Double-Edged DNA: Preventing the Misuse of Gene Synthesis

During the past decade, a global industry has emerged based on synthetic genomics: the use of automated machines to construct genes and other long strands of DNA by stringing together chemical building blocks called nucleotides in any desired sequence. Some 50 companies—concentrated primarily in the United States, Germany, and China—synthesize gene-length segments of double-stranded DNA to order. Scientists in government, university, and pharmaceutical laboratories worldwide use these products to study fundamental cellular processes and to develop new vaccines and medicines, among other beneficial applications. But synthetic genomics presents a dual-use dilemma in that outlaw states or terrorist groups could potentially exploit synthetic DNA for harmful purposes. Of the biotechnologies that entail dual-use risks, gene synthesis has elicited the greatest concern because of its maturity, availability, and potential consequences.

Already, the ability to synthesize long strands of DNA and stitch them together into a genome, the blueprint of an organism, has enabled scientists to recreate infectious viruses from scratch in the laboratory. This feat was accomplished for poliovirus in 2002, the Spanish influenza virus in 2005, and the SARS virus in 2008. Some analysts worry that it will soon become technically feasible to synthesize the smallpox virus, a deadly scourge that was eradicated from nature in the late 1970s and currently exists only in a few highly secure repositories.

It is critical, then, to devise effective governance measures for synthetic genomics that permit the beneficial use of this powerful technology while minimizing, if not eliminating, the risks. Some analysts contend that the best approach is to have governments impose top-down, legally binding controls. Yet formal government regulations have a number of drawbacks. Not only are regulations time-consuming and cumbersome to develop and promulgate, but they are static and hard to modify in response to rapid technological change.

A better approach is to adopt a form of “soft” governance based on voluntary guidelines or industry best practices. This type of self-regulation, involving suppliers and perhaps consumers of synthetic DNA, can be reinforced by government policies that encourage responsible behavior. Although biosecurity measures for the gene-synthesis industry are being implemented in the United States and elsewhere, these activities are not well coordinated, and continued efforts will be needed on a national and international basis to fashion an effective global regime.

A movement begins

The science behind commercial DNA synthesis may be cutting-edge, but ordering a synthetic gene over the Internet is quite straightforward. A customer—say, a university research scientist—goes to a supplier’s Website, enters the sequence of the desired gene, and provides payment information, such as a credit card number. The company then synthesizes the requested strand of DNA. After verifying that the genetic sequence is correct, the company inserts it into a loop of DNA (called an expression vector) that can be cloned in bacteria to produce a large number of copies. Finally, the order is shipped to the customer by express mail.

The worry, of course, centers on what the recipient will do with the synthetic gene. Early on, a few suppliers recognized the dual-use nature of their product and began to develop voluntary biosecurity measures to reduce the risk that criminals or terrorists could order dangerous DNA sequences over the Internet. Blue Heron Biotechnology, founded in 2001 in Bothell, Washington, was one of the first to implement such measures. Initially, the company relied exclusively on screening customers to verify their bona fides, but in the wake of 9/11 and the anthrax letter attacks, it deployed a second line of defense: screening DNA synthesis orders.

As part of this effort, Blue Heron agreed to serve as a testbed for a software package called Blackwatch, developed at Craic Computing in Seattle. Blackwatch uses a standard suite of algorithms to compare incoming synthesis orders against a database of DNA sequences of known pathogens: viruses and bacteria that cause infectious disease. If an order closely matches a genetic sequence in the database, the program flags it as a “hit.” When that happens, a human expert employed by the company assesses the security risk associated with the flagged sequence, checks the identity of the customer, verifies that the intended end-use is legitimate, and confirms that all biosafety and biosecurity concerns have been addressed.

To date Blue Heron’s screening system has detected a large number of pathogenic sequences, but follow-up review by human experts has yet to identify a customer with malicious intent. Instead, nearly all orders for pathogenic genes have involved the development of new vaccines or basic research into the molecular mechanisms of infectious disease. In July 2009, for example, the company received an order from a Japanese government laboratory for 30% of the genome of Lujo virus, a hemorrhagic fever virus that was discovered in Zambia in September 2008 and then sequenced in the United States. The lab in Japan requested two genes coding for proteins in the viral coat, presumably for vaccine development. After careful review, Blue Heron determined that the order was legitimate and proceeded to fill it.

Craic Computing is now developing an improved version of the Blackwatch software, under the working title Safeguard. This new version is expected to be better at spotting DNA sequences related to pathogenicity, such as genes coding for virulence factors (traits that increase the ability of a bacterium or virus to cause disease) or toxins (poisonous substances produced by bacteria and other living organisms). The goal of improved screening is to reduce the number of false-positive hits caused by the presence of common “housekeeping genes” in both pathogenic and nonpathogenic microbes.

By the mid-2000s, many suppliers of synthetic DNA in the United States and Europe had begun to screen sequence orders voluntarily, but the methodology varied from company to company, and a few firms resisted screening entirely. During the summer of 2006, in an effort to harmonize the inconsistent biosecurity practices in use across the industry, Blue Heron Biotechnology and six other leading gene-synthesis companies in the United States and Europe (GENEART, Codon Devices, Coda Genomics, BaseClear, Bioneer, and Integrated DNA Technologies) formed the International Consortium for Polynucleotide Synthesis to promote safety and security in the emerging field of synthetic biology. The participating firms worked closely with officials at the FBI on a pilot project called the Synthetic Biology Tripwire Initiative. In October 2007, this collaboration culminated in a mechanism by which companies could report suspicious gene-synthesis orders to the FBI. Because the industry consortium relied on volunteer labor, however, it gradually became inactive.

Meanwhile, in April 2007, a group of five German companies (ATG:biosynthetics, Biomax Informatics, Entelechon, febit Holding, and Sloning BioTechnology) formed another consortium called the International Association Synthetic Biology (IASB). A year later, the IASB held an industry workshop in Munich at which leading gene-synthesis experts from Europe and the United States discussed creating a uniform Code of Conduct for screening customers and gene-synthesis orders, based on best practices already in use by several companies. IASB members agreed that biosecurity was not an area of competition and pledged to share resources to develop a screening system that would benefit them all, while creating a level playing field. By mid-2008, they had prepared and circulated for comment a draft “Code of Conduct for Best Practices in Gene Synthesis.”

In mid-2009, however, a split emerged within the industry over the role of human experts in the screening process. The two largest suppliers of synthetic genes—DNA2.0, based in California, and GENEART, based in Germany—proposed replacing human experts with an automated system that would screen all gene-synthesis orders against a predetermined list of virulence-related sequences that would be frequently updated. Advocates of this approach argued that it would be fast and cheap to implement, with no need to pay human experts to determine the function of close matches. But the DNA2.0/GENEART proposal met with considerable resistance because it was less capable than existing screening methods, and by September 2009 its supporters had backed off. Even so, the two firms continued to pursue an alternative to the draft IASB Code of Conduct by holding a series of secret meetings with other large gene-synthesis providers.

Events continued apace. In November 2009, the IASB held a second industry workshop in Cambridge, Massachusetts, to put the finishing touches on its Code of Conduct. Companies at the workshop reached consensus on a basic set of guidelines for screening customers and gene-synthesis orders, but they delegated the details of the process to a Technical Expert Group on Biosecurity, to be established at a later date. All five members of the IASB immediately endorsed the Code of Conduct, and not long afterwards, the first non-IASB company, Generay Biotech of Shanghai, China, also adopted it. But other leading firms, including Blue Heron Biotechnology and GENEART, declined to sign on to the IASB code because they objected to putting key technical decisions in the hands of an expert group that was not directly accountable to the participating companies.

Under the IASB system, firms that adopt and comply with the Code of Conduct will receive a “seal of approval” that they can display on their Websites and use in promotional materials. The seal is designed to give these companies a competitive advantage by identifying them as reputable suppliers. Because large-volume customers such as major pharmaceutical firms are unlikely to accept the IASB seal at face value, the association plans to certify participating suppliers on an annual basis and to field complaints about alleged noncompliance. To this end, the IASB is considering a “red team” strategy in which it sends companies fake gene-synthesis orders containing pathogenic sequences in order to verify that they are screening effectively. Large scientific societies and major customers could also reinforce the standard by refusing to purchase synthetic DNA from companies that do not screen.

To complement its Code of Conduct, the IASB is preparing a Web-based, password-controlled database called the Virulence Factor Information Repository, or VIREP. This database will “annotate” the genes of viral and bacterial pathogens according to biological function, such as the proteins they encode, thereby helping human screeners to distinguish between harmless genes and those that pose a biosecurity risk. Screeners will also be able to deposit information about newly discovered virulence factors into VIREP, saving those with access to the database the trouble of repeatedly investigating the same sequences. As a result, biosecurity screening will become a dynamic process that is refined over time as additional genes associated with pathogenicity are identified.

Developments continue

Even after the IASB introduced its Code of Conduct, matters were far from settled. Two weeks after the Cambridge workshop, five leading gene-synthesis companies—GENEART, DNA2.0, Blue Heron Biotechnology, Integrated DNA Technologies, and GenScript—announced the formation of a separate industry group called the International Gene Synthesis Consortium (IGSC). The five members of IGSC, which together account for more than 80% of the global market for synthetic genes, also launched their own standard called the “Harmonized Screening Protocol for Gene Sequence and Customer Screening to Promote Biosecurity.”

The IGSC protocol provides that companies should “screen the complete DNA sequence of every synthetic gene order … against all entities found in one or more of the internationally coordinated sequence reference databanks.” Whenever this process identifies a sequence associated with pathogenicity, the order will receive further scrutiny from a human expert, including “enhanced” customer screening. IGSC member companies are currently developing a Regulated Pathogen Database that will include all gene sequences identified as potentially hazardous in several existing national lists, including the U.S. Select Agent List (which includes 82 pathogens and toxins of bioterrorism concern) and the Core Control List compiled by the Australia Group, an informal forum of 41 countries that harmonize their national export controls on dual-use materials and equipment suitable for chemical and biological weapons production.

Under the IGSC protocol, participating companies must reject all sequence orders that encode an infectious virus or a functional toxin on the Select Agent List. Whenever the screening software identifies a sequence associated with pathogenicity that does not encode an entire Select Agent, a human expert will review the order to ensure that the customer is legitimate and the material will be used only for peaceful purposes. If enhanced customer screening turns up grounds for suspicion, the IGSC protocol requires the supplier to deny the order and to notify the FBI or some other law enforcement authority. Consortium members agree to retain all customer, order, and screening records for at least eight years, the length of the statute of limitations for obtaining an indictment.

Substantively, the IGSC Harmonized Screening Protocol and the IASB Code of Conduct are remarkably similar, differing only in a few minor details. The main difference between the two industry standards is the process by which they were developed. Whereas the IASB code was drafted in an open and transparent way by all firms that wished to participate, the IGSC protocol was written in secret by a self-selected group that was limited to the suppliers with the largest market share. Thus, although the IGSC has urged all gene-synthesis providers to adopt its standard, only the member companies will have a say in how the screening system evolves in the future. For this reason, smaller U.S. and European firms worry that their interests and concerns will not be taken into account during the IGSC decision-making process.

Enter the U.S. government

In parallel with the development of the two industry screening standards, the U.S. government prepared its own set of guidelines for commercial gene synthesis. A federal advisory committee called the National Science Advisory Board for Biosecurity (NSABB) recommended in December 2006 that the government “develop and promote standards and preferred practices for screening gene-synthesis orders and interpreting the results, and require that orders be screened by providers.” Responding to this recommendation, the White House convened an interagency working group in June 2007 to develop biosecurity guidelines for the U.S. gene-synthesis industry.

Despite the NSABB’s call for legally binding regulations, the interagency group decided to develop a set of voluntary guidelines and test them for a few years to assess their effectiveness. The government took this approach partly out of concern that binding regulations would impede legitimate scientific research and put U.S. suppliers at a disadvantage vis-à-vis their foreign competitors. Another reason was that formal regulations are best suited to situations that are relatively static, whereas synthetic genomics is an emerging technology that is currently in flux both technically and commercially. Recognizing that overly flexible guidelines could permit lax or variable implementation, U.S. government officials sought a reasonable balance between flexibility and consistency.

Although there was no formal coordination between the government and industry tracks, enough discussion occurred to ensure that the two efforts were largely compatible. Finally, on November 27, 2009, the U.S. government published a draft “Screening Framework Guidance for Synthetic Double-Stranded DNA Providers” in the Federal Register and opened it up for 60 days of public comment. The proposed federal guidelines called for the simultaneous screening of new customers and orders for double-stranded DNA greater than 200 nucleotide base-pairs long.

According to the draft guidelines, customer screening involves confirming the purchaser’s identity and institutional affiliation, ensuring that it is not in a database of “denied entities” involved in terrorism or biological weapons proliferation, and verifying the intended end use. Suppliers must also look for “red flags” suggestive of illicit activity, such as the use of a post office box instead of a street address. At times, customer screening demands considerable research. In India, for example, gene-synthesis customers rely on extensive networks of distributors and middlemen, making it difficult to identify the actual end-user. One currently unresolved issue is whether gene-synthesis companies should supply synthetic DNA to researchers who lack an institutional affiliation, such as hobbyists working in home laboratories.

The primary difference between the draft U.S. government guidelines and the two industry standards is the method for screening gene-synthesis orders. In the draft federal guidelines, companies are urged to use a “Best Match” algorithm that compares requested sequences against the National Institutes of Health’s comprehensive GenBank database and flags an order if it is “more closely related to a Select Agent or Toxin sequence than to a non-Select Agent or Toxin sequence.” The U.S. government chose this approach because its primary objective was to prevent would-be bioterrorists from circumventing security controls on access to Select Agents by ordering the corresponding genetic material over the Internet.

In January 2010, the Center for Science, Technology and Security Policy at the American Association for the Advancement of Science (AAAS) held a scientific workshop in Washington, D.C., to discuss the draft federal guidelines. Participants called into question the proposed 200 base-pair cutoff for screening sequence orders on the grounds that it was arbitrary and hard to justify scientifically, and suggested instead that screening be performed on any piece of double-stranded DNA delivered in an expression vector, regardless of length. The proposed Best Match algorithm also provoked a great deal of discussion. Critics argued that although Best Match may be simple and easy for companies to implement, it is weaker than either industry standard because it cannot detect genetic sequences of pathogens and toxins of biosecurity concern that are not on the Select Agent List, such as the SARS virus or recently emerged hemorrhagic fever viruses. Indeed, although the draft federal guidelines admit that non-Select Agent sequences “may pose a biosecurity threat,” such sequences are exempted from routine screening “due to the complexity of determining pathogenicity and because research in this area is ongoing.”

The consensus of the AAAS workshop was that although automated screening using Best Match is the most practical approach for detecting genetic sequences that code for Select Agents, there is a clear need to capture a larger universe of sequences of concern. Not only are static defenses such as the Select Agent List easily circumvented, but the marginal cost of screening for pathogens and toxins outside the list is relatively low. One workshop participant warned that if the U.S. government endorses the Best Match algorithm, companies that have argued in the past for fast and cheap screening methods will almost certainly embrace this approach. In that case, other firms will follow suit to remain competitive, moving the industry toward a screening standard that is less capable than what is already practiced by most companies today.

In response to the concerns expressed at the AAAS workshop, it appears likely that the U.S. government will strengthen the draft guidelines. A possible solution to the shortcomings of the Best Match algorithm, for example, is a modified strategy that might be termed “Best Match-plus.” This approach would involve screening all gene-synthesis orders for their similarity to Select Agent sequences, flagging those of concern for further review. Then, in a follow-on process, a human screener would compare the requested sequence to a curated database of non-Select Agent sequences that pose potential security risks. Such a database might be either an annotated version of GenBank or a dedicated database of sequences known to be associated with pathogenicity. (Simply adding more pathogens to the Select Agent List would be undesirable because it could impede vital public health research. Indeed, the SARS virus was deliberately kept off the list for that reason.)

Some workshop participants also argued that the screening software should be open source, meaning that the programming code would be freely available. The advantage of open-source software is that it can be updated and validated by the scientific community as knowledge grows, whereas proprietary software tends to be more static. Development of open-source screening software and a curated database could be supported by the gene-synthesis industry, the U.S. government, or both.

Addressing global governance

Because gene synthesis capabilities have spread worldwide, a voluntary biosecurity regime will be effective at preventing misuse only if it is adopted internationally. A harmonized method for customer and sequence screening is needed to ensure uniformity in biosecurity practices across the industry, reducing the risk that a problematic order denied by one company will be filled by another. Any framework that applies to the United States alone would yield few security benefits and could be counterproductive by driving illicit customers to the small minority of foreign suppliers that refuse to screen. At present, the fact that the IASB and IGSC rules do not cover all gene-synthesis firms is a serious gap in the global biosecurity regime. Although it is unclear how many rogue suppliers might seek to profit from the black market in synthetic DNA, the existence of even one non-adhering company reduces security everywhere.

Advocates of legally binding regulations note that past attempts at industry self-policing have failed, most notably in the environmental field. According to a skeptical editorial on the IASB Code of Conduct in the journal Nature, “Although such a code of conduct is useful and welcome, compliance and enforcement will be paramount. There have been, and will probably continue to be, companies that are not interested in cooperating with any industry group and that are happy to operate in the unregulated grey area. The ultimate hope is that customers will put economic pressure on those non-compliers to fall in line, or else lose all but the most disreputable business. But that is just a hope.” Despite this skepticism, a formal treaty is not a viable solution because it would take years to negotiate and, once enacted, would be difficult to modify in response to rapid technological change.

To harmonize voluntary biosecurity measures for commercial gene synthesis, it will be necessary for the industry groups and the U.S. government to engage companies worldwide. At present, such outreach is insufficient. Although China is home to several leading suppliers, most of them have yet to endorse either industry screening standard. In 2009, the U.S. government discussed gene synthesis with Germany and initiated exploratory contacts with the Chinese Foreign Ministry. Consultations are also under way with countries participating in the Australia Group.

One way to encourage international compliance with the voluntary industry guidelines is to publicize which suppliers are complying with the rules, for example through the IASB’s “seal of approval” program. By giving gene-synthesis companies that screen a competitive advantage, this approach may motivate the small number of holdout firms to change their practices.

A second way to promote compliance with the biosecurity standard is to take advantage of market forces. Today, economies of scale and intense price competition are driving the consolidation of the gene-synthesis industry. Firms with sufficient sales volume to automate their manufacturing operations have extremely low costs, enabling them to force less efficient competitors out of business. These trends will result in a major shakeout in which companies with the best technology and the highest volume will prevail. As a result of this process, the gene-synthesis industry will become an integrated global market in which a limited number of major suppliers in several countries compete for the same pool of customers. In such a highly competitive environment, the biggest consumers of synthetic DNA—leading research institutions and major pharmaceutical companies—will have a great deal of leverage. The European pharmaceutical giant AstraZenica, for example, already requires its suppliers of synthetic DNA to comply with the screening guidelines. Thus, as the industry consolidates, gene-synthesis firms that wish to maintain or expand their market share will have a strong incentive to screen.

Voluntary DNA screening differs from other areas of policy, such as limiting emissions of greenhouse gases, in that it does not follow the logic of the “prisoner’s dilemma,” a game-theoretical model in which the individual players obtain the biggest payoff by defecting while others cooperate, but end up worse off if the other players defect as well. Thus, without binding government regulation to ensure a level playing field, companies in industries with this type of incentive structure often find themselves in a race to the bottom. The economics of gene synthesis are fortunately quite different. Because sequence screening is cheap compared with other costs of doing business, gene-synthesis companies cannot gain a competitive price advantage by defecting. Moreover, the black or gray market for gene-synthesis products is not large enough to sustain rogue companies on illicit orders alone. Suppliers of synthetic DNA therefore have a strong incentive to screen as a matter of survival, and they have few incentives to defect. In other words, the payoff from unilateral defection is lower than that from cooperation, which benefits all players. As Stephen Maurer of the University of California, Berkeley, has observed, if gene-synthesis companies comply with the screening standard because they cannot compete in the market otherwise, then there is really nothing voluntary about it.

A third way to encourage suppliers to comply with the voluntary screening guidelines is through the threat of legal liability. Under the “reasonable person” standard in tort law, if synthetic DNA supplied by a gene-synthesis company is used in a bioterrorist attack, it may be possible to prosecute the supplier for not taking precautions that a reasonable person would have taken—for example, rejecting a suspicious order that used a post office box instead of a verifiable address. The risk of litigation would deter companies from flouting the screening standard. Of course, a major challenge in bringing a tort action against a supplier of synthetic DNA would be to prove that the genetic sequence used in a bioterrorist weapon had been supplied by a specific company. Doing so would require tracing the synthetic DNA back to the source and demonstrating a clear chain-of-custody from supplier to end-user. In any event, complying with government-approved guidelines gives companies a good deal of legal protection. Without such guidelines, what constitutes responsible corporate behavior is largely a judgment call. But if guidelines exist, complying with them is tantamount to performing due diligence, immunizing a company from liability for damages in the event its product is misused.

Anticipating future developments

The current existence of three competing screening standards is an unstable situation, leading some observers to worry that the biosecurity regime will devolve to the lowest common denominator. Because the draft U.S. government guidelines are widely considered inadequate, however, they are likely to be revised, perhaps by incorporating strategies such as Best Match-plus. Whatever screening system for the commercial gene-synthesis industry is ultimately selected, it will probably remain in place for several years, while presumably adapting to changing circumstances.

Despite the tendency to view voluntary guidelines and legally binding regulations as opposite ends of a spectrum, they are not mutually exclusive. Once voluntary guidelines have been in place for some time, governments could take action at the national and global levels to reinforce industry compliance. For example, countries could mandate that government-funded researchers purchase synthetic DNA from suppliers that comply fully with the voluntary screening standard.

Another possible approach would be to require all companies that sell synthetic DNA to have their biosecurity policies reviewed by an objective third party. To perform this function, the industry associations could hire outside contractors to monitor companies’ screening activities and certify that they meet the agreed standard. This certification would be renewed periodically, perhaps every one or two years. Purchasers of pathogenic gene sequences might also be made subject to certification to verify their bona fides. Because scientists move frequently from one lab to another, such certification should probably take place at the institutional level. Ideally, the list of approved customers would be made public so that suppliers know to whom they are authorized to sell.

Finally, some mechanism could be established for notifying suppliers whenever a sequence order is denied, so that a request turned down by one company is not filled by another. Although antitrust concerns and companies’ desire to protect trade secrets make them reluctant to share customer information, the small fraction of the DNA synthesis market that involves pathogenic sequences (about 1%) is not particularly lucrative, making such information less competition-sensitive and hence easier to share. It is also possible that the U.S. government could identify firms that refuse to screen and keep them and their customers under surveillance.

The proposed industry and government guidelines represent an important first step toward a system of global risk management for the gene-synthesis industry. Of course, any biosecurity system will inevitably be imperfect and contain gaps. For example, advanced bench-top DNA synthesizers capable of producing gene-length sequences with high accuracy will probably reach the market within a decade. If in-house gene synthesis becomes widespread, it will reduce scientists’ reliance on commercial suppliers and thus diminish the security benefits of customer and sequence screening. For the next several years, however, an effective governance regime for the gene-synthesis industry will remain the low-hanging fruit for managing the risk of misuse.