The Infodemic as a Threat to Cybersecurity

ABSTRACT

The infodemic has become a means to facilitate the exploitation of weaknesses in digital networks and launch cyberattacks against vulnerable communities and vital services, highlighting a lack of cybersecurity in critical infrastructure. This paper will delve into the caveats of the cyber threats posed by the infodemic and what it means for the broader network of cybersecurity and the protection of human rights in cyberspace. It will also examine the damage sustained by vulnerable groups as a result of cyberattacks, particularly in light of COVID-19. The infodemic has created a situation where malicious cyber actors spread false information to manipulate human nature and deceive individuals, leaving them susceptible to devastating attacks that risk producing physical and financial harm. This has the effect of undermining human security, dignity and equity in cyberspace. The situation is further exacerbated by the lack of accountability that operates as a carte blanche for cybercriminals to continue with illicit operations against vulnerable persons.

KEYWORDS:

• Cybersecurity
• infodemic
• cyberattacks
• healthcare
• hospitals
• COVID-19
• social media
• disinformation
• misinformation

Introduction

Since the outbreak of the pandemic, the world has witnessed a drastic uptick in the spread of false information as cybercriminals exploit the chaotic nature of the coronavirus as a means to deploy cyberattacks against vulnerable individuals and critical sectors, including healthcare services. On 2 February 2020, the World Health Organization (WHO) announced that the coronavirus was accompanied by ‘a massive “infodemic” – an over-abundance of information – some accurate and some not – that makes it hard for people to find trustworthy sources and reliable guidance’ (Novel Coronavirus (2019-NCoV) Situation Report – 13, 2020). The infodemic is a phenomenon that has fueled the spread of cyber threats by malicious actors who capitalize on the confusion provoked by certain events to disseminate false information to the general public.

This spread of false information is not a by-product of the COVID-19 pandemic, but rather a recurring epidemic that has been witnessed on previous occasions, during which malicious cyber actors launched cyberattacks against populations that have been the victims of health disruptions or political upheavals. During the Ebola crisis in 2014 and 2018, as well as the Zika virus in 2015–2016, the chronic spread of disinformation and fearmongering exacerbated attempts to combat these diseases, while allowing cybercriminals to dispatch cyberattacks against vulnerable communities (A Brief History of Cyberattacks, 2020). In like manner, cybercriminals have also used politically charged events to spread disinformation. The Charlie Hebdo terrorist attack is one such illustration of nefarious cyber operations to steal personal credentials by sending infected e-mails and luring victims to fake websites using the popular hashtag #JeSuisCharlie (A Brief History of Cyberattacks: From Ebola to COVID-19 – CyberPeace Institute, 2020). The vast nature of the infodemic and its ability to affect human behavior culminated with the 2016 US presidential election, where state actors were accused of launching disinformation to sway public opinion, thereby interfering with the democratic rights of voters in the US (Mueller, 2019). Thus, COVID-19 has served to merely accentuate the underlying digital illness that has been running rampant in cyberspace in recent times.

Since the onset of the infodemic, the ability to manipulate false information to launch cyberattacks has gained considerable momentum, albeit the mechanics of cyberattacks remain the same with the application of various social engineering techniques and use of malware. Yet, the ability of cybercriminals to mass produce disinformation to mask these attacks has redefined the landscape of cyberspace. The consequences of this behavior are augmented by the higher level of internet penetration and the normalization of teleworking that expand the population of vulnerable people exposed to cyber threats hidden in a stream of disinformation. By taking advantage of human curiosity and other traits, the infodemic aims to beguile people into believing that a particular source will be able to provide them with more information about the pandemic (Wang, McKee, Torbica, & Stuckler, 2019). This has effectively challenged existing cyber infrastructure for both public and private institutions, as malicious cyber actors seek to abuse weaknesses in the digital network.

There are vast human costs due to this illicit behavior as human security, dignity and equity are sidelined and a prominent lack of accountability results in cybercriminals absconding from the rule of law. Compounded with this already volatile mixture is the lack of streamlined reporting mechanisms for victims of cyberattacks that would otherwise enable policymakers to make evidence-led decisions that strengthen resilience against cyberattacks arising from the infodemic. COVID-19 highlights the structural weaknesses of previous multi-stakeholder responses to the infodemic and accompanying cyberattacks. Organizations, such as the CyberPeace Institute, are calling both for an end to the infodemic campaign and for governments to invest resources to protect vulnerable groups from these attacks.

This paper will track the growth of cyber threats as they have emerged from the infodemic throughout the course of the COVID-19 pandemic and examine its implications for cybersecurity as well as its effect on human security in cyberspace. The unprecedented diffusion of both a global pandemic and an information epidemic that has spread like digital wildfire creates an avenue for cybercriminals to further infiltrate mainstream media outlets. Section I of this paper analyses the vectors of cyberattacks against the backdrop of the COVID-19 infodemic and the challenges of suppressing the spread of disinformation in cyberspace. Section II delves into the human impact of these cyberattacks and analyses society’s response to both the infodemic and the rise in attacks on digital networks. Finally, Section III focuses on the challenges posed by the COVID-19 infodemic and explores potential solutions to compensate for this lacuna and protect the future of cyberspace by adopting a human-centric approach to combat attacks against cyber infrastructure and vulnerable communities.

I. The nexus between cybersecurity and the infodemic

The ability of cybercriminals to masquerade behind a veil of false information is evidence that digital infections are no longer consigned to traditional methods that are easily recognizable by internet users. Before this point can be explored further, it is important to first differentiate between misinformation and disinformation, both of which are often used interchangeably. Misinformation refers to information that is unintentionally wrong, whereas disinformation is false information that was intentionally created for the purpose of deceiving others (Vaidyanathan, 2020). Cybercriminals use a combination of both in order to mislead the public and feed into the broader narrative of false information broadcasted throughout the digital network.

The nature of COVID-19 cyberattacks

The dynamics of false information vary widely. In the context of the coronavirus, cybercriminals have adopted various means of deception in order to inveigle public opinion. Among the sea of attacks, this includes attempts to impersonate high level officials, share false updates on the virus and purportedly offer protective equipment to medical personnel. In March 2020, the UK National Cyber Security Center (NCSC) observed an e-mail campaign where cybercriminals impersonated the Director-General of the WHO in an attempt to infect devices with malware (National Centre for Cyber Security, 2020). Cybercrime groups have also advertised fake medication, provided links to malicious websites imitating government portals offering fiscal packages and sent phishing e-mails impersonating disability welfare service providers (Cybercrime: COVID-19 Impact, 2020). The means by which these cyber threats are concealed is seemingly endless, as malicious cyber actors, both state and non-state, exploit every facet of the pandemic to mislead the public.

The demographics of vulnerable persons and institutions are wide ranging. At a glance, the NCSC has identified individuals, small and medium sized businesses and large organizations as targets of COVID-19 scams. A prominent victim of these cyberattacks is the healthcare sector, which has proven susceptible to the risk of cyber threats particularly under the pressure of having to manage a surge in hospital patients (Muthuppalaniappan & Stevenson, 2021). It is an attractive target for cybercriminals due to the extent of personal information stored in its servers. The wealth of confidential data compounded with the need to continue medical operations creates a situation ideal for cybercriminals to exploit. Faced with the additional dimension of rapid digitalization, the sector’s continued use of outdated systems prevents medical establishments from being able to insulate themselves from the emerging cyber threats that accompany the use of digital technology. Recent studies reveal that more than 70% of medical devices (Wolf, 2019) and 83% of medical imagery devices in the US run on outdated systems (Du, Liang, & Das, 2020). Thus, cybersecurity infrastructure in this sector lags behind, hindering the ability of these institutions to withstand cyberattacks. Malicious cyber actors capitalize on these weaknesses in order to increase the likelihood of launching successful attacks, with the knowledge that the healthcare sector cannot afford to cease operations, especially in the presence of a global pandemic.

Given the circumstances, healthcare organizations are among the most vulnerable groups for COVID-19 related cyber threats, which can have tremendous implications for individuals and critical services (“Effects of the COVID-19 Pandemic on the Health Sector’s Risk Profile,” 2020).

The mechanics of cyberattacks against the healthcare sector

By exploiting COVID-19, cybercriminals add a new element to the healthcare sector’s risk profile, using the infodemic as a means by which to orchestrate cyberattacks with increased frequency. Consequently, disinformation serves as the platform by which cyber actors are able to launch traditional cyberattacks that ultimately jeopardize human security. A typology of cyberattacks reveals how traditional tactics used by cybercriminals have been reintroduced with a coronavirus theme in order to blend into the wave of disinformation and increase the likelihood of successful attacks against the public.

The first type of cyberattack is phishing, also known more broadly as social engineering, where a person is encouraged to perform a certain action (eg share information) with the understanding that they are engaging with a legitimate party (Lallie et al., 2020). Most phishing attacks are sent by e-mail, but government agencies have also noticed efforts to conduct phishing through SMS, known as ‘smishing’ (National Centre for Cyber Security, 2020).

Malware refers to the use of infected software to disrupt services and extrapolate data. The relationship between disinformation and malware occurs where cybercriminals use COVID-19 themed information to lure victims to access malicious websites or download contaminated files. In a recent cybercrime survey, INTERPOL member countries identified malware as being used “widely in phishing emails”(Cybercrime: COVID-19 Impact, 2020). Ransomware, which is a common type of malware, focuses on extortion attempts that hold data for ransom in return for payment. Previous ransomware attacks include WannaCry and NotPeya in 2017 that both impacted the healthcare sector. A recent study reveals that “737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected” (INTERPOL report shows alarming rate of cyberattacks during COVID-19, 2020). In addition to the noticeable rise of social engineering campaigns inspired by the pandemic (Enisa, 2020; Europol, 2020), there has also been a simultaneous shift in malware attacks designed to increasingly target the healthcare sector and government institutions, where higher financial demands can be made (Cybercrime: COVID-19 Impact, 2020; CISA, 2020; Dealing with digital security risk during the Coronavirus (COVID-19) crisis, 2020). Such a threat is further aggravated by a distinct “lack of cybersecurity awareness” (Cybercrime: COVID-19 Impact, 2020).

Another common vector of cyberattacks is the use of domain names that entice internet users to visit malicious websites. The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the coordination and distribution of domain names, has witnessed a “general reduction” in the use of domain names for cyberattacks (Marby, 2020). However, reports indicate that numerous COVID-19 related domain names are being used for illicit purposes which constitute abuse of the domain name system (ICANN Strategic Outlook: 2020). In the midst of public confusion fueled by the disinformation campaign, attackers have been exploiting domain names as a means to trick internet users into giving away financial credentials on spurious websites that claim to sell cures for the virus or personal protective equipment. On other occasions, scammers have posed as charities to help COVID-19 victims, as well as government and university employees pretending to operate track-and-trace programmes (Sjouwerman, 2020).

Motives for exploiting the pandemic

There are multiple reasons for these nefarious attempts to exploit the health crisis, among which include the desire to sow distrust among the general public, causing them to lose faith in public health services; influence public opinion by misconstruing scientific information and fabricating conspiracy theories; seek financial profit; steal confidential medical research; and delay a nation’s economic recovery (Bing, 2020; Cybercrime: COVID-19 Impact, 2020). By targeting the healthcare sector in particular, cybercriminals can make higher financial demands as opposed to targeting individual victims. Needless to say, individuals remain a prime target of cyberattacks as the infodemic thrives on individual deception as a gateway to exploit the vulnerabilities of information technology (IT) infrastructure.

Due to the extraordinary circumstances of the pandemic, medical facilities have had to divert resources to respond to the surge in hospital demand, placing them in a precarious situation as an already weak cyber infrastructure is strained under the pressure of a global health crisis (Cybersecurity in the healthcare sector during COVID-19 pandemic, 2020). The healthcare sector, which spans from hospitals and pharmaceutical companies to healthcare providers, is a treasure trove of sensitive personal information and confidential medical research, access to which can have severe societal implications (Seh et al., 2020). The industry is also faced with the challenge of digitization and the absence of a secure cyber infrastructure to support this transition. The presence of the infodemic serves to further undermine cybersecurity for the healthcare sector and ultimately for individuals who encounter cyber threats as a result of exposure to disinformation. The consequence of disinformation and the detrimental impact it has on the security of vulnerable groups in cyberspace is a direct threat to cyberpeace.

II. The social contagion of disinformation and cyberattacks

Infodemic-inspired attacks feed into the narrative of cyber warfare, allowing both state and non-state actors to advance operations in the midst of disorder. To this effect, the latest episode in the infodemic saga further fuels the weaponization of cyber tools and alienates prospects for achieving cyberpeace. Tragic events on a global scale evoke an emotional response and malicious actors take advantage of these human traits, which is an ever-present reminder that individuals are at the center of the digital ecosystem. A human-centric approach must be taken in order to understand the consequences of the infodemic, which expose people to greater vulnerabilities in cyberspace, and adopt an approach that effectively counters the societal impact of the coronavirus.

The exploitation of existing infrastructure to target individuals

One such approach that cybercriminals use to target individuals is by exploiting weaknesses in teleworking networks. The outbreak of the pandemic has prompted a surge in the digitization of workflows, which has led to a higher level of internet penetration and increased interconnectivity (Wiggen, 2020). In addition to exploiting known vulnerabilities in teleworking infrastructure, cybercriminals take advantage of the fact that individuals increasingly use the internet as a means of communication and a news source. A 2018 study revealed that one-in-five Americans obtain news from social media websites, causing this mode of communication to surpass print newspapers in the US (Shearer, 2020). With over four billion people around the world connected to social media (Social Media Users, 2020), the dissemination of news expands community echo chambers that were once traditionally defined by conventional media outlets (Bernard, Bowsher, Sullivan, & Gibson-Fall, 2020), thereby increasing the potential of spreading disinformation.

From the perspective of posing as a cyber threat, these versatile communication mediums complicate fact-checking procedures that are unable to keep pace with the frequency at which information is circulated on the internet (Chou, Gaysynsky, & Vanderpool, 2021). This enables cybercriminals greater flexibility in spreading false information that appeals to human emotions through messages that transmit a sense of urgency or impersonate authoritative figures, encouraging internet users to visit malicious websites or open attachments containing malware (Nurse, 2018). Through these cyber intrusions, actors take advantage of public trust.

Although cybercriminals employ the same modus operandi, the overriding factor that distinguishes the COVID-19 infodemic from other disinformation campaigns is the sheer scale of the global health crisis that has prompted a wave of public concern. A contributor to the rapid spread of disinformation is the fact that individuals are more prone to open items shared by trusted friends and colleagues (Nurse, 2018). By exploiting trust relationships, cybercriminals increase the likelihood of success as people are more inclined to believe the source is credible and thereby fall victim to a cyberattack. This has the dual function of impacting both individuals, as they encounter these cyber threats, as well as larger communities connected through the digital network.

The human costs of the infodemic

The salience of the infodemic should not be underestimated as it diminishes the security of cyber infrastructure by targeting humans as the weakest link in order to penetrate IT systems. Cyber threats emerging from the infodemic have immense potential to mislead the public and undermine human security in cyberspace as a result. The prospect of having sensitive personal information in malicious hands plays into the narrative of insecurity, as individuals fear identity theft and suffer the prospect of having highly confidential and sensitive information divulged to a larger audience (Coventry & Branley, 2018). The consequences of these cyberattacks transcend multiple domains, however, the common denominator of these operations is the profound societal impact they have on people. This speaks to the underlying principle that individuals remain at the center of cyberspace. While cognizant of the fact that these cyberattacks compromise human security, both state and non-state actors continue to exploit vulnerabilities on an individual and organizational level.

Recent reports of Twitter removing over 150,000 accounts designed to amplify disinformation and allegations of states launching similar campaigns related to COVID-19 are merely a drop in the ocean highlighting the significant impact that the infodemic can have on reaching people around the world (Yang & Murphy, 2020). Psychologically, these attacks undermine public confidence in national healthcare services and affect public response to the pandemic. At the same time, it has given birth to new opportunities for cybercrime. By way of illustration, Google blocked 18 million malware and phishing e-mails daily relating to the pandemic (Kumaran & Lugani, 2020; Tidy, 2020). Consequently, there is evidence of a formidable threat to an individual’s internet security as a result of these illicit operations that undermine fundamental rights in cyberspace.

The extent to which these attacks are taking place against the backdrop of the infodemic has brought this situation to the attention of governments and international organizations. During the dialogues of the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG), Switzerland recognized cyberspace as a vector for spreading disinformation and interfering with international peace and security (Federal Department of Foreign Affairs FDFA, 2020). The COVID-19 pandemic has proven the degree to which the infodemic and accompanying cyberattacks are an affront to human security, dignity and equity in cyberspace.

The digital network has expanded to cover nearly every facet of human life, yet managing this growth lacks an integrated approach that appreciates human susceptibility to cyberattacks, particularly during major events, as in the case of a pandemic. An increased focus on human security requires greater protection of cyber infrastructure, which has been recognized as a norm by the UN Group of Governmental Experts (United Nations General Assembly, 2015), and mechanisms to ensure that disinformation is not allowed to proliferate at such an exponential rate. In particular, the shift to an online network during the pandemic must be accompanied by instruction for individuals who may lack familiarity with the nuances and novelties of the digital network. This need for a more human-centric lens was raised by Member States and observers during previous meetings of the OEWG that was established to stimulate dialogue on international law and norms in cyberspace (“Comments by the CyberPeace Institute on the Initial ‘Pre-Draft’ of the Report of the OEWG,” 2020). Business disruption and destabilization of a nation’s economic infrastructure are among the consequences of the social contagion of the infodemic, where allowing it to spread can also have consequences in terms of slowing down a nation’s economic recovery post-pandemic (Rash, 2020).

The COVID-19 infodemic supports the conclusion that the manipulation of information to provide misleading data and conspiracy theories produces an irrational hunger for more information that opens the door wider to cyberattacks. Malicious cyber actors are manipulating audiences during a period of global tension when individuals are more susceptible to misinformation. The discussion of the societal impact of the infodemic cannot be held in isolation. It requires a collaborative effort through a multi-stakeholder approach that includes public and private entities in addition to victims of cyberattacks. In the absence of this integrated approach and the operationalization of agreed norms, there will continue to be a vast accountability gap within which cybercriminals operate. The next section will examine the current landscape of existential challenges in stemming cyber threats born from this movement and explore multi-stakeholder responses to this situation.

III. Challenges and solutions to the COVID-19 cyber landscape

There are a number of challenges that make limiting the spread of the infodemic a mammoth task. The solution will inevitably require a multi-layered approach that takes into consideration the human aspect of the infodemic and develops effective policies. Currently, there is a large accountability gap that must be filled in order to hold actors accountable for their illicit behavior in cyberspace. Cybercriminals thrive on this accountability gap which must be stopped in order to stymie the number of cyberattacks against vulnerable individuals and critical services. Witnessing the scale of public disorder and cyber threats caused by the COVID-19 infodemic also underlines the need to streamline reporting mechanisms in order to aggregate data and adopt an evidence-led response at a collective level. There is no one-size-fits-all solution to the infodemic, but rather a combination of proposals must be operationalized to effectuate change in cyberspace and ensure human security.

A number of public and private initiatives aim to target some of the challenges currently faced by vulnerable groups connected to an ever-expanding digital ecosystem. Among the challenges identified, several reports have cited a lack of cyber hygiene and unfamiliarity with developing a secure cyber infrastructure (Cybercrime: COVID-19 Impact, 2020; Danish Ministry of Health, 2019; Price, 2020). Since the outbreak of the coronavirus, these infrastructural and societal weaknesses are more pronounced than could have been anticipated. As public and private actors scramble to account for the shortfalls in protective measures and procedures, cybercriminals take advantage of these loopholes to launch attacks against civilians, healthcare workers and other individuals who have become the victims of digitization. This disorder is further stoked by the lack of a sophisticated accountability framework that can implement effective response measures once the perpetrators have been identified. Rectifying this situation will inevitably require a collaborative, cross-sectoral effort to counter the coronavirus infodemic and related cyber threats.

A multi-layered approach

At a societal level, both public and private institutions have mobilized resources in an effort to counter the infodemic and protect vulnerable groups from cyberattacks. As a nonprofit organization, the CyberPeace Institute launched Cyber 4 Healthcare, a free programme to facilitate cyber assistance for vulnerable healthcare organizations (Cyber 4 Healthcare – A Free Cybersecurity-Healthcare Matchmaking Service, 2020). The initiative brings together cybersecurity expertise and healthcare providers to offer personalized services that enable medical institutions to introduce a secure infrastructure able to withstand cyber threats. This programme illustrates the initiatives that have emerged to manage the technologically complex and sensitive environment of the healthcare sector, which requires further protection to be able to deflect the bombardment of cyberattacks and respond to the spread of false information that has arisen in the midst of the global pandemic.

With this in mind, the CyberPeace Institute also promoted a call to governments, inviting them to take immediate and decisive action to stop all cyberattacks on the healthcare sector and medical personnel (“CyberPeace Institute – Call to Governments,” 2020). This call highlights the prevalent role that governments occupy in halting attacks on medical facilities and the need for government collaboration with the private sector to ensure the protection of medical institutions. The unstable concoction of disinformation and the spread of cyberattacks must be addressed on both a domestic and international level in order to counter these campaigns and ensure responsible behavior in cyberspace. The CyberPeace Institute’s Stop Infodemic Campaign is one such initiative that aims to raise awareness about the dangers of spreading disinformation and promote cyber hygiene among internet users (“CyberPeace Institute – Infodemic,” 2020). Similar initiatives on an international scale are required to strengthen resilience against the infodemic and related cyber threats.

Public-private collaboration to stop the infodemic

Managing the infodemic necessitates greater clarity and effective procedures to filter information shared on social media. This will require private actors to become more engaged in halting the spread of disinformation. Private sector initiatives to address the spread of COVID-19 disinformation and abuse of social media platforms came about only after much prodding from the public sector (European Union Agency for Cybersecurity, 2017). Yet, the spread of disinformation must be halted at an early stage in order to minimize its social impact, which is exacerbated when disinformation becomes ingrained in broader narratives that give it the appearance of having more credibility.

The expectations of stakeholders in cyberspace, both public and private actors, require clear articulation and the operationalization of established norms in order to create a sound legal framework that holds actors accountable for these attacks. These standards should reflect the current challenges faced in the world, which include geographical, cultural and technological considerations, as well as the promotion of human wellbeing. The lack of effective sanctions for breaches of international norms should be considered in greater depth, as COVID-19 cyberattacks have targeted medical providers, hospitals and research institutions, ultimately affecting critical services that are dedicated to saving lives.

Charting the societal impacts of the infodemic and the cyber threats it produces are important factors to address when considering how to quench the digital wildfire of disinformation. Another important consideration is the need to ensure that victims of cyberattacks are heard in order to better understand the nature of these attacks and their human impact. Discussions should be refocused around the human cost of the infodemic as a result of being fed false information and becoming more vulnerable to cyber threats. The pandemic has already prompted some states to pay greater attention to the harmful consequences of mis- and disinformation as well as the capacity for cyberattacks to seep into all areas of human life, particularly as the world becomes increasingly digitalized (“COVID-19 Pandemic: Countries Urged to Take Stronger Action to Stop Spread of Harmful Information,” 2020, p. 19). However, more work is required in order to ensure a stable and inclusive cyberspace that is able to respond to the challenges of an infodemic and subsequent cyberattacks.

Due to the multifaceted nature of the infodemic, regulators have been challenged by the outlets through which false information is disseminated. The expansive means by which news and information are now communicated has a profound human impact as traditional media channels, which could also be better insulated from the prospect of disinformation, are increasingly replaced by unconventional news mediums. Several studies have concluded that social media by and large contains a vast amount of “unfiltered and uncontrolled information” (Eysenbach, 2020).

In response to the infodemic, a number of initiatives have been launched to augment fact-checking operations. After COVID-19 was recognized as a public health emergency, the WHO launched an Information Network for Epidemics platform to deliver information tailored to specific groups (EPI-WIN, World Health Organization’s epidemic information network, 2020). There was also a joint public-private effort where public health officials reported any signs of misinformation to social media companies and responded to rumors with evidence-based answers (Zarocostas, 2020). However, traditional mass media outlets must also intensify fact-checking operations. According to the head of Public Health Emergencies at UNICEF, misinformation is projected through conventional media channels that misconstrue the severity of the virus and ultimately send the wrong message to viewers (Zarocostas, 2020).

Exploring avenues to counter the infodemic and deflect cyber threats

In April 2020, the WHO held consultations aimed at crowdsourcing ideas to counter the infodemic (Tangcharoensathien et al., 2020). Participants acknowledged the unprecedented speed at which information travels as a result of the digital network and recommended amplifying the outreach of credible messages through the creation of guidelines and fact-checking organizations, among other options. This includes the need to streamline interventions and support statements with scientific evidence, as well as translate scientific knowledge into “actionable behavior-change messages” that are contextually and culturally sensitive (Tangcharoensathien et al., 2020). It also involves reaching out to key communities and vulnerable persons (Tangcharoensathien et al., 2020). These recommendations capture the fact that individuals are the focus of the digital ecosystem and an evidence-led response to counter the disinformation campaign will require fact-checking initiatives and similar mechanisms as part of the solution to combat cyber threats. When individuals are able to identify false information online, they can make informed decisions that will protect them from being attracted to malicious e-mails or websites spreading conspiracies or disinformation.

On a supranational level, the EU has proposed the Digital Services Act in an attempt to regulate online platforms and digital services. Among the Act’s provisions, there have been calls for companies to be aware of the customers they supply, in order to easily identify fraudulent actors, with the aim to stem the spread of disinformation (MEPs spell out their priorities for the Digital Services Act | News | European Parliament, 2020). This legislative approach should seek to enhance transparency obligations in order to make sure that accurate content is shared on online platforms. In a similar vein, other legislative initiatives will be required from policymakers to respond to the lack of accountability mechanisms in place to address the spread of disinformation and subsequent cyberattacks deployed in these moments of confusion.

Formulating such procedures requires a thorough analysis not only of the current vectors of cyberattacks that operate in the COVID-19 infodemic, but also a detailed analysis of how the infodemic and related cyberattacks functioned on previous occasions. Policymakers must consider lessons not learned from these past attacks and apply that understanding to present and future situations. Without this evidence-led approach, the response to cyberattacks and disinformation campaigns will lack efficacy. Both human security and the protection of vulnerable sectors must also be considered at length. The COVID-19 pandemic has proven that the multidimensional consequences of disinformation and cyberattacks has a direct effect on the individual at a personal level, as well as an indirect effect through attacks on vital services upon which individuals rely. In terms of the coronavirus infodemic, healthcare has been a main focus of the discussion, as an indispensable source to combat a global pandemic and yet a prime recipient of numerous cyberattacks.

An important focal point of the debate around the infodemic and the cyber threats it produces is the need to appreciate the civilian aspect of critical infrastructure to understand why these entities must be protected. In essence, there can be no peace in cyberspace without accountability. The solutions presented during the WHO consultations are a means to deflect future cyberattacks masquerading behind the infodemic campaign. However, to hold malicious actors accountable for their role in cyberspace, more actions must be taken on an international and national level to promote justice, effect change and advance responsible behavior.

Conclusion

The discussion of cyber threats in the context of the infodemic and its profound impact on society is a reminder that this issue cannot be relegated to the sidelines of international debate. Limiting the spread of disinformation and ensuring a secure cyber infrastructure must be a primary item on state agendas. Stifling the dissemination of mis- and disinformation will require the operationalization of agreed norms and multi-stakeholder engagement. This latter item is indispensable to address all of the facets of disinformation, much of which is circulated through social media and other unorthodox modes of communication in the digital network.

The most effective way to stem the growth of the infodemic is by taking a human-centric, evidence-led approach that seeks to hold actors accountable. This way forward should actively engage victims of cyberattacks and states to ensure global representation. Such an initiative must be supported by the understanding that each country has a differing level of cybersecurity infrastructure and must therefore consider the solutions most suitable to resolve the cyber threats it faces domestically. On an international level, there must also be an effort to streamline information and ensure sufficient fact-checking bodies are in place to combat the spread of disinformation in cyberspace.

It is apparent that vectors of cyberattacks during the COVID-19 pandemic come in different forms as cybercriminals capitalize on various weaknesses to generate false information. Public and private actors must be cognizant of this existing threat and introduce procedures and mechanisms that strive to ensure human security in cyberspace and hold malicious cyber actors to account.

The human impact of cyber threats during an infodemic arises both from direct attacks on the individual as well as attacks on critical services and infrastructure that undermine their efficacy. The healthcare sector is a prime illustration of the harmful impact of cyberattacks, which adds further pressure to an already overburdened system, leaving a critical service in a vulnerable position.

The multifaceted nature by which disinformation permeates the ranks of global society and misleads people into believing false assumptions, thereby exposing them to cyber threats, is a key concern that if not addressed now will resurface in the future. The international community must be prepared to respond to the infodemic with effective measures that also counter cyber threats and hold actors accountable for their behavior in cyberspace.

Additional information

Notes on contributors

Tiffany Smith

Tiffany Smith currently works in the field of international trade law. As a Governance Support Officer under the supervision of Stéphane Duguin at the CyberPeace Institute, she was involved in examining the effects of cyberattacks on the healthcare sector, among other areas. In 2019, she received a Master’s degree in International Law from The Graduate Institute of International and Development Studies and completed her Master’s dissertation on cybersecurity laws and their effect on the broader international legal framework.