ARGUMENT: FRAGILE DATA SUPPLY CHAINSHome for the Holidays? The Global Implications of a State-Level Cyberattack

Maryland is a small state. Geographically, it is the 42nd biggest state and ranks only 18th in population. But despite its small size, the 4 December 2021, cyberattack on the Maryland Department of Health (MDH) had a global impact.

Maggie Smith writes in Lawfare that at first blush, the MDH hack may seem like a local-to-Maryland problem. After all, the network security incident affected only MDH and some of its external partners—including local health departments.

However, the hack impaired MDH’s ability to report accurate COVID-19 data; and nearly a month after the initial outage, only 90 percent of state-level surveillance data have been restored. But who cares? After all, the department is a state-level organization that includes MDH and 24 local health departments—one each in Baltimore City and Maryland’s 23 counties—and whose vision is “lifelong health and wellness for all Marylanders.” So why would someone in Indiana or Nevada care about county-level transmission rates in Maryland? Or to be even more expansive, why would someone in Zimbabwe or Japan care? 

I argue that the MDH hack points to a concerning development at the nexus of cybercrime and data supply chains: Maryland’s COVID-19 stats may not be of direct interest to nonresidents, but MDH’s state-level data is one step in the global COVID-19 data supply chain that aggregates at the World Health Organization. In the current era of great power competition, adversaries seek to influence, manipulate, and obfuscate the information environment to degrade or deny America’s ability to respond and react to crises, making it necessary for the United States to focus on protecting the integrity of data supply chains to ensure readiness for resilience. With all the hallmarks of a ransomware attack, the MDH hack exposes how vulnerabilities in public data supply chains have the potential to affect the information available to decision-makers in times of national and international crises and normal, day-to-day operations. Ultimately, when Maryland’s numbers are off, the whole world’s numbers are off, and everyone should be concerned about that.

Smith concludes:

the MDH hack shows how fragile data supply chains can be and signals how easy it is to disrupt even the most critical data flows by stopping the upstream flow of data that provides the insights and statistics on which the nations’ decision-makers rely. Ultimately, adversaries can easily disrupt critical information flows to confuse, manipulate, and influence public, private, and personal readiness. If key leaders are unable to accurately assess conditions in a crisis, resources may be prioritized incorrectly, response efforts vectored to the wrong regions, recovery funding and assistance sent erroneously—in short, the list of potential impacts to national readiness and resilience is endless.