COVID-19 Vaccine Security Assessment

Page 1

CORPORATE RISK SERVICES

COVID-19 Vaccine Security Assessment FEB. 25, 2021

PHOTO CREDIT: STANTON SHARPE / SOPA IMAGES / LIGHTROCKET/GETTY


C O R P O R AT E RISK SERVICES PHOTO CREDIT: HOPKINS MEDICINE

Table of Contents PURPOSE AND SCOPE 3 OVERVIEW 3 SECURITY RISKS 3 COUNTERFEITS 4 THEFT 4 SABOTAGE 5 THEFT OF PII 5 ESPIONAGE AND THE VACCINE 6 CYBER SECURITY 6 DISINFORMATION 7 PROTESTS 8 PHYSICAL SECURITY 8 GLOBAL SITUATION 9 SUPPLY CHAIN 9 FACTORS 10 IMPACT ON COVID-19 12 OUTLOOK 12 RECOMMENDATIONS 13 METHODOLOGY 14 G4S CORPORATE RISK SERVICES 15 G4S SECURITY RISK OPERATIONS CENTER 16

Disclaimer: This report was prepared for the exclusive use of the recipient. It may contain proprietary, confidential information of either the recipient or G4S Corporate Risk Services (CRS) and is not intended for public disclosure. Any dissemination or reproduction of the report is governed by the applicable contract or letter of agreement between the recipient and CRS. Any disclosures outside of the contract terms must be authorized in writing by CRS. The findings in this report are based on information provided by the recipient and information to which CRS was provided access. CRS does not assume any responsibility or liability for the failure to detect, identify or make known any additional hazards, threats or areas of risk beyond what is identified in the report. Additionally, CRS makes no representations or warranties with respect to the recipient’s use of the report nor to any third party relating to information contained in this report.

2 COVID-19 Vaccine Security Assessment

G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: VTDIGGER / GLEN RUSSELL

Purpose and Scope

health measures, such as wearing masks.

This report examines the security risks associated with COVID-19 vaccination distribution, principally within the United States. It does not review the safety of the vaccine itself. For resources on vaccine safety, G4S recommends guidance by the Centers for Disease Control, Johns Hopkins, the U.S. Food and Drug Administration and the U.S. Department of Health and Human Resources.

A high demand for vaccines along with a limited supply and distribution has led to a number of further security concerns. These include frauds and scams (such as counterfeits and using this opportunity to target personal identifiable information) and a heightened cyber security risk.

Overview G4S has identified recent security threats associated with COVID-19 vaccine distribution in the United States. A number of opportunistic and predatory criminal behaviors and non-criminal activity involving both physical and cyberspace risks have been detected, with threat actors representing an array of individuals, political movements and organized or state-sponsored criminal groups. Since early in the pandemic, demonstrations have occurred by individuals and groups opposed to COVID-19 related public health measures. While some of this protest activity can be attributed to a range of concurrent and overlapping political, economic, health and environmental issues, demonstrations against government-imposed COVID-19 response have often been organized by members of antivaccine or far-right political groups who often espouse conspiracy theories surrounding the pandemic. Significantly, vaccines, along with masks, social distancing restrictions/ quarantines and testing are consistently denounced and protested, including in and around vaccination sites, which can cause disruptions and can also carry the potential for physical harassment or violence against those involved in vaccine distribution. G4S assesses that the risk of protests will continue throughout 2021 and is likely to center around mass vaccination sites, government buildings and corporate buildings of vaccine makers. Organizations and individuals, which feature in COVID19-related conspiracy theories may also be targeted. Isolated acts of violence are possible, similar to the type of isolated activity seen in recent months against individuals or businesses attempting to enforce other 3 COVID-19 Vaccine Security Assessment

The cyber threat landscape related to COVID-19 vaccine security has significantly b roadened t o i nclude s tatesponsored (i.e. ‘Advanced Persistent Threats’) as well as individual criminal hacking operations. While these attacks are the latest in a long series of incidents that have targeted healthcare organizations over the years, hackers have taken advantage of the global crisis to increase their activity, target organizations responsible for responding to the pandemic and prey on virus- and/or vaccine-related fears. G4S security and intelligence analysts assess that the risk of cyber threats will continue throughout 2021. Figure 1. Alleged COVID-19 Vaccine For Sale On Darknet

Security Risks G4S intelligence analysts have assessed that the security threats associated with the COVID-19 vaccine include counterfeits, thefts, cyber attacks, threats to personal identifiable information, disinformation and misinformation, protests and physical violence. An overall high risk of fraud is likely, impacting several of these security threats. For example, frauds and scams are propagated by misinformation and disinformation, include counterfeits and can lead to the theft of personal identifiable information.

G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: GETTY IMAGES

Counterfeits The risk of counterfeit products includes vaccines, PPE, websites and other products and services, such as cleaning and decontamination and ineffective m edicines o r o ther herbal cures. The Federal Trade Commission (FTC) reported $14.7 million in business imposters, $8.7 million in government imposters and $32 million online shopping (captured data of complaints mentioning COVID, stimulus, N95 and related terms), based on reporting data from January 2020 through mid-February 2021. Most of these complaints are opportunistic — businesses, individuals, criminal elements — looking to make money. An analysis of new domain names registered during 2020 by Insikt Group and Recorded Future shows there was a peak of activity in March 2020 in websites that covered everything from cleaning and decontamination services, to protective equipment, economic relief and cures. There was a drop off of activity and then another spike beginning in November 2020, which correlates with the advancement of the vaccines. In addition to counterfeit websites, companies and services, counterfeit PPE is a significant threat. The most common counterfeit product related to the pandemic is the N95 mask, which is the gold standard of masks. According to the U.S. Customs and Border Protection (CBP), over 14.6 million counterfeit facemasks have been seized entering the U.S. There is a risk of criminal groups trying to duplicate the vaccine or taking spoiled or leftover vaccine doses and trying to resell or copy them, although G4S security and intelligence analysts have seen limited reporting on counterfeit vaccines. The risk of counterfeit vaccines increases as more vaccines are approved and distributed and is likely to spike during times of vaccine shortages or perceived shortages. The risk of counterfeits is likely to wane in the long-term if the availability of legitimate vaccines matches the pace of demand; however, if shortages continue and poorer countries are unable to receive enough vaccines, then the risk of counterfeits will remain very high, according to G4S security and intelligence assessments. 4 COVID-19 Vaccine Security Assessment

Figure 2. Example of Counterfeit N95 Mask. DUKAL is not a NIOSH approval holder, or a private label holder. (CDC, Oct. 22, 2020)

Theft Thefts of the vaccine in the U.S. have been minimal and the handful of reported cases so far mostly involve healthcare workers with direct contact with the vaccine. The cases of thefts all involved healthcare workers who took a few vials to either sell or give to family and friends. While this risk may increase in the medium-term, as more vaccines are distributed to more locations around the country, G4S assesses that large-scale theft is a relatively low risk within the U.S., but may be a greater risk in other countries where access to the vaccine continues to be limited, where organized crime and traffickers are prevalent and/or where there is a higher level of corruption. Of more notoriety are the alleged insider criminal acts of those considered frontline employees amid the COVID-19 pandemic, such as emergency responders and healthcare workers. For example, Anthony Damiano, a former captain with Polk County Fire Rescue in Florida, G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: CNN

was arrested on Jan. 27, 2021 and charged with petty theft and causing paramedic Joshua Colon to falsify official records, when he allegedly took three syringes containing doses of Moderna’s vaccine with the intent of giving them to his elderly mother. Joshua Colon also was arrested for his suspected involvement in falsifying vaccine screening and consent forms when given vials of the vaccine to administer to firefighters. Police in Plant City, Florida, were searching for a person who they claim stole a car containing an unspecified number of vials of COVID-19 vaccine. Although the suspect’s motivations are unclear, the driver of the stolen car was employed by CDR Maguire, a contractor that provides COVID-19 vaccinations and testing.

Sabotage There is also a risk of isolated cases of sabotage to vaccinations. This is especially likely from individuals who subscribe to conspiracy theories against the vaccine. For instance, former pharmacist Steven Brandenburg has pleaded guilty to two counts of attempting to tamper with consumer products after he supposedly removed a container of 57 vials (which held more than 500 doses of the Moderna vaccine) from cold storage, at the Aurora Medical Center in Grafton, Wisconsin, on Dec. 24-25, 2020. Authorities say Brandenburg believed conspiracy theories, which according to a probable cause statement, held that “the COVID-19 vaccine was not safe for people and could harm them and change their DNA.

Theft of PII G4S intelligence analysts assess that the risk of theft of personal identifiable information (PII) is high. The process of registering for a vaccine appointment — usually through the internet — providing personal identifiable information and the sense of urgency to get an appointment scheduled can increase the chances of individuals not paying attention to signs of fraud. According to recent FTC data, there have been 54,000 reported 5 COVID-19 Vaccine Security Assessment

incidents of identity theft since January 2020, based on reporting data using terms such as COVID, stimulus and N95. The actual number of cases is likely much higher. The FTC has tracked a number of scams involving COVID-19 and the vaccine, including robocalls about fake test kits for Medicare recipients, health insurance pitches, mortgage scams, Social Security scams, ads to buy a vaccine, putting one’s name on a list to get the vaccine and asking for bank account or credit card information. The FTC has found that Americans have reported over $211 million in losses from COVID-19 related fraud since January 2020. On Dec. 18, 2020, the U.S. Department of Justice announced the seizure of two internet domains that impersonated the bio-pharmaceutical technology firms of Moderna (Cambridge, Mass.) and Regeneron (Westchester, N.Y.), both of which are involved with developing COVID-19 treatments. The two websites, mordernatx.com and regeneronmedicals.com, were used as ‘watering holes’ to steal visitors’ personal data. Investigators discovered that regeneronmedicals.com was registered to a resident of Onitsha Anambra, Nigeria. The Federal Bureau of Investigation, the Department of Health and Human Services Office of Inspector General and the Centers for Medicare & Medicaid Services issued a public warning regarding COVID-19 related fraud schemes in late Dec. 2020. A recent press report from the Washington Post also highlighted security risks within the V-safe program, which is the CDC’s voluntary text messaging system for COVID-19 vaccine recipients to use to report side effects. The program was designed so that patients would receive a QR code after being vaccinated, which they could scan with a smartphone, entering them into the system. The system would then send a daily text message for a week followed by weekly texts for individuals to complete surveys and record any symptoms and answer health questions. The security risk within the program is that anyone who can access the QR code — either from finding a sheet or pulling one off an image on social media — can access V-safe. V-safe is reportedly undergoing robust cybersecurity vetting with government agencies, following the Washington Post story. G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: GETTY IMAGES / MICHAEL CLEVENGER

In addition to the traditional financial motivations for stealing PII, there is also the possibility of stolen PII being used to fraudulently obtain a vaccine or obtain access to vaccines. Health departments in multiple U.S. states have warned vaccine providers and distributors of security threats specifically related to impostures. Notably, a case of mistaken identity triggered a security scare at the Froedtert Hospital in Wauwatosa, Wisconsin, on Jan. 12, when members of the Wisconsin National Guard arrived under orders to assist with vaccine transport. Some of the troops went to the wrong building, which prompted the hospital’s staff to contact the police and report that people may be posing as National Guard troops in an attempt to steal vaccine doses. G4S intelligence analysts have seen no actionable intelligence to date of any coordinated efforts to commit this type of fraud. Most fraudulent attempts at obtaining the vaccine have been individuals trying to get the vaccine by “jumping the line” and posing as frontline workers, first responders, etc.

Espionage and the Vaccine Vaccine development, production and distribution contain all the hallmarks of areas of interest to foreign intelligence services. Allies and adversaries alike are interested in what governments are doing and what they say they are doing in relation to vaccine development and distribution. The information gathered is likely used by countries to find indicators of deception by a government, insight into the targeted government efficacy, governing structure, economic stability and overall political stability. Friendly countries are likely to spy on each other to gain insights and potential advantages. Some countries with known aggressive intelligence services — such as Russia and China — may seek opportunities to also engage in disinformation campaigns that are part of their larger strategic interests or gain an economic advantage in areas. Individuals and companies involved in vaccine development, production and delivery face a heightened risk of espionage, as detailed information about the 6 COVID-19 Vaccine Security Assessment

vaccine is assessed as a likely high target (including to aid corporate espionage.) G4S intelligence analysts further assess that there is an increased overall espionage risk when traveling — even to friendly countries. An individual’s data stored on their phone about vaccine tracking, symptoms, etc. may pose an attractive target for host country intelligence services.

Cyber Threats The Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. government agencies have warned of potential cyber threats to vaccine makers, distributors and administrators. The threat is mostly from criminals looking for ransom opportunities, either through malware, denial of service or phishing campaigns. Recent open reporting indicates that companies and their employees involved in the supply chain for the vaccine have reported incidents of phishing, spear phishing campaigns and ransomware. Ultimately, cyber threats are only effective if the criminal elements are able to get payment or achieve some other goal. In November 2020, Microsoft announced that it had detected multiple state-sponsored hacking operations that have launched cyber attacks against several prominent companies involved in COVID-19 research and treatments. Microsoft has reported that these attacks have targeted companies located in Canada, Europe, India, South Korea and Taiwan, as well as those based in the United States. Microsoft claimed to have traced the attacks back to one Russian and two North Korean-based hacking groups, known as Strontium (Fancy Bear), Zinc (Lazarus Group) and Cerium, respectively. In late December 2020, IBM’s cybersecurity arm authored a report covering a spear phishing attack against organizations involved in shipping the vaccine. Organizations were targeted in Italy, Germany, South Korea, Taiwan and other European countries, with the likely intent of gaining credentials for future unauthorized access, intellectual property or potentially sabotaging the efforts to ship COVID-19 vaccines. While attribution remains unknown, the sophistication of the attack increases the likelihood that this was state-sponsored. G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES

Cyber attacks from both state-sponsored and individual sources may seek to steal data as part of efforts to conduct espionage and/or disinformation. Data stolen through these operations can be used for purposes of intellectual property theft related to vaccine development and also manipulated and shared to undermine public confidence in the vaccine. In what has been described as a “global phishing campaign,” adversaries are seeking to gain unauthorized access to private credentials and sensitive information relevant to the vaccine’s development and distribution. Spear phishing email campaigns have involved messages with COVID-19 related subject lines and included pretending to have been sent on behalf of health officials, business executives, or recruiters. These emails have been targeted toward job seekers and personnel in positions of sales, procurement, information technology and finance positions. There have been heightened concerns about the safety of both the development and deployment of the vaccines as adversaries attempt to attack the cold chain of organizations responsible for the temperaturecontrolled storage and transport of the vaccine, such as those in the energy, manufacturing, computer software and internet technology solutions sectors. The cybersecurity community has discussed the risk of criminals targeting cold-storage facilities for ransom or other purposes, however, to date, the biggest threat to cold storage facilities have been power outages due to severe weather. G4S security and intelligence analysts assess that the risk of cyber attacks or threats are a short-, medium-, and long-term risk, particularly targeting companies and employees within the supply chain or delivery mechanism of the vaccine.

increased. This has fueled protests in numerous countries across the globe as well as cultivated skepticism of the actual risk of the virus and the need for masks, vaccines and other protective measures. Due to this leading to skepticism and dismissal of safety precautions, this has increased the threat of COVID-19 itself. In late January 2021, anti-vaccine and other protestors temporarily shut down vaccine efforts at Dodgers Stadium in Los Angeles, California. Only 50 protestors were in attendance and the shutdown lasted just an hour before police arrived and dispersed the group. However, the media attention and impact has emboldened activists online from a variety of groups and is an event that will likely be repeated. Social media is filled with disinformation and misinformation that is hampering the efforts of health officials to educate the public on the ongoing risk of the virus and the safety and availability of the vaccine. Figure 3. Example of Misinformation / Disinformation Shared In Telegram Group

Disinformation The proliferation of misinformation, disinformation, hoaxes and scams are a high, sustained, long-term risk for vaccine security, according to G4S intelligence analysts. As soon as reporting of the virus began in early 2020, conspiracy theories, misinformation and disinformation began circulating and continually 7 COVID-19 Vaccine Security Assessment

G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: SKY NEWS

Protests There is a high risk of isolated protests continuing in the short-, medium-, and long-term to protest against vaccinations. Protest activity associated with other COVID-19 safety mitigations (wearing masks, social distancing, etc.) are considered a likely indicator to predict the risk of protests against vaccines. While most protests are likely to remain peaceful, isolated violence is possible [see below] and violent unrest is also possible. The risk of protests is likely to increase further if vaccine rollout becomes mandatory in some cases, or if vaccinated individuals begin to receive different treatment (i.e. are allowed entry to areas that unvaccinated individuals are not, are able to travel more, etc.) Currently, extreme winter weather across most of the U.S. has reduced the immediate risk of protests, which is likely to resume once weather improves. G4S analysts have noted that protests in early 2021 in the U.S., Europe and elsewhere have morphed to include Figure 4. Protest Suggested In Far-Right Telegram Groups

different groups using these protests to garner support for their causes as well, such as far-right ideologies, anti-government groups, nationalists, etc. Protests are likely to continue through 2021, particularly in areas of economic hardship and as a way for population to express frustration with the lack of control they may feel as a result of the pandemic (e.g., loss of job, loss of freedom and flexibility, frustration and anxiety over access to vaccine, fear of a vaccine, etc.) There is also a medium risk of protests advocating for the vaccine, but protesting a range of possible issues, including the speed of vaccine delivery, which groups are being prioritized, ‘vaccine tourism,’ or as counterprotests against anti-vaccination groups. As with most protests, there is a heightened risk of violence where two opposing groups are present.

Physical Violence G4S assesses that there is a risk of isolated attacks against COVID-19 relief efforts, for example at vaccination production and shipment facilities and Figure 5. Suggestion of Violence In Response to Vaccination, On QAnon Telegram Channel

8 COVID-19 Vaccine Security Assessment

G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES

particularly at vaccination sites, which may have little to control access or increase security. This risk is assessed as most likely posed by individuals or small groups who subscribe to conspiracy theories and is highly unpredictable as it may occur with little to no warning and on a local scale. Physical violence could include an attack on an individual involved in vaccinations (similar to recent isolated attacks and skirmishes with individuals and businesses attempting to enforce mask regulations), anti-vaccine protests becoming violent or larger-scale targeted attacks against facilities.

Global Situation On Dec. 2, 2020, the International Criminal Police Organization (INTERPOL) issued a global ‘Orange Notice’ alert to law enforcement across its 194 member countries warning them of potential organized criminal activity in relation to the falsification, theft and illegal advertising of COVID-19 and seasonal flu vaccines. As governments around the world continue to roll out COVID-19 vaccination programs, G4S highlights the following recent examples of vaccine-security related incidents: •

European Union / Dec. 9, 2020: Data on the Pfizer/ BioNTech vaccine was stolen by hackers during a cyber attack against the European Medicines Agency. The stolen data was said to have appeared on various hacking forums as early as Dec. 31.

Mexico / Jan. 8, 2021: Mexico’s National Council of Private Security (CNSP) confirmed the presence of laboratories set up by organized crime groups to create fake COVID-19 vaccines. Operations were said to be identified in Jalisco, Tamaulipas, Chihuahua and Mexico City.

Canada / Jan. 21, 2021: A millionaire Canadian couple from Vancouver traveled secretly to a remote indigenous community in western Canada’s Yukon territory while claiming to be employees at a local motel in order to receive their first doses of the

9 COVID-19 Vaccine Security Assessment

COVID-19 vaccine. The couple was at an airport shortly after receiving their vaccinations and charged for violating quarantine protocols. •

China / Feb. 1, 2021: More than 80 people were arrested for selling counterfeit vaccines. Over 3,000 saline filled vials were seized, and it is unclear how many have been sold since the operation began in Aug. or Sept. 2019.

Supply Chain Supply shortages of the vaccine itself and within the supply chain and disruptions to the supply chain pose some of the greatest risks to effective distribution, as well as increasing the likelihood and risk of the aforementioned security concerns. Supply chain risks exist every day — weather, materials shortages, warehouse fires, worker strikes, etc. — and the vaccine works within this ongoing system of risks. Moreover, specific logistical requirements for the vaccine (for example, temperature requirements) further increase the risk of supply chain complications. The numerous points within the supply chain in different countries create opportunities for delays, bottlenecks and shortages. For example, 3M (a manufacturer of personal protective equipment, or PPE) has nearly 5,000 direct suppliers and each of those have their own suppliers. Any one event somewhere along the line has impact across the entire chain. The supply chain for PPE and vaccine production has encountered numerous challenges and setbacks since early 2020. The global-interface of products and manufacturing translates into hundreds of nodes among the supply chain that can be disrupted and cause delays. The bottlenecks within the supply chain aren’t static; as one area clears, another can back up and this process continually changes. Current supply-chain challenges involving the vaccine include manufacturing the vaccine, distributing it and finally administering it. Several states and local governments have experienced vaccine shortages within the first few weeks of February. San Francisco suspended vaccine distribution for a week G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: UNITED AIRLINES

to reassess and respond to supply shortages. A health official for the city described the vaccine supply as “limited, inconsistent, and unpredictable” according to press reporting. Some areas in and around Atlanta stopped scheduling appointments recently until more federal deliveries of the vaccine become available, according to press reports. In North Carolina, the state health agency cancelled 10,000 appointments in late January to ensure there was enough vaccine for administering the required second dose.

this process, not only at the final delivery location for vaccines and individuals who are against the vaccine may attempt to sabotage a node of the supply chain. Spear phishing campaigns may impersonate a node within the chain. Furthermore, disruptions to the supply chain are a significant factor that could increase other security risks; concerns about shortages and impatience for vaccinations have the potential to motivate individuals to attempt to gain the vaccine illicitly or protest shortages. Figure 6. Vaccine Cold Chain (World Health Organization)

Health agencies must contend with trying to estimate the number of second doses needed while expanding eligibility in a push to vaccinate more people quickly. This process is complicated and G4S assesses that miscalculations are likely — especially in the short term - which could lead to a series of fits and starts in order to ensure doses are not wasted and until local health agencies are able to find the rhythm of first and second doses. Pfizer and Moderna’s vaccines are both mRNA-based vaccines, which requires specialized machines that are in short supply. Pfizer’s manufacturing plant in Belgium is currently offline because it has to accommodate the specialized machines for production. There remain shortages of necessary equipment to administer the vaccine, facilities, personnel and storage which can hamper the delivery of the vaccine even after vaccine production has improved. Several states have reported a shortage in the specialty needles needed to administer the vaccine. The Supply Resource Chain Cooperative previously created the ‘Supply Chain Operations Reference (SCOR) Model’ in which they broke down each element of the supply chain, the risks and categorized the points of potential impact and/ or failure. Their list includes: national security issues; personnel shortages; lack of coordination; shortage of supplies; limited capacity; vaccine damage; gaps for rural areas and misinformation about the vaccine and tracking. Security Implications — Each node of a supply chain poses a target for intentional disruption and other criminal activity. For example, thefts may occur throughout 10 COVID-19 Vaccine Security Assessment

Factors G4S forecasts the following indicators that are likely to impact vaccine security: Instances of Individuals ‘Jumping the Line’ — There have been reported instances of individuals attempting to jump the line and get a vaccine either through manipulation, fraud, bribes or gaming the system. In early February, a program in Massachusetts advertised that caregivers could receive a vaccine alongside a participant of 75 years and older, sparking a number of imposters and scammers. There have also been reported cases of people sharing codes intended for frontline workers to G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: LOS ANGELES TIMES / IRFAN KHAN

access vaccine appointments. A few high-profile cases involved wealthy individuals trying to bribe doctors to receive a vaccine and one couple in Canada flew to a remote town to fraudulently obtain the vaccine. Former Time Warner CEO Richard Parsons is also a high-profile example of someone who has travelled to a location where they could receive the vaccine. This ‘vaccine tourism,’ as well as concierge medicine, is a means to be fast-tracked or gain access to vaccine doses immediately. As early as Jan. 8, 2021, a local media investigation in South Florida found that domestic and international tourists had received vaccine doses while on vacation in Florida as a result of an initial lack of a proof of residency requirement at state-run vaccination sites. By Jan. 27, Florida had begun enacting new policies that cracked down on this type of maneuvering or interception. These types of practices could lead to resentment and protests, particularly in the communities where they are occurring. Disinformation or Misinformation — The proliferation of conspiracy theories surrounding COVID-19 and the vaccine has had a detrimental impact on governments’ ability to effectively communicate and instill confidence among their populations regarding the risks of COVID-19, importance of safety measures and the efficacy and availability of the vaccine. It has been easy for conspiracy theorists and groups to hijack the feelings of uncertainty, mixed messaging, fear and fatigue of the pandemic to bolster support and gain traction for their own causes and purposes. Some of the groups involved in spreading conspiracy theories about vaccinations have also previously expressed violent intent. Conflicting Guidance — Countries that have a nationalized healthcare system are able to control and coordinate guidance and messaging. The decentralized nature of the U.S. healthcare system, however, has impacted the vaccine strategy leaving state and local governments scrambling to try to align criteria and rules for who is eligible for the vaccine. A recent example occurred in Illinois, where the governor of Illinois expanded eligibility for the vaccine to people of 11 COVID-19 Vaccine Security Assessment

any age who have underlying health conditions starting on Feb. 25, 2021. Cook County, where Chicago is located, isn’t following suit because they don’t have enough vaccines to cover additional people. According to local press reporting, available vaccines in other counties will likely lead to some people from Cook County travelling elsewhere within the state for a vaccine at Walgreens, which doesn’t require proof of residency. States also vary on their definitions of essential workers. As of midFebruary, 28 states and D.C. include teachers as frontline and essential workers eligible for the vaccine, regardless of age and underlying health conditions. Exploiting Flaws in Online Booking Systems — As individuals scramble to find vaccine appointments, many are finding ways to get around restrictions or take advantage of glitches in software. G4S has not included examples of these in this public-facing report, in case they have not yet been rectified. Human Error — Accidents and human mistakes are a high-risk, expansive and complex process that is new and requires new policies and procedures for handling the vaccine. For example, an employee in Knox County, Tennessee, accidentally threw away 1,000 doses of the vaccine in early February after he tossed out a box thought only to contain dry ice. Timing and Coordination — Governments have to continue to push to vaccinate as much as their population as possible to control the pandemic and to help curb the spread of recent mutations. The B.1.1.7 variant first discovered in the UK is highly contagious as is the South African variant B1.351 (E484) mutation. The variants have also been reported elsewhere, including in southern Iraq in mid-February 2021. This further increases the urgency of vaccination. There have also been reported instances in the U.S. and elsewhere of providers giving vaccines to whoever is around after vials are mistakenly opened and appointments hadn’t yet been arranged, so that no doses are wasted. For example, a mass call to vaccinate whomever was available occurred in Snohomish County, just north of Seattle, before doses went bad there. Weather — The U.S. experienced record-breaking G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES PHOTO CREDIT: PAHO

cold temperatures throughout most of the country in mid-February, which caused five airports to close, power-outages and rolling blackouts throughout much of the South and Southwest. Testing sites and vaccine appointments were delayed in many states due to unsafe roads and unbearable wind-chill and had the potential to disrupt the vaccination process. In Oregon, snow delayed a vaccine truck and the staff trekked along the highway offering the vaccine to stranded motorists before the doses went bad.

misinformation, or other scams) will very likely take less precautions both to avoid getting sick themselves, as well as spreading the virus to others. Moreover, misinformation, disinformation and security flaws that garner media attention all risk further reducing faith and compliance with medical and government guidance. Finally, some of the security risks outlined in this report may have a direct impact on vaccine distribution (for example, if a facility has to close temporarily due to protests, or is targeted in an act of violence.)

Lockdowns, Travel Restrictions and Mandated Quarantine — Many countries continue to impose strict travel restrictions and some continue to mandate quarantines. Once countries ease restrictions, it has been challenging to tighten them again. If travel restrictions remain in place, or countries require health passports or proof of vaccination, the risk of counterfeit or fraudulent vaccines, proof of vaccines and/or tests will likely increase. Likewise, this would likely lead to protests.

Outlook

Figure 7. New York Times Headline About Vaccine Passports (New York Times)

Impact On COVID-19 The security risks outlined above also pose a risk to COVID-19 spread. Individuals who incorrectly believe that they have been vaccinated or that COVID-19 does not pose a risk to them anymore (due to counterfeits, 12 COVID-19 Vaccine Security Assessment

G4S analysts have determined that the most likely immediate security risks are supply shortages, misinformation or disinformation, weather-related impacts, theft of PII, other scams and continuing cyber security attacks. The intense cold, ice and snow across much of the U.S. in mid-February has caused several states to delay vaccine appointments for a week and close testing sites, as roads are unsafe to travel. Several states — including Alabama, Kansas, Kentucky, Mississippi, Oklahoma, Oregon and Texas — have declared states of emergency due to dangerous road conditions and power outages. Adverse weather conditions will likely temporarily decrease the risk of protests, but delays to vaccination have the potential to increase the risk of protests in the medium-term. The likely security risk in the medium-term is vaccine availability, counterfeit risks and other frauds, protests, cyber security risks and misinformation or disinformation. Protests continue to occur across the globe against government lockdowns, mask-mandates and vaccines. Risks of ongoing lockdowns and stalled travel may spur an increase in counterfeit vaccines, health passports and test kits. As travel restrictions continue, the risk of fake tests, fake health passports and counterfeits increases. Tourists have been sold fake test kits or overcharged for kits in various Mexican tourists spots before flying home. The long-term security risks are supply chain disruptions or shortages, counterfeit vaccines in some G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES

countries, misinformation or disinformation and — particularly linked with misinformation/disinformation campaigns — protests. Scams and cyber attacks are also likely to continue, although both are likely to evolve to meet different demands. The burden of long-term risks will likely fall to governments as they try to counter disinformation, contest with a challenging process of administering and procuring enough vaccines and battle pandemic-fatigue as populations are likely to push back against mask mandates and restrictions (especially once vaccinated.) Supply chain risks for manufacturers will also remain and will continue to require companies to adapt. Many wealthier countries are likely to secure adequate vaccines by late 2021 for their populations, but the heightened risk of counterfeit vaccines is likely to continue in countries where vaccines are limited and there are existing organized crime and trafficking networks that can profit from fake vaccines.

violence against individuals or businesses enforcing other precautions such as mandatory masks. This risk is also connected with the propagation of conspiracy theories.

G4S assesses that the risk of isolated violence is likely to persist throughout the short-, medium-, and longterm. This is comparable to recent examples of isolated

Recommendations •

G4S Corporate Risk Services recommends businesses review local hotspot maps to determine if their office(s), facilities and/or critical infrastructure are in a high-risk location for transmission of COVID-19.

Individuals should educate themselves about recent scams. The Federal Trade Commission provides information on these at www.ftc.gov/ coronavirus/scams.

A high degree of vigilance is recommended for cyber security awareness. This is a good time to reinforce cyber security best practices. Companies

Figure 8. Examples of Scam Awareness Flyers (FTC)

13 COVID-19 Vaccine Security Assessment

G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES

may want to remind employees how to to spot bogus emails and phishing attempts. It is good to remind employees not to click on unknown links in texts or email messages and to confirm that emails or texts about vaccine appointments or soliciting information to make an appointment is sent from their healthcare provider, healthcare agency or pharmacy. •

Companies should review their own cybersecurity policies and remind employees to update cyber security software on all devices.

Companies should raise awareness amongst employees not to share specific information about vaccinations online. This includes guidance not to post pictures of vaccine cards, appointment emails or QR codes. These contain personal information. Employees need to be vigilant about protecting personal identifiable information. Personal health information and vaccine status is valuable information.

Clear communication is essential to counter disinformation or misinformation. If there is a workplace vaccine program, the necessity to follow vaccine protocol needs to be communicated repeatedly and consistently. Companies may wish to create a workplace information hub on local vaccine sites, the process for scheduling appointments and other relevant information.

Companies should stay vigilant in reminding employees about COVID-19 safety best practices, including the vaccine, continuing to wear masks, social distancing and hand washing.

Employees should be provided with information on identifying fraudulent PPE, especially masks. Visit CDC’s website for the latest listing of counterfeit masks: https://www.cdc.gov/niosh/ npptl/usernotices/counterfeitResp.html

Now is also a good opportunity to update and review internal security practices that cover

14 COVID-19 Vaccine Security Assessment

physical security, employee security and internal threats (cyber attacks, disgruntled employees, carelessness, etc.) Companies within the supply chain for vaccines are at a higher risk, including amongst distribution (drivers, carriers and vehicles). •

Employees should be reminded that no legitimate vaccine is ever sold online.

A review of physical security is recommended at vaccination sites; particularly mass vaccination sites and ones that have received notable media attention.

All facilities involved in the vaccination process should carefully review the careful disposal of items related to the vaccine (for example, packaging, vials, etc.) Improper disposal may increase the risk of convincing counterfeits entering the market.

Methodology This intelligence assessment relies on an analysis of intelligence gathered via open-source networks such as online search engines, media and social media pages. Darknet sources were also reviewed. This report is analytical and should be viewed as a method for preparing for potential security risks rather than a list of guaranteed outcomes. This report is intended for a wide audience and individual businesses’ risks will vary depending on their business type, key leadership and the locations of their assets. G4S is able to provide tailored risk assessments upon request. This report has focused on security risks within the United States. International security risks vary, impacting by an array of additional factors including corruption levels, COVID-19 spread, local sentiment toward the pandemic and towards vaccines, levels of tensions within the local population, organized crime capabilities, etc. The information cut-off date is Feb. 17, 2021. G4S Corporate Risk Services


C O R P O R AT E RISK SERVICES

G4S CORPORATE RISK SERVICES

G4S is one of the world’s largest security companies, employing nearly 533,000 employees and supporting operations in around 80 countries. With one of the most tenured senior management teams, subject matter experts who are highly decorated members of the industry, and global visibility, we are committed to providing integrated security strategies with a holistic, all-hazards perspective. Our Corporate Risk Services (CRS) team are specialists in providing risk consulting, corporate investigations and executive protection. We provide clients access to unparalleled industry knowledge, expert consulting and integrated technologies. We’re a company that stands apart from the crowd; one that transforms challenges into opportunities and savings.

INTELLIGENCE AS A SERVICE

Security Intelligence provides actionable and comprehensive insights that reduce risk and operational effort for any size organization. Understanding what is happening across resources is critical when identifying threats. G4S employs global subject matter experts on geopolitical risk who provide real-time analysis of events through impact analysis, media monitoring and social/web/dark web analysis. This AI-augmented intelligence gathering enables you to immediately know when incidents occur.

SITUATIONAL AWARENESS MONITORING & ALERTING

When organizations have thousands of people and assets, there is limited time to assess and manage risk. G4S Security Risk Operations Center (SROC) analysts and operators leverage powerful situational awareness technology that can save hours of sorting through data and reaching stakeholders during a crisis. SROC analysts and operators leverage a powerful AI algorithm to review relevant news, social media, government information and other sources.

SOCIAL MEDIA/DEEP WEB MONITORING

G4S analysts monitor across social media platforms, as well as the open and deep web. This allows our analysts to identify real-time and emerging threats to clients’ security, ranging from executive protection and asset management to reputational risk.

TRAVEL RISK MANAGEMENT

G4S’ unrivaled geographic footprint helps you manage employees’ safety from departure to return. SROC analysts develop pre-travel advisory intelligence reports and on-demand, pre-travel security briefings. The SROC uses geolocation software to track your team members and provide in-country travel intelligence alerts (via text and mobile) to ensure employees remain safe and connected.

EXECUTIVE PROTECTION & TRANSPORT

From natural disasters and civil unrest to workplace violence, the SROC delivers immediate assistance during crises across the globe. Intelligence analysts keep executives safe by providing critical resources when disaster strikes — even in high-risk areas. SROC operators work 24/7 on requests to deploy G4S assets, including armored vehicles and air transport to secure and extract executives and business personnel.

GLOBAL SECURITY OPERATIONS CENTER (GSOC) AS A SERVICE

This solution provides outsourced or augmented solutions that integrate travel risk management, situational awareness monitoring & alerting, intelligence as a service, global crisis management response, security data analytics and remote video camera & alarm monitoring. Fully or partially outsourcing a GSOC will help you save money, decrease capital expenditure and expand resources. If you choose to build your own Security Operations Center (SOC), G4S provides expert assistance in designing and staffing a modern operations center to deliver a Center of Excellence for security.

15 COVID-19 Vaccine Security Assessment

G4S Corporate Risk Services


CORPORATE RISK SERVICES

G4S SECURITY RISK OPERATIONS CENTER For questions regarding this report or for immediate assistance, please call:

G4S Security Risk Operations Center services include:

G4S Security Risk Operations Center: (866) 604-1226 Alternate Phone: (866) 943-8892

g4s.us 16 COVID-19 Vaccine Security Assessment

Crisis Management and Incident Response Executive Protection Support 24/7/365 Employee Assistance GSOC as a Service (GSOCaaS) Intelligence as a Service Remote Video Monitoring


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.