Some foreign firms could use skyrocketing global demand for commercial COVID-19 tests as an opportunity to collect genetic data on unsuspecting patients, say U.S. officials. Chinese gene-sequencing giant BGI, a leading manufacturer of coronavirus tests, is a particular concern, Axios' Bethany Allen-Ebrahimian and I report.

Why it matters: Widespread coronavirus testing is fueling concerns about the use of massive DNA databases for broad research as well as genetics-based surveillance, particularly by China.

The big picture: Frequent, accessible testing will be key to containing the pandemic, say experts. But this intense global demand may also provide an opportunity for state-connected companies to compile biometric data, such as DNA samples, from individuals all over the globe, unless appropriate safeguards are in place.

• U.S. officials are particularly focused on BGI (formerly the Beijing Genomics Institute), a leading Chinese gene sequencing and biomedical firm, which has distributed more than 10 million COVID-19 tests to over 80 countries worldwide. BGI’s tests were approved by the FDA for use within the United States.

Driving the news: China “has a well-documented history of acquiring and exploiting vast troves of personally identifiable information, including health-related data, on individuals across the globe through illegal, quasi-legal and legal means,” said William Evanina, who, as director of the National Counterintelligence and Security Center, is the U.S.’ top counterintelligence official.

• “We justifiably have concerns about Chinese firms subject to Chinese government information-sharing mandates being in a position to collect additional personal data on populations around the globe,” said Evanina.
• Axios has found that BGI has engaged in gene-sequencing in Xinjiang, a region where authorities are building up genetics-based surveillance capabilities targeting ethnic minorities.

Of note: A recent NCSC bulletin warning test providers on potential risks was not designed to discourage individuals from seeking testing. “It’s about protecting patient data,” said Dean Boyd, chief communications executive at NCSC.

The intrigue: There’s a fundamental reason to take the threat of cooperation and coordination between Chinese firms and the Chinese government seriously: China’s laws mandate it.

• A 2015 national security law obligates that individuals and companies provide “support and assistance” to the government in “safeguarding national security.”
• A 2017 law goes even further, requiring private sector cooperation with China’s intelligence services.

These concerns are particularly salient when it comes to companies that collect and monetize genetic information — and especially if they apply that research to forensics, the use of DNA evidence for law enforcement purposes.

Context: The Chinese government, and the private Chinese companies that often work hand in glove with government ministries, have already pushed human genetics research beyond what many consider to be acceptable ethical boundaries.

• In Xinjiang, where Chinese authorities have constructed a high-tech security state aimed at controlling Muslim ethnic minorities, authorities have collected DNA samples from wide swaths of the minority population under circumstances where informed consent was likely impossible.
• Scientists affiliated with the Chinese public security bureau have sought to use DNA from China’s Muslim minorities to create facial reconstructions that could possibly be used for facial recognition surveillance.
• Chinese scientists affiliated with public security bureaus frequently publish genetics research targeting Chinese minorities, one study by the scientific journal Nature found.

What they’re saying: “BGI Group takes all issues of data protection, privacy and ethics extremely seriously,” a BGI spokesperson told Axios in a statement.

• “With all of the COVID-19 laboratory solutions we provide worldwide, including tests, BGI has no access to patient data. BGI only supplies the products and know-how, but does not receive, process or manage patient data.”
• “BGI is an independent company owned by shareholders and employees. It is not owned or controlled by the government,” the spokesperson added.

But BGI does have significant and long-standing ties to the Chinese government.

• The firm was founded with government support in 1999.
• It runs China’s national gene bank, a massive, government-owned facility.
• It received a $1.5 billion loan in 2010 from a Chinese state development bank.
• Its researchers have collaborated with a Chinese military academy; in one case, an academic maintained formal ties with both institutions simultaneously.
• BGI or its subsidiaries have contributed to efforts to document the genetic material of ethnic minorities in China, including the forensic applications of such sequencing.

The U.S. government has placed export bans on several Chinese companies deemed complicit in human rights abuses in Xinjiang, including surveillance tech manufacturers Hikvision and Dahua.

• BGI has not been placed on the U.S. export blacklist.

In a letter released last month, an ideologically diverse group of senators and congressmen, led by Sen. Ron Wyden (D-Ore.), wrote to the Senate’s sergeant at arms and the House’s chief administrative officer requesting that all calls on unclassified lines between the House and Senate be encrypted, in order to prevent foreign spying.

• According to the letter, first reported by The Verge, calls within the Senate were not encrypted until August 2018, making them “vulnerable to interception by any hacker or foreign government that gained access to the Senate’s internal network.” Only some phones used by the House offer encryption. And calls between the two legislative chambers are still unencrypted.
• The lawmakers cite the Pentagon’s recent work to encrypt its unclassified networks as an example of the government’s realization of the need to protect sensitive communications from foreign espionage.
• This is a fix that Congress can make on its own through tech upgrades and coordination between the House and Senate.

The fears motivating this request are legitimate.

• As I’ve previously reported, for years, U.S. counterintelligence officials were vexed by what they believed was a long-running effort by Russian intelligence officers on U.S. soil to map out, and potentially compromise, the country’s fiber-optic cable network, particularly the points where data transfers occur.
• On at least one occasion, a former official previously told me, U.S. intelligence officials observed a suspected Russian spy actually break into a data closet to tap into a network.

These suspected Russian spies would often engage in what appeared to FBI officials as bizarre behavior — like getting out of their car at a rest stop, circling a tree a few times, and driving away.

• The anomalous sojourns, officials realized, were often near U.S. military bases.
• In the end, U.S. spy hunters concluded that the Russian spooks may have wanted to tap the communications of these military bases — or to exhaustively map them in order to have agents disrupt them in case of a war between the U.S. and Russia.

The bottom line: Even communications that aren’t classified can be sensitive and have intelligence value. As the prior Russian effort shows, spy services have devoted immense time and energy to mapping out nonclassified communications channels.

Cyber operators reporting to the GRU, Russia’s military intelligence agency, have been exploiting a vulnerability in widely used email software “since at least last August,” according to a rare public warning by the NSA.

What's happening: The GRU’s Main Center for Special Technology, commonly labeled by the industry as Sandworm, is conducting this campaign, said the NSA. This group is known for its aggressive and boundary-pushing cyber activities.

• The unit is responsible for the highly destructive 2017 NotPetya cyberattack that began in Ukraine — paralyzing Ukrainian energy, banking, transportation and telecommunications companies — before spreading globally. The same unit authored a major disruptive cyber action in the nation of Georgia in 2019.
• Called Unit 74455 within the GRU, this group also coordinated in 2016 with the GRU hacking unit commonly known as Fancy Bear, which was responsible for the 2016 DNC and Democratic Congressional Campaign Committee compromises. According to a 2018 DOJ indictment, Unit 74455 was a key player in Russia’s post-hacking 2016 dissemination and disinformation campaign.
• This unit was also responsible for a December 2015 cyberattack in Ukraine that shut off power for 230,000 people, among other incidents like NotPetya, says the United Kingdom’s National Cyber Security Centre.

Sandworm isn’t the stealthiest Russian hacking actor, a former U.S. intelligence official said.

• For instance, Turla, another unit of Russian cyber operators, recently carried out an espionage campaign by secretly hijacking the infrastructure of an Iranian hacker group and spied while masquerading as Iranians.
• But Unit 74455's tenacity, belligerence and reach make it a serious concern.

The bottom line: A rare public announcement by the NSA of a vulnerability being exploited by a major foreign hacking group is news in itself. But the fact that this unit, Sandworm, has shown itself willing to orchestrate campaigns with serious real-world effects means the warning should raise eyebrows.

• Sandworm’s exploitation of this particular vulnerability may simply be aimed at old-fashioned cyber espionage. But 2020 is an election year, and as we know, purloined emails, subsequently released to the public, can roil a country’s political scene.

On Tuesday, the Cyberspace Solarium Commission, a bipartisan body that issued a voluminous report in March, released an annex focused on the challenges of the coronavirus era.

• “The COVID-19 pandemic has put U.S. crisis leadership, preparedness, response, and recovery to the test,” says the report. “A sufficiently large cyberattack could mirror the virus’s effects — widespread disruption of our government, economy, and daily life, with the added challenge that a cyber adversary can watch, learn from, and rapidly adjust to our response.”

Some of the commission’s prior recommendations have taken on new urgency due to COVID-19, says the report, including:

• Strengthening cybersecurity for remote work.
• Ensuring that critical government services can be accessed digitally.
• Enhancing mechanisms to combat online fraud and cyber crime.

The COVID-19 crisis is like a major cyberattack in some way, says the report.

• Both are “complex” emergencies, necessitating “a balance between agility and institutional resilience across each sector of the economy.” For a disruptive cyber event, the report underlines the need for greater national-level coordination and planning efforts, as well as advance planning for remediation and recovery efforts.

• Zoom said it will offer full encryption on its popular videoconferencing service only to paying customers because it wants to cooperate with law enforcement when free users pursue "bad purposes." (The Next Web)
• After a breach announcement, only one-third of affected users typically change their passwords, a Carnegie Mellon study finds. (ZDNet)

• Former Deputy AG Rod Rosenstein is advising the NSO Group, an Israeli company that has provided spyware to authoritarian regimes used to surveil dissidents and journalists. Rosenstein is testifying today before a Senate committee about the Flynn investigation. (CyberScoop, Axios)
• Facebook employees revolt over Mark Zuckerberg’s laissez-faire approach to handling incitements of violence on his platform, including those by the president. (Axios)
• A dive into the U.S. cyber budget shows a military-heavy approach. (Lawfare)
• Congress’ renewal of lapsed FISA provisions, and larger reform of the law governing domestic spying on foreign operations, collapsed after President Trump signaled a veto threat, and liberal Democrats also balked. (Wall Street Journal)