A critical infrastructure biodefense program should be established at the Department of Homeland Security as “biological events could destroy, incapacitate, and disrupt critical infrastructure and prevent our society from both functioning properly and protecting itself,” says a new report from the Bipartisan Commission on Biodefense.
The commission, chaired by former Sen. Joe Liebermann (I-Conn.) and former Homeland Security Secretary Tom Ridge, noted in its report “Insidious Scourge: Critical Infrastructure at Biological Risk” that when the 2001 anthrax attacks occurred “critical infrastructure sectors were caught unaware and unprepared,” with sectors adversely impacted including commercial facilities, emergency services, critical manufacturing, energy, the defense industrial base, transportation, government facilities, healthcare, and even the chemical sector as demand for antibiotics Ciprofloxacin and Doxycycline skyrocketed.
“The public turned to the Internet, greatly increasing the load on servers, generating opportunities for the spread of misinformation and disinformation, and creating enormous inefficiencies in the Information Technology Sector,” the report adds. “The instability produced by poor communications and Internet-driven mass panic affected the stock market and became an issue with which the Financial Services Sector had to contend, especially after the discovery that anthrax could survive on banknotes.”
“The cost of testing, remediation, and prevention of further anthrax contamination exceeded $1 billion … The anthrax events of 2001 impacted 11 critical infrastructure sectors. All 16 critical infrastructure sectors remain at biological risk today.”
The damage to critical infrastructure sectors comes not just from the risk of reduced manpower as employees fall ill or die in large-scale biological events. “The malfunctioning of some sectors could exacerbate the impact of a biological event. For example, the physical compromise of Dams Sector water retention facilities could result in standing water that attracts mosquitoes and other vectors of disease,” the report states. “Physical compromise of the Water and Wastewater Systems Sector could result in inadequate water treatment and the continued presence of disease-causing organisms. Physical compromise of laboratories that work with organisms in the Chemical Sector, Food and Agriculture Sector, and Healthcare and Public Health Sector could result in the release of organisms to surrounding environments.”
Data compromises could spread disinformation about biological events or even “delay the identification of organisms and hamper the ability of these sectors to track the spread of disease.” COVID-19 also showed how the supply chain can buckle under the demands of a pandemic.
And the critical infrastructure sectors are considered targets for biological attacks, “but some are more attractive than others,” the report notes, citing high-profile events such as the Super Bowl, institutions such as Congress, or transportation systems such as subways. “Influenza virus can survive on banknotes, which suggests that other organisms, including some biological agents, could use the Financial Services Sector to spread disease intentionally,” the report adds. “Even without spreading disease through the sector, a significant biological event would result in the stock market dropping dramatically in a very short period of time, greatly affecting the Financial Services Sector as well as the national and global economies. A biological attack on agriculture (including food) would create shortages in the Food and Agriculture Sector.”
Even if a biological event is originally centered on one or a few sectors, “cascading and indirect impacts affecting other critical infrastructure sectors” are expected, “making it impossible for them to pull together efficiently.”
The commission found that sectors “could have managed the biological risk posed by COVID-19 much earlier” if they had maintained risk-reduction activities including coordinating prevention and response with established partnerships, assessing facility vulnerability, information sharing about biological threats, and more.
The commission recommended that Congress mandate federal defense of critical infrastructure against biological threats, which would incorporate the departments of Homeland Security, Agriculture, Defense, Energy, Health and Human Services, Transportation, and Treasury along with the Environmental Protection Agency, Food and Drug Administration, and General Services Administration. The DHS biological risk management program should be established at the Cybersecurity and Infrastructure Security Agency to coordinate intelligence and subject-matter expertise and “report information to sector specific federal agencies about disease events that affect, or could affect, critical infrastructure assets in all 16 sectors, and private sector owners and operators,” “determine what should be done if a naturally occurring disease outbreak, accidental pathogen release, or biological attack significantly affects critical infrastructure,” “identify national critical functions most vulnerable to biological threats,” and “work across all sectors to manage biological risk.”
Critical infrastructure sectors and DHS “should plan to protect critical infrastructure operators and ensure continued critical functions during biological events” and agencies along with sectors “should maintain awareness of the disease environment in which critical infrastructure operates,” the report continues. Vulnerabilities should be identified and mitigated, and sectors and agencies “should take action to reduce the impact of biological events before they occur again,” the commission recommends. Sector-specific actions should be executed to understand, prevent, prepare for, and respond to biological events.
“When biological events occur, they affect many (if not all) critical infrastructure sectors and put our national, economic, and public health security in jeopardy,” the report says. “DHS bears a great deal of responsibility in this arena and should continue to build on previous activities to manage and reduce biological risk to critical infrastructure. However, all other sector specific federal agencies, as well as the owners and operators of the individual sectors, must also devote resources to help defend critical infrastructure against biological threats.”