By Shanon FitzGerald
Two well-told stories in the most recent issue of Wired magazine highlight complex technological and human security challenges that will remain with us for the foreseeable future. The first is, “The Full Story of the Stunning RSA Hack Can (Finally) be Told,” by Andy Greenberg. It’s about a 2011 breach at security firm RSA, which compromised master-key like information central to the firm’s secure-ID products, used by the likes of Fortune 500 clients and the Pentagon to verify employees’ identities. The second story, “The Manhattan Project,” by Geoff Manaugh and Nicola Twilley, examines the ongoing construction of the Department of Homeland Security’s new $1.25 billion lab, “the National Bio and Agro-Defense Facility,” located in Manhattan, Kansas. This facility will be used to study dangerous and contagious plant and animal pathogens at Biosafety Level 4, the highest standard for containment.
The RSA story is backward looking, even as the incident is billed as a harbinger of things to come, but with the expiry of many former RSA executives’ non-disclosure agreements on the matter, Greenberg can dive much deeper into the progression of the hack than was possible to report on at the time of its occurrence. Some of the details are rather stunning. Executives resorted to paper and in-person communications because they thought their phones had been tapped, their emails surveilled, and their offices bugged (some even claim to have discovered listening devices, of unknown origin); others were worried about long-range laser-microphone surveillance, which works by detecting vibrations on windowpanes caused by conversation–so they covered their office windows with layers of butcher paper. This paranoia confirms that the Chinese state-sponsored hackers were in deep alright (although how deep exactly no-one knows), and as one employee put it, the firm was forced to act for years afterward on the assumption that the attack was still ongoing. The existence of malicious backdoors was taken as a given once the front gates had been so spectacularly, yet subtly, breached. Summing up the situation, one former RSA executive said it was “a glimpse of just how fragile the world is,” and a reminder that even the best security features often amount to little more than “a house of cards during a tornado warning.”
This takeaway becomes even more sobering when applied to the second story, about the new bio and agro-defense lab being built on the plains of Kansas. The logic for the new facility goes something like this: We (the United States, the West) are reliant on the global food supply chain, within which concentrated animal feedlots and monocrop fields are significant—you might even say foundational—links. Given the limited genetic diversity of mass-production crops, cows, pigs, chickens, and other plants and animals, and the limited (if at all present) security at many of the facilities where these things are grown and raised and processed en masse, in the eyes of Homeland Security the food production network is rife with “soft targets.” Certain terrorist organizations have in the past expressed interest in attacking these soft targets (at least according to reports of materials seized in Afghanistan and Syria), possibly through the introduction into animal populations of nasty and effective pathogens such as the virus that causes foot-and-mouth disease. Thus the new, ostensibly ultra-secure facility will serve to study such harmful pathogens (both in advance of, and in response to their release, should that ever occur) and to come up with ways to stop them. That is, without bringing in police and military units for a mass destruction of infected populations… a la the UK in 2001, when six million sheep, pigs, and cattle had to be put down to quell an outbreak of foot-and-mouth disease caused by contaminated, illegally-imported pork being fed to pigs.
Some have criticized the construction of the new bio-defense facility on two main fronts: it is near significant portions of the nation’s agriculture and mass husbandry operations, so an accidental release could unleash costly havoc with relative ease, and the site is in an area prone to super-strong tornados. But the design has been “hardened” to withstand even the most punishing weather events, and the decontamination and containment processes are said to be world-class. For instance, a researcher working in the facility can move through it only in one direction; same with the animals; there is no “going back” without going through total decontamination, which involves for humans a series of chemical and normal showers inside a personal airlock. “Constant training” and a “buddy system” will also be in place to, at least in theory, prevent lapses in protocol. (A lingering criticism raised by the authors centers on varying risk estimates of how likely a willful violation of the safety rules might be.)
As for the non-human component, redundancies are also in place. “Thermal tissue autoclaves”—described as “big pressure cookers with a paddle inside” —will produce out of lab animal carcasses “a kind of tissue smoothie” that, while actually sterile enough to be used as fertilizer, will instead be incinerated in 55-gallon drums, again out of an abundance of caution.
Yes, caution seems to haunt the minds of those designing this facility and others in its class. The question is, will an abundance of caution be enough to keep the lab secure? Certainly I join many others in hoping so, but then again, hope alone doesn’t count for much when trying to contain dangerous pathogens. Lately I have wondered about the degree to which we humans ought to be regularly interacting with them in laboratories at all, particularly when the aim is anything like “gain of function.” Pre-emptive study and modification are bound up with the risk of accidental release, and it’s not clear to me that the possible value of the former outweighs the decidedly negative consequences of the latter. But if such research is going to take place, competent institutional and facilities design offer a better foundation than wishful thinking, hope, or naïve faith in the competence of scientific researchers. It should also be remembered that human behavior, accidental and intentional, can throw wrenches into the gears of even the most fine-tuned of plans.
At the same time, this is a complex problem being worked on by lots of smart people, from the public and private sectors, who understand the stakes. Theoretically incentives are aligned such that the designers, builders, managers, and employees of the facility all have an interest in minimizing the possibility of a leak or accident ever occurring. None of them would look good, and perhaps all of them would be on the hook, if such an incident were to take place. There are several more security and design features discussed in the article that I won’t get into here (such as the prohibition on lab workers keeping personal chickens), and I should stress that in my opinion (and seemingly also that of the article authors) the facility will do a much better job than the current US alternative, a place built in the 50s called Plum Island (which is not even BSL-4 and cannot handle large livestock). But that doesn’t mean that there won’t be problems, and unlike Plum Island, New York, Manhattan, Kansas is not surrounded by the harsh, virus-insulating ocean. Rather it exists amidst a sea of plants, animals, and people, often flowing state to state in step with the rhythms of global demand and supply.
Manaugh and Twilley’s article (not yet online as of this writing, perhaps because it’s an excerpt from a forthcoming book) doesn’t discuss this angle at any length, but I can’t help but wonder whether the designers and managers of the new Manhattan facility will keep in mind the lessons of RSA, and the slate of cyberattacks and ransomware extortions and digital security breaches that have taken place since 2011. One sentence from the article stands out in this respect. “The [lab] building has a computerized maintenance management system that all but tells the operating staff what it needs.” What could go wrong with that?
In fairness, though, problems with the agricultural animal population of America might arise well before any security incident at the new National Bio and Agro Defense Facility. Other than foot-and-mouth, the main not-yet-found-in-the-US disease that’s been under study at Plum Island is African Swine Fever, an outbreak of which DHS states would “terminate the ability of the US to export pork” (we’re the largest single-nation exporter) and take a significant chunk, in dollars and in pig lives, out of the $25 billion a year, 115-million-hog domestic pork industry. China, the largest pork producer and home to over half of the world’s population of swine, has seen an ASF outbreak reduce its total pig count by around 50% since late 2018. It could happen here, and perhaps it will. According to the USDA, “There is no treatment or vaccine available for this disease [although the FDA claims some are in development]. The only way to stop this disease is to depopulate all affected or exposed swine herds.” That’s about as unpleasant as it sounds, for pigs and for their human destroyers. Fortunately, plans are already in place to surveil domestic swine for outbreaks of the disease. Still, a modest amount of hope against the manifestation of the worst possible outcomes would not be misplaced.