About the SA Blog Network



Opinion, arguments & analyses from the editors of Scientific American
Observations HomeAboutContact

A Crypto Expert’s View on Scary Bird Flu Data

The views expressed are those of the author and are not necessarily those of Scientific American.

Email   PrintPrint

Avian InfluenzaAfter months of contentious debate, the journal Science is publishing a controversial study on Friday about H5N1 avian influenza‘s ability to spread among mammals. The report faced a tortuous path to publication as some researchers sought to censor the study’s findings for fear that they could be replicated and put to nefarious use. In a Science Perspective article accompanying the H5N1 research led by Ron Fouchier at the Erasmus Medical Center in the Netherlands, cryptographer Bruce Schneier draws parallels between cyber security and efforts to control access to scientific data.

Whether a virus effects computers or living things, a head-in-the-sand approach to protecting information about the virus’s nature is unlikely to be successful, according to Schneier, chief security technology officer and co-founder of digital security services firm BT Counterpane. He points out that virologists take significant risks when they rely on secrecy to protect their findings. Secrets are difficult to keep and once the data is exposed the researchers have little recourse—the genie is out of the bottle.

Likewise, the omission of technical details—initially proposed by the U.S. government’s National Science Advisory Board for Biosecurity’s (NSABB) for Fouchier’s research as well as another H5N1 study led by Yoshihiro Kawaoka at the University of Wisconsin–Madison published last month in Nature—provides poor security, according to Schneier. (Scientific American is part of Nature Publishing Group.) Kawaoka’s research detailed the mutation of lab-made strains of the H5N1 avian flu virus to the point where it became highly transmissible in ferrets. Sooner or later someone would have filled in any missing pieces, either through trial and error or working backward from the study’s results.

It is also a mistake to think that an experiment is too difficult for others to replicate for lack of access to the necessary equipment. “What is impossible today will be a Ph.D. thesis in 20 years, and what was a Ph.D. thesis 20 years ago is a high-school science fair project today,” Schneier says.

Although much research is now analyzed, stored and disseminated via computer networks, scientists should understand something that most businesses still haven’t grasped: “Everything gets hacked,” Schneier says. The list of organizations whose data has been compromised by cyber attackers or insiders leaking information includes banks, government agencies, military institutions—and the list goes on. One of the most glaring recent examples is the professional networking Web site LinkedIn. After a massive security breach and a seemingly complacent response to the theft of millions of poorly protected customer passwords LinkedIn now faces a $5-million class action suit and, perhaps worse, a general sense of mistrust among its users.

Trying to keep scientists from publishing the results of sensitive research for fear that an enemy might use this information is problematic, says Schneier. If the scientific community is facing a difficult problem with serious consequences, someone, somewhere will be working on a solution. And even a prestigious journal like Science or Nature had refused to publish the H5N1 research, it would have found its way to the public online, where there are no international borders.

Labs have some recourse against “opportunistic attackers”—those who exploit weak security for financial gain. Against them, relative security is important. “You are safe if you are more secure than other networks,” Schneier says. Targeted attacks are another matter. “It is almost impossible to secure a network against a sufficiently skilled and tenacious adversary,” he writes. “All we can do is make the attacker’s job harder.”

Schneier’s Perspective article elaborates on a presentation he gave at April’s Royal Society H5N1 research conference in London. “I wasn’t asked to comment on H5N1—I was asked to explain the realities of cyber security,” he says. “But after listening to everyone talk about the issue, I realized that I had a lot of related experience that might be useful to the virology community.”

Although this was the first time Schneier has specifically applied lessons from computer security and cryptography to another academic discipline in this way, the nature of the data being protected is irrelevant, he says. “The names and motivations of the attackers are slightly different, but so what? It’s all on the same computers and networks,” he adds. “The attack tools are all the same.”

Image courtesy of the U.S. Geological Survey

Larry Greenemeier About the Author: Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.

The views expressed are those of the author and are not necessarily those of Scientific American.

Rights & Permissions

Comments 4 Comments

Add Comment
  1. 1. darkfire79 6:01 pm 06/21/2012

    He’s right.

    Link to this
  2. 2. davidhill 12:39 pm 06/22/2012

    A Drug Cure will always come too late to save Humanity

    In 1997 the pandemic was stopped in its tracks in Hong Kong. The system adopted was not reliant upon a drug cure but that prevention was better than cure. It worked and Ken Shortridge who devised the strategy was given the Asian equivalent of the Nobel Prize in medicine, The Prince Mahidol Award. By doing this Prof. Shortridge stopped a bird flu pandemic starting and which had the propensity to kill millions (the only one ever to do so and prevent the deaths of incalculable numbers). The premise was, ‘don’t let it start in the first place’.

    Why has the establishment therefore forgotten the first dictum of medical health that ‘prevention is better than cure’?

    And why have those who are advocating a drug cure not taken on-board this system that has worked? This question is postulated because the Swine Flu pandemic showed that with reference to the Spanish Flu in 1918 which took up to 100 million lives, that a cure would come too late. In this respect it was not until 7 months 1 week that a vaccine was created and then it had to be manufactured and thereafter distributed to the masses (a logistics nightmare). In the second wave of the Spanish Flu, after the virus had mutated again into a human-to-human killer, it did its worst between week 16 and week 26, some 1 month 1 week before a cure was found for the Swine Flu pandemic.
    Therefore whatever way we look at it a drug vaccine will come too late to save us, no matter who you are from the president of the United States downwards. Fact not fiction.

    Margaret Chan, Director-General of the WHO says that it is only a matter of time not when the killer virus will emerge – may be next week, next month, next year or whenever; but it will happen sometime and such a pandemic according to pandemic researchers is overdue. Therefore we are living on borrowed time and we have to adopt Prof. Shortridge’s strategy for the good of all humanity.

    Dr David Hill
    Chief Executive
    World Innovation Foundation

    Link to this
  3. 3. sunspot 6:49 pm 06/22/2012

    You said: “And even [if] a prestigious journal like Science or Nature had refused to publish the H5N1 research, it would have found its way to the public online…”

    In this incredibly naive statement, substitute the words “nuclear bomb research ” for “H5N1 research”. The comparison with nuclear security is far more compelling than Mr. Schneier’s parallels with cyber security. It is reported that H5N1 has the potential to kill far more people than any nuclear bomb that was EVER envisioned. After many years in nuclear research, I am well aware of the need to tightly guard this knowledge. Why was this incredibly more dangerous H5N1 research even allowed to proceed outside government control, let alone published?! The NSABB, along with Nature Publishing Group, is as criminally negligent for publishing this research as they would be if they published research on nuclear bombs … and yet they did it … apparently with the blessing of the US government, and with little thought to the future lives that they put at risk.

    If “scientific knowledge” trumps risk to human life, then Dr. Josef Megele is alive and well in the hearts of the bio-research community, and in the hearts of the governments and publishers that encourage their work. Nuclear research is controlled, and few would dare to demand its publication! If we do not learn to control the direction of current bio-research, then future generations (if they survive) may dub the 21st century, not the Age of Science, but the Age of Mengele.

    Link to this
  4. 4. EyesWideOpen 7:27 pm 06/23/2012

    I agree. By publishing the information, it may effectively thwart attempts to create and deliver a virus. Now, everyone who is a stakeholder in humanity’s survival has this information. EVERYONE. Not only terrorists, but those who would destroy their diabolical plans. Ironically it’s the world’s geniuses, who may reap the greatest rewards from this planet’s resources (including human resources), have a vested interest in killing terrorists before they kill them. Make no mistakes, their motives may be Darwinian, but it’s not in anybody’s best interests for terrorists to create an epic plague, ironically, not even in the terrorists’ best interests. Unfortunately, many terrorists are insane and have religious delusions that may dwarf those of the most rabid fundamentalist preachers. It may take their Darwinian counterparts, with their exceptional gifted intellects and will to survive, to put these terrorists out of their misery. Nobody lives in the lap of luxury in a world without people, and a world of cybernetic slaves to serve a few rich folks is a long way off.

    Link to this

Add a Comment
You must sign in or register as a member to submit a comment.

More from Scientific American

Email this Article