
Managing the Insider Threat in High-Containment Laboratories

Gigi Kwik Gronvall

This article is part of Crossroads in Biosecurity: Steps to Strengthen U.S. Preparedness, published by the Center for Biosecurity September 8, 2011 to mark the 10th anniversary of the 2001 anthrax attacks.

            
When the FBI declared in 2008 that Bruce Ivins, a senior scientist for the U.S. Army, was solely responsible for the 2001 anthrax attacks, the insider threat to U.S. laboratories came into sharp focus. Many security measures had already been put into place since 2001 to address the concern that someone could misuse legitimate access to pathogens and laboratory equipment, but the Ivins allegation provoked additional questions about whether enough was being done.

External security threats to a laboratory would be apparent and straightforward to counter. Unauthorized people can be easily prevented from gaining access to anthrax in a laboratory by key-card access, a refrigerator lock, and/or a security guard who checks personnel badges. At the other extreme, a paramilitary attack on a university laboratory might allow the perpetrators to steal frozen tubes of pathogens, but not without drawing considerable attention to their crime. Discovering and countering an insider threat is a challenge that requires other forms of attention and calibrated action.

“Security” Has Its Costs

In the 10 years since the anthrax attacks, there have been no insider (or externally led) thefts or deliberate misuse of regulated pathogens. Laboratory security has been greatly enhanced, so there are now more checks on laboratory personnel and facilities than before. But additional security procedures come at a cost to both science and the research facilities. It is now considerably more expensive to conduct research on regulated pathogens[1]—the Biological Select Agents and Toxins (BSATs)—and it is much more difficult for U.S. scientists to form international research collaborations on BSATs, which cause disease everywhere in the world.[2]

If we are going to impose increased costs for lab security, then we should have great confidence that additional spending is sensible and actually buys enhanced security. Unfortunately, some measures, particularly personnel behavioral assessments and inventory control, incur costs without a security benefit, while other measures that could yield substantial benefits, such as management training for laboratory directors, are left relatively neglected. We should redirect our efforts accordingly.

Behavioral Assessment Is Not the Right Answer

Many of the laboratory security measures that are in effect now are intended to weed out a potential security risk during the hiring process, with the goal of avoiding hiring a high-risk scientist altogether. To that end, a clearance process has been in place since 2003 for scientists who work with regulated pathogens. The clearance process is administered by the U.S. Department of Justice, and it applies to all personnel who have access to BSATs.

Most research institutions actually go beyond the federal requirements and have their own procedures for checking personnel background, credentials, references, and credit. And personnel reliability checks do not cease once a person has been cleared for access; BSAT workers are continually monitored through laboratory inspections and record checks. Some facilities conduct video surveillance of all laboratory activities, while others enforce a 2-person rule, which stipulates that a BSAT researcher is not permitted to work alone in a laboratory—the security effectiveness of which has been called into question.[3]

The monitoring of BSAT workers extends to behavior as well, and a federal panel is currently examining whether psychological assessments of BSAT workers should be a national requirement.[4] All BSAT researchers who work in maximum containment labs (BSL-4) in the National Institutes of Health (NIH) are required to undergo annual behavioral health screens “designed to help assess the worker’s psychological resilience and individual attitudes toward laboratory safety and personal responsibility.”[5] While the Federal Experts Security Advisory Panel (FESAP), which has been tasked with evaluating the BSAT program, “will further explore the utility of behavioral assessments to identify indicators of potential for violent behaviors, criminal behaviors, or other behaviors that pose a national security risk,” some research institutions may try to anticipate FESAP’s recommendations and establish behavioral monitoring systems preemptively.

Will behavioral assessments of thousands of laboratory personnel catch an insider threat? A National Academies of Science (NAS) committee charged with examining personnel reliability measures thought that it would not. They also wrote of experts’ concern that, if a screening procedure is thought to be unfair or too intrusive, it could “ironically contribute to someone becoming disgruntled and potentially susceptible to the very behavior screening is intended to prevent.”[6] At some point, considering their extensive, years-long training, security clearances, and continual monitoring, those professionals who research deadly diseases need to be trusted to perform their work.

Federally required behavioral assessments could also give research institutions a false sense of security. Experts on the psychology of terrorism “have been nearly unanimous in [the] conclusion that mental illness and abnormality are typically not critical factors in terrorist behavior,” and that what is characteristic is a terrorist’s normality, in spite of performing heinous acts.[7] People who exhibit behaviors that are evidence of research misconduct, including fraud, certainly make for terrible laboratory personnel and would justify investigation and dismissal, but there is no evidence that those behaviors are linked to terrorism.

The Right Answer? Enlightened Leadership, Trust, and Openness

What then should research institution officials and the FESAP do about the insider threat? First, requirements already in place should be assessed and changed (or eliminated) if they are not effective. As an example, one of the duties of a BSAT laboratory is inventory control of pathogens. The intent of this security requirement seems logical. But tube-counting, quantity estimates, and regulatory inventorying make no sense in the context of a biology laboratory, as microorganisms multiply. The NAS committee on BSAT research recommended this procedure be changed because the practice is “both unreliable and counter-productive, yielding a false sense of security.”[6]

Unfortunately, this security requirement is not a harmless nuisance. Many hours are wasted cataloging laboratory inventory, and an empty tube could lead to an FBI investigation. But in addition to the time and expense incurred for this work and the prospect of misguided investigations of scientists who are guilty of nothing, these measures undermine the credibility of the security officials. Scientists who are being regulated need to understand the purpose and value of the measures with which they must comply. Otherwise, scientists may come to think they are being treated unfairly, that the regulations are just for show, and that they are not trusted. Such conditions are not conducive to scientific productivity.

To enhance protection against the insider threat, considerably more attention should be paid to promoting active laboratory management—to making sure that laboratory leaders have the time, responsibility, and training to be able to observe and evaluate what is happening in their laboratories day to day. After all, personnel screening tests are not perfect, and people change over time: Bruce Ivins was apparently able to function as a productive scientist for several decades before he is alleged to have mailed the anthrax letters.

Research on insider threats suggests that “in many cases there will be signs or signals that something is wrong prior to an event. Those cases in which an individual’s action is genuinely spontaneous are rare.”[6] To recognize potential security risks as they emerge, there has to be at least 1 person in a lab who is close to personnel and who can detect changes and potential problems and intervene if needed. Ideally, this person is an aware, trained manager who has the tools to detect and act on a potential problem.

Educating and training laboratory leaders and giving them the time they need to be actively engaged with their staff so they can detect troublesome behavior may be the most important security investment for deterring the insider threat. This point has been highlighted by many—most recently David Franz and James LeDuc, who stated that, “Official biosecurity policy must include means of fostering enlightened leaders . . . troubled scientists have and will come to an engaged and enlightened leader for help, where openness has been built and trust is the currency.”[8]

Do Not Discourage BSAT Research

Finally, it is important that we do not eliminate the insider threat by eliminating BSAT research altogether because it has been made too onerous to perform. Even if all biological laboratories had in place every conceivable security measure, the U.S. would not be secure against the threat of biological weapons. As the Defense Science Board put it, “A determined adversary cannot be prevented from obtaining very dangerous biological materials intended for nefarious purposes. . . . We need to recognize this reality and be prepared to mitigate the effects of a biological attack. We, as a nation, are not prepared.”[3] And we do not have time or money to waste in chasing a false sense of security by imposing ineffective measures on laboratories and scientists.

References

  1. Dias MB, Reyes-Gonzalez L, Veloso FM, Casman EA. Effects of the USA PATRIOT Act and the 2002 Bioterrorism Preparedness Act on select agent research in the United States. Proc Natl Acad Sci USA YEAR May 25;107(21):9556-9561.

  2. Rambhia KJ, Ribner AS, Gronvall GK. Everywhere you look: select agent pathogens. Biosecur Bioterror 2011;9(1):69-71.

  3. Report of the Defense Science Board Task Force on Department of Defense Biological Safety and Security Program. Washington, DC: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics; 2009. http://purl.access.gpo.gov/GPO/LPS113763. Accessed August 24, 2011.

  4. Federal Experts Security Advisory Panel. Recommendations Concerning the Select Agent Program. 2010; revised 2011. http://www.phe.gov/Preparedness/legal/boards/fesap/Documents/fesap-recommendations-101102.pdf. Accessed August 24, 2011.

  5. Skvorc C, Wilson DE. Developing a behavioral health screening program for BSL-4 laboratory workers at the National Institutes of Health. Biosecur Bioterror 2011;9(1):23-29.

  6. National Research Council. Committee on Laboratory Security and Personnel Reliability Assurance Systems for Laboratories Conducting Research on Biological Select Agents and Toxins. Responsible Research with Biological Select Agents and Toxins. Washington, DC: National Academies Press; 2009.

  7. Borum R. Psychology of Terrorism. Tampa, FL: University of South Florida; 2004.

  8. Franz DR, LeDuc JW. Commentary: Balancing our approach to the insider threat. Biosecur Bioterror 2011;9(3).