If biotechnology is following the steps of IT, and it seems to, then we are going about biosecurity in precisely the worst possible way.
Of the many strategies used so far to make complex programmable systems secure, most have proven useless or worse:
- Knowledge suppression (“Security through obscurity”) doesn’t work, as one of the key impacts of the IT revolution has been precisely an exponential explosion on the ability to cheaply distribute and access knowledge. If it’s useful, it’s out there, and if it’s out there, it can be reverse-engineered.
- Constraining what regular users can do doesn’t work; if the system has a backdoor or administrative mode, it will only be as secure as the (thin) shell defending it.
- Security by bureaucracy doesn’t work. Standards and processes impose their own logic on systems, which is seldom compatible with good security.
- Security by reaction doesn’t work, or at least it doesn’t as well as you’d like to. This is a subset of the above issue; the first reflex of companies and governments is to deny problems, then to shift blame internally, and only much later to do something about it. Against the threat model of contemporary technological infrastructure, they are hopelessly slow.
Not coincidentally, our approach to biosecurity so far relies on a combination of knowledge suppression, constraining regular users, bureaucracy, and reaction. As humans beings, and most living organisms, are in fact interconnected programmable biological systems even more complex and less understood than computers, it’s very likely that our biosecurity won’t work better than out IT security, and might in fact be worse.
That’s a scary thought, and because we tend to react to fear in a small set of ways, the most natural ideas to deal with it are going to be variants of the ones above, and equally unlikely to work.
What works in IT is the use of systems designed to be secure, not ex-post “secured” (the term should be considered a one-word oxymoron in computer science) systems. The problem is, of course, that we haven’t been designed, intelligently or otherwise. We have evolved, quite well adapted against certain threat models, that’s true, but there have been no hackers in nature before us. We need to do better than to plug piecemeal individual security vulnerabilities in our bodies; we need to upgrade our security architecture, from the immune system down to DNA integrity assurance, and up to the global public health network, to make it safer by design. There’s nothing in our sometimes painfully gained knowledge of complex systems that suggests there’s any other possible way.
The technical challenges of making the human system structurally safer from a biotechnological point of view are huge, but it’s just a variant of or a point of view about problems we are already fighting: cancer, aging, etc. And insofar as the main difficulty is the insane complexity of the system, that’s something we are constantly getting better at dealing with.
The main problems are political and cultural. Most incumbent institutions are historically committed to a post hoc approach (imagine if antivirus companies founded and vetted OS security research… that’s how it works now in healthcare). Even worse, there’s a strong cultural preference for the unpatched original model, regardless of its problems. Everybody wants better security, but nobody wants a more secure system.
It didn’t work in information technology, and it’s not working for biotechnology, either.