Meet the Scientists on the Frontlines of Protecting Humanity from a Man-Made Pathogen
Jean Peccoud wasn't expecting an email from the FBI. He definitely wasn't expecting the agency to invite him to a meeting. "My reaction was, 'What did I do wrong to be on the FBI watch list?'" he recalls.
You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack.
He didn't know what the feds could possibly want from him. "I was mostly scared at this point," he says. "I was deeply disturbed by the whole thing."
But he decided to go anyway, and when he traveled to San Francisco for the 2008 gathering, the reason for the e-vite became clear: The FBI was reaching out to researchers like him—scientists interested in synthetic biology—in anticipation of the potential nefarious uses of this technology. "The whole purpose of the meeting was, 'Let's start talking to each other before we actually need to talk to each other,'" says Peccoud, now a professor of chemical and biological engineering at Colorado State University. "'And let's make sure next time you get an email from the FBI, you don't freak out."
Synthetic biology—which Peccoud defines as "the application of engineering methods to biological systems"—holds great power, and with that (as always) comes great responsibility. When you can synthesize genetic material in a lab, you can create new ways of diagnosing and treating people, and even new food ingredients. But you can also "print" the genetic sequence of a virus or virulent bacterium.
And while it's not easy, it's also not as hard as it could be, in part because dangerous sequences have publicly available blueprints. You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack. You could synthesize a dangerous pathogen's code on purpose, or you could unwittingly do so because someone tampered with your digital instructions. Ordering synthetic genes for viral sequences, says Peccoud, would likely be more difficult today than it was a decade ago.
"There is more awareness of the industry, and they are taking this more seriously," he says. "There is no specific regulation, though."
Trying to lock down the interconnected machines that enable synthetic biology, secure its lab processes, and keep dangerous pathogens out of the hands of bad actors is part of a relatively new field: cyberbiosecurity, whose name Peccoud and colleagues introduced in a 2018 paper.
Biological threats feel especially acute right now, during the ongoing pandemic. COVID-19 is a natural pathogen -- not one engineered in a lab. But future outbreaks could start from a bug nature didn't build, if the wrong people get ahold of the right genetic sequences, and put them in the right sequence. Securing the equipment and processes that make synthetic biology possible -- so that doesn't happen -- is part of why the field of cyberbiosecurity was born.
The Origin Story
It is perhaps no coincidence that the FBI pinged Peccoud when it did: soon after a journalist ordered a sequence of smallpox DNA and wrote, for The Guardian, about how easy it was. "That was not good press for anybody," says Peccoud. Previously, in 2002, the Pentagon had funded SUNY Stonybrook researchers to try something similar: They ordered bits of polio DNA piecemeal and, over the course of three years, strung them together.
Although many years have passed since those early gotchas, the current patchwork of regulations still wouldn't necessarily prevent someone from pulling similar tricks now, and the technological systems that synthetic biology runs on are more intertwined — and so perhaps more hackable — than ever. Researchers like Peccoud are working to bring awareness to those potential problems, to promote accountability, and to provide early-detection tools that would catch the whiff of a rotten act before it became one.
Peccoud notes that if someone wants to get access to a specific pathogen, it is probably easier to collect it from the environment or take it from a biodefense lab than to whip it up synthetically. "However, people could use genetic databases to design a system that combines different genes in a way that would make them dangerous together without each of the components being dangerous on its own," he says. "This would be much more difficult to detect."
After his meeting with the FBI, Peccoud grew more interested in these sorts of security questions. So he was paying attention when, in 2010, the Department of Health and Human Services — now helping manage the response to COVID-19 — created guidance for how to screen synthetic biology orders, to make sure suppliers didn't accidentally send bad actors the sequences that make up bad genomes.
Guidance is nice, Peccoud thought, but it's just words. He wanted to turn those words into action: into a computer program. "I didn't know if it was something you can run on a desktop or if you need a supercomputer to run it," he says. So, one summer, he tasked a team of student researchers with poring over the sentences and turning them into scripts. "I let the FBI know," he says, having both learned his lesson and wanting to get in on the game.
Peccoud later joined forces with Randall Murch, a former FBI agent and current Virginia Tech professor, and a team of colleagues from both Virginia Tech and the University of Nebraska-Lincoln, on a prototype project for the Department of Defense. They went into a lab at the University of Nebraska at Lincoln and assessed all its cyberbio-vulnerabilities. The lab develops and produces prototype vaccines, therapeutics, and prophylactic components — exactly the kind of place that you always, and especially right now, want to keep secure.
"We were creating wiki of all these nasty things."
The team found dozens of Achilles' heels, and put them in a private report. Not long after that project, the two and their colleagues wrote the paper that first used the term "cyberbiosecurity." A second paper, led by Murch, came out five months later and provided a proposed definition and more comprehensive perspective on cyberbiosecurity. But although it's now a buzzword, it's the definition, not the jargon, that matters. "Frankly, I don't really care if they call it cyberbiosecurity," says Murch. Call it what you want: Just pay attention to its tenets.
A Database of Scary Sequences
Peccoud and Murch, of course, aren't the only ones working to screen sequences and secure devices. At the nonprofit Battelle Memorial Institute in Columbus, Ohio, for instance, scientists are working on solutions that balance the openness inherent to science and the closure that can stop bad stuff. "There's a challenge there that you want to enable research but you want to make sure that what people are ordering is safe," says the organization's Neeraj Rao.
Rao can't talk about the work Battelle does for the spy agency IARPA, the Intelligence Advanced Research Projects Activity, on a project called Fun GCAT, which aims to use computational tools to deep-screen gene-sequence orders to see if they pose a threat. It can, though, talk about a twin-type internal project: ThreatSEQ (pronounced, of course, "threat seek").
The project started when "a government customer" (as usual, no one will say which) asked Battelle to curate a list of dangerous toxins and pathogens, and their genetic sequences. The researchers even started tagging sequences according to their function — like whether a particular sequence is involved in a germ's virulence or toxicity. That helps if someone is trying to use synthetic biology not to gin up a yawn-inducing old bug but to engineer a totally new one. "How do you essentially predict what the function of a novel sequence is?" says Rao. You look at what other, similar bits of code do.
"We were creating wiki of all these nasty things," says Rao. As they were working, they realized that DNA manufacturers could potentially scan in sequences that people ordered, run them against the database, and see if anything scary matched up. Kind of like that plagiarism software your college professors used.
Battelle began offering their screening capability, as ThreatSEQ. When customers -- like, currently, Twist Bioscience -- throw their sequences in, and get a report back, the manufacturers make the final decision about whether to fulfill a flagged order — whether, in the analogy, to give an F for plagiarism. After all, legitimate researchers do legitimately need to have DNA from legitimately bad organisms.
"Maybe it's the CDC," says Rao. "If things check out, oftentimes [the manufacturers] will fulfill the order." If it's your aggrieved uncle seeking the virulent pathogen, maybe not. But ultimately, no one is stopping the manufacturers from doing so.
Beyond that kind of tampering, though, cyberbiosecurity also includes keeping a lockdown on the machines that make the genetic sequences. "Somebody now doesn't need physical access to infrastructure to tamper with it," says Rao. So it needs the same cyber protections as other internet-connected devices.
Scientists are also now using DNA to store data — encoding information in its bases, rather than into a hard drive. To download the data, you sequence the DNA and read it back into a computer. But if you think like a bad guy, you'd realize that a bad guy could then, for instance, insert a computer virus into the genetic code, and when the researcher went to nab her data, her desktop would crash or infect the others on the network.
Something like that actually happened in 2017 at the USENIX security symposium, an annual programming conference: Researchers from the University of Washington encoded malware into DNA, and when the gene sequencer assembled the DNA, it corrupted the sequencer's software, then the computer that controlled it.
"This vulnerability could be just the opening an adversary needs to compromise an organization's systems," Inspirion Biosciences' J. Craig Reed and Nicolas Dunaway wrote in a paper for Frontiers in Bioengineering and Biotechnology, included in an e-book that Murch edited called Mapping the Cyberbiosecurity Enterprise.
Where We Go From Here
So what to do about all this? That's hard to say, in part because we don't know how big a current problem any of it poses. As noted in Mapping the Cyberbiosecurity Enterprise, "Information about private sector infrastructure vulnerabilities or data breaches is protected from public release by the Protected Critical Infrastructure Information (PCII) Program," if the privateers share the information with the government. "Government sector vulnerabilities or data breaches," meanwhile, "are rarely shared with the public."
"What I think is encouraging right now is the fact that we're even having this discussion."
The regulations that could rein in problems aren't as robust as many would like them to be, and much good behavior is technically voluntary — although guidelines and best practices do exist from organizations like the International Gene Synthesis Consortium and the National Institute of Standards and Technology.
Rao thinks it would be smart if grant-giving agencies like the National Institutes of Health and the National Science Foundation required any scientists who took their money to work with manufacturing companies that screen sequences. But he also still thinks we're on our way to being ahead of the curve, in terms of preventing print-your-own bioproblems: "What I think is encouraging right now is the fact that we're even having this discussion," says Rao.
Peccoud, for his part, has worked to keep such conversations going, including by doing training for the FBI and planning a workshop for students in which they imagine and work to guard against the malicious use of their research. But actually, Peccoud believes that human error, flawed lab processes, and mislabeled samples might be bigger threats than the outside ones. "Way too often, I think that people think of security as, 'Oh, there is a bad guy going after me,' and the main thing you should be worried about is yourself and errors," he says.
Murch thinks we're only at the beginning of understanding where our weak points are, and how many times they've been bruised. Decreasing those contusions, though, won't just take more secure systems. "The answer won't be technical only," he says. It'll be social, political, policy-related, and economic — a cultural revolution all its own.
Are the gains from gain-of-function research worth the risks?
Scientists have long argued that gain-of-function research, which can make viruses and other infectious agents more contagious or more deadly, was necessary to develop therapies and vaccines to counter the pathogens in case they were used for biological warfare. As the SARS-CoV-2 origins are being investigated, one prominent theory suggests it had leaked from a biolab that conducted gain-of-function research, causing a global pandemic that claimed nearly 6.9 million lives. Now some question the wisdom of engaging in this type of research, stating that the risks may far outweigh the benefits.
“Gain-of-function research means genetically changing a genome in a way that might enhance the biological function of its genes, such as its transmissibility or the range of hosts it can infect,” says George Church, professor of genetics at Harvard Medical School. This can occur through direct genetic manipulation as well as by encouraging mutations while growing successive generations of micro-organism in culture. “Some of these changes may impact pathogenesis in a way that is hard to anticipate in advance,” Church says.
In the wake of the global pandemic, the pros and cons of gain-of-function research are being fiercely debated. Some scientists say this type of research is vital for preventing future pandemics or for preparing for bioweapon attacks. Others consider it another disaster waiting to happen. The Government Accounting Office issued a report charging that a framework developed by the U.S. Department of Health & Human Services (HHS) provided inadequate oversight of this potentially deadly research. There’s a movement to stop it altogether. In January, the Viral Gain-of-Function Research Moratorium Act (S. 81) was introduced into the Senate to cease awarding federal research funding to institutions doing gain-of-function studies.
While testifying before the House COVID Origins Select Committee on March 8th, Robert Redfield, former director of the U.S. Centers for Disease Control and Prevention, said that COVID-19 may have resulted from an accidental lab leak involving gain-of-function research. Redfield said his conclusion is based upon the “rapid and high infectivity for human-to-human transmission, which then predicts the rapid evolution of new variants.”
“It is a very, very, very small subset of life science research that could potentially generate a potential pandemic pathogen,” said Gerald Parker, associate dean for Global One Health at Texas A&M University.
“In my opinion,” Redfield continues, “the COVID-19 pandemic presents a case study on the potential dangers of such research. While many believe that gain-of-function research is critical to get ahead of viruses by developing vaccines, in this case, I believe that was the exact opposite.” Consequently, Redfield called for a moratorium on gain-of-function research until there is consensus about the value of such risky science.
What constitutes risky?
The Federal Select Agent Program lists 68 specific infectious agents as risky because they are either very contagious or very deadly. In order to work with these 68 agents, scientists must register with the federal government. Meanwhile, research on deadly pathogens that aren’t easily transmitted, or pathogens that are quite contagious but not deadly, can be conducted without such oversight. “If you’re not working with select agents, you’re not required to register the research with the federal government,” says Gerald Parker, associate dean for Global One Health at Texas A&M University. But the 68-item list may not have everything that could possibly become dangerous or be engineered to be dangerous, thus escaping the government’s scrutiny—an issue that new regulations aim to address.
In January 2017, the White House Office of Science and Technology Policy (OSTP) issued additional guidance. It required federal departments and agencies to follow a series of steps when reviewing proposed research that could create, transfer, or use potential pandemic pathogens resulting from the enhancement of a pathogen’s transmissibility or virulence in humans.
In defining risky pathogens, OSTP included viruses that were likely to be highly transmissible and highly virulent, and thus very deadly. The Proposed Biosecurity Oversight Framework for the Future of Science, outlined in 2023, broadened the scope to require federal review of research “that is reasonably anticipated to enhance the transmissibility and/or virulence of any pathogen” likely to pose a threat to public health, health systems or national security. Those types of experiments also include the pathogens’ ability to evade vaccines or therapeutics, or diagnostic detection.
However, Parker says that dangers of generating a pandemic-level germ are tiny. “It is a very, very, very small subset of life science research that could potentially generate a potential pandemic pathogen.” Since gain-of-function guidelines were first issued in 2017, only three such research projects have met those requirements for HHS review. They aimed to study influenza and bird flu. Only two of those projects were funded, according to the NIH Office of Science Policy. For context, NIH funded approximately 11,000 of the 54,000 grant applications it received in 2022.
Guidelines governing gain-of-function research are being strengthened, but Church points out they aren’t ideal yet. “They need to be much clearer about penalties and avoiding positive uses before they would be enforceable.”
What do we gain from gain-of-function research?
The most commonly cited reason to conduct gain-of-function research is for biodefense—the government’s ability to deal with organisms that may pose threats to public health.
In the era of mRNA vaccines, the advance preparedness argument may be even less relevant.
“The need to work with potentially dangerous viruses is central to our preparedness,” Parker says. “It’s essential that we know and understand the basic biology, microbiology, etc. of some of these dangerous pathogens.” That includes increasing our knowledge of the molecular mechanisms by which a virus could become a sustained threat to humans. “Knowing that could help us detect [risks] earlier,” Parker says—and could make it possible to have medical countermeasures, like vaccines and therapeutics, ready.
Most vaccines, however, aren’t affected by this type of research. Essentially, scientists hope they will never need to use it. Moreover, Paul Mango, HSS former deputy chief of staff for policy, and author of the 2022 book Warp Speed, says he believes that in the era of mRNA vaccines, the advance preparedness argument may be even less relevant. “That’s because these vaccines can be developed and produced in less than 12 months, unlike traditional vaccines that require years of development,” he says.
Can better oversight guarantee safety?
Another situation, which Parker calls unnecessarily dangerous, is when regulatory bodies cannot verify that the appropriate biosafety and biosecurity controls are in place.
Gain-of-function studies, Parker points out, are conducted at the basic research level, and they’re performed in high-containment labs. “As long as all the processes, procedures and protocols are followed and there’s appropriate oversight at the institutional and scientific level, it can be conducted safely.”
Globally, there are 69 Biosafety Level 4 (BSL4) labs operating, under construction or being planned, according to recent research from King’s College London and George Mason University for Global BioLabs. Eleven of these 18 high-containment facilities that are planned or under construction are in Asia. Overall, three-quarters of the BSL4 labs are in cities, increasing public health risks if leaks occur.
Researchers say they are confident in the oversight system for BSL4 labs within the U.S. They are less confident in international labs. Global BioLabs’ report concurs. It gives the highest scores for biosafety to industrialized nations, led by France, Australia, Canada, the U.S. and Japan, and the lowest scores to Saudi Arabia, India and some developing African nations. Scores for biosecurity followed similar patterns.
“There are no harmonized international biosafety and biosecurity standards,” Parker notes. That issue has been discussed for at least a decade. Now, in the wake of SARS and the COVID-19 pandemic, scientists and regulators are likely to push for unified oversight standards. “It’s time we got serious about international harmonization of biosafety and biosecurity standards and guidelines,” Parker says. New guidelines are being worked on. The National Science Advisory Board for Biosecurity (NSABB) outlined its proposed recommendations in the document titled Proposed Biosecurity Oversight Framework for the Future of Science.
The debates about whether gain-of-function research is useful or poses unnecessary risks to humanity are likely to rage on for a while. The public too has a voice in this debate and should weigh in by communicating with their representatives in government, or by partaking in educational forums or initiatives offered by universities and other institutions. In the meantime, scientists should focus on improving the research regulations, Parker notes. “We need to continue to look for lessons learned and for gaps in our oversight system,” he says. “That’s what we need to do right now.”
The rise of remote work is a win-win for people with disabilities and employers
Disability advocates see remote work as a silver lining of the pandemic, a win-win for adults with disabilities and the business world alike.
Any corporate leader would jump at the opportunity to increase their talent pool of potential employees by 15 percent, with all these new hires belonging to an underrepresented minority. That’s especially true given tight labor markets and CEO desires to increase headcount. Yet, too few leaders realize that people with disabilities are the largest minority group in this country, numbering 50 million.
Some executives may dread the extra investments in accommodating people’s disabilities. Yet, providing full-time remote work could suffice, according to a new study by the Economic Innovation Group think tank. The authors found that the employment rate for people with disabilities did not simply reach the pre-pandemic level by mid-2022, but far surpassed it, to the highest rate in over a decade. “Remote work and a strong labor market are helping [individuals with disabilities] find work,” said Adam Ozimek, who led the research and is chief economist at the Economic Innovation Group.
Disability advocates see this development as a silver lining of the pandemic, a win-win for adults with disabilities and the business world alike. For decades before the pandemic, employers had refused requests from workers with disabilities to work remotely, according to Thomas Foley, executive director of the National Disability Institute. During the pandemic, "we all realized that...many of us could work remotely,” Foley says. “[T]hat was disproportionately positive for people with disabilities."
Charles-Edouard Catherine, director of corporate and government relations for the National Organization on Disability, said that remote-work options had been advocated for many years to accommodate disabilities. “It’s a little frustrating that for decades corporate America was saying it’s too complicated, we’ll lose productivity, and now suddenly it’s like, sure, let’s do it.”
The pandemic opened doors for people with disabilities
Early in the pandemic, employment rates dropped for everyone, including people with disabilities, according to Ozimek’s research. However, these rates recovered quickly. In the second quarter of 2022, people with disabilities aged 25 to 54, the prime working age, are 3.5 percent more likely to be employed, compared to before the pandemic.
What about people without disabilites? They are still 1.1 percent less likely to be employed.
These numbers suggest that remote work has enabled a substantial number of people with disabilities to find and retain employment.
“We have a last-in, first-out labor market, and [people with disabilities] are often among the last in and the first out,” Ozimek says. However, this dynamic has changed, with adults with disabilities seeing employment rates recover much faster. Now, the question is whether the new trend will endure, Ozimek adds. “And my conclusion is that not only is it a permanent thing, but it’s going to improve.”
Gene Boes, president and chief executive of the Northwest Center, a Seattle organization that helps people with disabilities become more independent, confirms this finding. “The new world we live in has opened the door a little bit more…because there’s just more demand for labor.”
Long COVID disabilities put a premium on remote work
Remote work can help mitigate the impact of long COVID. The U.S. Centers for Disease Control and Prevention reports that about 19 percent of those who had COVID developed long COVID. Recent Census Bureau data indicates that 16 million working age Americans suffer from it, with economic costs estimated at $3.7 trillion.
Certainly, many of these so-called long-haulers experience relatively mild symptoms - such as loss of smell - which, while troublesome, are not disabling. But other symptoms are serious enough to be disabilities.
According to a recent study from the Federal Reserve Bank of Minneapolis, about a quarter of those with long COVID changed their employment status or working hours. That means long COVID was serious enough to interfere with work for 4 million people. For many, the issue was serious enough to qualify them as disabled.
Indeed, the Federal Reserve Bank of New York found in a just-released study that the number of individuals with disabilities in the U.S. grew by 1.7 million. That growth stemmed mainly from long COVID conditions such as fatigue and brain fog, meaning difficulties with concentration or memory, with 1.3 million people reporting an increase in brain fog since mid-2020.
Many had to drop out of the labor force due to long COVID. Yet, about 900,000 people who are newly disabled have managed to continue working. Without remote work, they might have lost these jobs.
For example, a software engineer at one of my client companies has struggled with brain fog related to long COVID. With remote work, this employee can work during the hours when she feels most mentally alert and focused, even if that means short bursts of productivity throughout the day. With flexible scheduling, she can take rests, meditate, or engage in activities that help her regain focus and energy. Without the need to commute to the office, she can save energy and time and reduce stress, which is crucial when dealing with brain fog.
In fact, the author of the Federal Reserve Bank of New York study notes that long COVID can be considered a disability under the Americans with Disability Act, depending on the specifics of the condition. That means the law can require private employers with fifteen or more staff, as well as government agencies, to make reasonable accommodations for those with long COVID. Richard Deitz, the author of this study, writes in the paper that “telework and flexible scheduling are two accommodations that can be particularly beneficial for workers dealing with fatigue and brain fog.”
The current drive to return to the office, led by many C-suite executives, may need to be reconsidered in light of legal and HR considerations. Arlene S. Kanter, director of the disability law and policy program at the Syracuse University College of Law, said that the question should depend on whether people with disabilities can perform their work well at home, as they did during Covid outbreaks. “[T]hen people with disabilities, as a matter of accommodation, shouldn’t be denied that right,” Kanter said.
Diversity benefits
But companies shouldn’t need to worry about legal regulations. It simply makes dollars and sense to expand their talent pool by 15% of an underrepresented minority. After all, extensive research shows that improving diversity boosts both decision-making and financial performance.
Companies that are offering more flexible work options have already gained significant benefits in terms of diverse hires. In its efforts to adapt to the post-pandemic environment, Meta, the owner of Facebook and Instagram, decided to offer permanent fully remote work options to its entire workforce. And according to Meta chief diversity officer Maxine Williams, the candidates who accepted job offers for remote positions were “substantially more likely” to come from diverse communities: people with disabilities, Black, Hispanic, Alaskan Native, Native American, veterans, and women. The numbers bear out these claims: people with disabilities increased from 4.7 to 6.2 percent of Meta’s employees.
Having consulted for 21 companies to help them transition to hybrid work arrangements, I can confirm that Meta’s numbers aren’t a fluke. The more my clients proved willing to offer remote work, the more staff with disabilities they recruited - and retained. That includes employees with mobility challenges. But it also includes employees with less visible disabilities, such as people with long COVID and immunocompromised people who feel reluctant to put themselves at risk of getting COVID by coming into the office.
Unfortunately, many leaders fail to see the benefits of remote work for underrepresented groups, such as those with disabilities. Some even say the opposite is true, with JP Morgan CEO Jamie Dimon claiming that returning to the office will aid diversity.
What explains this poor executive decision making? Part of the answer comes from a mental blindspot called the in-group bias. Our minds tend to favor and pay attention to the concerns of those in the group of people who seem to look and think like us. Dimon and other executives without disabilities don’t perceive people with disabilities to be part of their in-group. They thus are blind to the concerns of those with disabilities, which leads to misperceptions such as Dimon’s that returning to the office will aid diversity.
In-group bias is one of many dangerous judgment errors known as cognitive biases. They impact decision making in all life areas, ranging from the future of work to relationships.
Another relevant cognitive bias is the empathy gap. This term refers to our difficulty empathizing with those outside of our in-group. The lack of empathy combines with the blindness from the in-group bias, causing executives to ignore the feelings of employees with disabilities and prospective hires.
Omission bias also plays a role. This dangerous judgment error causes us to perceive failure to act as less problematic than acting. Consequently, executives perceive a failure to support the needs of those with disabilities as a minor matter.
Conclusion
The failure to empower people with disabilities through remote work options will prove costly to the bottom lines of companies. Not only are limiting their talent pool by 15 percent, they’re harming their ability to recruit and retain diverse candidates. And as their lawyers and HR departments will tell them, by violating the ADA, they are putting themselves in legal jeopardy.
By contrast, companies like Meta - and my clients - that offer remote work opportunities are seizing a competitive advantage by recruiting these underrepresented candidates. They’re lowering costs of labor while increasing diversity. The future belongs to the savvy companies that offer the flexibility that people with disabilities need.