Hide table of contents

I’m an EA lawyer with an interest in legal routes to reduce biorisk. In the course of some research, I’ve come to think the Bureau of Industry and Security at the U.S. Department of Commerce may have significant power to reduce risks from biotechnology. (I think the same is true of artificial intelligence, and know some other EAs are working on export controls in that context.) The goal of this post is to briefly summarize my research and thinking so that others interested in these ideas can vet and/or benefit from them.

How Export Controls Work

“Export controls” are laws and regulations that restrict release of critical tech, information, and services to nationals of and persons located within certain foreign countries. (I’ll mostly be ignoring a distinction here where sometimes controls are focused on the country to which items/info are exported, and sometimes (with “deemed exports”) to nationals of those countries, even when located in the U.S. Apologies for some imprecision here.) Most countries impose such controls in some form, and they’re the subject of multiple (nonbinding) agreements between nations, such as the Wassenaar Arrangement for arms control and the Australia Group for biological and chemical dual-use technologies. The U.S. generally seeks multilateral agreements like these before adding items to its domestic export control lists, but can and does act unilaterally when it wants to impose additional controls (see here for a recent example concerning software designed to automate analysis of geospatial imagery).

Within the U.S., export controls are largely governed via (1) the Munitions List (ML), a State Department-administered program directed at technology that is “inherently for military end use” (this is construed pretty narrowly, and most tech not funded by the military will not qualify), and (2) the Commerce Control List (CCL), a Department of Commerce-administered program covering a vast array of potential dual-use tech (see here and here to get a sense of the categories addressed).

When an item is placed on the CCL, it cannot be “exported” or “released” in a manner that would make it available to certain countries or their nationals except under a license issued by Commerce. Export includes physical shipment of goods as well as distribution of information by electronic transmission or publication, and it extends from the specific items placed on the list down to any information required for designing, developing, creating, or using such an item, including instructions, models, and technical know-how. See 15 C.F.R. § 774 Appendix 2. Violation of the licensing requirement carries massive penalties, including fines up to $300,000 (or 2x the value of the offending transaction) and up to 20 years in prison.

Commerce has extremely broad discretion to place any item on the CCL that could be used militarily by another country or otherwise impair U.S. security, and its decision to do so is “in effect judicially unreviewable.” State v. United States Dep't of State, 996 F.3d 552, 564 (9th Cir. 2021). This means that Commerce can restrict access (including via publication) to certain types of technology or information by a method that’s less time-consuming and fraught with uncertainty than legislative or judicial action.

Using the CCL to Reduce Biorisk

The CCL already addresses a number of biosecurity-relevant items, including pathogens and genetic material from pathogens on the Australia Group list and CDC Select Agents list, plus tech for their development/production.* 15 C.F.R. § 742.2(a)(1); CCL §§ 1C351, 1C353, 1E001 (search in this doc). Recently, however, Congress has explicitly expanded Commerce’s mandate to “emerging technologies” that are “essential to the national security of the United States,” and asked it to establish licensing policies for such items (Export Control Reform Act of 2018).

The BIS, the division within Commerce responsible for the CCL, has interpreted “emerging technologies” to include “biotechnology” as well as “advanced computing technology” and “artificial intelligence and machine learning,” and has begun the process of issuing rules to address specific technologies within these categories. Recently (after negotiating similar controls for other Australia Group participants), BIS released a final rule placing controls on software for nucleic acid assemblers and synthesizers “capable of designing and building functional genetic elements from digital sequence data,” i.e. software that could be used to generate pathogens for biological weapons. (Full text of rule available here.)

I’m not going to discuss specific items that might be added to the CCL to reduce biorisk in this post, and would encourage people to use good judgment in avoiding info hazard territory in the comments; please feel free to DM me if you want to talk about specific tech instead. For purposes of thinking about potential applications and impact, I’ll say I’m particularly interested in export controls because I think they might help reduce information hazards by constraining publication of certain material,* which is an extremely difficult nut to crack under U.S. First Amendment law, no matter the circumstances -- and changing incentives around publication has potential to change incentives around research. Likewise beyond the scope of this post, but potentially important, is the fact that the Foreign Investment Risk Review Modernization Act of 2018 requires companies developing technologies placed on the CCL to undergo an onerous national security review before accepting investment from many foreign nationals.

Potential Limitations on Use/Usefulness

Finally, a few notes on constraints that apply to BIS and might be relevant to work to reduce serious risks from biotech:

  1. Preference for multilateral action: As noted, BIS prefers to implement controls that have multilateral support, although it can do so unilaterally. Expansion of export controls might require BIS either to depart from this general policy or to successfully seek multilateral agreements, which might make the process slower and more difficult than ideal. (The end of this article describes some impatience on the part of Congress with the delays here.)
  2. Other agency involvement: Although Commerce has authority to decide what goes on the CCL, for items that aren’t addressed by multilateral agreements or other regimes like the Select Agents program there’s an ambiguous multi-agency consultation process involving DoD, Energy, the State Department, and others -- it’s unclear whether that has any teeth, but anything inter-agency has the potential to create hassle.
  3. Exception for “fundamental research”: An exception to the export control regulations applies to technology “that is released to conduct fundamental research” -- i.e. research for non-commercial purposes “the results of which ordinarily are published and shared broadly within the research community.” 15 C.F.R. § 734.8. This might reduce the capacity of export controls to prevent publication in scientific journals. On the other hand, (1) the exception wouldn’t apply to large swaths of technology of concern, (2) I think there are medium-good arguments for construing the exception to exclude some of the highest-risk material, and (3) my current understanding (I don’t have a background in admin law -- please chime in if you do!) is that Commerce could simply override this exemption as part of the rulemaking where it adds items to the CCL.
  4. Constitutionality: As noted, it’s very hard to restrain publication of pretty much anything in the U.S. given how expansive our First Amendment is. This concern may be surmountable both for practical (lack of review mechanisms) and fundamental (based on narrow categories of case law) reasons, but I’d expect it to be an uphill battle to secure durable restrictions in some circumstances.

Feedback welcome!

Thanks to Andrew Snyder-Beattie, Jake Swett, and Helen Toner for helpful comments.

* Analogous EU rules were interpreted in 2012 by the Dutch government to require licensing for information related to genetic modification of the H5N1 flu before it could be published in Science. Christian Enemark, Influenza Virus Research and EU Export Regulations: Publication, Proliferation, and Pandemic Risks, 25 Med. Law R. 293, 294 (2017).

Comments2
Sorted by Click to highlight new comments since:

Very interesting post, thanks for taking the time to write it up.  It sounds like the BIS is moving in the right direction on regulating some sensitive biotech stuff.  While it seems like there are some obvious things to add to this list (e.g. dangerous pathogens), it also seems like a lot of the dual-use stuff would be non-obvious to regulate this way given that many of the technologies that could be used to engineer a pathogen also have legitimate scientific and industrial applications. 

I've included some of my shallow notes on this topic from investigating the Chinese bioeconomy.  

Challenges with dual-use 

For example, one area that has received particular scrutiny regarding import-export controls is w.r.t. surveillance technology used in China. In a 2018 letter to Secretary of Commerce Wilbur Ross inquiring about the sale of surveillance Technology to Chinese police, Senator Marco Rubio (R-FL) and U.S. Representative Chris Smith (R-NJ) wrote: 

Recently, Human Rights Watch and other organizations have identified Thermo-Fisher Scientific, a Massachusetts based company, as selling DNA sequencers with advanced microprocessors under the Applied Biosystems (ABI) Genetic Analyzer brand to the Chinese Ministry of Public Security and its Public Security bureaus across China. 

The letter goes on to request answers to the following questions:

1) Given that most crime control and detection and surveillance equipment, software and technology are controlled under the Export Administration Regulations, what factors are being used to determine the suitability of an export to an agent of state security?  How did Thermo-Fisher surmount a presumption of denial to sell their product to the Chinese government?

2) What other product licenses have been sought under Export Administration Regulations sections 742.7, 742.13, 744.17(c), or other sections, to sell to agencies of China’s state security? 

3) In light of recent reports, how are you—in coordination with the Department of State—reviewing the export of items being used by Chinese military and police end-users for surveillance, detection, and censorship, to determine whether more scrutiny is needed over the proliferation of “dual-use” information, software, and communication technologies? Are new legislation or new authorities needed to revisit/revise export control regulations so they are consistent with the rapid evolution of technology?  Is software or technology which could be used for the purpose of domestic repression, subject to export controls with respect to Chinese end-users of concern? 

4) In addition to possible export controls, is there any discussion currently underway to, at the very least, restrict the end-users of such technologies, in this case Xinjiang Public Security and related entities? 

In a response letter, Secretary Wilbur stated that the rules did not apply to Thermo Fischer because

The items [gene sequencers] are low-technology products that are available from worldwide sources, including indigenous Chinese sources, and have numerous legitimate end-uses,”

 including in education, medical research, and forensics, according to Mr. Ross’s letter. 

This, I suspect, is the biggest challenge with an import-export. Where do you set the bar for technologies or products to join the export control list when it has applications in science or industry. Another externality here is that US biotech firms that sell products and services in China are likely to be hurt by too far-reaching an export control list (For more info on these considerations I recommend the report Two Worlds, Two Bioeconomies: The Impacts of Decoupling US–China Trade and Technology Transfer). 

Foreign investment

With regards to foreign investment,  the U.S. has been pretty active in response to Chinese investment in biotech.  The Committee on Foreign Investment in the United States (CFIUS)  which sits under the Department of Treasury is the body in charge of reviewing transactions involving foreign investment in the United States that could involve national security concerns. The Foreign Investment Risk Review Modernization Act of 2018 (FIRMA) expanded CFIUS's purview to include subjecting even non-controlling foreign investments in companies with certain critical technologies or involved in sensitive data collection of US citizens.  Under Firma, Chinese investment in U.S. biotech dropped sharply

The article presents two biotech case studies where CFIUS has intervened:

After receiving $5 million in funding from the Department of Defense, San Francisco start-up Twist Bioscience, makers of synthetic DNA, decided to expand manufacturing through a Chinese subsidiary. This prompted an amendment to Congress’s annual defense policy bill to ensure grant recipients of the Pentagon’s Defense Advanced Research Projects Agency are prohibited from partnering with entities subject to foreign company or government control. The main concern cited was the threat of the Chinese government stealing intellectual property and trade secrets from American companies (O’Keefe, 2019).

In 2017, PatientsLikeMe, Cambridge-based online service that helps patients find people with similar health conditions, sold a majority stake to China’s iCarbonX. The goal was to combine the Chinese firm’s artificial intelligence technology with PatientsLikeMe’s customers and data sets. Currently, around 700,000 people use the website, which has generated tens of millions of data points about disease. CFIUS is now forcing a divestiture because the company collects potentially sensitive data on users who set up profiles which poses a danger to US national security. With this decision, PatientsLikeMe not only loses its principal financier, but also a critical technology partner (Farr, 2019).

Under its authority, CFIUS could and probably does try to prevent foreign actors from gaining bioweapon-enabling by means of technology transfer through foreign investment, but the same challenges around dual-use research are present. 

Overall thoughts

  • The U.S. government's focus on regulating foreign investment and doing export control stuff seems more broadly motivated by concerns about economic competitiveness, IP theft, and national security priorities (some more reasonable than others) that currently don't cleanly reflect GCBR reduction priorities. 
  • Any kind of unilateral approach on import-export regulations or even foreign investment is challenging since countries can find other vendors or companies of advanced biotech in Europe and China. That being said, the U.S. has the largest and most advanced bioeconomy so limiting the export of sensitive tech and products could certainly still limit some critical supplies, although I'm unsure of what. 
  • One approach might be to limit more dual-use biotech under export controls at a baseline, but increase the capacity at BIS to oversee exceptions to the export control list. This way sales can be verified against military or other suspicious end users.  

Thanks so much for your detailed comment, and sorry for not seeing it earlier!

I'm a bit unclear what's going on in the Thermo-Fischer example: The second question from the initial letter makes it sound like TF had been granted a license to export under the EAR, but I don't see a claim that the technology was covered by the Commerce Control List, and the response from Ross seems to suggest otherwise (from what I can tell, I'm behind the WSJ paywall).

In any event, I think this is just the same issue that comes up generally with regulation of dual-use technologies. There's a question of whether technology with dual-use potential can be restricted from export under the CCL, and I think the answer to that is clearly yes (see, e.g., the restriction on software for DNA synthesizers). Then there's the separate question of whether it should be restricted, and that's going to require a context-dependent analysis of each case, with consideration of the balance of offensive and defensive uses of the tech. This is often a difficult question, but I think the analysis from a GCBR/advocacy perspective is going to be the same as it is for, say, differential development of technologies.

The concern about multilateral controls is a good one in general, though I think unilateral controls still pack a lot of punch when it comes to, e.g., publication of research by researchers at American universities.

Curated and popular this week
Relevant opportunities