Oh, for the bad old bricks and mortar days, when distinguishing between old-fashioned espionage and destructive acts of war was a relatively simple matter. In today’s digital world, making such distinctions has become agonizingly difficult, despite being critically important. The recent headlines reporting that the Russians have mounted “malicious attacks” on coronavirus-related organizations illustrate the new definitional problems that we face.
The story broke this week, when the British government issued a statement backed by U.S. and Canadian officials claiming that a group of hackers thought to be directed by Russian intelligence has targeted Western organizations involved in COVID-19 vaccine research and development. The British Foreign and Commonwealth Office said that it was “highly likely that the group was trying to collect information on vaccine development or research on the virus itself.” British Foreign Secretary Dominic Raab called the intrusions “completely unacceptable.” The director of operations at the UK’s National Cyber Security Centre stated, “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic.”
These statements beg some important questions. Does using cyber espionage “to answer intelligence questions about the pandemic,” as the British report phrased it, constitute malicious and despicable behavior? If so, it would be surprising indeed if Western cyber spies were not guilty of much the same thing in China and other countries dealing with the novel coronavirus. Few would dispute that understanding the origins and course of COVID-19, as well as gauging the efforts of foreign organizations to deal with its spread and develop treatments, is a critical intelligence mission.
If espionage alone is not enough to constitute malice, does one cross that line when the goal of cyber intrusions is to steal intellectual property and gain an unfair advantage in the race to create a vaccine? Such competitive chicanery is certainly objectionable on ethical and legal grounds, and we should undoubtedly make every effort to defend against it. But it would not be unusual in the rough-and-tumble intersection between the worlds of business and international relations. Both the U.S. and Soviet governments spied extensively on each other’s space programs in their efforts to win the race to the moon in the 1960s. That Russia, China, and others might seek an illegitimate edge in the scramble to develop a vaccine today is hardly a man-bites-dog story, particularly when international cooperation to fight the disease has been lackluster.
Or do such intrusions only become truly despicable when their goal is to impede or disrupt important research, frustrating Western efforts to prevent and treat COVID-19? Such an intention would, in fact, be more than despicable. It would constitute a genuine security threat to citizens of the target countries, if not to the entire world. The British report implies such destructive intent by employing such phrases as “attacks against those doing vital work,” but it offers no evidentiary basis for distinguishing between intelligence gathering, IP theft, and malicious sabotage.
The problem lies not so much in the shortcomings of the British report as it does in the nature of modern cyber technology itself. For those on the receiving end of digital intrusions, it can be difficult to distinguish between operations meant to grab sensitive information and those intended to prepare for cyber sabotage. Once inside a computer system, hackers can root through its entire network and gather enormous quantities of valuable data. They can also corrupt or destroy that data, or even disrupt a system’s functions. A cyber operation’s ultimate objectives are often not apparent for weeks, months, or even years after detection, and they may not even be clear to the hackers themselves when the intrusions are first launched.
As the alleged Russian targeting of COVID-19-related organizations suggests, cyber technology is also changing the targets of intelligence operations. In the Cold War, the United States and Soviet Union focused collection efforts on national security entities, a restricted world of senior political leaders, militaries, intelligence organizations, defense industry, weapons systems, and high-technology laboratories. The Venn diagrams marking the worlds of espionage and civilian society overlapped minimally. But in cyber espionage, there is increasingly little distinction between national security targets and civilian targets. Many technological advances depend on local start-ups and private or university-based accelerators, making these entities attractive targets for intelligence collection. Keeping pace with these advancements inevitably requires cyber spies to tread on what was once considered civilian territory.
All this renders judgments on Russian intentions toward the COVID-19 research – and corresponding decisions about how we should respond – exceedingly difficult. One thing should be clear amidst the uncertainty, however: there is little chance that Moscow and Beijing will play by our preferred rules in this new era of great power competition if we refuse to engage with them over what the rules of the game should be.
George Beebe is the Vice President and Director of Studies at the Center for the National Interest, former head of Russia analysis at the Central Intelligence Agency, and author of The Russia Trap: How Our Shadow War with Russia Could Spiral into Nuclear Catastrophe.