 So our next speaker is a supervisory special agent with the Federal Bureau of Investigation, Weapons of Mass Destruction Directorate, Biological Countermeasures Unit. I found the fed. I get a shirt. A little fun fact, he is also a big Star Trek fan and is a molecular biologist and biochemist originally. So here to present on his talk, Biotechnology Needs a Security Patch. Ladies and gentlemen, please welcome Eddie Yu.

 So good afternoon. Let me start by saying I consider it a real privilege and an honor to be able to speak at DEF CON and in the biohacking village in particular. And in the interest of time, I'll just go ahead and launch right into it in order to save some time for questions and answers at the end. But very quickly, and this is very appropriate because a couple of hours ago there was a talk on DIY bioweapons, and if there's anybody out there who's supposed to be protecting you all against biological weapons, it's us, we're one of the bigger players. I'm part of the WMD Directorate, the Weapons of Mass Destruction Directorate. It is one of the newest divisions within the FBI, and it was born unfortunately out of the events of the 9-11 attacks. And if you all recall, the U.S. has a dubious honor of being the one country that actually had a bioterrorism event. Literally one month after 9-11 we had the anthrax mailings that not only rocked the U.S. but it rocked the FBI in particular. And it shifted us from being not only a law enforcement investigative agency where we go in after the fact, where a crime has been committed, we go in, collect the evidence, find the perpetrator. That's all inherently reactive. Our priority, our number one priority now is one of prevention. And how do we stop another 9-11 from happening again? And in my program is how do you prevent the life sciences from being exploited and abused for offensive criminal purposes? Key point, there actually is a position within the FBI called WMD Coordinators. It's kind of a kick ass title. 
 But these are really the cornerstone of our programs. These are special agents, men and women that are trained in chemical, biological, radiological and nuclear matters. And the reason why they're the strength of this is there's at least one of these agents stationed in each of our 56 field offices across the U.S. So their job is to set up linkages and partnerships with state and local law enforcement with public health. And ultimately their number one priority is to go out and develop partnerships with universities, with companies in their jurisdiction including the biohacker community. So there are a lot of community labs across the U.S. who have heard of our message and has met. And one of the recommendations is hey, find out who your friendly local neighborhood WMD coordinator is and invite him out for a beer. But that's how we've been effectively trying to make sure that we protect the life sciences. And don't worry, I'm not going to bore you to death on this one slide, but this is just, there actually are federal criminal statutes dealing with biology specifically. And if you just look at the first one, it's a crime to not only possess a biological agent toxin resistant for use as a weapon. So if you're in possession of a particularly dangerous biological agent, a virus, a bacteria, a toxin, and you perpetrate an attack, that's the focus of the whole statute. It's the intent. If the intent is to perpetrate an attack, you're in violation of this crime. But the only reason why I show this is that this is only looking at historically for the last several decades when we talk about bio threats, it's always about the dangerous bugs or the toxins. And I want to talk to you about where biotech is taking us. This is no longer sufficient. So here's where things get a little bit interesting, where biotech is taking us. This paper came out almost two years ago now, where in China, they used gene editing. 
It's a very powerful molecular biology tool now that is fueling synthetic biology. It's going to be utilized by the biohacking communities. It's a very powerful beneficial tool. And here the Chinese actually announced that they modified human embryos. And that shocked everybody. I mean, this caused a flurry of policy discussions around the world. And then on top of that, just last year, you had the former director of the U.S. National Intelligence Organization classifying gene editing the equivalent of a WMD. So here you have, he listed the top 10 threats, right there up there was North Korea in their nuclear program, Iran in their nuclear program and gene editing. And to be honest with you, what? But that's the whole focus. It's the whole focus on here, biotech is developing some really powerful tools and oh God, someone out there is going to engineer the next zombie apocalypse causing virus. Okay, that's a little bit of a concern. But because of those one or two specific trees, we're missing an entire forest. And by the way, let me back up one real quick. If you look at that one paper though, even the Chinese admitted that the work that they did on the human embryos, it was crappy. The efficiency was really bad. And one of the things they realized that to counter, to make things like gene editing work better in the future, they need more data. They need more genetic information to make targeting more efficient. So the takeaway for me here is not the zombie apocalypse. The takeaway from here is this is an indication that it incentivizes gathering more biological data to make tools like this more effective. So what do I mean by that? Well, this is you. And I don't mean this as a commentary on your personal hygiene. But if you think about it, this is us because you leave DNA everywhere. Like you throw away the plastic water bottle you just drank from, spit out a piece of chewing gum, throw away a cigarette butt, use a plastic fork you toss away. 
 Even the seats you're sitting in, you're leaving a bit of yourself. DNA is everywhere. And that is actually very specific biological data. And it's getting more and more accessible, not just in what you slough off, but the first time an entire human person, an individual's DNA was disclosed, was in 2002, the Human Genome Project. That took over ten years and three and a half billion dollars to sequence one person's DNA. The technology today, you can sequence all of your DNA in one day for about 600 bucks. And I think within about a year or two it's going to be about $200 to sequence all of your DNA. And so right now we are generating massive amounts of DNA, genetic information. It also comprises the data footprint you leave when you go visit a doctor's office. It's your medical records, your family history. The private sector is developing an interesting data profile on who you are. When you download an app, this DEF CON, among any other place, is painfully recognizing that, you know, what rights are you allowing these different companies when you download an app to have access to your contact list, to your caller activity. They're using that information for some, yes, some beneficial and some profitable ways, but do you realize what you're agreeing to when you sign on to that? Wearable tech. You know, you have your Fitbit or your Jawbone and you upload your daily activity into their corporate clouds. There's a reason why that's going to be intriguing. Not just only for your individual health, but I'll talk a little bit more about that later. And even social media is looking at the potential health, the biological applications of the data, because when you put in an entry, that's time, date, stamped, and geotagged. So that's actually going to be kind of interesting. And a good shining example of that is the near and present precision and personalized medicine. 
So this is happening as we speak, that when you go into a doctor's office pretty soon, when you need to require medical treatment, the first thing they're probably going to do is do a data dump. They're going to look at your genetic information. They're going to look at your family records, your medical history. And this is happening in order to treat existing disease states. So if you go in as a cancer patient, they'll do a DNA sequence and based on your genetic profile, that will determine what your chemotherapy cocktail will look like. So we're starting to see that already. But the real brass ring, the goal is how do you stop disease from happening in the first place? And that's where all the other data comes in, that if you identify the risk factors, maybe you can counter it and stop it now in its tracks before the disease, before the medical condition manifests itself. That's the whole goal of how do we get customized specific treatment for your condition, but even better, how do we stop it from happening in the first place? And here's a good example of data in action. This is a U.S.-based company. It's one of those DNA diagnostic services. You pay a monthly service subscription fee. You submit a DNA sample, they'll sequence it, and they provide you some regular information. So for like the women in the room, they'll identify for you what BRCA, the BRCA gene variant you have, and that'll determine your risk of developing potentially breast cancer or obesity or Alzheimer's disease. This is a new thing. But here, this company, they published this paper that was really significant in two ways. That one, they identified 15 specific regions in your DNA that are highly correlated to severe clinical depression. And why I mean that's interesting is that it's one of the few times where you see such a high correlation between genetic and to a clinical state. But the other part that really makes this so powerful is how they got there. 
 They had a cohort of 450,000 individuals. So 450,000 of these subscribers provided their genetic information and volunteered their medical history, their family history. And using all that data is how they were able to find this correlation. This is how precision medicine works. It's finding all the data, looking at it in the massive scale. It's straight up statistics, right? The bigger the data set you have, the more reliability or fidelity you're going to have in your results. So bottom line, if I go in as a patient, you can have every single piece of data about who I am. It means nothing in isolation. How this works is now you compare me to a population data set. So look at how many other people are like Asian, male, my age range, my lifestyle. Look at the similarities, look at the differences and that will dictate what the treatment is going to be. And by the way, all those companies out there that you are now seeing advertising a lot saying, hey, look at your genealogy. What ethnicity are you? And all these type of diagnostic services, when you subscribe, they don't make money off of that. In fact, they lose money. It's not profitable for them. How they're going to make their return on investment is just this. That when they find those correlations they can sell this information to pharmaceutical, to biotech companies and come up with the specific treatments and the drugs. And by the way, if you're a subscriber, you sign on, you sign on any rights, any claim to any products that come out of this. So bear that in mind. But the important aspect of this is that the name of the game as we speak today is whoever has the largest, most diverse data sets wins the day. Unfortunately, that means that the bad guys know that too. And what I'm proposing here, and this is somewhat theoretical, is that this is one of the reasons why you're seeing a targeting of the healthcare sector. That it's not, this is not ransomware, this is not WannaCry. 
 This is looking at getting access to biological data. So if you look at historically, the very, very large and significant health insurance company hacks. I don't care about the PII, the private information. I don't care about the insurance. I don't care about the credit card information. It's the biological data that's really important. Because here you have a senior level person at a university who suffered from a breach of four and a half million patients and this is a direct quote, say, hey, don't worry folks. It doesn't look like a credit card or financial information was impacted. So don't sweat it. But in the same breath said, but those parts of the network that contains names of birth, names, dates of birth, social security numbers, Medicare health identification, and patient diagnoses and procedures. Well, yeah, that was hacked. That was accessed. Forget about credit card information. If you get the patient diagnoses and procedures, that's to the tune of millions of people, their medical condition, what drugs they're being provided, what treatments are being provided, what the schedule is. And oh, by the way, all these significant hacks, these companies hired their own private cybersecurity firms. They were Mandiant, CrowdStrike, FireEye. And those companies attributed all these health insurance hacks to a hacker group based in China. So somewhere sitting in China is all this biologically relevant data to the tune of millions of patients out there. But it doesn't mean that, you know, I classified that as criminal or covert acquisition of data. It doesn't help that we're giving it away too. That as of today, we are also in the midst of an information space race, whether you knew it or not. And for the most part, we don't recognize that. And so what I mean by giving away, this is a snapshot of a company called BGI. BGI was formerly known as the Beijing Genomics Institute. They are now based in Shenzhen. 
 And through the government and private support over the years, they are one of the world's largest DNA sequencing companies out there. So they sequence DNA fast. They do it at scale. And most importantly, they do it cheap. And so a lot of our universities and companies have partnered or contracted BGI to do DNA sequencing. So for cancer research, for diabetes research, for autism research, we're sending over blood samples, tissue samples. And yes, the DNA gets sequenced and our scientists and our doctors are getting the information. But at the end of the day, they have it too. And I don't care really whatever privacy contracts or statements they have signed. I don't know. But the point being is that the data is being made. And the key question is who actually has access to that? And it's not just the U.S. BGI rolled out a prenatal test kit in the European Union into 16 member countries. So if you're an expectant mother and you're worried about the health of your child, currently you go through a very invasive semi-risky amnio where they jam a large bore needle into your abdomen and pull out some amniotic fluid. Well, this test kit is you just do a blood drop on the mother and they'll isolate the circulating maternal and fetal DNA and sequence the DNA. And you get just as good a result as you would get from an amnio. So very cheap, very easy to do. And BGI, when they rolled this out in 2014, they wanted to get 400,000 pregnant women into the program. As of last year they had more than one million. So all across Europe there are more than a million mothers and their children and their genetic information. So yes, they find out about the health of their future child. But again, somewhere sitting in China is probably that genetic information. And it's not just BGI. This is another company called WuXi. Well, that fantastic story about I showed you that of a U.S. company utilizing that genetic information to find a correlation between data and depression. 
 Well, less than a year before they rolled out that finding, WuXi, this big giant pharma company in China became an investor, was an investor in that company. So why steal it? Just outright invest or merge with these companies and potentially have access to that data. The bottom part really bothers me a lot. That WuXi got their own DNA sequencing company and they were based in Shanghai. And this company got CLIA CAP accredited. What does that mean? They got accredited by the College of American Pathologists and got CLIA certification, which means that they are HIPAA or Privacy Compliant. So on paper they are good to go. So the entire state of California is looking at outsourcing genetic testing to China. So think about that for a second. You might be a patient in California and walk into a health clinic or a hospital seeking medical care and unbeknownst to you, your samples might be tested in either a Chinese or a Chinese affiliated firm and you don't know that. But at least on paper they are Privacy Compliant according to our existing policies. This is another company that acquired, I guess you would say older generation DNA sequencing. They acquired a company in the U.S. that had next generation sequencing technologies. And the only reason why I highlight this is that if a foreign company comes in and wants to buy an arm of Raytheon, Northrop Grumman or Boeing, that immediately raises a lot of red flags because that's sensitive aerospace technology and there's a lot of oversight and review that happens. But if a foreign company like this company in China comes in and takes over a biological company or somebody has access to DNA sequencing data, it doesn't get flagged for the same kind of oversight and review. It's just bio. It's just medical data. What's the big deal? And here's yet another company called Novogene. They are literally only a couple years old. 
 They bought some of the latest generation DNA sequencers and now they are actually one of the largest DNA sequencing companies in the world. And the thing is those three companies I just mentioned, Novogene, WuXi and BGI, as of two months ago all three are CAP accredited. All three are HIPAA compliant and so they can outbid everybody out there. So my guess is that if we're not careful, the entire U.S. and the rest of the world might outsource genetic testing to one of these three companies. So it doesn't matter that if you're familiar with data sciences, you can sit on all the data in the world. It doesn't matter. You have to get the tools to make that data useful. And China shows some tells here too that it shocked the entire world because he was sitting on top of everything but why? He's starting a whole new artificial intelligence and machine learning company to make the data useful. And here's yet another interesting tell that BGI partnered with Huawei. And if you're not familiar, Huawei is the world's largest telecom out there. They are think of Amazon Web Services and AT&T and Verizon combined and that's Huawei and yet you have a DNA sequencing company partnering with BGI. WuXi also partnered with Huawei just last year. So pretty soon a company that's trying to dominate the networks and put smartphones out there, you may install your iHealthKid or Fitbit app onto. They're going to be tapping into those networks and they're having access to those very large genetic data streams as well. So bottom line, do we really recognize what the security standards are? And nowhere do I want to say that we need to come full stop on this. There's just too much problem. If you can cure cancer, if you can treat disease, absolutely we need that to happen. But we do need to see that we need to go into this with our eyes wide open that there are some consequences that we need to be taken into consideration. 
 My program, we partnered with the National Academies of Sciences and we hosted a series of workshops over the last year on data security when it comes to privacy. Not a whole heck of a lot when it comes to security. And that becomes a little bit of a problem. But because of this though, it's a challenge. We have a window of opportunity to understand, hey, one, this is an issue. This is not like I said viruses, bacteria, toxins. But the sort of the meme that I'm trying to get started is for our lack of foresight, if we're not careful, they corner the global data and everybody else's, then the US might become healthcare crack addicts and China might become our pusher. And if that happens, is that okay from a security standpoint? And I don't mean to be completely China bashing all the time, it's just that they are the most blatant players. But I guarantee you that as data becomes more and more a commodity that everybody's going to go out and try to grab as much data as they can to see how they can monetize it. And if that's the reality, you're going to have all kinds of security considerations to think about. So with that, you know, I'm an FBI agent. I deal with biological WMDs and yet here I am speaking at DEF CON, which again hats off to Nina and the invitation. This is really truly a privilege and even a few months back to South by Southwest where you're seeing the cutting edge of innovation and investments. This is where the economy, not only the US but globally is going. And do we really, really want to see what we are? So with that, I just wanted to tell you that there's so much promise in this field in biotech that all of you are going to be a part of this either willingly or not. But at the same time, how can we potentially recognize this as an issue and then how can we be part of the solution to address these new challenges. So with that, thank you. And I think I have a little bit of time for questions, right? All right. Hello. Oh, okay. 

 To sort of combine the whole WMD with the data is a commodity and hacking, how do you guys look at what they say some foreign entity hacks this vast store of data, gets access to this data and then uses it to either one, target a specific population based on their genetic data or conversely target a vast area of the population based on their genetic data.

 Yes. Thank you. I appreciate that. That always comes up and that it actually was brought up at two talks ago about the DIY biological weapons and again, it goes back to somebody making the engineering, the zombie apocalypse of virus and targeting a specific ethnic group. Yeah, I mean, you always discuss and includes that, but I'm going to turn that around a little bit. Okay, so look at where the incentives are going to be, like I mentioned before. So it's in their best interest if you look at China or the Southeast Asian region in the just in general, they are faced with a clear and present danger of emerging and reemerging infectious disease. Influenza, it's percolating in their background. It's going to, it's not a matter of if, it's when. We had a 2009 H1N1 pandemic, right? It's going to happen again. I guarantee you that. But theoretically speaking though, theoretically speaking you could potentially, if you have enough population data all around next time you get hit with a pandemic you can probably engineer, manufacture a vaccine that may be more specific for your own population and just sit back and let the rest of the world get sick. That's almost as good as an offensive capability but it's far more an incentive to want to do that for yourself. Either or sell it to the rest of the world in an incredible markup. Either way, they hold all the levers and again it comes back to this is not privacy, this is not germ warfare per se, although it has an aspect of it, but there's a whole spectrum of risks that we're not thinking about. 
 What does it mean that if someone out there, they can figure out what your future medical fate or those of your family members or those of your children, what it might be. Can you imagine right now that when you buy stuff from Google or Amazon, you get started with emails saying, hey, based on your purchase history you might be interested in this. That's all machine learning based on your pattern of activity. What happens if someone out there has that type of information about you biologically and say, hey, you might be vulnerable to this particular disease so we're the only ones that can provide this to you. That becomes an incredible hook, and again this goes so much beyond the individual, looking at what's the impact on our economy or economies, and then looking at what does this do for our biodefense, or also destabilization on our current foreign trade agreements. If you promise I won't target your finished IP data today, it may not mean that much because you don't have the tools to make it useful, and if someone out there will take it, but two years, five years, ten years from now, as soon as we develop, all of a sudden that data becomes incredibly valuable. But we're not thinking about it that way. We're looking at the finished product, and I think that's too short-sighted on our part, and because of that we're leaving ourselves wide open to be blindsided. Sorry, long-winded answer to your question, but it is true, you bring up at one point that's one aspect, but there's a whole range of issues that we haven't taken into consideration yet.

 Alright, thank you everyone.