Part 2. From natural security to neural security
Humans are fragile. For most of history we have lived with the expectation that we will loose the use of organs, and some of us limbs, as we age or suffer injury. But that is now changing. Prostheses are becoming more lifelike and more useful, and replacement organs have been used to save lives and restore function. But how robust are the replacement parts? The imminent prospect of technological restoration of human organs and limbs lost to injury or disease is cause to think carefully about increasing both our biological capabilities and our technological fragilities.
Technology fails us for many reasons. A particular object or application may be poorly designed or poorly constructed. Constituent materials may be faulty, or maintenance may be shoddy. Failure can result from inherent security flaws, which can be exploited directly by those with sufficient technical knowledge and skill. Failure can also be driven by clever and conniving exploits of the overall system that focus on its weakest link, almost always the human user, by inducing them to make a mistake or divulge critical information. Our centuries of experience and documentation of such failures should inform our thinking about the security of emerging technologies, particularly as we begin to fuse biology with electronic systems. The growing scope of biotechnology will therefore require constant reassessment of what vulnerabilities we are introducing through that expansion. Examining the course of other technologies provides some insight into the future of biology.
We carry powerful computers in our pockets, use the internet to gather information and access our finances, and travel the world in aircraft that are often piloted and landed by computers. We are told we can trust this technology with our financial information, our identities and social networks, and, ultimately, our lives. At the same time, technology is constantly shown to be vulnerable and fragile at a non-trivial rate -- resulting in identity theft, financial loss, and sometimes personal injury and death. We embrace technology despite well-understood risks; automobiles, electricity, fossil fuels, automation, and bicycles all kill people every day in predictable numbers. Yet we continue to use technology, integrating it further into multiple arenas in our lives, because we decide that the benefits outweigh risks.
Healthcare is one arena in which risks are multiplying. The IT security community has for some years been aware of network vulnerabilities in medical devices such as pacemakers and implantable defibrillators. The ongoing integration of networked medical devices in health care settings, an integration that is constantly introducing both new capabilities and new vulnerabilities, is now the focus of extensive efforts to improve security. The impending introduction of networked, semi-autonomous prostheses raises obvious similar concerns. Wi-fi enabled pacemakers and implantable defibrillators are just the start, as soon we will see bionic arms, legs, and eyes with network connections that allow performance monitoring and tuning.
Eventually, prostheses will not simply restore "human normal" capabilities, they will also augment human performance. I learned recently that DARPA explicitly chose to limit the strength of its robotic arm, but that can't last: science fiction, super robotic strength is coming. What happens when hackers get ahold of this technology? How will people begin to modify themselves and their robotic appendages? And, of course, the flip side of having enhanced physical capabilities is having enhanced vulnerabilities. By definition, tuning can improve or degrade performance, and this raises an important security question: who holds the password for your shiny new arm? Did someone remember to overwrite the factory default password? Is the new password susceptible to a dictionary attack? The future brings even more concerns. Control connections to a prosthesis are bi-directional and, as the technology improves, ever better neural interfaces will eventually jack these prostheses directly into the brain. "Tickling" a robotic limb could take on a whole new meaning, providing a means to connect various kinds of external signals to the brain in new ways.
Beyond limbs, we must also consider neural connections that serve to open entirely novel senses. It is not a great leap to envision a wide range of ensuing digital-to-neural input/output devices. These technologies are evolving at a rapid rate, and through them we are on the cusp of opening up human brains to connections with a wide range of electromechanical hardware capabilities and, indeed, all the information on the internet.
Just this week saw publication of a cochlear implant that delivers a gene therapy to auditory neurons, promoting the formation of electrical connections with the implant and thereby dramatically improving the hearing response of test animals. We are used to the idea of digital music files being converted by speakers into sound waves, which enter the brain through the ear. But the cochlear implant is basically an ethernet connection wired to your auditory nerve, which in principal means any signal can be piped into your brain. How long can it be before we see experiments with a cochlear (or other) implant that enables direct conversion of arbitrary digital information into neural signals? At that point, "hearing" might extend into every information format. So, again we must ask, who holds the password to your brain implant?
Hacking the Bionic Man
As this technology is deployed in the population it is clear that there can be no final and fixed security solution. Most phone and computer users are now all too aware that new hardware, firmware, and operating systems always introduce new kinds of risks and threats. The same will be true of prostheses. The constant rat race to chase down security holes in new products upgrades will soon extend directly into human brains. As more people are exposed to medical device vulnerabilities, security awareness and improvement must become an integrated part of medical practice. This discussion can be easily extended to potential vulnerabilities that will arise from the inevitable integration into human bodies of not just electromechanical devices, but of ever more sophisticated biological technologies. The exploration of prosthesis security, loosely defined, gives some indication of the scope of the challenge ahead.
The class of things we call prostheses will soon expand beyond electromechanical devices to encompass biological objects such as 3D printed tissues and lab-grown organs. As these cell-based therapies begin to enter human clinical trials, we must assess the security of both the therapies themselves and the means used to create and administer them. If replacement organs and tissues are generated from cells derived from donors, what vulnerabilities do the donors have? How are those donor vulnerabilities passed along to the recipients? Yes, you have an immune system that does wonders most of the time. But are your natural systems up to the task of handling the biosecurity of augmented organs?
What does security even mean in this context? In addition to standard patient work-ups, should we begin to fully sequence the genomes of donor tissues, first to identify potential known health issues, and then to build a database that can be re-queried as new genetic links to disease are discovered? Are there security holes in the 3D printers and other devices used to manipulate cells and tissues? What are the long term security implications of deploying novel therapeutic tissues in large numbers of military and civilian personnel? What are the long-term security implications of using both donor and patient tissue as seeds of induced pluripotent stem cells, or of differentiating any stem cell line for use in therapies? Do we fully understand the complement of microbes and genomes that may be present in donor samples, or lying dormant in donor genomes, or that may be introduced via laboratory procedures and instruments used to process cells for use as therapies? What is the genetic security of a modified cell line or induced pluripotent stem cell? If there is a genetic modification embedded in your replacement heart tissue, where did the new DNA come from, and are you sure you know everything that it encodes? As with information technologies, we should expect that these new biological technologies will sometimes arrive with accidental vulnerabilities; they may also come with intentionally introduced back doors. The economic motivation to create new protheses, as well as to exploit vulnerabilities, will soon introduce market competition as a factor in biosecurity.
Competition often drives perverse strategic decisions when it comes to security. Firms rush to sell hardware and software that are said to be secure, only to discover that constant updates are required to patch security holes. We are surrounded by products in endless beta. Worse yet, manufacturers have been known to sit on security holes in the naive hope that no one else will notice. Vendors sometimes appear no more literate about the security of hardware and software than are their customers. What will the world look like when eletromechanical and biological prostheses are similarly in constant states of upgrade? Who will you trust to build/print/grow a prosthesis? Are you going to place your faith in the FDA to police all these risks? (Really?) If you decide to instead place your faith in the market, how will you judge the trustworthiness of firms that sell aftermarket security solutions for your bionic leg or replacement liver?
The complexity of the task at hand is nearly overwhelming. Understanding the coming fusion of technologies will require competency in software, hardware, wetware, and security -- where are those skill sets being developed in a compatible, integrated manner? This just leads to more questions: Are there particular countries that will have a competitive advantage in this area? Are there particular countries that will be hotbeds of prosthesis malware creation and distribution?
The conception of security, whether of individuals or nation states, is going to change dramatically as we become ever more economically dependent upon the market for biological technologies. Given the spreading capability to participate and innovate in technology development, which inevitably amplifies the number and effect of vulnerabilities of all kinds, I suspect we need to re-envision at a very high level how security works.
[Coming soon: Part 3.]
Part 1. The ecosystem is the enterprise
We live in a society increasingly reliant upon the fruits of nature. We consume those fruits directly, and we cultivate them as feedstocks for fuel, industrial materials, and the threads on our backs. As a measure of our dependence, revenues in the bioeconomy are rising rapidly, demonstrating a demand for biological products that is growing much faster than the global economy as a whole.
This demand represents an enormous market pull on technology development, commercialization, and, ultimately, natural resources that serve as feedstocks for biological production. Consequently, we must assess carefully the health and longevity of those resources. Unfortunately, it is becoming ever clearer that the natural systems serving to supply our demand are under severe stress. We have been assaulting nature for centuries, with the heaviest blows delivered most recently. Nature, in the most encompassing sense of the word, has been astonishingly resilient in the face of this assault. But the accumulated damage has cracked multiple holes in ecosystems around the globe. There are very clear economic costs to this damage -- costs that compound over time -- and the cumulative damage now poses a threat to the availability of the water, farmland, and organisms we rely on to feed ourselves and our economy.
I would like to clarify that I am not predicting collapse, nor that we will run out of resources; rather, I expect new technologies to continue increasing productivity and improving the human condition. Successfully developing and deploying those technologies will, obviously, further increase our economic dependency on nature. As part of that growing dependency, businesses that participate in the bioeconomy must understand and ensure the security of feedstocks, transportation links, and end use, often at a global scale. Consequently, it behooves us to thoroughly evaluate any vulnerabilities we are building into the system so that we can begin to prepare for inevitable contingencies.
Revisiting the definition of biosecurity: from national security to natural security, and beyond
Last year John Mecklin at Bulletin of the Atomic Scientists asked me to consider the security implications of the emerging conversation (or, perhaps, collision) between synthetic biology and conservation biology. This conversation started at a meeting last April at the University of Cambridge, and is summarized in a recent article in Oryx. What I came up with for BAS was an essay that cast very broadly the need to understand threats to all of the natural systems we depend on. Quantifying the economic benefit of those systems, and the risk inherent in our dependence upon them, led me directly to the concept of natural security.
Here I want to take a stab at expanding the conversation further. Rapidly rising revenues in the bioeconomy, and the rapidly expanding scope of application, must critically inform an evolving definition of biosecurity. In other words, because economic demand is driving technology proliferation, we must continually refine our understanding of what it is that we must secure and from where threats may arise.
Biosecurity has typically been interpreted as the physical security of individuals, institutions, and the food supply in the context of threats such as toxins and pathogens. These will, of course, continue to be important concerns: new influenza strains constantly emerge to cause human and animal health concerns; the (re?)emergent PEDS virus has killed an astonishing 10% of U.S. pigs this year alone; within the last few weeks there has been an alarming uptick in the number of human cases and deaths caused by MERS. Beyond these natural threats are pathogens created by state and non-state organizations, sometimes in the name of science and preparation for outbreaks, while sometimes escaping containment to cause harm. Yet, however important these events are, they are but pieces of a biosecurity puzzle that is becoming ever more complex.
Due to the large and growing contribution of the bioeconomy, no longer are governments concerned merely with the proverbial white powder produced in a state-sponsored lab, or even in a 'cave' in Afghanistan. Because economic security is now generally included in the definition of national security, the security of crops, drug production facilities, and industrial biotech will constitute an ever more important concern. Moreover, in the U.S., as made clear by the National Strategy for Countering Biological Threats(PDF), the government has established that encouraging the development and use of biological technologies in unconventional environments (i.e., "garages and basements") is central to national security. Consequently, the concept of biosecurity must comprise the entire value chain from academics and garage innovators, through production and use, to, more traditionally, the health of crops, farm animals, and humans. We must endeavor to understand, and to buttress, fragility at every link in this chain.
Beyond the security of specific links in the bioeconomy value chain we must examine the explicit and implicit connections between them, because through our behavior we connect them. We transport organisms around the world; we actively breed plants, animals, and microbes; we create new objects with flaws; we emit waste into the world. It's really not that complicated. However, we often choose to ignore these connections because acknowledging them would require us to respect them, and consequently to behave differently. But that change in behavior must be the future of biosecurity.
From an enterprise perspective, as we rely ever more heavily on biology in our economy, so must we comprehensively define 'biosecurity' to adequately encompass relevant systems. Vulnerabilities in those systems may be introduced intentionally or accidentally. An accidental vulnerability may lie undiscovered for years, as in the case of the recently disclosed Heartbleed hole in the OpenSSL internet security protocol, until it is identified, when it becomes a threat. The risk, even in open source software, is that the vulnerability may be identified by organizations which then exploit it before it becomes widely known. This is reported to be true of the NSA's understanding and exploitation of Heartbleed at least two years in advance of its recent public announcement. Our biosecurity challenge is to carefully, and constantly, assess how the world is changing and address shortcomings as we find them. It will be a transition every bit as painful as the one we are now experiencing for hardware and software security.
(Here is Part 2.)
Scientists and engineers around the globe dream of employing biology to create new objects. The goal might be building replacement organs, electronic circuits, living houses, or cowborgs and carborgs (my favorites) that are composed of both standard electromechanical components and novel biological components. Whatever the dream, and however outlandish, we are getting closer every day.
Looking a bit further down the road, I would expect organs and tissues that have never before existed. For example, we might be able to manufacture hybrid internal organs for the cowborg that process rough biomass into renewable fuels and chemicals. Both the manufacturing process and the cowborg itself might utilize novel genetic pathways generated in DARPA's Living Foundries program. The first time I came across ideas like the cowborg was in David Brin's short story "Piecework". I've pondered this version of distributed biological manufacturing for years, pursuing the idea into microbrewing, and then to the cowborg, the economics of which I am now exploring with Steve Aldrich from bio-era.
Yet as attractive and powerful as biology is as a means for manufacturing, I am not sure it is powerful enough. Other ways that humans build things, and that we build things that build things, are likely to be part of our toolbox well into the future. Corrosion-resistant plumbing and pumps, for example, constitute very useful kit for moving around difficult fluids, and I wouldn't expect teflon to be produced biologically anytime soon. Photolithography, electrodeposition, and robotics, now emerging in the form of 3D printing, enable precise control over the position of matter, though frequently using materials and processes inimical to biology. Humans are really good at electrical and mechanical engineering, and we should build on that expertise with biological components.
Let's start with the now hypothetical cowborg. The mechanical part of a cowborg could be robotic, and could look like Big Dog, or perhaps simply a standard GPS-guided harvester, which comes standard with air conditioning and a DVD player to keep the back-up human navigation system awake. This platform would be supplemented by biological components, initially tanks of microbes, that turn raw feedstocks into complex materials and energy. Eventually, those tanks might be replaced by digestive organs and udders that produce gasoline instead of milk, where the artificial udders are enabled by advances in genetics, microbiology, and bioprinting. Realizing this vision could make biological technologies part of literally anything under the sun. In a simple but effective application along these lines, the ESA is already using "burnt bone charcoal" as a protective coating on a new solar satellite.
But there is one persistent problem with this vision: unless it is dead and processed, as in the case of the charcoal spacecraft coating, biology tends not to stay where you put it. Sometimes this will not matter, such as with many replacement transplant organs that are obviously supposed to be malleable, or with similar tissues made for drug testing. (See the recent Economist article, "Printing a bit of me", this CBS piece on Alexander Seifalian's work at University College London, and this week's remarkable news out of Anthony Atala's lab.) Otherwise, cells are usually squishy, and they tend to move around, which complicates their use in fabricating small structures that require precise positioning. So how do you use biology to build structures at the micro-scale? More specifically, how do you get biology to build the structures you want, as opposed to the structures biology usually builds?
The bioeconomy continues to emerge as a significant component of the U.S. economy. Domestic revenues from genetically modified systems are growing at approximately 15% annually, much faster than the economy as a whole. Around the world an ever larger number of countries have articulated strategies that explicitly identify biotechnology as critical to economic growth. The U.K., for example, has gone so far as to explicitly name synthetic biology as one of the "eight great technologies" that will propel economic growth and has announced more than ₤160 M (or about ₤2 per capita) for research, development, and commercialization of synthetic biology.
As I announced during a Congressional Briefing in November, the total 2012 U.S. revenues from genetically modified systems, hereafter the Genetically Modified Domestic Product (GMDP), reached at least $350 billion, the equivalent of approximately 2.5% of GDP, up from $300 billion in 2010. For comparison, according to IHS iSuppli, the 2012 global revenues for the semiconductor industry amounted to $322 billion. Remarkably, assuming a 2011-12 GDP annual growth rate of 2.5%, the two year, $50 billion increase in GMDP accounted for almost 7% of total U.S. GDP growth.
Due to differences in regulatory structure, financing, and, consequently, pace of development and commercialization across the industry, the GMDP naturally breaks down into the sub-sectors of biotech drugs (biologics), GM crops, and industrial biotechnology.
In 2012, global revenues from biologics reached $125 billion. In the U.S., domestic revenues from biologics reached more nearly $100 billion, although this figure includes $28 billion in revenues accruing to companies such as Genentech, Zymogenetics, and Genzyme that are now wholly owned by overseas entities. Domestic U.S. clinical demand for biologics rose about 5%, reaching almost $54 billion in sales in 2011, indicating that the U.S. continues to enjoy a substantial positive balance of payments by biologics sold in international markets.
In 2012, global planting of GM crops increased by 6%, reaching a total of 170 million hectares. Of the 17 million farmers chose to plant GM crops, more that 15 million were "resource poor farmers in developing countries". In the U.S., where farmers planted 40% of the total GM area, GM corn, cotton, and soy held steady at approximately 90% penetration, with GM sugar beets planted at about the 95% level. Based on average crop revenue figures compiled by the USDA, I estimate that in 2012 the combination of biotech seeds and farm-level revenues reached $125 billion in the U.S.
U.S. revenues from industrial biotech (fuels, enzymes, and materials) reached at least $125 billion in 2012. The accuracy of this estimate continues to suffer in comparison to revenues from biologics and GM crops due to the quality of available data. For the purposes of this post, I am temporarily relying on an estimate provided by Agilent Technologies, as recently described by Darlene Solomon. The internal breakdown of the $125 billion in business-to-business sales is quite interesting: $66 billion in chemicals, $30 billion in biofuels, $16 billion in biologics feedstocks, $12 billion in the food and ag, and $1 billion in emerging markets. (Agilent did not provide any greater specificity on how these areas were defined or how the numbers were derived.) As I have been predicting for several years, it appears that chemicals have eclipsed fuels as the largest component of industrial biotech revenues. Finally, note that, at the level of consumers, the ultimate economic impact of these revenues is probably larger than $125 billion.
More Work To Do
It is important to recognize that the preceding estimates are relatively inaccurate compared to those describing other parts of the U.S. economy. While I have previously estimated revenues from biopharmaceuticals ("biologics") and GM crops using corporate financial reporting and data collected by the USDA, respectively, revenues from industrial biotechnology are poorly constrained because no relevant data is gathered by the U.S. government or provided by industry (see previous reports on this topic for an in depth discussion). The Agilent numbers are a welcome additional bit of information, but we really need to have better data for, and analysis of, the GMDP in order to understand the larger impacts on our economy and society. Among other details, we need to understand the skill base, employment, and also generate historical estimates in order to sort out what the longer term trends look like. As I mentioned during my presentation at SynBioBeta in November, I am launching a new non-profit to take up this task. More on this soon.
#GMDP = Genetically Modified Domestic Product