Meet the Scientists on the Frontlines of Protecting Humanity from a Man-Made Pathogen
From left: Jean Peccoud, Randall Murch, and Neeraj Rao.
Jean Peccoud wasn't expecting an email from the FBI. He definitely wasn't expecting the agency to invite him to a meeting. "My reaction was, 'What did I do wrong to be on the FBI watch list?'" he recalls.
You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack.
He didn't know what the feds could possibly want from him. "I was mostly scared at this point," he says. "I was deeply disturbed by the whole thing."
But he decided to go anyway, and when he traveled to San Francisco for the 2008 gathering, the reason for the e-vite became clear: The FBI was reaching out to researchers like him—scientists interested in synthetic biology—in anticipation of the potential nefarious uses of this technology. "The whole purpose of the meeting was, 'Let's start talking to each other before we actually need to talk to each other,'" says Peccoud, now a professor of chemical and biological engineering at Colorado State University. "'And let's make sure next time you get an email from the FBI, you don't freak out."
Synthetic biology—which Peccoud defines as "the application of engineering methods to biological systems"—holds great power, and with that (as always) comes great responsibility. When you can synthesize genetic material in a lab, you can create new ways of diagnosing and treating people, and even new food ingredients. But you can also "print" the genetic sequence of a virus or virulent bacterium.
And while it's not easy, it's also not as hard as it could be, in part because dangerous sequences have publicly available blueprints. You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack. You could synthesize a dangerous pathogen's code on purpose, or you could unwittingly do so because someone tampered with your digital instructions. Ordering synthetic genes for viral sequences, says Peccoud, would likely be more difficult today than it was a decade ago.
"There is more awareness of the industry, and they are taking this more seriously," he says. "There is no specific regulation, though."
Trying to lock down the interconnected machines that enable synthetic biology, secure its lab processes, and keep dangerous pathogens out of the hands of bad actors is part of a relatively new field: cyberbiosecurity, whose name Peccoud and colleagues introduced in a 2018 paper.
Biological threats feel especially acute right now, during the ongoing pandemic. COVID-19 is a natural pathogen -- not one engineered in a lab. But future outbreaks could start from a bug nature didn't build, if the wrong people get ahold of the right genetic sequences, and put them in the right sequence. Securing the equipment and processes that make synthetic biology possible -- so that doesn't happen -- is part of why the field of cyberbiosecurity was born.
The Origin Story
It is perhaps no coincidence that the FBI pinged Peccoud when it did: soon after a journalist ordered a sequence of smallpox DNA and wrote, for The Guardian, about how easy it was. "That was not good press for anybody," says Peccoud. Previously, in 2002, the Pentagon had funded SUNY Stonybrook researchers to try something similar: They ordered bits of polio DNA piecemeal and, over the course of three years, strung them together.
Although many years have passed since those early gotchas, the current patchwork of regulations still wouldn't necessarily prevent someone from pulling similar tricks now, and the technological systems that synthetic biology runs on are more intertwined — and so perhaps more hackable — than ever. Researchers like Peccoud are working to bring awareness to those potential problems, to promote accountability, and to provide early-detection tools that would catch the whiff of a rotten act before it became one.
Peccoud notes that if someone wants to get access to a specific pathogen, it is probably easier to collect it from the environment or take it from a biodefense lab than to whip it up synthetically. "However, people could use genetic databases to design a system that combines different genes in a way that would make them dangerous together without each of the components being dangerous on its own," he says. "This would be much more difficult to detect."
After his meeting with the FBI, Peccoud grew more interested in these sorts of security questions. So he was paying attention when, in 2010, the Department of Health and Human Services — now helping manage the response to COVID-19 — created guidance for how to screen synthetic biology orders, to make sure suppliers didn't accidentally send bad actors the sequences that make up bad genomes.
Guidance is nice, Peccoud thought, but it's just words. He wanted to turn those words into action: into a computer program. "I didn't know if it was something you can run on a desktop or if you need a supercomputer to run it," he says. So, one summer, he tasked a team of student researchers with poring over the sentences and turning them into scripts. "I let the FBI know," he says, having both learned his lesson and wanting to get in on the game.
Peccoud later joined forces with Randall Murch, a former FBI agent and current Virginia Tech professor, and a team of colleagues from both Virginia Tech and the University of Nebraska-Lincoln, on a prototype project for the Department of Defense. They went into a lab at the University of Nebraska at Lincoln and assessed all its cyberbio-vulnerabilities. The lab develops and produces prototype vaccines, therapeutics, and prophylactic components — exactly the kind of place that you always, and especially right now, want to keep secure.
"We were creating wiki of all these nasty things."
The team found dozens of Achilles' heels, and put them in a private report. Not long after that project, the two and their colleagues wrote the paper that first used the term "cyberbiosecurity." A second paper, led by Murch, came out five months later and provided a proposed definition and more comprehensive perspective on cyberbiosecurity. But although it's now a buzzword, it's the definition, not the jargon, that matters. "Frankly, I don't really care if they call it cyberbiosecurity," says Murch. Call it what you want: Just pay attention to its tenets.
A Database of Scary Sequences
Peccoud and Murch, of course, aren't the only ones working to screen sequences and secure devices. At the nonprofit Battelle Memorial Institute in Columbus, Ohio, for instance, scientists are working on solutions that balance the openness inherent to science and the closure that can stop bad stuff. "There's a challenge there that you want to enable research but you want to make sure that what people are ordering is safe," says the organization's Neeraj Rao.
Rao can't talk about the work Battelle does for the spy agency IARPA, the Intelligence Advanced Research Projects Activity, on a project called Fun GCAT, which aims to use computational tools to deep-screen gene-sequence orders to see if they pose a threat. It can, though, talk about a twin-type internal project: ThreatSEQ (pronounced, of course, "threat seek").
The project started when "a government customer" (as usual, no one will say which) asked Battelle to curate a list of dangerous toxins and pathogens, and their genetic sequences. The researchers even started tagging sequences according to their function — like whether a particular sequence is involved in a germ's virulence or toxicity. That helps if someone is trying to use synthetic biology not to gin up a yawn-inducing old bug but to engineer a totally new one. "How do you essentially predict what the function of a novel sequence is?" says Rao. You look at what other, similar bits of code do.
"We were creating wiki of all these nasty things," says Rao. As they were working, they realized that DNA manufacturers could potentially scan in sequences that people ordered, run them against the database, and see if anything scary matched up. Kind of like that plagiarism software your college professors used.
Battelle began offering their screening capability, as ThreatSEQ. When customers -- like, currently, Twist Bioscience -- throw their sequences in, and get a report back, the manufacturers make the final decision about whether to fulfill a flagged order — whether, in the analogy, to give an F for plagiarism. After all, legitimate researchers do legitimately need to have DNA from legitimately bad organisms.
"Maybe it's the CDC," says Rao. "If things check out, oftentimes [the manufacturers] will fulfill the order." If it's your aggrieved uncle seeking the virulent pathogen, maybe not. But ultimately, no one is stopping the manufacturers from doing so.
Beyond that kind of tampering, though, cyberbiosecurity also includes keeping a lockdown on the machines that make the genetic sequences. "Somebody now doesn't need physical access to infrastructure to tamper with it," says Rao. So it needs the same cyber protections as other internet-connected devices.
Scientists are also now using DNA to store data — encoding information in its bases, rather than into a hard drive. To download the data, you sequence the DNA and read it back into a computer. But if you think like a bad guy, you'd realize that a bad guy could then, for instance, insert a computer virus into the genetic code, and when the researcher went to nab her data, her desktop would crash or infect the others on the network.
Something like that actually happened in 2017 at the USENIX security symposium, an annual programming conference: Researchers from the University of Washington encoded malware into DNA, and when the gene sequencer assembled the DNA, it corrupted the sequencer's software, then the computer that controlled it.
"This vulnerability could be just the opening an adversary needs to compromise an organization's systems," Inspirion Biosciences' J. Craig Reed and Nicolas Dunaway wrote in a paper for Frontiers in Bioengineering and Biotechnology, included in an e-book that Murch edited called Mapping the Cyberbiosecurity Enterprise.
Where We Go From Here
So what to do about all this? That's hard to say, in part because we don't know how big a current problem any of it poses. As noted in Mapping the Cyberbiosecurity Enterprise, "Information about private sector infrastructure vulnerabilities or data breaches is protected from public release by the Protected Critical Infrastructure Information (PCII) Program," if the privateers share the information with the government. "Government sector vulnerabilities or data breaches," meanwhile, "are rarely shared with the public."
"What I think is encouraging right now is the fact that we're even having this discussion."
The regulations that could rein in problems aren't as robust as many would like them to be, and much good behavior is technically voluntary — although guidelines and best practices do exist from organizations like the International Gene Synthesis Consortium and the National Institute of Standards and Technology.
Rao thinks it would be smart if grant-giving agencies like the National Institutes of Health and the National Science Foundation required any scientists who took their money to work with manufacturing companies that screen sequences. But he also still thinks we're on our way to being ahead of the curve, in terms of preventing print-your-own bioproblems: "What I think is encouraging right now is the fact that we're even having this discussion," says Rao.
Peccoud, for his part, has worked to keep such conversations going, including by doing training for the FBI and planning a workshop for students in which they imagine and work to guard against the malicious use of their research. But actually, Peccoud believes that human error, flawed lab processes, and mislabeled samples might be bigger threats than the outside ones. "Way too often, I think that people think of security as, 'Oh, there is a bad guy going after me,' and the main thing you should be worried about is yourself and errors," he says.
Murch thinks we're only at the beginning of understanding where our weak points are, and how many times they've been bruised. Decreasing those contusions, though, won't just take more secure systems. "The answer won't be technical only," he says. It'll be social, political, policy-related, and economic — a cultural revolution all its own.
The Science of Why Adjusting to Omicron Is So Tough
A brain expert weighs in on the cognitive biases that hold us back from adjusting to the new reality of Omicron.
We are sticking our heads into the sand of reality on Omicron, and the results may be catastrophic.
Omicron is over 4 times more infectious than Delta. The Pfizer two-shot vaccine offers only 33% protection from infection. A Pfizer booster vaccine does raises protection to about 75%, but wanes to around 30-40 percent 10 weeks after the booster.
The only silver lining is that Omicron appears to cause a milder illness than Delta. Yet the World Health Organization has warned about the “mildness” narrative.
That’s because the much faster disease transmission and vaccine escape undercut the less severe overall nature of Omicron. That’s why hospitals have a large probability of being overwhelmed, as the Center for Disease Control warned, in this major Omicron wave.
Yet despite this very serious threat, we see the lack of real action. The federal government tightened international travel guidelines and is promoting boosters. Certainly, it’s crucial to get as many people to get their booster – and initial vaccine doses – as soon as possible. But the government is not taking the steps that would be the real game-changers.
Pfizer’s anti-viral drug Paxlovid decreases the risk of hospitalization and death from COVID by 89%. Due to this effectiveness, the FDA approved Pfizer ending the trial early, because it would be unethical to withhold the drug from people in the control group. Yet the FDA chose not to hasten the approval process along with the emergence of Omicron in late November, only getting around to emergency authorization in late December once Omicron took over. That delay meant the lack of Paxlovid for the height of the Omicron wave, since it takes many weeks to ramp up production, resulting in an unknown number of unnecessary deaths.
We humans are prone to falling for dangerous judgment errors called cognitive biases.
Widely available at-home testing would enable people to test themselves quickly, so that those with mild symptoms can quarantine instead of infecting others. Yet the federal government did not make tests available to patients when Omicron emerged in late November. That’s despite the obviousness of the coming wave based on the precedent of South Africa, UK, and Denmark and despite the fact that the government made vaccines freely available. Its best effort was to mandate that insurance cover reimbursements for these kits, which is way too much of a barrier for most people. By the time Omicron took over, the federal government recognized its mistake and ordered 500 million tests to be made available in January. However, that’s far too late. And the FDA also played a harmful role here, with its excessive focus on accuracy going back to mid-2020, blocking the widespread availability of cheap at-home tests. By contrast, Europe has a much better supply of tests, due to its approval of quick and slightly less accurate tests.
Neither do we see meaningful leadership at the level of employers. Some are bringing out the tired old “delay the office reopening” play. For example, Google, Uber, and Ford, along with many others, have delayed the return to the office for several months. Those that already returned are calling for stricter pandemic measures, such as more masks and social distancing, but not changing their work arrangements or adding sufficient ventilation to address the spread of COVID.
Despite plenty of warnings from risk management and cognitive bias experts, leaders are repeating the same mistakes we fell into with Delta. And so are regular people. For example, surveys show that Omicron has had very little impact on the willingness of unvaccinated Americans to get a first vaccine dose, or of vaccinated Americans to get a booster. That’s despite Omicron having taken over from Delta in late December.
What explains this puzzling behavior on both the individual and society level? We humans are prone to falling for dangerous judgment errors called cognitive biases. Rooted in wishful thinking and gut reactions, these mental blindspots lead to poor strategic and financial decisions when evaluating choices.
These cognitive biases stem from the more primitive, emotional, and intuitive part of our brains that ensured survival in our ancestral environment. This quick, automatic reaction of our emotions represents the autopilot system of thinking, one of the two systems of thinking in our brains. It makes good decisions most of the time but also regularly makes certain systematic thinking errors, since it’s optimized to help us survive. In modern society, our survival is much less at risk, and our gut is more likely to compel us to focus on the wrong information to make decisions.
One of the biggest challenges relevant to Omicron is the cognitive bias known as the ostrich effect. Named after the myth that ostriches stick their heads into the sand when they fear danger, the ostrich effect refers to people denying negative reality. Delta illustrated the high likelihood of additional dangerous variants, yet we failed to pay attention to and prepare for such a threat.
We want the future to be normal. We’re tired of the pandemic and just want to get back to pre-pandemic times. Thus, we greatly underestimate the probability and impact of major disruptors, like new COVID variants. That cognitive bias is called the normalcy bias.
When we learn one way of functioning in any area, we tend to stick to that way of functioning. You might have heard of this as the hammer-nail syndrome: when you have a hammer, everything looks like a nail. That syndrome is called functional fixedness. This cognitive bias causes those used to their old ways of action to reject any alternatives, including to prepare for a new variant.
Our minds naturally prioritize the present. We want what we want now, and downplay the long-term consequences of our current desires. That fallacious mental pattern is called hyperbolic discounting, where we excessively discount the benefits of orienting toward the future and focus on the present. A clear example is focusing on the short-term perceived gains of trying to return to normal over managing the risks of future variants.
The way forward into the future is to defeat cognitive biases and avoid denying reality by rethinking our approach to the future.
The FDA requires a serious overhaul. It’s designed for a non-pandemic environment, where the goal is to have a highly conservative, slow-going, and risk-averse approach so that the public feels confident trusting whatever it approved. That’s simply unacceptable in a fast-moving pandemic, and we are bound to face future pandemics in the future.
The federal government needs to have cognitive bias experts weigh in on federal policy. Putting all of its eggs in one basket – vaccinations – is not a wise move when we face the risks of a vaccine-escaping variant. Its focus should also be on expediting and prioritizing anti-virals, scaling up cheap rapid testing, and subsidizing high-filtration masks.
For employers, instead of dictating a top-down approach to how employees collaborate, companies need to adopt a decentralized team-led approach. Each individual team leader of a rank-and-file employee team should determine what works best for their team. After all, team leaders tend to know much more of what their teams need, after all. Moreover, they can respond to local emergencies like COVID surges.
At the same time, team leaders need to be trained to integrate best practices for hybrid and remote team leadership. Companies transitioned to telework abruptly as part of the March 2020 lockdowns. They fell into the cognitive bias of functional fixedness and transposed their pre-existing, in-office methods of collaboration on remote work. Zoom happy hours are a clear example: The large majority of employees dislike them, and research shows they are disconnecting, rather than connecting.
Yet supervisors continue to use them, despite the existence of much better methods of facilitating colalboration, which have been shown to work, such as virtual water cooler discussions, virtual coworking, and virtual mentoring. Leaders also need to facilitate innovation in hybrid and remote teams through techniques such as virtual asynchronous brainstorming. Finally, team leaders need to adjust performance evaluation to adapt to the needs of hybrid and remote teams.
On an individual level, people built up certain expectations during the first two years of the pandemic, and they don't apply with Omicron. For example, most people still think that a cloth mask is a fine source of protection. In reality, you really need an N-95 mask, since Omicron is so much more infectious. Another example is that many people don’t realize that symptom onset is much quicker with Omicron, and they aren’t prepared for the consequences.
Remember that we have a huge number of people who are asymptomatic, often without knowing it, due to the much higher mildness of Omicron. About 8% of people admitted to hospitals for other reasons in San Francisco test positive for COVID without symptoms, which we can assume translates for other cities. That means many may think they're fine and they're actually infectious. The result is a much higher chance of someone getting many other people sick.
During this time of record-breaking cases, you need to be mindful about your internalized assumptions and adjust your risk calculus accordingly. So if you can delay higher-risk activities, January and February might be the time to do it. Prepare for waves of disruptions to continue over time, at least through the end of February.
Of course, you might also choose to not worry about getting infected. If you are vaccinated and boosted, and do not have any additional health risks, you are very unlikely to have a serious illness due to Omicron. You can just take the small risk of a serious illness – which can happen – and go about your daily life. If doing so, watch out for those you care about who do have health concerns, since if you infect them, they might not have a mild case even with Omicron.
In short, instead of trying to turn back the clock to the lost world of January 2020, consider how we might create a competitive advantage in our new future. COVID will never go away: we need to learn to live with it. That means reacting appropriately and thoughtfully to new variants and being intentional about our trade-offs.
An autonomous drone carrying an automated external defibrillator travels to a cardiac emergency in Sweden.
Picture this: your medical first responder descends from the sky like a friendly, unmanned starship. Hovering over your door, it drops a device with recorded instructions to help a bystander jumpstart your heart that has stopped. This, after the 911 call but before the ambulance arrives.
This is exactly what happened on Dec. 9, 2021, when a 71-year-old man in Sweden suffered a cardiac arrest while shoveling snow. A passerby, seeing him collapse, called for an ambulance. In just over three minutes, a drone swooped overhead carrying an Automated External Defibrillator (AED). The patient was revived on the spot before the ambulance arrived to rush him to the hospital where he made a full recovery. The revolutionary technology saved his life.
In 2020, Sweden became the first country to deploy drones carrying AEDs to people in sudden cardiac arrest, when survival odds depend on getting CPR and an electric shock to the heart from a defibrillator within 5 minutes—nearly always before emergency responders arrive.
In the U.S. alone, more than 356,00 cardiac arrests occur outside of hospitals each year; 9 out of 10 of these people die. Plus, the risk of permanent brain injury increases after the first three minutes the heart stops beating. After nine minutes, damage to the brain and other organs is usually severe and irreversible.
“The fundamental technology can be applied to a lot of other emergency situations.”
Once the stuff of sci fi, the delivery of life-saving medical equipment by drone will be commonplace in the near future, experts say. The Swedish team is hailing their study as the first-ever proof of concept for using drones in emergency medicine. The drones arrived only two minutes before the ambulance in most cases but that’s significant during cardiac arrest when survival rates drop 10% every minute.
Since that 2020 pilot, the drones have been tweaked for better performance. They can travel faster and after dark today, and route planning has been optimized, says Mats Sällström, chief executive officer of Everdrone, the technical and development guru for the project, who is collaborating with researchers at the Karolinska Institutet and Sweden’s national emergency call center, SOS Alarm.
When an emergency call comes in, the operator determines if it’s a cardiac arrest. If so, the caller gets CPR instructions while an ambulance is summoned and a control center is notified automatically to dispatch a drone. If conditions allow, the drone flies to the scene via a GPS signal from the caller’s cell phone. Once dropped at the location, the AED beeps to signal its arrival. The AED talks the user through every step when it’s opened while the emergency operator offers support.
Public health officials have tried placing AEDs in public spaces like airports and shopping malls for quick access but the results have been disappointing. Poor usage rates of 2% to 3% have been attributed to bystanders not knowing where they are, not wanting to leave victims, or the site being closed when needed.
Some people fear they could harm the victim or won’t know how to use the AED but not to worry, says Wayne Rosamond, a professor of epidemiology at the University of North Carolina Gillings School of Global Public Health, who studies AED drones. “[The device] won’t shock someone unless they need to be shocked,” he says.
The AED instructions are foolproof, echoes Timothy Chan, professor of engineering at the University of Toronto, who has been building optimization models to design drone networks in Ontario, Canada. All the same, he says, community education will be essential for success. “People have more awareness about drones than AEDs,” he’s found.
Rosamond and Chan are among scientists around the world inspired by Sweden to do their own modeling, simulation and feasibility studies on drone-delivered AEDs.
“Scandinavia is way ahead of us,” notes Rosamond. “There is a tremendous amount of regulatory control over flying drones in the U.S.” In addition to Federal Aviation Administration restrictions, medical drones in the U.S. must comply with HIPAA laws surrounding confidentiality and security of patient information.
To date, Sweden has expanded drone operations and home bases around the country and throughout Europe. Since April 2021, the team has deployed 1-4 drones per week, says Sällström.
Certain weather conditions remain an obstacle. The drones cannot be dispatched safely in rain, snow and heavy wind. Close, heavily populated neighborhoods with high-rise buildings also present challenges.
“Semi-urban areas with residential low-rise [1-5 stories] buildings are the sweet spot for our operations,” Sällström says. “However, as the system matures, we will pursue operations in practically all-weather conditions and also in densely populated areas.” The team is also trying to improve drone speed and battery life to enable flights to rural and remote areas in the future.
Chan predicts that delivering AEDs via drone will be a regular occurrence in five years. In addition, he says, “The fundamental technology can be applied to a lot of other emergency situations.”
Drones could carry medications for anaphylactic shock and opioid overdose, or bring tourniquets and bandages to trauma victims, Chan suggests. Other researchers are looking at the delivery of glucose for low blood sugar emergencies and the transport of organs for transplant.
The sky is no longer the limit.