Johns Hopkins APL and the BIO-ISAC hosted a tabletop exercise for experts from the public and private sectors to identify vulnerabilities, recommend mitigations and establish greater understanding of the threats unique to the bioeconomy.
Representatives from the federal government, academia and private industry convened at the Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, for a tabletop exercise to assess the nation’s preparedness for security threats unique to the bioeconomy.
In May 2023, several dozen experts in public health, policy, cyber, physical sciences and law came together to identify vulnerabilities, develop mitigation recommendations and establish a greater understanding of the extent of the threats to key biological capabilities. A report summarizing the lessons learned from the exercise was released Nov. 21.
The exercise, led by APL and the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), highlighted the complex challenges associated with identifying, characterizing and responding to threats in the bioeconomy.
The bioeconomy, a complex network of biomedical, bioindustrial and agricultural domains, is a critical component of the nation’s economy that accounts for 5-7% percent of the United States Gross Domestic Product. Vulnerabilities to national and digital security are increasingly pervasive. Recent high-profile attacks, such as the Tardigrade threat, data breaches at Dr. Reddy’s Laboratories and the EvoTec ransomware attack have brought these vulnerabilities to the attention of the industry, regulators and policymakers.
“Safeguarding the bioeconomy is an economic necessity and urgent national priority,” said Brian Haberman, an APL research scientist who led the exercise. “The tabletop exercise built on APL’s decades of work in biothreat security and brought in key stakeholders to demonstrate the monumental challenges that exist, both from threats to the bioeconomy and in developing coordinated responses to those threats.”
“We have learned through these tabletop exercises that resilience comes from practicing the key elements of preparedness and response in a safe environment — ahead of incidents,” said Whitney Zatzkin, co-founder and director of BIO-ISAC. “We will continue our efforts with partners across the public and private sectors to meet the growing challenges and threats in the field.”
Participants were guided though a hypothetical scenario that placed them at the center of decision making in response to a fictional growing domestic outbreak of a highly pathogenic virus, for which there was no licensed medical therapeutics or vaccines. At the start of the exercise, a fictional private company successfully received emergency use authorization for its vaccine.
As more information was revealed to participants through a series of modules, participants had to reckon with confidential-information leaks, manipulated databases, misinformation campaigns and potentially compromised laboratory equipment. The narrative was constructed to highlight the complex challenges associated with identifying, characterizing and responding to digital threats in the bioeconomy.
Lessons Learned
“The complexity of the response required from both the public and private sectors in a time of need is truly daunting,” said Charles Fracchia, co-founder and chairman of the board at BIO-ISAC. “This exercise highlighted the needs in mapping out authorities, establishing high-trust support networks and connecting channels for information sharing. They are critical for the safe operation and defense of the whole bioeconomy, from health and public health to biotech and agriculture.”
The exercise revealed four key areas of action to ensure a safe and secure bioeconomy: trust, awareness, responsibility and preparedness.
“The bioeconomy depends on integrity and if trust is broken at any stage, the whole system becomes compromised,” said Haberman. “Trust between a researcher and research equipment is necessary to make informed decisions; trust between the researcher’s work and a regulatory body ensures services are safe and effective; trust in the information pipeline ensures we do not run the risk of deploying ineffective countermeasures; and trust between a consumer and the science behind therapeutics is essential so the country does not run the risk of rampant disease outbreak.”
Tabletop Takeaways
The May tabletop exercise at APL revealed four key areas of action to ensure a safe and secure bioeconomy:
Trust in lab equipment performance and data is foundational to the bioeconomy. Recommendations include developing digital security standards for lab equipment, hardening waypoints at each step in the data life cycle and introducing a system of tiered levels of compliance.
Awareness of vulnerabilities, cyber and physical, and the steps for prevention and intervention are needed. Recommendations include additional exercises to strengthen intra-agency coordination and training and extending this activity to private sector companies.
Responsibility for responding to threats in the bioeconomy, and the roles for each team member, need to be defined with a process workflow, using a shared responsibility model, and teams need regular training opportunities to practice.
Preparedness is lacking and threat mitigation strategies specific to the bioeconomy need to be identified, tested, and distributed. The exercise pressed the limits of participants’ traditional threat mitigation strategies and identified the need for assessments of critical infrastructure and functions, cross-domain training and the establishment of policies and procedures for an inter-agency group to rapidly respond to threats.
For more information on the bioeconomy defense exercise and the recommendations for identifying, mitigating and recovering from threats, visit the report here.
