Ordinarily, most people don’t pay much attention to firms like Novavax and Genexine. Now, however, the survival of millions of people depends on them. And because we live in a world of grayzone warfare, where countries can harm and weaken other countries without sending a single citizen across a single border, firms like Novavax and Genexine are becoming targets of geopolitical aggression. The firms are working on COVID vaccines, and North Korea has been conducting cyber-attacks against them.
Last month, the magazine Science reported on Novavax, a small vaccine firm in Gaithersburg that until recently had been struggling mightily. In January this year, the company employed a mere 166 people. Then COVID-19 struck, and soon Novavax became one of the seven companies chosen by the US government for its massive Operation Warp Speed vaccine-development program. For Novavax, that meant funding of up to $2 billion, Science reported.
North Korea was paying attention. This week, The Wall Street Journal reported that North Korean hackers have attacked Novavax along with US medical-products conglomerate Johnson & Johnson and the South Korean companies Genexine, Shin Poong Pharmaceutical Co, and Celltrion. North Korean hackers had previously attacked AstraZeneca, the Swedish-UK pharmaceutical giant which has already succeeded in developing a COVID vaccine.
It’s unclear what, if any, sensitive information the hackers managed to extract from their victims’ networks, but what’s clear is that North Korea has excellent hackers that it doesn’t hesitate to use, not even against firms working for the common good of global health. It’s also clear that no matter how obscure, Western companies and research institutes are now targets of hackers working for hostile states. In November, North Korean and Russian hackers were found to have attacked seven pharmaceutical companies as well as vaccine researchers in Canada, France, India, South Korea, and the United States. The Russian hacker collective involved, which is known as Fancy Bear and is thought to be linked to Russia’s military intelligence agency the GRU, is a dominant player in the field, having previously attacked the German parliament, the Democratic National Committee, and France’s TV5 Monde. In October, the UK government had imposed sanctions on Fancy Bear’s members, but so far that doesn’t seem to deter them.
In many cases, cyber attackers leave empty-handed, and it’s welcome news that today’s companies are set up to successfully defend themselves against intrusions. Unfortunately, though, the advantage is with the attacker. Because staging a cyber-attack costs relatively little in money and labor effort — and extremely little compared to a conventional military attack — and carries virtually no risk for the attacker, it’s worth attacking even when the targets are well-defended. If 99 attacks on vaccine firms and research institutes fail but one succeeds, it’s time and money well spent.
For some of the six vaccine-makers attacked by North Korea, the attention will have come as a surprise. But no matter how disconnected from national security they may consider themselves, companies all over the world are discovering that they’re in the firing line and thus unwitting participants in today’s geopolitical confrontation. In late November, China imposed tariffs on Australian wine so punitive that China — Australia’s largest wine-export market — is now effectively closed to Australian winemakers. The tariffs had nothing to do with Australian vintners and were not even an effort to correct dangerous or unethical Australian behavior, the typical motivation for international sanctions. Instead, they appear to be a Chinese retaliation against the Australian government’s call for an inquiry into COVID-19’s origins. When the UK banned Huawei from its 5G network, China warned the UK private sector would suffer consequences; when Sweden banned Huawei, China issued a similar threat.
But while liberal democracies’ openness indisputably makes them vulnerable, targeted companies are not alone. They can team up with (gulp) rivals to share incident updates, a painful but mutually beneficial step. And governments can invite them to be part of a combined shield helping to keep the country safe. That includes regular consultations and even grayzone exercises, a concept I proposed this fall which is already being implemented by a NATO member state.
To paraphrase a slogan used in a different context, the 2014 Scottish independence referendum: In grayzone defense, we’re stronger together.
This article first appeared on AEIdeas, a publication of the American Enterprise Institute.