Biotechnology has long been a target of state-sponsored espionage. In 1848 Scottish botanist Robert Fortune travelled to Fujian province in disguise to discover the secret of Chinese tea processing to aid the development of British East India plantations, and in 1989 West German agent Karl Heinrich Stohlze seduced a manager at a Boston biotechnology firm to provide him proprietary documents about biotech research to pass on to Siemens. The threat not only continues today, but it is also growing. Although understanding the complete extent of biotech espionage is difficult, Ventria Bioscience, GlaxoSmithKline, Dow AgroSciences LLC, Cargill Inc, Dupont Pioneer and Monsanto have all experienced theft of trade secrets or biological materials by current or former employee(s) within the last 10 years. Most recently, the COVID-19 crisis has focused attackers on those organizations working on a cure, according to intelligence agencies in the US, UK and Belgium, among others. Indeed, many biotech companies are effectively ‘under siege’. This is where geopolitical tensions are played out: in the research frontlines. This blog highlights the characteristics that make biotechnology particularly vulnerable, the relevant threat events, the non-traditional collection methods available to actors, and the special threat posed by insiders.
Biotechnology is a broad discipline that historically was led by the Netherlands and Japan but has recently been dominated by the US, UK, Switzerland and Singapore. Discoveries are a key driver of a country’s economic competitiveness. This ‘early’ knowledge can lead to the formation of an industry cluster, such as the biotechnology clusters found in Boston, Cambridge and Basel. For this reason, nation-states target small and medium-sized innovative companies where many discoveries are made. When early-stage know-how is leaked to competitors in other countries, it reduces the likelihood that clusters will be formed in the home country, regardless of whether initial investments were made there first. Thus, retaining initial advantage is as important as first establishing it.
Despite the highly competitive nature of the industry, biotechnology has had an established tradition of research collaboration. The tension between protecting the IP a company depends on to finance its continued existence and advancing the broader goal of improving human outcomes can complicate decision making. Some argue that the current pandemic and its aftermath compel organizations to collaborate more with competitors. When assessing the risk of sharing, however, consider the costs to national economic welfare if access to technical/scientific knowledge were to be shared with state-controlled organisations. The following threat events are of particular relevance to the biotechnology sector:
The theft, deletion or modification of data, algorithms, or software with a direct or indirect impact on R&D or commercial operations;
The loss or sharing of intellectual property or commercial advantage;
The sabotage of important systems or infrastructure leading to impairment of commercial operations or impeding good manufacturing practices;
The stealing of cost and pricing information, internal strategy documents, bulk personally identifiable information (PII) to improve the competitiveness of state-controlled organisations or weapons programmes;
Repurposing biological or chemical research to aid weapons development or fulfil a vision.
Nation-states have several options to achieve these objectives – external hacking is only one of them. Next, we discuss several legal means often employed to obtain highly prized research.
Legitimate gains? Obtaining insider access to IP through foreign direct investment (FDI) and nontraditional collectors
The current pandemic has damaged the economic prospects and market valuation of many companies. Although biotechnology stocks have fared much better than broad indices, numerous companies have seen their valuations drop as their research is not directly relevant to the virus. Nation-states and their allied corporations have noticed. Acquiring distressed companies is an established practice to legally obtain intellectual property that otherwise would have to be stolen. Even partial ownership can create difficulties. Large minority owners often request representation on the supervisory board, and when these directors represent nation-state interests, it can increase the difficulty of addressing espionage cases. Board representation can also be achieved by providing early-stage financing through state-controlled venture capital firms.
In response to this heightened threat, the European Council (EC) has issued guidelines to strengthen foreign investment screening during the current public health crisis and related economic downturn. The guidelines encourage all states to set up an FDI mechanism to address foreign acquisition or control of particular businesses, infrastructures or technologies that threaten security in the EU. Several countries hardest hit by the virus have also issued stronger FDI restrictions, including Italy, Spain and France. These EC guidelines serve as a temporary measure until the EU FDI Screening Regulation takes effect on 11 October 2020.
Foreign actors are also increasingly employing non-traditional collectors to target and influence organisations. These collectors include students, visiting scientists, scholars, and businesspersons, making it increasingly difficult to assess who to trust. China’s renowned Thousand Talents Programme (TPP), which recruits overseas researchers to send their skills and knowledge back to China, is but one of 200 talent programmes in the country. Intelligence officials have been vocal about their use for espionage, and high-visibility prosecutions of talent plan members have caused the Chinese government to remove public information about these programs and their participants, making screening for members difficult. A satisfactory resolution to this dilemma remains elusive, but recent cases underscore the need for enhanced due diligence.
Insider threats within biotechnology pose risks for organizations…and society.
The risk of loss of critical assets due to insiders is significantly underestimated by most companies. This can be especially true during a pandemic lockdown that forces leaders to make difficult decisions regarding staffing levels despite financial support from governments. The resulting uncertainty has added stress to workers who may already be dealing with difficult work environments at home. These conditions create an elevated threat for several damaging insider behaviours:
Employees experiencing stress may accidentally leak sensitive data or dangerously mishandle the actual viruses themselves;
Terminated IT personnel, especially those in administrative roles, may sabotage IT operations in retaliation;
Scientists may seek to capitalize on the money and attention given to the sector by taking IP they’ve developed to competitors or to attract investments to their own startups;
Researchers may seek to generate a new crisis by releasing bioweapons. This was the suspected motivation of Dr Bruce Ivins, who allegedly sent letters laced with anthrax to US Senators a month after the September 11 attacks to revive interest and funding for his failing anthrax research program.
Are governments and organizations ready to manage these risks, especially during the COVID-19 crisis?
The success of biotechnology firms is a national issue. Now is the time for governments to step up and get full oversight of the complexity of the threat, regard biotechnology as critical national infrastructure and provide strong guidance and support to companies to conduct their business while safeguarding their critical assets.
Companies, for their part, should understand that a holistic insider risk programme provides the strongest defence against the loss of intellectual property and other damage caused by insiders. Implementing a comprehensive program may challenge smaller companies, but there are few shortcuts in security. Signpost Six has identified fourteen key countermeasures that enable organizations to manage and control the significant threat that insider risk poses.
Due to their tradition of collaborative research and hosting visiting scientists, biotech organisations should pay special attention to their identity and access management, third-party agreements and insider act response mechanisms, including establishing contacts with law enforcement agencies. Small and medium enterprises, in particular, should consider utilising external consultancies to enhance capabilities and provide guidance on priorities.
Need help on your journey towards a comprehensive insider program? Signpost Six has deep experience assessing and implementing holistic insider risk management programmes at public and private organisations of all sizes. Our specialists can provide targeted guidance on each of the countermeasures listed above and explain the benefits of a complete insider threat program. We stand ready to help.