problems. You do not think it is as complicated as people are saying . That we have done this in Different Levels in the past . Dont get me wrong. The distribution of controlled substances or substances that require low temperature efficacy isnt complicated. It is extreme we complicated. Complicated. It is a problem the u. S. Has already solved and can leverage those learnings to be able to make this done in a secure manner. Have there been people who have tried to steal c2 drugs in shipment before . Absolutely. Will there likely be some type of attempt made . Maybe. The question is what do you accomplish . Thank you. Has Law Enforcement, what are you gearing up for in terms of distribution of a vaccine . Perspective,er theres obviously a number of motivations for these actors trying to disrupt the supply chain. Our biggest concern would be a distracted attack to launch into that chain. We certainly see cyber adversaries move to targeting third parties to try to move into the targets theyre trying to reach. Thatotivations go beyond type of destructive or disruptive attack. It could be trying to steal intellectual property, for beancial purposes, it could to undermine confidence in the u. S. Efforts to provide an or toive vaccine advantage another countrys developments. I think the other thing we try to keep in mind is that while this discussion is focused on the cyberrelated threats, we see are most determined nationstate adversaries not just relying on one method to target the supply chain, but to combine using more traditional forces to try to penetrate organizations and through diplomatic means to treaties and create relationships that might put them in a better position to disrupt or influence information. Our focus is looking across all of those. Working with our cyber and counterintelligence programs. Is there something in particular that worries you about this next phase . I think the complexity of it potentially. Hearing they are thinking about it. This is work they do all the time. They have the support of additional entities from the federal government focused on protecting research. That gives me confidence. End ofave come to the our time. I tried to focus questions i found in the human day channel. Q and a channel. I was quite concerned about the cyber aspect of the sand of this and the distribution aspect and it is fascinating to know how you have thought this through. Who are goingou to stay for our next session, stay tuned. We are going to be right with the next session about emerging technology with some fascinating people, some of my favorite people in this arena. I thank you so much for being with us today for this session. Stay safe and healthy. Thanks for being with us. With coronavirus cases increasing across the country, use our website, cspan. Org coronavirus, to follow the trends, track the spread with interactive maps, and watch updates on demand anytime at cspan. Org coronavirus. Cspans washington journal. Every day we take your calls on the news of the day and discuss policy issues that impact you. Friday morning we will talk about the planned house vote on the more act which would decriminalize marijuana. Then Stephanie Murphy on the future of the Democratic Party and the priorities of the blue Dawn Coalition in the new congress. On then Tom Mcclintock decriminalizing marijuana at the federal level and other news of the day. Journalshington friday morning and joined the discussion with your phone calls, facebook comments, texts, and tweets. Coming up live on friday, the house returns at 9 00 am for debate on the marijuana decriminalization bill. That is 9 00 a. M. Eastern. P. M. , president obama will hold a Virtual Campaign rally for Senate Candidates facing runoff elections on january 5. A. M. , johnat 8 30 boehner, joe crowley, and former transportation secretary Rodney Slater look at the key decisions in the transition from a trump bidenstration to a administration. At 1045 mam House Speaker pelosi holds her Weekly Briefing with reporters. Look at the strip reading covid19 vaccines. The Johns Hopkins school of public
comparemela.com © 2020. All Rights Reserved.