BY DAVID E. HOFFMAN |
Largely unseen by the world, two dangerous germs homed in on their targets in the spring and early summer of 2009. One was made by man to infect computers. The other was made by nature, and could infect man.
The man-made virus could invade a computer running Windows, replicate itself, wreck an industrial process, hide from human operators, and evade anti-virus programs. The natural pathogen could invade human cells, hijack them to replicate billions of copies of itself, and evade the body’s immune system.
The man-made weapon was Stuxnet, a mysterious piece of computer malware that first appeared in 2009 and was identified more than a year later by Ralph Langner, a Hamburg-based computer security expert, as a worm designed to sabotage Iran’s nuclear-enrichment facilities. The natural pathogen was the swine flu virus, which first appeared in Mexico City in March 2009 and touched off a global pandemic.
In the physical world, they have nothing in common. Stuxnet is computer code, bits of binary electronic data. The swine flu virus is a biological organism, a unique remix of genes from older influenza viruses. But they share one fundamental characteristic: They spread themselves and attack before their targets know what is happening. And in that way, they offer a glimpse of a rapidly evolving class of dangerous threats that former U.S. Navy Secretary Richard Danzig once described as instruments of “nonexplosive warfare.”
When Danzig first raised the concept in 1998, an Internet bubble was mushrooming, terrorist cult Aum Shinrikyo had attacked the Tokyo subway with sarin gas, and there were fresh disclosures about the vast, illicit biological-weapons program built by the Soviet Union. What has happened since then? Cyberattacks have grown in intensity and sophistication. The technology for manipulating biological organisms is advancing rapidly. But these potentially anonymous weapons continue to perplex and confound our thinking about the future of war and terrorism.
Both cyber and bio threats are embedded in great leaps of technological progress that we would not want to give up, enabling rapid communications, dramatic productivity gains, new drugs and vaccines, richer harvests, and more. But both can also be used to harm and destroy. And both pose a particularly difficult strategic quandary: A hallmark of cyber and bio attacks is their ability to defy deterrence and elude defenses.
Think of it this way: The most sophisticated cyberattacks, like Stuxnet, rarely leave clear fingerprints; bioweapons, too, are famously difficult to trace back to a perpetrator. But the concept of deterrence depends on the threat of certain retaliation that would cause a rational attacker to think twice. So if the attacker can’t be found, then the certainty of retaliation dissolves, and deterrence might not be possible.
What would a president of the United States say to the country if thousands of people were dying from a disease or trapped in a massive blackout and he did not know who caused it? A ballistic missile leaves a trajectory that can indicate its origins. An airline hijacker might be caught on video or leave behind a ticket or other telltale clue to his identity. When someone is shot with a weapon, the bullet and firearm can be traced. Not so for many cyber and bio threats.
Moreover, as Danzig pointed out, armies are of little use against such dangers, and neither the production nor delivery of such weapons requires large, expensive systems. They are accessible to small groups or individuals, and can hide under the radar.
So how to think about this? Recently, the Pentagon commissioned one of its most prestigious research advisory groups, JASON, to study the science of cybersecurity. One of the panel’s recommendations for dealing with threats: Draw lessons from biology and the functioning of the human body’s immune system. When it sees a dangerous pathogen, part of the immune system is adaptive and can resist the invader even if it has never seen the agent before. What computers might need to counter this new warfare is something similar, a “learning algorithm” that would allow them to adapt and resist when a bug like Stuxnet comes sneaking around — as it surely will.
ON FEB. 8, 2000, Joshua Lederberg, one of the founders of American microbiology and a Nobel Prize laureate, spoke at a Rand Corp. conference on bioterrorism and homeland defense in Santa Monica, California. Lederberg, a geneticist who had been concerned for years about the United States’ vulnerability to the use of biological agents in war and terrorism, told the group there would be no warning of such an attack, no big boom to alert everyone.
“We perhaps put too much stress on an acute incident, an explosion, a compelling notice that something really awful has happened,” Lederberg said. “No shrewd user” of a biological weapon “is going to give you that opportunity,” he warned. “The ‘incident’ will be people accumulating illness, disease, death.”
Within two years, it happened. In the fall of 2001, at least five envelopes containing anthrax bacteria were mailed to two senators in Washington and media organizations in New York City and Boca Raton, Florida. At least 22 people contracted anthrax as a result; five died. Ten thousand people were given antibiotics as a precaution. With just five envelopes, 35 postal facilities and commercial mailrooms were contaminated. The bacteria were found in seven buildings on Capitol Hill. The U.S. Postal Service closed two heavily contaminated processing centers; one in Washington did not open for two years, and one in New Jersey did not open for four years. More than 1.8 million letters, packages, and magazines were stuck in quarantine at the two centers, which cost roughly $200 million to clean up.
After the attack, the FBI and the U.S. Postal Inspection Service set up a task force to investigate who had done it. In the seven years that followed, more than 10,000 witnesses were interviewed, 5,750 grand jury subpoenas issued, and 6,000 items of evidence collected. In 2007, the FBI determined that the anthrax originated from a batch created and maintained by Bruce E. Ivins, a researcher at the U.S. Army’s biodefense laboratory at Fort Detrick, Maryland. Aware that he was under investigation, Ivins committed suicide in July 2008, leaving open the issue of his possible role and motives. There is still some uncertainty about the FBI’s microbial forensics, now under review by a committee of the National Academy of Sciences. Regardless, the investigation showed how hard it is to crack such a case.
Amy E. Smithson, a senior fellow at the James Martin Center for Nonproliferation Studies of the Monterey Institute of International Studies, has attempted to investigate and analyze how decision-makers would react to a future biological attack. “The pressures to finger the bad guy are going to be tremendous,” Smithson told me. Last year, Smithson assembled three teams of people for simulations of how high-level decision-makers might react. The groups were told they were playing the National Security Council, sitting in the White House Situation Room during the opening of a hypothetical G-8 summit in San Francisco, when a detector signaled the presence of a pathogen, Burkholderia pseudomallei, a bacterium that causes the disease melioidosis, which can be lethal if inhaled. The teams had been given several briefings on microbial forensics and the available intelligence, but still found themselves unsure how to untangle the evidence and how to respond.
Was the pathogen intended to harm the world leaders, or was it just a dispersal into the air, intended to shock? “They were massively frustrated at what microbial forensics and intelligence didn’t tell them,” Smithson said. “The effort to pinpoint a perpetrator is bound to confound, and the detection systems are not likely to deliver as much data as fast or as clearly as the policymakers want.”
So, the conundrum is clear: As Danzig put it a decade ago, “With nonexplosive weapons it may be difficult to tell if an incident is an act of war, the deed of a small terrorist group, a simple crime, or a natural occurrence.”
COULD SUCH AN ATTACK REALLY HAPPEN? In the field of biology, much of the debate has centered on the capabilities and intentions of terrorists. While some diseases occur easily in nature and are highly contagious, others require sophisticated processing for use as a weapon, probably well beyond the capability of today’s terrorist groups, which in the last decade have preferred explosive weapons — truck bombs, duffel bags filled with dynamite, exploding airplanes, and old-fashioned guns. By contrast, if the FBI is correct, the anthrax letters were sent by a skilled worker in a sophisticated, well-funded American military laboratory, not someone working out of a safe house or a cave in the Hindu Kush.
New alarms about bioterrorism were sounded in December 2008 by a congressionally mandated commission on weapons of mass destruction, headed by former Senators Bob Graham and Jim Talent. Their report, “World at Risk,” concluded that “terrorists are more likely to be able to obtain and use a biological weapon than a nuclear weapon.” No terrorist group currently has the ability to carry out a mass-casualty attack using pathogens, the panel reported — weaponizing pathogens and disseminating them in the air is extremely difficult. But, they warned, “the United States should be less concerned that terrorists will become biologists and far more concerned that biologists will become terrorists.” A group of U.S. scientists, however, responded that the commission had exaggerated the threat and that fears of bioterrorism were diverting resources from urgent public health needs for naturally occurring diseases, which have caused far more deaths.
One thing is certain: The technology for probing and manipulating life at the genetic level is accelerating. Advances in sequencing — plotting the genetic blueprint of an organism