How to stop bioterrorists from buying dangerous DNA

Animation by Erik English. Original illustrations by Jane Kelly, sapannpix via Adobe.

Layout by Erik English

April 7, 2025

Imagine you work for a hypothetical gene synthesis company, one of dozens around the world that manufacture tiny strands of custom nucleic acids like DNA for customers in academia and industry. DNA isn’t just the basis for life on Earth—it’s also the basis of many research laboratories. Plastic tubes of DNA are a familiar sight for many researchers, from students in undergraduate biology labs to scientists in pharmaceutical development facilities. Scientists’ capacity to perform genetic engineering, design new medical tests and therapies, and understand gene functions has skyrocketed thanks to the ability to design specific DNA sequences that meet particular research goals.

Along with new possibilities, however, the ability to custom-order genes also has the potential to open up new risks. Some DNA codes for genes from pathogens and toxins—sequences that could cause harm if misused. To limit such an outcome, experts from industry, government, and academia recommend screening orders and customers before filling an order.

In the United States, this screening is at a pivotal moment. A Biden administration executive order that would require researchers working with federal funds to order from companies that screen DNA orders was short-lived; the Trump administration rescinded the requirement less than three months after it went into effect. While many of the leading synthesis companies are committed to voluntarily screening orders as members of an industry-led consortium, the revoked executive order would have marked the first time that the practice was made standardized and compulsory. Since the new administration may retain some aspects of the Biden executive order, it remains unclear what the status of screening requirements will be moving forward.

But the issue of screening is not likely to go away as new science demands more synthetic genes.

Animation by Erik English. Jane Kelly via Adobe.

The current crossroads provides an opportunity to strengthen the next iteration of screening requirements. One major shortcoming of policymaking so far is the lack of clear guidance and decision-making criteria to conduct customer screening. Providers should make efforts to look closely at orders containing potentially concerning sequences to see who ordered them and why. Potentially risky DNA sequences, such as pathogen genes that contribute to virulence, might be necessary for studying disease and designing vaccines, for example. Customer screening, not just sequence screening, therefore, is necessary. But classifying customers as “legitimate” or “illegitimate” is subjective and often ambiguous. Screening is a trickier problem than it might first appear.

Malice aforethought?

Let’s return to your gene synthesis company. Today, six customers are seated in the waiting room just outside your office door. Most customers order benign DNA that you can provide without worry, like sequences from non-infectious organisms or for helpful research features like fluorescent markers that help to show that an experiment is proceeding as planned. But these six customers are different: They have all requested a sequence of DNA that comes from a federally regulated pathogen or toxin.

As the company’s chief screening officer, you must decide who should receive their requested DNA and who you’re concerned might misuse it.

Your six customers, Emma, Bob, John, Nicole, Ralph, and Alex, have varying levels of qualification based on their scientific expertise and access to infrastructure. These customers might also be either malicious or non-malicious, but since they aren’t likely to say they are malicious on their request forms, you don’t know who falls into which category.

First up are Emma and Bob. They both ordered the sequence for botulinum toxin and have no research background. Neither Emma nor Bob has biosafety training or access to high-containment laboratory facilities.

Emma is a high school teacher mentoring a group of students who are very interested in biology but have limited lab experience. Emma thinks that ordering some synthesized DNA from a provider would be a good start, and thinks that botulinum toxin would be an interesting example for her students to learn about (since it is a toxin but is also used for cosmetic purposes).

Bob ordered the same DNA sequence. He hasn’t provided any documentation supporting his ability to safely conduct research with the regulated agent or his research need for the sequence. He isn’t a scientific researcher and has never worked in a laboratory before.

What you don't know:

Emma doesn’t have malicious intent. She knows that botulinum toxin is dangerous, but she truly means no harm with it and doesn’t know it’s controlled.

Bob does have malicious intent and wishes to cause harm to others. He read online that he could order DNA sequences from dangerous pathogens from a synthesis provider and decided to try his hand at it with nefarious goals.

This one’s easy. You deny Emma and Bob the toxin genes. In fact, in this case, what they wanted to do with the synthetic genes was irrelevant to your decision. Neither of them has research experience, much less with dangerous agents, nor do they have access to the high-containment labs or research facilities needed to research these agents safely.

Next, let’s meet John and Nicole. They’re doctoral researchers at university laboratories who ordered DNA coding for the hemagglutinin (HA) protein from an avian influenza virus. While both John and Nicole have extensive laboratory experience, neither has ever worked with high-risk pathogens. They have access to appropriate containment infrastructure at their facilities and claim that the requested sequence will not be used to generate infectious particles.

John has spent his career studying how viruses infect cells using relatively low-risk, circulating strains of human influenza. His work has led him to discover a new inhibitor that he thinks may also be effective against the HA protein from H5N1 avian influenza. He plans to use the requested sequence to test whether the inhibitor can bind and disrupt the HA protein, potentially offering a way to neutralize the avian influenza virus.

Nicole has similarly worked extensively with various HA genes from low-risk human influenza, and her order form explains that she will conduct a study similar to that described by John.

What you don't know:

John doesn’t have malicious intent. He truly intends to use the requested DNA as described and will most likely do so safely.

Nicole Nicole does have malicious intent. She plans to use the requested DNA to make a more virulent strain of the flu to cause harm to others.

This one’s tricky. John and Nicole’s qualifications make this a gray area that is challenging for screening. It’s currently up to the provider to decide whether to ship the sequence of concern, depending on how much the customer needs it for their research, how experienced they are, and how much information they have provided about their research infrastructure and biosafety practices, among other factors. There is no standard, universal guidance for how this should be done.

The last two customers in your waiting room, Ralph and Alex, are highly respected Ph.D. researchers co-leading a research project at a national lab. Their work is intended to develop and optimize a vaccine for Lassa fever for eventual production and inclusion in the US Strategic National Stockpile (SNS). As such, their work regularly involves ordering both modified and unmodified versions of genes from Lassa fever virus.

They have extensive documentation justifying the new project, are qualified to work in the institution’s well-maintained high-containment facilities, and received the go-ahead from the national lab’s biosafety officer. Both Ralph and Alex themselves, and their laboratory as a whole, are overseen by the Federal Select Agent Program, which regulates the possession, use, and transfer of pathogens and toxins that pose a threat to people, plants, and animals. The pair have a proven history of compliance with federal regulations for select agents. In both cases, the order will be sent to the national lab facility itself and not the individual researchers.

What you don't know:

Ralph doesn’t have malicious intent. He’s the perfect example of a customer who should definitely receive the requested order; it is necessary for critical work to further US security.

Alex, on the other hand, does have malicious intent. Her work with select agents has led her to want to cause harm using the lab’s research material, which she plans to remove from the high-containment facility.

Based on the information provided, you have no reason not to provide the sequences of concern to both Ralph and Alex. They’re both approved to work with select agents and work at a prestigious, well-respected facility that’s worked with the Lassa fever virus before. In your mind, it should be up to the institution and the Federal Select Agents Program to prevent theft or misuse at facilities that truly need sequences of concern. Even though Alex has malicious intent, you have no way of knowing that as a commercial provider. The good news is that given the extensive background checks researchers like Ralph and Alex undergo, there are unlikely to be many Alexes out there.

Where Do We Go From Here?

Although Emma, Bob, John, Nicole, Ralph, and Alex are fictitious, their stories illustrate the real challenges in conducting customer screening for synthetic nucleic acids. DNA synthesis screening is a hard, complex job.

Three recommendations can help the biosecurity community set realistic expectations for synthesis screening.

First, regardless of how challenging it is to define which customers are legitimate, there are a subset of customers that are easy to identify as not legitimate. Customers like Emma and Bob clearly demonstrate the inability to use sequences of concern safely given their complete lack of experience, infrastructure access, and appropriate research questions.

These factors are objective rather than subjective and could be the foundation for building a set of standards that define when it is unacceptable to provide a synthesized sequence of concern. If these guidelines are clearly established, then future evaluations for compliance could include testing whether providers deny this subset of orders as expected.

Second, providers need guidance for handling gray areas. Without clear guidance, providers will likely come to different conclusions about what constitutes legitimacy for customers like John and Nicole. Ultimately, determining whether a legitimate researcher is good enough to receive a sequence of concern is subjective and will only get more challenging as more sequences are categorized as concerns in the future. There needs to be an “answer key” to compare providers’ decisions against, especially when it comes time to assess how well providers are complying with future requirements. This requires developing more explicit criteria to help providers decide whether to fulfill their orders. Factors could include how critical the sequence of concern is for the requester’s research, how experienced they are with similar sequences, or how much information they have provided about biosafety at their facility.

Similarly, providers face another gray area: Should they report Emma and Bob, or even John and Nicole, to the FBI? Without knowing a customer’s intent, which orders are suspicious enough to warrant an investigation by law enforcement? In addition to help deciding which requests to fulfill, DNA synthesis providers need guidance to ensure that these choices are systematic and consistent across companies.

Last, it’s important to remember synthesis screening is not the only defense against misuse of potentially dangerous sequences. Some customers really do have a legitimate need for sequences of concern. If there were no such legitimate uses, then customer screening to evaluate legitimacy would not be needed in the first place.

Ralph and Alex are qualified to work with sequences of concern, given their credentials and research agendas. It’s unreasonable to expect a provider to fulfill a request from Ralph and not Alex—or to test providers on their ability to catch that Alex is a malicious actor. Rather, it would make more sense to focus on the other safety mechanisms that apply before and after the nucleic acid synthesis provider’s involvement.

Legitimate high-containment laboratories, like the one that employs Ralph and Alex, have stringent processes in place to prevent theft and misuse of regulated agents in order to comply with the Federal Select Agent Program. Verifying or strengthening biosafety practices at research institutions will help ensure that work involving DNA sequences of concern is conducted safely. The FBI and other intelligence agencies can monitor malicious actors, particularly the ones sophisticated and well-resourced enough to fool a DNA synthesis provider’s screening mechanisms. Building capacity for these tools alongside DNA synthesis screening will help reduce biological risk to the greatest extent possible.

Nucleic acid synthesis screening can be most effective when preventing a baseline of clearly illegitimate customers from receiving potentially dangerous DNA. That being said, provider-conducted screening is just one piece of the puzzle when it comes to reducing biological risk. Synthesis providers will need standards and guidance, the support of other biosecurity tools, and clear metrics for compliance for the next iteration of required screening to be most effective. The Trump administration will have to develop a plan, given the synthetic gene industry’s continued importance to biomedical research and biotechnology. A good place to start would be to maintain the Biden-era screening requirements—and build on them to support synthetic gene providers and keep the public safe.

Steph Batalis

Steph Batalis is a research fellow at Georgetown University’s Center for Security and Emerging Technology (CSET), where she leads biotechnology... Read More

Vikram Venkatram

Vikram Venkatram is a research analyst at Georgetown University’s Center for Security and Emerging Technology (CSET), where he focuses on emerging... Read More