It's no secret that the Covid-19 pandemic has created prime conditions for nation-state hacking. Working from home often means less-strict security, which in turn invites digital espionage. But on Wednesday, the United States called out China-backed hackers specifically, accusing them of not just spying but endangering Covid-19 vaccine research.
As the world rushes to contain the pandemic and find a vaccine, researchers and government officials have increasingly warned about a rise in cyberattacks, including among those likely linked to intelligence-gathering. The latter have especially targeted public health institutions like the World Health Organization.
The race to develop a vaccine is particularly high stakes. While many countries claim they're willing to collaborate internationally throughout the process, it's unsurprising that some nations would turn to espionage to fill the gaps and suss out what researchers might be holding back. But if these operations disrupt or damage vaccine development, they could violate the norms surrounding espionage. A joint statement by the Federal Bureau of Investigation and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency accuses China of doing exactly that.
"These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with Covid-19-related research," the joint announcement says. "The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options."
The warning gives scant details about how exactly China-linked operations could hinder the delivery of treatments, but it could relate to the potentially distracting and cumbersome precautions organizations must take to shore up their digital defenses.
"If the espionage is throwing off efforts to get to a vaccine, then I’m glad that CISA is calling this out," says Jason Healey, a senior research scholar at Columbia University's School for International and Public Affairs focused on cyberconflict. "But they’re not specifically saying here that China is trying to steal this to gain a national security or competitive advantage. If the US is wanting to argue for norms, I look forward to us doing it directly and saying here’s where we think the playing field lies, because certainly we’re being active in many of these areas as well. I'd expect CIA and NSA are not just sitting on their hands."
International norms of spycraft and espionage are more a collective project than a set of individual rules. Every nation has a security interest in spying and will do so if it can. But there's still generally an unspoken consensus that limits exist on acceptable acts versus those that constitute aggression. Over the past few decades, the rise of digital espionage has given nations much broader potential reach, though, and blurred these already fine lines.
The US has for years struggled to deter Chinese cyber-espionage in particular. A landmark agreement between the two countries in 2015 seemed to slow the pace of assaults on the private sector, but it has since become clear that the accord wasn't a panacea. At this point, the US expects Beijing to perpetrate a certain amount of intelligence-gathering and intellectual property theft but has increasingly condemned those acts publicly, indicted Chinese hackers, and levied sanctions as those efforts escalated. All those tools are meant deter espionage, although so far with little apparent success.
Desperation caused by the Covid-19 pandemic is a powerful incentive for countries to ignore those implicit checks on hacking.
"The prospects for deterrence are dim, because the stakes are very high," says John Hultquist, the director of intelligence analysis at security firm FireEye. "We’re seeing intrusions from several different actors against organizations that are developing treatments: China, Russia, Iran. And we suspect that there are a lot more actors in play. This crisis is just too important to ignore. I don’t think it’s very likely that anyone is conducting business as usual. I think they are all refocusing their efforts on this problem."
The CISA/FBI warning doesn't say why it calls out China alone, when so many countries are presumably involved in the same activities. But the already fraught relationship between China and the US has been complicated even further by the pandemic. Some US officials, including President Trump, have publicly attempted to blame China for the emergence of Covid-19.
Wednesday's announcement came, though, without coordinated, high-profile condemnations of the behavior from the White House or State Department. This could mean that it's not intended to contribute to the narrative that China is to blame for the pandemic. Or it could simply mean that other agencies haven't decided what further steps they might take, if any.
"Clearly a global pandemic is an existential threat to all nations and a valid target for intelligence teams," Columbia's Healey says. "It must be priority requirements to learn more about the pace of the pandemic and if national leaders—especially but not only China, Russia, and Iran—are giving accurate statistics. But there's an argument that even normally acceptable geopolitical espionage should be highly circumscribed when going after vaccine and related data."
The CISA/FBI announcement indicates that the US government is mulling the parameters of espionage in a pandemic. At an extreme, aggressive hacking against targets developing vaccines or other lifesaving treatments could be interpreted as crossing an invisible line—and could warrant some sort of retaliation.