SCOOP: Largest Cryobank in the U.S. to Offer Ancestry Testing
Sharon Kochlany and Vanessa Colimorio's four-year-old twin girls had a classic school assignment recently: make a family tree. They drew themselves and their one-year-old brother branching off from their moms, with aunts, uncles, and grandparents forking off to the sides.
The recently-gained sovereignty of queer families stands to be lost if a consumer DNA test brings a stranger's identity out of the woodwork.
What you don't see in the invisible space between Kochlany and Colimorio, however, is the sperm donor they used to conceive all three children.
To look at a family tree like this is to see in its purest form that kinship can supersede biology—the boundaries of where this family starts and stops are clear to everyone in it, in spite of a third party's genetic involvement. This kind of self-definition has always been synonymous with LGBTQ families, especially those that rely on donor gametes (sperm or eggs) to exist.
But the world around them has changed quite suddenly: The recent consumer DNA testing boom has made it more complicated than ever for families built through reproductive technology—openly, not secretively—to maintain the strong sense of autonomy and privacy that can be crucial for their emotional security. Prospective parents and cryobanks are now mulling how best to bring a new generation of donor-conceived people into this world in a way that leaves open the choice to know more about their ancestry without obliterating an equally important choice: the right not to know about biological relatives.
For queer parents who have long fought for social acceptance, having a biological relationship to their children has been revolutionary, and using an unknown donor as a means to this end especially so. Getting help from a friend often comes with the expectation that the friend will also have social involvement in the family, which some people are comfortable with, but being able to access sperm from an unknown donor—which queer parents have only been able to openly do since the early 1980s—grants them the reproductive autonomy to create families seemingly on their own. That recently-gained sovereignty stands to be lost if a consumer DNA test brings a stranger's identity out of the woodwork.
At the same time, it's natural for donor-conceived people to want to know more about where they come from ethnically, even if they don't want to know the identity of their donor. As a donor-conceived person myself, I know my donor's self-reported ethnicity, but have often wondered how accurate it is.
Opening the Pandora's box of a consumer DNA test as a way to find out has always felt profoundly unappealing to me, however. Many people have accidentally learned they're donor-conceived by unwittingly using these tools, but I already know that about myself going in, and subsequently know I'll be connected to a large web of people whose existence I'm not interested in learning about. In addition to possibly identifying my anonymous donor, his family could also show up, along with any donor-siblings—other people with whom I share a donor. My single lesbian mom is enough for me, and the trade off to learn more about my ethnic ancestry has never seemed worth it.
In 1992, when I was born, no one was planning for how consumer DNA tests might upend or illuminate one's sense of self. But the donor community has always had to stay nimble with balancing privacy concerns and psychological well-being, so it should come as no surprise that figuring out how to do so in 2020 includes finding a way to offer ancestry insight while circumventing consumer DNA tests.
A New Paradigm
This is the rationale behind unprecedented industry news that LeapsMag can exclusively break: Within the next few weeks, California Cryobank, the largest cryobank in the country, will begin offering genetically-verified ancestry information on the free public part of every donor's anonymous profile in its database, something no other cryobanks yet offer (an exact launch date was not available at the time of publication). Currently, California Cryobank's donor profiles include a short self-reported list that might merely say, "Ancestry: German, Lebanese, Scottish."
The new information will be a report in pie chart form that details exactly what percentages of a donor's DNA come from up to 26 ethnicities—it's analogous to, but on a smaller scale than, the format offered by consumer DNA testing companies, and uses the same base technology that looks for single nucleotide polymorphisms in DNA that are associated with specific ethnicities. But crucially, because the donor takes the DNA test through California Cryobank, not a consumer-facing service, the information is not connected in a network to anyone else's DNA test. It's also taken before any offspring exist so there's no chance of revealing a donor-conceived person's identity this way.
Later, when a donor-conceived person is born, grows up, and wants information about their ethnicity from the donor side, all they need is their donor's anonymous ID number to look it up. The donor-conceived person never takes a genetic test, and therefore also can't accidentally find donor siblings this way. People who want to be connected to donor siblings can use a sibling registry where other people who want to be found share donor ID numbers and look for matches (this is something that's been available for decades, and remains so).
"With genetic testing, you have no control over who reaches out to you, and at what point in your life."
California Cryobank will require all new donors to consent to this extra level of genetic testing, setting a new standard for what information prospective parents and donor-conceived people can expect to have. In the immediate, this information will be most useful for prospective parents looking for donors with specific backgrounds, possibly ones similar to their own.
It's a solution that was actually hiding in plain sight. Two years ago, California Cryobank's partner Sema4, the company handling the genetic carrier testing that's used to screen for heritable diseases, started analyzing ethnic data in its samples. That extra information was being collected because it can help calculate a more accurate assessment of genetic risks that run in certain populations—like Ashkenazi Jews and Tay Sachs disease—than relying on oral family histories. Shortly after a plan to start collecting these extra data, Jamie Shamonki, chief medical officer of California Cryobank, realized the companies would be sitting on a goldmine for a different reason.
"I didn't want to use one of these genetic testing companies like Ancestry to accomplish this," says Shamonki. "The whole thing we're trying to accomplish is also privacy."
Consumer-facing DNA testing companies are not HIPAA compliant (whereas Sema4, which isn't direct-to-consumer, is HIPAA compliant), which means there are no legal privacy protections covering people who add their DNA to these databases. Although some companies, like 23andMe, allow users to opt-out of being connected with genetic relatives, the language can be confusing to navigate, requires a high level of knowledge and self-advocacy on the user's part, and, as an opt-out system, is not set up to protect the user from unwanted information by default; many unwittingly walk right into such information as a result.
Additionally, because consumer-facing DNA testing companies operate outside the legal purview that applies to other health care entities, like hospitals, even a person who does opt-out of being linked to genetic relatives is not protected in perpetuity from being re-identified in the future by a change in company policy. The safest option for people with privacy concerns is to stay out of these databases altogether.
For California Cryobank, the new information about donor heritage won't retroactively be added to older profiles in the system, so donor-conceived people who already exist won't benefit from the ancestry tool, but it'll be the new standard going forward. The company has about 500 available donors right now, many of which have been in their registry for a while; about 100 of those donors, all new, will have this ancestry data on their profiles.
Shamonki says it has taken about two years to get to the point of publicly including ancestry information on a donor's profile because it takes about nine months of medical and psychological screening for a donor to go from walking through the door to being added to their registry. The company wanted to wait to launch until it could offer this information for a significant number of donors. As more new donors come online under the new protocol, the number with ancestry information on their profiles will go up.
For Parents: An Unexpected Complication
While this change will no doubt be welcome progress for LGBTQ families contemplating parenthood, it'll never be possible to put this entire new order back in the box. What are such families who already have donor-conceived children losing in today's world of widespread consumer genetic testing?
Kochlany and Colimorio's twins aren't themselves much older than the moment at-home DNA testing really started to take off. They were born in 2015, and two years later the industry saw its most significant spike. By now, more than 26 million people's DNA is in databases like 23andMe and Ancestry; as a result, it's estimated that within a year, 90 percent of Americans of European descent will be identifiable through these consumer databases, by way of genetic third cousins, even if they didn't want to be found and never took the test themselves. This was the principle behind solving the Golden State Killer cold case.
The waning of privacy through consumer DNA testing fundamentally clashes with the priorities of the cyrobank industry, which has long sought to protect the privacy of donor-conceived people, even as open identification became standard. Since the 1980s, donors have been able to allow their identity to be released to any offspring who is at least 18 and wants the information. Lesbian moms pushed for this option early on so their children—who would obviously know they couldn't possibly be the biological product of both parents—would never feel cut off from the chance to know more about themselves. But importantly, the openness is not a two-way street: the donors can't ever ask for the identities of their offspring. It's the latter that consumer DNA testing really puts at stake.
"23andMe basically created the possibility that there will be donors who will have contact with their donor-conceived children, and that's not something that I think the donor community is comfortable with," says I. Glenn Cohen, director of Harvard Law School's Center for Health Law Policy, Biotechnology & Bioethics. "That's about the donor's autonomy, not the rearing parents' autonomy, or the donor-conceived child's autonomy."
Kochlany and Colimorio have an open identification donor and fully support their children reaching out to California Cryobank to get more information about him if they want to when they're 18, but having a singular name revealed isn't the same thing as having contact, nor is it the same thing as revealing a web of dozens of extended genetic relations. Their concern now is that if their kids participate in genetic testing, a stranger—someone they're careful to refer to as only "the donor" and never "dad"—will reach out to the children to begin some kind of relationship. They know other people who are contemplating giving their children DNA tests, and feel staunchly that it wouldn't be right for their family.
"With genetic testing, you have no control over who reaches out to you, and at what point in your life," Kochlany says. "[People] reaching out and trying to say, 'Hey I know who your dad is' throws a curveball. It's like, 'Wait, I never thought I had a dad.' It might put insecurities in their minds."
"We want them to have the opportunity to choose whether or not they want to reach out," Colimorio adds.
Kochlany says that when their twins are old enough to start asking questions, she and Colimorio plan to frame it like this: "The donor was kind of like a technology that helped us make you a person, and make sure that you exist," she says, role playing a conversation with their kids. "But it's not necessarily that you're looking to this person [for] support or love, or because you're missing a piece."
It's a line in the sand that's present even for couples still far off from conceiving. When Mallory Schwartz, a film and TV producer in Los Angeles, and Lauren Pietra, a marriage and family therapy associate (and Shamonki's step-daughter), talk about getting married someday, it's a package deal with talking about how they'll approach having kids. They feel there are too many variables and choices to make around family planning as a same-sex couple these days to not have those conversations simultaneously. Consumer DNA databases are already on their minds.
"It frustrates me that the DNA databases are just totally unregulated," says Schwartz. "I hope they are by the time we do this. I think everyone deserves a right to privacy when making your family [using a sperm donor]."
"I wouldn't want to create a world where people who are donor-conceived feel like they can't participate in this technology because they're trying to shut out [other] information."
On the prospect of having a donor relation pop up non-consensually for a future child, Pietra says, "I don't like it. It would be really disappointing if the child didn't want [contact], and unfortunately they're on the receiving end."
You can see how important preserving the right to keep this door closed is when you look at what's going on at The Sperm Bank of California. This pioneering cryobank was the first in the world to openly serve LGBTQ people and single women, and also the first to offer the open identification option when it opened in 1982, but not as many people are asking for their donor's identity as expected.
"We're finding a third of young people are coming forward for their donor's identity," says Alice Ruby, executive director. "We thought it would be a higher number." Viewed the other way, two-thirds of the donor-conceived people who could ethically get their donor's identity through The Sperm Bank of California are not asking the cryobank for it.
Ruby says that part of what historically made an open identification program appealing, rather than invasive or nerve-wracking, is how rigidly it's always been formatted around mutual consent, and protects against surprises for all parties. Those [donor-conceived people] who wanted more information were never barred from it, while those who wanted to remain in the dark could. No one group's wish eclipsed the other's. The potential breakdown of a system built around consent, expectations, and respect for privacy is why unregulated consumer DNA testing is most concerning to her as a path for connecting with genetic relatives.
For the last few decades in cryobanks around the world, the largest cohort of people seeking out donor sperm has been lesbian couples, followed by single women. For infertile heterosexual couples, the smallest client demographic, Ruby says donor sperm offers a solution to a medical problem, but in contrast, it historically "provided the ability for [lesbian] couples and single moms to have some reproductive autonomy." Yes, it was still a solution to a biological problem, but it was also a solution to a social one.
The Sperm Bank of California updated its registration forms to include language urging parents, donor-conceived people, and donors not to use consumer DNA tests, and to go through the cryobank if they, understandably, want to learn more about who they're connected to. But truthfully, there's not much else cryobanks can do to protect clients on any side of the donor transaction from surprise contact right now—especially not from relatives of the donor who may not even know someone in their family has donated sperm.
A Tricky Position
Personally, I've known I was donor-conceived from day one. It has never been a source of confusion, angst, or curiosity, and in fact has never loomed particularly large for me in any way. I see it merely as a type of reproductive technology—on par with in vitro fertilization—that enabled me to exist, and, now that I do exist, is irrelevant. Being confronted with my donor's identity or any donor siblings would make this fact of my conception bigger than I need it to be, as an adult with a full-blown identity derived from all of my other life experiences. But I still wonder about the minutiae of my ethnicity in much the same way as anyone else who wonders, and feel there's no safe way for me to find out without relinquishing some of my existential independence.
The author and her mom in spring of 1998.
"People obviously want to participate in 23andMe and Ancestry because they're interested in knowing more about themselves," says Shamonki. "I wouldn't want to create a world where people who are donor-conceived feel like they can't participate in this technology because they're trying to shut out [other] information."
After all, it was the allure of that exact conceit—knowing more about oneself—that seemed to magnetically draw in millions of people to these tools in the first place. It's an experience that clearly taps into a population-wide psychic need, even—perhaps especially—if one's origins are a mystery.
Earlier this year, biotech company Moderna broke world records for speed in vaccine development. Their researchers translated the genetic code of the coronavirus into a vaccine candidate in just 42 days.
We're about to expand our safety data in Phase II.
Phase I of the clinical trial started in Seattle on March 16th, with the already-iconic image of volunteer Jennifer Haller calmly receiving the very first dose.
Instead of traditional methods, this vaccine uses a new -- and so far unproven -- technology based on synthetic biology: It hijacks the software of life – messenger RNA – to deliver a copy of the virus's genetic sequence into cells, which, in theory, triggers the body to produce antibodies to fight off a coronavirus infection.
U.S. National Institute of Allergy and Infectious Diseases Director Anthony Fauci called the vaccine's preclinical data "impressive" and told National Geographic this week that a vaccine could be ready for general use as early as January.
The Phase I trial has dosed 45 healthy adults. Phase II trials are about to start, enrolling around 600 adults. Pivotal efficacy trials would follow soon thereafter, bankrolled in collaboration with the government office BARDA (Biomedical Advanced Research and Development Authority).
Today, the chief medical officer of Moderna, Tal Zaks, answered burning questions from the public in a webinar hosted by STAT. Here's an edited and condensed summary of his answers.
1) When will a vaccine become available?
We expect to have data in early summer about the antibody levels from our mRNA vaccine. At the same time, we can measure the antibody levels of people who have had the disease, and we should be able to measure the ability of those antibodies to prevent disease.
We will not yet know if the mRNA vaccine works to prevent disease, but we could soon talk about a potential for benefit. We don't yet know about risk. We're about to expand our safety data in Phase II.
In the summer, there is an expectation that we will be launching pivotal trials, in collaboration with government agencies that are helping fund the research. The trials would be launched with the vaccine vs. a placebo with the goal of establishing: How many cases can we show we prevented with the vaccine?
This is determined by two factors: How big is the trial? And what's the attack rate in the population we vaccinate? The challenge will be to vaccinate in the areas where the risk of infection is still high in the coming months, and we're able to vaccinate and demonstrate fewer infections compared to a placebo. If the disease is happening faster in a given area, you will be able to see an outcome faster. Potentially by the end of the year, we will have the data to say if the vaccine works.
Will that be enough for regulatory approval? The main question is: When will we cross the threshold for the anticipated benefit of a presumed vaccine to be worth the risk?
There is a distinction between approval for those who need it most, like the elderly. Their unmet need and risk/benefit is not the same as it is for younger adults.
My private opinion: I don't think it's a one-size-fits-all. It will be a more measured stance.
2) Can you speed up the testing process with challenge studies, where volunteers willingly get infected?
It's a great question and I applaud the people who ask it and I applaud those signing up to do it. I'm not sure I am a huge fan, for both practical and ethical reasons. The devil is in the details. A challenge study has to show us a vaccine can prevent not just infection but prevent disease. Otherwise, how do I know the dose in the challenge study is the right dose? If you take 100 young people, 90 of them will get mild or no disease. Ten may end up in hospital and one in the ICU.
Also, the timeline. Can it let you skip Phase II of large efficacy trial? The reality for us is that we are about to start Phase II anyway. It would be months before a challenge trial could be designed. And ethically: everybody agrees there is a risk that is not zero of having very serious disease. To justify the risk, we have to be sure the benefit is worth it - that it actually shrunk the timeline. To just give us another data point, I find it hard to accept.
This technology allows us to scale up manufacturing and production.
3) What was seen preclinically in the animal models with Moderna's mRNA vaccines?
We have taken vaccines using our technology against eight different viruses, including two flu strains. In every case, in the preclinical model, we showed we could prevent disease, and when we got to antibody levels, we got the data we wanted to see. In doses of 25-100 micrograms, that usually ends up being a sweet spot where we see an effect. It's a good place as to the expectation of what we will see in Phase I trials.
4) Why is Moderna pursuing an mRNA virus instead of a traditional inactivated virus or recombinant one? This is an untried technology.
First, speed matters in a pandemic. If you have tech that can move much quicker, that makes a difference. The reason we have broken world records is that we have invested time and effort to be ready. We're starting from a platform where it's all based on synthetic biology.
Second, it's fundamental biology - we do not need to make an elaborate vaccine or stick a new virus in an old virus, or try to make a neutralizing but not binding virus. Our technology is basically mimicking the virus. All life works on making proteins through RNA. We have a biological advantage by teaching the immune system to do the right thing.
Third, this technology allows us to scale up manufacturing and production. We as a company have always seen this ahead of us. We invested in our own manufacturing facility two years ago. We have already envisioned scale up on two dimensions. Lot size and vaccines. Vaccines is the easier piece of it. If everybody gets 100 micrograms, it's not a heck of a lot. Prior to COVID, our lead program was a CMV (Cytomegalovirus) vaccine. We had envisioned launching Phase III next year. We had been already well on the path to scale up when COVID-19 caught us by surprise. This would be millions and millions of doses, but the train tracks have been laid.
5) People tend to think of vaccines as an on-off switch -- you get a vaccine and you're protected. But efficacy can be low or high (like the flu vs. measles vaccines). How good is good enough here for protection, and could we need several doses?
Probably around 50-60 percent efficacy is good enough for preventing a significant amount of disease and decreasing the R0. We will aim higher, but it's hard to estimate what degree of efficacy to prepare for until we do the trial. (For comparison, the average flu vaccine efficacy is around 50 percent.)
We anticipate a prime boost. If our immune system has never seen a virus, you can show you're getting to a certain antibody level and then remind the immune system (with another dose). A prime boost is optimal.
My only two competitors are the virus and the clock.
6) How would mutations affect a vaccine?
Coronaviruses tend to mutate the least compared to other viruses but it's entirely possible that it mutates. The report this week about those projected mutations on the spike protein have not been predicted to alter the critical antibodies.
As we scale up manufacturing, the ability to plug in a new genetic sequence and get a new vaccine out there will be very rapid.
For flu vaccine, we don't prove efficacy every year. If we get to the same place with an mRNA vaccine, we will just change the sequence and come out with a new vaccine. The path to approval would be much faster if we leverage the totality of efficacy data like we do for flu.
7) Will there be more than one vaccine and how will they be made available?
I hope so, I don't know. The path to making these available will go through a public-private partnership. It's not your typical commercial way of deploying a vaccine. But my only two competitors are the virus and the clock. We need everybody to be successful.
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.
Meet the Scientists on the Frontlines of Protecting Humanity from a Man-Made Pathogen
Jean Peccoud wasn't expecting an email from the FBI. He definitely wasn't expecting the agency to invite him to a meeting. "My reaction was, 'What did I do wrong to be on the FBI watch list?'" he recalls.
You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack.
He didn't know what the feds could possibly want from him. "I was mostly scared at this point," he says. "I was deeply disturbed by the whole thing."
But he decided to go anyway, and when he traveled to San Francisco for the 2008 gathering, the reason for the e-vite became clear: The FBI was reaching out to researchers like him—scientists interested in synthetic biology—in anticipation of the potential nefarious uses of this technology. "The whole purpose of the meeting was, 'Let's start talking to each other before we actually need to talk to each other,'" says Peccoud, now a professor of chemical and biological engineering at Colorado State University. "'And let's make sure next time you get an email from the FBI, you don't freak out."
Synthetic biology—which Peccoud defines as "the application of engineering methods to biological systems"—holds great power, and with that (as always) comes great responsibility. When you can synthesize genetic material in a lab, you can create new ways of diagnosing and treating people, and even new food ingredients. But you can also "print" the genetic sequence of a virus or virulent bacterium.
And while it's not easy, it's also not as hard as it could be, in part because dangerous sequences have publicly available blueprints. You use those blueprints for white-hat research—which is, indeed, why the open blueprints exist—or you can do the same for a black-hat attack. You could synthesize a dangerous pathogen's code on purpose, or you could unwittingly do so because someone tampered with your digital instructions. Ordering synthetic genes for viral sequences, says Peccoud, would likely be more difficult today than it was a decade ago.
"There is more awareness of the industry, and they are taking this more seriously," he says. "There is no specific regulation, though."
Trying to lock down the interconnected machines that enable synthetic biology, secure its lab processes, and keep dangerous pathogens out of the hands of bad actors is part of a relatively new field: cyberbiosecurity, whose name Peccoud and colleagues introduced in a 2018 paper.
Biological threats feel especially acute right now, during the ongoing pandemic. COVID-19 is a natural pathogen -- not one engineered in a lab. But future outbreaks could start from a bug nature didn't build, if the wrong people get ahold of the right genetic sequences, and put them in the right sequence. Securing the equipment and processes that make synthetic biology possible -- so that doesn't happen -- is part of why the field of cyberbiosecurity was born.
The Origin Story
It is perhaps no coincidence that the FBI pinged Peccoud when it did: soon after a journalist ordered a sequence of smallpox DNA and wrote, for The Guardian, about how easy it was. "That was not good press for anybody," says Peccoud. Previously, in 2002, the Pentagon had funded SUNY Stonybrook researchers to try something similar: They ordered bits of polio DNA piecemeal and, over the course of three years, strung them together.
Although many years have passed since those early gotchas, the current patchwork of regulations still wouldn't necessarily prevent someone from pulling similar tricks now, and the technological systems that synthetic biology runs on are more intertwined — and so perhaps more hackable — than ever. Researchers like Peccoud are working to bring awareness to those potential problems, to promote accountability, and to provide early-detection tools that would catch the whiff of a rotten act before it became one.
Peccoud notes that if someone wants to get access to a specific pathogen, it is probably easier to collect it from the environment or take it from a biodefense lab than to whip it up synthetically. "However, people could use genetic databases to design a system that combines different genes in a way that would make them dangerous together without each of the components being dangerous on its own," he says. "This would be much more difficult to detect."
After his meeting with the FBI, Peccoud grew more interested in these sorts of security questions. So he was paying attention when, in 2010, the Department of Health and Human Services — now helping manage the response to COVID-19 — created guidance for how to screen synthetic biology orders, to make sure suppliers didn't accidentally send bad actors the sequences that make up bad genomes.
Guidance is nice, Peccoud thought, but it's just words. He wanted to turn those words into action: into a computer program. "I didn't know if it was something you can run on a desktop or if you need a supercomputer to run it," he says. So, one summer, he tasked a team of student researchers with poring over the sentences and turning them into scripts. "I let the FBI know," he says, having both learned his lesson and wanting to get in on the game.
Peccoud later joined forces with Randall Murch, a former FBI agent and current Virginia Tech professor, and a team of colleagues from both Virginia Tech and the University of Nebraska-Lincoln, on a prototype project for the Department of Defense. They went into a lab at the University of Nebraska at Lincoln and assessed all its cyberbio-vulnerabilities. The lab develops and produces prototype vaccines, therapeutics, and prophylactic components — exactly the kind of place that you always, and especially right now, want to keep secure.
"We were creating wiki of all these nasty things."
The team found dozens of Achilles' heels, and put them in a private report. Not long after that project, the two and their colleagues wrote the paper that first used the term "cyberbiosecurity." A second paper, led by Murch, came out five months later and provided a proposed definition and more comprehensive perspective on cyberbiosecurity. But although it's now a buzzword, it's the definition, not the jargon, that matters. "Frankly, I don't really care if they call it cyberbiosecurity," says Murch. Call it what you want: Just pay attention to its tenets.
A Database of Scary Sequences
Peccoud and Murch, of course, aren't the only ones working to screen sequences and secure devices. At the nonprofit Battelle Memorial Institute in Columbus, Ohio, for instance, scientists are working on solutions that balance the openness inherent to science and the closure that can stop bad stuff. "There's a challenge there that you want to enable research but you want to make sure that what people are ordering is safe," says the organization's Neeraj Rao.
Rao can't talk about the work Battelle does for the spy agency IARPA, the Intelligence Advanced Research Projects Activity, on a project called Fun GCAT, which aims to use computational tools to deep-screen gene-sequence orders to see if they pose a threat. It can, though, talk about a twin-type internal project: ThreatSEQ (pronounced, of course, "threat seek").
The project started when "a government customer" (as usual, no one will say which) asked Battelle to curate a list of dangerous toxins and pathogens, and their genetic sequences. The researchers even started tagging sequences according to their function — like whether a particular sequence is involved in a germ's virulence or toxicity. That helps if someone is trying to use synthetic biology not to gin up a yawn-inducing old bug but to engineer a totally new one. "How do you essentially predict what the function of a novel sequence is?" says Rao. You look at what other, similar bits of code do.
"We were creating wiki of all these nasty things," says Rao. As they were working, they realized that DNA manufacturers could potentially scan in sequences that people ordered, run them against the database, and see if anything scary matched up. Kind of like that plagiarism software your college professors used.
Battelle began offering their screening capability, as ThreatSEQ. When customers -- like, currently, Twist Bioscience -- throw their sequences in, and get a report back, the manufacturers make the final decision about whether to fulfill a flagged order — whether, in the analogy, to give an F for plagiarism. After all, legitimate researchers do legitimately need to have DNA from legitimately bad organisms.
"Maybe it's the CDC," says Rao. "If things check out, oftentimes [the manufacturers] will fulfill the order." If it's your aggrieved uncle seeking the virulent pathogen, maybe not. But ultimately, no one is stopping the manufacturers from doing so.
Beyond that kind of tampering, though, cyberbiosecurity also includes keeping a lockdown on the machines that make the genetic sequences. "Somebody now doesn't need physical access to infrastructure to tamper with it," says Rao. So it needs the same cyber protections as other internet-connected devices.
Scientists are also now using DNA to store data — encoding information in its bases, rather than into a hard drive. To download the data, you sequence the DNA and read it back into a computer. But if you think like a bad guy, you'd realize that a bad guy could then, for instance, insert a computer virus into the genetic code, and when the researcher went to nab her data, her desktop would crash or infect the others on the network.
Something like that actually happened in 2017 at the USENIX security symposium, an annual programming conference: Researchers from the University of Washington encoded malware into DNA, and when the gene sequencer assembled the DNA, it corrupted the sequencer's software, then the computer that controlled it.
"This vulnerability could be just the opening an adversary needs to compromise an organization's systems," Inspirion Biosciences' J. Craig Reed and Nicolas Dunaway wrote in a paper for Frontiers in Bioengineering and Biotechnology, included in an e-book that Murch edited called Mapping the Cyberbiosecurity Enterprise.
Where We Go From Here
So what to do about all this? That's hard to say, in part because we don't know how big a current problem any of it poses. As noted in Mapping the Cyberbiosecurity Enterprise, "Information about private sector infrastructure vulnerabilities or data breaches is protected from public release by the Protected Critical Infrastructure Information (PCII) Program," if the privateers share the information with the government. "Government sector vulnerabilities or data breaches," meanwhile, "are rarely shared with the public."
"What I think is encouraging right now is the fact that we're even having this discussion."
The regulations that could rein in problems aren't as robust as many would like them to be, and much good behavior is technically voluntary — although guidelines and best practices do exist from organizations like the International Gene Synthesis Consortium and the National Institute of Standards and Technology.
Rao thinks it would be smart if grant-giving agencies like the National Institutes of Health and the National Science Foundation required any scientists who took their money to work with manufacturing companies that screen sequences. But he also still thinks we're on our way to being ahead of the curve, in terms of preventing print-your-own bioproblems: "What I think is encouraging right now is the fact that we're even having this discussion," says Rao.
Peccoud, for his part, has worked to keep such conversations going, including by doing training for the FBI and planning a workshop for students in which they imagine and work to guard against the malicious use of their research. But actually, Peccoud believes that human error, flawed lab processes, and mislabeled samples might be bigger threats than the outside ones. "Way too often, I think that people think of security as, 'Oh, there is a bad guy going after me,' and the main thing you should be worried about is yourself and errors," he says.
Murch thinks we're only at the beginning of understanding where our weak points are, and how many times they've been bruised. Decreasing those contusions, though, won't just take more secure systems. "The answer won't be technical only," he says. It'll be social, political, policy-related, and economic — a cultural revolution all its own.