We’re not doing enough to protect COVID-19 vaccine research from cyber espionage

What will soon be the most valuable asset in the world?

A vaccine for COVID-19.

The glory of the prize—in lives saved, reputations made, and profits earned—is incalculable. The hunt for a cure has unleashed an epic arms’ race among world powers, multinational corporations, and universities. And as with any arms’ race, not everyone is playing by the rules.

On July 16, the U.K.’s National Cyber Security Centre and the U.S. National Security Agency issued a joint statement accusing a Russian hacking group, dubbed “Cozy Bear,” of attempting to steal biomedical research from British scientists. The U.K. Foreign Secretary, Dominic Raab, thundered: “it is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.” British scientists are not a random target as Oxford University, in partnership with AstraZeneca, has already garnered advance orders for two billion doses of its ChAdOx1 vaccine.

Less than a week later, the U.S. Department of Justice indicted two Chinese nationals allegedly affiliated with the Ministry of State Security for hacking medical research facilities in the United States, including the biotech company Moderna in Massachusetts. Moderna, which has partnered with the National Institutes of Health to develop a vaccine known as mRNA-1273, now in Phase 3 clinical trials, is considered a leading candidate in the race for a vaccine.

The goal of state and non-state actors can extend beyond stealing biomedical research. It can also be to sideline or delay adversaries. Hackers, for example, have the capacity to disrupt research efforts by, say, digitally manipulating data to make promising clinical trials appear to be failing.

This is not a theoretical risk. In 2017, the not-Petya ransomware cyberattack crippled Merck’s ability to produce both Hepatitis B and Gardasil vaccines for over a year. Indeed, it took Merck well into 2018 to fully restore its research, manufacturing, and distribution operations.

The progress of the scientific community in pursuit of a COVID-19 vaccine has been nothing short of heroic. Working day and night, government and industry researchers have accomplished in five months what in the past has taken five years or longer.

This extraordinary work must be protected at all costs. To do so, government, industry, and academia must come together in an unprecedented partnership.

First, laboratories should be “air-gapped” so that their critical research work is segregated from the rest of their IT networks. Advanced medical research relies on data science, automation, robotics, and other “smart” or “connected” devices—but the reality is that any connection to outside networks creates vulnerability. The goal is to create a protective gap between critical research and the rest of an organization’s functions. In addition, to mitigate the “insider” threat, many labs are mandating a two or three person rule so that no single individual is permitted access to secure research areas—called a “No-Lone Zone.”

Second, all companies on the frontlines of vaccine research and development need to invest like never before in patching known software vulnerabilities. Every CIO, CTO and CISO knows that this can feel like a Sisyphean task at times, but it is a potential Achilles’ heel of any organization. Hackers have exploited these vulnerabilities in software code to gain access to systems and credentials. Any critical vulnerabilities that are internet facing should be swiftly remediated. This is the hard, tedious work of cyber defense that pays dividends.

Third, this effort must bridge the information gap between the public and private sectors. This starts with clear and reciprocal lines of communication. The U.S. and U.K. governments recently issued a joint advisory with the tactics, techniques, and procedures (TTPs) currently being used to attack laboratories, including the “WellMess” and “WellMail” forms of malware. Pharmaceutical, biotech, and academic research facilities should utilize these TTPs to identify and root out threats. And there needs to be a feedback loop from industry back to the government.

Fourth, the urgency of this moment requires a whole-of-nation approach. Who wins this race will have enormous human, economic, and geopolitical consequences. So every instrument of power and insight should be deployed. Within the federal government, the Department of Defense and the NSA should help detect sophisticated threats, particularly by any nation state, that can penetrate perimeter security defenses. In addition, the biggest tech firms should be making their best security experts available, around the clock, to help the limited number of labs that have a credible chance of producing a viable vaccine. These labs, which were constructed with open networks to foster collaboration, were never designed with cybersecurity as the top priority.

Our scientists are embarked on a mission tantamount to sending a man to the moon. These brilliant researchers are fighting day in and day out to achieve a lifesaving breakthrough to protect us from a global pandemic. We need to protect them with everything we’ve got.

Peter J. Beshar is general counsel of Marsh & McLennan, the world’s largest risk adviser, and has testified multiple times before Congress on cybersecurity.  

Dr. Judith Salerno is the President of the New York Academy of Medicine and a national leader on public health.