This is a post to share my Law Honours dissertation (link above) about the regulation of nucleic acid synthesis screening at an international level. I have also set out a summary below of the paper for those who do not have time/do not want to read the whole thing. This summary doesn’t necessarily reflect the structure and emphasis of the paper, but instead focuses on some of the key insights I identified in my research which those on this forum who have an interest in biosecurity are unlikely to have already seen. (Those who are more familiar with this topic, feel free to skip down to the third section for where I start discussing these after introducing some background information.)
I’m hoping to submit this for publication within the next few months, so if anyone has feedback for how to improve it (especially if I have some things wrong about the state of the law in each country I studied) that would also be appreciated. This article was also completed early in October 2023 so parts of it may be out of date, which it would be good to have highlighted (I am aware, for example, that it does not cover President Biden’s Executive Order which includes provisions requiring the creation of future guidelines for nucleic acid synthesis screening).
Introduction to the risks from nucleic acid synthesis (NAS)
- Nucleic acid synthesis (NAS) refers to the creation of DNA or other genetic molecules (e.g. RNA) artificially. This is done by several large companies and dozens of small ones across the world, who then deliver their product to researchers of various kinds. I will refer to NAS rather than DNA synthesis for the rest of this post because I think this broader category is what we really want to cover.
- The NAS process is currently undergoing rapid change, with new enzymatic techniques potentially making it much cheaper to produce nucleic acids, especially at scale.
- Desktop synthesisers, which allow users to generate the sequences at their own labs, are also dramatically improving to the point that they may begin to replace the existing model where synthesis is mostly outsourced to private companies.
- There are several publicly available databases of genetic sequences, which include various pathogenic sequences.
- The field of synthetic biology, which applies engineering and computer science tools to “programme” biology, may make it easier over time for those who have obtained synthetic nucleic acids to then use these sequences to recreate existing harmful pathogens (e.g. smallpox) or engineer even more dangerous pathogens.
Given these risks, it is often argued that NAS companies should screen their orders for potentially harmful sequences and screen their customers to ensure they are trustworthy. Although there are good arguments for why the perceived risk may be overblown, I think this is clearly something they should do. My dissertation focuses on the best way to ensure that this happens.
Current well-known points regarding NAS regulation
What I see as the key components of the international regulatory system for NAS are as follows:
- The International Gene Synthesis Consortium – a set of large gene synthesis companies which have joined together and agreed to screen their orders according to the Harmonised Screening Protocol. IGSC members agree to screen their orders against a shared database of sequences of concern derived from organisms listed on various official lists of organisms of concern.
- The United States Department of Health and Human Services Guide – a set of voluntary sequence screening guidelines produced in the US. They are similar to the IGSC requirements, but (perhaps surprisingly) require a less rigorous sequence screening procedure than the IGSC’s Harmonised Screening Protocol because they rely more on automation and less on expert judgement.
- The Biological Weapons Convention (BWC) and United Nations Security Council Resolution 1540 (UNSCR 1540) – these both require states to take steps to limit the risk of bioweapons being created, which includes regulating the movement of biological agents within and across their borders.
- The Australia Group – an informal group of countries that have agreed to implement standardised lists of materials that could be used for nuclear, chemical or biological weapons which they will require licenses to export. The Australia Group lists include lists of dangerous pathogens, as well as sequences derived from these pathogens which “endow or enhance pathogenicity”.
- The International Biosecurity and Biosafety Initiative for Science – a non-profit that has recently spun out of the Nuclear Threat Initiative’s Biosecurity Innovation and Risk Reduction Initiative. IBBIS aims to fill the current gap left by a lack of international institutions which focus on reducing the risks of biotechnology, by working with governments, private synthesis companies and researchers (i.e. NAS customers).
  - Importantly, IBBIS will also house the automated solution NTI is hoping to create for sequence screening known as the “Common Mechanism”.
- SecureDNA – this is an organisation which aims to develop an automated solution to sequence screening, but one which is more sophisticated than the Common Mechanism. It is funded by some key EA orgs, and will compete alongside the Common Mechanism with several other companies that also produce automated screening systems such as ACLID, BLiSS, SeqScreen, ThreatSeq and FAST-NA.
I won’t go into these in any more depth except to the extent that they are relevant to the following points which are based more on my own research.
Domestic laws – the divide between domestic transfers and exports
It is often claimed, perhaps most clearly on IBBIS’s website, that zero countries require NAS providers to screen their orders to prevent misuse. This is strictly true in that there are no countries which directly mandate a NAS screening process, but many countries have legally binding regulations that require licensing for the process of transferring certain biological agents from one person to another. If certain physical genetic sequences are included in this list of “biological agents”, then NAS companies must screen their orders for those sequences to establish whether they need a licence. These list-based approaches are often implemented in the name of fulfilling State obligations under the Biological Weapons Convention and UNSCR 1540. The standard approach of these indirect screening requirements is to have a list of pathogens that are considered dangerous, and then give a definition of which physical genetic sequences from such pathogens are also included.
The flaws of list-based approaches are well documented. Perhaps the most important problem is that simply because a sequence comes from a pathogenic species does not necessarily mean it is itself dangerous – there are many sequences that carry out normal cell function across a range of both pathogenic and non-pathogenic species, and conversely it is possible to have sequences that are unique to a specific pathogenic species but which do not actually assist the organism with causing harm.
However, critiques of list-based approaches seem to only ever focus on the United States Select Agent programme. I have never been able to find what I would think should logically come first – a review that simply summarises which countries across the world actually use such lists, whether their lists include physical genetic sequences, and if so, what definitions they use to map from a particular pathogen species to the regulated sequences themselves. Consequently, I used the following search strategy to carry out my own review. Given these list-based regulations are used to fulfil obligations under the BWC and UNSCR 1540, I looked at databases that attempt to measure compliance of States with the two regimes. Since I couldn’t investigate all countries in depth, I chose to focus on understanding which countries have some kind of biological agent lists at all, and then investigated in full detail the regulations of the countries which I knew had NAS companies operating within their borders.
From this search I identified the following key points (see the first half of chapter IV for details):
- Countries all used quite separate approaches for regulating the transfer of biological agents within their borders (I call such regulations “domestic transfer controls”) and transfers between borders (“export controls”).
- The most recent review of UNSCR 1540 implementation found that in 2022 only 25% of possible domestic transfer control measures had been implemented by UN members, and 40% of UN members had developed national export control lists for biological materials. These numbers put approximate upper bounds on the proportion of countries which have any NAS regulation.
- However, all countries in which NAS companies I knew about operate have both export and domestic transfer control lists, but most of them do not include physical genetic sequences in their domestic transfer control lists.
- Export control lists amongst these countries are direct copies of the Australia Group list – even in countries like China and Singapore which are not actually Australia Group members.
- Some countries seem to have attempted to include physical genetic sequences in their domestic transfer control lists (e.g. Canada), but do so in such a poor way that I believe a court would be unlikely to find that their lists actually cover physical genetic sequences.
- I found only two countries which clearly include physical genetic sequences in their domestic transfer control lists – the United States (with the Select Agent and Toxins List) and the United Kingdom – and these both use odd, very restrictive definitions that only seem to include viral sequences that could produce a viable virus as soon as they are introduced into a host cell.
A possible argument that States are violating both the Biological Weapons Convention and United Nations Security Council Resolution 1540
Braden Leach, in an article those of you familiar with this field may have read, has argued that by failing to adequately regulate NAS, the United States is breaching its obligations under the Biological Weapons Convention. In particular, article IV requires State Parties to “take any necessary measures to prohibit and prevent the development, production, acquisition or retention” of what the BWC defines as biological weapons. Leach believes proper NAS regulation fits the plain meaning of “necessary measures” to “prevent” biological weapons development, as well as the BWC’s purpose of “exclud[ing] completely the possibility of bacteriological (biological) agents being used as weapons”.
I think this argument is a good start but misses several factors as follows, which I try to take into account in making my own version of this argument, which I also aim to generalise to states other than the United States:
- The obligation in article IV must be balanced with the article X obligation to “facilitate … the fullest possible exchange of equipment, materials and scientific and technological information for the use of” biological agents which do not fit the definition of a biological weapon. The key test for whether a biological agent is defined as a weapon is whether it has “no justification for prophylactic, protective or other peaceful purposes”. Applying this test is not straightforward for dual-use technology, and I believe it cannot simply be resolved by pointing to the plain meaning of article IV and the BWC’s purpose (since that doesn’t tell you how to balance articles IV and X).
- Instead, the main factor that can be used to resolve this tension is subsequent state practice – that is, the way states have chosen to implement an international treaty like the BWC can itself be used as evidence of what the parties intended it to mean. Deciding what state practice implies here is complex, however, given many states don’t implement any biological agent lists at all, those that do illogically distinguish between exports and domestic transfers, and no states implement direct screening regulations.
- In my view, UNSCR 1540 implements essentially identical obligations to the BWC with respect to domestic transfer and export controls, and therefore provides an additional source of obligations for states. Leach believes that UNSCR 1540 only requires states to “prohibit” the acquisition and transfer of biological weapons (i.e. using criminal law) through article 2, but I am almost certain this is a mistake because he misses article 3(a) and (d) which govern domestic transfer and export controls respectively.
My conclusion here is mixed because there are a variety of possible things that the BWC and UNSCR 1540 could require. As the requirements get stronger, the arguments in favour of these requirements become weaker, and Leach’s proposal is the strongest possible interpretation. For example, I believe his view is plausible but will not convince everyone, whereas I think there is a more compelling case that all states at least have an obligation to include the same types of controls for domestic transfers of physical genetic material as they have for exports of physical genetic material.
Concerns I have about the International Gene Synthesis Consortium
To try and get a good understanding of the current state of the NAS industry, I decided to do a deep dive into the IGSC and its members, and what I found concerned me more than I expected. I tend to find that most critiques of the IGSC system focus on the fact that it is voluntary, that it only covers a majority of the gene synthesis market rather than all of it, and various problems with the specific Harmonised Screening Protocol it uses, while also admitting that it is better than nothing. I also agree that it is better than nothing, but I believe there are further problems with the IGSC that mean even if the industry sticks to using self-regulation the IGSC should probably either be substantially reformed or replaced with a different system of self-regulation.
The first problem is based on its history. This barely ever seems to get mentioned, but the IGSC standards came after a Code of Conduct created by a set of small German gene synthesis companies that had formed the International Association of Synthetic Biology (IASB). The IGSC resulted from backlash by two large companies against the IASB Code of Conduct, arguing that it would be better to use a fully automated solution which made no use of expert judgment to check for possible dangerous sequences outside of those from official lists. This proposal failed, but the two large companies remained separate from the IASB and joined with three others to form what is now the IGSC, creating their own standards which were virtually identical to the IASB Code. In contrast to the IASB, the IGSC had (and still has) meetings that are only open to members and so are not open to scrutiny by other members of the industry, the media or governments in the way the IASB was. Further, voting membership is only open to large companies that surpass a certain annual revenue threshold, making it highly unlikely smaller industry members will ever join since they cannot contribute to the content of the regulation system they are agreeing to be bound by.
From what I can tell, for some time both groups were seen as major regulators of gene synthesis, but over more recent years IGSC has clearly become the only player and has grown to 33 members, while the IASB has been essentially forgotten. I think this is unfortunate, since the IGSC has a poorer governance structure than the IASB. In fact, Stephen Maurer, probably once the most prolific scholar on DNA synthesis regulation, has often spoken in favour of maintaining a system of self-regulation, but primarily uses the IASB as the standard he hopes the industry will model. It also seems like the IGSC’s history is still influencing how it engages with the more recent discussion about regulating DNA synthesis, given all industry members that contribute to NTI’s various publications seem to come from the IGSC despite the existence of many other gene synthesis companies. For example, NTI’s proposed “Common Mechanism”, an automated solution based on a database of sequences only from official lists, sounds almost identical to what the founding IGSC members originally proposed before they backtracked. (Although, to be clear, I am aware the proportion of total gene synthesis costs taken up by screening has risen dramatically, such that an automated screening system may be the only way to make screening affordable for all industry members, which was not true when the IGSC was first founded in 2009.)
There are also several other concerns I wanted to mention more briefly:
- The IGSC does not enforce its screening protocol or even monitor compliance of its members – while I note competition law in each of its members’ governing jurisdictions will limit the IGSC’s ability to do this to varying degrees, the IGSC really seems to do the bare minimum.
- The IGSC claims it covers ~80% of the gene synthesis market (although I have no idea where this number came from and it has not been changed since 2009). Even setting aside that even one company not screening may be enough to cause harm if a bioterrorist can find it, or that this number is likely inaccurate – it only applies to the “gene” synthesis market: that is, DNA (and not RNA) sequences of over 200 base pairs. In fact, there is a continually growing market in much shorter “oligonucleotide” (oligo) sequences which for a long time has been larger than the gene synthesis market. Given it is possible to join these oligos together after ordering them, and RNA can similarly be converted into DNA after ordering, it is not clear why the relevant figure should even be limited to “genes” in the first place. It is quite likely the IGSC really captures a small proportion of the relevant market.
- Of the 33 members, I only found 5 which mention biosecurity or their IGSC membership on the website, and there are 9 I can confirm do not after completing a fairly comprehensive search of their websites. This suggests that neither they nor their customers actually take this very seriously (compare this, for example, to the amount of advertising these companies have about their diversity, etc. policies for customers).
- Out of the 9 members which publish their standard terms and conditions on their websites, 4 do not mention the IGSC or their right to refuse orders that are flagged by the Harmonised Screening Protocol. This is surprising because if they were actually doing the screening, their customers would probably want to know about the risk of the order being refused and expect this to be in the sale contract. Further, although I haven’t looked into this at all, since IGSC members are meant to adopt more stringent screening standards than they are legally required to, refusing orders that are flagged by screening may actually be a breach of contract.
- The IGSC has expanded massively over the last few years, with 19 of its 33 members joining after the beginning of 2020, but it has not published any of these additions (unlike its previous new members). It has partially done this by expanding the range of companies that are joining to include some screening system providers (e.g. ACLID and Battelle), biofoundries (e.g. iBioFAB and the Edinburgh Genome Foundry) and benchtop synthesiser producers (e.g. Elegen Bio, Switchback Systems, Evonetix). This seems to me like potentially a significant change in ambition by the IGSC towards becoming a regulator of this full set of related but distinct parts of the biotechnology industry in a way which might not be optimal (especially since it does not by any means contain all the companies in any of these categories).
  - That such a change can happen with nobody noticing shows the problem with the non-transparent approach the IGSC takes. However, my understanding is that there is also some evidence that self-regulatory regimes become less effective if they try to regulate many different dissimilar firms at once.
From looking at the history of international self-regulatory regimes like this, it seems fairly clear to me that there are some preferable alternatives. A common one is meta-regulation, where an external regulator sets the rules that the self-regulatory body has to follow when creating its standards. States struggle to do this at the international level, so it has been becoming increasingly common for systems like this to involve private meta-regulation. A good example of this is the Global Food Safety Initiative, which assesses the range of private food safety certification regimes used across the world against a set of common benchmarks and monitors the governance and practice of the industry associations that run these certification regimes. These regulatory systems are also not necessarily purely voluntary in terms of enforcement, since it is possible to enforce the agreed standards through contract law or requirements for membership with the regulatory scheme. Further, the private meta-regulator is often a separate not-for-profit, rather than an industry association run purely by industry members.
I think this is where IBBIS could take a much more ambitious role in the international regulation of NAS, or synthetic biology more broadly, than simply collaborating with the various groups involved. I think it would be more useful for it to essentially replace the IGSC as a private meta-regulator of several different industry associations which each separately govern their relevant domain.
Nucleic acid synthesis as a case study of the international law vs “transnational private regulation” debate
The final substantive chapter of the dissertation compares the various suggested solutions for the international regulation of synthetic biology in general, while also trying to apply them specifically to NAS. This section is quite long and relies on much of the context I detail in the earlier chapters, so I would encourage those who have been interested enough to read to this point to read the dissertation itself. However, I did want to mention a couple of key points from this section.
In the regulation of almost anything with international scope, the two alternatives often posed are creating a new international treaty or what is called “transnational private regulation” (TPR). I think TPR is much less well-known (I certainly hadn’t heard of it before I wrote the paper), but has a fairly strong track record in radiation dosage, the Internet (especially in cybersecurity), “dolphin-safe” tuna fishing, food safety (remember the Global Food Safety Initiative above), sustainable forestry, sustainable fishing, and sustainable coffee. The key features of TPR are as follows:
- A private entity (which may be for-profit or not-for-profit) sets standards for the regulated industry with input from industry members.
- Either (note these are some of the main models but there are many configurations):
  - companies around the world voluntarily agree to follow the standards;
  - the private regulator acts as a meta-regulator of several other private regulatory entities, which in turn regulate the companies; or
    - It seems to be more common for a private meta-regulator to enforce its rules on the other intermediate regulatory entities, for example through contract law or membership requirements, compared to when the main private regulator directly regulates the companies with no intermediary. (I’m not sure why, although I suspect this is because it is less likely to create competition law problems).
  - states directly implement the standards into their own laws, so that the standards become binding on companies that operate within their borders (see for example the International Commission on Radiological Protection).
These two options are not really alternatives since they can be combined, but they are often framed that way, and often TPR is presented as an opportunity to try to fill the gap created when international treaty negotiation fails. Also, as you can see above, TPR actually covers a wide range of different approaches, some of which can involve imposing non-voluntary requirements on companies, despite these examples often still being described as “self-regulation”, “self-governance” or “soft law” (as opposed to legally binding “hard law”).
I think the debate between these options is relevant to a wide range of issues, including not only artificial intelligence but also other technologies that create significant risks such as 3D printing. I note that there is already an EA forum post asking about other examples of self-governance that could be compared to AI. I think there are many examples of TPR, some of which appear to have been a success, but I think it is best to instead view the options for regulation as a spectrum with international treaties at one end and then purely voluntary systems like the IGSC representing the opposite end. TPR encompasses a wide range of options along the spectrum, including the purely voluntary systems on the far end. The question is really where on this spectrum is most appropriate for governing a given technology.
As an aside, I think that an important but non-obvious issue regarding the viability of a given TPR approach is how competition law is likely to apply to the suggested enforcement system. I have mentioned already that whether the IGSC can enforce its rules will depend on the competition law in the various jurisdictions that govern it (and indeed the conflict of laws rules that decide which country’s competition laws apply in each situation). I think this is an important area of research that it would be great for someone to explore, but which I did not even have enough time to look into during my dissertation.
After reviewing the literature comparing government regulation to self-regulation I found that, as you might expect, there is an unavoidable underlying trade-off. This is between the additional knowledge and flexibility that comes from the industry being able to govern itself, and the problem of the industry’s interests when regulating itself not necessarily aligning with the public interest. How this trade-off applies to a given case will depend on a variety of factors, as well as the specific governance structures used for the private regulator. There are in fact some fairly comprehensive papers outlining the various features their authors think a good TPR system should have, which I think should be drawn on more often.
Ultimately, I conclude in my dissertation that international law is not as effective as one might assume, that TPR might be more viable than it first appears, and NAS is really just another example where it is hard to know which is better. However, the main problem I see is with how the IGSC has turned out in fact (see the critiques above), so I think that if we are to use TPR the IGSC requires substantial reform (also detailed above). My view is also that this is probably a case (perhaps like many cases) where the two approaches should be combined if possible – especially since here it may be possible to simply amend or clarify how the BWC applies to achieve the same result as negotiating a whole new international treaty. My recommendation is therefore to reform the IGSC, possibly by handing regulatory power over to some future, much more developed version of IBBIS, and still at the same time attempt to clarify or amend the BWC so that it is clear it requires states to implement NAS screening regulations.
See for example Delay, Detect, Defend and an op-ed by Jaime Yassif (NTI) published in The Economist.
 This point is mentioned briefly in this paper at pg 13, although I haven’t taken the time yet to verify the papers it cites in support. The point was also more about different sized firms rather than those which involve different technologies, but intuitively having different technologies seems like it would create more problems than merely being different sizes.
 For the best explanation of this term I have found see Fabrizio Cafaggi, ‘Transnational Private Regulation: Regulating Global Private Regulators’ in Sabino Cassese (ed.), Research Handbook on Global Administrative Law (Edward Elgar 2016) 212 at 212-213. Some of this can be found on this link to the Google Books version.