Saturday, April 28, 2012

What Biosecurity Can Learn From Infosec

Recently there has been debate over research on the H1N1 strain of influenza. This is the strain sometimes called avian flu or bird flu. Many researchers have been studying all they can about the disease, while many researchers, institutes and governments are trying to prevent more research. The arguments on both sides are complex and nuanced, and each side has many valid points.

While I don't want to recap the entire argument, I'll try to summarize each position in a sentence or two. The pro- side believes that legitimate research will help us deal with any eventual version of the virus that can spread from human to human. The con- side believes that research makes it more likely that a very deadly strain might make its way out of the lab, or that terrorists or governments will be able to obtain a weaponized strain more quickly.

Current Situation
While public science on H1N1 may cease, the virus itself will keep evolving. Life will always experiment with new forms. Eventually one of these may be a variant of H1N1 that is successful in spreading human-to-human. That is, it finds a new evolutionary niche it can exploit.

And certainly it's to be expected that organizations currently researching biotechnology for warfare would continue. What we saw with chemical weapons in the First World War was private research done by corporations being co-opted for use by the military. Bioweapons research groups may even reduce or discontinue their work in the presence of public research, because any effective weapon is likely to be much less effective if it is well understood and can be effectively combated.

Comparison to Infosec
There has always been a lot of research on finding security vulnerabilities in software. Some researchers look for vulnerabilities so issues can be fixed. Some researchers look for vulnerabilities so they can break into systems. And so in the Infosec community we used to have discussions similar to those going on in the Biotechnology and Biosecurity community now.

That debate always used to remind me of a bad movie chase scene. When the person fleeing sees a big rock coming up quickly, he stays calm and turns at just the right angle - a near miss. When the person chasing sees it he panics and throws his arms in front of his face - a gratuitous explosion ensues.

Fortunately in the Infosec industry we have mostly moved toward the first course - staying calm and taking just the right angle. But for a while we, too, had lots of people who tried to make the rock go away by hiding from it. Many times this was software developers who reacted more violently to the legitimate research than to the criminal research! And the software developers have benefited by having much more robust and secure products.

Benefits of research and publication
Research helps in that it:
  • identifies potential issues before they are found in the wild
  • allows us to prepare for likely strains before we see them
  • lets us refine methods of doing this kind of research
  • gives us a better idea of the actual threat level - more or less severe than imagined
  • shows us indicators of what an outbreak might look like
  • shows us indicators of what an attacker might need to create a bioweapon
Publication helps in that it:
  • publicizes the fact that these risks exist and are being studied
  • attracts more scientists
  • attracts more funding
  • allows results to be peer reviewed
  • identifies those working in the field to facilitate collaboration

Alleviating fears
One fear is that the research may be co-opted by a nation state for biowarfare. But I would argue that the antidote for that is more research, not less. The same fear exists in Infosec and that's just the way we've tried to deal with it. Hundreds of people doing security research, banging away on software. They're not going to find all of the bugs, but they're likely to find quite a few of them. Looking at it from the other direction, if governments quash open, public research, the only people who will be looking for a bug will be the ones looking for a weapon. And of course you can't legislate nature not to find a virulent strain.

But as in the Infosec community, there is still a question of the right amount of disclosure. Some in both fields advocate a full disclosure stance. That is, every detail should be published as soon as it is known. Others advocate a more limited disclosure policy, publicly releasing only enough information to describe the issue and to protect against it, and releasing certain technical details only to those who will be a part of the solution to the problem.

Publishing technical details is important for a couple of reasons. First, it ensures that the results can be replicated. This part of the scientific process is critical to the reliability of the results, as well as to identifying potentially significant but unknown variables or mistakes. Second, it provides foundations upon which future scientists can improve their techniques. Process and methodological innovation are critical to the scientific process, especially in this case where nature and bioterrorists are continually improving their results.

In many minds, the biggest fear is that we do nothing. If nature or a bioweapons group creates a viable threat, our lack of preparation will doom us to a greater impact. But if we understand the H1N1 virus well then we will either have defenses in place or can quickly take action. And as previously mentioned, public research may discourage groups from trying to develop weaponized versions in the first place.

Biotechnology should be looking (particularly in the case of Avian H5N1 Influenza) to increase scientific study and publication, rather than suppress it. The more scientists who work on it and publish their results, the more likely we are to find a way to defeat both a natural and unnatural strain of the disease. But certain technical details should be limited to a smaller group who rigorously review those details to make sure legitimate researchers stay ahead of the alternatives.


Update 2012-05-07: Since I published this article, I've had some discussions and there have been some new developments.
  • First, the paper in question has been published, and Nature has written a good article explaining the circumstances around publishing the controversial article.
  • Second, I want to make clear that what I'm advocating is for Biosecurity to review our discussions and debate and apply it to their own situation. In other words, learn from our mistakes, successes and thought processes to speed up and improve their own.
  • Third, I've replaced "Biotechnology" with "Biosecurity" where it seems appropriate, in order to clarify to whom I am referring. I know Biotech spends billions and has well developed processes in place for research. Infosec ourselves can probably learn from their process.

1 comment:

Anonymous said...

H5N1, not H1N1 (=swine flu).