Dangerous Liaisons: Terrorism and Pharma - Pharmaceutical Executive


Dangerous Liaisons: Terrorism and Pharma

Pharmaceutical Executive

The Shionogi case: What happens when pharma fails to monitor ex-employees

Every landlord knows to change the locks after a tenant leaves—but at least one pharmaceutical company didn't similarly change the internal passwords after an IT worker left—and suffered the consequences. Jason Cornish, a former IT specialist of Shionogi, Inc., the United States subsidiary of that Japanese pharmaceutical company, resigned just ahead of a major cutback that made redundant a former supervisor and close friend. In revenge for his friend's termination, Cornish gained unauthorized access to Shionogi's computer network using a "back door" he'd installed before his resignation. Cornish then used the secretly installed software program to delete the contents of each of 15 "virtual hosts" on Shionogi's computer network.

These 15 virtual hosts (subdivisions on a computer designed to make it function like several computers) housed the equivalent of 88 different computer servers. Cornish used his familiarity with Shionogi's network to identify each of these virtual hosts by name or by its corresponding Internet Protocol address.

The deleted servers housed most of Shionogi's American computer infrastructure, including the company's e-mail and Blackberry servers, its order tracking system, and its financial management software. The attack effectively froze Shionogi's operations for a number of days, leaving company employees unable to ship product, cut checks, or communicate by e-mail.

Cornish was eventually traced to the IP address of a McDonald's restaurant in Georgia where he'd charged a meal with a credit card at the time the Shionogi systems had been hacked. He was sentenced to 41 months in prison, and required to pay $812,567 in restitution.

The Shionogi experience demonstrates just a small fraction of the risk of improperly secured computer systems, and failure to consider the possibility of criminal or terrorist acts by former employees who leave with valued information. The risk of cyber-access for pharma goes far beyond vandalizing a company's systems—it potentially spans criminal interest in a company's secret manufacturing and security technology, as well as providing the gist for political attacks designed to embarrass or damage the pharmaceutical industry.

Suppose, for example, a former pharma company IT specialist sells his access information to criminals with economic or political clients:

The access information could be sold to international customers interested in mining the company's R&D computers for unpatented technology or secret manufacturing technology. It could steal the company's unpublished adverse reactions reports, tests using laboratory animals, or information on the status of contract negotiations.

The same information could be used to access a company's HR records, where terrorists could find employees with internationally vulnerable families—employees who could be blackmailed to steal biologicals or toxins with terror potential, or to reveal technology such as how to produce the three-micron particles needed to weaponize agents like anthrax.

Counterfeiters might value knowing the source and composition of proprietary coatings and packaging materials, so they can more easily produce fakes capable of escaping detection by the closest visual examination.

Criminals in the raw materials supply chain may wish to exploit knowledge of incoming assay tests so they can subvert those tests by substituting cheap adulterated additives. Baxter's Chinese suppliers of heparin precursor knew about Baxter's safety inspection tests, and substituted cheap oversulfated chondroitin for expensive heparin precursor.

Other criminals in the supply chain may wish to learn how to penetrate track-and-trace security—or even the schedule of truck shipments to distant warehouses or wholesalers.

The Japanese terror group Aum Shinrikyo, responsible for a 1995 sarin gas attack on the Tokyo subway system, tried to manufacture anthrax and botulinum toxin from common non-pathologic strains. They didn't order pathologic forms from lab supply houses because of traceability after an attack. Today, a terrorist group might use its digital expertise to exploit gaps in a pharmaceutical company's computerized purchase-authorization process to generate orders for dangerous biologicals, and to intercept those orders in transit—thus obtaining vastly more potent organisms than the ones the Japanese cult tried to culture and scale up almost 20 years ago. The cyber threat to pharma from terrorist groups is especially troubling in Japan, because the surviving members of Aum Shinrikyo—regrouped under an organization named with the Hebrew letter "Aleph"—has morphed into a software company specializing in security software. Before its front company names were penetrated, Aleph sold its software programs to at least 10 government agencies, including the Defense Ministry, and more than 80 major Japanese companies. Although the software was removed when its developers were identified, Japanese security officials worry that inadvertent collaboration with terrorist-background individuals might have given them valuable information on how major companies and the government protect their secrets.

Pharma as a political target

Politically-based cyber-attacks on pharma came to international attention on December 8, 2012, when the global hacker group Anonymous announced via YouTube that it intended to attack the global pharmaceutical industry, in a manifesto dubbed "Operation Bad Pharma." The goals of Anonymous appear to harmonize with those of domestic groups pledged to violence against drugmakers, like the UK Animal Liberation Front. In addition to targeting pharma, Anonymous proclaimed it intended to target Israel after the November 2012 rocket attacks on Israeli territory from Gaza—a troubling connection between anti-pharma international hackers and Mid-East militants.

Conclusion: act preemptively to prevent

For managers dealing with day-to-day business challenges, the security issues and risks raised here may seem too remote to merit in-depth consideration and development of action plans. Not since the unsolved 1982 Tylenol poisonings has the US pharmaceutical industry been even considered as potential vector through which a terrorist group or lone wolf might inflict death or illness on the general population. Since that episode, the pharma, cosmetics and food industries have all taken steps to protect their products against field tampering.

However, the industry faces a changed world with different political threats, and new technologies by which terrorists might exploit security gaps. Whether manufacturing brand or generics, solid dosage forms or injectables, every pharmaceutical company should reevaluate its procedures to prevent the entry of criminals and others through their HR departments, supply chains, warehouses, transportation systems, purchasing departments and computer networks. Only formal security Standard Operating Procedures (SOPs) as rigorous as those for quality assurance and GMP, and which are routinely reconsidered and tested, can reduce the risk of involvement in a potentially fatal imagination failure.

Miriam Halperin Wernli, PhD, is Vice President, Deputy Head Global Clinical Development and Global Head Business & Science Affairs, at Actelion Pharmaceuticals in Allschwil, Switzerland. She can be reached at
. Boaz Ganor, PhD, is co-founder of the International Centre for the Study of Radicalization and Political Violence (ICSR), a partnership of the University of Pennsylvania; the Interdisciplinary Center, Israel; King's College, London; and the Regional Center on Conflict Prevention (RCCP), Jordan. He is also deputy dean of the Lauder School of Government at The Interdisciplinary Center as well as executive director of the International Institute for Counter Terrorism (ICT), an academic policy research institute dedicated to innovative public policy solutions to international terrorism. He can be reached at
. They are co-authors of "Dangerous Liaisons" on pharma terrorism risk for World Pharmaceutical Frontiers and speak on this topic at meetings and workshops for security personnel.


blog comments powered by Disqus

Source: Pharmaceutical Executive,
Click here