ANALYSIS: We’re not doing enough to protect COVID-19 vaccine research from cyber espionage

The glory of the prize—in lives saved, reputations made, and profits earned—is incalculable. The hunt for a cure has unleashed an epic arms race among world powers, multinational corporations, and universities. And as with any arms race, not everyone is playing by the rules.

On July 16, the U.K.’s National Cyber Security Centre and the U.S. National Security Agency issued a joint statement accusing a Russian hacking group, dubbed “Cozy Bear,” of attempting to steal biomedical research from British scientists. The U.K. Foreign Secretary, Dominic Raab, thundered: “it is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.” British scientists are not a random target, as Oxford University, in partnership with AstraZeneca, has already garnered advance orders for two billion doses of its ChAdOx1 vaccine.

Less than a week later, the U.S. Department of Justice indicted two Chinese nationals allegedly affiliated with the Ministry of State Security for hacking medical research facilities in the United States, including the biotech company Moderna in Massachusetts. Moderna, which has partnered with the National Institutes of Health to develop a vaccine known as mRNA-1273, now in Phase 3 clinical trials, is considered a leading candidate in the race for a vaccine.

The goal of state and non-state actors can extend beyond stealing biomedical research. It can also be to sideline or delay adversaries. Hackers, for example, have the capacity to disrupt research efforts by, say, digitally manipulating data to make promising clinical trials appear to be failing.

This is not a theoretical risk. In 2017, the NotPetya ransomware cyberattack crippled Merck’s ability to produce both Hepatitis B and Gardasil vaccines for over a year. Indeed, it took Merck well into 2018 to fully restore its research, manufacturing, and distribution operations.

The progress of the scientific community in pursuit of a COVID-19 vaccine has been nothing short of heroic. Working day and night, government and industry researchers have accomplished in five months what in the past has taken five years or longer.

This extraordinary work must be protected at all costs. To do so, government, industry, and academia must come together in an unprecedented partnership.

First, laboratories should be “air-gapped” so that their critical research work is segregated from the rest of their IT networks. Advanced medical research relies on data science, automation, robotics, and other “smart” or “connected” devices—but the reality is that any connection to outside networks creates vulnerability. The goal is to create a protective gap between critical research and the rest of an organization’s functions. In addition, to mitigate the “insider” threat, many labs are mandating a two- or three-person rule so that no single individual is permitted access to secure research areas—called a “No-Lone Zone.”

Second, all companies on the frontlines of vaccine research and development need to invest like never before in patching known software vulnerabilities.....
