Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management
NCSC Warns of China’s Efforts to Collect US DNA DataStolen Data Could Support Surveillance, Extortion Efforts
The National Counterintelligence and Security Center is calling attention to China's ongoing efforts to collect DNA data sets and other sensitive health data of Americans through hacking and other methods.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The collection of PII, personal health information and large genomic data sets gives China vast opportunities to precisely target individuals in foreign governments, private industries or other sectors for surveillance, manipulation or extortion, the NCSC warns.
The NCSC alert comes on the heels of a 60 Minutes CBS television segment Sunday featuring William Evanina, the former director of the NCSC, who estimated that 80% of American adults have had their personally identifiable information “stolen” by China.
“You have probably five or six healthcare companies the last five years who have been, I would say, penetrated, exfiltrated, hacked by China,” Evanina told 60 Minutes.
The NCSC alert notes that major data breaches in recent years attributed to the Chinese government or to hackers based in China include the theft of personnel records of roughly 21 million individuals from the U.S. Office of Personnel Management; the theft from Marriott hotels of roughly 400 million records; the theft of data from Equifax on roughly 145 million people; and the theft of data from Anthem on nearly 79 million individuals.
The hack of U.S.-based health insurer Anthem detected in 2015 involved the theft of names, health identification numbers, Social Security numbers, employment and income data and other information, NCSC notes.
A U.S. Justice Department indictment in 2019 charged two individuals based in China in connection with the hack of Anthem and three other U.S. companies (see: Chinese Men Charged in Hacking of Health Insurer Anthem).
Government Access to Data
NCSC points out that the Chinese government can force companies in that nation to share data they collect.
“Under [China’s] national security laws, Chinese companies are compelled to share data they have collected with the government,” NCSC says. “There is no mechanism for Chinese companies to refuse their government’s requests for data.”
As of 2019, at least 15 Chinese companies were licensed to perform genetic testing or whole genomic sequencing on patients in the U.S. healthcare system, giving them direct access to genetic data, the NCSC says.
“While no one begrudges a nation conducting research to improve medical treatments, the People’s Republic of China’s mass collection of DNA at home has helped it carry out human rights abuses against domestic minority groups and support state surveillance,” the NCSC says.
What’s at Stake
NCSC says the exploitation of healthcare and genomic data by China “are not hypothetical.” It points out that the Chinese government has “a documented history of exploiting DNA for genetic surveillance and societal control of minority populations in Xinjiang, China.”
The report warns: “[China’s] collection of healthcare data from America poses equally serious risks, not only to the privacy of Americans, but also to the economic and national security of the U.S."
China’s acquisition of U.S. healthcare data is helping to fuel the nation's artificial intelligence and precision medicine industries, while China severely restricts foreign access to such data on its own citizens, putting America’s $100 billion biotech industry at a disadvantage, the NCSC says.
”Over time, this dynamic could allow China to outpace U.S. biotech firms with important new drugs and health treatments and potentially displace American firms as global biotech leaders,” according to the NCSC report.
Technology attorney Philip Crowley of the law firm Crowley Law LLC says the NCSC’s warning about China’s growing DNA and health data troves spotlights serious threats.
”My concern is having gene editing technology such as CRISPR [clustered regularly interspaced short palindromic repeats] and vast amounts of genetic information in the hands of a nefarious state actor,” he says.
“It is conceivable that such an actor could use those tools to create viruses or biological products that would preferentially infect and harm people with a genotype of low incidence in the state actor’s country but widely expressed in the target country or countries. With the combination of quantum computing, artificial intelligence, ‘big data’ science, current biotechnology tools – and those that have yet to be discovered, the prospect of such attacks cannot be dismissed.”
Legislation and regulations are needed to restrict China’s access to critical U.S. biomedical information, he says. “I’m concerned that much of the data China would need to perform the research necessary for targeted bio-weapons has already been acquired.”
Meanwhile, U.S. entities and technology firms collecting and handling sensitive health data, including genomic data, are also facing growing challenges in keeping that data protected from nefarious actors, he notes.
”It is difficult to keep data secure from a determined state actor for an indefinite period of time,” he says. “Even if securely encrypted, data subject to industry standard encryption schemes cannot withstand the power of quantum computers. That technology is clearly on the horizon.”
That means obtaining encrypted data can be useful to a state actor, Crowley contends. “The response from government and industry has to be employment of the highest standards for preventing, detecting and remedying intrusions.”
Greg Garcia, executive director of cybersecurity at the public-private Health Sector Coordinating Council, says the organization has been watching for any state-sponsored industrial espionage targeting health and vaccine data.
”Health sector stakeholders are working with our government to identify those essential linchpins in the healthcare supply chain in pharmaceutical or device manufacturing or that collect, analyze, transmit or store health data,” he notes.
”We strongly encourage all healthcare organizations to heighten their situational awareness and work with the Department of Homeland Security, law enforcement and the Department of Health and Human Services to enhance their data security defenses against nation-state theft, disruption and exploitation.”