The Cyber Side of Vaccine Nationalism

In the COVID-19 pandemic, vaccine nationalism has become an important and controversial phenomenon. Rather than cooperate through global mechanisms to develop, manufacture, and distribute a vaccine against the coronavirus, countries with the means to do so have prioritized national access to a vaccine. Despite warnings about its adverse consequences for global health and international cooperation, vaccine nationalism is not abating. The political momentum of vaccine nationalism can be found in not only the pharmaceutical realm but also cyberspace.

A New York Times story from September 5 detailed how the race to develop a coronavirus vaccine has produced a proliferation of cyber espionage targeting vaccine research and development. According to the article, the pandemic triggered a shift “for the world’s intelligence agencies, pitting them against each other in a new grand game of spy versus spy” such that “every major spy service around the globe is trying to find out what everyone else is up to.”

This aspect of vaccine nationalism raises issues for cybersecurity and global health. The scale and intensity of cyber espionage against vaccine R&D connect with concerns about cyber activities conducted against health services and facilities. During the pandemic, international lawyers have issued statements on international law applicable to cyber operations targeting the health-care sector (May 21) and vaccine research (August 7). The statement on vaccine research asserted that “COVID-19 vaccine research, manufacture, and distribution are . . . essential medical services and part of States’ critical infrastructure that must be protected by international law” and that “harmful cyber activity may undermine States’ and global efforts to contain and recover from the COVID-19 pandemic.”

Neither statement explicitly addresses cyber espionage. According to the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, international law does not prohibit espionage, including espionage conducted through cyber means. Nonetheless, as the statement on vaccine research noted, cyber operations, including espionage, would violate international law if they cause “significant adverse or harmful consequences” for vaccine research, testing, manufacture, and distribution, including damage to research data or imposition of “significant costs on the targeted facilities in the form of repair, shutdown, or related preventive activities.”

The ubiquity of cyber espionage targeting coronavirus vaccine R&D highlights international law’s permissiveness on espionage and the difficulties this legal environment creates for defending against or deterring cyber espionage, even spying against potentially lifesaving endeavors needed to counteract a killer pandemic. In addition, despite their frequency and intrusiveness, cyber espionage activities undertaken by many countries that target vaccine research have not, apparently, caused the type of significant adverse consequences that would trigger a violation of international law.

In global health, the cyber espionage frenzy associated with vaccine R&D is unprecedented and disconcerting. This aspect of vaccine nationalism underscores the extent to which geopolitics now influences global health. The New York Times article also reported that, according to U.S. officials, China exploited “information from the World Health Organization to guide its vaccine hacking attempts” against U.S. and European targets—an assessment that contributed to the U.S. government’s hard line against, and eventual decision to withdraw from, the organization. Here, the move to separate U.S. global health interests from Chinese influence and cyber espionage aligns with U.S. efforts under the Clean Network program to safeguard the U.S. government, companies, and citizens in the digital realm “from aggressive intrusions by malign actors, such as the Chinese Communist Party.”

This alignment hints at a larger development, namely that geopolitical calculations for many countries have superseded policy tropes about cyberspace and global health as borderless realms requiring global solutions, norms, and governance. My CFR colleague Thomas J. Bollyky and Chad P. Brown captured this change by indicating that states are “paging Dr. Hobbes” in efforts to secure national vaccine supplies at the expense of a global approach. The same insight applies to cyber espionage directed at vaccine R&D because the good doctor also observed that sovereign states continually spy on one another.

Cyber espionage’s role in vaccine nationalism does not end with the exfiltration of information about foreign vaccine R&D. According to the same article in the New York Times, U.S. officials also worry that adversaries, such as Russia, will manipulate controversies about vaccine espionage in online disinformation campaigns in “a more aggressive effort to escalate the anti-vaccine movement in the West.” Put differently, cyber espionage might enhance a state’s access to a vaccine, and disinformation could undermine an adversary’s vaccination efforts. As the COVID-19 “infodemic” demonstrates, disinformation can disrupt health responses, polarize domestic politics, and increase demands for heightened regulation of cyberspace. Even so, like cyber espionage, international law does not generally prohibit disinformation operations.

Vaccine nationalism, including its cyber manifestations, was not inevitable with COVID-19. However, the phenomenon is now widespread and persistent, reflecting how great power competition is transforming transnational issues such as global health and cyberspace policy. In this contested world, it is getting increasingly difficult to know who to page for a second opinion.