By Georgia Ray
The Blue Ribbon Study Panel on Biodefense has, with the additional support of Representative Chrissy Houlahan (PA), been rechristened as the Bipartisan Commission on Biodefense. On September 17, 2019, they hosted an event on cyberbiosecurity.
Houlahan spoke on three issues relevant to the theme of this panel, “the Cyberbio Convergence”:
- Growing importance of cybersecurity as it relates to biological threat data (She is currently working on a report about this.)
- The future impact of China on the US’ bioeconomy.
- Educating people in the U.S., including recruiting and incentives for joining the US’ biosecurity enterprise
Former South Dakota Senator Tom Daschle described biosecurity as a cause area with “broad support but few champions” and agreed with the importance of creating career paths and pipelines into the field. (Great news for optimistic current Biodefense program students like myself.) The panel also agreed on the importance of starting education earlier, through STEM education and basic numeracy skills.
Each session consisted of a panel of two or three experts on a particular aspect of the biosecurity-cybersecurity confluence. The experts made statements and answered a few questions from the Commission.
Panel 1: Pathogens and Biomanufacturing data systems vulnerability
Dr. Kelvin Lee is the director of the National Institute for Innovation in Manufacturing Biopharmaceuticals and is working on a report on safeguarding the US bioeconomy, to be out early next year. Lee’s talk wasn’t about that report, though. Instead, he took a computer security approach to the question. Or rather, questions. With a field as young as digital biosecurity, there are lots of unanswered questions. For instance: will it take new solutions, or can it largely recycle the massive existing field of cybersecurity?
He was the first of several speakers of the day to bring up a fascinating case study – NotPetya, a computer worm that hit the company Merck in 2017, costing it hundreds of millions of dollars and devastating its ability to produce vaccines for some time. Merck, in fact, had to buy vaccines from the CDC to meet US needs. If this happened in the midst of a crisis, or affected the sole manufacturer of a vaccine, the consequences would clearly be dire. The Merck virus wasn’t intended as an attack, but had ramifications similar to one, and it’s easy to see how similar technology would be a potent weapon.
Lee also introduced a topic of great importance, located squarely at the intersection of cybersecurity and biodefense: the security of DNA synthesis. Today, a variety of companies large and small receive digital files containing DNA sequences, synthesize those files into actual DNA sequences, and mail them back to customers. Theoretically, many firms have promised to screen orders (to determine if someone is, say, ordering the smallpox genome), but there’s no law or verification, and there are many companies nationally and internationally, some of which are probably doing no screening at all.
Dr. Corey Hudson is a senior technical staff member at Sandia National Laboratories. He read a colleague’s remarks and answered questions.
Hudson highlighted the degree to which biological and medical research depend, almost without anyone having directly decided it, on an enormous global network of freely available scientific research and data. Security was not originally a priority when this system was created, so we are now trying to introduce security into a sub-optimal space.
The volume of biological data online doubles every 18 months and is increasingly supplemented by new technology and machines. In particular, Hudson pointed out Internet of Things biotech equipment, which is connected to and controlled over the internet. Hudson says these devices create “unknown security implications.” (If you follow the Twitter account Internet of S#%^, you can probably guess that they’re going to be bad implications.) Cybersecurity-based risks here include disrupting medical countermeasure (MCM) production, leaking personal data, or worse, like increasing access to dangerous pathogens.
John M Clerici, founder of Tiber Creek Partners, was next to speak. He pointed out that while there is certainly classified information of interest to state actors – for instance, DARPA’s project collecting data to determine what, genetically, makes some warfighters better than others – a country like China probably acquires more personal data through buying or harvesting it legally than by hacking. This can be through research, medical tests, personal genetic sequencing kits, and more.
Clerici noted that ASPR could potentially take on cyberbiosecurity responsibility. It has bipartisan support and already runs many biodefense activities. On the other hand, ASPR is chronically underfunded, and can’t just accept more responsibility without an expanded staff and budget.
How about deterring state actors? Cybersecurity and digital hygiene might help with that – part of deterring attacks like this is not being an easy target. Also, as other experts have noted, attribution of potential attacks is still an under-researched issue.
Commission co-chair and former Governor of Pennsylvania Tom Ridge ended by noting that the cybersecurity issue is here to stay – “the digital sun is never going to set.” We’ve made our bed, and we need to figure out how to sleep in it.
Panel 2: Risks Associated with Misuse of Biotechnology
Dr. Allison Berke, executive director of the Stanford Cyber Initiative at Stanford University, discussed three fascinating biosecurity projects that her group is currently working on.
The first is developing open source indicators that signify that a country or researcher is complying (or not) with the Biological Weapons Convention. These take the form of signs that normal research activity is ongoing, for instance: publishing, uploading data to public websites, and professional social media like LinkedIn and GitHub. During the days of the Japanese WWII biological weapons program, for instance, noted scientists in the field were either not publishing or were publishing very little – indicators that the majority of their time was going into classified weapons work.
Her second project is on DNA sequence matching. This entails a cryptographic method in which two parties can compare DNA sequences using an algorithm and be told where the sequences match – but obfuscated by the algorithm in such a way that neither learns what the other party’s sequence is. This could be used for attribution or other cases where a suspected sequence might be proprietary or even info-hazardous.
Finally, a third project details biosafety control systems. Many biological technologies use the same software across all sorts of machinery or systems – heating and cooling, autoclaves, etc. – meaning many systems have the same idiosyncratic security flaws. We already know these systems have vulnerabilities.
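The sequence-matching idea in the second project can be sketched with Diffie-Hellman-style private set intersection over k-mers. This is an added example, not code from the panel or from Berke’s group, and the page does not say which method the project uses; the k-mer length, the demo group, the function names and the sample sequences in the test are all assumptions.

```python
import hashlib
import math
import secrets

# Demo group: integers mod the Mersenne prime 2**521 - 1 (an assumption for
# this sketch; production PSI uses a vetted prime-order elliptic-curve group).
P = 2**521 - 1
K = 8  # k-mer length, assumed


def kmers(seq, k=K):
    """Map each k-mer in seq to the positions where it starts."""
    index = {}
    for i in range(len(seq) - k + 1):
        index.setdefault(seq[i:i + k], []).append(i)
    return index


def hash_to_group(kmer):
    """Hash a k-mer to a nonzero element mod P."""
    digest = hashlib.sha512(kmer.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def new_key():
    """Secret exponent coprime to P - 1, so blinding is a bijection."""
    while True:
        key = secrets.randbelow(P - 3) + 2
        if math.gcd(key, P - 1) == 1:
            return key


def blind(values, key):
    """Raise every value to the secret exponent mod P."""
    return [pow(v, key, P) for v in values]


def matching_positions(seq_a, seq_b):
    """Simulate both parties; return positions in seq_a whose k-mer is in seq_b."""
    a_index, b_index = kmers(seq_a), kmers(seq_b)
    a_key, b_key = new_key(), new_key()
    a_kmers = list(a_index)
    # A -> B: A's hashed k-mers, blinded with A's key.
    msg_a = blind([hash_to_group(x) for x in a_kmers], a_key)
    # B -> A: A's values re-blinded in order, plus B's own blinded k-mers, sorted.
    msg_a_twice = blind(msg_a, b_key)
    msg_b = sorted(blind([hash_to_group(y) for y in b_index], b_key))
    # A applies its key to B's values; equal k-mers collide as H(x)^(a*b).
    shared = set(blind(msg_b, a_key))
    return sorted(p for x, v in zip(a_kmers, msg_a_twice)
                  if v in shared for p in a_index[x])
```

Only blinded values cross between the two roles, so party A learns which of its own positions match and how many k-mers B holds, but not B’s non-matching k-mers; the sketch assumes both parties follow the protocol honestly.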
Dr. James Diggans, the Director of Bioinformatics and Biosecurity at Twist Bioscience, talked primarily about DNA screening and the International Gene Synthesis Consortium’s screening advice. Twist, which among other things synthesizes DNA, has signed onto this set of guidelines for screening its orders. But it has also gone above and beyond IGSC’s biosecurity recommendations, even doing red-teaming to see if security experts posing as hackers can find flaws in the system. So far as Diggans knows, Twist is the only company doing this.
Related to DNA synthesis companies is the idea of personal-sized DNA “benchtop printers” – small and cheap DNA synthesis machines that do what the companies do now – and what, if anything, should be done to regulate them. Diggans believes that the security risks from benchtop DNA synthesis outweigh the economic benefits of their distribution, and that such a machine should therefore not be available to anyone.
He suggested that there are economic solutions – for instance, companies that don’t self-screen could lose NIH funding. An independent third party could act as a verification mechanism (preferably a non-US-government organization, so that it can work neutrally with international synthesis companies).
Panel 3: Vulnerability of Intellectual Property and the Bioeconomy
This panel featured friend of the program FBI Special Agent Edward You, as well as former director of ICE Peter Edge.
Edward You discussed China further. China has been expanding in the medical industries already, creating, for instance, 80% of the world’s generic drugs. He pointed to China’s growing and unprecedented access to US biological data, including genetic and tissue samples, and reiterated Clerici’s point that US companies and agencies are essentially sending this information to them outright. This could be used to create new healthcare solutions including personalized medicine, disrupting the United States’ current biotechnology dominance.
Peter Edge discussed the law enforcement angle of cyber-biosecurity. He pointed out that right now, different agencies in the US government have good coordination for terrorism issues. We should be able, eventually, to say the same for cybersecurity and biosecurity. (One of the Bipartisan Commission on Biodefense’s major criticisms of the existing US biodefense apparatus is that it is poorly coordinated and fragmented.)
As Clerici pointed out earlier, the current body taking the de facto lead on biosecurity is ASPR. However, this office is small, and the panel recommends (now and in their 2015 National Blueprint for Biodefense report) instituting the US vice president as the head of biodefense efforts. This would have the effect of centralizing biodefense coordination in a position of power, although assigning such a role to the vice president is unprecedented.