Read on Twitter
Thinking lately about int'l law's implications for COVID-19 vaccine research efforts. Good news--existing int'l law does lots to protect these efforts; bad news--there's a widespread misassumption about spying on vaccine research that may create global public health risks 1/
(Buckle up - long thread) On the plus side, it's not hard to see a consensus now forming on int'l law's application to cyber ops that target the healthcare-sector and specifically essential medical services 2/
Together with @ELAC_Oxford Dapo Akande, @YaleLawSch Harold Koh and ASG's Jim O'Brien, we had a 2 day virtual workshop in May focused on how int'l law regulates cyber ops implicating the healthcare sector 3/ http://opiniojuris.org/2020/05/21/oxford-statement-on-the-international-law-protections-against-cyber-operations-targeting-the-health-care-sector/
The result was the Oxford Statement; it highlighted both int'l law's prohibitions (stuff States shouldn't do vis-a-vis the healthcare sector) & its positive obligations (e.g., duties to respect and protect) when cyber threats do target healthcare 4/ https://www.justsecurity.org/70293/oxford-statement-on-the-international-law-protections-against-cyber-operations-targeting-the-health-care-sector/
133 Int'l lawyers from across the globe signed on & several States signaled support (the Dominican Republic cited it positively in a recent UN Sec. Council meeting). If you're an int'l lawyer, you can still join us as a signatory by letting @ELAC know 5/ https://vm.ee/en/activities-objectives/estonia-united-nations/signature-event-estonias-unsc-presidency-cyber
So far so good. But what about vaccine research itself? What does int'l law have to say? 6/
In recent discussions, I've seen lots of support for recognizing vaccine research re COVID-19 as an essential medical service, a designation that's important for triggering the special protections of int'l humanitarian law and, I'd argue, int'l law in peacetime as well 7/
Essential medical services are easy to categorize as part of a State's domaine réservé in which other States cannot intervene &, if you think of sovereignty as a rule, vaccine research is pretty easily qualified as protected infrastructure (even if privately owned) 8/
Either way, I believe most int'l lawyers would support the Oxford Statement summary - "International law prohibits cyber operations by States that have serious adverse consequences for essential medical services in other States." 9/
The question then becomes what are "adverse consequences"? It's easy to imagine cyber ops targeting vaccine research that'd be off limits under this standard - eg ops that mess with the integrity of research or ransomware data necessary for vaccine production/ distribution 10/
But what about spying on foreign vaccine research efforts? We've already seen reports suggesting this isn't a hypothetical question. Russia has been accused of doing it 11/ https://www.nytimes.com/2020/07/16/us/politics/vaccine-hacking-russia.html
But I've not seen any of these accusations (which come from the US, UK, Canada etc) suggest this spying violates int'l law (rather, as a colleague described it, it's often viewed as "lawful but awful" behavior) 13/ https://www.nsa.gov/news-features/press-room/Article/2275378/nsa-teams-with-ncsc-cse-dhs-cisa-to-expose-russian-intelligence-services-target/
And does anyone really think the USG is not doing the exact same thing? After all, in a prisoner's dilemma type-situation it's a rational (even if sub-optimal) move (& that's putting aside what this particular White House might want/order done) 14/
In policy circles there's also a sense that we must expect AND accept spying on vaccine research as OK (see the always super thoughtful @Jason_Healey) even if it shouldn't be OK to disrupt or manipulate that research 15/ https://www.cfr.org/blog/using-covid-19-double-down-cyber-norms
But for those of you still with me, here's the thing -- spying on vaccine research, particularly the ongoing clinical trials -- may be inherently disruptive in novel ways distinguishable from traditional espionage and indeed cyber espionage generally 16/
Int'l law has long treated espionage with ambiguity - suggesting its widespread practice makes it lawful or extra-legal. Read @UVALaw Ashley Deeks for more 17/ https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2490700
Cyber espionage raises new issues both in terms of its tremendous scale & the difficulty victims have in differentiating it from a cyber-attack (victims often can't tell if they're just being spied on or if a breach is (or will) impact data integrity or availability) 18/
As a result, even if a victim isn't concerned about a data breach itself (although most usually are), they'll still burn lots of hours and $ to remediate it because of the risk of other types of losses 19/
Those risks are readily evident in the vaccine context; for example, even if Oxford's @JennerInstitute will share its vaccine candidate formula and research publicly, they don't want to risk outsiders altering it or installing ransomware that blocks their access to it 20/
Such potential disruptions suggest int'l law should move vaccine research under what I've heard called a 'no-fly' zone. But, I imagine some States would argue that's not existing law or worry about such logic's implications for all cyber espionage 21/
For those States, I heard 2 arguments yesterday that I think warrant MUCH more attention as they contemplate whether they can "just" spy on vaccine research so long as they don't intend to impact the integrity or availability of such data 22/
First, even if States or proxies are just trying to spy on vaccine data, there's always a risk that the op will break something on the way in or out of a system. But "breaking" something when it comes to vaccine research could cause undoubted (& tremendous) adverse effects 23/
Imagine: cyber espionage compromises ongoing Phase III clinical trials. If the integrity of those trials is undermined, the trial fails. We lose the necessary scientific information on whether (and how) a vaccine works (or doesn't). A new trial has to be started from scratch 24/
Some States may think - "We're good here. We have such skill that we can get in and out without breaking anything. So, this is just like espionage elsewhere and it's OK to pursue." For them, I've got a second argument I'd not heard previously 25/
The integrity of vaccine clinical trial data is dependent on its confidentiality. A loss of confidentiality in the clinical trial IS a loss of integrity 26/
If confidentiality is lost over who got a placebo & who got the vaccine, the trial is compromised and the vaccine researchers can’t proceed 27/
This could happen even if the State had no malicious intent other than to see the data – finding its data compromised could lead, say Oxford, to fail its trial simply because there was a successful hack 28/
Of course, a State that acquires such data could dox it & in so doing ruin its potential availability in 2020 for all of us 29/
Or, a State that steals such data might itself fall victim to cyberespionage by some other State (remember #EternalBlue) 30/
As I see it, there are specific risks to spying on vaccine trials that distinguish it from IP-related cyber espionage that has become bread & butter for certain States and others 31/
Now, maybe States are already aware & have accounted for these risks in making decisions on what sorts of operations they will – and will not – pursue. 32/
And maybe their lawyers have thought through whether the analogy to old school espionage holds or if they have to analyze these operations in lieu of other international law prohibitions or protections 33/
If so, my apologies for such a long thread. But, if not, I hope others agree that we need more conversations on this 34/
And not just conversations – States need to be called on to disavow cyber operations that put clinical trials at risk. Literally thousands of lives hang on us getting a COVID-19 vaccine; every day delayed, more lives will be lost 35/
I have no illusions certain rogue actors will still try to spy whatever int’l law or cyber norms say on this. But it’s a different world if we can focus on them than one where we worry that EVERY state sees itself as entitled to spy on all foreign vaccine efforts 36/
Of course, there’re other important issues re int’l law & vaccine research like the protections of human rights law, due diligence & the balance between IP rights & the protection of public health. They warrant attention too & there’s more to be said on them in the future 37/
For now, though, it’s important to highlight the novel risks spying on vaccine research poses. END
