To say the first few weeks of vaccine delivery have been turbulent would be an understatement. States across the US have found themselves struggling with underdeveloped logistics that have caused problems in delivery and made rollout slower than promised. Meanwhile, the debacle at Stanford Medical Center, where a system to rank potential vaccine recipients managed to ignore frontline doctors, was proof that you could over-engineer the system too.
Many were puzzled as to how this could happen, given the months of lead time to arrange distribution. The US government had used a press conference in October to explain the military’s role in what it claimed would be world-leading delivery of vaccines.
“We have the best logisticians in the world at the Department of Defense, working in conjunction with the CDC, to guide … every logistical detail you could possibly think of,” declared Paul Mango, the deputy chief of staff for policy at the Department of Health and Human Services. Though the military would not be involved in giving injections, he said, it would run an end-to-end system of surveillance to ensure that every dose of vaccine was administered with precision before it expired.
That supply chain, however, has come under attack.
In one case a pharmacist in Wisconsin managed to sabotage 500 vaccines, apparently driven by his belief in apocalyptic conspiracy theories. It wasn’t exactly the strike that Interpol warned about when it cautioned nations to remain vigilant against threats to the vaccine supply from organized crime, but it did show that the weaknesses in the system were there—and that they might be the consequence of bad decisions at the top.
Temporary fixes cause trouble
It has become increasingly clear that many hospitals, pharmacies, and other facilities that received vaccine deliveries are on their own: forced to oversee the logistics themselves, organize appointments with patients, and monitor follow-ups. Under pressure, they have started to make hasty or uninformed decisions, or turn to services that weren’t built for such critical purposes.
Reports started to trickle in about how different free websites, like SignUpGenius, were being used for vaccination reservations in Oklahoma. Princeton University sociologist Shamus Khan chronicled how he was frustratedly refreshing Eventbrite, an online event service website, in order to grab a spot for his elderly parents in Florida. Some health departments in the state had decided to use the system because it was “quickest, easiest, and most efficient way” to meet their pressing need.
Later, however, it was revealed that some people who thought they had paid to secure a spot via Eventbrite had been duped. Fraudsters had created fake listings pages to trick people into handing over their money for appointments that didn’t exist. Phone numbers for county health departments were jammed all day, and websites struggled with demand, compounding the problem.
The use of third-party websites creates the perfect opportunity for a low-tech supply chain attack. Typically when we think about supply chains and cybercrimes, images of malicious software, stolen passwords, or phishing come to mind. But no hacking was needed in this case. What happened in Florida was media manipulation in the form of impersonation: fraudsters had only to use the website as it was designed in order to run away with desperate seniors’ cash.
The rule of misinformation
These cases are alarming for a number of reasons. Imposter sites hiding behind suspect domains to sell fake wares have become common during the pandemic. So, too, has the use of social media to conduct low-grade information warfare claiming that the pandemic is a conspiracy.
But if there is a law of misinformation, it is this: Everything open will be exploited.
Scammers will profit from crisis and confusion, especially if the heist is easy and risks are minimal. When the DOD and CDC failed to consider the last mile for vaccine delivery, it opened the possibility for a supply chain attack. Counties and hospitals with limited resources and basic infrastructure are not pandemic prepared, nor have they been briefed on the security risks posed by third-party websites that make money by harvesting the data associated with signups.
Counties should not be left to deal with this issue ad hoc. Media manipulators will continue to use their tactics until it is no longer profitable, and federal authorities should step up to the challenge and provide access to the logistics technology they so proudly boasted about in press conferences. The incoming administration promises to deliver 100 million shots during its first 100 days—but to do that, it will have to address misinformation as well all the other issues.
As a nation, we must treat these vaccines as life-saving medicine and ensure that this precious cargo is secured just like our software: end-to-end—or shot-to-arm.
—Joan Donovan is the research director of the Shorenstein Center on Media, Politics and Public Policy at Harvard.