Published by The Lawfare Institute
On May 13, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a public service announcement to raise awareness of the threat of foreign actor “theft” of COVID-19-related research. The pertinent part of this announcement said:
[C]yber actors and non-traditional collectors [affiliated with the People’s Republic of China] ... have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.
The FBI and CISA recommended that potential targets take certain actions. These included patching all systems for critical vulnerabilities while prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data; actively scanning web applications for unauthorized access, modification, or anomalous activities; improving credential requirements and requiring multi-factor authentication; and identifying and suspending access for users exhibiting unusual activity.
These are all fairly standard cybersecurity activities, and they do protect against a wide variety of cybersecurity threats. Unmentioned by U.S. government officials but of particular importance here is the possibility that a cyber intrusion intended to steal data might accidentally compromise the integrity of an important database or program, rather than just its confidentiality. If such a compromise occurred, scientists using such a database or program could easily be led to follow unpromising paths of research and waste valuable time and effort. For example, critical data could be changed without the researcher’s awareness, leading to incorrect inferences, or a program could be altered so that it generated incorrect and thus misleading output.
But I want to ask a more fundamental question: How does the potential theft of this information related to coronavirus research jeopardize the delivery of secure, effective and efficient treatment options?
The very idea of “theft” has meaning only in a competitive environment—that which I steal from you becomes available to me but unavailable to you. So, for example, if Chinese agents were engaged in the theft from American labs of a limited supply of chemical reagents needed for vaccines, this act would make them unavailable for American scientists. That would obviously hamper progress toward a vaccine.
Of course, “theft” has meaning in an intellectual property context as well, but with one fundamental difference—that which I steal from you is still available to you.
The FBI/CISA letter is grounded in concerns about U.S. retention of its own intellectual property. But that grounding is a counterproductive way to approach development of coronavirus vaccines and treatments.
Given the nature of the worldwide pandemic, all nations face a common enemy—the novel coronavirus, which causes the respiratory disease COVID-19. To my mind, this reality suggests that scientists in all nations should be cooperating and collaborating rather than competing.
What might cooperation and collaboration look like? One important element would be a decision to make all coronavirus-related data and research public and freely accessible. This decision would eliminate entirely the problem of intellectual property theft—no one steals information that is freely available. Such information would become available to the scientific community much more rapidly than if it had to be obtained by clandestine means. (The measures recommended by the FBI/CISA are still important, though, to protect against malicious parties bent on impeding progress toward vaccines or treatments.)
Why isn’t all coronavirus-related data and research public and freely accessible? The only possible answer is that, collectively, we have goals in mind other than defeating the viral threat quickly. For example, individual scientists or even nations want credit and acclaim for being first to develop an effective treatment or vaccine. Also, companies and/or nations may seek to profit from or otherwise take advantage of early successes.
As a scientist myself, I understand that the desire to be recognized as being “first” is an important element of scientific culture. But given the nature of the current pandemic crisis, maybe that desire ought to be put aside for now and sorted out after the present viral threat is put to bed.
The most important issue is that of profit. Here I mean more than simply monetary profit—I also include the power and influence a nation might have over others should it be first to develop a safe and effective remedy. If competitive desires for monetary profit and political power would increase the speed of development of such a remedy, then I would gladly indulge those desires. But there is no evidence anywhere to suggest that is the case for today’s coronavirus crisis, and no such evidence is likely to be produced. Those desires really do need to take a back seat to efforts to advance the science quickly.
I confess that I have substantial ethical qualms about an environment characterized by dog-eat-dog competition and an every-nation-for-itself mentality, but that is what today’s national leaders seem to have created for the moment—and that is the primary, and sad, message that the FBI/CISA announcement delivers for me.