The Relationship Between the Biological Weapons Convention and Cybersecurity

Today, the Biological Weapons Convention (BWC)—the first treaty to ban an entire class of weapons—marks the 40th anniversary of its entry into force. Reflections on this milestone will examine the BWC’s successes and travails, such as its ratification by 173 countries, its lack of a verification mechanism, and what the future holds. Although not prominent in these discussions, the BWC relates to cybersecurity in two ways. First, the BWC is often seen as a model for regulating dual-use cyber technologies because the treaty attempts to advance scientific progress while preventing its exploitation for hostile purposes. Second, the biological sciences’ increasing dependence on information technologies makes cybersecurity a growing risk and, thus, a threat to BWC objectives.

The BWC as a Model for Cybersecurity

The BWC addresses a dual-use technology with many applications, including the potential to be weaponized. Similarly, cyber technologies have productive uses that could be imperiled with the development of cyber weapons. Those concerned about cyber weapons often turn to the BWC for guidance because of characteristics biology shares with cyber—the thin line between research and weaponization, the global dissemination of technologies and know-how, the tremendous benefits of peaceful research, and the need to adapt to new threats created by scientific and political change.

The BWC supports actions to prevent weaponization and foster peaceful exploitation of the biological sciences, including:

• Prohibitions on weaponization and transferring the means of developing bioweapons;
• Requirements to implement domestic measures to prevent weaponization;
• Obligations to cooperate and provide assistance in addressing BWC violations; and
• Undertakings to facilitate exchange of information, materials, and technologies for peaceful research.

However, the BWC maps poorly against cybersecurity problems. Cyber weapons, weaponization, and attacks by states and criminals have become ubiquitous. The BWC required destruction of stockpiles of bioweapons, but many countries accepted this obligation and the weaponization ban because they concluded bioweapons had little national security utility. The same cannot be said for cyber technologies. States find cyber exploits useful for multiple national security tasks, including law enforcement, counter-intelligence, espionage, sabotage, deterrence, and fighting armed conflicts. Tools used to prevent biological weaponization, such as imposing licensing and biosecurity requirements on biological research facilities, make little sense for cyber given the nature of cyber technologies and their global accessibility.

Experts have called for a norm requiring countries to assist victims of cyberattacks, which echoes the BWC’s provision on assistance in cases of treaty violations. However, political calculations, not normative considerations, determine whether governments offer assistance to countries hit by cyberattacks—behavior consistent with other contexts where states provide discretionary assistance, such as after natural disasters.

Nor have countries embraced export controls on cyber technologies in the manner seen with biological technologies. Countries harmonizing export controls on dual-use technologies through the Wassenaar Arrangement added "intrusion software" to this regime in December 2013. However, this decision reflected human rights concerns about authoritarian governments using such software, a reason having no counterpart in export controls supporting the non-proliferation of bioweapons.

Perhaps led by the United States, the Wassenaar Arrangement might create more export controls for cyber technologies, but here the BWC offers a cautionary tale. Developing countries have long considered that export controls on biotechnologies imposed for non-proliferation reasons violate their BWC right to gain access to equipment, materials, and information for peaceful purposes. Whether a similar controversy emerges if Wassennaar participants agree to more export controls on cyber technologies remains to be seen, but this path is not one the BWC suggests would be easy or effective.

The Cybersecurity Challenge in the Biological Sciences

The more important aspect of the BWC-cyber relationship involves the biological sciences’ increasing exploitation of, and dependence on, information technologies (IT). In describing scientific developments for the BWC review conference in 2011, the BWC Implementation Support Unit noted that "[i]ncreasingly the life sciences are referred to as information sciences. Digital tools and platforms not only enable wetwork but are increasingly able to replace it."

Cybersecurity problems increase as dependence on information technologies deepens. Biological research enabled by information technologies is vulnerable to cyber infiltration by foreign governments, criminals, or terrorists and theft of data or manipulation of facilities. The cybersecurity challenge has been recognized in some policies. In the United States, Executive Order 13546 (2010) identified the need for cybersecurity in facilities handling dangerous pathogens, which led to amended regulations. As the biological and information sciences converge, cybersecurity becomes increasingly important for responsible biological research.

Despite awareness of this dependence, the BWC process has not focused on cybersecurity. Neither the 2011 review conference nor meetings in 2012-14 identified the security of information and the ubiquity of IT systems as issues arising from developments relevant to the BWC. As planning for the next BWC review conference in 2016 unfolds, cybersecurity should be included to ensure the BWC’s next chapter does not ignore a problem the biological sciences face now and in the future.