I’m an EA lawyer with an interest in legal routes to reduce biorisk. In the course of some research, I’ve come to think the Bureau of Industry and Security at the U.S. Department of Commerce may have significant power to reduce risks from biotechnology. (I think the same is true of artificial intelligence, and know some other EAs are working on export controls in that context.) The goal of this post is to briefly summarize my research and thinking so that others interested in these ideas can vet and/or benefit from them.
How Export Controls Work
“Export controls” are laws and regulations that restrict release of critical tech, information, and services to nationals of and persons located within certain foreign countries. (I’ll mostly be ignoring a distinction here where sometimes controls are focused on the country to which items/info are exported, and sometimes (with “deemed exports”) to nationals of those countries, even when located in the U.S. Apologies for some imprecision here.) Most countries impose such controls in some form, and they’re the subject of multiple (nonbinding) agreements between nations, such as the Wassenaar Arrangement for arms control and the Australia Group for biological and chemical dual-use technologies. The U.S. generally seeks multilateral agreements like these before adding items to its domestic export control lists, but can and does act unilaterally when it wants to impose additional controls (see here for a recent example concerning software designed to automate analysis of geospatial imagery).
Within the U.S., export controls are largely governed via (1) the Munitions List (ML), a State Department-administered program directed at technology that is “inherently for military end use” (this is construed pretty narrowly, and most tech not funded by the military will not qualify), and (2) the Commerce Control List (CCL), a Department of Commerce-administered program covering a vast array of potential dual-use tech (see here and here to get a sense of the categories addressed).
When an item is placed on the CCL, it cannot be “exported” or “released” in a manner that would make it available to certain countries or their nationals except under a license issued by Commerce. Export includes physical shipment of goods as well as distribution of information by electronic transmission or publication, and it extends from the specific items placed on the list down to any information required for designing, developing, creating, or using such an item, including instructions, models, and technical know-how. See 15 C.F.R. § 774 Appendix 2. Violation of the licensing requirement carries massive penalties, including fines up to $300,000 (or 2x the value of the offending transaction) and up to 20 years in prison.
Commerce has extremely broad discretion to place any item on the CCL that could be used militarily by another country or otherwise impair U.S. security, and its decision to do so is “in effect judicially unreviewable.” State v. United States Dep't of State, 996 F.3d 552, 564 (9th Cir. 2021). This means that Commerce can restrict access (including via publication) to certain types of technology or information by a method that’s less time-consuming and fraught with uncertainty than legislative or judicial action.
Using the CCL to Reduce Biorisk
The CCL already addresses a number of biosecurity-relevant items, including pathogens and genetic material from pathogens on the Australia Group list and CDC Select Agents list, plus tech for their development/production.* 15 C.F.R. § 742.2(a)(1); CCL §§ 1C351, 1C353, 1E001 (search in this doc). Recently, however, Congress has explicitly expanded Commerce’s mandate to “emerging technologies” that are “essential to the national security of the United States,” and asked it to establish licensing policies for such items (Export Control Reform Act of 2018).
The BIS, the division within Commerce responsible for the CCL, has interpreted “emerging technologies” to include “biotechnology” as well as “advanced computing technology” and “artificial intelligence and machine learning,” and has begun the process of issuing rules to address specific technologies within these categories. Recently (after negotiating similar controls for other Australia Group participants), BIS released a final rule placing controls on software for nucleic acid assemblers and synthesizers “capable of designing and building functional genetic elements from digital sequence data,” i.e. software that could be used to generate pathogens for biological weapons. (Full text of rule available here.)
I’m not going to discuss specific items that might be added to the CCL to reduce biorisk in this post, and would encourage people to use good judgment in avoiding info hazard territory in the comments; please feel free to DM me if you want to talk about specific tech instead. For purposes of thinking about potential applications and impact, I’ll say I’m particularly interested in export controls because I think they might help reduce information hazards by constraining publication of certain material,* which is an extremely difficult nut to crack under U.S. First Amendment law, no matter the circumstances -- and changing incentives around publication has potential to change incentives around research. Likewise beyond the scope of this post, but potentially important, is the fact that the Foreign Investment Risk Review Modernization Act of 2018 requires companies developing technologies placed on the CCL to undergo an onerous national security review before accepting investment from many foreign nationals.
Potential Limitations on Use/Usefulness
Finally, a few notes on constraints that apply to BIS and might be relevant to work to reduce serious risks from biotech:
- Preference for multilateral action: As noted, BIS prefers to implement controls that have multilateral support, although it can do so unilaterally. Expansion of export controls might require BIS either to depart from this general policy or to successfully seek multilateral agreements, which might make the process slower and more difficult than ideal. (The end of this article describes some impatience on the part of Congress with the delays here.)
- Other agency involvement: Although Commerce has authority to decide what goes on the CCL, for items that aren’t addressed by multilateral agreements or other regimes like the Select Agents program there’s an ambiguous multi-agency consultation process involving DoD, Energy, the State Department, and others -- it’s unclear whether that has any teeth, but anything inter-agency has the potential to create hassle.
- Exception for “fundamental research”: An exception to the export control regulations applies to technology “that is released to conduct fundamental research” -- i.e. research for non-commercial purposes “the results of which ordinarily are published and shared broadly within the research community.” 15 C.F.R. § 734.8. This might reduce the capacity of export controls to prevent publication in scientific journals. On the other hand, (1) the exception wouldn’t apply to large swaths of technology of concern, (2) I think there are medium-good arguments for construing the exception to exclude some of the highest-risk material, and (3) my current understanding (I don’t have a background in admin law -- please chime in if you do!) is that Commerce could simply override this exemption as part of the rulemaking where it adds items to the CCL.
- Constitutionality: As noted, it’s very hard to restrain publication of pretty much anything in the U.S. given how expansive our First Amendment is. This concern may be surmountable both for practical (lack of review mechanisms) and fundamental (based on narrow categories of case law) reasons, but I’d expect it to be an uphill battle to secure durable restrictions in some circumstances.
Thanks to Andrew Snyder-Beattie, Jake Swett, Andre Barbe, and Helen Toner for helpful comments.
* Analogous EU rules were interpreted in 2012 by the Dutch government to require licensing for information related to genetic modification of the H5N1 flu before it could be published in Science. Christian Enemark, Influenza Virus Research and EU Export Regulations: Publication, Proliferation, and Pandemic Risks, 25 Med. Law R. 293, 294 (2017).
Very interesting post, thanks for taking the time to write it up. It sounds like the BIS is moving in the right direction on regulating some sensitive biotech stuff. While it seems like there are some obvious things to add to this list (e.g. dangerous pathogens), it also seems like a lot of the dual-use stuff would be non-obvious to regulate this way given that many of the technologies that could be used to engineer a pathogen also have legitimate scientific and industrial applications.
I've included some of my shallow notes on this topic from investigating the Chinese bioeconomy.
Challenges with dual-use
For example, one area that has received particular scrutiny regarding import-export controls is w.r.t. surveillance technology used in China. In a 2018 letter to Secretary of Commerce Wilbur Ross inquiring about the sale of surveillance Technology to Chinese police, Senator Marco Rubio (R-FL) and U.S. Representative Chris Smith (R-NJ) wrote:
The letter goes on to request answers to the following questions:
In a response letter, Secretary Wilbur stated that the rules did not apply to Thermo Fischer because
including in education, medical research, and forensics, according to Mr. Ross’s letter.
This, I suspect, is the biggest challenge with an import-export. Where do you set the bar for technologies or products to join the export control list when it has applications in science or industry. Another externality here is that US biotech firms that sell products and services in China are likely to be hurt by too far-reaching an export control list (For more info on these considerations I recommend the report Two Worlds, Two Bioeconomies: The Impacts of Decoupling US–China Trade and Technology Transfer).
With regards to foreign investment, the U.S. has been pretty active in response to Chinese investment in biotech. The Committee on Foreign Investment in the United States (CFIUS) which sits under the Department of Treasury is the body in charge of reviewing transactions involving foreign investment in the United States that could involve national security concerns. The Foreign Investment Risk Review Modernization Act of 2018 (FIRMA) expanded CFIUS's purview to include subjecting even non-controlling foreign investments in companies with certain critical technologies or involved in sensitive data collection of US citizens. Under Firma, Chinese investment in U.S. biotech dropped sharply.
The article presents two biotech case studies where CFIUS has intervened:
Under its authority, CFIUS could and probably does try to prevent foreign actors from gaining bioweapon-enabling by means of technology transfer through foreign investment, but the same challenges around dual-use research are present.
Thanks so much for your detailed comment, and sorry for not seeing it earlier!
I'm a bit unclear what's going on in the Thermo-Fischer example: The second question from the initial letter makes it sound like TF had been granted a license to export under the EAR, but I don't see a claim that the technology was covered by the Commerce Control List, and the response from Ross seems to suggest otherwise (from what I can tell, I'm behind the WSJ paywall).
In any event, I think this is just the same issue that comes up generally with regulation of dual-use technologies. There's a question of whether technology with dual-use potential can be restricted from export under the CCL, and I think the answer to that is clearly yes (see, e.g., the restriction on software for DNA synthesizers). Then there's the separate question of whether it should be restricted, and that's going to require a context-dependent analysis of each case, with consideration of the balance of offensive and defensive uses of the tech. This is often a difficult question, but I think the analysis from a GCBR/advocacy perspective is going to be the same as it is for, say, differential development of technologies.
The concern about multilateral controls is a good one in general, though I think unilateral controls still pack a lot of punch when it comes to, e.g., publication of research by researchers at American universities.