Jason Healey is senior research scholar at Columbia University’s School of International and Public Affairs and a former White House director of cyber infrastructure protection.
Virpratap Vikram Singh is a 2020 RSA security scholar and a master’s candidate at Columbia University’s School of International and Public Affairs.
A recent announcement [PDF] by the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) accused China of stealing COVID-related “public health data,” which they argue “jeopardizes the delivery of secure, effective, and efficient treatment options.” The FBI and CISA go on to make the somewhat flimsy claim that mere espionage “jeopardizes the delivery of secure, effective, and efficient treatment options,” thereby putting lives at risk.
The FBI and CISA seem to be hinting at a new norm, one we find unrealistic, that espionage against “vaccines, treatments, and testing” should be unacceptable during the pandemic. The global pandemic of COVID-19 has shown itself to pose a simultaneous, existential threat to all nations. It is whimsical to argue that states should not use their intelligence services to mitigate its dangers.
Instead, the U.S. government should (1) accept the inevitability of COVID-related espionage, but not for commercial gain, and (2) push for a new set of COVID-related cyber norms.
It is “honorable state espionage”—to borrow the term used by General Michael Hayden, former director of both the CIA and the National Security Agency (NSA)—for states to determine the fragility of the health-care systems and regimes of rivals, whether states are lying about their public health statistics, or whether there is a mismatch between public announcements about tests and treatments and their actual results. Imagine the poor Chinese intelligence operatives tasked with finding out “what is it with President Trump and hydroxychloroquine? Do they know something they aren’t publishing?”
It is not just China. According to the New York Times, Iranian hackers were caught trying to hack into Gilead Sciences, the maker of remdesivir, while South Korea seems to have undertaken a “broad effort to gather intelligence on virus containment and treatment.” If so, it shows “[E]ven allies are suspicious of official government accounting of cases and deaths around the world.”
The CIA and NSA will be similarly active on COVID collection and analysis priorities. What they will not be doing is stealing vaccine secrets to share with Big Pharma. This distinction should have been at the heart of the FBI-CISA release: Not “lives are at risk” but instead “China is again stealing for commercial gain and the stakes have never been higher.”
China’s president, Xi Jinping, after all, has already agreed to forgo “cyber-enabled theft of intellectual property” for “competitive advantages.” Reinforcing the norm against such theft is especially important during a pandemic when the stolen data could ensure that the first successful vaccine is from a Chinese company. China would illicitly be the primary worldwide distributor of the cure to a worldwide problem, a massive and unfair competitive advantage that would allow it to continue rewriting the geopolitical narrative surrounding the virus for substantial national-security gains.
The United States should work with allies over the coming weeks to develop a set of strong, COVID-19-specific principles. The United States and the European Union have both proposed COVID-19-related norms, and the UN Open-Ended Working Group, which aims to develop a framework for responsible state behavior in cyberspace, has also made progress in this area. These efforts need to be made more specific and more complete.
For example, U.S. Secretary of State Mike Pompeo condemned any attack which “impairs the ability of hospitals and healthcare systems to deliver critical services,” while the EU condemns even scanning and phishing against the health-care sector. These are overly broad restrictions that are certainly ignored by intelligence services of the United States and EU member states.
A more thorough list of norms should include at least the following:
- States agree that cyber incidents should not cause direct harm, such as ransomware targeting hospitals or public health authorities or denial-of-service attacks on “critical infrastructures that are essential to managing this crisis.”
- States agree that cyberattacks on hospitals, such as ransomware, should be prosecuted to the maximum extent of the law, not just as computer crimes but reckless endangerment and even manslaughter or murder.
- States agree that espionage regarding vaccine and public health data is acceptable. Such espionage should be as non-disruptive as possible so as not to interrupt the work of the medical and research teams. The fruits of such espionage, such as stolen intellectual property, cannot be used for commercial advantage.
- States agree that hospitals should be off-limits to espionage, which could affect health care.
- States agree that interruption of the availability of or, even worse, manipulation of vaccine and public health data is reckless and completely unacceptable.
- States agree that “cyber enabled information operations” [PDF] should not interfere with crisis response in times of urgent crisis.
- States should not turn a blind eye to cybercriminals or other organizations carrying out such activity from their territory.
- States “will work together on a voluntary basis to hold states accountable when they act contrary” to these obligations, including speaking out against and directly interdicting egregious behavior.
The COVID-19 pandemic is an opportunity for like-minded states to further global cyber norms, not only for the stability of cyberspace but to build a stronger post-pandemic global order.