security

Keeping the Peace: The New Landscape for European Security and Defence




security

Computer Hacking: How Big is the Security Threat?




security

Cyber Security Series: Securing Elections and Reclaiming Democratic Processes




security

Cyber Security Series: Comparing Best Practice Across Europe




security

International Security Institutions: A Closer Look




security

Cybersecurity Series: Inside the Cyber Mafia




security

China and the Future of the International Order – Peace and Security




security

Cybersecurity Series: Exploring Methods of Internet Censorship and Control




security

UK–EU Defence and Security Cooperation after Brexit




security

Serbia-Kosovo Dialogue: The Future of Peace and Security in the Western Balkans




security

Podcast: International Law, Security and Prosperity in the Asia-Pacific




security

Security Challenges in the Mediterranean Region




security

The Climate Briefing: Episode 3 - Climate Change and National Security




security

COP26 Diplomatic Briefing Series: Climate Change and National Security

Research Event

25 March 2020 - 9:00am to 10:30am

Event participants

Lieutenant General Richard Nugee, Departmental Lead for Climate Change and Sustainability in the UK Ministry of Defence
Rear Admiral Neil Morisetti, Vice Dean (Public Policy) Engineering Sciences at the University College London and Associate Fellow at Chatham House
Dr. Patricia Lewis, Research Director for Conflict, Science and Technology, and Director of the International Security Programme at Chatham House
Professor Yacob Mulugetta, Professor of Energy and Development Policy at the University College London
Chair: Glada Lahn, Senior Research Fellow, Chatham House
Extreme weather, rising sea levels and a melting Arctic - the effects of climate change are posing an increasingly large threat to national security worldwide. Although the issue has gained traction within the international community in recent years, including within the UN Security Council, it is urgent that governments act more decisively to mitigate and respond to the threat, not least given that climate change is happening faster and in a more powerful way than originally anticipated.
 
The third event in the Chatham House COP26 Diplomatic Briefing Series – 'Climate Change and National Security' - will analyze how climate change acts as a threat multiplier, fuelling instability and endangering economic, social and political systems across the globe. The briefing will also provide recommendations of what governments and other stakeholders should do to develop effective responses.
 

Anna Aberg

Research Analyst, Energy, Environment and Resources Programme
020 7314 3629




security

Strengthening National Accountability and Preparedness for Global Health Security (SNAP-GHS)

The project aims to identify the enablers and barriers to enhance data use by National Public Health Institutes (NPHIs), producing outputs that will facilitate strengthening of the role of NPHIs in monitoring potential public health threats, and in shaping and informing domestic policies on health security and preparedness.

Global health security is underpinned by the actions taken at a national level to ensure capacities exist to sufficiently prepare for and respond to acute threats and crises. In many contexts, National Public Health Institutes (NPHIs) were first established because of, and in response to, specific public health challenges typically related to infectious diseases.

The Strengthening National Accountability and Preparedness for Global Health Security (SNAP-GHS) project evolved from a series of roundtables and discussions hosted by the Centre on Global Health Security at Chatham House, in collaboration with the Graduate Institute of Geneva.

The outcome of the project is a SNAP-GHS Toolkit to support NPHIs in better diagnosing and understanding the challenges to data use within their own institutes, as well as in relation to external stakeholders and agencies. The toolkit is intended to be used for further circulation and dissemination by the International Association of National Public Health Institutes (IANPHI).

The project is led by the Centre on Global Health Security at Chatham House in collaboration with the Ethiopian Public Health Institute, the Nigeria Centre for Disease Control, and the National Institute for Health in Pakistan.




security

Biosecurity: Preparing for the Aftermath of Global Health Crises

9 January 2020

Professor David R Harper CBE

Senior Consulting Fellow, Global Health Programme

Benjamin Wakefield

Research Associate, Global Health Programme
The Ebola outbreak in the Democratic Republic of the Congo is a reminder that the security of samples taken during global health emergencies is a vital part of safeguarding biosecurity.

A nurse prepares a vaccine against Ebola in Goma in August 2019. Photo: Getty Images.

The world’s second-largest Ebola outbreak is ongoing in the Democratic Republic of the Congo (DRC) and experts from around the world have been parachuted in to support the country’s operation to stamp out the outbreak. The signs are encouraging, but we need to remain cautious.

In such emergencies, little thought is usually given to what happens to the body-fluid samples taken during the course of the outbreak after the crisis is over. What gets left behind has considerable implications for global biosecurity.

Having unsecured samples poses the obvious risk of accidental exposures to people who might come into contact with them, but what of the risk of malicious use? Bioterrorists would have ready access to materials that have the characteristics essential to their purpose: the potential to cause disease that is transmissible from person to person, the capacity to result in high fatality rates and, importantly, the ability to cause panic and social disruption at the very mention of them.

Comparisons can be drawn with the significant international impact of the anthrax attacks in the US in 2001. Not only was there a direct effect in the US with five deaths and a further 17 people infected, but there was a paralysis of public health systems in other countries involved in the testing of countless samples from the so-called ‘white-powder incidents’ that followed.

Many laboratory tests were done purely on a precautionary basis to eliminate any possibility of a risk, no matter how remote. However, the UK was also hit when a hoaxer sent envelopes of white powder labelled as anthrax to 15 MPs.

The threat of the pathogen alone resulted in widespread fear, the deployment of officers trained in response to chemical, biological, radiological and nuclear incidents and the evacuation of a hospital emergency department.

We learned from the 2014–16 West Africa Ebola outbreaks that during the emergency, the future biosecurity implications of the many thousands of samples taken from people were given very little consideration. It is impossible to be sure where they all are and whether they have been secured.

It is widely recognized that the systems needed at the time for tracking and monitoring resources, including those necessary for samples, were weak or absent, and this has to be addressed urgently along with other capacity-building initiatives.

In Sierra Leone, for example, the remaining biosecurity risk is only being addressed after the fact. To help achieve this, the government of Canada is in the process of providing a secure biobank in the Sierra Leonean capital of Freetown. The aim is to provide the proper means of storage for these hazardous samples and to allow them to remain in-country, with Sierra Leonean ownership.

However, it is already more than three years since the emergency was declared over by the then director-general of the World Health Organization (WHO), Margaret Chan, and the biobank and its associated laboratory are yet to be fully operational.

There are many understandable reasons for this delay, including the critical issue of how best to ensure the sustainability of any new facility. But what is clear is that these solutions take time to implement and must be planned for in advance.

The difficulties of responding to an outbreak in a conflict zone have been well documented, and the frequent violence in DRC has undoubtedly caused delays in controlling the outbreak. According to figures from WHO, during 2019 approximately 390 attacks on health facilities in DRC killed 11 and injured 83 healthcare workers and patients.

Not only does the conflict inhibit the response, but it could also increase the risk posed by unsecured samples. There are two main potential concerns.

First is the risk of accidental release during an attack on a health facility, under which circumstances sample containers may be compromised or destroyed. Second is that the samples may be stolen for malicious use or to sell them to a third-party for malicious use. It is very important in all outbreaks to ensure the necessary measures are in place to secure samples; in conflict-affected areas, this is particularly challenging.

The sooner the samples in the DRC are secured, the sooner this risk to global biosecurity is reduced. And preparations for the next emergency must be made without further delay.

The following steps need to be taken:

  • Affected countries must ‘own’ the problem, with clear national government commitment to take the required actions.
  • Funding partners must coordinate their actions and work closely with the countries to find the best solutions.
  • If samples are to be kept in-country, secure biobanks must be established to contain them.
  • Sustainable infrastructure must be built for samples to be kept secure into the future.
  • An international agreement should be reached on the best approach to take to prepare for the aftermath of global health emergencies.




security

Air gap security beaten by turning PC capacitors into speakers

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices.




security

Firefox 76.0 released with critical security patches – update now

Firefox's latest version is out, with new password management features and a raft of security fixes.




security

S2 Ep38: Crashing iPhones, ransomware tales and human chatbots – Naked Security Podcast

Get the latest cybersecurity news, opinion and advice.




security

Vote for Naked Security in the European Blogger Awards 2020!

If you enjoy what you read, hear and see from the Naked Security team, please vote for us - it means a lot!




security

Security and Prosperity in Asia: The Role of International Law

1 November 2019

The 'Security and Prosperity in Asia' conference looked at the impact of international law in the Asia-Pacific with a focus on regional economic and security issues such as the South China Sea disputes.

Singapore skyline at sunset, 2016. Photo: Getty Images.

About the Conference

At a time of geopolitical uncertainty and with multilateralism under pressure, this conference brought together diverse actors to explore the evolving role of international law on critical security and economic issues in the Asia-Pacific. From trade agreements to deep-sea mining, cyberwarfare to territorial disputes, the breadth of the discussion illustrated the growing reach of international law in the region.

Hosted by the International Law Programme and the Asia-Pacific Programme at Chatham House on 27 March 2019, the conference focused on three themes: trade and investment, maritime security and governance, and emerging security challenges. What trends are emerging in terms of engagement with international law in the region, and how can international standards play a greater role in encouraging collaboration and reducing tensions? And, with the eastward shift in geopolitical power, how will Asia-Pacific states shape the future of international law?




security

Non-traditional security cooperation between China and south-east Asia: implications for Indo-Pacific geopolitics

8 January 2020, Volume 96, Number 1

Xue Gong

The ‘free and open Indo-Pacific’ (FOIP) strategy, actively promoted by the United States with support from its allies and partners, is a significant geopolitical response to China's growing power and expanding influence in Asia and beyond. Beijing has adopted various new strategies to cope with the challenges related to FOIP. One of these strategies is to secure a robust relationship with south-east Asia in order to make these regional states either neutral to or less supportive of the Indo-Pacific vision. In addition to economic statecraft and soft power, Beijing believes that it can also tap into the domain of non-traditional security (NTS) to strengthen relations with this region to position itself better in the intensifying regional geopolitical competition. The article addresses the following question: what is the impact of China's NTS cooperation with south-east Asia on Beijing's geopolitical rivalry with other major powers in the Indo-Pacific region? The article argues that China's NTS cooperation with south-east Asian countries may help China maintain its geopolitical standing in the region, but it is unlikely to lead to any dramatic increase of China's strategic influence in the region. This essentially means that Beijing may be able to prevent ASEAN or most ASEAN member states from lending substantive and strong support to the Indo-Pacific construct, but it will not be able to stop ASEAN states from supporting some elements of the FOIP.




security

The Belt and Road Initiative: geo-economics and Indo-Pacific security competition

8 January 2020, Volume 96, Number 1

Mingjiang Li

The Belt and Road Initiative (BRI) has been regarded by international society as a major policy tool in China's geo-economic strategy. Under this policy platform, Beijing has pledged to invest billions of dollars in the infrastructure and industrial sectors across Eurasia and in the Indo-Pacific nations. It is widely believed that such a huge amount of investment will inevitably generate significant geostrategic repercussions in these regions. In response to the BRI, the United States and other powers have come up with a ‘free and open Indo-Pacific’ strategy. This article attempts to address the following question: what impact is the BRI likely to have on the security ties between China and the other major players in the Indo-Pacific? The author finds that the BRI may significantly transform China's international security policy and the expansion of Beijing's security influence may further intensify the security competition between China and other major powers in the Indo-Pacific region. The article also proposes a new analytical angle for the study of geo-economics that unpacks the role of economic activities and processes in generating geopolitical intentions and catalysing geopolitical competition.




security

CBD News: Message from Executive Secretary, Ahmed Djoghlaf, on the occasion of the High-Level Conference on World Food Security and the Challenges of Climate Change and Bioenergy FAO, Rome, 3 June 2008.




security

CBD World Food Security: the Challenges of Climate Change and Bioenergy, Message from Dr. Ahmed Djoghlaf, Executive Secretary of the Convention on Biological Diversity on the occasion of World Food Day, 16 October 2008.




security

CBD News: Food Security in Mountains, Message by the Executive Secretary, Dr. Ahmed Djoghlaf, on the occasion of International Mountain Day, 11 December 2008.




security

CBD News: Message from Ahmed Djoghlaf, Executive Secretary of the Convention on Biological Diversity, on the occasion of World Food Day, 16 October 2009 - Achieving Food Security in Times of Crisis.




security

CBD News: Statement by Mr Ahmed Djoghlaf, CBD Executive Secretary, on the occasion of the Conference on Delivering Global Food Security: Global Biological Diversity for Development in the Post-2010 Era, 13 September 2010, Cordoba, Spain.




security

CBD News: Statement by Mr Ahmed Djoghlaf, CBD Executive Secretary On the occasion of the Conference on Agriculture, Food Security and Climate Change, 1 November 2010, The Hague, Netherlands.




security

CBD Communiqué: Water Security Depends on Forests and Wetlands.




security

CBD News: Message from the CBD Executive Secretary on the occasion of the Second Forum on Climate Change, Agriculture and Food Security in the Near East Region, 27 to 29 June, 2011




security

CBD News: Message of the Executive Secretary of the Convention on Biological Diversity, Mr. Braulio Ferreira de Souza Dias, on the occasion of World Water Day 2012 "Water and Food Security", 22 March 2012




security

CBD News: Increasing urbanization over the next decades presents not only unprecedented challenges for humanity, but also opportunities to curb climate change, reduce water scarcity and improve food security, according to the world's first global asse




security

CBD News: As the global population increases in the years to come, and as climate change affects the availability of water, with consequences for water and food security, land will become even more important. Drylands hold a significant proportion of th




security

CBD News: As cities move forward on implementing the agenda under the Convention, they will show that they can lead the way in sustainably using biodiversity and the ecosystem services it underpins, as the basis for addressing water and food security, dis




security

CBD News: Biodiversity underpins dietary diversity and access to sufficient food is a cornerstone of food security and a fundamental determinant of health.




security

CBD News: Healthy communities rely on well-functioning ecosystems. They provide clean air, fresh water, medicines and food security. They also limit disease and stabilize the climate. But biodiversity loss is happening at unprecedented rates, impacting hu




security

CBD News: As we celebrate this year's World Day to Combat Desertification, the message could not be clearer; in order to attain food security for all through sustainable food systems we must invest in our land. Soils represent at least a quarter of g




security

CBD News: Montreal/Nairobi, 3 June 2016 - Biodiversity and ecosystem services are at the heart of many solutions to sustainable increase in agricultural productivity. They not only deliver better outcomes for food and nutrition security but also reduce n




security

CBD News: At a critical meeting opening tomorrow, the United Nations will call on decision makers from more than 190 countries to step up efforts to halt the loss of biodiversity and protect the ecosystems that support food and water security and health f




security

CBD News: Two major pieces of research reveal the clear and present danger biodiversity loss and climate change pose to the health, security and well-being of humanity.




security

Security and Prosperity in the Asia-Pacific: The Role of International Law

Research Event

27 March 2019 - 10:00am to 5:00pm

Chatham House | 10 St James's Square | London | SW1Y 4LE

Event participants

Koji Tsuruoka, Ambassador of Japan to the United Kingdom
Ben Saul, Associate Fellow, International Law Programme, Chatham House; Challis Chair of International Law, Australian National University
Lee Chen Chen, Director, Singapore Institute of International Affairs
Aniruddha Rajput, Member, UN International Law Commission; Consultant, Withersworldwide

 

The rapid growth in the Asia-Pacific’s economic and political power has significant implications for global governance. Asia-Pacific countries such as Japan, India and China – and regional bodies such as ASEAN – are increasingly informing, influencing and seeking to shape international standards and norms.

This conference will bring together international law and policy experts to explore the political and legal dynamics affecting economic relations, security challenges and maritime governance in the region.

Given security and prosperity challenges within the region as well as the increasingly complex environment for global governance, to what extent is international law operating as a tool of cooperation in the Asia-Pacific? In which areas is it a source of friction?

And what are the broader implications for global governance including the development of international law?

Chanu Peiris

Programme Manager, International Law
+44 (0)20 7314 3686




security

Cybersecurity in the Commonwealth: Building the Foundations of Effective National Responses in the Caribbean

Invitation Only Research Event

8 March 2019 - 9:00am to 5:30pm

Bridgetown, Barbados

Event participants

Joyce Hakmeh, Cyber Research Fellow, International Security Department, Chatham House

This workshop is the second in a series in the 'Implementing the Commonwealth Cybersecurity Agenda' project. The workshop aims to provide a multi-stakeholder pan-Commonwealth platform to discuss how to take the implementation of the 'Commonwealth Cyber Declaration' forward with a focus on the second pillar of the declaration – building the foundations of an effective national cybersecurity response with eight action points. 

As such, the workshop gathers different project implementers under the UK Foreign and Commonwealth Office’s Cyber Programme, in addition to other key relevant stakeholders from the global level, to explore ongoing initiatives which aim to deliver one or more of pillar two’s action points.

The workshop addresses issues from a global perspective and a Commonwealth perspective and will include presentations from selected partners from different Commonwealth countries.

Calum Inverarity

Research Analyst and Coordinator, International Security Department
+44 (0) 207 957 5751




security

Cybersecurity of NATO’s Space-based Strategic Assets

1 July 2019

Almost all modern military engagements rely on space-based assets, but cyber vulnerabilities can undermine confidence in the performance of strategic systems. This paper will evaluate the threats, vulnerabilities and consequences of cyber risks to strategic systems.

Dr Beyza Unal

Senior Research Fellow, International Security Programme

The radar domes of RAF Menwith Hill, reported to be the biggest spy base in the world, dominate the skyline on 30 October 2007 in Harrogate, UK. Photo: Getty Images

Summary

  • All satellites depend on cyber technology including software, hardware and other digital components. Any threat to a satellite’s control system or available bandwidth poses a direct challenge to national critical assets.
  • NATO’s missions and operations are conducted in the air, land, cyber and maritime domains. Space-based architecture is fundamental to the provision of data and services in each of these contexts. The critical dependency on space has resulted in new cyber risks that disproportionately affect mission assurance. Investing in mitigation measures and in the resilience of space systems for the military is key to achieving protection in all domains.
  • Almost all modern military engagements rely on space-based assets. During the US-led invasion of Iraq in 2003, 68 per cent of US munitions were guided utilizing space-based means (including laser-, infrared- and satellite-guided munitions); up sharply from 10 per cent in 1990–91, during the first Gulf war. In 2001, 60 per cent of the weapons used by the US in Afghanistan were precision-guided munitions, many of which had the capability to use information provided by space-based assets to correct their own positioning to hit a target.
  • NATO does not own satellites. It owns and operates a few terrestrial elements, such as satellite communications anchor stations and terminals. It requests access to products and services – such as space weather reports and satellite overflight reports provided via satellite reconnaissance advance notice systems – but does not have direct access to satellites: it is up to individual NATO member states to determine whether they allow access.
  • Cyber vulnerabilities undermine confidence in the performance of strategic systems. As a result, rising uncertainty in information and analysis continues to impact the credibility of deterrence and strategic stability. Loss of trust in technology also has implications for determining the source of a malicious attack (attribution), strategic calculus in crisis decision-making and may increase the risk of misperception.




security

Cybersecurity by Design in Civil Nuclear Power Plants

24 July 2019

Cyberattacks are increasingly challenging critical national infrastructure. This paper considers the security by design approach for civil nuclear power plants and analyses areas of risk and opportunities for the nuclear industry.

Dr Beyza Unal

Senior Research Fellow, International Security Programme

Roger Brunt

Managing Director, Grosmont Howe Ltd

An employee climbs into the cooling tower of the third and fourth unit at Mochovce nuclear power plant in Slovakia on 2 July 2019. Photo: Getty Images

Summary

  • The application of ‘security by design’ in nuclear new builds could provide operators with the opportunity to establish a robust and resilient security architecture at the beginning of a nuclear power plant’s life cycle. This will enhance the protection of the plant and reduce the need for costly security improvements during its operating life.
  • Security by design cannot fully protect a nuclear power plant from rapidly evolving cyberattacks, which expose previously unsuspected or unknown vulnerabilities.
  • Careful design of security systems and architecture can – and should – achieve levels of protection that exceed current norms and expectations. However, the sourcing of components from a global supply chain means that the integrity of even the most skilfully designed security regime cannot be guaranteed without exhaustive checks of its components.
  • Security by design may well include a requirement for a technical support organization to conduct quality assurance of cyber defences and practices, and this regime should be endorsed by a facility’s executive board and continued at regular intervals after the new build facility has been commissioned.
  • Given the years it takes to design, plan and build a new nuclear power plant, it is important to recognize that from the point of ‘design freeze’ onwards, the operator will be building in vulnerabilities, as technology continues to evolve rapidly while construction fails to keep pace with it. Security by design cannot be a panacea, but it is an important factor in the establishment of a robust nuclear security – and cybersecurity – culture.




security

Who’s Afraid of Huawei? Understanding the 5G Security Concerns

9 September 2019

Emily Taylor

Associate Fellow, International Security Programme
Emily Taylor examines the controversy around the Chinese tech giant’s mobile broadband equipment and the different approaches taken by Western countries.

Huawei's Ox Horn campus in Dongguan, China. Photo: Getty Images.

As countries move towards the fifth generation of mobile broadband, 5G, the United States has been loudly calling out Huawei as a security threat. It has employed alarmist rhetoric and threatened to limit trade and intelligence sharing with close allies that use Huawei in their 5G infrastructure.

While some countries such as Australia have adopted a hard line against Huawei, others like the UK have been more circumspect, arguing that the risks of using the firm’s technology can be mitigated without forgoing the benefits.

So, who is right, and why have these close allies taken such different approaches?

The risks

Long-standing concerns relating to Huawei are plausible. There are credible allegations that it has benefitted from stolen intellectual property, and that it could not thrive without a close relationship with the Chinese state.

Huawei hotly denies allegations that users are at risk of its technology being used for state espionage, and says it would resist any order to share information with the Chinese government. But there are questions over whether it could really resist China’s stringent domestic legislation, which compels companies to share data with the government. And given China’s track record of using cyberattacks to conduct intellectual property theft, there may be added risks of embedding a Chinese provider into critical communications infrastructure.

In addition, China’s rise as a global technological superpower has been boosted by the flow of financial capital through government subsidies, venture and private equity, which reveal murky boundaries between the state and private sector for domestic darlings. Meanwhile, the Belt and Road initiative has seen generous investment by China in technology infrastructure across Africa, South America and Asia.

There’s no such thing as a free lunch or a free network – as Sri Lanka discovered when China assumed shares in a strategic port in return for debt forgiveness; or Mexico when a 1% interest loan for its 4G network came on the condition that 80% of the funding was spent with Huawei.

Aside from intelligence and geopolitical concerns, the quality of Huawei’s products represents a significant cyber risk, one that has received less attention than it deserves.

On top of that, 5G by itself will significantly increase the threat landscape from a cybersecurity perspective. The network layer will be more intelligent and adaptable through the use of software and cloud services. The number of network antennae will increase by a factor of 20, and many will be poorly secured ‘things’; there is no need for a backdoor if you have any number of ‘bug doors’.

Finally, the US is threatening to limit intelligence sharing with its closest allies if they adopt Huawei. So why would any country even consider using Huawei in their 5G infrastructure?

Different situations

The truth is that not every country is free to manoeuvre; 5G technology will sit on top of existing mobile infrastructure.

Australia and the US can afford to take a hard line: their national infrastructure has been largely Huawei-free since 2012. However, the Chinese firm is deeply embedded in other countries’ existing structures – for example, in the UK, Huawei has provided telecommunications infrastructure since 2005. Even if the UK decided tomorrow to ditch Huawei, it cannot just rip up existing 4G infrastructure. To do so would cost a fortune, risk years of delay in the adoption of 5G and limit competition in 5G provisioning.

As a result, the UK has adopted a pragmatic approach resulting from years of oversight and analysis of Huawei equipment, during which it has never found evidence of malicious Chinese state cyber activity through Huawei.

At the heart of this process is the Huawei Cyber Security Evaluation Centre, which was founded in 2010 as a confidence-building measure. Originally criticized for ‘effectively policing itself’, as it was run and staffed entirely by Huawei, the governance has now been strengthened, with the National Cyber Security Centre chairing its oversight board.

The board’s 2019 report makes grim reading, highlighting ‘serious and systematic defects in Huawei’s software engineering and cyber security competence’. But it does not accuse the company of serving as a platform for state-sponsored surveillance.

Similar evidence-based policy approaches are emerging in other countries like Norway and Italy. They offer flexibility for governments, for example by limiting access to some contract competition through legitimate and transparent means, such as security reviews during procurement. The approaches also raise security concerns (both national and cyber) to a primary issue when awarding contracts – something that was not always done in the past, when price was the key driver.

The UK is also stressing the need to manage risk and increase vendor diversity in the ecosystem to avoid single points of failure. A further approach that is beginning to emerge is to draw a line between network ‘core’ and ‘periphery’ components, excluding some providers from the more sensitive ‘core’. The limited rollouts of 5G in the UK so far have adopted multi-provider strategies, and only one has reportedly not included Huawei kit.

Managing the risks to cyber security and national security will become more complex in a 5G environment. In global supply chains, bans based on the nationality of the provider offer little assurance. For countries that have already committed to Huawei in the past, and who may not wish to be drawn into an outright trade war with China, these moderate approaches offer a potential way forward.




security

Cyber Security and Nuclear Weapons

This project aims to improve resilience in NATO’s nuclear weapons systems against cyber threats.

Cyber security is a vital part of the national and international strategic infrastructure and weapons systems. The increasing cyber capabilities of countries such as China, Russia and North Korea put the North Atlantic Treaty Organization’s (NATO’s) nuclear systems - capabilities that include nuclear command, control and communication, weapons systems and early warning systems - in danger.

There is an urgent need to study and address cyber challenges to nuclear assets within NATO and in key NATO countries. Greater awareness of the potential threats and vulnerabilities is key to improving preparedness and mitigating the risks of a cyber-attack on NATO nuclear weapons systems.

Chatham House produces research responding to the need for information on enhancing cybersecurity for command, control and communications. This project constitutes the beginning of the second phase of the Cyber Security of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences, a report published in January 2018 in partnership with the Stanley Foundation.

The project responds both to the need for more public information on cyber risks in NATO’s nuclear mission and to the need for policy-driven research to shape and inform nuclear policy within NATO member states and the Nuclear Planning Group.

This project is supported by the Ploughshares Fund and the Stanley Foundation.




security

Nuclear Weapons: Innovative Approaches for the Complex International Security Environment

This programme of work addresses the conundrum of nuclear weapons as a wicked problem in a complex adaptive system.

Understanding the complexity and the wickedness of the situation allows analysts and strategic planners to approach these complex and intractable issues in new and transformative ways – with a better chance of coping or succeeding and reducing the divisions between experts.

Using complexity theory, a complex adaptive system representing the international system and its interaction with the environment can be represented through an interactive visualization tool that will aid thought processes and policy decision-making. 

Until recently, analysts did not have the tools to be able to create models that could represent the complexity of the international system and the role that nuclear weapons play. Now that these tools are available, analysts should use them to enable decision-makers to gain insights into the range of possible outcomes from a set of possible actions.

This programme builds on work by Chatham House on cyber security and artificial intelligence (AI) in the nuclear/strategic realms.

In order to approach nuclear weapons as wicked problems in a complex adaptive system from different and sometimes competing perspectives, the programme of work involves the wider community of specialists who do not agree on what constitutes the problems of nuclear weapons nor on what are the desired solutions.

Different theories of deterrence, restraint and disarmament are tested. The initiative is international and inclusive, paying attention to gender, age and other aspects of diversity, and the network of MacArthur Grantees is given the opportunity to participate in the research, including in the writing of research papers, so that the complexity modelling can be tested against a wide range of approaches and hypotheses.

In addition, a Senior Reference Group will work alongside the programme, challenging its outcome and findings, and evaluating and guiding the direction of the research.

This project is supported by the MacArthur Foundation.




security

Supporting NHS Cybersecurity During COVID-19 is Vital

2 April 2020

Joyce Hakmeh

Senior Research Fellow, International Security Programme; Co-Editor, Journal of Cyber Policy
The current crisis is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

Nurse uses a wireless electronic tablet to order medicines from the pharmacy at The Queen Elizabeth Hospital, Birmingham, England. Photo by Christopher Furlong/Getty Images.

The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.

In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.

In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.

Health services ill-prepared

Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.

When the NHS was hit by the WannaCry ransomware attack in 2017 – one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.

But the UK’s National Cyber Security Centre (NCSC) has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as a category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.

Although the NHS has taken measures since WannaCry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between operational and information technology (OT/IT) mean that mitigating current potential threats is beyond its ability.

And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.

Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.

The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.

The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.

Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.

Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.

The NCSC, for instance, has led the formation of the Cyber Security Information Sharing Partnership (CiSP) – a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.

CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.

They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.

The NCSC should continue working with the NHS to enhance the provision of comprehensive public guidance on cyber defence and response to potential attacks. This would show they are on top of the situation, projecting confidence and reassurance.

It is often said that in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.