Global Health Security Turns to Confront Cyber Threats

On May 19, the World Health Assembly—the most important decision-making body of the World Health Organization (WHO)—adopted a new resolution [PDF] at its virtual meeting that addressed responses to the COVID-19 pandemic. Media coverage focused on the assembly’s authorization of an “impartial, independent and comprehensive evaluation” of the pandemic response and the resolution’s call for equitable global access to technologies for combating COVID-19, especially vaccines. However, the resolution is important for another reason. It demonstrates that WHO and its member states recognize the need to confront cyber threats more systematically as part of strengthening global health security.

In the resolution, the World Health Assembly called on WHO member states, international organizations, and other stakeholders to counter the proliferation of “malicious cyber activities” and “misinformation and disinformation” associated with the pandemic. This call reflects concerns about cyberattacks against health-related agencies, facilities, companies, and research institutions and an online “infodemic” of false and misleading information. The assembly also called on WHO member states to protect privacy and personal data while leveraging digital technologies in COVID-19 responses. This part of the resolution reflects government interest in harnessing digital technologies, such as smartphones, for public health purposes, including case observation and contact tracing. Such strategies have raised concerns about privacy and the protection of data. In addition, the assembly requested that the WHO director-general support countries by developing normative and technical guidance, tools, data, and evidence for COVID-19 responses on, among other things, countering disinformation and malicious cyber operations.

The assembly’s resolution is not the first time that cyberattacks, disinformation campaigns, and threats to privacy have been recognized as problems in efforts to protect individual and public health. The Cyberspace Solarium Commission identified health-care and public health systems as critical infrastructure vulnerable to cyberattacks and has issued its own cybersecurity lessons from the COVID-19 pandemic. The WHO has addressed online disinformation in helping countries respond to outbreaks. The leading international agreement on infectious diseases, the International Health Regulations (2005), includes obligations on the treatment of health data that are informed by human rights principles.

However, concerns about cyber threats in global health have arisen in a reactive, ad hoc, and fragmented manner as they have grown more serious. The significance of the World Health Assembly’s resolution arises from how WHO member states more systematically identified cyber threats and integrated action on them in guidance for countries, international organizations, and other stakeholders grappling with COVID-19. This guidance will also inform efforts to improve preparedness and response capabilities against future outbreaks.

In short, the resolution elevates the importance of countering malicious cyber activities, disinformation, and risks to privacy through strategies designed to achieve global health security. In this regard, the resolution is unprecedented. Responses to, and reviews of outbreaks over the past twenty years, including the H1N1 influenza pandemic in 2009 and the West Africa Ebola epidemic of 2014, did not generate a cyber threat agenda for global health.

Implementation of the resolution’s provisions on cyber threats will require an independent evaluation of the pandemic to focus on these issues in order to make recommendations for national and international action. The WHO director general also should respond to the assembly’s request that he support WHO member states on countering cyber threats by, among other things, developing technical and normative guidance. In fulfilling this responsibility, the director general can network with existing technical and normative activities in cybersecurity, international law, human rights, and non-governmental initiatives. Pandemic-related interest in reforming the WHO or revising the International Health Regulations (2005) could also provide opportunities to advance the cyber agenda.

Developing effective policies against cyber threats will be daunting for the global health community. The pandemic has revealed that preparations for outbreaks proved inadequate in many countries. The lessons learned from COVID-19 will produce difficult challenges in many traditional areas of public health, such as strengthening outbreak surveillance and response capacities, that will take priority, consume resources, and reduce policy and capacity bandwidth for tackling cyber threats. Nor can health officials find ready-made answers in the cybersecurity or human rights sectors, which also struggle to defend against cyberattacks, counter disinformation, and mitigate privacy risks in the digital age.

To make matters more difficult, the United States and China have used the pandemic to escalate their rivalry by, among other things, quarreling about cyberattacks, disinformation, and human rights. President Donald Trump’s concerns about the WHO’s interactions with China during the pandemic informed his decision to withdraw the United States from the organization. How the cyber agenda established by the World Health Assembly will make progress in such a hyper-politicized, geopolitical context without U.S. involvement is unclear.

Efforts to advance global health security have leveraged the internet in order to produce faster disease surveillance and achieve better outbreak responses. With the dangers of cyber threats mounting, a stressed and fragmenting global health community now has to confront how the internet is exploited to damage health and human rights.