
A Chinese state-sponsored hacker stands accused of stealing American COVID-19 research, and the Biden administration’s lax security posture made it all too easy for our adversaries to exploit gaping holes in our digital defenses, handing over the nation’s scientific edge on a silver platter.
At a Glance
- The Department of Justice charged Chinese national Xu Zewei for hacking U.S. universities to steal COVID-19 research.
- Cyberattacks exploited Microsoft Exchange Server vulnerabilities, targeting vital American scientific data as the pandemic raged.
- Xu, acting under the direction of China’s Ministry of State Security, was arrested in Milan and faces extradition to the U.S.
- The incident exposes the ongoing threat of state-sponsored cyber espionage and raises questions about America’s global competitiveness and national security.
A Brazen Attack on American Innovation
The case of Xu Zewei, now under arrest in Italy and awaiting extradition, lays bare the disturbing reality of foreign regimes targeting our universities for intellectual property theft. Between February 2020 and June 2021, as Americans struggled with lockdowns and mounting casualties, Xu and an accomplice allegedly infiltrated American research institutions, siphoning off sensitive information about vaccines and treatments. The hackers, operating under orders from China’s Ministry of State Security, took advantage of vulnerabilities in Microsoft Exchange Server—an all-too-familiar story as Big Tech and government bureaucrats squabble over who’s responsible for patching critical infrastructure, while hostile actors slip in and out with impunity.
Prosecutors say Xu wasn’t acting alone. He collaborated with Zhang Yu, another suspected operative still at large, orchestrating attacks that compromised the intellectual property of U.S. universities. These weren’t random data breaches—they specifically targeted COVID-19 research, a sector America poured billions into developing, only to have our national investment vacuumed up by Beijing’s digital spies. Let’s be clear: This is not just some anonymous, faceless hacking collective. This is a foreign government leveraging state resources to rob America of its competitive edge during a global crisis.
The Cost of Weak Borders and Weak Cybersecurity
While the Biden administration allowed chaos and confusion to reign at the border, it seems that the virtual borders were equally unguarded. For years, the U.S. government and cybersecurity experts warned about the rise in cyberattacks focused on biomedical research—especially as the pandemic unfolded. Yet the response was tepid at best. In the same way open borders have enabled a flood of illegal entrants, the lackadaisical approach to cyber threats has emboldened foreign adversaries to raid American labs and universities without fear of repercussion. The Department of Justice’s belated pursuit of these hackers only happened after the damage was done, and after critical research had already been exfiltrated to China’s Ministry of State Security. National security, economic prosperity, and public trust continue to pay the price for this ongoing negligence.
Despite the DOJ’s victory in securing Xu’s arrest in Milan, the damage is already done. The U.S. has lost competitive ground in vaccine research and biomedicine, while foreign operatives continue to operate with virtual impunity. The FBI’s own cyber division confirmed that over 60,000 U.S. entities were targeted by these campaigns, with more than 12,700 victims. These are not isolated incidents. They are part of a persistent, state-backed campaign to undermine American innovation and security. The question remains—how many more attacks have gone undetected, how many more American breakthroughs have been stolen, and how long before we draw a line in the sand?
International Cooperation—But At What Cost?
Xu’s arrest in Milan, thanks to cooperation between the FBI, the Department of Justice, and Italian authorities, marks a rare win for international law enforcement against cybercrime. But let’s not kid ourselves: bringing one operative to justice does not undo years of damage inflicted by state-sponsored espionage. The real challenge is holding the orchestrators—China’s Ministry of State Security and its proxies—accountable. Diplomatic statements and strongly worded press releases are cold comfort to the American researchers who watched their work stolen, or to the taxpayers whose investment in science now lines the pockets of a foreign regime.
This case also raises troubling questions about the security of our higher education sector and scientific community. Why are American universities, flush with funding, still so vulnerable to foreign penetration? Why does it take an international manhunt to respond to attacks that should have been anticipated and prevented? And while the DOJ touts this arrest as a victory, the broader pattern remains: hostile states exploit our openness and our technological prowess, while American leaders dither over “root causes” and “diplomatic engagement.”
What’s Next for American Security?
The theft of COVID-19 research is not just a crime against American institutions; it is a direct assault on the nation’s ability to lead in science, medicine, and technology. The arrest of Xu Zewei may disrupt one operation, but the threat remains. America’s adversaries will continue to exploit any weakness—digital, physical, or political. It is past time to demand accountability at every level: from government agencies charged with defending our digital infrastructure, to university administrators responsible for their own networks, and most of all, from political leaders who treat American innovation as just another chip to trade at the diplomatic table.
The nation’s scientific edge, and by extension its security and prosperity, depends on the willingness to recognize, confront, and punish those who would steal it. The question is no longer whether America can afford to take cyber threats seriously. The question is whether we can afford not to, as the cost of inaction grows with each passing breach.