Full Disclosure in Biology

The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology:

The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe it's likely that the pathogen, if it emerged in nature or were released, would trigger an influenza pandemic, quite possibly with many millions of deaths.

In a 17th floor office in the same building, virologist Ron Fouchier of Erasmus Medical Center calmly explains why his team created what he says is "probably one of the most dangerous viruses you can make"­and why he wants to publish a paper describing how they did it. Fouchier is also bracing for a media storm. After he talked to ScienceInsider yesterday, he had an appointment with an institutional press officer to chart a communication strategy.

Of course, there's value to the research:

"These studies are very important," says biodefense and flu expert Michael Osterholm, director of the Center for Infectious Disease Research and Policy at the University of Minnesota, Twin Cities. The researchers "have the full support of the influenza community," Osterholm says, because there are potential benefits for public health. For instance, the results show that those downplaying the risks of an H5N1 pandemic should think again, he says.

Knowing the exact mutations that make the virus transmissible also enables scientists to look for them in the field and take more aggressive control measures when one or more show up, adds Fouchier. The study also enables researchers to test whether H5N1 vaccines and antiviral drugs would work against the new strain.

And we know how badly this sort of security works:

Osterholm says he can't discuss details of the papers because he's an NSABB member. But he says it should be possible to omit certain key details from controversial papers and make them available to people who really need to know. "We don't want to give bad guys a road map on how to make bad bugs really bad," he says.

Posted on November 30, 2011 at 12:28 PM • 34 Comments

Comments

Glenn MaynardNovember 30, 2011 12:56 PM

Full disclosure about security bugs lets people fix the bugs, and lets customers choose to avoid software that has critical bugs too often. Full disclosure about the methodology of security attacks (eg. methods for exploiting buffer overflows) allows developers to write software and platforms more resiliant to new types of attacks.

Full disclosure about viruses doesn't have many of those properties. There are still benefits, but the costs and benefits are clearly different, so don't assume that the conclusions the computing industry has come to are automatically the correct ones for biology. Maybe in the end they are, but it's not a given.

dokuhebiNovember 30, 2011 2:04 PM

Following up on Glenn's statement, engineering a fix to a software vulnerability is generally a matter of fixing offending code, but biotechnology is not at the point where we can be assured the ability to deploy a security patch to any new virus that's released.

Matt MatolcsiNovember 30, 2011 2:09 PM

Regrettably, I cannot (yet?) patch my immune system or swap it out with a better one. I would support partial disclosure in this case.

Fred PNovember 30, 2011 2:13 PM

I'm weakly trained in Biology (roughly the equivalent of a minor, that's now dated by nearly 20 years). Here's my rough understanding:

Background:

There are 16 (or more) different types of hemagglutinins (H1-H16) used in influenza viruses. Hemagglutinins are the chemicals that bind the virus to the cell that is being infected. Presently, H1, H2, and H3 are found in human influenzas. Part of the concern about H5N1 is that it's possible that it could become the first air-transmissible influenza strain using a new type of hemagglutinin in a long time. Because it's a nearly novel feature in a virus (and hemagglutinins are what the antibodies in our immune systems attack - indeed, they are critical to the virus), our immune systems would not respond as well as they do against other strains of influenza, which means that if H5N1 ever becomes air-transmissable between humans, it could result in a nasty pandemic.

This research:
The objective of research replicating a model version of H5N1 is to figure out both if an air-transmissable version between humans is plausible, and how to defend against such strains. ferret-based research is an extremely good model because it's close to humans in terms of immune response, infectivity, etc., but also a relatively dangerous model, because it's close to humans in terms of immune response, infectivity, etc.

So the above is really the question: is the increase in our knowledge about H5N1 (and, for example, possibly making effective vaccines earlier) more valuable than the increased chance of either malicious or accidental release of this same disease, into the wild ferret population (which presumably would eventually get into the human population faster than it otherwise would)?

A lot of the answer to this question depends on the usefulness of early vaccination and the chance of this happening in and of itself. I'm afraid that my epidemiology isn't up to estimating either of these.

ScaredNovember 30, 2011 2:17 PM

So the influenza community that got laughed at for their "H5N1-pandemic cry-wolf" fiasco is developing a much more potent one that's easily transmissible?

Fred PNovember 30, 2011 2:31 PM

As far as limited disclosure is concerned, I'm not certain how that would work well. There are two things that this paper apparently has that are of interest:

1) Information about this specific virus that is air-transmissible between ferrets. This is of interest to people and organizations trying to develop a vaccine. Note that in some stages of vaccine research, samples of the virus itself may be useful - which is another risk. Also, this of interest to health authorities to track the various mutations which enable this. Now think about this for a moment - we're talking about multiple companies, a number of labs of researchers, and many governments, WHO, etc. wanting this information. That's a fairly wide spectrum of people knowing this.

2) Information about how to replicate this experiment. This is primarily of interest to epidemiology researchers. Ideally, someone else would replicate this experiment (this is common in many sciences, to reduce the chance of fraud). If this is a new and useful method to do this type of genetic testing on viruses, using this methodology could result in help creating vaccines for a number of different potentially novel viruses, not just influenza. This would involve a smaller group of people knowing the methodology at first, but if this sort of experiment is repeated numerous times, it's unlikely that it will remain a secret long-term.

Fred PNovember 30, 2011 3:00 PM

@Scared-

Over 300 people have died, and HPAI A(H5N1) (What we're usually referring to when we say H5N1) is both enzootic and panzootic. It appears to be highly virulent, and many of the usual signatures of a virus before it leaps to humans have happened.

I don't think it will become a pandemic tomorrow, next month, or even next year. However, if we want to prepare for the next virulent pandemic, there's a short list of targets we're aware of, and H5N1 is near the top of that list - it's essentially global, it can infect and kill humans, and now (apparently) a variant of it can reproduce and transmit between a fairly close human model (ferrets).

@My last comment-

#2 should be in reference to virologists, not epidemiologists

Krypt3iaNovember 30, 2011 3:12 PM

Fred has it pretty much nailed down. The concerns I have are that this research is deliberately creating anitgenic drift for research to nail down a vaccine but might instead go awry should this escape the lab. It's one thing to have the drift happen in the wild.. Quite another to be manufacturing it and then publishing for all to see.

My experience with BSL4 labs in the past has seen some bad slips in security in the past so I am not all that comfortable with this being so much in the news as it may attract the wrong kind of attention. Fouchier is working toward a good goal, but one has to ask the questions on how we are going about it.
K.

JessicaNovember 30, 2011 4:33 PM

I've had time to think about this, and I'm pretty sure that full disclosure would be good. It's highly ineffective as a bioweapon, since it'd also kill everyone you were fighting for, and there aren't people (that I know of) that just want to destroy all of humanity.

I agree that the highest risk is it being released by accident, which I still think is very minimal.If you have the lab tech to actually make it, you're also going to have protocols in place to prevent its release.

It's too complicated to be made in someone's basement, and if someone is evil enough and has the resources, them withholding the information isn't really going to matter.

Does anyone have a list of deadly bio stuff that have accidentally escaped labs? Curious as to what the risk actually is.

JayFromBKKNovember 30, 2011 10:43 PM

Simply announcing that it's possible might not be such a good idea. It tells a potential malefactor that the goal is achievable, and there are enough public resources describing funding to get the project cost right to within less than an order of magnitude.

Kevin CantuNovember 30, 2011 10:47 PM

Vincent Racaniello, Alan Dove, and Rich Condit spent some time deflating this bubble, here:
http://www.twiv.tv/2011/11/27/...

Their basic points:
(1) ferrets are not humans,
(2) this technique is commonly used to make _weaker_ viruses,
(3) bio-security through obscurity is foolish.

This research is being over hyped: publish it and let's talk about the facts.

rogerhDecember 1, 2011 2:19 AM

Please don't tell the economists - they might see this as a cure for Europe's woes.

grumpyDecember 1, 2011 3:38 AM

I find this troubling. We had a fairly irrelevant virus (300 deaths - for to be laughink... More die every day in accidents in the US alone). Now someone has upgraded it because we have to research a vaccine against a worse form, just in case. No we don't. There's only a very slim chance that the actual mutations in nature are going to resemble those found in the lab so any vaccine against the lab-version is unlikely to be relevant. OTOH, humans being what they are they have created a very real risk because the virus may leak by accident or design. Of course, if we're lucky and the timing is right we in the rich countries are going to have a vaccine against it...

I say shoot the lot of them and burn them in their lab with all hardware and notes. This is madness of the highest order.

circusDecember 1, 2011 4:21 AM

Keyword: Biopreparat
Keyword: Pine Ridge

We harass the public researchers and forget the secret ones? Wake me up when we start talking about the big labs.

r.dyDecember 1, 2011 4:33 AM

The information about creating a genetically altered biological virus is not public. Computer vulnerabilities are usually disclosed post hoc, after the vulnerability is in the wild.

VlesDecember 1, 2011 5:16 AM

@JayFromBKK
For a moment, I thought you were talking about the bomb and the dangers of nuclear arms proliferation.

@Jessica
On risk: Terry Pratchetts law of a million-to-one chances. (million-to-one chances are dramatic enough to "crop up nine times out of ten", http://en.wikipedia.org/wiki/Discworld_(world) )

>Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.

Define "public". For one thing "the public" is no longer means all individuals in your group/bubble of trust. News in one country becomes news in another overnight.....
Musing: Maybe all instances of "public disclosure" ought to be replaced with "global disclosure"...

WinterDecember 1, 2011 6:28 AM

This research was done because it is known these ecxact things happen in nature at a high rate. It is not a question whether these mutations will happen in the wild. The question is when they will happen.

The flu is hopping between pigs, poultry, and humans all the time. Recombining in each host with other strains. This is how we get these yearly flu epidemics. Btw, these people know that if the virus escapes, they themselves and their families will die as the first victims. That helps ensuring security.

@Scared
Whenever you avert a disaster (say AIDS/SARS/Flu pandemic), people will complain that you over reacted as nothing has happened. When you do nothing, people will try to lynch you because you did nothing. In the end, your choice as a public health official is between being ridiculed and being incarcerated.

BF SkinnerDecember 1, 2011 7:41 AM

Thought this issue would come up here.

@Matt Matolcsi " I cannot (yet?) patch my immune system or swap it out "

Seems to be an argument based on end user ability. Yes for a bug YOU could take action but what about the millions of people who are consumer grade button pushers. I still get calls from people that have me telling them were to click thier mouse on a screen.

Also -- Wouldn't the software vendors make your same argument on their behalf? (Actually I think they did).

@Fred P "is the increase in our knowledge about H5N1 more valuable than the increased chance of... release of this ...disease, into the wild...?"

A good formulation of the risk equation I think.

The answer of the scientist should be Yes. Shouldn't it? The purpose of science is to create a free flow of information so that many minds can be brought to bear on a problem. In this case the known functioning and creating the ability to make the pathogen no longer function.

Of course this is the defense argument around smallpox and other bio-hazards. But these risks already exist.

A bunch of follow on ideas are rattling around for me here about knowledge being surpressed/used/owned by government/corporations but the coffee is giving me hallucinations.

LinkTheValiantDecember 1, 2011 8:24 AM

Seems to be an argument based on end user ability. Yes for a bug YOU could take action but what about the millions of people who are consumer grade button pushers. I still get calls from people that have me telling them were to click thier mouse on a screen.

I'm not sure the analogy fits. Computer software can be rewritten/swapped out by someone knowledgeable. "Human immune software" cannot be, even by our most advanced biologists, with our current level of biological understanding. To throw this back on the users seems far-fetched.

Not to mention that it's FAR easier/less expensive to gain proficiency in protecting a computer than in protecting the human body.

albatrossDecember 1, 2011 8:48 AM

I'm not an expert, but virologists make genetically modified viruses pretty routinely. Among other things, this is a common way of studying the viruses ("what does this gene do, anyway?"), studying specific biological mechanisms in cells ("what happens if I suppress expression of this gene with siRNA?"), making vaccines ("let's make an influenza virus with the same HA and NA molecules as the circulating strain, but which is adapted to grow in chicken eggs so we can manufacture it"), and all sorts of other stuff.

WinterDecember 1, 2011 8:51 AM

@Matt Matolcsi " I cannot (yet?) patch my immune system or swap it out "

Ehh, never heard of vaccination?

Was that not the whole point of the research: To be able to make a vaccine earlier?

albatrossDecember 1, 2011 8:52 AM

Just as a nitpick, you can indeed receive patches to your immune system periodically. Medical organizations like WHO and CDC, as well as state and national health departments, usually have a recommended schedule of when you should receive those patches, mostly as a child, but also before traveling to some places, and in one case, even after exposure to a particularly nasty but slow-moving virus.

ScaredDecember 1, 2011 12:41 PM

@Winter
There's a lot of people with the impression that the last flu scare had one purpose: Make sure the research labs get plenty of funding.
And the vaccine manufactures didn't mind a little public fear either....

StormcrowDecember 1, 2011 4:32 PM

I did some digging immediately after I saw the story bounced off of Slashdot.

There was a decent survey article at the Scientific American site which gave enough details of what Ron Fouchier and his team actually did, to put the issue in some perspective: What Will the Next Influenza Pandemic Look Like?.

The key passage is this one:

In the derided experiment, they let the virus itself evolve to gain that killer capacity. To do that, they put the mutated virus in the nose of one ferret; after that ferret got sick, they put infected material from the first ferret into the nose of a second. After repeating this 10 times, H5N1 became as easily transmissible as the seasonal flu.

So Fouchier's team didn't do any fancy gene-splicing to get their aerosol-contagious H5N1 strain.

All the did was "passage" their starting virus through 10 sets of ferrets in series.

This isn't exactly rocket science. In fact, it's pretty much what you can expect a virus to do by itself, when it's first starting to exploit a new host species.

There isn't any "bag" for the cat to be let out of. In fact, Old Mother Nature is probably doing this with H5N1 in Southeast Asia right now. Albeit, more slowly than Fouchier's team did at Erasmus Medical Center.

So publication isn't going to reveal much that isn't already broadly known.

And it will serve to inform everybody in public health who is paying attention that H5N1's present sluggish transmission mechanism for human infection, which mostly relies on contact with infected poultry, could crank up to serious epidemic-sustaining velocity with little or no warning. And no human intervention at all.

Matt MatolcsiDecember 1, 2011 5:06 PM

@Winter (and others):

Thanks for your response. On the one hand, you're right and I agree, we can "patch" our immune systems with vaccinations. I should've thought about that more before posting.

But, vaccines like patches take time to develop and distribute. I can imagine a scenario where someone takes the results of the research, recreates the virus themselves, and then releases it before I had a chance to protect myself through a vaccination. I think for this reason I would still only support partial disclosure.

x.y.z.December 5, 2011 2:11 AM

Disclosure rules in astronomy:

You can take a gander at how astronomers purport to deal with the occurrence of a SETI discovery.

http://www.setileague.org/general/protocol.htm

Here are excerpts:

"After concluding that the discovery appears to be credible evidence of extraterrestrial intelligence, and after informing other parties to this declaration, the discoverer should inform observers throughout the world through the Central Bureau for Astronomical Telegrams of the International Astronomical Union, and should inform the Secretary General of the United Nations in accordance with Article XI of the Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Bodies."

"All data necessary for confirmation of detection should be made available to the international scientific community through publications, meetings, conferences, and other appropriate means."

"If the evidence of detection is in the form of electromagnetic signals, the parties to this declaration should seek international agreement to protect the appropriate frequencies by exercising procedures available through the International Telecommunication Union. Immediate notice should be sent to the Secretary General of the ITU in Geneva, who may include a request to minimize transmissions on the relevant frequencies in the Weekly Circular."

"No response to a signal or other evidence of extraterrestrial intelligence should be sent until appropriate international consultations have taken place. The procedures for such consultations will be the subject of a separate agreement, declaration or arrangement."

"The SETI Committee of the International Academy of Astronautics, in coordination with Commission 51 of the International Astronomical Union, will conduct a continuing review of procedures for the detection of extraterrestrial intelligence and the subsequent handling of the data. Should credible evidence of extraterrestrial intelligence be discovered, an international committee of scientists and other experts should be established to serve as a focal point for continuing analysis of all observational evidence collected in the aftermath of the discovery, and also to provide advice on the release of information to the public"

W/ respect to the science of astronomy, the individuals who can verify a SETI signal are probably cryptographers not astronomers.

epidemicDecember 9, 2011 6:04 PM

Rotterdam would be the last place I would choose to develop a frightening bio weapon. Below sea level and estimated to be the first casualty of climate change wonder how well secured this stuff is.

Also since he just passed it through 10 generations of ferrets technically any country can do the same after capturing a bird with h1n1.

A guyDecember 15, 2011 12:48 PM

@grumpy:

Late to the party, I know, but you're making the assumption that viral mutations happen independently and spontaneously. Unfortunately, that's not always the case.

Viral mutations have been shown in the past to occur as gene swaps from two different but similar virii. For example, if a cell in a duck were to host H5N1 and, say, a more human friendly version such as H1N1, it is distinctly possible that some traits would swap between virii and a new, combined, voltron strain would be produced.

So - it's much less than "one in a million." I would go so far as to agree with other posters who have said it's "when, not if."

A guyDecember 20, 2011 2:50 PM

One more point - for the people who are up in arms about "creating" such a deadly thing and how unlikely it is to evolve naturally in the wild: It wasn't created and it effectively did evolve naturally...just not in the wild.

http://blogs.discovermagazine.com/loom/2011/12/...

In effect the researchers used the same technique that virii use to mutate on their own. So, yes - mutations are not as hard as you believe!

arnimJanuary 21, 2012 1:46 AM

And we know how badly this sort of security works: ...

The problem is that it doesn't make sense to adopt the lessons learned on full disclosure or security by obscurity from IT to biology, because in the former we have two main defence mechanisms: developing and installing patches and getting new virus signatures for our scanner.

In biology we could develop a vaccine which is a pretty good equivalent to a av-software-signature because it shows our immune system which cells should be attacked. And in both departments it's benefit is just limited to know patterns. Patching software against know bugs is much more effective because it helps against any exploit ever developed against this weakness. Sadly there's no equivalent in biology for this process except maybe mutating but that's kind of slow taking hundreds of years and painful for those failing in the evolutionary race.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..