Six months ago, as professional sports were postponed indefinitely, schools were shuttering, Tom Hanks was the poster boy for COVID-19, and President Donald Trump addressed a nervous nation, people at the highest levels of the U.S. government became laser-focused on one idea: Coronavirus vaccine research needed to be defended from hacking attempts.
Soon after the World Health Organization declared a pandemic, the Pentagon’s Defense Digital Service and the National Security Agency got to work on a behind-the-scenes protection mission for “Operation Warp Speed,” the U.S. government program responsible for producing 300 million coronavirus vaccine doses by January 2021.
Known as the Security and Assurance portion of Operation Warp Speed, the mission is no small effort. Consisting of people from DDS, NSA, FBI, the Department of Homeland Security and the Department of Health and Human Services, it has been running behind the scenes for months, and is being detailed here for the first time.
The effort’s main goal is to provide cybersecurity advice, guidance, and services to pharmaceutical giants developing a vaccine or working on manufacturing and distribution, as well as government agencies participating in OWS, multiple U.S. government officials involved in the operation told CyberScoop. The companies involved are pillars of the industry: Johnson & Johnson, AstraZeneca, and Moderna are among those working on the medicine, while companies like Emergent BioSolutions, SiO2, and Corning will be responsible for dispersing that medicine to people. The companies, in addition to the government agencies working on OWS, are highly visible and vulnerable organizations.
The task is one of the most sweeping, high-profile cybersecurity supply chain issues the U.S. government has ever attempted to solve. The damage that could be wrought from a cybersecurity incident goes beyond a massive loss of intelligence or money: It could cost lives.
The pandemic has been a clarion call to supply chain security efforts for the entire federal government, according to Bill Evanina, the Director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence.
“COVID has really awoken not only the federal government, but a lot of people, with respect to supply chain,” said Evanina, who was speaking broadly about hackers targeting U.S. coronavirus response efforts at a U.S. Chamber of Commerce event in July. “Once we identify a vaccine, we have to manufacture that and distribute that. That provides a lot of vulnerabilities for adversaries to infiltrate the supply chain. We have to be able to secure that.”
The mission has been tested already, as hackers attached to foreign governments have targeted the U.S. vaccine effort. In recent months, the NSA has detected Russian intelligence hackers targeting coronavirus vaccine research in the U.S. Chinese government hackers have also been targeting American entities working on a vaccine with the intent of conducting intellectual property theft. In July, the Department of Justice also charged two men for working with Chinese intelligence agencies on efforts to compromise COVID-19 vaccine research.
And while the U.S. has altruistic goals in developing a vaccine at “warp speed” without interruption, safeguarding the research is crucial as its introduction to the world will have long-reaching foreign policy implications, according to senior officials.
“Right now, we believe there’s nothing more valuable today than the research for COVID-19 vaccines,” Evanina, Trump’s top counterintelligence official, said at the Chamber of Commerce event. “The nation who gets that is going to have a massive financial and geopolitical leverage base for the next 10 years.”
The government’s protection mission
While several different agencies are working on the initiative, the mission at hand, like the coronavirus itself, is novel. The team at the NSA involved with the project comes from the Cybersecurity Directorate, an office which was stood up less than one year ago and is primarily focused on tipping nation-state threat information to the public. The agency writ large has not historically had a health lead, the NSA’s former general counsel, Glenn Gerstell, told CyberScoop.
“The focus for the intelligence community has been on more immediate intelligence priorities, like understanding everything from terrorism threats to nuclear proliferation, to understanding an adversary’s weapons systems … in part because until recently, health issues tended to be local matters. There would be an outbreak of Ebola, in Africa, and it would be quite limited to one country, or an adjacent country,” Gerstell, who left the agency earlier this year, told CyberScoop. “I think it’s fair to say that while it’s surely on the list of things to think about that affect national security, it’s historically taken a back seat to more urgent threats to the country.”
The program’s primary concern, for now, is hackers motivated to manipulate, delete, or steal vaccine trial data, Brett Goldstein, the Director of DDS, told CyberScoop.
“If you’re part of a randomized double blind [placebo study], could a bad actor mess with that data at the pharmaceutical level? Or could the data be messed with before it gets into the U.S. government? Or in residence there?” Goldstein said in an interview. “That full spectrum is part of the mission here.”
The DOD is worried a cybersecurity incident could scrap months of U.S. scientific research or cause the U.S. government to produce a vaccine with potentially hazardous outcomes, along with the prospect that an adversary could use pilfered information to boost their own vaccine research.
The assistance the team has offered to OWS participants has included threat briefings at the classified and unclassified levels, according to Bryan Ware, the Assistant Director of Cybersecurity at the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), who is working on the Security and Assurance operation. In some cases, the Department of Defense has offered review of suspicious, targeted cyberattacks on government officials involved in OWS, a DDS official told CyberScoop.
To coordinate the government’s efforts, the DOD agencies involved host a daily meeting to monitor efforts in real-time. Additionally, DHS has assigned specific CISA personnel to address incident response and other cybersecurity concerns at some of the high-profile companies involved with the operation.
Beyond briefings and reviews of security incidents, the operation also includes scanning participating companies’ internet-connected devices, sharing notifications and technical indicators on potential nation-state threats, as well as providing assistance following security incidents.
Ware admits it’s a tall order, given the scope of companies and government agencies involved.
“This is really what CISA was designed to do … identifying the most critical infrastructure [sectors] and targeting products and services from a security perspective [for them],” Ware said. “It is more ambitious with maybe some higher stakes than some of the things that CISA has done before.”
Ware told CyberScoop that the group has notified companies about “a number” of targeting incidents the intelligence community or law enforcement is tracking. After each cybersecurity incident, DHS has been sharing technical indicators across OWS companies to boost collective defense, Ware said.
One of the companies the team has been paying particular attention is Moderna, which has a promising vaccine candidate currently in Phase 3 trials. The company has been targeted by hackers with links to Chinese intelligence, raising questions about what the U.S. government can do to fend off foreign hackers across such a broad set of vulnerable targets.
A senior administration official told CyberScoop that overall, one of the most concerning prospects is foreign government hackers conducting IP theft, “which negatively impacts U.S. healthcare companies and U.S. geopolitical positions.”
Historically, the health sector’s cybersecurity posture has lagged behind those of other industries. But the concerns cybersecurity professionals have about the health sector’s straggling security posture aren’t just about what defense mechanisms and practices are in place — it’s about how the sector tends to conceptualize threats.
The nation’s top infectious diseases expert, Anthony Fauci, has suggested in recent weeks he is not concerned about the Chinese government’s effort to target coronavirus vaccine research.
“What we do is transparent … if they want to hack into a computer and find out results of a vaccine trial … they’re going to hear about it in the New England Journal of Medicine in a few days anyway,” Fauci, the Director of the National Institutes of Health’s National Institute of Allergy and Infectious Diseases said in testimony before the House Select Subcommittee on the Coronavirus Crisis in July.
Fauci’s remarks are the wrong way to go about it, multiple current and former senior U.S. government officials and cybersecurity experts tell CyberScoop. While U.S. national security officials have long said there is a baseline of cyber-espionage actions that the U.S. can expect from foreign governments, no one should accept hackers stealing vaccine-related IP, said Gen. Keith Alexander, the former director of the NSA.
“I would not share how we developed that vaccine. I would share the results of the vaccine [trial] — and the vaccine — with the world,” Alexander told CyberScoop. “What makes our country great? It’s our economy. What are they stealing? They’re stealing the future of the economic wealth of this country … We should collectively defend across companies, and we should block others from stealing our intellectual property and push back where appropriate. I think we need to have our government weigh in here.”
Although the health sector has been making some progress on cyberdefenses, Beau Woods, a cyber safety innovation fellow at the Atlantic Council, is concerned that awareness of hacking issues in the industry has traditionally been more about privacy than about state-backed hackers tampering with data.
“There’s a wide perception among a lot of people in healthcare that cybersecurity is primarily concerned with confidentiality of data, protecting the patient data from disclosure,” Woods said. “But I’m much more concerned with the ability to tamper with those results.”
Scientists around the globe working to develop a safe and effective vaccine are already dealing with an immense amount of pressure — from rising death tolls to politicians pushing for an expeditious rollout. As the thinking at the DOD goes, U.S. scientists should not have to worry about hackers getting in the way of their science.
Alexander warned that it can be incredibly difficult to fend off motivated and well-resourced hackers without taking advantage of the U.S. government’s assistance.
“People say, ‘The company should defend itself.’ But if it’s a nation-state attacking them, who do you think wins every time? The nation-state,” Alexander told CyberScoop. “You need to bring in government to help defend them.”
Moderna, for its part, told CyberScoop that it worked in recent months with the FBI when hackers attempted coronavirus-related espionage activities. The company is maintaining “an internal team, external support services and good working relationships with outside authorities to continuously assess threats and protect our valuable information,” the company told CyberScoop.
CyberScoop reached out to more than a dozen other OWS companies involved in both developing and manufacturing an eventual COVID-19 vaccine, many of which declined to comment, did not return requests for comment, or declined to elaborate any further than saying cybersecurity was a “priority.”
The post-vaccine mission
Officials involved in the OWS cybersecurity protection mission acknowledged their work won’t end in January.
A senior Trump administration official told CyberScoop the Pentagon is concerned about possible efforts that could erode the public’s confidence in an eventual vaccine once the U.S. has one to offer. A defense official said the Pentagon is concerned about “any activity, or the perception of any activity, that would erode the trust of the U.S. population in the viability of the final vaccines.”
Actors in China and Russia have already made pains to spread misinformation and disinformation about the coronavirus in recent months.
Moving forward, Alexander told CyberScoop he thinks foreign government hackers may be less inclined to conduct hacking operations aimed at causing physical disruption to the vaccine manufacturing process, as the geopolitical blowback might be larger than if they were to just tamper with data.
And while the threats the U.S. faces right now don’t appear targeted at disrupting vaccine production, foreign government hackers may flip their focus in the months ahead, Ware told CyberScoop.
“Getting to a global supply of vaccine takes a long period of time and in different phases there will be different risks that will are more or less important. Right now the activity we’re seeing is espionage, but much later, it could be disruptions and delays to production and manufacturing,” Ware said. “Because OWS has us moving at a very, very fast pace, we’re not just interested in trying to reduce the risks that we’re seeing today, we’re trying to reduce the risks that we’re going to see next year.”