Meet the Scientists on the Frontlines of Protecting Humanity from a Man-Made Pathogen
Jean Peccoud wasn't expecting an email from the FBI. He definitely wasn't expecting the agency to invite him to a meeting. "My reaction was, 'What did I do wrong to be on the FBI watch list?'" he recalls.
You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack.
He didn't know what the feds could possibly want from him. "I was mostly scared at this point," he says. "I was deeply disturbed by the whole thing."
But he decided to go anyway, and when he traveled to San Francisco for the 2008 gathering, the reason for the e-vite became clear: The FBI was reaching out to researchers like him—scientists interested in synthetic biology—in anticipation of the potential nefarious uses of this technology. "The whole purpose of the meeting was, 'Let's start talking to each other before we actually need to talk to each other,'" says Peccoud, now a professor of chemical and biological engineering at Colorado State University. "'And let's make sure next time you get an email from the FBI, you don't freak out."
Synthetic biology—which Peccoud defines as "the application of engineering methods to biological systems"—holds great power, and with that (as always) comes great responsibility. When you can synthesize genetic material in a lab, you can create new ways of diagnosing and treating people, and even new food ingredients. But you can also "print" the genetic sequence of a virus or virulent bacterium.
And while it's not easy, it's also not as hard as it could be, in part because dangerous sequences have publicly available blueprints. You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack. You could synthesize a dangerous pathogen's code on purpose, or you could unwittingly do so because someone tampered with your digital instructions. Ordering synthetic genes for viral sequences, says Peccoud, would likely be more difficult today than it was a decade ago.
"There is more awareness of the industry, and they are taking this more seriously," he says. "There is no specific regulation, though."
Trying to lock down the interconnected machines that enable synthetic biology, secure its lab processes, and keep dangerous pathogens out of the hands of bad actors is part of a relatively new field: cyberbiosecurity, whose name Peccoud and colleagues introduced in a 2018 paper.
Biological threats feel especially acute right now, during the ongoing pandemic. COVID-19 is a natural pathogen -- not one engineered in a lab. But future outbreaks could start from a bug nature didn't build, if the wrong people get ahold of the right genetic sequences, and put them in the right sequence. Securing the equipment and processes that make synthetic biology possible -- so that doesn't happen -- is part of why the field of cyberbiosecurity was born.
The Origin Story
It is perhaps no coincidence that the FBI pinged Peccoud when it did: soon after a journalist ordered a sequence of smallpox DNA and wrote, for The Guardian, about how easy it was. "That was not good press for anybody," says Peccoud. Previously, in 2002, the Pentagon had funded SUNY Stonybrook researchers to try something similar: They ordered bits of polio DNA piecemeal and, over the course of three years, strung them together.
Although many years have passed since those early gotchas, the current patchwork of regulations still wouldn't necessarily prevent someone from pulling similar tricks now, and the technological systems that synthetic biology runs on are more intertwined — and so perhaps more hackable — than ever. Researchers like Peccoud are working to bring awareness to those potential problems, to promote accountability, and to provide early-detection tools that would catch the whiff of a rotten act before it became one.
Peccoud notes that if someone wants to get access to a specific pathogen, it is probably easier to collect it from the environment or take it from a biodefense lab than to whip it up synthetically. "However, people could use genetic databases to design a system that combines different genes in a way that would make them dangerous together without each of the components being dangerous on its own," he says. "This would be much more difficult to detect."
After his meeting with the FBI, Peccoud grew more interested in these sorts of security questions. So he was paying attention when, in 2010, the Department of Health and Human Services — now helping manage the response to COVID-19 — created guidance for how to screen synthetic biology orders, to make sure suppliers didn't accidentally send bad actors the sequences that make up bad genomes.
Guidance is nice, Peccoud thought, but it's just words. He wanted to turn those words into action: into a computer program. "I didn't know if it was something you can run on a desktop or if you need a supercomputer to run it," he says. So, one summer, he tasked a team of student researchers with poring over the sentences and turning them into scripts. "I let the FBI know," he says, having both learned his lesson and wanting to get in on the game.
Peccoud later joined forces with Randall Murch, a former FBI agent and current Virginia Tech professor, and a team of colleagues from both Virginia Tech and the University of Nebraska-Lincoln, on a prototype project for the Department of Defense. They went into a lab at the University of Nebraska at Lincoln and assessed all its cyberbio-vulnerabilities. The lab develops and produces prototype vaccines, therapeutics, and prophylactic components — exactly the kind of place that you always, and especially right now, want to keep secure.
"We were creating wiki of all these nasty things."
The team found dozens of Achilles' heels, and put them in a private report. Not long after that project, the two and their colleagues wrote the paper that first used the term "cyberbiosecurity." A second paper, led by Murch, came out five months later and provided a proposed definition and more comprehensive perspective on cyberbiosecurity. But although it's now a buzzword, it's the definition, not the jargon, that matters. "Frankly, I don't really care if they call it cyberbiosecurity," says Murch. Call it what you want: Just pay attention to its tenets.
A Database of Scary Sequences
Peccoud and Murch, of course, aren't the only ones working to screen sequences and secure devices. At the nonprofit Battelle Memorial Institute in Columbus, Ohio, for instance, scientists are working on solutions that balance the openness inherent to science and the closure that can stop bad stuff. "There's a challenge there that you want to enable research but you want to make sure that what people are ordering is safe," says the organization's Neeraj Rao.
Rao can't talk about the work Battelle does for the spy agency IARPA, the Intelligence Advanced Research Projects Activity, on a project called Fun GCAT, which aims to use computational tools to deep-screen gene-sequence orders to see if they pose a threat. It can, though, talk about a twin-type internal project: ThreatSEQ (pronounced, of course, "threat seek").
The project started when "a government customer" (as usual, no one will say which) asked Battelle to curate a list of dangerous toxins and pathogens, and their genetic sequences. The researchers even started tagging sequences according to their function — like whether a particular sequence is involved in a germ's virulence or toxicity. That helps if someone is trying to use synthetic biology not to gin up a yawn-inducing old bug but to engineer a totally new one. "How do you essentially predict what the function of a novel sequence is?" says Rao. You look at what other, similar bits of code do.
"We were creating wiki of all these nasty things," says Rao. As they were working, they realized that DNA manufacturers could potentially scan in sequences that people ordered, run them against the database, and see if anything scary matched up. Kind of like that plagiarism software your college professors used.
Battelle began offering their screening capability, as ThreatSEQ. When customers -- like, currently, Twist Bioscience -- throw their sequences in, and get a report back, the manufacturers make the final decision about whether to fulfill a flagged order — whether, in the analogy, to give an F for plagiarism. After all, legitimate researchers do legitimately need to have DNA from legitimately bad organisms.
"Maybe it's the CDC," says Rao. "If things check out, oftentimes [the manufacturers] will fulfill the order." If it's your aggrieved uncle seeking the virulent pathogen, maybe not. But ultimately, no one is stopping the manufacturers from doing so.
Beyond that kind of tampering, though, cyberbiosecurity also includes keeping a lockdown on the machines that make the genetic sequences. "Somebody now doesn't need physical access to infrastructure to tamper with it," says Rao. So it needs the same cyber protections as other internet-connected devices.
Scientists are also now using DNA to store data — encoding information in its bases, rather than into a hard drive. To download the data, you sequence the DNA and read it back into a computer. But if you think like a bad guy, you'd realize that a bad guy could then, for instance, insert a computer virus into the genetic code, and when the researcher went to nab her data, her desktop would crash or infect the others on the network.
Something like that actually happened in 2017 at the USENIX security symposium, an annual programming conference: Researchers from the University of Washington encoded malware into DNA, and when the gene sequencer assembled the DNA, it corrupted the sequencer's software, then the computer that controlled it.
"This vulnerability could be just the opening an adversary needs to compromise an organization's systems," Inspirion Biosciences' J. Craig Reed and Nicolas Dunaway wrote in a paper for Frontiers in Bioengineering and Biotechnology, included in an e-book that Murch edited called Mapping the Cyberbiosecurity Enterprise.
Where We Go From Here
So what to do about all this? That's hard to say, in part because we don't know how big a current problem any of it poses. As noted in Mapping the Cyberbiosecurity Enterprise, "Information about private sector infrastructure vulnerabilities or data breaches is protected from public release by the Protected Critical Infrastructure Information (PCII) Program," if the privateers share the information with the government. "Government sector vulnerabilities or data breaches," meanwhile, "are rarely shared with the public."
"What I think is encouraging right now is the fact that we're even having this discussion."
The regulations that could rein in problems aren't as robust as many would like them to be, and much good behavior is technically voluntary — although guidelines and best practices do exist from organizations like the International Gene Synthesis Consortium and the National Institute of Standards and Technology.
Rao thinks it would be smart if grant-giving agencies like the National Institutes of Health and the National Science Foundation required any scientists who took their money to work with manufacturing companies that screen sequences. But he also still thinks we're on our way to being ahead of the curve, in terms of preventing print-your-own bioproblems: "What I think is encouraging right now is the fact that we're even having this discussion," says Rao.
Peccoud, for his part, has worked to keep such conversations going, including by doing training for the FBI and planning a workshop for students in which they imagine and work to guard against the malicious use of their research. But actually, Peccoud believes that human error, flawed lab processes, and mislabeled samples might be bigger threats than the outside ones. "Way too often, I think that people think of security as, 'Oh, there is a bad guy going after me,' and the main thing you should be worried about is yourself and errors," he says.
Murch thinks we're only at the beginning of understanding where our weak points are, and how many times they've been bruised. Decreasing those contusions, though, won't just take more secure systems. "The answer won't be technical only," he says. It'll be social, political, policy-related, and economic — a cultural revolution all its own.
Bivalent Boosters for Young Children Are Elusive. The Search Is On for Ways to Improve Access.
It’s Theo’s* first time in the snow. Wide-eyed, he totters outside holding his father’s hand. Sarah Holmes feels great joy in watching her 18-month-old son experience the world, “His genuine wonder and excitement gives me so much hope.”
In the summer of 2021, two months after Theo was born, Holmes, a behavioral health provider in Nebraska lost her grandparents to COVID-19. Both were vaccinated and thought they could unmask without any risk. “My grandfather was a veteran, and really trusted the government and faith leaders saying that COVID-19 wasn’t a threat anymore,” she says.” The state of emergency in Louisiana had ended and that was the message from the people they respected. “That is what killed them.”
The current official public health messaging is that regardless of what variant is circulating, the best way to be protected is to get vaccinated. These warnings no longer mention masking, or any of the other Swiss-cheese layers of mitigation that were prevalent in the early days of this ongoing pandemic.
The problem with the prevailing, vaccine centered strategy is that if you are a parent with children under five, barriers to access are real. In many cases, meaningful tools and changes that would address these obstacles are lacking, such as offering vaccines at more locations, mandating masks at these sites, and providing paid leave time to get the shots.
Children are at risk
Data presented at the most recent FDA advisory panel on COVID-19 vaccines showed that in the last year infants under six months had the third highest rate of hospitalization. “From the beginning, the message has been that kids don’t get COVID, and then the message was, well kids get COVID, but it’s not serious,” says Elias Kass, a pediatrician in Seattle. “Then they waited so long on the initial vaccines that by the time kids could get vaccinated, the majority of them had been infected.”
A closer look at the data from the CDC also reveals that from January 2022 to January 2023 children aged 6 to 23 months were more likely to be hospitalized than all other vaccine eligible pediatric age groups.
“We sort of forced an entire generation of kids to be infected with a novel virus and just don't give a shit, like nobody cares about kids,” Kass says. In some cases, COVID has wreaked havoc with the immune systems of very young children at his practice, making them vulnerable to other illnesses, he said. “And now we have kids that have had COVID two or three times, and we don’t know what is going to happen to them.”
Jumping through hurdles
Children under five were the last group to have an emergency use authorization (EUA) granted for the COVID-19 vaccine, a year and a half after adult vaccine approval. In June 2022, 30,000 sites were initially available for children across the country. Six months later, when boosters became available, there were only 5,000.
Currently, only 3.8% of children under two have completed a primary series, according to the CDC. An even more abysmal 0.2% under two have gotten a booster.
Ariadne Labs, a health center affiliated with Harvard, is trying to understand why these gaps exist. In conjunction with Boston Children’s Hospital, they have created a vaccine equity planner that maps the locations of vaccine deserts based on factors such as social vulnerability indexes and transportation access.
“People are having to travel farther because the sites are just few and far between,” says Benjy Renton, a research assistant at Ariadne.
Michelle Baltes-Breitwisch, a pharmacist, and her two-year-old daughter, Charlee, live in Iowa. When the boosters first came out she expected her toddler could get it close to home, but her husband had to drive Charlee four hours roundtrip.
This experience hasn’t been uncommon, especially in rural parts of the U.S. If parents wanted vaccines for their young children shortly after approval, they faced the prospect of loading babies and toddlers, famous for their calm demeanor, into cars for lengthy rides. The situation continues today. Mrs. Smith*, a grant writer and non-profit advisor who lives in Idaho, is still unable to get her child the bivalent booster because a two-hour one-way drive in winter weather isn’t possible.
It can be more difficult for low wage earners to take time off, which poses challenges especially in a number of rural counties across the country, where weekend hours for getting the shots may be limited.
Protect Their Future (PTF), a grassroots organization focusing on advocacy for the health care of children, hears from parents several times a week who are having trouble finding vaccines. The vaccine rollout “has been a total mess,” says Tamara Lea Spira, co-founder of PTF “It’s been very hard for people to access vaccines for children, particularly those under three.”
Seventeen states have passed laws that give pharmacists authority to vaccinate as young as six months. Under federal law, the minimum age in other states is three. Even in the states that allow vaccination of toddlers, each pharmacy chain varies. Some require prescriptions.
It takes time to make phone calls to confirm availability and book appointments online. “So it means that the parents who are getting their children vaccinated are those who are even more motivated and with the time and the resources to understand whether and how their kids can get vaccinated,” says Tiffany Green, an associate professor in population health sciences at the University of Wisconsin at Madison.
Green adds, “And then we have the contraction of vaccine availability in terms of sites…who is most likely to be affected? It's the usual suspects, children of color, disabled children, low-income children.”
It can be more difficult for low wage earners to take time off, which poses challenges especially in a number of rural counties across the country, where weekend hours for getting the shots may be limited. In Bibb County, Ala., vaccinations take place only on Wednesdays from 1:45 to 3:00 pm.
“People who are focused on putting food on the table or stressed about having enough money to pay rent aren't going to prioritize getting vaccinated that day,” says Julia Raifman, assistant professor of health law, policy and management at Boston University. She created the COVID-19 U.S. State Policy Database, which tracks state health and economic policies related to the pandemic.
Most states in the U.S. lack paid sick leave policies, and the average paid sick days with private employers is about one week. Green says, “I think COVID should have been a wake-up call that this is necessary.”
Maskless waiting rooms
For her son, Holmes spent hours making phone calls but could uncover no clear answers. No one could estimate an arrival date for the booster. “It disappoints me greatly that the process for locating COVID-19 vaccinations for young children requires so much legwork in terms of time and resources,” she says.
In January, she found a pharmacy 30 minutes away that could vaccinate Theo. With her son being too young to mask, she waited in the car with him as long as possible to avoid a busy, maskless waiting room.
Kids under two, such as Theo, are advised not to wear masks, which make it too hard for them to breathe. With masking policies a rarity these days, waiting rooms for vaccines present another barrier to access. Even in healthcare settings, current CDC guidance only requires masking during high transmission or when treating COVID positive patients directly.
“This is a group that is really left behind,” says Raifman. “They cannot wear masks themselves. They really depend on others around them wearing masks. There's not even one train car they can go on if their parents need to take public transportation… and not risk COVID transmission.”
Yet another challenge is presented for those who don’t speak English or Spanish. According to Translators without Borders, 65 million people in America speak a language other than English. Most state departments of health have a COVID-19 web page that redirects to the federal vaccines.gov in English, with an option to translate to Spanish only.
The main avenue for accessing information on vaccines relies on an internet connection, but 22 percent of rural Americans lack broadband access. “People who lack digital access, or don’t speak English…or know how to navigate or work with computers are unable to use that service and then don’t have access to the vaccines because they just don’t know how to get to them,” Jirmanus, an affiliate of the FXB Center for Health and Human Rights at Harvard and a member of The People’s CDC explains. She sees this issue frequently when working with immigrant communities in Massachusetts. “You really have to meet people where they’re at, and that means physically where they’re at.”
Equitable solutions
Grassroots and advocacy organizations like PTF have been filling a lot of the holes left by spotty federal policy. “In many ways this collective care has been as important as our gains to access the vaccine itself,” says Spira, the PTF co-founder.
PTF facilitates peer-to-peer networks of parents that offer support to each other. At least one parent in the group has crowdsourced information on locations that are providing vaccines for the very young and created a spreadsheet displaying vaccine locations. “It is incredible to me still that this vacuum of information and support exists, and it took a totally grassroots and volunteer effort of parents and physicians to try and respond to this need.” says Spira.
Kass, who is also affiliated with PTF, has been vaccinating any child who comes to his independent practice, regardless of whether they’re one of his patients or have insurance. “I think putting everything on retail pharmacies is not appropriate. By the time the kids' vaccines were released, all of our mass vaccination sites had been taken down.” A big way to help parents and pediatricians would be to allow mixing and matching. Any child who has had the full Pfizer series has had to forgo a bivalent booster.
“I think getting those first two or three doses into kids should still be a priority, and I don’t want to lose sight of all that,” states Renton, the researcher at Ariadne Labs. Through the vaccine equity planner, he has been trying to see if there are places where mobile clinics can go to improve access. Renton continues to work with local and state planners to aid in vaccine planning. “I think any way we can make that process a lot easier…will go a long way into building vaccine confidence and getting people vaccinated,” Renton says.
Michelle Baltes-Breitwisch, a pharmacist, and her two-year-old daughter, Charlee, live in Iowa. Her husband had to drive four hours roundtrip to get the boosters for Charlee.
Michelle Baltes-Breitwisch
Other changes need to come from the CDC. Even though the CDC “has this historic reputation and a mission of valuing equity and promoting health,” Jirmanus says, “they’re really failing. The emphasis on personal responsibility is leaving a lot of people behind.” She believes another avenue for more equitable access is creating legislation for upgraded ventilation in indoor public spaces.
Given the gaps in state policies, federal leadership matters, Raifman says. With the FDA leaning toward a yearly COVID vaccine, an equity lens from the CDC will be even more critical. “We can have data driven approaches to using evidence based policies like mask policies, when and where they're most important,” she says. Raifman wants to see a sustainable system of vaccine delivery across the country complemented with a surge preparedness plan.
With the public health emergency ending and vaccines going to the private market sometime in 2023, it seems unlikely that vaccine access is going to improve. Now more than ever, ”We need to be able to extend to people the choice of not being infected with COVID,” Jirmanus says.
*Some names were changed for privacy reasons.
What causes aging? In a paper published last month, Dr. David Sinclair, Professor in the Department of Genetics at Harvard Medical School, reports that he and his co-authors have found the answer. Harnessing this knowledge, Dr. Sinclair was able to reverse this process, making mice younger, according to the study published in the journal Cell.
I talked with Dr. Sinclair about his new study for the latest episode of Making Sense of Science. Turning back the clock on mouse age through what’s called epigenetic reprogramming – and understanding why animals get older in the first place – are key steps toward finding therapies for healthier aging in humans. We also talked about questions that have been raised about the research.
Show links:
Dr. Sinclair's paper, published last month in Cell.
Recent pre-print paper - not yet peer reviewed - showing that mice treated with Yamanaka factors lived longer than the control group.
Dr. Sinclair's podcast.
Previous research on aging and DNA mutations.
Dr. Sinclair's book, Lifespan.
Harvard Medical School