China Is Hacking Coronavirus Research and Federal Agencies Can't Stop Them

China is stepping up efforts to hack the critical coronavirus research conducted by American universities and laboratories in the private sector because the information is not classified and federal authorities can't do anything to protect it, national security experts and legislators told Newsweek.

As a result, China is actively "trying to exploit" the gap between federally protected information and what's produced in the public realm, retired FBI Assistant Special Agent in Charge of Intelligence and Counterintelligence Scott Olson told Newsweek.

"The Chinese want to be in these centers of development and innovation because if something new is created and it's not covered by a classification or other restriction law, they can take it and remove it from the U.S.," Olson, who now leads his own consulting firm, told Newsweek. "The bottom line is federal agencies in the executive branch can only act if authorized by statute."

Although the information developed by research institutions is valuable and sensitive, it is not subject to the same requirements for protection that classified and national security information is. Weapons systems schematics and other military-related information are obvious secrets the state would want to protect because of the harm they could inflict.

But a vaccine could be argued to carry the same weight, given the lives, economies and even world power at stake, as the world has seen play out with the coronavirus and the rising tensions between Washington and Beijing.

That leaves these universities, pharmaceutical companies and even giants like Google vulnerable to hacking by China.

"When you talk about universities and private companies, these are not government agencies, so you can obviously provide defensive briefings and make the industry aware of the threat," Senator Marco Rubio, chairman of the Senate Intelligence Committee, told Newsweek.

Ultimately, he argued, "you're asking a university or even sometimes a business to stand up against a nation-state."

An artist's illustration displays China's national flag with binary code. BirgitKorber/iStock/Getty Images

Hacking attempts are not new. China has been working to access U.S. information for years. Adam Meyers, senior vice president of intelligence at cybersecurity technology company CrowdStrike, told Newsweek his firm "observes cyber activity from China-based threat actors frequently." Cybersecurity experts find various technical clues in each hacking attempt, including IP addresses, domains and infrastructure elements, but intent also plays a role. "Motivation is a large factor" in tracing certain intrusions back to China, he explained.

In the latest incident, China appears to have tried to leverage coronavirus research as it jockeys with the United States over leadership in controlling the global pandemic. The FBI and Cybersecurity and Infrastructure Security Agency last week issued a joint statement warning that China-linked hackers were targeting data related to COVID-19 research, including vaccines, treatments and testing from networks across the nation.

The "potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options," the notice warned.

One top site involved in the race to find a formula to help alleviate the world from a disease that has already infected more than 5 million people and killed 330,000—with the United States bearing the brunt so far—is Harvard University's Center for Virology and Vaccine Research. The university itself was just recently at the center of an international scandal involving China and allegations of intellectual property theft.

In January, when reports of the pathogen spreading across the central Chinese city of Wuhan and beyond first began to grab international attention, the chairman of Harvard University's Chemistry and Chemical Biology Department, Charles Lieber, was arrested for allegedly failing to disclose his relationship with the Wuhan Institute of Technology and China's Thousand Talents program, a project geared toward recruiting overseas expertise.

The Justice Department said in a press release at the time that the Thousand Talents program was also designed to "reward individuals for stealing proprietary information."

Harvard University declined Newsweek's request for comment.

Beijing's embassy in Washington did not respond to Newsweek's request for comment and instead referred to Chinese Foreign Ministry spokesperson Zhao Lijian's dismissal of the FBI and CISA's report. He told reporters last week that "China deplores and opposes such slanderous actions" and urged the U.S. to instead focus on finding ways the two countries could work together to combat the new coronavirus.

Some lawmakers are now calling for heightened protections for academic institutions and more punitive measures against Beijing.

"I think the overall misbehavior of China needs to be addressed and, clearly, whatever we're doing to push back is not working," South Carolina Senator Lindsey Graham, chair of the Senate Judiciary Committee, told Newsweek. "People tend to stop doing things when it gets to be painful. So we need to make it more painful."

Establishments such as universities are not entirely helpless, and can secure access to their research on their own. Those measures, however, aren't always enough.

"University IT infrastructure has limited resources and different priorities when it comes to implementing a robust information security program," one former National Security Agency official told Newsweek. "Unless mandated by funding requirements or contractual obligations, they operate just like any other businesses where revenue-generating operations and services are what drives priorities."

"Unfortunately, this comes at a price as they are easy targets, ranging from insider threats that include students, faculty, and staff, to weak vulnerability management and incident response programs," the former official added. "This has led to the loss of intellectual property, research data, and personal records."

The loss is sizable. Most research in the U.S. is conducted in the private sector as well as in universities, and Chinese cyber espionage has cost the country between $20 billion and $30 billion, the Center for Strategic and International Studies estimated in 2018.

Even with the risk of unauthorized information-sharing, analysts say there is a delicate balance between securing information and making it accessible for the public good.

Many universities, for example, value their independence from the federal agencies that oversee classification measures, because it allows for a separation that fuels U.S. enterprise and knowledge. Christopher Li, a researcher at Harvard's Belfer Center for Science and International Affairs, said the openness of American universities also bolsters the country's innovation.

But this strength also presents a major weakness, he argued.

"As numerous U.S. government agencies have publicly stated, the People's Republic of China is one of the world's most sophisticated cyber actors—and has employed cyber tools as well as non-traditional methods to acquire U.S. technology through theft and coercion," Li told Newsweek.

"To be sure, all nations engage in espionage—but the U.S. and many of our allies draw a distinction between espionage for military and national security purposes and the theft of commercial intellectual property from the private sector or academic institutions for the economic benefit of a country's domestic industries," he added. "Illicit behavior by the Chinese government, however, suggests that it does not."

Li, however, also extolled the spirit of international cooperation among the academic community and with scholars from China who continue to pioneer in the sciences. And while Senator Roy Blunt of Missouri, chair of the Senate Rules Committee, described China's attempts at intellectual property theft at private entities as a "real problem" that warrants a greater level of security and awareness for such facilities, he said that the onus is on the host country to shield its most valued assets.

"It's considered that if you can't protect what you have, you don't deserve to have it," Blunt told Newsweek.