Jun 3, 2020

Axios Codebook

Thanks so much for your kind feedback last week on the first edition of the new Codebook.

  • Please remember you can always send tips, suggestions or more feedback by replying to this email or straight to zach.dorfman@axios.com.

Today's newsletter is 1,650 words, a 6-minute read.

1 big thing: China may be stockpiling the world’s virus test data

Illustration: Annelise Capossela/Axios

Some foreign firms could use skyrocketing global demand for commercial COVID-19 tests as an opportunity to collect genetic data on unsuspecting patients, say U.S. officials. Chinese gene-sequencing giant BGI, a leading manufacturer of coronavirus tests, is a particular concern, Axios' Bethany Allen-Ebrahimian and I report.

Why it matters: Widespread coronavirus testing is fueling concerns about the use of massive DNA databases for broad research as well as genetics-based surveillance, particularly by China.

The big picture: Frequent, accessible testing will be key to containing the pandemic, say experts. But this intense global demand may also provide an opportunity for state-connected companies to compile biometric data, such as DNA samples, from individuals all over the globe, unless appropriate safeguards are in place.

  • U.S. officials are particularly focused on BGI (formerly the Beijing Genomics Institute), a leading Chinese gene sequencing and biomedical firm, which has distributed more than 10 million COVID-19 tests to over 80 countries worldwide. BGI’s tests were approved by the FDA for use within the United States.

Driving the news: China “has a well-documented history of acquiring and exploiting vast troves of personally identifiable information, including health-related data, on individuals across the globe through illegal, quasi-legal and legal means,” said William Evanina, who, as director of the National Counterintelligence and Security Center, is the U.S.’ top counterintelligence official.

  • “We justifiably have concerns about Chinese firms subject to Chinese government information-sharing mandates being in a position to collect additional personal data on populations around the globe,” said Evanina.
  • Axios has found that BGI has engaged in gene-sequencing in Xinjiang, a region where authorities are building up genetics-based surveillance capabilities targeting ethnic minorities.

Of note: A recent NCSC bulletin warning test providers on potential risks was not designed to discourage individuals from seeking testing. “It’s about protecting patient data,” said Dean Boyd, chief communications executive at NCSC.

The intrigue: There’s a fundamental reason to take the threat of cooperation and coordination between Chinese firms and the Chinese government seriously: China’s laws mandate it.

  • A 2015 national security law obligates individuals and companies to provide “support and assistance” to the government in “safeguarding national security.”
  • A 2017 law goes even further, requiring private sector cooperation with China’s intelligence services.

These concerns are particularly salient when it comes to companies that collect and monetize genetic information — and especially if they apply that research to forensics, the use of DNA evidence for law enforcement purposes.

Context: The Chinese government, and the private Chinese companies that often work hand in glove with government ministries, have already pushed human genetics research beyond what many consider to be acceptable ethical boundaries.

  • In Xinjiang, where Chinese authorities have constructed a high-tech security state aimed at controlling Muslim ethnic minorities, authorities have collected DNA samples from wide swaths of the minority population under circumstances where informed consent was likely impossible.
  • Scientists affiliated with the Chinese public security bureau have sought to use DNA from China’s Muslim minorities to create facial reconstructions that could possibly be used for facial recognition surveillance.
  • Chinese scientists affiliated with public security bureaus frequently publish genetics research targeting Chinese minorities, one study by the scientific journal Nature found.

What they’re saying: “BGI Group takes all issues of data protection, privacy and ethics extremely seriously,” a BGI spokesperson told Axios in a statement.

  • “With all of the COVID-19 laboratory solutions we provide worldwide, including tests, BGI has no access to patient data. BGI only supplies the products and know-how, but does not receive, process or manage patient data.”
  • “BGI is an independent company owned by shareholders and employees. It is not owned or controlled by the government,” the spokesperson added.

But BGI does have significant and long-standing ties to the Chinese government.

The U.S. government has placed export bans on several Chinese companies deemed complicit in human rights abuses in Xinjiang, including surveillance tech manufacturers Hikvision and Dahua.

  • BGI has not been placed on the U.S. export blacklist.

2. Lawmakers want to encrypt Congress' network

Illustration: Rebecca Zisser/Axios

In a letter released last month, an ideologically diverse group of senators and congressmen, led by Sen. Ron Wyden (D-Ore.), wrote to the Senate’s sergeant at arms and the House’s chief administrative officer requesting that all calls on unclassified lines between the House and Senate be encrypted, in order to prevent foreign spying.

  • According to the letter, first reported by The Verge, calls within the Senate were not encrypted until August 2018, making them “vulnerable to interception by any hacker or foreign government that gained access to the Senate’s internal network.” Only some phones used by the House offer encryption. And calls between the two legislative chambers are still unencrypted.
  • The lawmakers cite the Pentagon’s recent work to encrypt its unclassified networks as an example of the government’s realization of the need to protect sensitive communications from foreign espionage.
  • This is a fix that Congress can make on its own through tech upgrades and coordination between the House and Senate.

The fears motivating this request are legitimate.

  • As I’ve previously reported, for years, U.S. counterintelligence officials were vexed by what they believed was a long-running effort by Russian intelligence officers on U.S. soil to map out, and potentially compromise, the country’s fiber-optic cable network, particularly the points where data transfers occur.
  • On at least one occasion, a former official previously told me, U.S. intelligence officials observed a suspected Russian spy actually break into a data closet to tap into a network.

These suspected Russian spies would often engage in what appeared to FBI officials as bizarre behavior — like getting out of their car at a rest stop, circling a tree a few times, and driving away.

  • The anomalous sojourns, officials realized, were often near U.S. military bases.
  • In the end, U.S. spy hunters concluded that the Russian spooks may have wanted to tap the communications of these military bases — or to exhaustively map them in order to have agents disrupt them in case of a war between the U.S. and Russia.

The bottom line: Even communications that aren’t classified can be sensitive and have intelligence value. As the prior Russian effort shows, spy services have devoted immense time and energy to mapping out nonclassified communications channels.

3. Russian military hackers exploiting email vulnerability, NSA says

Cyber operators reporting to the GRU, Russia’s military intelligence agency, have been exploiting a vulnerability in widely used email software “since at least last August,” according to a rare public warning by the NSA.

What's happening: The GRU’s Main Center for Special Technology, commonly labeled by the industry as Sandworm, is conducting this campaign, said the NSA. This group is known for its aggressive and boundary-pushing cyber activities.

  • The unit is responsible for the highly destructive 2017 NotPetya cyberattack that began in Ukraine — paralyzing Ukrainian energy, banking, transportation and telecommunications companies — before spreading globally. The same unit authored a major disruptive cyber action in the nation of Georgia in 2019.
  • Called Unit 74455 within the GRU, this group also coordinated in 2016 with the GRU hacking unit commonly known as Fancy Bear, which was responsible for the 2016 DNC and Democratic Congressional Campaign Committee compromises. According to a 2018 DOJ indictment, Unit 74455 was a key player in Russia’s post-hacking 2016 dissemination and disinformation campaign.
  • This unit was also responsible for a December 2015 cyberattack in Ukraine that shut off power for 230,000 people, among other incidents like NotPetya, says the United Kingdom’s National Cyber Security Centre.

Sandworm isn’t the stealthiest Russian hacking actor, a former U.S. intelligence official said.

  • For instance, Turla, another unit of Russian cyber operators, recently carried out an espionage campaign by secretly hijacking the infrastructure of an Iranian hacker group and spying while masquerading as Iranians.
  • But Unit 74455's tenacity, belligerence and reach make it a serious concern.

The bottom line: A rare public announcement by the NSA of a vulnerability being exploited by a major foreign hacking group is news in itself. But the fact that this unit, Sandworm, has shown itself willing to orchestrate campaigns with serious real-world effects means the warning should raise eyebrows.

  • Sandworm’s exploitation of this particular vulnerability may simply be aimed at old-fashioned cyber espionage. But 2020 is an election year, and as we know, purloined emails, subsequently released to the public, can roil a country’s political scene.

4. Solarium group gives its report a pandemic update

On Tuesday, the Cyberspace Solarium Commission, a bipartisan body that issued a voluminous report in March, released an annex focused on the challenges of the coronavirus era.

  • “The COVID-19 pandemic has put U.S. crisis leadership, preparedness, response, and recovery to the test,” says the report. “A sufficiently large cyberattack could mirror the virus’s effects — widespread disruption of our government, economy, and daily life, with the added challenge that a cyber adversary can watch, learn from, and rapidly adjust to our response.”

Some of the commission’s prior recommendations have taken on new urgency due to COVID-19, says the report, including:

  • Strengthening cybersecurity for remote work.
  • Ensuring that critical government services can be accessed digitally.
  • Enhancing mechanisms to combat online fraud and cyber crime.

The COVID-19 crisis is like a major cyberattack in some ways, says the report.

  • Both are “complex” emergencies, necessitating “a balance between agility and institutional resilience across each sector of the economy.” For a disruptive cyber event, the report underlines the need for greater national-level coordination and planning efforts, as well as advance planning for remediation and recovery efforts.

5. Odds and ends

  • Zoom said it will offer full encryption on its popular videoconferencing service only to paying customers because it wants to cooperate with law enforcement when free users pursue "bad purposes." (The Next Web)
  • After a breach announcement, only one-third of affected users typically change their passwords, a Carnegie Mellon study finds. (ZDNet)
  • Former Deputy AG Rod Rosenstein is advising the NSO Group, an Israeli company that has provided authoritarian regimes with spyware used to surveil dissidents and journalists. Rosenstein is testifying today before a Senate committee about the Flynn investigation. (CyberScoop, Axios)
  • Facebook employees revolt over Mark Zuckerberg’s laissez-faire approach to handling incitements of violence on his platform, including those by the president. (Axios)
  • A dive into the U.S. cyber budget shows a military-heavy approach. (Lawfare)
  • Congress’ renewal of lapsed FISA provisions, and larger reform of the law governing domestic spying on foreign operations, collapsed after President Trump signaled a veto threat, and liberal Democrats also balked. (Wall Street Journal)