
Section 2.4
Protect Critical Biotechnology Infrastructure
Chapter 02
Recommendation 2.4A
Congress must direct the Department of Homeland Security (DHS) to ensure that biotechnology infrastructure and data are covered under “critical infrastructure.”
The Cybersecurity and Infrastructure Security Agency (CISA), within the DHS, is the operational lead for federal cybersecurity policy and operations and the national coordinator for critical infrastructure security and resilience.176 Its activities are guided by a list of 16 Critical Infrastructure Sectors that Presidential Policy Directive (PPD) 21 established in 2013.177
CISA is responsible for engaging with stakeholders in these Critical Infrastructure Sectors, including for the purpose of revising the National Infrastructure Protection Plan (NIPP).178 Biotechnology infrastructure cuts across a number of these designated Critical Infrastructure Sectors, including the health, agricultural, and industrial sectors.

Indeed, PPD-21 designates as critical a number of sectors relevant to biotechnology: chemicals, critical manufacturing, the defense industrial base, energy, food and agriculture, and healthcare and public health.179 But these areas are neither specific to biotechnology nor reflective of the full breadth of the biotechnology sector.180 Currently, the federal government does not adequately protect either physical biotechnology infrastructure or sensitive biological data, despite their major ramifications for the economy, public health, and national security.181
Adversaries and malicious actors will increasingly target the biotechnology sector’s infrastructure and data.182
Already, they have carried out numerous attempted and successful cyberattacks on critical infrastructure in biotechnology, including against hospitals and agricultural facilities.183
Biological data, which are critical to discovery and frequently contain sensitive personal information, face specific vulnerabilities. Some federal government efforts underway aim to protect sensitive types of biological data, including the National Institute of Standards and Technology (NIST) framework for genomic cybersecurity and the National Institutes of Health’s (NIH) Genomic Data Sharing policy.184 But these piecemeal efforts do not holistically address the changing landscape of genomic and biometric cybersecurity.
The DHS has existing authorities to help the private sector protect its most valuable and national security-relevant physical and digital assets, but its sector-based approach means there are currently no clearly designated, biotechnology-specific critical infrastructure protections. The DHS needs to treat biological data, along with the entire biotechnology sector, as critical infrastructure for cybersecurity purposes.185
To this end, Congress must direct the DHS to ensure that the biotechnology sector is covered by the list of Critical Infrastructure Sectors and require CISA to integrate the protection of genomic and other sensitive biometric data into its national strategy. Together, these actions should ensure that biotechnology infrastructure and data are covered under “critical infrastructure” and duly protected as such.
Given the urgent need to address this gap, once this recommendation is passed into law, the DHS should submit a work plan within 45 days. Since some biotechnology-specific infrastructure is already covered, this work plan should ensure that biotechnology is covered under the existing sectors, rather than adding it as a new one.
The DHS should consider including in the work plan:
- a preliminary list of biotechnology infrastructure stakeholders, such as the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC);
- an outreach plan to ensure that stakeholders are aware that they are covered under existing Critical Infrastructure Sectors (and which ones);
- an action plan to ensure that biotechnology stakeholders are represented at their appropriate consortia and Coordinating Councils; and
- an action plan to update the National Infrastructure Protection Plan (NIPP) by 2026, with input from the biotechnology sector.
Following the submission of this plan, DHS would execute it and submit a final report to Congress based on its findings. This entire process should take less than a year.
Additionally, Congress should amend the Cybersecurity and Infrastructure Security Agency Act of 2018 to:
- categorize genetic data systems that involve genomic sequences and other sensitive biometric data as critical infrastructure;
- require CISA and biotechnology sector stakeholders, including the government agencies responsible for biosecurity (see Section 4.4a), to together develop security protocols for genetic data, including joint exercises and data sharing;
- increase the staff at CISA as necessary to implement security policies and protocols related to the new responsibilities regarding genomic and other sensitive biometric data;
- implement training for federal personnel on protecting genetic and other sensitive biometric data, addressing unique security challenges and ethical considerations;
- incorporate genetic and biometric data security into the national cybersecurity strategy, thereby ensuring an ongoing focus on and adaptation to new threats; and
- collaborate with entities working on biosecurity (see Section 4.4a) to ensure that security concerns are synchronized (for example, coordinating when these data connect with systems that convert them into physical genetic sequences).
No later than two years after the NIPP is updated, Congress should direct the DHS to conduct a follow-up evaluation. If there are additional critical biotechnology areas that do not fit under the current sectors, that finding should be explicitly stated in the DHS’s report to Congress.