tv Aspen Institute Discussion on COVID-19 Vaccine Distribution CSPAN December 11, 2020 4:57pm-5:43pm EST
>> next, pharmaceutical company executives and cyber officials discussed securing the development and distribution of vaccines. this panel was part of the 2020 cyber summit. >> i'm pleased to introduce my friend from np who will be speaking with fbi deputy assistant director tonya eberts. chief information security officer in analysis and eli lilly director of security officer mary parker. welcome. >> thanks very much john. >> good to be with you virtually. so you ve everyone bible and i don't need to reintroduce the panel but
what they're going to offer i think is a way to look at the year and back of the year in the context of hybrid healthcare and give us a little bit of a different way to look at the latest efforts to get the vaccine out to the public. we had some news on this today by the way, we will get to that a little later. the new york times reported cyber attacks and cold storage of the vaccine and then going on since august and it's unclear whether this is ransomware or something more sinister we will get to that in a minute. what i thought we do is divide the discussion into three parts. we will look at the broader issue of cyber threats and attacks on the healthcare sector as we wrestled through a pandemic. we're going to look at security and protection of intellectual property, property related to the vaccines and finally the day's news about packing the polls face, talk a little bit about the defense of the supply chain for the vaccine.
so what i like to do is if you have questions, i'll try and yield those as we go along and we may have tons of questions at the end as well. the q and a function i think will explain how you guys put those questions in and with that, i just wanted to start talking with meredith, i thought i would start with you. >> ..
now they are a subset of those individuals in specific equipment in our lab and things like that so we put measures into place to protect their safety while they were interacting with the lab equipment. we could not pick it up and take it to someone's home so we did have an opportunity to have a small portion of our team and our physical location and it was fireproof in between. over 16,000 team members decided to work from home concerned about their health and safety so yes it has instrumentally grown over that period of time and we have continuously ensured when employees are at home working they're putting their security principles and practice in their
own home offices. sometimes we can get a little lax when we are at home in our physical work location but we have done i think a great job on a robust education awareness program of how to be in your home environment. >> it goes beyond just don't double-click on that phishing e-mail. it may have to have authentication of routers and things like that. >> all of that. we put together a packet that we can give our members to say now in your home environment these are some of the controls we recommend you have in place in order to operate and secure -- we have a vpn so we need to connect to that and offer that security and get access to data that you need without putting
that information on your local device and things of that nature. we gave them something to follow saying here are some of the questions you may be asking here's our recommendation for how to deal with that and we worked through those things together to make sure we are not increasing exposure from any of the other things we talked about is initially i can say we have to think through in the beginning was around the ibm printing. we get so comfortable printing and our physical locations that now you are starting to see things that are confidential, so how do you secure those printouts and store them appropriately and we tried to think of the full gambit of what we need to know in order to get themselves and their devices and data in. are protected. >> you were sending out shredders? >> we did do that.
we did give them opportunities to say if you have a home shredder here's the one we recommend if you do that. one of the other things i think we did was i really appreciated our leadership. people can work in the home environment and from an ergonomics perspective begets -- gave everybody the opportunity to say i need to outfit my workspace differently now that i'm working 100% from home. that meant a recommended shredder so you could destroy it to properly and even a new chair so you would be comfortable as you are working every day. there was an allowance offered to every team member who wanted to make those adjustments within their spaces so we offered recommendations and gave them options and then you chose what you needed to bring into your workspace to make a comfortable but also make it safe. >> that's clearly good.
i will get to the other panelists as well but have your concerns changed since march? do you saying thanks that when you think about phishing attacks are you saying things that are progressing or evolving? >> i know we have had these conversations before. some of the activity that we see is standard for us. this is what brief physical easy within our environments in terms of exposure, attacks and through organizations. those things are happening everyday. what i have found though is i think the use of social engineering to be able to put a foothold into an organization by way of -- i think we have seen more of those types of attacks and we have become a little more sophisticated than you have seen in the past but that doesn't mean in terms of what we are
seeing is shocking to us. it's common at this stage of the game but i think there is this sophistication of it all that we are not training our team members approve really on whether something doesn't look quite right in a message we can find ourselves in a world of -- so we are training our team members during this time and specifically as it relates to some of our individual work and development into research because we know they will be a target. they are the ones that are working on our response to covid. we use training out, awareness and education to thwart some attacks. >> do you think some of the social engineering is working better because people are alone and by themselves in their homes? >> i don't know if it's the loneliness and i don't know if that's what makes them susceptible to it but i think sometimes and i know i've done it
myself i feel like i'm working more now that i'm at home and being able to disconnect is a little bit harder now. i'm sitting here in my office tonight don't get a chance to get things done but because we are moving fast and taking those things off our list sometimes we move a little bit too quick we and expose organization that way. i don't know about the loneliness. i do believe we are moving quicker in some instances which creates more problems for us. >> let me ask you one of the things we know from a public report is there was a hack of a number of different health care companies including johnson & johnson by north korea of these reports came earlier this month and they were trying to steal
sensitive covid information from johnson & johnson and others. could you walk us through what that kind of experience is like? >> first of all thank you for asking the question but i would say it's not a hack. clearly in a cybersecurity organization there's a clearly different item. the health care companies have seen an onslaught since march march 2010 because that is the day that the chinese actually -- the health care of the united states and there was a lot of concern that those who knew they had seen attacks or had seen that scam by a nation-state in those who hadn't. there was a great outreach and working with groups like the fbi
and homeland security on what this was all about. what was needed in this space. meredith and i and all those in health care are being -- seeing attempted penetrations by a nation-state actors. it's not just north korea. it's every single minute of every single day. we have four primary threats that i try to categorize and health care and just one of them is nation-state and the other's a criminal element for anything they can monetize. we have something called hacktivists people who are trying to do occur in social media attempt to sway pharma companies
as well as threats. with the vaccine in development and therapeutics what we have seen is we are now on the grander stage where people are like wait a minute there's a company that i'm looking at what can i do there? what we don't know and i've seen many different attempts at extortion. it's just code. just binary that someone is trying to get into the network. they will use things like e-mail or a link on social media to get someone in my company to click on it and bring it into my house. in the health care industry and the department of homeland security we are working with
ciso and we were close together so we provide information. i don't have the resources to know where it came from or what they are actually going after. in working with our title agencies, working with government agencies and others we provide that information which tells us wait a minute that came from north korea and the warnings are going out. most of the large pharma companies have the cybersecurity organizations to be able to detect this malicious type code and protect against it. unfortunately not everyone has that in the health care industry >> any indication that there's a focus trying to get something covid-related does everybody want it right now? is there a bigger appetite for
a? >> there's so many people who can get information and turn it into a bad thing. then we will have a group of people who say well i don't want the world to have a vaccine. so there's not really much difference. we have the capabilities that we have dealt and in this instance looking the vaccine production you do remember they had a plan in wuhan china. we were able to see what was happening all along. we saw with the virus about a 30% uptick in what i will call hacktivists or criminal type activity trying to monetize anything that they could. some people were out of work and they decided they would try to come in and see what they could monetize.
>> large companies, well secured companies have protected against that. easily but again there's a 30% uptick in that specific. i'll be honest with the most of th, it would be hard to tell because people will try to come in on one side and laterally move across the company much like meredith we took anyone who was working on vaccine production, anybody who was going to be working on intellectual property and what were all those systems to lock them down and provide necessary action. those are the terms we use in the security industry to say protect it and then we did that.
and meredith talked about the social media one company had issues with social media which we talked about at the board meeting and one of the things that happened is we put that out and we all started to see some of that so we informed our people to be aware of it. don't go in and click on anything and gave some people some guidelines. >> do you have a cybersecurity de around covid stuffers that everything? >> week. tes.
most close themselves off so what reality is we provide the business to operate in an insecure environment giving them the right info in the right way. >> that was excellent in the example that you show up with one of the things we found our and was that are third-party that we partnered with in order for us to carry out security at eli lilly in terms of the third parties being impacted where ransomware and things of that nature so tours are third-party who are close in development and research ar of the work that we do when they start to get attacked and starts to be a problem with eli lilly. we have to ensure that we are continuously able to deliver medicine.
we did see an increase in that. this year we have done way more than i've seen in the last couple of years. >> they generally are coming through some other faster so that's why ask about routers. i wanted to bring you in and talk a little bit about the component, the security components of operation warp speed and that eli lilly and johnson & johnson are among the players in that. we don't know much about the cybersecurity side of works good though. we are asking these questions now. can you give us an idea of how that works for practice? >> sure. i can speak a little bit too anything that the unique role of the fbi plays but there are a
lot of different players across the federal government and the health care sector as well and that's what makes it so strong. from my perspective we have grown a domestic law enforcement and intelligence agency and what that helps us to do is protecting the vaccine research and the supply chain from these threats. if we have access to classified intelligence to understand an adversary and what their intentions are to use our broad domestic presence in field offices and hundreds of satellite agencies so we are embedded in committees and we have enduring partnerships of research institutions, companies, universities etc. were wreaking havoc information downgraded which effectively means we can share it ideally
before something occurs and is an operational agency we can act on what we see and must we don't have direct engagement with these organizations. it's so important as rene describes when one organization or company sees this type of threatening cyber activity we cannot only investigated that share that information with the intelligence community with network defenders, and help everyone strengthen the network. it's most effective when it's operating at all those different levels. >> in this current environment are you getting more support than you were in the past? sometimes companies are little more reticent to let the dhs or
fbi know they've been compromised. >> we've been extremely proactive in our outreach and that is than the combined effort. that's really a maturation of the federal government especially over the past few years. some of that was in response to well-deserved feedback that we have received from the private sector. not appreciating having federal agencies knocking at their door or sharing threat information with them. increasingly that's a partnership and we simplifyt with warp speed months before work starts. as early as march when we were starting to see the indication not only of cyber criminals but the nation-state targeting covid research. we very quickly teamed up with that department of human services on a couple of different fronts. one was to warn those who were being directly targeted and two to do some research and expand
that circle out to say okay if we know these entities are being targeted who is likely next and try to get ahead of that threat. erderly which is something unusual for us in may which is that we issued a public service announcement particularly about the chinese cyber actors targeting covid research and that was for two purposes. one to warn but also to alert china we have the ability and understanding what they were doing and the consequences for that type of act two the deed. think by virtue of that sustained engagement we are seeing a great collaboration with the health care sector. even on issues that aren't typically related to covid research. for example the recent credible threat on ransomware against
hospitals and other health care providers. we got tremendous feedback from the health care sector organizations like the hospital association in response that because again at hhs we quickly put out those indicators to watch for. we had video calls and ways of engaging directly with those who might the affected to let them know we were taking this seriously and as a a result we were advised and that they do too in keeping up that contact because we know that's a real resource when we are advised of threat like that. it requires different resources that have been sustainable for so long with continued communication so that they can keep them updated on what we are seeing. >> one of the strategies like do and fbi is to bring charges
against people. i'm thinking of the hackers that were wrought charges against. that seemed to have an effect. it had some effect. the psa and putting out a public service announcement did that happen affect? >> we are aiming at different audiences when we do things like that and there are many different tools that are being used not only by the fbi but across the federal government and with private sector partners whom we are doing efforts like that. there is a psa but that was also followed by an indictment shortly thereafter that they have identified chinese cyber actors as possible for targeting covid research. but increasingly this is part of our meeting that direct term wray announced a few months ago, not so much about an indictment. that's one means to an end but
because of the unique role in the partnerships that i described that fbi has we want to make sure that we are sharing the information and relationships that we have with our partners from the federal government overseas in the private sector to do whatever step we can whether that's fbi action, treasury sanctions more covid action that you might not see and to do that in a joint and sequence and coordinated way to have the maximum impact. we think these adversaries have acted with what they think is impunity and we want to change that risk calculus for them. >> let me talk a little head about intellectual property and how difficult it is to be a health care company trying to do open research and the need to protect ip against hackers. what are you doing in that
respect? >> one of the things is making sure we know -- we have fast networks and we have vast areas where we can store a how that information. those are positive or is worth of intellectual property is. the collaborations we may have with external and internal organizations we are ensuring that we are helping with the security posture of those organizations as well because again they are collaborative with us as we do that specific research. we do have control and not to get too deep into that but we have control of the wrap around of repositories to detect any exposure to that data.
>> marene to have something to add? >> education of your workforce in what you are dealing with and went to handle something for some period of time you realize the importance. have a credo about the importance of the data to our patients and health care and humanity. meredith hit on it really well about the third party. when a company creates a vaccine or a drug by itself. fo legal entities patent filing as well as you are manufacture and distribution. so you are continually looking at those third parties.
the one thing that the covid vaccine did show us in a very quick period of time is the data flow. when you look at the data flow for intellectual property for something specific like a vaccine we learned a lot and looking at helping in other ways that we wouldn't have known existed if we hadn't done it in a short period of time. we worked with the fbi and special agents at the north office who came and talked to our intellectual property attorneys to talk about the threats. that education in using our government entities to help us were tremendous resources for
people to understand how important intellectual property is and how to protect it. >> i'm just guessing here it's being encrypted? >> that is one that you talk about data and people think about databases and networks but i need to look at the date on my computer. i need to send it to tonya. is that then encrypted? what do you do? there are a lot of elements in making sure you have the appropriate repositories and the ability to encrypt that data from the beginning all the way to the end. >> what i thought i would do is save the news for last which is very unjournalistic of me and for those of you who may not have seen it i will bring you
quickly up to date. the reports on cyberattacks on vaccine distribution operations which goes to our next subject which is the supply chain. ibm and ciso that it's intended to steal the network credentials of corporate organizations and basically officials are focus on the refrigeration process. necessary to protect these vaccines. but they ask this question. in terms of the supply chain meredith what is the thing that worries you the most about vulnerabilities? >> i think sometimes the awareness by those organizations that provide a critical part of our value chain cycle.
they may not have the same level around security of their areas because they think about are not really delivering i.t.. i'm offering cold storage and should i be that concerned? i think that's my biggest concern is making them aware that they are a target when they are partnering with us in providing that service to get the vaccines to where they need to be. that would be my one biggest concern and the fact that they are a target. they may not have the same level of security that we have in our organization. they may not have that so that exposure is real. >> as a general matter i would assume if you have therapeutics here for regular flu vaccine you haven't had to worry about getting it from a to b and making sure that it's safe. there's a finite amount of
vaccine at least in this first tranche that it's a hotter commodity. >> will me think about the incentive behind it when we look what the hackers are doing is at least of that i think one is just pure disruption. i want to disrupt the flow of the cycle. some may have a different take on that where they may want to expose those vaccines once they are delivered to patients and so the efficacy is not there with the patient for that think there are multiple intends behind why there is an interest in the cold chain or any other supportive supply chain we have for the development of hard drugs. >> marene are with you looking at this in a different way because of covid? >> no you know we have a robust supply chain and a continuity
plan around that. it does not require the extreme temperatures that other vaccines do. it's not that it's not a big deal but i would tell you it's the overall security of getting the vaccine from the point of the manufacture they are. but what i told one of my good friends that works at one of the companies that is going through operation warp speed is to make sure the vaccines are given out what i told her was this. because i had come from a pharmacy benefit company and we did mail order deliveries.
treat the vaccine like it said -- all drugs have a fall from the very giving. there are security requirements around it and requirements if you are storing up read at all of those things can be replicated for the vaccine. i asked the person in charge of general warp speed. don't try to reinvent the wheel. use what you are to have. take the 50 boards of pharmacy across the united states and of all approved and use it. >> for those of us who are not in the health care industry can you describe of an example of a c to drug as? >> codeine or morphine something
that's highly addictive are highly controlled. it's a highly controlled substance. with those controlled substances there's a whole chain of how they must be dispensed and even organizations like ups or fedex when they have those types of drugs in their purview or their ownership to deliver they have to have protocols that are already set up. >> when you say the general in charge you are talking about general kern as? >> no, he's in charge of everything i don't know if i'm supposed to give out his name but general macauley. >> there are systems in place and i may not he is hot a commodity is covid but there are things you can do. >> the pharmaceutical industry
itself, they are requiring extreme temperature for the sensitivity. it not something new. it doesn't -- the protocol in health care are all bar and modifying is necessary. i don't have any visibility to what was done or what's going on in that area but that was my recommendation. does that mean and i don't want to go all the way to the word relaxed that you don't have huge concerns with respect to the vaccine? >> no, i don't. i have full confidence in what the board of pharmacy and the health care organizations in the united states have already created. i was in that industry for over 10 years.
being able to ship, and we had drugs in the other company that worked with. they came every day from the warehouse to a distribution center. all the gps tracking working with state police and monitoring. all those things are already in place and utilizing those in leveraging them will make the job easier. if there's an opportunity to provide better communication and better visibility in today's digital technology? absolutely but i have a lot of confidence in the u.s. health care system which has already been put in place >> sorry to keep harping on this but i think the average person thinks that this whole distribution is going to be the most enormous and complicated
bound to have problems. you don't think it's as complicated as people are saying that we have done this at different levels in the past? >> the distribution of controlled substances or substances that require temperature efficacy isn't complicated. it's extremely complicated. the problem the u.s. health care industry has already saland can leverage that to be able to ma it in a secure manner. have there have been people who have tried to steal shipments before? absolutely. will there likely be some type of attempt? maybe but then the question is what do accomplish?
>> thank you. and tonya let me get you in here as law enforcement. what do you gear up for in terms of distribution of the vaccine? >> from a cyber perspective there are motivations for some of these actors who are trying to disrupt the supply chain and the concern would be an attack and trying to throw a wrench into it and cyber adversaries move to targeting those third parties in order to move the target that they are trying to reach. the motivations go beyond that type of disruptive attack. it could be trying to steal intellectual property for financial purposes. it could be to undermine confidence in efforts to provide
an effective vaccine or took damage in other countries on developments. or it could be a number of over -- other purposes. the other thing is while this discussion is focused on the bigger threats we see nation-state effort towards not just targeting the supply chain but to combine cyber with using more traditional espionage to try to penetrate organizations and even through diplomatic means to try to. relationships that might put them in a better position to disrupt or influence or steal information. our focus is looking across all of those combining cyber and counterintelligence programs to
make sure we are looking across rather than a known type of attack sector >> it's a or something that worries you about this next phase of the vaccine? >> i think potentially but after hearing from meredith and marene that they are thinking about it and as i said this is work they do all the time and they have the support of additional entities like the federal government who are focused on protecting the research so that gives me confidence. >> we have come to the end of our time. i tried to slip in the questions that i saw in the q&a channel. i want to thank you three so much for talking about this. i was quite concerned about the whole cyber aspect of this in the distribution aspect and it's fascinating to know how you've thought this through and how
there are building blocks out there already. for those of you staying for next session, please stay tuned. we are going to be right back with the next session about emerging technology and tech with some fascinating people some of my favorite people in this particular arena. thank you so much for being with us today for this discussion and stay safe and healthy. thanks for being with us.