China is using cyber means to target and compromise U.S. organizations involved in healthcare research related to countering the ongoing COVID-19 pandemic and could pose a threat to the U.S. response, the FBI and Department of Homeland Security warn in a public service announcement issued on Wednesday.
The one-page notice said the hacking is being done by China-affiliated "cyber actors and non-traditional collectors" and is aimed at obtaining "valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options."
Preserving the U.S. research edge here will have its advantages, a key DHS official said.
"Somewhat like the race to AI or the race to quantum computing, first mover on an effective COVID treatment or vaccine will have a significant advantage," Chris Krebs, the director of DHS's Cybersecurity and Infrastructure Security Agency (CISA), said on Wednesday. "I think the interests of the Chinese are not necessarily aligned against ours here so we would be doing everything we can here to protect the domestic COVID response, particularly from a network integrity and availability perspective."
Krebs spoke during a regularly scheduled meeting of the National Telecommunications Advisory Committee, which advises the federal government on the availability and reliability of telecommunications services.
The warning and recent reports of Chinese-sponsored hacking of U.S. agencies and healthcare organizations working on COVID-19 response efforts prompted Sen. Gary Peters (D-Mich.) to write President Trump on Tuesday urging him to boost cyber security efforts to protect these organizations and warn China of potential consequences.
"Finally, the United States must communicate a strong message to China's government that this behavior is unacceptable," Peters, the ranking member on the Senate Homeland Security and Governmental Affairs Committee, wrote the president. "The Administration should use public pressure and the threat of sanctions and additional indictments to deter future Chinese government attacks against research institutions. In the event China's government directly threatens the lives of Americans through actions against hospitals, other Department of Defense capabilities should be considered to make it clear that there will be consequences for these actions."
With few exceptions there has been little in the way of consequences over the years for bad behavior in cyber space.
Sen. Angus King (I-Me.) said the U.S. needs a clear deterrence strategy to prevent cyber attacks in the first place.
"We have been attacked over and over the last 10 or 15 years and our adversaries have paid very little price," King testified to the Senate panel in his opening remarks. "We need to establish a clear declaratory policy that if you attack the United States in cyber space, you will have to pay a cost. And that's really the fundamental idea of deterrence and we've got to be clear about it and we've got to have our adversaries make the calculation that attacking us is going to cost them."
King testified before the committee in his role as co-chair of the Cyberspace Solarium Commission, which earlier this year released a report that includes dozens of recommendations on strengthening the nation's cyber security posture.
In response to a question from Peters on how the commission's recommendations would help the U.S. combat the COVID-19 research-related attacks, King said that there needs to be agreement on international norms and behaviors so that any violation of these is met with a collective response on the part of nations. He also said that the U.S. needs better protective measures. Most important, he said, is having a clear deterrence strategy where bad actors know there will be consequences.
In their public service announcement, the FBI and CISA made five recommendations to organizations that may be targets of the Chinese hacking. These include updating all patches for vulnerabilities, suspending users performing unusual activities, requiring multi-factor authentication, scanning web applications for unauthorized access or anomalous activities, and assuming that if an organization has received media attention for its COVID-19 research, there will be "increased interest and cyber activity" related to that organization.